Comment by Affric

19 hours ago

I remember going into my networking unit and absolutely destroying it through the use of the command line. Everyone else was clicking through the Wireshark GUI and I just grepped every answer. Finished the hour-long practical assessment in about 15 minutes, having run everything twice.

CLI is so valuable because, rather than exploring a presentation of the data, you plan your RE etc., then run it, and it either returns the answer or it doesn't.

There are some TUIs I quite like (LNAV as a pager) but I think if you really know what you're dealing with the CLI is better almost every time.

There's a layer above that, when CLI and bash and sed and tshark are becoming too hairy or slow, and it's 'just' parsing the pcap frames in your language of productivity. Over the years I've built layer over layer of optimized Java code to parse and analyze pcap/pcapng files with either visitor patterns or active iterations (and multi-pass analyses through indexation, or just interfacing with duckdb for months-long-capture analysis to surface low signal-to-noise-ratio events). It builds a good understanding of all the layers and brings the power of a full-featured workbench (language, IDE, libraries, visualization options...).

Built it in Java, and rebuilt it in Ada, and Rust. I find it's a good exercise to learn about a programming language... bonus point, once I have a parser, plugging it live behind libpcap, dpdk, xdp, or just raw sockets is easy.
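The "parse the pcap frames in your own language" approach described above, as an added example that is not code from either commenter: a minimal libpcap (`.pcap`) reader in Python that walks the global header and per-record headers, decodes Ethernet/IPv4/TCP far enough to count flows by destination port, and stops cleanly at a record that was cut off mid-write. The capture it reads is constructed in memory by `build_sample_pcap()` (two TCP SYNs to port 443, one UDP datagram, and one truncated TCP record); all addresses, ports and timestamps in it are made-up sample values.

```python
import struct
from collections import Counter
from typing import Iterator, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read with "<I" from a big-endian file
LINKTYPE_ETHERNET = 1


def pcap_records(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame_bytes) for each record of a libpcap file.

    Sniffs the magic to pick the byte order and stops at a truncated trailing
    record instead of yielding garbage (captures cut off mid-write are common)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError(f"unknown pcap magic {magic:#x}")
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # record header promises more bytes than the file has
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame: bytes) -> Optional[dict]:
    """Decode Ethernet -> IPv4 -> TCP; return None for any other frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(ip) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "ttl": ttl, "flags": off_flags & 0x1FF}


def flow_counts(data: bytes) -> Counter:
    """Count TCP frames per (src, dst, dport), the kind of single-pass tally one would otherwise grep for."""
    counts: Counter = Counter()
    for _ts, frame in pcap_records(data):
        tcp = decode_tcp(frame)
        if tcp is not None:
            counts[(tcp["src"], tcp["dst"], tcp["dport"])] += 1
    return counts


# --- constructed sample capture (not a real trace) -------------------------
def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def _tcp(sport: int, dport: int, flags: int) -> bytes:
    # data offset 5 words in the high nibble, flags in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)


def _frame(ip_packet: bytes) -> bytes:
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def build_sample_pcap() -> bytes:
    """Two SYNs to :443, one UDP datagram, then a TCP record chopped short."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        _frame(_ipv4("10.0.0.1", "10.0.0.2", 6, _tcp(40000, 443, 0x002))),
        _frame(_ipv4("10.0.0.1", "10.0.0.2", 6, _tcp(40001, 443, 0x002))),
        _frame(_ipv4("10.0.0.1", "10.0.0.3", 17, b"\x00\x35\x00\x35\x00\x08\x00\x00")),
        _frame(_ipv4("10.0.0.9", "10.0.0.2", 6, _tcp(40002, 22, 0x002))),
    ]
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out[:-10]  # simulate a capture that was cut off mid-record


if __name__ == "__main__":
    for key, n in flow_counts(build_sample_pcap()).items():
        print(key, n)
```

The parser is deliberately strict about what it accepts (one link type, IPv4 only, no IP options beyond the IHL walk) so that anything it does not understand is skipped rather than misread; for a production tool the same skeleton extends naturally to pcapng blocks, VLAN tags and IPv6, and the per-record loop is where a multi-pass index or a DuckDB sink would hook in.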