
Show HN: Babyshark – Wireshark made easy (terminal UI for PCAPs)

21 points | 3 hours ago | github.com

Hey all, I built babyshark, a terminal UI for PCAPs aimed at people who find Wireshark powerful but overwhelming.

The goal is “PCAPs for humans”:

- Overview dashboard answers what’s happening + what to click next
- Domains view (hostnames first) → select a domain → jump straight to relevant flows (works even when DNS is encrypted/cached by using observed IPs from flows)
- Weird stuff view surfaces common failure/latency signals (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible)

From there you can drill down: Flows → Packets → Explain (plain-English hints) / follow stream

Commands:

- Offline: `babyshark --pcap capture.pcap`
- Live (requires tshark): `babyshark --list-ifaces` then `babyshark --live en0`

Repo + v0.1.0 release: https://github.com/vignesh07/babyshark

Would love feedback on UX + what “weird detectors” you’d want next.

john_strinlai, 47 minutes ago

the overwhelming part of wireshark is, at least in my experience teaching networking at a college level, the actual networking part. protocols, flows, packet structure, etc. kids tend to be up to speed on the UI part pretty quickly.

what the kids in my classes really struggle with is actually using any command line stuff (at least for a month or two), because it is so foreign to them (coming from GUI-only experience).

what specific parts are made easier with babyshark, compared to wireshark? the github readme didn't really sell me on the "easier than GUI" part, nor did your description here. is it the "explain (plain-English hints)" part? if so, i think you should focus on that. right now it looks pretty bare bones (e.g. "Weird stuff" does not seem easier or super helpful from a learning perspective)

eigen-vector, 43 minutes ago

I'm not trying to say it's better than the GUI, but it hopes to be more guided. It’s *opinionated* about the first 60 seconds:

- *Overview dashboard*: immediately surfaces top talkers/flows + “what should I click next” instead of dropping you into the full packet list.
- *Domains-first pivot*: `D` shows hostnames and lets you jump from a domain → the relevant flows. It also works when DNS answers aren’t visible (DoH/DoT/cached) by using observed IPs from SNI/Host flows.
- *Weird stuff*: `W` is a curated set of “likely problems” (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible) with a short “why it matters” and a drill-down.
- *Explain*: `?` gives plain-English hints for a selected flow + suggested next steps (follow stream, filter, pivot to domains/weird).

So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.

If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that. Open to PRs as well.
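To make the two mechanisms in the reply above concrete (the domains-first pivot that survives encrypted or cached DNS by keying on SNI-observed server IPs, and the "weird stuff" detectors), here is a toy illustration written for this page. It is not babyshark's code; it runs over a constructed list of already-decoded packet records instead of a real PCAP, and the record field names (`flow`, `flags`, `seq`, `length`, `sni`, `dns`) are assumptions.

```python
"""Toy versions of the domain pivot and 'weird stuff' heuristics.

Added example, not babyshark's own code. Input is a constructed list of
pre-decoded packet records so it runs offline; field names are assumptions.
"""
from collections import Counter, defaultdict

CLIENT = "10.0.0.5"

# Constructed records. flow = (src, sport, dst, dport); flags = TCP flag letters
# ("" for UDP); seq = relative sequence number; length = payload bytes;
# sni = hostname from a TLS ClientHello or None; dns = (name, rcode) or None.
# Note there is no DNS answer for example.com anywhere: the pivot must use SNI.
PACKETS = [
    # Flow A: clean handshake, ClientHello with SNI, then that segment retransmitted.
    {"flow": (CLIENT, 51000, "93.184.216.34", 443), "flags": "S", "seq": 0, "length": 0, "sni": None, "dns": None},
    {"flow": ("93.184.216.34", 443, CLIENT, 51000), "flags": "SA", "seq": 0, "length": 0, "sni": None, "dns": None},
    {"flow": (CLIENT, 51000, "93.184.216.34", 443), "flags": "PA", "seq": 1, "length": 517, "sni": "example.com", "dns": None},
    {"flow": (CLIENT, 51000, "93.184.216.34", 443), "flags": "PA", "seq": 1, "length": 517, "sni": "example.com", "dns": None},
    # Flow B: SYN retried, never answered with SYN-ACK, then reset by the peer.
    {"flow": (CLIENT, 51001, "203.0.113.7", 443), "flags": "S", "seq": 0, "length": 0, "sni": None, "dns": None},
    {"flow": (CLIENT, 51001, "203.0.113.7", 443), "flags": "S", "seq": 0, "length": 0, "sni": None, "dns": None},
    {"flow": ("203.0.113.7", 443, CLIENT, 51001), "flags": "RA", "seq": 0, "length": 0, "sni": None, "dns": None},
    # A DNS reply with rcode 3 (NXDOMAIN) for an unrelated name.
    {"flow": ("10.0.0.53", 53, CLIENT, 40000), "flags": "", "seq": 0, "length": 80, "sni": None, "dns": ("missing.example.net", 3)},
]


def reverse(flow):
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


def canonical(flow):
    """Direction-independent key so both halves of a conversation group together."""
    return min(flow, reverse(flow))


def domain_pivot(packets):
    """hostname -> sorted server IPs, learned purely from SNI observations."""
    ips = defaultdict(set)
    for p in packets:
        if p["sni"]:
            ips[p["sni"]].add(p["flow"][2])  # destination of the ClientHello
    return {name: sorted(v) for name, v in ips.items()}


def flows_for_domain(packets, domain):
    """The Domains -> Flows jump: conversations touching an IP seen for `domain`."""
    targets = set(domain_pivot(packets).get(domain, []))
    return sorted({canonical(p["flow"]) for p in packets
                   if p["flow"][0] in targets or p["flow"][2] in targets})


def weird_stuff(packets):
    """Cheap signals: retransmits, resets, DNS failures, unanswered SYNs.

    Returns (kind, subject, why-it-matters) tuples in detection order,
    with handshake findings appended once the whole capture has been seen.
    """
    findings = []
    seen = Counter()
    syn_sent, synack_seen = set(), set()
    for p in packets:
        flow, flags = p["flow"], p["flags"]
        # A data-bearing segment (or a SYN) seen twice with the same seq is a retransmit.
        if p["length"] > 0 or "S" in flags:
            key = (flow, p["seq"], flags)
            seen[key] += 1
            if seen[key] == 2:
                findings.append(("retransmit", canonical(flow), "same segment seen again: loss or slow ACK"))
        if "R" in flags:
            findings.append(("reset", canonical(flow), "peer tore the connection down"))
        if flags == "S":
            syn_sent.add(flow)
        if "S" in flags and "A" in flags:
            synack_seen.add(reverse(flow))  # the SYN-ACK answers the reverse direction
        if p["dns"] and p["dns"][1] != 0:
            findings.append(("dns_failure", p["dns"][0], "rcode %d" % p["dns"][1]))
    for flow in sorted(syn_sent - synack_seen):
        findings.append(("handshake", canonical(flow), "SYN never answered with SYN-ACK"))
    return findings


if __name__ == "__main__":
    print("domains:", domain_pivot(PACKETS))
    print("flows for example.com:", flows_for_domain(PACKETS, "example.com"))
    for kind, subject, why in weird_stuff(PACKETS):
        print(kind, subject, "-", why)
```

Run as-is, the pivot finds example.com only through SNI (there is no DNS for it in the records), and the detector flags the retransmit in flow A, the SYN retry, reset and failed handshake in flow B, and the NXDOMAIN reply. A real tool would source the same fields from tshark's decoded output and would also consult DNS answers and HTTP Host headers when they are visible.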

jetbalsa, 2 hours ago

This might be a clone of termshark as it does the same thing for the most part. Also to note that the author's GitHub profile shows a good bit of vibe coding as of late.

Looking over the commit history of this project, I'm about 90% sure it was entirely done with an AI coding agent, and not even a very good one.

eigen-vector, 1 hour ago

Thanks for the look. Babyshark is inspired by a bunch of terminal tools (termshark included), but the focus here is different: domains/weirdness-first drilldowns + "explain" + live-mode hostname hints (including observed IPs when DNS is encrypted/cached). If you try it and have specific gaps vs termshark, I'd love concrete feedback/issues.

bombcar, 2 hours ago

WHILE DO; DO; DO; DO; DO; DO