Tshark, Colorized


With color one obtains an energy that seems to stem from witchcraft. — Henri Matisse
2 min |  Ross Jacobs |  April 4, 2019



Part of the allure of Wireshark is the ability to identify networking problems with the use of color. Relatively recently, tshark has gained this ability too with the --color flag. This article goes over how to set it up on your system.

Color on all 4 Operating Systems
Demonstration of tshark --color on Windows, Macos, Linux, and BSD.

Aliasing Tshark for Color

You can alias tshark for your terminal session with this:

alias tshark='tshark --color'

Add this line to your .bashrc to have it permanently:

echo -e "alias tshark='tshark --color'" >> ~/.bashrc
source ~/.bashrc

Using a compatible terminal

Whether tshark --color renders as intended depends on whether your terminal implements 24-bit “truecolor”. One way to check is to query the $COLORTERM environment variable: on a supporting terminal, echo $COLORTERM prints truecolor or 24bit.

This repo keeps track of whether your ${TERMINAL} supports 24bit-color, as well as general 24bit-color info.
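As an added example (not code from the original post), the following shell snippet turns the two steps above, checking $COLORTERM and aliasing tshark, into functions. It assumes nothing beyond a POSIX shell: has_truecolor accepts the same two values the text names, truecolor_probe emits a 24-bit SGR escape so you can see whether the terminal honours it, and install_tshark_alias appends the alias line to an rc file only once, so re-running your setup does not stack duplicate lines in ~/.bashrc the way a bare echo >> ~/.bashrc does.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the terminal
# advertises 24-bit colour, show a visual probe, and install the alias
# without duplicating it on every re-run.

# has_truecolor [VALUE]: returns 0 if VALUE (default: $COLORTERM) is one of
# the two strings terminals use to advertise 24-bit colour, else 1.
has_truecolor() {
    case "${1-$COLORTERM}" in
        truecolor|24bit) return 0 ;;
        *)               return 1 ;;
    esac
}

# truecolor_probe: emit one line using a 24-bit SGR sequence (38;2;R;G;B).
# A truecolor terminal renders it orange; a 16-colour terminal shows the
# nearest palette colour or no colour at all, which is the visual check.
truecolor_probe() {
    printf '\033[38;2;255;128;0m%s\033[0m\n' "24-bit colour sample"
}

# install_tshark_alias [RCFILE]: append the alias line to RCFILE (default
# ~/.bashrc) only if an identical line is not already present.
install_tshark_alias() {
    rcfile="${1:-$HOME/.bashrc}"
    line="alias tshark='tshark --color'"
    touch "$rcfile"
    if ! grep -qxF "$line" "$rcfile"; then
        printf '%s\n' "$line" >> "$rcfile"
    fi
}

# Report what the current terminal advertises. The alias is only written
# when you call install_tshark_alias explicitly.
if has_truecolor; then
    echo "COLORTERM=$COLORTERM: 24-bit colour advertised"
    truecolor_probe
else
    echo "COLORTERM='${COLORTERM-}' does not advertise 24-bit colour; check your terminal settings"
fi
```

Run it once to see the probe line; if the sample does not render in orange even though $COLORTERM says truecolor, the terminal is misreporting and tshark --color will look wrong for the same reason.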

I have tested 24bit-color and tshark --color compatibility across multiple terminals.
These are my recommendations:

Platform   Recommendations
Windows    Mobaxterm, WSL [1]
Macos      iTerm2, upterm
Linux      gnome-terminal, any terminal using libvte
BSD        gnome-terminal, any terminal using libvte

[1]: Note that you can call Powershell from Mobaxterm or WSL, but given that Powershell does not support 24bit-color, you are limited to using bash pseudo-terminals on Windows to get 24bit-color.

Windows Considerations

As with most things terminal, Windows complicates things.

The problem

  • The Windows version of tshark prints 16 colors instead of 24-bit “truecolor”.
  • The Linux version of tshark, usable from WSL and Mobaxterm, can print in truecolor.
  • The Linux version of tshark (like tcpdump on WSL) is not able to capture packets, because raw sockets (SOCK_RAW/SOCK_PACKET) are not yet implemented in WSL.

The hack

I created a hack that will allow you to use tshark --color while capturing on Windows by using both Windows and Linux tsharks.

  1. Install Wireshark (see the Windows section)
  2. Install WSL
  3. Install tshark on WSL with sudo apt install tshark
  4. Add this bash function to your ~/.bashrc:
  5. source ~/.bashrc
  6. Test by live capturing with the tshark command with no options:

Color on Windows
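The function the post refers to in step 4 is not reproduced here, so the following is my own reconstruction of the hack, not the author's code: it lets the Windows tshark, which can open the adapter, do the capture, and pipes the raw pcap stream into the Linux tshark under WSL, which cannot capture but can render 24-bit colour. It assumes Wireshark is installed at its default Windows path as seen from WSL (override with WIN_TSHARK) and that tshark's `-w -` (write pcap to stdout) and `-r -` (read from stdin) are available on both sides. Interface numbers are taken from the Windows binary's -D list, since the two binaries number adapters differently.

```shell
#!/usr/bin/env bash
# Added example (my reconstruction, not the author's function): capture with
# the Windows tshark and pipe the pcap stream into the Linux tshark for colour.

# Assumed default install path of Wireshark on Windows as seen from WSL;
# override with WIN_TSHARK=... if yours differs.
WIN_TSHARK="${WIN_TSHARK:-/mnt/c/Program Files/Wireshark/tshark.exe}"

# win_interfaces: list capture interfaces as numbered by the Windows tshark.
# Always pick the number from this list, not from the Linux tshark's -D output.
win_interfaces() {
    "$WIN_TSHARK" -D
}

# color_capture_cmd IFACE [extra Linux-side tshark args...]: build the
# pipeline as text so it can be inspected (and tested) without capturing.
color_capture_cmd() {
    iface="$1"; shift
    extra=""
    if [ $# -gt 0 ]; then extra=" $*"; fi
    printf '"%s" -i %s -w - | tshark -r - -l --color%s\n' "$WIN_TSHARK" "$iface" "$extra"
}

# tshark_color_capture [IFACE] [extra Linux-side tshark args...]:
#   Windows side: -w - writes a pcap stream to stdout instead of a file.
#   Linux side:   -r - reads that stream from stdin, -l flushes after each
#                 packet so lines appear live, --color adds Wireshark colours.
# Extra args (display filters with -Y, -V, ...) go to the Linux side, which
# is the one doing the dissection.
tshark_color_capture() {
    iface="${1:-1}"
    if [ $# -gt 0 ]; then shift; fi
    if [ ! -x "$WIN_TSHARK" ]; then
        echo "Windows tshark not found at '$WIN_TSHARK'; set WIN_TSHARK" >&2
        return 1
    fi
    "$WIN_TSHARK" -i "$iface" -w - | tshark -r - -l --color "$@"
}

# Usage, after copying these functions into ~/.bashrc and sourcing it:
#   win_interfaces             # pick the adapter number from this list
#   tshark_color_capture 3     # colourised live capture on Windows interface 3
#   tshark_color_capture 3 -Y dns
```

If you want the post's "tshark with no options" experience, alias tshark to tshark_color_capture on WSL; note that any capture filter (-f) would have to be added on the Windows side of the pipe, since that is the process talking to the adapter.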