Wireshark is the de facto standard for analyzing network traffic. Unfortunately, it gets slower and slower as packet capture grows. Edge solves this problem so well, it will change your Wireshark workflow.
Wireshark is great, but. . .
Wireshark is wonderful open source software. It is used by amateurs and professionals all over the world to investigate network issues. It captures data packets that travel along wires or through the ether of your network. Once you’ve captured your traffic, Wireshark lets you filter and search data, track conversations between devices on the network, and more.
As great as Wireshark is, it has a problem. Network data capture files (called network traces or packet captures) can grow very large, very quickly. This is especially true if the problem you are trying to investigate is complex or sporadic, or if the network is large and busy.
The larger the packet capture (or PCAP), the slower Wireshark becomes. Just opening and loading a very large trace (anything over 1GB) can take so long that you think Wireshark has collapsed and abandoned the ghost.
Working with files of this size is a real pain. Whenever you search or change a filter, you have to wait for the effects to be applied to the data and updated on the screen. Each delay disrupts your concentration, which can hamper your progress.
Edge is the remedy for these misfortunes. It acts as an interactive preprocessor and front-end for Wireshark. When you want to see the granular level that Wireshark can deliver, Brim instantly opens it for you on exactly those packages.
If you do a lot of network capture and packet analysis, Brim will revolutionize your workflow.
Brim is very new, so it hasn’t made its way into the Linux distribution software repositories yet. However, on the Brim download pageyou will find the DEB and RPM package files, so installing it on Ubuntu or Fedora is fairly straightforward.
If you are using another distribution, you can download source code from GitHub and create the app yourself.
Brim uses zq, a command line tool for Zeek so you will also need to download a ZIP file containing the zq binaries.
Install Brim on Ubuntu
If you are using Ubuntu, you will need to download the DEB package file and the Linux zq ZIP file. Double click on the downloaded DEB package file and the Ubuntu software application will open. The Brim license is mistakenly listed as “owner” – it uses the 3-clause BSD license.
Click on “Install”.
When the installation is complete, double-click the zq ZIP file to launch the Archive Manager application. The ZIP file will contain a single directory; drag and drop it from “Archive Manager” to a location on your computer, such as the “Downloads” directory.
We type the following to create a location for the zq binaries:
sudo mkdir / opt / zeek
We need to copy the binaries from the extracted directory to the location we just created. Replace the path and name of the extracted directory on your machine in the following command:
sudo cp Downloads / zq-v0.20.0.linux-amd64 / * / opt / Zeek
We need to add this location to the path, so we’re going to edit the BASHRC file:
sudo gedit .bashrc
The gedit editor will open. Scroll down to the bottom of the file, then type this line:
export PATH = $ PATH: / opt / zeek
Save your changes and close the editor.
Installing Brim on Fedora
To install Brim on Fedora, download the RPM package file (instead of DEB), then follow the same steps as outlined for installing Ubuntu above.
Interestingly, when the RPM file opens in Fedora, it is correctly identified as having an open source license, rather than a proprietary license.
Click “Show apps” in the dock or press Super + A. Type “edge” in the search box, then click “edge” when it appears.
Brim launches and displays its main window. You can click “Choose Files” to open a file browser or drag and drop a PCAP file into the area surrounded by the red rectangle.
Brim uses a tabbed view and you can open multiple tabs simultaneously. To open a new tab, click the plus sign (+) at the top, then select another PCAP.
Brim loads and indexes the selected file. The clue is one of the reasons Brim is so fast. The main window contains a histogram of packet volumes over time and a list of network “flows”.
A PCAP file contains a time-ordered stream of network packets for a large number of network connections. The data packets for the different connections are intermixed because some of them will have been opened simultaneously. The packets for each network “conversation” are interspersed with packets from other conversations.
Wireshark displays the network stream packet by packet, while Brim uses a concept called “stream”. A flow is a complete network exchange (or conversation) between two devices. Each feed type is categorized, color coded, and labeled by feed type. You will see feeds titled “dns”, “ssh”, “https”, “ssl” and many more.
If you scroll the feed summary view left or right, many more columns will be displayed. You can also adjust the period to display the subset of information that you want to see. Here are some ways to display the data:
Click a bar in the histogram to zoom in on the network activity it contains.
Click and drag to highlight a range of the histogram display and zoom in. Brim will then display the data for the highlighted section.
You can also specify exact periods in the “Date” and “Time” fields.
Brim can display two side panes: one on the left and one on the right. These can be hidden or remain visible. The left pane displays a search history and a list of open PCAPs, called spaces. Press Ctrl +[toactivateordeactivatetheleftpane[totoggletheleftpaneonoroff[pouractiveroudésactiverlevoletgauche[totoggletheleftpaneonoroff
The right pane contains detailed information about the highlighted stream. Press Ctrl +]to activate or deactivate the right pane.
Click “Conn” in the “UID Correlation” list to open a connection diagram for the highlighted stream.
In the main window, you can also highlight a stream and then click on the Wireshark icon. This launches Wireshark with the packets for the highlighted stream displayed.
Wireshark opens, displaying the packages of interest.
Filtering to Brim
Searching and filtering in Brim is flexible and comprehensive, but you don’t need to learn a new filtering language if you don’t want to. You can create a syntactically correct filter in Brim by clicking fields in the summary window and then selecting options from a menu.
For example, in the image below, we have right clicked on a “dns” field. We will then select “Filter = Value” from the context menu.
The following things then happen:
The text _path = “dns” is added to the search bar.
This filter is applied to the PCAP file, so it will only display flows that are DNS (Domain Name Service) flows.
The filter text is also added to the search history in the left pane.
We can add other clauses to the search term using the same technique. We are going to right click on the IP address field (containing “192.168.1.26”) in the “Id.orig_h” column, then select “Filter = Value” in the context menu.
This adds the additional clause as an AND clause. The display is now filtered to show DNS feeds from this IP address (192.168.1.26).
The new filter term is added to the search history in the left pane. You can switch between searches by clicking on items in the search history list.
The destination IP address for most of our filtered data is 220.127.116.11. To see which DNS streams were sent to different IP addresses, we right-click on “18.104.22.168” in the “Id_resp_h” column, then we select “Filter! = Value ”in the context menu.
A single DNS stream from 192.168.1.26 was not sent to 22.214.171.124 and we located it without having to type anything to create our filter.
Pinning filter clauses
When we right click on an “HTTP” feed and select “Filter = Value” from the context menu, the summary pane will only show HTTP feeds. We can then click on the Pin icon next to the HTTP filter clause.
The HTTP clause is now pinned in place, and any other filters or search terms we use will be executed with the HTTP clause added at the beginning.
If we type “GET” in the search bar, the search will be limited to feeds that have already been filtered by the pinned clause. You can pin as many filter clauses as you need.
To search for POST packets in HTTP streams, simply clear the search bar, type “POST” and then press Enter.
Side scrolling reveals the ID of the remote host.
All search and filter terms are added to the “History” list. To reapply a filter, just click on it.
You can also search for a remote host by name.
Modification of search terms
If you want to search for something, but you don’t see such a feed, you can click on any feed and edit the entry in the search bar.
For example, we know that there must be at least one SSH stream in the PCAP file because we used rsync to send files to another computer, but we can’t see it.
So we’re going to right-click on another stream, select “Filter = Value” from the context menu, then modify the search bar to say “ssh” instead of “dns”.
We press Enter to search for SSH streams and find only one.
Right-click on any of these items, then select “VirusTotal Search” from the context menu to open your browser in the VirusTotal website and pass the hash for verification.
VirusTotal stores hashes of known malware and other malicious files. If you are unsure whether a file is safe, this is an easy way to check it, even if you no longer have access to the file.
If the file is harmless, you will see the screen shown in the image below.
The perfect complement to Wireshark
Brim makes working with Wireshark even faster and easier by allowing you to work with very large packet capture files. Give it a try today!