Termshark: Command Line Wireshark for the Win!

I was recently working on a headless server trying to troubleshoot an issue with Linux Bridging and IPTables and needed to understand where my packets were getting dropped. Traditionally in this situation I would run a tcpdump (with aggressive filters) and either watch the output or take a PCAP and scp the file to my workstation for analysis. In this case I decided to try a cool tool I’d played with in the Cilium Labs called Termshark.

Termshark is a command line tool written in Go that leverages the Gowid libraries for visualisation and Tshark for either live captures or PCAP analysis, all within your terminal. In this example I took a short capture from my physical interface and loaded it into termshark to show a different yet familiar view:

You can tab between the three main panels (packet list, dissectors, Hex view) with the dissector view expanding to view additional details in a hierarchical display.

Display Filters

Like in VIM/less/more, we can use the forward slash (/) to open the filter bar and type a Wireshark display filter.

You can do the equivalent of a right click on a dissector field by pressing Enter on the desired field, which displays a context menu.
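The capture-then-analyse workflow described above (a bounded tcpdump capture with a BPF capture filter, then the file opened in termshark with a Wireshark display filter) as an added example script; it is not from the original post or the Termshark project. It assumes tcpdump and termshark are on PATH, that termshark reads a file with -r and takes the display filter as its trailing argument, and the interface name, packet count, output path and filter expressions are illustrative values.

```shell
#!/bin/sh
# Added example (not from the original post): capture a bounded number of packets
# with tcpdump, then open the file in termshark with a Wireshark display filter.
# tcpdump/termshark availability, interface names and filters are assumptions.
set -eu

# Build the capture command. tcpdump takes a BPF *capture* filter that is applied
# in the kernel, which keeps the file small when only one flow is of interest.
# -c bounds the capture so a headless box is never left with an unbounded writer.
build_capture_cmd() {
    iface=$1; count=$2; out=$3; bpf=$4
    case $count in
        ''|*[!0-9]*) echo "packet count must be numeric: $count" >&2; return 1 ;;
    esac
    # The filter is single-quoted so the shell does not split it; filters
    # containing a literal single quote are not supported by this helper.
    printf "tcpdump -i %s -c %s -w %s '%s'" "$iface" "$count" "$out" "$bpf"
}

# Build the analysis command. termshark -r reads a pcap; the trailing argument is
# a Wireshark *display* filter, which can match on dissected protocol fields.
build_analyze_cmd() {
    pcap=$1; display=$2
    printf "termshark -r %s '%s'" "$pcap" "$display"
}

main() {
    iface=${1:-eth0}                         # assumed interface name
    pcap=${2:-/tmp/bridge-debug.pcap}        # assumed output path
    capture=$(build_capture_cmd "$iface" 200 "$pcap" "icmp or tcp port 22")
    analyze=$(build_analyze_cmd "$pcap" "ip.addr == 10.0.0.5 && tcp.flags.syn == 1")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$capture"; echo "$analyze"     # show the commands without running them
    else
        sh -c "$capture"                     # usually needs root or CAP_NET_RAW
        sh -c "$analyze"
    fi
}

# Only run the workflow when explicitly requested, so the helpers can be sourced.
if [ "${TERMSHARK_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it with `TERMSHARK_RUN=1 DRY_RUN=1 sh termshark-capture.sh eth0 /tmp/x.pcap` to print the two commands first; drop DRY_RUN to capture and open the file. Keeping the capture filter coarse (a host or port) and doing the fine-grained matching with the display filter inside termshark mirrors the tcpdump-then-Wireshark habit without the scp round trip.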

Packet Search

To find strings or byte patterns in the packets you can use ctrl-f and then use the arrow keys to select the type of search you want to run.

Analysis

Press ESC (the escape key) to access the Analysis and Misc menus at the top.

Quit

Press ctrl-c to quit or use the escape key to access the Misc menu and select quit.

You can find the user guide here!

If you want to amplify your Wireshark skills, check out one of my favourite network analysis books: Wireshark Network Analysis Second Edition by Laura Chappell, or check out other books in the Book Recommendations.
