the overwhelming part of wireshark is, at least in my experience teaching networking at a college level, the actual networking part. protocols, flows, packet structure, etc. kids tend to be up to speed on the UI part pretty quickly.
what the kids in my classes really struggle with is actually using any command line stuff (at least for a month or two), because it is so foreign to them (coming from GUI-only experience).
what specific parts are made easier with babyshark, compared to wireshark? the github readme didnt really sell me on the "easier than GUI" part, nor did your description here. is it the "explain (plan-English hints)" part? if so, i think you should focus on that. right now it looks pretty bare bones (e.g. "Weird stuff" does not seem easier or super helpful from a learning perspective)
I remember going into my networking unit and absolutely destroying it through the use of the command line. Everyone else was clicking through the wireshark GUI and I just grepped every answer. Finished the hour long practical assessment in about 15 minutes having run everything twice.
CLI is so valuable because rather than explore a presentation of the data you plan your RE etc and then run it and it either returns the answer or it doesn't.
There are some TUIs I quite like (LNAV as a pager) but I think if you really know what you're dealing with the CLI is better almost every time.
There's a layer above that, when CLI and bash and sed and tshark are becoming too hairy or slow, and it's 'just' parsing the pcap frames in your language of productivity. Over the years I've built layer over layer of optimized Java code to parse and analyze pcap/pcapng files with either visitor patterns or active iterations (and multi-pass analyses through indexation, or just interfacing with duckdb for months-long-capture analysis to surface low signal-to-noise-ratio events). It builds a good understanding of all the layers and brings the power of a full-featured workbench (language, IDE, libraries, visualization options...).
Built it in Java, and rebuilt it in Ada, and Rust. I find it's a good exercise to learn about a programming language... bonus point, once I have a parser, plugging it live behind libpcap, dpdk, xdp, or just raw sockets is easy.
>CLI is so valuable because [...]
indeed! command line is great.
however, ~99.8% of 18 year old students have never used any command line tool in their lives. they do not know what grep is. they can navigate a gui because they have used a gui all of their life.
when im teaching networking for example, using a gui means i only need to teach one thing (networking), where if i use a cli i have to teach two things (cli + networking)
>I think if you really know what you're dealing with the CLI is better almost every time
to be clear, i was not making an argument that gui is better in general.
i am speaking as someone who teaches introductory networking courses at a 1st-year college level. no one i teach "really knows" what they are dealing with because it is the first time they are learning about it.
I'm not trying to say it's better than the GUI but it hopes to be more guided. it’s *opinionated* about the first 60 seconds:
- *Overview dashboard*: immediately surfaces top talkers/flows + “what should I click next” instead of dropping you into the full packet list. - *Domains-first pivot*: `D` shows hostnames and lets you jump from a domain → the relevant flows. It also works when DNS answers aren’t visible (DoH/DoT/cached) by using observed IPs from SNI/Host flows. - *Weird stuff*: `W` is a curated set of “likely problems” (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible) with a short “why it matters” and a drill-down. - *Explain*: `?` gives plain-English hints for a selected flow + suggested next steps (follow stream, filter, pivot to domains/weird).
So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.
If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that. Open to PRs as well.
>So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.
i think there is definitely room for something like this, it just (at first glance from the readme at least) seems like the guided part of this tool is bolted on as a bit of an after thought.
it feels like you are currently in an odd position where the user is expected to know the networking jargon already, be able to recognize that something might be "weird" at a glance, but also not know how to drill down into the data. i think that is probably a small overlap of people.
if i were you, i would lean all-in on making it a learning tool.
>If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that.
i will put some thought into some real-world examples of what i would be interested in, from a teaching perspective. your post caught my eye because i am starting my wireshark module next week, so it is certainly timely.
Yeah, right now it's closer to "triage for non-experts" than "full teaching tool," and l agree there's an awkward middle where it assumes you recognize some concepts (flows/ports/latency) while trying to help with the drilldown.
The direction I want to push it in is exactly what you're describing; make it a learning tool, where each detector/view answers: 1) What am I seeing? (plain language) 2) Why might it matter? 3) What's the next click? 4) What term should I learn? (glossary link)
If you're about to teach a Wireshark module next week, two super useful things would be: • 3-5 common lab prompts you give students (e.g. "identify the DNS failure," "find the top talker," "spot a TCP reset," "why is this slow?") • one small pcap you already use (or even just describe its scenario)
I can tune Overview/Weird/Explain around those and make the guided layer feel like the main product rather than a thin overlay. Also: if your students are GUl-only early on, that's a good callout - I should improve the README to frame Babyshark as "guided analysis," not "terminal is easier than GUI."
I'm also happy for your students to get hands on by sending PRs for things they wish are intuitive from the get go.
I was with your parent until I remembered I haven't actually given it a go! In my defense I have a low five digit Slashdot ID (and I lurked for some years before signing up) so if anyone can comment without actually reading the OP, let alone giving it a go: Its me!
(digs out git ...)
OK, rustup etc installed and it looks amazing and there is lots of great stuff in the initial view - I'm investigating "Weird stuff".
I completely get where you are going with this tool and I think you have absolutely nailed it except for the very, very initial bit. I think running babyshark with no params should effectively run babyshark --list-ifaces and ask for which one(s) to use. That's what wireshark does.
You might also spell out that capital letters mean just that. Is there a reason for capital letters being needed in the first place for actions?
I remember Ethereal and when Wireshark came out. Your babyshark looks like a pretty decent way to get non experts into looking at pcaps.
Thank you for your work
Thanks a lot. No reason to have upper case letters besides forcing intent and not move on accidental key presses. However, I have 'q' not mapped to upper case so I missed the obvious footgun :)
This has been addressed and is in main now :) thanks again!