Show HN: Babyshark – Wireshark made easy (terminal UI for PCAPs) (github.com)

151 points by eigen-vector ↗ HN
Hey all, I built babyshark, a terminal UI for PCAPs aimed at people who find Wireshark powerful but overwhelming.

The goal is “PCAPs for humans”: Overview dashboard answers what’s happening + what to click next

Domains view (hostnames first) → select a domain → jump straight to relevant flows (works even when DNS is encrypted/cached by using observed IPs from flows)

Weird stuff view surfaces common failure/latency signals (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible)

From there you can drill down: Flows → Packets → Explain (plain-English hints) / follow stream

Commands: Offline: babyshark --pcap capture.pcap

Live (requires tshark): babyshark --list-ifaces then babyshark --live en0

Repo + v0.1.0 release: https://github.com/vignesh07/babyshark

Would love feedback on UX + what “weird detectors” you’d want next.

21 comments

[ 3.0 ms ] story [ 38.6 ms ] thread
This might be a clone of termshark as it does the same thing for the most part. Also to note that the Author's Github profile shows a good bit of vibe coding as of late.

Looking over the commit history of this project, I'm about 90% sure it was entirely done with a AI Coding Agent, and not even a very good one.

It probably is somewhat LLM prompted but is that a bad thing?

I have a business partner who sounds like a TV evangelist when it comes to vibe coding but if he gets results then I am all in. He has got quite a lot of results in a few months on a project but he has certainly put the miles in himself.

The key is to use the tool appropriately. Don't blindly allow it to do what it likes but guide it all the way using your experience and knowledge.

Anyway, we now have tsharkrs to add to gotshark!

The keyword here is "built". I find when people use that, instead of "wrote", it's just AI slop.

That only works if there's a sliver of honesty left though.

I like using put together a program, that sounds just about right for our current AI Overlords
the overwhelming part of wireshark is, at least in my experience teaching networking at a college level, the actual networking part. protocols, flows, packet structure, etc. kids tend to be up to speed on the UI part pretty quickly.

what the kids in my classes really struggle with is actually using any command line stuff (at least for a month or two), because it is so foreign to them (coming from GUI-only experience).

what specific parts are made easier with babyshark, compared to wireshark? the github readme didnt really sell me on the "easier than GUI" part, nor did your description here. is it the "explain (plan-English hints)" part? if so, i think you should focus on that. right now it looks pretty bare bones (e.g. "Weird stuff" does not seem easier or super helpful from a learning perspective)

I remember going into my networking unit and absolutely destroying it through the use of the command line. Everyone else was clicking through the wireshark GUI and I just grepped every answer. Finished the hour long practical assessment in about 15 minutes having run everything twice.

CLI is so valuable because rather than explore a presentation of the data you plan your RE etc and then run it and it either returns the answer or it doesn't.

There are some TUIs I quite like (LNAV as a pager) but I think if you really know what you're dealing with the CLI is better almost every time.

>CLI is so valuable because [...]

indeed! command line is great.

however, ~99.8% of 18 year old students have never used any command line tool in their lives. they do not know what grep is. they can navigate a gui because they have used a gui all of their life.

when im teaching networking for example, using a gui means i only need to teach one thing (networking), where if i use a cli i have to teach two things (cli + networking)

>I think if you really know what you're dealing with the CLI is better almost every time

to be clear, i was not making an argument that gui is better in general.

i am speaking as someone who teaches introductory networking courses at a 1st-year college level. no one i teach "really knows" what they are dealing with because it is the first time they are learning about it.

(comment deleted)
How does it compare against tshark?
I am in the target audience of "would like to see network activity and debug occasional traffic but totally overwhelmed by termshark." So I appreciate the "what should I click?" thing, and offering weird flows to investigate.

---

Some UX bits I noticed after playing around for a few minutes:

- Esc for backwards navigation was not obvious for me. Maybe emphasize that somehow, and/or support Backspace too for backnav?

- Enter on Domains menu item does not work

- don't mention clicking if mouse is not supported. "Select" would be more appropriate

- packets screen is truncated vertically and horizontally. Probably should be scrollable

- "weird stuff" options are numbered 1-5, but pressing those keys has no effect. There's lots of little polish fixes like this.

---

And then things I wonder about as a novice user:

- Is it possible to see domain names instead of IP addresses while e.g. looking at packets?

- What does it mean to f stream?

- How do I inspect packets? Especially compressed or encrypted data? This is more a knowledge gap, like "what am I supposed to look for", "what could be in a packet", and I guess involves reverse engineering sometimes, but it's also a tooling question.

Regardless of the result of the TUI - I'd try this out just because you found the perfect name. Well done!
As a parent and a former network engineer, I both love you and hate you for choosing this name.
Love the idea, but please add some demo screenshots on GitHub. All UI tools should
Sometimes projects are created and then named, this was named and then created.
What's funny is that wireshark/tshark were created (first as "Ethereal") as a "friendlier" tcpdump, with more protocol analyzers.
Very cool, reminds me of sngrep, which I really like for analyzing SIP pcaps
Great idea, would it be possible to make it possible to add my own custom tshark one liners under weird stuff? For example, sometimes I find myself troubleshooting TCP retransmission issues that is specific to proprietary applications and that may not be relevant everyone else to have by default.

As an aside, I was thinking about something similar to this tool for a while now after seeing this post (https://news.ycombinator.com/item?id=46723990) where someone was using Claude to troubleshoot a PCAP. It made me think that it would be nice just to have a nice collection of tshark one-liners to quickly weed out any weird stuff right off the bat. I would assume that it would be a lot more performant than using a LLM and more scalable if you have large PCAP files.

I know that his has been done at least partially with an LLM because of the wording in the TUI.