← Back to context

Comment by john_strinlai

11 hours ago

>So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.

i think there is definitely room for something like this, it just (at first glance from the readme at least) seems like the guided part of this tool is bolted on as a bit of an after thought.

it feels like you are currently in an odd position where the user is expected to know the networking jargon already, be able to recognize that something might be "weird" at a glance, but also not know how to drill down into the data. i think that is probably a small overlap of people.

if i were you, i would lean all-in on making it a learning tool.

>If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that.

i will put some thought into some real-world examples of what i would be interested in, from a teaching perspective. your post caught my eye because i am starting my wireshark module next week, so it is certainly timely.

1 comment

john_strinlai

Reply
eigen-vector  11 hours ago

Yeah, right now it's closer to "triage for non-experts" than "full teaching tool," and l agree there's an awkward middle where it assumes you recognize some concepts (flows/ports/latency) while trying to help with the drilldown.

The direction I want to push it in is exactly what you're describing; make it a learning tool, where each detector/view answers: 1) What am I seeing? (plain language) 2) Why might it matter? 3) What's the next click? 4) What term should I learn? (glossary link)

If you're about to teach a Wireshark module next week, two super useful things would be: • 3-5 common lab prompts you give students (e.g. "identify the DNS failure," "find the top talker," "spot a TCP reset," "why is this slow?") • one small pcap you already use (or even just describe its scenario)

I can tune Overview/Weird/Explain around those and make the guided layer feel like the main product rather than a thin overlay. Also: if your students are GUl-only early on, that's a good callout - I should improve the README to frame Babyshark as "guided analysis," not "terminal is easier than GUI."

I'm also happy for your students to get hands on by sending PRs for things they wish are intuitive from the get go.