Wireshark is the de facto standard for analyzing network traffic. Unfortunately, it does become increasingly laggy as the packet capture grows. Brim solves this problem so well, it’ll change your Wireshark workflow.
Wireshark Is Great, But . . .
Wireshark is a wonderful piece of open-source software. It’s used by amateurs and professionals alike worldwide to investigate networking issues. It captures the data packets that travel down the wires or through the ether of your network. Once you’ve captured your traffic, Wireshark allows you to filter and search through the data, trace conversations between network devices, and much more.
As great as Wireshark is, though, it does have one issue. Network data capture files (called network traces or packet captures), can get very large, very quickly. This is especially true if the issue you’re trying to investigate is complex or sporadic, or the network is large and busy.
The larger the packet capture (or PCAP), the more laggy Wireshark becomes. Just opening and loading a very large (anything over 1 GB) trace can take so long, you’d think Wireshark had keeled over and given up the ghost.
Working with files of that size is a real pain. Every time you perform a search or change a filter, you have to wait for the effects to be applied to the data and updated on the screen. Each delay disrupts your concentration, which can hinder your progress.
Brim is the remedy for these woes. It acts as an interactive preprocessor and front-end for Wireshark. When you want to see the granular level Wireshark can provide, Brim instantly opens it for you exactly on those packets.
If you do a lot of network capture and packet analysis, Brim will revolutionize your workflow.
Brim is very new, so it hasn’t yet made its way into the software repositories of the Linux distributions. However, on the Brim download page, you’ll find DEB and RPM package files, so installing it on Ubuntu or Fedora is simple enough.
If you use another distribution, you can download the source code from GitHub and build the application yourself.
zq, a command-line tool for Zeek logs, so you’ll also need to download a ZIP file containing the
Installing Brim on Ubuntu
If you’re using Ubuntu, you’ll need to download the DEB package file and
zq Linux ZIP file. Double-click the downloaded DEB package file, and the Ubuntu Software application will open. The Brim license is mistakenly listed as “Proprietary”—it uses the BSD 3-Clause License.
When the installation is complete, double-click the
zq ZIP file to launch the Archive Manager application. The ZIP file will contain a single directory; drag and drop it from the “Archive Manager” to a location on your computer, like the “Downloads” directory.
We type the following to create a location for the
sudo mkdir /opt/zeek
We need to copy the binaries from the extracted directory to the location we just created. Substitute the path and name of the extracted directory on your machine in the following command:
sudo cp Downloads/zq-v0.20.0.linux-amd64/* /opt/Zeek
We need to add that location to the path, so we’ll edit the BASHRC file:
sudo gedit .bashrc
The gedit editor will open. Scroll to the bottom of the file, and then type this line:
Save your changes and close the editor.
Installing Brim on Fedora
To install Brim on Fedora, download the RPM package file (instead of the DEB), and then follow the same steps we covered for the Ubuntu installation above.
Interestingly, when the RPM file opens in Fedora, it’s correctly identified as having an open-source license, rather than a proprietary one.
Click “Show Applications” in the dock or press Super+A. Type “brim” in the Search box, and then click “Brim” when it appears.
Brim launches and displays its main window. You can click “Choose Files” to open a file browser, or drag and drop a PCAP file in the area surrounded by the red rectangle.
Brim uses a tabbed display, and you can have multiple tabs open simultaneously. To open a new tab, click the plus sign (+) at the top, and then select another PCAP.
Brim loads and indexes the selected file. The index is one of the reasons Brim is so fast. The main window contains a histogram of packet volumes over time, and a list of network “flows.”
A PCAP file holds a time-ordered stream of network packets for a great many network connections. The data packets for the various connections are intermingled because some of them will have been opened concurrently. The packets for each network “conversation” are interspersed with the packets of other conversations.
Wireshark displays the network stream packet by packet, while Brim uses a concept called “flows.” A flow is a complete network interchange (or conversation) between two devices. Each flow type is categorized, color coded, and labeled by flow type. You’ll see flows labeled “dns,” “ssh,” “https,” “ssl,” and many more.
If you scroll the flow summary display left or right, many more columns will be displayed. You can also adjust the time period to display the subset of information you want to see. Below are a few ways you can view data:
- Click a bar in the histogram to zoom in on the network activity within it.
- Click and drag to highlight a range of the histogram display and zoom in. Brim will then display the data from the highlighted section.
- You can also specify exact periods in the “Date” and “Time” fields.
Brim can display two side panes: one on the left, and one on the right. These can be hidden or remain visible. The pane on the left shows a search history and list of open PCAPs, called spaces. Press Ctrl+[ to toggle the left pane on or off.
The pane on the right contains detailed information about the highlighted flow. Press Ctrl+] to toggle the right pane on or off.
Click “Conn” in the “UID Correlation” list to open a connection diagram for the highlighted flow.
In the main window, you can also highlight a flow, and then click the Wireshark icon. This launches Wireshark with the packets for the highlighted flow displayed.
Wireshark opens, displaying the packets of interest.
Filtering in Brim
Searching and filtering in Brim are flexible and comprehensive, but you don’t have to learn a new filtering language if you don’t want to. You can build a syntactically correct filter in Brim by clicking fields in the summary window, and then selecting options from a menu.
For example, in the image below, we right-clicked a “dns” field. We’re then going to select “Filter = Value” from the context menu.
The following things then occur:
- The text
_path = "dns"is added to the search bar.
- That filter is applied to the PCAP file, so it will only display flows that are Domain Name Service (DNS) flows.
- The filter text is also added to the search history in the left pane.
We can add further clauses to the search term using the same technique. We’ll right-click the IP address field (containing “192.168.1.26”) in the “Id.orig_h” column, and then select “Filter = Value” from the context menu.
This adds the additional clause as an AND clause. The display is now filtered to show DNS flows that originated from that IP address (192.168.1.26).
The new filter term is added to the search history in the left pane. You can hop between searches by clicking the items in the search history list.
The destination IP address for most of our filtered data is 22.214.171.124. To see which DNS flows were sent to different IP addresses, we right-click “126.96.36.199” in the “Id_resp_h” column, and then select “Filter != Value” from the context menu.
Only one DNS flow that originated from 192.168.1.26 wasn’t sent to 188.8.131.52, and we’ve located it without having to type anything to create our filter.
Pinning Filter Clauses
When we right-click an “HTTP” flow and select “Filter = Value” from the context menu, the summary pane will display only HTTP flows. We can then click the Pin icon next to the HTTP filter clause.
The HTTP clause is now pinned in place, and any other filters or search terms we use will be executed with the HTTP clause prepended to them.
If we type “GET” in the search bar, the search will be restricted to flows that have already been filtered by the pinned clause. You can pin as many filter clauses as necessary.
To search for POST packets in the HTTP flows, we simply clear the search bar, type “POST,” and then press Enter.
Scrolling sideways reveals the ID of the remote host.
All the search and filter terms are added to the “History” list. To reapply any filter, just click it.
You can also search for a remote host by name.
Editing Search Terms
If you want to search for something, but don’t see a flow of that type, you can click any flow and edit the entry in the search bar.
For example, we know there must be at least one SSH flow in the PCAP file because we used
rsync to send some files to another computer, but we can’t see it.
So, we’ll right-click another flow, select “Filter = Value” from the context menu, and then edit the search bar to say “ssh” instead of “dns.”
We press Enter to search for SSH flows and find there’s only one.
Right-click any of these, and then select “VirusTotal Lookup” from the context menu to open your browser at the VirusTotal website and pass in the hash for checking.
VirusTotal stores the hashes of known malware and other malicious files. If you’re unsure whether a file is safe, this is an easy way to check, even if you no longer have access to the file.
If the file is benign, you’ll see the screen shown in the image below.
The Perfect Complement to Wireshark
Brim makes working with Wireshark even faster and easier by allowing you to work with very large packet capture files. Give it a test run today!