Wireshark is the de facto standard for analyzing network traffic. Unfortunately, it gets increasingly laggy as the packet capture grows. Brim solves this problem so well that it will change your Wireshark workflow.
Wireshark is good, though...
Wireshark is a wonderful piece of open source software. It is used by amateurs and professionals around the world to investigate networking issues. It captures the data packets that run along the wires or through the ether in your network. Once you've captured your traffic, Wireshark allows you to filter and scan the data, track conversations between network devices, and more.
As good as Wireshark is, it has a problem. Network data capture files (called network traces or packet captures) can become very large, very fast. This is especially true if the problem you are trying to investigate is complex or sporadic, or if the network is large and busy.
The larger the packet capture (or PCAP), the more laggy Wireshark becomes. Just opening and loading a very large trace (anything over 1 GB) can take so long that you would think Wireshark had locked up and given up the ghost.
Working with files of that size is a real pain. Each time you search or change filters, you must wait for the effects to be applied to the data and updated on the screen. Each delay interferes with your concentration, which can hinder your progress.
Brim is the cure for this misery. It acts as an interactive preprocessor and front-end for Wireshark. When you want to see the granular detail that Wireshark can offer, Brim opens it for you, directly on exactly those packets.
If you do a lot of network capture and packet analysis, Brim will revolutionize your workflow.
Brim is very new, so it has not yet made its way into the software repositories of the Linux distributions. On the Brim download page, however, you will find DEB and RPM package files, so it is easy to install on Ubuntu or Fedora.
If you use another distribution, you can download the source code from GitHub and build the application yourself.
Brim relies on zq, a command-line tool for Zeek logs, so you must also download the ZIP file that contains zq.
Installing Brim on Ubuntu
If you are using Ubuntu, you need to download the DEB package file and the zq Linux ZIP file. Double-click the downloaded DEB package file to open Ubuntu Software. The Brim license is incorrectly listed as "Proprietary"; it actually uses the BSD 3-Clause License.
When the installation is complete, double-click the zq ZIP file to start the Archive Manager program. The ZIP file contains a single directory; drag and drop it from "Archive Manager" to a location on your computer, such as the "Downloads" directory.
We type the following to create a place for zq:
sudo mkdir /opt/zeek
We need to copy the binaries from the extracted directory to the location we just created. In the following command, replace the path and name of the extracted directory with the ones on your machine:
sudo cp Downloads/zq-v0.20.0.linux-amd64/* /opt/zeek
We need to add that location to the path, so we edit the .bashrc file:
sudo gedit .bashrc
The gedit editor opens. Scroll to the bottom of the file, then type this line, which appends /opt/zeek to your PATH:
export PATH=$PATH:/opt/zeek
Save your changes and close the editor.
Installing Brim on Fedora
To install Brim on Fedora, download the RPM package file (instead of the DEB) and then follow the same steps we covered for the Ubuntu installation above.
Interestingly, when the RPM file is opened in Fedora, it is correctly identified as having an open source license rather than a proprietary one.
Click “Show Applications” in the dock or press Super + A. Type “brim” in the search box, then click “Brim” when it appears.
Brim starts and shows the main window. You can click "Select Files" to open a file browser, or drag and drop a PCAP file into the area outlined by the red rectangle.
Brim uses a tabbed display, and you can have several tabs open at the same time. To open a new tab, click the plus sign (+) at the top, then select another PCAP.
Brim loads and indexes the selected file. The index is one of the reasons Brim is so fast. The main window contains a histogram of packet volumes over time and a list of network flows.
A PCAP file contains a time-ordered stream of network packets for many network connections. The packets for the different connections are interleaved because some of them were open at the same time. The packets for each network conversation are mixed in with the packets of other conversations.
Wireshark shows the network traffic packet by packet, while Brim uses a concept called "flows". A flow is a complete network exchange (or conversation) between two devices. Each flow is categorized, color-coded, and labeled by flow type. You will see flows labeled "dns", "ssh", "https", "ssl", and many more.
If you scroll the flow view to the left or right, many more columns will appear. You can also adjust the time period to display the subset of information you want to see. Below are some ways to view data:
- Click a bar in the histogram to zoom in on the network activity in it.
- Click and drag to select an area of the histogram view and zoom in. Brim then displays data from the selected section.
- You can also enter exact time periods in the "Date" and "Time" fields.
Brim can display two side panes: one on the left and one on the right. These can be hidden or remain visible. The pane on the left shows a search history and a list of open PCAPs, called spaces. Press Ctrl+[ to toggle the left pane on or off.
The pane on the right contains detailed information about the selected flow. Press Ctrl+] to toggle the right pane on or off.
Click "Conn" in the "UID Correlation" list to open a connection diagram for the selected flow.
In the main window you can also select a flow and then click the Wireshark icon. This starts Wireshark with the packets for the selected flow displayed.
Wireshark opens and shows the packets of interest.
Filtering in Brim
Searching and filtering in Brim is flexible and extensive, but you do not have to learn a new filter language if you do not want to. You can create a syntactically correct filter in Brim by clicking on fields in the summary window and then selecting options from a menu.
In the image below, for example, we right-clicked on a "dns" field. We then select "Filter = Value" from the context menu.
The following things then happen:
- The text _path = "dns" is added to the search field.
- That filter is applied to the PCAP file, so it only displays flows that are Domain Name Service (DNS) flows.
- The filter text is also added to the search history in the left pane.
We can add further clauses to the search term using the same technique. We right-click on the IP address field (which contains "192.168.1.26") in the "Id.orig_h" column and then select "Filter = Value" from the context menu.
This adds an additional clause as an AND clause. The display is now filtered to show DNS flows originating from that IP address (192.168.1.26).
The new filter term is added to the search history in the left pane. You can jump between searches by clicking the items in the search history list.
The destination IP address for most of our filtered data is 22.214.171.124. To see which DNS flows were sent to different IP addresses, we right-click on "126.96.36.199" in the "Id_resp_h" column and then select "Filter != Value" from the context menu.
Only one DNS flow from 192.168.1.26 was not sent to 188.8.131.52, and we found it without having to type anything to create our filter.
Pinning filter clauses
When we right-click on an "http" flow and select "Filter = Value" from the context menu, the summary window displays only HTTP flows. We can then click the pin icon next to the HTTP filter clause.
The HTTP clause is now pinned in place, and any other filters or search terms we use will run with the HTTP clause prepended to them.
If we type "GET" in the search field, the search is limited to flows that have already been filtered by the pinned clause. You can pin as many filter clauses as necessary.
To search for POST packets in the HTTP flows, we simply clear the search field, type "POST", and then press Enter.
Scrolling sideways reveals the IDs for the remote values.
All search and filter terms are added to the “History” list. Just click on it to apply a filter again.
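The filter behaviour described above (a `_path` clause, an added AND clause, a `!=` clause, a pinned clause with a free-text search on top) can be reproduced on the Zeek-style records that Brim indexes. This is an added example, not Brim's or zq's own code; the records are constructed and the IP addresses are placeholders.

```python
# Constructed Zeek-style records of the kind Brim indexes from a PCAP.
# The _path field names the Zeek log (the flow type) each record came from.
ZEEK_RECORDS = [
    {"_path": "dns", "id.orig_h": "192.168.1.26", "id.resp_h": "192.168.1.1", "query": "example.org"},
    {"_path": "dns", "id.orig_h": "192.168.1.26", "id.resp_h": "198.51.100.53", "query": "example.net"},
    {"_path": "dns", "id.orig_h": "192.168.1.40", "id.resp_h": "192.168.1.1", "query": "example.com"},
    {"_path": "http", "id.orig_h": "192.168.1.26", "id.resp_h": "203.0.113.10", "method": "GET", "uri": "/"},
    {"_path": "http", "id.orig_h": "192.168.1.26", "id.resp_h": "203.0.113.10", "method": "POST", "uri": "/login"},
    {"_path": "ssh", "id.orig_h": "192.168.1.26", "id.resp_h": "192.168.1.50"},
]


def parse_clause(text):
    """Parse one clause of the form  field = value  or  field != value,
    i.e. what the "Filter = Value" / "Filter != Value" menu items generate."""
    op = "!=" if "!=" in text else "="
    field, value = (part.strip() for part in text.split(op, 1))
    return field, op, value.strip('"')


def matches(record, clauses, search):
    """clauses: the AND-ed filter clauses (pinned or not) in the search field.
    search: free text that must appear in some field value of the record."""
    for clause in clauses:
        field, op, value = parse_clause(clause)
        actual = str(record.get(field, ""))
        equal = actual == value
        # '=' requires equality, '!=' requires inequality; drop the record otherwise.
        if (op == "=" and not equal) or (op == "!=" and equal):
            return False
    if search:
        return any(search.lower() in str(v).lower() for v in record.values())
    return True


def run_filter(clauses, search="", records=ZEEK_RECORDS):
    """Return the flows that survive every clause and the optional free-text search."""
    return [r for r in records if matches(r, clauses, search)]


if __name__ == "__main__":
    for flow in run_filter(['_path = "dns"', "id.orig_h = 192.168.1.26", "id.resp_h != 192.168.1.1"]):
        print(flow)
    for flow in run_filter(['_path = "http"'], search="POST"):
        print(flow)
```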
You can also search for a remote host by name.
Editing search terms
If you want to search for something but do not see a flow of that type, you can click on any flow and edit the entry in the search field.
For example, we know that there must be at least one SSH flow in the PCAP file, because we used rsync to send some files to another computer, but we cannot see it.
So we right-click on another flow, select "Filter = Value" from the context menu, and then edit the search field to say "ssh" instead of "dns".
We press Enter to search for SSH flows and find that there is only one.
Pressing Ctrl+] opens the right pane, showing the details of this flow. If a file was transferred during a flow, its MD5, SHA1, and SHA256 hashes are displayed.
Right-click on any of these and then select “VirusTotal Lookup” from the context menu to open your browser on the VirusTotal website and submit the hash for checking.
VirusTotal stores the hashes of known malware and other malicious files. If you are unsure whether a file is safe, this is an easy way to check, even if you no longer have access to the file itself.
If the file is benign, you will see the screen shown in the image below.
The perfect complement to Wireshark
Brim makes working with Wireshark even faster and easier by letting you work with very large packet capture files. Try it today!