I am in the target audience of "would like to see network activity and debug occasional traffic but totally overwhelmed by termshark." So I appreciate the "what should I click?" thing, and offering weird flows to investigate.
---
Some UX bits I noticed after playing around for a few minutes:
- Esc for backwards navigation was not obvious for me. Maybe emphasize that somehow, and/or support Backspace too for backnav?
- Enter on Domains menu item does not work
- don't mention clicking if mouse is not supported. "Select" would be more appropriate
- packets screen is truncated vertically and horizontally. Probably should be scrollable
- "weird stuff" options are numbered 1-5, but pressing those keys has no effect. There's lots of little polish fixes like this.
---
And then things I wonder about as a novice user:
- Is it possible to see domain names instead of IP addresses while e.g. looking at packets?
- What does it mean to f stream?
- How do I inspect packets? Especially compressed or encrypted data? This is more a knowledge gap, like "what am I supposed to look for", "what could be in a packet", and I guess involves reverse engineering sometimes, but it's also a tooling question.
Thanks a lot for trying. My experience with packet inspection is similar and that's what resulted in me trying to build a simpler plain language UI companion.
• Back navigation: good call. I'll make "Esc back" more explicit everywhere and add Backspace as an alias for back (and mention it in h help).
• Enter on Domains not working: it should drill down to flows. If you can share your OS/terminal + whether you installed from release vs cargo install, I'll try to reproduce and fix in the next release.
• "Clicking" wording: agreed — mouse isn't supported right now. I'll change Ul copy to say Select (and keep "Enter = drill down").
• Packets screen truncation: yep, needs scrolling/paging. On the list views I already do r/; l'll add page scroll and horizontal handling where it makes sense.
• Numbered weird options: great idea - I'll map 1..9 to jump-select and Enter (or open directly).
• Domain names in packets: yes, I want that. I already collect DNS/SNI/HTTP host hints; next step is showing hostname labels alongside IPs when I have more confident mapping.
• "f stream" definition: I'll clarify it as "Follow stream (reassembled payload)" and add a glossary/help entry.
• Inspecting encrypted/compressed data: totally fair. The tool can't decrypt TLS without keys, but it can make it clearer what's happening (SNI/ ALPN, sizes, timing, resets/retransmits). I'Il improve "Explain" to say what's possible vs not.
the overwhelming part of wireshark is, at least in my experience teaching networking at a college level, the actual networking part. protocols, flows, packet structure, etc. kids tend to be up to speed on the UI part pretty quickly.
what the kids in my classes really struggle with is actually using any command line stuff (at least for a month or two), because it is so foreign to them (coming from GUI-only experience).
what specific parts are made easier with babyshark, compared to wireshark? the github readme didnt really sell me on the "easier than GUI" part, nor did your description here. is it the "explain (plan-English hints)" part? if so, i think you should focus on that. right now it looks pretty bare bones (e.g. "Weird stuff" does not seem easier or super helpful from a learning perspective)
I remember going into my networking unit and absolutely destroying it through the use of the command line. Everyone else was clicking through the wireshark GUI and I just grepped every answer. Finished the hour long practical assessment in about 15 minutes having run everything twice.
CLI is so valuable because rather than explore a presentation of the data you plan your RE etc and then run it and it either returns the answer or it doesn't.
There are some TUIs I quite like (LNAV as a pager) but I think if you really know what you're dealing with the CLI is better almost every time.
I'm not trying to say it's better than the GUI but it hopes to be more guided. it’s *opinionated* about the first 60 seconds:
- *Overview dashboard*: immediately surfaces top talkers/flows + “what should I click next” instead of dropping you into the full packet list.
- *Domains-first pivot*: `D` shows hostnames and lets you jump from a domain → the relevant flows. It also works when DNS answers aren’t visible (DoH/DoT/cached) by using observed IPs from SNI/Host flows.
- *Weird stuff*: `W` is a curated set of “likely problems” (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible) with a short “why it matters” and a drill-down.
- *Explain*: `?` gives plain-English hints for a selected flow + suggested next steps (follow stream, filter, pivot to domains/weird).
So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.
If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that. Open to PRs as well.
>So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.
i think there is definitely room for something like this, it just (at first glance from the readme at least) seems like the guided part of this tool is bolted on as a bit of an after thought.
it feels like you are currently in an odd position where the user is expected to know the networking jargon already, be able to recognize that something might be "weird" at a glance, but also not know how to drill down into the data. i think that is probably a small overlap of people.
if i were you, i would lean all-in on making it a learning tool.
>If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that.
i will put some thought into some real-world examples of what i would be interested in, from a teaching perspective. your post caught my eye because i am starting my wireshark module next week, so it is certainly timely.
Yeah, right now it's closer to "triage for non-experts" than "full teaching tool," and l agree there's an awkward middle where it assumes you recognize some concepts (flows/ports/latency) while trying to help with the drilldown.
The direction I want to push it in is exactly what you're describing; make it a learning tool, where each detector/view answers:
1) What am I seeing? (plain language)
2) Why might it matter?
3) What's the next click?
4) What term should I learn? (glossary link)
If you're about to teach a Wireshark module next week, two super useful things would be:
• 3-5 common lab prompts you give students (e.g.
"identify the DNS failure," "find the top talker,"
"spot a TCP reset," "why is this slow?")
• one small pcap you already use (or even just describe its scenario)
I can tune Overview/Weird/Explain around those and make the guided layer feel like the main product rather than a thin overlay.
Also: if your students are GUl-only early on, that's a good callout - I should improve the README to frame Babyshark as "guided analysis," not
"terminal is easier than GUI."
I'm also happy for your students to get hands on by sending PRs for things they wish are intuitive from the get go.
I was with your parent until I remembered I haven't actually given it a go! In my defense I have a low five digit Slashdot ID (and I lurked for some years before signing up) so if anyone can comment without actually reading the OP, let alone giving it a go: Its me!
OK, rustup etc installed and it looks amazing and there is lots of great stuff in the initial view - I'm investigating "Weird stuff".
I completely get where you are going with this tool and I think you have absolutely nailed it except for the very, very initial bit. I think running babyshark with no params should effectively run babyshark --list-ifaces and ask for which one(s) to use. That's what wireshark does.
You might also spell out that capital letters mean just that. Is there a reason for capital letters being needed in the first place for actions?
I remember Ethereal and when Wireshark came out. Your babyshark looks like a pretty decent way to get non experts into looking at pcaps.
Thanks a lot. No reason to have upper case letters besides forcing intent and not move on accidental key presses. However, I have 'q' not mapped to upper case so I missed the obvious footgun :)
This might be a clone of termshark as it does the same thing for the most part. Also to note that the Author's Github profile shows a good bit of vibe coding as of late.
Looking over the commit history of this project, I'm about 90% sure it was entirely done with a AI Coding Agent, and not even a very good one.
Thanks for the look. Babyshark is inspired by a bunch of terminal tools (termshark included), but the focus here is different: domains/weirdness-first drilldowns + "explain" + live-mode hostname hints (including observed IPs when DNS is encrypted/cached). If you try it and have specific gaps vs termshark, I'd love concrete feedback /issues.
This isn't meant as a replacement for tshark. It actually uses tshark for the live capture part.
tshark is the engine; Babyshark is the guided Ul on top of it.
• tshark: raw packet/field dump + powerful filters, but you have to know what fields to ask for and how to stitch the story together.
• Babyshark: gives you an opinionated workflow (Overview → Domains/Weird → Flows → Packets/ Stream) with "explain/why it matters" text, curated detectors, and one-key drilldowns.
For live capture, Babyshark uses tshark -T fields to extract things like DNS qname / TLS SNI / HTTP host; for offline PCAP it parses enough to build flows + summaries.
So: if you already live in tshark one-liners, tshark is faster. If you're trying to understand what's happening or teach/debug quickly, Babyshark is a nicer front-end.
---
Some UX bits I noticed after playing around for a few minutes:
- Esc for backwards navigation was not obvious for me. Maybe emphasize that somehow, and/or support Backspace too for backnav?
- Enter on Domains menu item does not work
- don't mention clicking if mouse is not supported. "Select" would be more appropriate
- packets screen is truncated vertically and horizontally. Probably should be scrollable
- "weird stuff" options are numbered 1-5, but pressing those keys has no effect. There's lots of little polish fixes like this.
---
And then things I wonder about as a novice user:
- Is it possible to see domain names instead of IP addresses while e.g. looking at packets?
- What does it mean to f stream?
- How do I inspect packets? Especially compressed or encrypted data? This is more a knowledge gap, like "what am I supposed to look for", "what could be in a packet", and I guess involves reverse engineering sometimes, but it's also a tooling question.
• Back navigation: good call. I'll make "Esc back" more explicit everywhere and add Backspace as an alias for back (and mention it in h help).
• Enter on Domains not working: it should drill down to flows. If you can share your OS/terminal + whether you installed from release vs cargo install, I'll try to reproduce and fix in the next release.
• "Clicking" wording: agreed — mouse isn't supported right now. I'll change Ul copy to say Select (and keep "Enter = drill down").
• Packets screen truncation: yep, needs scrolling/paging. On the list views I already do r/; l'll add page scroll and horizontal handling where it makes sense.
• Numbered weird options: great idea - I'll map 1..9 to jump-select and Enter (or open directly).
• Domain names in packets: yes, I want that. I already collect DNS/SNI/HTTP host hints; next step is showing hostname labels alongside IPs when I have more confident mapping.
• "f stream" definition: I'll clarify it as "Follow stream (reassembled payload)" and add a glossary/help entry.
• Inspecting encrypted/compressed data: totally fair. The tool can't decrypt TLS without keys, but it can make it clearer what's happening (SNI/ ALPN, sizes, timing, resets/retransmits). I'Il improve "Explain" to say what's possible vs not.
Super useful feedback thanks!
what the kids in my classes really struggle with is actually using any command line stuff (at least for a month or two), because it is so foreign to them (coming from GUI-only experience).
what specific parts are made easier with babyshark, compared to wireshark? the github readme didnt really sell me on the "easier than GUI" part, nor did your description here. is it the "explain (plan-English hints)" part? if so, i think you should focus on that. right now it looks pretty bare bones (e.g. "Weird stuff" does not seem easier or super helpful from a learning perspective)
CLI is so valuable because rather than explore a presentation of the data you plan your RE etc and then run it and it either returns the answer or it doesn't.
There are some TUIs I quite like (LNAV as a pager) but I think if you really know what you're dealing with the CLI is better almost every time.
- *Overview dashboard*: immediately surfaces top talkers/flows + “what should I click next” instead of dropping you into the full packet list. - *Domains-first pivot*: `D` shows hostnames and lets you jump from a domain → the relevant flows. It also works when DNS answers aren’t visible (DoH/DoT/cached) by using observed IPs from SNI/Host flows. - *Weird stuff*: `W` is a curated set of “likely problems” (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible) with a short “why it matters” and a drill-down. - *Explain*: `?` gives plain-English hints for a selected flow + suggested next steps (follow stream, filter, pivot to domains/weird).
So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.
If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that. Open to PRs as well.
i think there is definitely room for something like this, it just (at first glance from the readme at least) seems like the guided part of this tool is bolted on as a bit of an after thought.
it feels like you are currently in an odd position where the user is expected to know the networking jargon already, be able to recognize that something might be "weird" at a glance, but also not know how to drill down into the data. i think that is probably a small overlap of people.
if i were you, i would lean all-in on making it a learning tool.
>If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that.
i will put some thought into some real-world examples of what i would be interested in, from a teaching perspective. your post caught my eye because i am starting my wireshark module next week, so it is certainly timely.
The direction I want to push it in is exactly what you're describing; make it a learning tool, where each detector/view answers: 1) What am I seeing? (plain language) 2) Why might it matter? 3) What's the next click? 4) What term should I learn? (glossary link)
If you're about to teach a Wireshark module next week, two super useful things would be: • 3-5 common lab prompts you give students (e.g. "identify the DNS failure," "find the top talker," "spot a TCP reset," "why is this slow?") • one small pcap you already use (or even just describe its scenario)
I can tune Overview/Weird/Explain around those and make the guided layer feel like the main product rather than a thin overlay. Also: if your students are GUl-only early on, that's a good callout - I should improve the README to frame Babyshark as "guided analysis," not "terminal is easier than GUI."
I'm also happy for your students to get hands on by sending PRs for things they wish are intuitive from the get go.
(digs out git ...)
I completely get where you are going with this tool and I think you have absolutely nailed it except for the very, very initial bit. I think running babyshark with no params should effectively run babyshark --list-ifaces and ask for which one(s) to use. That's what wireshark does.
You might also spell out that capital letters mean just that. Is there a reason for capital letters being needed in the first place for actions?
I remember Ethereal and when Wireshark came out. Your babyshark looks like a pretty decent way to get non experts into looking at pcaps.
Thank you for your work
Looking over the commit history of this project, I'm about 90% sure it was entirely done with a AI Coding Agent, and not even a very good one.
tshark is the engine; Babyshark is the guided Ul on top of it. • tshark: raw packet/field dump + powerful filters, but you have to know what fields to ask for and how to stitch the story together. • Babyshark: gives you an opinionated workflow (Overview → Domains/Weird → Flows → Packets/ Stream) with "explain/why it matters" text, curated detectors, and one-key drilldowns.
For live capture, Babyshark uses tshark -T fields to extract things like DNS qname / TLS SNI / HTTP host; for offline PCAP it parses enough to build flows + summaries.
So: if you already live in tshark one-liners, tshark is faster. If you're trying to understand what's happening or teach/debug quickly, Babyshark is a nicer front-end.