Hacker News

john_strinlai, yesterday at 10:46 PM (3 replies)

the overwhelming part of wireshark is, at least in my experience teaching networking at a college level, the actual networking part. protocols, flows, packet structure, etc. kids tend to be up to speed on the UI part pretty quickly.

what the kids in my classes really struggle with is actually using any command line stuff (at least for a month or two), because it is so foreign to them (coming from GUI-only experience).

what specific parts are made easier with babyshark, compared to wireshark? the github readme didn't really sell me on the "easier than GUI" part, nor did your description here. is it the "explain (plain-English hints)" part? if so, i think you should focus on that. right now it looks pretty bare bones (e.g. "Weird stuff" does not seem easier or super helpful from a learning perspective)


Replies

Affric, today at 12:01 AM

I remember going into my networking unit and absolutely destroying it through the use of the command line. Everyone else was clicking through the wireshark GUI and I just grepped every answer. Finished the hour long practical assessment in about 15 minutes having run everything twice.

CLI is so valuable because rather than explore a presentation of the data, you plan your RE etc., and then run it and it either returns the answer or it doesn't.

There are some TUIs I quite like (LNAV as a pager) but I think if you really know what you're dealing with the CLI is better almost every time.

eigen-vector, yesterday at 10:50 PM

I'm not trying to say it's better than the GUI, but it hopes to be more guided. It's *opinionated* about the first 60 seconds:

- *Overview dashboard*: immediately surfaces top talkers/flows + “what should I click next” instead of dropping you into the full packet list.
- *Domains-first pivot*: `D` shows hostnames and lets you jump from a domain → the relevant flows. It also works when DNS answers aren’t visible (DoH/DoT/cached) by using observed IPs from SNI/Host flows.
- *Weird stuff*: `W` is a curated set of “likely problems” (retransmits/out-of-order hints, resets, handshake issues, DNS failures when visible) with a short “why it matters” and a drill-down.
- *Explain*: `?` gives plain-English hints for a selected flow + suggested next steps (follow stream, filter, pivot to domains/weird).

So it’s basically a guided triage layer on top of tshark/pcap data, with the “where do I start?” path baked in.

If you’ve got a specific teaching use-case (e.g. “why is this slow?” or “which host is generating traffic?”), I’d love to tune the Overview/Weird detectors around that. Open to PRs as well.
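A sketch of the overview / domains-first pivot / weird-stuff idea described above, as an added example that is not babyshark's own code: it reads constructed tshark-style field rows (the IPs, hostnames and the tshark command in the docstring are assumptions), builds top talkers, learns hostname→IP from SNI so the pivot works without DNS answers, and runs one reset detector.

```python
"""Guided-triage sketch over tshark field output (added example, not babyshark).
Input rows are constructed to look like the output of (assumed invocation):
  tshark -r cap.pcap -T fields -E separator=/t -e ip.src -e ip.dst \
         -e tcp.dstport -e tls.handshake.extensions_server_name -e tcp.flags.reset
tshark prints an empty field when a value (e.g. SNI) is absent from the packet.
"""
from collections import Counter, defaultdict

# Constructed sample rows: src, dst, dport, sni, rst_flag (documentation IP ranges)
SAMPLE = """10.0.0.5\t192.0.2.14\t443\texample.com\t0
10.0.0.5\t192.0.2.14\t443\t\t0
10.0.0.7\t203.0.113.9\t443\tupdates.example.net\t0
10.0.0.7\t203.0.113.9\t443\t\t1
10.0.0.5\t203.0.113.9\t443\t\t0
10.0.0.9\t198.51.100.2\t80\t\t0
"""

def parse_rows(text):
    """Split tab-separated tshark rows into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, sni, rst = line.split("\t")
        rows.append({"src": src, "dst": dst, "dport": dport,
                     "sni": sni, "rst": rst == "1"})
    return rows

def top_talkers(rows, n=3):
    """Packets per source IP: the first panel of an overview dashboard."""
    return Counter(r["src"] for r in rows).most_common(n)

def domain_index(rows):
    """hostname -> set of server IPs, learned from SNI rather than DNS answers,
    so it still works when resolution happened over DoH/DoT or was cached."""
    idx = defaultdict(set)
    for r in rows:
        if r["sni"]:
            idx[r["sni"]].add(r["dst"])
    return idx

def flows_for_domain(rows, idx, name):
    """Domains-first pivot: every (src, dst, dport) flow to an IP seen for `name`.
    Caveat: on a shared CDN IP this also returns flows for other hostnames."""
    ips = idx.get(name, set())
    return sorted({(r["src"], r["dst"], r["dport"]) for r in rows if r["dst"] in ips})

def weird_resets(rows):
    """One 'weird stuff' detector: flows in which a TCP RST was observed."""
    return sorted({(r["src"], r["dst"], r["dport"]) for r in rows if r["rst"]})
```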
