
This seems useful. Are there other good recent tools for analyzing network traffic? For example something more high-level than Wireshark? A common use is to zero in on the flow you're interested in, and see which party is saying what. And maybe zoom back out and pick another flow. The flow choosing part could use better UI, maybe in the form of a more high level view.


My first port of call tends to be tcpdump, with various filters and greps to pick out what I want. Usually I'm looking at RTP streams [0], so I run it through some perl to decode [1].

For wider monitoring, at key points on the network I use ntop [2] to see what's

If I want a quick overview of a given machine I load up iftop [3], which isn't very thrilling on my desktop at the moment

[0] https://i.imgur.com/O9ekuPt.png
[1] https://i.imgur.com/x9l0UNd.png
[2] https://i.imgur.com/gFXAxwa.png
[3] https://i.imgur.com/vmpgR6i.png

All of these are trivial to install (except for the RTP perl script which I have as a custom apt-gettable package) and don't require non-standard interpreters and package managers.
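The "run the tcpdump output through some perl to decode" step above is an RTP (RFC 3550) header decode; as an added example that is not the commenter's script, here is the same decode in Python over constructed packet bytes, plus the per-SSRC sequence-gap check one usually wants when eyeballing a stream. The sample packets and the SSRC value are made up for the example.

```python
"""Minimal RTP (RFC 3550) header decoder plus a per-SSRC sequence-gap check."""
import struct
from dataclasses import dataclass

@dataclass
class RtpHeader:
    padding: bool
    extension: bool
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    csrcs: tuple
    payload_offset: int  # where the media payload starts inside the UDP payload

def parse_rtp(data: bytes) -> RtpHeader:
    """Decode the 12-byte fixed header, the CSRC list and an optional extension."""
    try:
        b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", data, 0)
        cc = b0 & 0x0F
        csrcs = struct.unpack_from(f"!{cc}I", data, 12)
        offset = 12 + 4 * cc
        if b0 & 0x10:  # X bit: 2-byte profile, 2-byte length in 32-bit words, then data
            offset += 4 + 4 * struct.unpack_from("!H", data, offset + 2)[0]
    except struct.error as exc:
        raise ValueError("truncated RTP header") from exc
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    if len(data) < offset:
        raise ValueError("truncated extension data")
    return RtpHeader(bool(b0 & 0x20), bool(b0 & 0x10), bool(b1 & 0x80),
                     b1 & 0x7F, seq, ts, ssrc, csrcs, offset)

def sequence_gaps(headers):
    """Group by SSRC and count skipped sequence numbers (assumes in-order delivery)."""
    last, gaps = {}, {}
    for h in headers:
        if h.ssrc in last:
            missing = (h.sequence - last[h.ssrc] - 1) & 0xFFFF  # 16-bit wraparound
            if missing:
                gaps[h.ssrc] = gaps.get(h.ssrc, 0) + missing
        last[h.ssrc] = h.sequence
    return gaps

# Constructed sample: three PCMU (PT 0) packets from one SSRC, seq 10, 11, 13 (12 lost).
SAMPLE = [bytes([0x80, 0x80 if s == 10 else 0x00, s >> 8, s & 0xFF])
          + struct.pack("!II", 160 * s, 0xDEADBEEF) + b"\xff" * 4 for s in (10, 11, 13)]
# Constructed sample with the extension bit set: one 4-byte extension word, PT 8 (PCMA).
EXT = bytes([0x90, 0x08, 0x00, 0x01]) + struct.pack("!II", 0, 1) + b"\xbe\xde\x00\x01" + b"\x00" * 4 + b"payload"
```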

Nevertheless I went to get this. I had to install 540MB of support files just to run "go get github.com/gcla/termshark/cmd/termshark". Still it compiles. Then I run it, and it shows bugger all, I suspect I need to find and install more libraries (tcell, gowid), which themselves require massive downloads.

It's simply not worth it, it's like going back in time 20 years.


How is that different from compiling other software with build dependencies? I mean, if you consider libc etc most applications have quite a large tree of build deps if you need to download _all_ libraries from scratch - it's just that in most cases you already have those deps.

Next time you need to build a golang project you most likely won't have to download all of those libs again, unless you remove them for some reason.


hi isostatic - sorry for the trouble :( I had hoped that compiling it would be quick and reliable. By default termshark will be installed in ~/go/bin/ - though it sounds like you have it compiled, it's just not running. Send me a message if you like and I'll see if I can get it working for you. There are also pre-compiled binaries at https://github.com/gcla/termshark/releases


As an old fart I expect to type "./configure; make", however it did seem to compile.

It runs, just doesn't look like it's reading anything from "sudo ./termshark -i eno1 icmp". Works fine when reading a pcap file, works fine when launching from a root session (rather than via sudo)


Riverbed Pilot[0] (or whatever it's called now) may be what you're looking for. It works incredibly well to help drill down the haystack, and then export that particular part to Wireshark. Do like.

[0] https://www.riverbed.com/gb/products/steelcentral/steelcentr...


It's called Packet Analyzer nowadays, and that's exactly what it was designed for.


There was some discussion about opening a new wireshark window at the current location so you could navigate like in a browser more or less. It didn't go anywhere https://seclists.org/wireshark/2015/Apr/97


I seem to remember a really old gtk1.x app that would show network flows as blobs representing local/remote hosts on the left and right of the screen, and ribbons connecting the blobs scaled to the amount of traffic per stream. Don't remember the name though.


EtherApe?

https://etherape.sourceforge.io

I remember using that as well many years ago. Fun times.


> Overview of changes in EtherApe 0.9.18 (Sunday, June 3, 2018):

> EtherApe now is a pure GTK 3 application, with canvas supplied by GooCanvas.

It's still in active development! Will have some fun with it :).


I need to admit, I have a lot of respect for someone that can keep a project going for so long. I assume there are contributors, but it wouldn't surprise me if it's a one-person lead. People who also tend to have other side projects going. I have trouble maintaining a bunch of GitHub side repos and keeping Ubuntu installations on a bunch of VPSes up to date.


I'm using Wireshark filters to automatically categorize traces (using tshark) and compile an HTML overview. "wireshark://" will open the corresponding PCAP then.

Having this integrated in some tool would be great.
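An added sketch of the workflow described in the comment above (tshark display filters to categorize captures, an HTML overview, wireshark:// links back into the PCAPs); this is not the commenter's tool. The category-to-filter map and the wireshark:// URL handler are assumptions, and the tshark runner is injectable so the categorizing and rendering logic can be exercised without tshark installed.

```python
"""Categorize pcaps with tshark display filters and build an HTML overview."""
import html
import subprocess
import sys
from pathlib import Path

# Assumed category -> Wireshark display-filter map; not taken from the comment.
CATEGORIES = {
    "dns": "dns",
    "cleartext_http": "http.request",
    "tls_client_hello": "tls.handshake.type == 1",
    "icmp": "icmp",
}

def tshark_cmd(pcap, display_filter):
    """tshark invocation printing one frame number per packet matching the filter."""
    return ["tshark", "-r", str(pcap), "-Y", display_filter,
            "-T", "fields", "-e", "frame.number"]

def run_tshark(cmd):
    """Default runner: returns tshark's stdout (needs tshark on PATH)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def categorize(pcap, categories=CATEGORIES, runner=run_tshark):
    """Count matching packets per category; `runner` is injectable for offline use."""
    counts = {}
    for name, flt in categories.items():
        out = runner(tshark_cmd(pcap, flt))
        counts[name] = sum(1 for line in out.splitlines() if line.strip())
    return counts

def render_html(results, categories=CATEGORIES):
    """results: {pcap: {category: count}} -> table; each pcap links via wireshark://."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in categories)
    rows = []
    for pcap, counts in sorted(results.items()):
        # wireshark:// is assumed to be a custom URL handler registered on the viewer's desktop
        href = "wireshark://" + html.escape(str(Path(pcap).resolve()), quote=True)
        cells = "".join(f"<td>{counts.get(c, 0)}</td>" for c in categories)
        rows.append(f'<tr><td><a href="{href}">{html.escape(str(pcap))}</a></td>{cells}</tr>')
    return f"<table>\n<tr><th>pcap</th>{head}</tr>\n" + "\n".join(rows) + "\n</table>"

if __name__ == "__main__":  # usage: python overview.py *.pcap > overview.html
    print(render_html({p: categorize(p) for p in sys.argv[1:]}))
```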


Flow telemetry like NetFlow in general; ntop, specifically.


Charles Proxy?


Charles is an HTTP proxy only - it does not capture any other protocols. Good for general app debugging, but did not fit the bill when I recently tried to dig into traffic coming out of my shady IP camera.

I recently used this method (Wireshark/Windows) [1] with the cam vendor's app on an old iPhone to get more insight into what was going on (particularly outside the HTTP space).

[1] https://blog.jjhayes.net/wp/2019/02/28/capture-iphone-networ...

