fox-it / OpenSSH-Network-Parser

Project to decrypt and parse SSH traffic

Error #2

Closed ghost closed 1 year ago

ghost commented 1 year ago

$ network-parser -p debian.pcapng -o ./ --proto ssh --popt KEY=keys.json
getrlimit: (1024, 1048576)
Exception in handle_tcp_stream: No module named dissect

yunzheng commented 1 year ago

Did you install dissect.cstruct using python2 or python3? E.g., what version of Python does your pip command use?

yunzheng commented 1 year ago

Looks good, although only dissect.cstruct is needed. When you install dissect, it will install the whole suite, which is not needed for this project. Can you share how you installed this project?

Python 2.7 is deprecated so it might become harder to install this project on newer Linux distributions, so if you can live with using a Docker image, the following works:

$ docker run -it --rm python:2.7 bash

# following commands are in the docker image
$ apt update && apt install -y libpcap-dev
$ git clone https://github.com/fox-it/OpenSSH-Network-Parser
$ cd OpenSSH-Network-Parser
$ pip install -e .
$ network-parser --help
usage: network-parser [-h] -p PCAP -o OUTPUT [--dport DPORT] [--sport SPORT]
                      [--src SRC] [--dst DST] [-s] [-u USER] [--stats STATS]
                      [-f FILE_LIMIT] [--startdate STARTDATE] --proto PROTO
                      [-v] [--popt KEY=VALUE]

yunzheng commented 1 year ago

This is a different error; it looks like chacha20-poly1305 is not supported, but maybe with some modifications it could be supported. Feel free to open another issue for it.

yunzheng commented 1 year ago

> Wow. How did you solve it?

I did not solve it. Just saying the KeyError: 'chacha20-poly1305@openssh.com' is a different error and not related to this issue. It should be a new issue on its own.