Breaking News

Home / Networking / How to get a better view of Wireshark capture files with Brim

How to get a better view of Wireshark capture files with Brim

If you’re a network admin who depends on Wireshark, you’re going to want to use this third-party application to make coming through captures even easier.

IT technician with network equipment and cables

Image: Getty Images/iStockphoto

For many network admins, Wireshark is the de facto standard for
checking in on the health and security of networks

. With this open source GUI network package capturing tool, you can monitor your network traffic and sniff out problems. Even better, you can have Wireshark save those captured packets for later viewing. Wireshark then allows you to filter through that traffic to find exactly what you’re looking for. 

For some admins, Wireshark has one glaring flaw–it doesn’t handle large capture files with much grace. When those packet capture files get large (which they easily can), Wireshark gets laggy. Given the nature of the beast, no admin wants to have to deal with such a problem. To make things worse, drilling down into a packet on Wireshark isn’t terribly intuitive.

That’s where Brim comes in. Brim is a GUI tool with the single purpose of viewing Wireshark PCAP files. If network packet capture and analysis is your jam, you’re going to want to use Brim. Brim can help prevent you from getting lost in a sea of networking packets. Brim transforms PCAP files into Zeek logs (in the ZNG format) so you can easily search those logs and drill down into those packages to get even more information than you thought possible.

Brim is free and available for Linux, macOS, and Windows.

Let’s install Brim on Ubuntu Desktop 20.04.

SEE: Incident response policy (TechRepublic Premium)

What you’ll need

  • A running instance of Ubuntu Desktop (you can also install this on Red Hat-based distributions, macOS, or Windows)

  • Wireshark installed

  • A capture file saved from Wireshark

  • A user with sudo privileges

How to install Brim

The first thing we’re going to do is install the Brim package. Head over to the Brim download page and download the .deb package. When the download completes, open a terminal window and change into the Downloads directory with the command:

cd ~/Downloads

Install Brim with the command:

sudo dpkg -i brim*.deb

Back at the Brim download page, download the ZQ (pronounced “zeek”) package and save it to the ~/Downloads directory. When that download completes, unpack the file with the command:

unzip zq*.zip

If you find unzip not installed, install it with the command:

sudo apt-get install zip -y

Now we need to create a new directory to house the contents of the ZQ package. Create this new directory with the command:

sudo mkdir /opt/zeek

Move the necessary files to the newly-created directory with the command:

sudo cp zq-X/* /opt/zeek

Where X is the version number of ZQ.

We now need to add the ZQ path to our .bashrc file. Open .bashrc with the command:

nano ~/.bashrc

At the bottom of that file, add the following:

export PATH=$PATH:/opt/zeek

Save and close the file. 

How to load a capture into Brim

Let’s say you’ve already captured a file filled with network traffic from Wireshark. Because you cannot run Brim with sudo privileges (and you probably ran Wireshark with sudo privileges), you’re going to need to make sure that PCAP file is owned by the same user who will run Brim. 

For the sake of example, let’s say your capture file is called ~/testing.pcapng So back at your terminal window, issue the command:

sudo chown $USER.$USER ~/testing.pcapng

Now, open your desktop menu and find the Brim entry. When Brim opens click the Choose Files button (Figure A).

Figure A

brima.jpg

Opening a file in Brim is very easy.

Once you’ve located the file, Brim will display all of the packets captured in a way that is incredibly easy for you to sift through (Figure B).

Figure B

brimb.jpg

A Wireshark capture file opened in Brim.

At this point, you can start drilling down into that capture. Click on a packet to reveal more information than you might need to see to help you troubleshoot what’s going on with your network.

Also see


Source link

About admin

Check Also

Top 5 things to know about latency

Latency can interrupt your productivity and generally slow down your workday. Tom Merritt lists five ...

Leave a Reply

Your email address will not be published. Required fields are marked *