Open source app offers a searchable bridge between logs and packets

Security researchers have developed an open source desktop application that makes it straightforward to work with even very large packet capture (pcap) files.

Pcaps provide data for network troubleshooting and security incident response, but these raw data files can easily become massive and unwieldy.

The tool, dubbed Brim, offers a means to search through large packet captures and logs via the Zeek network traffic analysis framework. Users can search through logs and drill down into packets from a particular flow by launching Wireshark.

Brim is built from multiple open source components, including: zq, a structured log query engine; Electron and React for multi-platform user interfaces; and Zeek, to generate network analysis data from packet capture files.

Joining up domains

The network forensics tool was developed by US-based vendor Brim Security and released as an open source utility last month.

Steve McCanne, Brim Security’s founder, created libpcap and is one of the authors of tcpdump.

Asked about the rationale for developing the tool, McCanne told The Daily Swig: “We wanted to reduce the time it takes anyone – expert incident responders and threat hunters, or someone just looking to win a capture-the-flag contest – to find interesting data in big pcaps and logs.

“Big pcaps are cumbersome but have lots of detail. Zeek logs summarize pcaps well, but there’s no easy way to search them on the desktop, or easily link back to a pcap.

“Brim joins these domains in an easy to use desktop app, that’s open source, so anyone can use it right now,” it added.

A YouTube walkthrough provides offers a guide on using Brim.

YOU MIGHT ALSO LIKE InQL will help developers discover GraphQL vulnerabilities