Tshark, Colorized

With color one obtains an energy that seems to stem from witchcraft. — Henri Matisse
2 min |  Ross Jacobs |  April 4, 2019



Part of the allure of Wireshark is the ability to identify networking problems with the use of color. Relatively recently, tshark has gained this ability too with the --color flag. This article goes over how to set it up on your system.

Demonstration of tshark --color on Windows, macOS, Linux, and BSD.

Using a compatible terminal

Whether tshark --color renders correctly depends on whether your terminal implements 24-bit “truecolor”. One way to check is to query the $COLORTERM environment variable: on a supporting terminal, echo $COLORTERM will return truecolor or 24bit.

This repo keeps track of whether your ${TERMINAL} supports truecolor, along with general truecolor information.

alias tshark='tshark --color'

I have tested truecolor and tshark --color compatibility across multiple terminals.
These are my recommendations:

Platform   Recommendations
Windows    Mobaxterm, WSL [1]
macOS      iTerm2, upterm
Linux      gnome-terminal, any terminal using libvte
BSD        gnome-terminal, any terminal using libvte

[1]: Note that you can call Powershell from Mobaxterm or WSL, but given that Powershell does not support truecolor, you are limited to using bash pseudo-terminals on Windows to get truecolor.

Windows Considerations

As with most things terminal, using tshark --color on Windows is harder.

The problem

NOTE: I filed a bug for tshark on Windows, and a fix may be available in the latest dev version of Wireshark.

  • The Windows version of tshark will print 16 colors, instead of 24-bit “truecolor”.
  • The Linux version of tshark usable by WSL and Mobaxterm can print in truecolor.
  • The Linux version of tshark (like tcpdump on WSL) is not able to capture packets. This is because raw sockets (SOCK_RAW/SOCK_PACKET) are not yet implemented in WSL.

The hack

I created a hack that will allow you to use tshark --color while capturing on Windows by using both Windows and Linux tsharks.

  1. Install Wireshark on Windows
  2. Install WSL
  3. Install tshark on WSL with sudo apt install tshark
  4. Add this bash function to your ~/.bashrc:
  5. source ~/.bashrc
  6. Test by live capturing with the tshark command with no options:
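One way to wire the truecolor check and the Windows/WSL hack together, as an added example that is not the author's .bashrc function: it assumes the Windows build of tshark sits under /mnt/c/Program Files/Wireshark, that the WSL kernel release string contains "Microsoft", and that the Windows tshark's pcapng written with -w - can be read by the Linux tshark with -r -.

```bash
# Added example, not the .bashrc function from the original post.
# Assumed location of the Windows build; override with WIN_TSHARK=... if needed.
WIN_TSHARK="${WIN_TSHARK:-/mnt/c/Program Files/Wireshark/tshark.exe}"

# Returns 0 when the terminal advertises 24-bit color through $COLORTERM.
# An explicit argument overrides the environment so the check is scriptable.
truecolor_supported() {
    case "${1-${COLORTERM-}}" in
        truecolor|24bit) return 0 ;;
        *)               return 1 ;;
    esac
}

# Returns 0 when running inside WSL (assumption: kernel release names Microsoft).
in_wsl() {
    case "$(uname -r 2>/dev/null)" in
        *[Mm]icrosoft*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Wrapper around tshark: only request --color on a truecolor terminal, and under
# WSL let the Windows binary (which can open the capture device) write a pcapng
# stream to stdout while the Linux binary (which prints truecolor) colorizes it.
# Any options given (for example -i <windows-interface>) go to the capturing side.
tshark() {
    local color_flag=
    if truecolor_supported; then color_flag=--color; fi
    if in_wsl && [ -x "$WIN_TSHARK" ]; then
        "$WIN_TSHARK" -w - "$@" | command tshark $color_flag -r -
    else
        command tshark $color_flag "$@"
    fi
}
```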