gcla / termshark
A terminal UI for tshark, inspired by Wireshark
License: MIT License
Could you please add the feature to read from stdin to support something like this:
kubectl -n NS exec POD -c CONTAINER -- tcpdump -s0 -w - -lUni INTERFACE | termshark -i -
or this:
ssh USER@IP -- tcpdump -s0 -w - -lUni any port PORT or port PORT | termshark -i -
Hi,
I compiled Termshark on my Raspberry 3B+ running Arch Linux ARM aarch64 and go1.12.7 linux/arm64.
When I run it, the UI looks like this:
What am I missing?
Thanks!
When termshark is executed with no parameters and not as root it will print the following error:
"INFO[0004] tshark: Couldn't run /usr/bin/dumpcap in child process: Permission denied"
Tried both the pre-compiled version and compiling it with GO111MODULE=on
termshark version: 1.0.0
tshark version: TShark (Wireshark) 3.0.1 (Git)
OS version: 4.19.35-1-MANJARO (inside of a VirtualBox VM)
I started trying to use termshark to analyze packet captures for my work. I noticed that I am unable to change the scrollbar position by clicking on the scrollbar itself. The scrollbar only seems to function by clicking either the box on the bar or by clicking on the arrows. I'm referring to being able to click on a different position on the scrollbar in order to jump to that position, i.e. jump quickly to the end of the file. I'm using Tilix terminal, Fedora 29, xorg session (in case this information is helpful).
Fix coming...
=== RUN TestFields1
--- FAIL: TestFields1 (1.09s)
fields_test.go:18:
Error Trace: fields_test.go:18
Error: Received unexpected error:
open /home/builder/.cache/termshark/tsharkfields.gob.gz: no such file or directory
Test: TestFields1
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x87754d]
goroutine 20 [running]:
testing.tRunner.func1(0xc0000e8600)
/usr/lib/go-1.11/src/testing/testing.go:792 +0x387
panic(0x8f4340, 0xd3c630)
/usr/lib/go-1.11/src/runtime/panic.go:513 +0x1b9
github.com/gcla/termshark.TestFields1(0xc0000e8600)
/build/source/_build/src/github.com/gcla/termshark/fields_test.go:20 +0xad
testing.tRunner(0xc0000e8600, 0x98efb8)
/usr/lib/go-1.11/src/testing/testing.go:827 +0xbf
created by testing.(*T).Run
/usr/lib/go-1.11/src/testing/testing.go:878 +0x35c
FAIL github.com/gcla/termshark 1.114s
This only happens if termshark wasn't run before. Simply executing termshark -h and then running the tests resolves this issue.
UPDATE: Okay, after more investigation, it seems like the problem is about a non-existing termshark directory in $XDG_CONFIG_CACHE.
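As an added example (not termshark's own code), this is the kind of cache handling that avoids the failure above: a missing cache file is treated as "regenerate", not as an error, and the writer creates the parent directory itself instead of assuming an earlier run made it. The directory and file names are assumptions taken from the path in the test output; the field table written into the cache is constructed for the example.

```go
package main

import (
	"compress/gzip"
	"encoding/gob"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// DefaultCachePath mirrors the path seen in the failing test. os.UserCacheDir
// honours XDG_CACHE_HOME on Linux. The subdirectory and file name are assumptions.
func DefaultCachePath() (string, error) {
	dir, err := os.UserCacheDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(dir, "termshark", "tsharkfields.gob.gz"), nil
}

// LoadFields reads a gzipped gob cache. It returns (fields, hit, err); a missing
// file (or missing directory) is a cache miss, never an error, so first runs work.
func LoadFields(path string) (map[string]string, bool, error) {
	f, err := os.Open(path)
	if errors.Is(err, os.ErrNotExist) {
		return nil, false, nil
	}
	if err != nil {
		return nil, false, err
	}
	defer f.Close()
	zr, err := gzip.NewReader(f)
	if err != nil {
		return nil, false, err
	}
	defer zr.Close()
	var fields map[string]string
	if err := gob.NewDecoder(zr).Decode(&fields); err != nil {
		return nil, false, err
	}
	return fields, true, nil
}

// SaveFields creates the parent directory (user-only permissions) if needed and
// writes the cache through a temporary file plus rename, so a crash mid-write
// never leaves a truncated cache for the next run to choke on.
func SaveFields(path string, fields map[string]string) error {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(dir, ".tsharkfields-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	zw := gzip.NewWriter(tmp)
	if err := gob.NewEncoder(zw).Encode(fields); err != nil {
		tmp.Close()
		return err
	}
	if err := zw.Close(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	// Demonstrate against a throwaway directory rather than the real user cache.
	base, err := os.MkdirTemp("", "termshark-cache-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	path := filepath.Join(base, "termshark", "tsharkfields.gob.gz")

	fields, hit, err := LoadFields(path)
	if err != nil {
		panic(err)
	}
	if !hit {
		// Constructed stand-in for the table a real run would build from tshark.
		fields = map[string]string{"ip.src": "FT_IPv4", "tcp.port": "FT_UINT16"}
		if err := SaveFields(path, fields); err != nil {
			panic(err)
		}
	}
	fields, hit, err = LoadFields(path)
	fmt.Printf("second load: hit=%v fields=%d err=%v\n", hit, len(fields), err)
}
```

The first LoadFields call returns a miss because neither the file nor its directory exists yet; after SaveFields the second call returns a hit. That is the behaviour the test suite above needed on a fresh checkout.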
Seems related to this:
syncthing/syncthing-android#1291
and may just need to be compiled with go 1.13:
I might be missing something, but I'm not seeing test functions in termshark.go. It looks like there's a smattering of unit tests scattered throughout other files, which is good. More unit tests for the main file would be helpful here (and goes hand in hand with #20).
I started testing out the termshark to hopefully one day be able to use it more often with packet capture analysis. I discovered that termshark is consistently utilizing a lot of CPU resources, causes my system to hang, and will frequently output the error codes shown in the screenshots.
$ tshark -v
TShark (Wireshark) 3.0.3 (Git commit 6130b92b0ec6)
Copyright 1998-2019 Gerald Combs [email protected] and contributors.
License GPLv2+: GNU GPL version 2 or later http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.58.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.13.0, with Lua
5.1.5, with GnuTLS 3.6.7 and PKCS #11 support, with Gcrypt 1.8.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.34.0, without LZ4, without
Snappy, without libxml2.
Running on Linux 5.2.11-100.fc29.x86_64, with Intel(R) Core(TM) i7-8650U CPU @
1.90GHz (with SSE4.2), with 15687 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.9.0-PRE-GIT (with TPACKET_V3), with GnuTLS
3.6.7, with Gcrypt 1.8.4, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using gcc 8.3.1 20190223 (Red Hat 8.3.1-2).
as titled
This should be trivial to add.
When termshark is executed with root permissions it cannot find any device and ends up printing the following error: "Giving up waiting for : "
Tried both the pre-compiled version and compiling it with GO111MODULE=on
termshark version: 1.0.0
tshark version: TShark (Wireshark) 3.0.1 (Git)
OS version: 4.19.35-1-MANJARO (inside of a VirtualBox VM)
Thanks for this good-looking app :)
Applying a display filter during a live capture does nothing.
Confirmed on macOS 10.14
Totally love this tool but would even more so if it had the "Follow Stream" feature from Wireshark...perhaps the feature I depend on the most.
This came up on twitter - 1.5m load time for wireshark, 6.5m load time for termshark. Termshark is dependent on tshark -T psml, and currently will run through the whole pcap to generate the packet list, slowly updating the progress bar as it goes. If
$ time tshark -r my.pcap -T psml > /dev/null
isn't appreciably faster than termshark, then short of looking at tshark itself, maybe termshark can consider "lazy loading" of the packet list as well, like it does for the packet structure (PDML). This raises its own issues, like how would termshark know how many packets are in the pcap before a full load, and does it need to know? Could it use capinfos, which will work its way through the pcap much more quickly than a tshark process that is generating XML output? Can we just turn off the progress bar early, when enough packets have been loaded for several screens-worth of scrolling? All seems to add extra complexity.
First of all, thank you so much for this great project.
My first feature request would be a dark theme. The fairly bright colors can be a little overwhelming in dark environments.
I've published termshark on the Snap store so it can be easily installed on almost all major distros just by issuing: snap install termshark
After installation, it requires some additional permissions:
snap connect termshark:network-control
snap connect termshark:bluetooth-control
snap connect termshark:firewall-control
snap connect termshark:ppp
snap connect termshark:raw-usb
snap connect termshark:removable-media
Hi,
When I launch termshark -i wlan0, I get this error
goroutine 1 [running]:
main.makePacketListModel(0xc0002881e0, 0x4, 0xa, 0xc001a70000, 0x2e, 0x40, 0xb459c0, 0xc0001224d0, 0xc002cbac20)
    /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:1529 +0x721
main.updatePacketListWithData(0xc0002881e0, 0x4, 0xa, 0xc001a70000, 0x2e, 0x40, 0xb459c0, 0xc0001224d0)
    /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:1536 +0x7e
main.updatePacketViews.BeforeBegin.func1.1.1.1(0xb459c0, 0xc0001224d0)
    /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:1048 +0xd0
github.com/gcla/gowid.RunFunction.RunThenRenderEvent(0xab8b30, 0xb459c0, 0xc0001224d0)
    /usr/gocode/src/github.com/gcla/gowid/app.go:720 +0x3a
github.com/gcla/gowid.(*App).RunThenRenderEvent(0xc0001224d0, 0xb39220, 0xab8b30)
    /usr/gocode/src/github.com/gcla/gowid/app.go:600 +0x47
main.cmain(0x0)
    /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:3114 +0x61c7
main.main()
    /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:2109 +0x4b
I also get the same error when I try to read a pcap file 'termshark -r test.pcap'
I'm using the Golang-go 1.11.6 btw
The issue is down to parsing escape codes in psml. Fix coming!
There are references to a MIT LICENSE file but none is present.
[ blackarch ~ ]$ ifconfig enp58s0f1
enp58s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.65 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::9ccf:e3dc:a22b:4d8c prefixlen 64 scopeid 0x20<link>
inet6 fe80::de0d:7644:64b1:1e80 prefixlen 64 scopeid 0x20<link>
ether 80:fa:5b:4f:5a:ee txqueuelen 1000 (Ethernet)
RX packets 746591 bytes 897956470 (856.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 455377 bytes 52721791 (50.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 127 base 0xd000
[ blackarch ~ ]$ termshark -i enp58s0f1
Could not find network interface enp58s0f1
please fix.
Hitting enter in the filter input is a no-op. How about when the input is valid we trigger the apply button callback?
Are there any plans to support vim key bindings?
I am on a mac and installed termshark via brew. For some reason I am not able to see hex data... ever. I have tried multiple terminals as well as live data and reading from a pcap.
Has anyone experienced this?
Support for a wireshark coloring rule configuration file, to configure and support the wireshark coloring ruleset.
The default ruleset provides at-a-glance protocol and issue recognition. Being able to point to a config file where this exists on the filesystem allows us to import and share our existing Wireshark coloring rulesets.
# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[4626,10023,11822][63479,34695,34695]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
@Spanning Tree Topology  Change@stp.type == 0x80@[4626,10023,11822][65535,64764,40092]
@OSPF State Change@ospf.msg != 1@[4626,10023,11822][65535,64764,40092]
@ICMP errors@icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[4626,10023,11822][47031,63479,29812]
@ARP@arp@[64250,61680,55255][4626,10023,11822]
@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
@TCP RST@tcp.flags.reset eq 1@[42148,0,0][65535,64764,40092]
@SCTP ABORT@sctp.chunk_type eq ABORT@[42148,0,0][65535,64764,40092]
@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim && !ospf) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum Errors@eth.fcs.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
@TCP@tcp@[59367,59110,65535][4626,10023,11822]
@UDP@udp@[56026,61166,65535][4626,10023,11822]
@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]
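As an added example (not termshark's or Wireshark's own code), here is a small Go parser for rule lines in the format above: each line is @name@filter@[fg][bg], the RGB components are 16-bit values (0 to 65535), lines starting with # are comments, and a leading ! marks a rule Wireshark has disabled. The display filter is kept verbatim for handing to tshark; only the colour syntax and ranges are validated, and the split happens on the last "@[" so a filter containing an @ inside a quoted string still parses. The excerpt embedded in the block is constructed from the default rules.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ColorRule is one parsed Wireshark coloring rule.
type ColorRule struct {
	Name     string
	Filter   string   // display-filter expression, passed through untouched
	Fg, Bg   [3]uint8 // 8-bit RGB, scaled down from the file's 16-bit values
	Disabled bool     // lines prefixed with "!" are disabled in Wireshark
}

var colorSuffix = regexp.MustCompile(`^\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$`)

// ParseColorRule parses one "@name@filter@[r,g,b][r,g,b]" line.
func ParseColorRule(line string) (ColorRule, error) {
	var r ColorRule
	line = strings.TrimSpace(line)
	if strings.HasPrefix(line, "!") {
		r.Disabled = true
		line = line[1:]
	}
	if !strings.HasPrefix(line, "@") {
		return r, fmt.Errorf("rule must start with '@': %q", line)
	}
	rest := line[1:]
	nameEnd := strings.Index(rest, "@")
	if nameEnd < 0 {
		return r, fmt.Errorf("missing name terminator in %q", line)
	}
	r.Name = rest[:nameEnd]
	rest = rest[nameEnd+1:]
	// The filter may itself contain '@', so split on the last "@[" instead of the first '@'.
	filtEnd := strings.LastIndex(rest, "@[")
	if filtEnd < 0 {
		return r, fmt.Errorf("missing colour specification in %q", line)
	}
	r.Filter = rest[:filtEnd]
	m := colorSuffix.FindStringSubmatch(rest[filtEnd+1:])
	if m == nil {
		return r, fmt.Errorf("malformed colour specification %q", rest[filtEnd+1:])
	}
	vals := make([]uint8, 6)
	for i, s := range m[1:] {
		v, err := strconv.ParseUint(s, 10, 16) // components are 16-bit: 0..65535
		if err != nil {
			return r, fmt.Errorf("colour component %q out of range", s)
		}
		vals[i] = uint8(v >> 8) // keep the high byte for an 8-bit terminal palette
	}
	copy(r.Fg[:], vals[:3])
	copy(r.Bg[:], vals[3:])
	return r, nil
}

// ParseColorFilters reads a whole colorfilters file; blank and '#' lines are skipped.
func ParseColorFilters(text string) ([]ColorRule, error) {
	var rules []ColorRule
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		r, err := ParseColorRule(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// sampleColorFilters is a constructed excerpt in the format of Wireshark's default colorfilters.
const sampleColorFilters = `# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[4626,10023,11822][63479,34695,34695]
!@Disabled rule@udp@[56026,61166,65535][4626,10023,11822]
@Checksum Errors@eth.fcs.status=="Bad" || ip.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
`

func main() {
	rules, err := ParseColorFilters(sampleColorFilters)
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("%-16s disabled=%-5v fg=#%02x%02x%02x bg=#%02x%02x%02x  %s\n",
			r.Name, r.Disabled, r.Fg[0], r.Fg[1], r.Fg[2], r.Bg[0], r.Bg[1], r.Bg[2], r.Filter)
	}
}
```

Rules are returned in file order, which matters because Wireshark applies the first matching rule; a termshark integration would evaluate each filter against a packet in that order and stop at the first hit.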
I would like a .deb package for this tool.
Packaging a single binary as a .deb package is fairly simple [0], but will ofc require a bit of extra time when releasing. Could you be convinced to do it? Or can I create an "official" PPA for the tool?
[0] Shameless plug: I made the tool ELF2deb to automate the "anything-to-deb" process.
It would be nice to recommend that users upgrade to latest tshark, but this may not be possible for all users. @gcla has also put in work towards making tshark v1.1.0 not break.
Would it possible to add a shortcut to enable auto scrolling of the packet capture rows in the main window as with wireshark?
Really liking this project!
PS C:\WINDOWS\system32> termshark -i wifi
Could not find network interface wifi
PS C:\WINDOWS\system32> tshark -i wifi
Capturing on 'wifi'
1 0.000000 2600:100f:b01e:92c1:e497:adce:657c:53c1 → 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 ICMPv6 86 Neighbor Solicitation for 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 from 7e:50:49:23:f5:64
2 0.000250 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 → 2600:100f:b01e:92c1:e497:adce:657c:53c1 ICMPv6 86 Neighbor Advertisement 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 (sol, ovr) is at 20:79:18:8d:81:af
3 0.999516 0 40.90.10.180 → 172.20.10.3 TLSv1.2 85 31 Application Data
3 packets captured
First of all, congrats on launching a cool project!
I want termshark to launch on the first interface to mimic the behavior of tshark. Depending on how you have this set up, you could call tshark without interface arguments if termshark does not receive any.
On the CLI, this will show you the first interface tshark sees (and will use):
tshark -D | awk 'NR==1 { print $2}'
Hi - one common request is to have termshark be part of homebrew. I've put together a formula - would anyone like to try it before I officially submit it to the homebrew team? This works for me on linuxbrew, but I don't have ready access to a Mac right now to test it there. Here's a link to the formula:
https://gist.github.com/gcla/a40524d4deb9b95b404b2ec678577d20
To test it out, drop the formula in Library/Taps/homebrew/homebrew-core/Formula/termshark.rb, then
brew update
brew install termshark
<...wait...>
termshark -v
brew test termshark # crucial step for homebrew acceptance
brew uninstall termshark
brew install --build-from-source termshark
Thanks :-)
I am loading a very tiny pcap file (11 packets) with termshark.
When using the mouse, clicking and scrolling, the RAM usage is up at 20 to 30 GB within seconds.
I am not sure how much ram termshark should consume.
Please provide the complete output of these commands:
TShark (Wireshark) 3.0.3 (Git commit 6130b92b0ec6)
Copyright 1998-2019 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.60.5, with zlib 1.2.11, without SMI, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.8 and PKCS #11 support, with Gcrypt 1.8.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.36.0, with LZ4, with Snappy,
with libxml2 2.9.9.
Running on Linux 4.19.69-1-MANJARO, with Intel(R) Xeon(R) CPU E5-1620 0 @
3.60GHz (with SSE4.2), with 19988 MB of physical memory, with locale
LC_CTYPE=en_GB.UTF-8, LC_NUMERIC=de_DE.UTF-8, LC_TIME=de_DE.UTF-8,
LC_COLLATE=en_GB.UTF-8, LC_MONETARY=de_DE.UTF-8, LC_MESSAGES=en_GB.UTF-8,
LC_PAPER=de_DE.UTF-8, LC_NAME=de_DE.UTF-8, LC_ADDRESS=de_DE.UTF-8,
LC_TELEPHONE=de_DE.UTF-8, LC_MEASUREMENT=de_DE.UTF-8,
LC_IDENTIFICATION=de_DE.UTF-8, with libpcap version 1.9.0-PRE-GIT (with
TPACKET_V3), with GnuTLS 3.6.9, with Gcrypt 1.8.5, with zlib 1.2.11, binary
plugins supported (0 loaded).
Built using gcc 9.1.0
termshark v1.0.0++
Please also provide any relevant information about your environment (OS, VM, pi,...):
Manjaro Linux 18.1.0
I'm currently in the process of packaging termshark for Nix/NixOS. I would like to build the tagged versions from source. Could you give me a hint on how to compile termshark?
I've tried the following without success:
➜ ~/vcs/termshark (v1.0.0) go version
go version go1.11.6 linux/amd64
➜ ~/vcs/termshark (v1.0.0) export GO111MODULE=on
➜ ~/vcs/termshark (v1.0.0) go build -o termshark *.go
# command-line-arguments
./copycommand_darwin.go:7:5: CopyToClipboard redeclared in this block
previous declaration at ./copycommand_android.go:7:5
./copycommand.go:9:5: CopyToClipboard redeclared in this block
previous declaration at ./copycommand_darwin.go:7:5
./copycommand_windows.go:7:5: CopyToClipboard redeclared in this block
previous declaration at ./copycommand.go:9:5
./have_fdinfo_linux.go:7:7: HaveFdinfo redeclared in this block
previous declaration at ./have_fdinfo.go:9:20
Thanks 😄
Part of the problem here is that when files are too large, it's harder to contribute :)
I'm seeing a lot of UI logic in this file. Maybe refactor that out as a first step?
Checked repo per #42 and found additional contributors (crossed out issues have been closed):
The heuristic here being: Did you open an issue that was judged to be a bug? PR inbound.
I have made it available on AUR for Arch Linux users. This is a binary package, which simply copies the released binary to the install directory. Enjoy it. The issue page is left for discussion.
This is related to #9 Read from stdin insofar as unix redirection is concerned. The following works with wireshark reading from the pipe, but not termshark:
bash-5.0$ mkfifo mypipe
bash-5.0$ tshark -r file.pcap -w mypipe &
[1] 52917
bash-5.0$ termshark -i mypipe
Could not find network interface mypipe
SemVer is a way to track versions. Termshark has added many features/fixes since initial release, but only has one version. For feature adds since v1, increment minor (1.[2].3) and for bugfixes, increment patch (1.2.[3]). I'm proposing to call latest commit, 74abf8f "v1.1.0" as a bundle of all previous features/fixes, but to increment version in future with features/patches in mind.
What do you think?
A feature request stemming from a bug reported by @jJit0
When I look into this, take a look at ~/.wireshark/preferences, gui.column.format
When using go get github.com/gcla/termshark/cmd/termshark, the version is v<localbuild>. Confirmed on macOS 10.14.
sudo add-apt-repository --update ppa:nicolais/termshark
tag:launchpad.net:2008:redacted
More info: https://launchpad.net/~nicolais/+archive/ubuntu/termshark
Press [ENTER] to continue or Ctrl-c to cancel adding it.
'Error reading https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&exact=on&search=0xtag:launchpad.net:2008:redacted: Not Found'
Anyone else experience this?
% termshark
Error: terminal entry not found [TERM: screen.xterm-256color]
zsh: exit 1 termshark
% TERM=xterm-256color termshark
Packets read from interface eth0 have been saved in /$home/.cache/termshark/eth0-921608986.pcap