Specialized command-line productivity tool that brings Wireshark-level field awareness to TShark display filters through advanced Zsh autocompletion.
- TShark display filter automation
- Hierarchical protocol and field resolution
TShark Advanced Zsh Autocomplete is a specialized Zsh plugin designed to dramatically improve the usability of TShark by providing deep, protocol-aware, and hierarchical autocompletion for display filters (-Y) and extracted fields (-e). Unlike traditional shell completions that only suggest flat protocol names or static options, this tool understands the internal structure of TShark fields.
- Hierarchical Field Autocomplete: Progressively completes fields level by level (
http.request.uri.path) - Protocol-Aware Suggestions: Only valid protocol headings and fields are suggested
- Display Filter Support: Full autocomplete for the
-Ydisplay filter option - Field Extraction Support: Autocomplete for
-eextracted field definitions - Oh My Zsh Compatible: Uses native Zsh completion mechanisms
- Zsh: Required shell environment
- TShark / Wireshark: Needed for packet analysis and field definitions
- Oh My Zsh: Recommended for plugin management
- Python 3: Required only if regenerating field databases
# Navigate to Oh My Zsh custom plugins directory
cd ~/.oh-my-zsh/custom/plugins
# Clone the repository
git clone https://github.com/Yoswell/zsh_tshark_autocomplete.gitAdd the plugin to your plugin list:
plugins=(
zsh_tshark_autocomplete
)
if [ -f ~/.oh-my-zsh/custom/plugins/zsh_tshark_autocomplete/zsh_tshark_autocomplete.plugin.zsh ]; then
source ~/.oh-my-zsh/custom/plugins/zsh_tshark_autocomplete/zsh_tshark_autocomplete.plugin.zsh
bindkey $key[Up] up-line-or-history
bindkey $key[Down] down-line-or-history
fi
source $ZSH/oh-my-zsh.shReload your shell:
source ~/.zshrcTip
First-Time Setup: After installation, restart your terminal to ensure Zsh reloads the completion system correctly.
The project includes a utility script to generate and maintain the field database:
python extract_fields.py- Extracts all available TShark fields
- Groups fields by protocol heading
- Normalizes and deduplicates field paths
- Preserves hierarchical structure
- Updates
headings.txtandfields/*.txt
The completion engine always suggests only the next valid level, ensuring clean and precise completions without overwhelming the user with irrelevant fields.
# Press [TAB] after typing 'http.'
VIsh0k@VIsh0k:~/Desktop$ tshark -r capture.pcap -T fields -Y 'http.'
# You will see the following completions
http.accept http.content_range http.path_sub_segment
http.accept_encoding http.content_type http.prev_request_in
http.accept_language http.cookie http.prev_response_in
http.authbasic http.cookie_pair http.proxy_authenticate
http.authcitrix http.date http.proxy_authorization
http.authorization http.decompression_disabled http.proxy_connect_host
http.bad_header_name http.decompression_failed http.proxy_connect_port
http.body http.excess_data http.range
# ...(omited content)This plugin integrates seamlessly into existing TShark-based workflows:
- Incident Response: Rapidly explore packet fields during investigations
- CTF Competitions: Accelerate filter writing under time pressure
- Network Debugging: Discover protocol internals interactively
- Detection Engineering: Validate and refine display filters quickly
The tool is especially useful when dealing with complex protocols where field names are difficult to memorize or inconsistently documented.
Accuracy Reminder: Autocomplete assists with discovery, but it does not validate filter logic or guarantee semantic correctness of display filters.
# Press [TAB] after typing 'http.request'
VIsh0k@VIsh0k:~/Desktop$ tshark -r capture.pcap -T fields -Y 'http.request. [TAB]'
# You will see the following completions
http.request.host http.request.method http.request.uri.path
# ...(omited content)# Press [TAB] after typing 'http.response.'
VIsh0k@VIsh0k:~/Desktop$ tshark -r capture.pcap -T fields -Y 'http' -e http.response.
# You will see the following completions
http.response.code http.response.content_type http.response.headers
# ...(omited content)Both options share the same hierarchical resolution logic and field database.
This project is licensed under the terms specified in the LICENSE file, was develop by VIsh0k