
BruteShark

BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic from PCAP files or live captures. It extracts passwords, builds network maps, reconstructs TCP sessions, and converts encrypted password hashes to Hashcat format for offline brute force attacks.

Description

BruteShark provides a solution for security researchers and network administrators tasked with network traffic analysis to identify weaknesses that could be exploited by attackers to gain access to critical network points. The tool processes captured network traffic to extract valuable forensic artifacts such as credentials and files, reconstruct communication sessions, and map network topology.

Use cases include analyzing PCAP files for password harvesting, identifying DNS queries, VoIP communications, and generating reports for incident response or penetration testing. It supports both offline analysis of stored captures and real-time processing from live network interfaces.

On Linux, BruteShark operates as a command-line interface tool named brutesharkcli, making it suitable for automated scripts and terminal-based workflows in cybersecurity investigations.

How It Works

BruteShark deeply inspects network traffic using libpcap for packet capture and processing, supporting both PCAP files and live interfaces. It employs specialized modules for tasks like credential extraction from protocols, TCP session reconstruction, file carving, network mapping via topology inference, DNS query logging, and VoIP stream analysis. Hashes of encrypted passwords are identified and exported in Hashcat-compatible format for offline cracking, leveraging deep packet inspection techniques across common network protocols.

Installation

```bash
sudo apt install bruteshark
```

Flags

-d, --input-dir      The input directory containing the files to be processed.
-i, --input          The files to be processed, separated by commas.
-m, --modules        The modules to run, separated by commas: Credentials, FileExtracting, NetworkMap, DNS, Voip.
-o, --output         Output directory for the result files.
-p, --promiscuous    Start the live capture in promiscuous mode (sometimes needs superuser privileges); use along with -l for live capture.
-l, --live-capture   Capture and process packets live from a network interface.
-f, --filter         Set a BPF capture filter for the live traffic processing.
--help               Display this help screen.
--version            Display version information.

Examples

Display the help screen (-h is not a recognized option and reports an unknown option error, so use --help):

```bash
brutesharkcli --help
```

Process specific PCAP files with the Credentials module and save the results to an output directory:

```bash
brutesharkcli -i file1.pcap,file2.pcap -m Credentials -o /output/dir
```

Analyze all files in an input directory using the NetworkMap and DNS modules:

```bash
brutesharkcli -d /path/to/pcaps -m NetworkMap,DNS -o results
```

Perform a live capture in promiscuous mode with a BPF filter for HTTP traffic, extracting files:

```bash
brutesharkcli -l -p -f 'tcp port 80' -m FileExtracting -o live_results
```

Process a directory of captures, focusing on VoIP and file extraction:

```bash
brutesharkcli --input-dir captures/ --modules Voip,FileExtracting --output forensics
```

Extract credentials and build a network map from a single PCAP file:

```bash
brutesharkcli --input traffic.pcap --modules Credentials,NetworkMap --output /tmp/output
```

Live capture from the eth0 interface, processing DNS traffic:

```bash
brutesharkcli -l eth0 -m DNS --output dns_logs
```
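Because the Linux build is a plain CLI, it drops easily into batch jobs over a capture archive. The script below is an added example, not part of the Kali page or the BruteShark project: it validates the module names against the list documented above before assembling the `-d`/`-i` forms shown in the examples, so a misspelled module fails immediately rather than after a long run. It assumes `brutesharkcli` is on `PATH`; the `BRUTESHARK_DRY_RUN` variable is this script's own convention for printing the command instead of running it.

```shell
#!/bin/sh
# Added example, not part of the Kali tool page or the BruteShark project.
# Wrapper for running brutesharkcli from scripts: validates module names
# against the set documented in the tool's help text, then builds the command.
# Assumes brutesharkcli is on PATH; BRUTESHARK_DRY_RUN=1 prints instead of runs.

# Module names accepted by -m/--modules, from the help text above.
VALID_MODULES="Credentials FileExtracting NetworkMap DNS Voip"

# check_modules "Credentials,DNS": succeed only if every comma-separated name is known.
check_modules() {
    [ -n "$1" ] || { printf 'no modules given\n' >&2; return 1; }
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        found=0
        for v in $VALID_MODULES; do
            [ "$m" = "$v" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf 'unknown module: %s\n' "$m" >&2
            return 1
        fi
    done
    return 0
}

# build_dir_cmd DIR MODULES OUTDIR: print the -d/-m/-o command line for
# analysing every capture in DIR, after checking the modules and the directory.
build_dir_cmd() {
    check_modules "$2" || return 1
    [ -d "$1" ] || { printf 'input directory not found: %s\n' "$1" >&2; return 1; }
    printf 'brutesharkcli -d %s -m %s -o %s\n' "$1" "$2" "$3"
}

# build_files_cmd OUTDIR MODULES FILE...: print the -i form for an explicit
# list of capture files, joined with commas as the tool expects.
build_files_cmd() {
    out=$1; mods=$2; shift 2
    check_modules "$mods" || return 1
    list=""
    for f in "$@"; do
        [ -f "$f" ] || { printf 'capture not found: %s\n' "$f" >&2; return 1; }
        list="${list:+$list,}$f"
    done
    printf 'brutesharkcli -i %s -m %s -o %s\n' "$list" "$mods" "$out"
}

# run_analysis DIR MODULES OUTDIR: validate, create OUTDIR, then run the tool
# (or only print the command when BRUTESHARK_DRY_RUN is set).
run_analysis() {
    check_modules "$2" || return 1
    [ -d "$1" ] || { printf 'input directory not found: %s\n' "$1" >&2; return 1; }
    mkdir -p "$3"
    if [ -n "${BRUTESHARK_DRY_RUN:-}" ]; then
        build_dir_cmd "$1" "$2" "$3"
    else
        brutesharkcli -d "$1" -m "$2" -o "$3"
    fi
}

# Usage, e.g. from a nightly job over an evidence share (paths are placeholders):
#   run_analysis /evidence/pcaps Credentials,NetworkMap,DNS /evidence/bruteshark-results
```

The validation step matters more than it looks: the tool receives the module list as a single comma-separated string, so a typo in one name surfaces only after the capture set has been opened, and in an unattended job that means a silent, partially useful result directory.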
Updated 2026-04-16. Source: kali.org