BruteShark is a Network


Building a Network Diagram


File Carving

Password Extracting


Reconstruct all TCP Sessions

Extract VoIP Calls



In general, it is recommended load, run and explore the results.
Example PCAP files containing scenarios that demonstrates all BruteShark capabilities can be downloaded from

Files Extracting Module

This module tries to extract files from UDP / TCP sessions (Therefore, note that in order for this module to be effective, the “Build TCP Sessions” / “Build UDP Sessions” should be turn on). Currently this module supports classic forensics techniques of file carving by “Header-Footer” algorithm which is effective for files with known file header and footer like JPG, PNG, PDF.

Voip Calls Module

This module extracts Voip calls from SIP & RTP protocols. The extracted calls can be exported as raw audio files and can be played using a proper audio player (like Audacity)


All BruteShark projects are implemented using .Net Core and .Net Standard for modern and cross platform support. The solution is designed with three layer architecture, including a one or more projects at each layer – DAL, BLL and PL. The separation between layers is created by the fact that each project refers only its own objects.

PcapProcessor (DAL)

As the Data Access Layer, this project is responsible for reading raw PCAP files using appropriate drivers (WinPcap, libpcap) and the amazing wrapper library SharpPcap by Chris Morgan. Can analyze a list of files at once, and provides additional features like reconstruction of all TCP Sessions (using the awesome project TcpRecon).

PcapAnalyzer (BLL)

The Business Logic Layer, responsible for analyzing network information (packet, TCP Session etc.), implements a pluggable mechanism. Each plugin is basically a class that implements the interface IModule. All plugins are loaded using reflection:

private void _initilyzeModulesList()
// Create an instance for any available modules by looking for every class that
// implements IModule.
this._modules = AppDomain.CurrentDomain.GetAssemblies()
.SelectMany(s => s.GetTypes())
.Where(p => typeof(IModule).IsAssignableFrom(p) && !p.IsInterface)
.Select(t => (IModule)Activator.CreateInstance(t))

// Register to each module event.
foreach(var m in _modules)
m.ParsedItemDetected += (s, e) => this.ParsedItemDetected(s, e);

BruteSharkDesktop (PL)

Desktop application for Windows based on WinForms. Uses a cross-cutting project by the meaning it referrers both the DAL and BLL layers. This is done by composing each of the layers, register to their events, when event is triggered, cast the event object to the next layer equivalent object, and send it to next layer.

public MainForm()

_files = new HashSet<string>();

// Create the DAL and BLL objects.
_processor = new PcapProcessor.Processor();
_analyzer = new PcapAnalyzer.Analyzer();
_processor.BuildTcpSessions = true;

// Create the user controls.
_networkMapUserControl = new NetworkMapUserControl();
_networkMapUserControl.Dock = DockStyle.Fill;
_sessionsExplorerUserControl = new SessionsExplorerUserControl();
_sessionsExplorerUserControl.Dock = DockStyle.Fill;
_hashesUserControl = new HashesUserControl();
_hashesUserControl.Dock = DockStyle.Fill;
_passwordsUserControl = new GenericTableUserControl();
_passwordsUserControl.Dock = DockStyle.Fill;

// Contract the events.
_processor.TcpPacketArived += (s, e) => _analyzer.Analyze(Casting.CastProcessorTcpPacketToAnalyzerTcpPacket(e.Packet));
_processor.TcpSessionArived += (s, e) => _analyzer.Analyze(Casting.CastProcessorTcpSessionToAnalyzerTcpSession(e.TcpSession));
_processor.FileProcessingStarted += (s, e) => SwitchToMainThreadContext(() => OnFileProcessStart(s, e));
_processor.FileProcessingEnded += (s, e) => SwitchToMainThreadContext(() => OnFileProcessEnd(s, e));
_processor.ProcessingPrecentsChanged += (s, e) => SwitchToMainThreadContext(() => OnProcessingPrecentsChanged(s, e));
_analyzer.ParsedItemDetected += (s, e) => SwitchToMainThreadContext(() => OnParsedItemDetected(s, e));
_processor.TcpSessionArived += (s, e) => SwitchToMainThreadContext(() => OnSessionArived(Casting.CastProcessorTcpSessionToBruteSharkDesktopTcpSession(e.TcpSession)));
_processor.ProcessingFinished += (s, e) => SwitchToMainThreadContext(() => OnProcessingFinished(s, e));



First off, thanks for taking the time to contribute! BruteShark welcomes contributions from everyone.

When contributing to this repository, please first discuss the change you wish to make via issue or an email before making a change.

How Can You Contribute?

  • Implementing new features from BruteShark Issues, look for “good first issue” and “help wanted” labels.
  • Uploading example PCAP files, especially files, with interesting content.
  • Proposing new features by Creating an Issue.
  • Reporting a bug by Creating an Issue.
  • Discussing the current state of the code.
  • Creating videos and example tutorials of using BruteShark.
Download BruteShark

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.


Original Source