BruteSharkCLI will fail on pcap files when running on Ubuntu 22.04 LTS #124

Open
Limpem opened this issue Jul 1, 2022 · 7 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@Limpem

Limpem commented Jul 1, 2022

BruteSharkCLI will fail on processing pcap files when running on the 22.04 LTS release on Ubuntu (20.04 seems to work fine):

./BruteSharkCli -i Pcap_Examples/Ftp.pcap -m Credentials -o Example
[+] Start analyzing 1 files
[+] Start processing file : Ftp.pcap
ERROR: Failed to process file : Ftp.pcap
[+] Successfully exported extracted files to: Demo/Files
[+] BruteShark finished processing

@odedshimon
Owner

@Limpem
Thank you for reporting this.

  1. Are you sure you have read privileges for this file?
  2. Can you run it in debug mode (e.g. using VS Code) and share the exception?

@odedshimon odedshimon added help wanted Extra attention is needed good first issue Good for newcomers labels Jul 1, 2022
@Limpem
Author

Limpem commented Jul 4, 2022

Thank you for looking into this. To answer your questions:

  1. Yes (I am using the Ftp.pcap found in the examples folder)
  2. When I use debug-mode (./BruteSharkCli --debug) on 20.04:
    Brute-Shark > add-file Ftp.pcap
    Brute-Shark > start
    [+] Packets Analyzed: 38, TCP: 38 UDP: 0
    [+] TCP Sessions Analyzed: 3 UDP Streams Analyzed: 0
    [+] Passwords Found: 1
    [+] Hashes Found: 0
    [+] Network Connections Found: 6
    Brute-Shark > show-passwords
    NetworkPassword:
    ┌──────────┬──────────┬──────────┬───────────────┬───────────────┐
    │ Username │ Password │ Protocol │ Source        │ Destination   │
    ├──────────┼──────────┼──────────┼───────────────┼───────────────┤
    │ csanders │ echo     │ FTP      │ 192.168.0.114 │ 192.168.0.193 │
    └──────────┴──────────┴──────────┴───────────────┴───────────────┘

When I do the same thing on 22.04:
Brute-Shark > add-file Ftp.pcap
Brute-Shark > start
Brute-Shark > show-passwords
NetworkPassword:
┌──────────┬──────────┬──────────┬────────┬─────────────┐
│ Username │ Password │ Protocol │ Source │ Destination │
├──────────┼──────────┼──────────┼────────┼─────────────┤
└──────────┴──────────┴──────────┴────────┴─────────────┘

So it doesn't seem to do anything after running the start command.
libpcap is installed on both, but it seems 22.04 is using a newer version.

libpcap on 20.04:
libpcap-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8/focal,now 1.9.1-3 amd64 [installed]

libpcap on 22.04:
libpcap-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8/jammy,now 1.10.1-4build1 amd64 [installed]

@sbrun

sbrun commented Sep 19, 2022

Hello
We have the same issue in Kali / Debian. It appeared with the latest version of the libc in Debian. I ran the command with strace to debug the issue.
Here is the relevant part I think:

openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
futex(0x7f51fb7971f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
mprotect(0x7f518233e000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f518234f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x7f518233f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d1000, 4096, PROT_READ|PROT_WRITE) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
write(1, "\33[39;49m", 8)               = 8
write(1, "\33[91m", 5)                  = 5
write(41, "ERROR: Failed to process file : "..., 41ERROR: Failed to process file : Ftp.pcap
) = 41

brutesharkcli is looking for libdl.so but it does not exist anymore, the libdl has been merged in the libc:
https://sourceware.org/glibc/wiki/Release/2.34#Libraries_merged_into_libc

I fixed the issue in Kali with a symlink: /usr/lib/brutesharkcli/libdl.so -> /lib/x86_64-linux-gnu/libdl.so.2
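
The diagnosis above can be repeated on any trace by listing the library names that were probed with openat() and never opened in any search directory. This is an added example, not part of the original comments and not BruteShark or SharpPcap code; `missing_libs` and `sample_trace` are hypothetical helper names, and the sample lines are constructed on the model of the trace quoted above.

```shell
#!/bin/sh
# Print "<failed attempts> <file name>" for every lib* file that strace shows
# being probed with openat() but never opened successfully in any directory.
# Matching is done on the "-1 ENOENT" token, which stays the same whatever
# locale the error text is printed in (French in the trace above).
missing_libs() {
    awk '
        /openat\(/ {
            n = split($0, q, "\"")          # q[2] is the quoted path
            if (n < 3) next
            m = split(q[2], parts, "/")
            base = parts[m]                 # file name without directory
            if (base !~ /^lib/) next        # skip ld.so.cache and the like
            if ($0 ~ /= -1 ENOENT/) fail[base]++
            else if ($0 ~ /\) = [0-9]+/) ok[base] = 1
        }
        END {
            for (b in fail) if (!(b in ok)) print fail[b], b
        }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input: libc.so.6 is missing from the application
# directory but found in a system directory, so it must not be reported.
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
EOF
}

sample_trace | missing_libs
```

On a real system, feed it a trace file written with `strace -f -e trace=openat -o trace.txt <command>` by running `missing_libs < trace.txt`.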

@odedshimon
Owner

Thank you @sbrun, @Limpem
This is very helpful.
That might be a change needed in SharpPcap - a major framework BruteShark is using.
I'm currently on a vacation until mid November, I will try to investigate it when I will be back.

@UnknownSilicon

Any updates on this? Still seems to be an issue on the latest version

@Affenselfie

As @odedshimon suggested, an update in SharpPcap might be necessary. Therefore, I updated the following solution files:

  • BruteShark/PcapProcessor/PcapProcessor.csproj
  • BruteShark/PcapProcessorTest/PcapProcessorTest.csproj

What I updated was the package reference from SharpPcap 6.0.0 to SharpPcap 6.3.0:
<PackageReference Include="SharpPcap" Version="6.3.0" />

Under Linux, I was able to build the BruteSharkCli. First, I removed the BruteSharkDesktop solution (it's a Windows app) and then I ran:
dotnet publish -c Release -r linux-x64

That resulted in a successful build on the latest Arch Linux. The BruteSharkCli is not quitting with an error anymore:

➜  /tmp ~/Software/bruteshark/BruteSharkCli -m Credentials -i ./test-dump.pcapng
[+] Start analyzing 1 files
[+] Start processing file : test-dump.pcapng
[+] Finished processing file : test-dump.pcapng
[+] BruteShark finished processing

How could we further test my "fix" to implement it later into BruteShark?

@odedshimon
Owner

@Affenselfie
Thank you for validating the hypothesis about the SharpPcap version! Nice work!

I need to bump the version at the source code, compile a new version and publish it as a new release.
Hopefully I will get to it soon.
