Show HN: Babyshark – Wireshark made easy (terminal UI for PCAPs)

Original link: https://github.com/vignesh07/babyshark

## Babyshark: a terminal-based PCAP analyzer

Babyshark is a terminal user interface (TUI) tool for analyzing network capture (PCAP) files and live network traffic, positioned as an alternative to Wireshark. It helps you get a quick picture of network activity by answering questions such as "What's using the network?" and "What looks broken?"

**Key features:**

* **Offline analysis:** view .pcap/.pcapng files without Wireshark installed.
* **Live capture:** capture and inspect traffic directly in the terminal via `tshark` (Wireshark's CLI).
* **Intuitive interface:** browse flows, packets and streams, with search and filter options.
* **Useful summaries:** highlights potential trouble spots such as high-latency flows, TCP problems and DNS failures.
* **Export and annotation:** bookmark interesting flows and export reports in Markdown.

**Installation:** Babyshark can be installed from the prebuilt binaries on GitHub Releases, built from source (requires a Rust toolchain, plus `tshark` for live mode), or with `cargo install`. Live capture needs `tshark` installed separately.

**Usage:** run `babyshark --pcap capture.pcap` for offline analysis or `babyshark --live en0` for live capture. A display filter can be applied during live capture.

## Babyshark: Wireshark made easy, for the terminal

Babyshark is a new terminal user interface for analyzing PCAP network captures, intended as a more approachable alternative to Wireshark. Developed by vignesh07 and published on GitHub as v0.1.0 ([https://github.com/vignesh07/babyshark](https://github.com/vignesh07/babyshark)), it focuses on presenting network data in a human-readable form.

Main functions include an overview dashboard, a domain-centric view for following traffic by name (even with encrypted DNS), and a "weird stuff" view that flags potential network problems such as retransmissions or failed handshakes. Users can drill down from flows to packets and get plain-language explanations.

It supports offline PCAP analysis and live capture (which requires tshark). Early feedback, however, noted its similarity to the existing Termshark tool and raised questions about how the project was developed, with some commenters suspecting heavy reliance on AI coding assistance. The developer is asking for user feedback on the UX and on which "anomaly detectors" people want.
Original README:

Wireshark made easy (in your terminal).

Babyshark is a PCAP TUI that helps you answer:

  • What’s using the network?
  • What looks broken/weird?
  • What should I click next?

Status: v0.1.0 (alpha).

  • Offline .pcap / .pcapng viewing works without Wireshark
  • Live capture requires tshark (Wireshark CLI)

Download a release (recommended)

Grab a binary from GitHub Releases, or build from source:

git clone https://github.com/vignesh07/babyshark
cd babyshark/rust
cargo install --path . --force
babyshark --help

  • Offline: open .pcap / .pcapng and browse:
    • flows list → packets list → follow stream
    • stream search with highlighting + n / N navigation
  • Live: capture and inspect traffic in the TUI:
    • list capture interfaces
    • live capture with optional display filter
    • optional write-to-file while capturing
  • Notes/export:
    • bookmark flows
    • export markdown report (latest + timestamped copies)

Option A: GitHub Release (recommended)

Download a prebuilt binary from the repository's GitHub Releases page.

Option B: build from source

Prereqs:

  • Rust toolchain (stable)
  • (Live mode only) tshark
git clone https://github.com/vignesh07/babyshark
cd babyshark/rust
cargo install --path . --force
babyshark --help

Option C: cargo install (dev-friendly)

cargo install --git https://github.com/vignesh07/babyshark --bin babyshark

Install tshark (required for --live)

tshark is the official Wireshark CLI.

Debian/Ubuntu:

sudo apt-get update
sudo apt-get install -y tshark

Fedora:

sudo dnf install -y wireshark-cli

Verify:

tshark --version
tshark -D

Permissions note: live capture opens the interface through dumpcap, so it may require elevated permissions: running under sudo, file capabilities (cap_net_raw, cap_net_admin) on dumpcap, or membership of the wireshark group (on Debian/Ubuntu, `sudo dpkg-reconfigure wireshark-common` enables the group setup; then `sudo usermod -aG wireshark $USER` and log in again). Prefer the capability/group route over sudo: it keeps the TUI itself, and everything it parses, out of root. If babyshark prints a permission error, follow the guidance it outputs.
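Before reaching for sudo it is worth checking whether dumpcap already has what it needs. The script below is an added example, not part of babyshark or Wireshark: it parses `getcap` output and the current user's groups and reports whether an unprivileged live capture should work. The required capability names and the Debian/Ubuntu layout (dumpcap with file capabilities, executable only by the `wireshark` group) are the assumptions it encodes; the sample `getcap` lines used in its comments are constructed.

```python
"""Preflight: can this user run live capture without sudo?

Added example, not babyshark or Wireshark code. Assumes the Debian/Ubuntu
layout where dumpcap carries file capabilities and is executable only by
the 'wireshark' group; adjust the group name for other distributions.
"""
import os
import re
import shutil
import stat
import subprocess

# File capabilities dumpcap needs to open an interface for capture.
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}

CAP_TOKEN = re.compile(r"cap_[a-z_]+")
# Accepts both getcap output styles (constructed examples):
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip      (libcap >= 2.41)
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip    (older libcap)
FLAG_SET = re.compile(r"[+=]\s*([eip]+)\s*$")


def parse_getcap(output: str) -> set[str]:
    """Return the capability names that are both effective and permitted."""
    caps: set[str] = set()
    for line in output.splitlines():
        m = FLAG_SET.search(line)
        if not m or not {"e", "p"} <= set(m.group(1)):
            continue  # caps only in the inheritable set do not help dumpcap
        caps.update(CAP_TOKEN.findall(line))
    return caps


def can_capture_unprivileged(caps, groups, dumpcap_mode, dumpcap_group="wireshark"):
    """Decide whether dumpcap will open an interface for this user without sudo.

    caps: result of parse_getcap; groups: the user's group names;
    dumpcap_mode: st_mode of the dumpcap binary; dumpcap_group: its owning group.
    Returns (ok, reason).
    """
    if not REQUIRED_CAPS <= caps:
        return False, ("dumpcap lacks cap_net_raw+cap_net_admin; run "
                       "'sudo dpkg-reconfigure wireshark-common' or fall back to sudo")
    if dumpcap_mode & stat.S_IXOTH:
        return True, "dumpcap has capabilities and is world-executable"
    if dumpcap_mode & stat.S_IXGRP and dumpcap_group in groups:
        return True, f"dumpcap has capabilities and you are in group '{dumpcap_group}'"
    return False, (f"dumpcap is restricted to group '{dumpcap_group}'; run "
                   f"'sudo usermod -aG {dumpcap_group} $USER' and log in again")


def main() -> int:
    import grp  # Unix only; imported here so the pure functions stay importable anywhere

    def group_name(gid: int) -> str:
        try:
            return grp.getgrgid(gid).gr_name
        except KeyError:
            return str(gid)

    dumpcap = shutil.which("dumpcap")
    if not dumpcap:
        print("dumpcap not found; install tshark first")
        return 1
    st = os.stat(dumpcap)
    getcap = shutil.which("getcap") or "/usr/sbin/getcap"
    out = ""
    if os.path.exists(getcap):
        out = subprocess.run([getcap, dumpcap], capture_output=True, text=True).stdout
    groups = {group_name(g) for g in os.getgroups()}
    ok, why = can_capture_unprivileged(parse_getcap(out), groups, st.st_mode, group_name(st.st_gid))
    print(("OK: " if ok else "NOT OK: ") + why)
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as a normal user before `babyshark --live`; a non-zero exit tells you which of the three routes (capabilities, group membership, sudo) is missing, so you can fix the least-privileged one instead of running the whole TUI as root.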


Open a PCAP offline

babyshark --pcap ./capture.pcap

Live capture with a Wireshark display filter

babyshark --live en0 --dfilter "tcp.port==443"

The filter uses Wireshark display-filter syntax. A display filter narrows what is decoded and shown; it is not a BPF capture filter, which limits what is captured in the first place (a --bpf pass-through is on the roadmap). `en0` is a macOS interface name; run `tshark -D` to list the interfaces on your system.

Live capture and write to file

babyshark --live en0 --write-pcap /tmp/live.pcapng

Captured traffic routinely contains credentials, session tokens and internal hostnames. Write it to a directory other local users cannot read rather than a world-readable location such as /tmp, and delete it once the investigation is done.

Example screens (sanitized)

These are text-only examples of what you’ll see in the TUI. IPs/domains are anonymized.

PCAP Viewer
babyshark   Overview  flows:114 packets:4227  tcp:on udp:on q=—

Overview  (D domains, W weird, F flows)
In plain English
Packets: 4227   Flows: 114   Top talker: 10.0.0.6 (2711.9KB)   Top talker (pkts): 10.0.0.6 (4046 pkts)
Live: 88s   pps~14.6   dropped~0   | last: Capturing on 'Wi‑Fi: en0'

pps: ▁▁▂▂▃▄▅▆▆▇▆▅▄▃▂▂▁  (max 1372/bucket)

Top flow (bytes): UDP 10.0.0.6:57315 ↔ 203.0.113.123:443 (1359.3KB)
Top flow (pkts):  UDP 10.0.0.6:57315 ↔ 203.0.113.123:443 (1284 pkts)

What should I click?
• Domains (human view)  (press D)
• Weird stuff (troubleshoot)  (press W)
• Flows (raw)  (press F)
  ↳ Detected: High-latency flows (rough) (29 flows)

Domains  (Enter show flows, s sort (conn/bytes/fail), c clear, Esc back)

  1 wikipedia.com                      conn=9  bytes=21.0KB  q=9  r=6  fail=0  ips=2
❯ 2 chat.openai.com                    conn=5  bytes=28.2KB  q=5  r=3  fail=0  ips=2

Domain details
chat.openai.com

queries=5 responses=3 failures=0

Observed IPs (from flows):
10.0.0.6
198.51.100.42

Tip: Enter applies a subset filter (prefers observed IPs; DNS IPs if available).

Weird stuff  (Enter show flows, c clear, Esc back)

❯ 1 High-latency flows (rough)                          flows=42
  2 TCP reliability hints (retransmits / out-of-order)  flows=16
  3 TCP resets (RST)                                    flows=11
  4 Handshake not completed                             flows=0
  5 DNS failures (NXDOMAIN/SERVFAIL)                    flows=0

Why it matters
High-latency flows (rough)

If a flow takes a long time and has lots of packets, it can indicate latency,
congestion, or retries. This is a rough heuristic and depends on correct timestamps.

Flows [LIVE en0] (63.8 pps)  (Enter packets, / filter, t/u toggles, b bookmark, E export, o overview)  subset=domain:chat.openai.com

  1 UDP  510   10.0.0.6:59175 ↔ 203.0.113.123:443
❯ 2 TCP   32   10.0.0.6:57608 ↔ 198.51.100.42:443

Details
TCP 10.0.0.6:57608 ↔ 198.51.100.42:443

A→B: 14 pkts / 1386 bytes
B→A: 26 pkts / 26307 bytes

bookmarks: 1
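The "Weird stuff" screen above groups flows into five categories (high latency, retransmits/out-of-order, RST, incomplete handshake, DNS failure). To make concrete what such per-flow heuristics look like, here is an added example, not babyshark's own code: a small classifier that aggregates packets into direction-independent flows and applies one rule per category. The rules and the latency thresholds are this example's assumptions (the page does not document babyshark's exact heuristics), and the sample packets are constructed, using RFC 5737 documentation addresses.

```python
"""Per-flow 'weird stuff' heuristics over a packet list.

Added example, not babyshark's code: the categories mirror the Weird-stuff
screen, but the rules and thresholds are this example's own assumptions.
The sample packets are constructed, not taken from a real capture.
"""
from dataclasses import dataclass, field
from typing import Optional

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits (tcp.flags in Wireshark)
SERVFAIL, NXDOMAIN = 2, 3                     # DNS RCODE values (RFC 1035)
LATENCY_SECS, LATENCY_PKTS = 5.0, 20          # assumed thresholds for the "rough" latency rule


@dataclass
class Packet:
    ts: float
    proto: str                       # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0                   # TCP flags
    seq: int = 0                     # TCP sequence number
    payload: int = 0                 # payload bytes
    dns_rcode: Optional[int] = None  # set on DNS responses


@dataclass
class Flow:
    first_ts: float
    last_ts: float
    pkts: int = 0
    syn: bool = False
    synack: bool = False
    ack: bool = False                # ACK seen after the SYN/ACK: handshake completed
    resets: int = 0
    retransmits: int = 0
    dns_failures: int = 0
    seen_seq: set = field(default_factory=set)


def flow_key(p: Packet):
    """Direction-independent 5-tuple so both halves of a conversation share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def build_flows(packets):
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        f = flows.setdefault(flow_key(p), Flow(first_ts=p.ts, last_ts=p.ts))
        f.last_ts = max(f.last_ts, p.ts)
        f.pkts += 1
        if p.proto == "TCP":
            if p.flags & SYN and not p.flags & ACK:
                f.syn = True
            elif p.flags & SYN and p.flags & ACK:
                f.synack = True
            elif f.synack and p.flags & ACK:
                f.ack = True
            if p.flags & RST:
                f.resets += 1
            if p.payload:  # same sender re-sending data at the same sequence number
                key = (p.src, p.sport, p.seq)
                if key in f.seen_seq:
                    f.retransmits += 1
                f.seen_seq.add(key)
        if p.dns_rcode in (SERVFAIL, NXDOMAIN):
            f.dns_failures += 1
    return flows


def classify(flows):
    cats = {"high_latency": [], "tcp_reliability": [], "tcp_reset": [],
            "handshake_incomplete": [], "dns_failure": []}
    for k, f in flows.items():
        if f.last_ts - f.first_ts > LATENCY_SECS and f.pkts >= LATENCY_PKTS:
            cats["high_latency"].append(k)
        if f.retransmits:
            cats["tcp_reliability"].append(k)
        if f.resets:
            cats["tcp_reset"].append(k)
        if f.syn and not (f.synack and f.ack):
            cats["handshake_incomplete"].append(k)
        if f.dns_failures:
            cats["dns_failure"].append(k)
    return cats


def sample_packets():
    """Constructed sample, not a real capture."""
    c, web, ssh, dns, quic = "10.0.0.6", "198.51.100.42", "203.0.113.7", "10.0.0.1", "203.0.113.123"
    pk = [
        # healthy handshake, then one data segment sent twice (retransmit)
        Packet(0.00, "TCP", c, 40000, web, 443, SYN, seq=0),
        Packet(0.05, "TCP", web, 443, c, 40000, SYN | ACK, seq=0),
        Packet(0.10, "TCP", c, 40000, web, 443, ACK, seq=1),
        Packet(0.20, "TCP", c, 40000, web, 443, ACK, seq=1, payload=100),
        Packet(1.20, "TCP", c, 40000, web, 443, ACK, seq=1, payload=100),
        # SYN answered by RST: closed port
        Packet(0.00, "TCP", c, 40001, ssh, 22, SYN),
        Packet(0.02, "TCP", ssh, 22, c, 40001, RST | ACK),
        # SYN that never gets an answer
        Packet(0.00, "TCP", c, 40002, "198.51.100.9", 443, SYN),
        # DNS query answered with NXDOMAIN
        Packet(0.00, "UDP", c, 53000, dns, 53),
        Packet(0.01, "UDP", dns, 53, c, 53000, dns_rcode=NXDOMAIN),
    ]
    # long-lived UDP flow: 25 packets spread over ~29 s
    pk += [Packet(1.2 * i, "UDP", c, 57315, quic, 443) for i in range(25)]
    return pk


if __name__ == "__main__":
    for name, keys in classify(build_flows(sample_packets())).items():
        print(f"{name:22s} flows={len(keys)}")
        for k in keys:
            print(f"    {k[0]} {k[1]}:{k[2]} <-> {k[3]}:{k[4]}")
```

Two design points carry over to any such detector: the flow key must be direction-independent, or a SYN and its RST land in different "flows" and the handshake rule never fires; and a flow can legitimately appear in several categories at once (the closed-port probe above is both a reset and an incomplete handshake), so the categories should be reported as overlapping lists rather than one label per flow. The latency rule is, as the page says, rough: it depends on honest timestamps and says nothing about which side was slow.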

Top-level:

  • o overview
  • D domains
  • W weird stuff
  • F flows
  • h help
  • g glossary
  • q quit

In views:

  • Enter drill down (domains/weird → flows, flows → packets)
  • Esc back
  • c clear active subset filter
  • ? explain selected flow
  • x dismiss onboarding hint (Overview)

Flows view:

  • ↑/↓ or j/k move
  • / filter
  • t / u toggle TCP / UDP
  • b bookmark flow
  • E export report

Packets view:

Stream view:

  • / search
  • n / N next / prev match
  • Tab / Shift-Tab cycle stream direction
  • ↑/↓ scroll

When you bookmark/export, babyshark writes next to the PCAP in a hidden directory:

  • .babyshark/case.json — bookmarks
  • .babyshark/report.md — latest report (overwritten)
  • .babyshark/report-YYYYMMDD-HHMMSS.md — versioned reports

These files live in the same directory as the capture, so anyone who can read the capture can usually read them too; bookmarks and reports describe flows from that capture, so treat them with the same sensitivity as the PCAP itself.

Roadmap:

  • Prettier onboarding + docs (screenshots/gifs)
  • --bpf capture filter pass-through for live mode
  • Even better protocol hints + flow classification
  • Improved TCP reassembly (gap/retransmit markers)
  • Homebrew/Scoop packaging

License: TBD (choose MIT/Apache-2.0/etc.)
