Transform Your Wireshark Workflow with Brim on Linux

Colorful Ethernet cables.
pixelnest/Shutterstock

Wireshark is the de facto standard for analyzing network traffic. Unfortunately, it does become increasingly laggy as the packet capture grows. Brim solves this problem so well, it’ll change your Wireshark workflow.

Wireshark Is Great, But . . .

Wireshark is a wonderful piece of open-source software. It’s used by amateurs and professionals alike worldwide to investigate networking issues. It captures the data packets that travel down the wires or through the ether of your network. Once you’ve captured your traffic, Wireshark allows you to filter and search through the data, trace conversations between network devices, and much more.

As great as Wireshark is, though, it does have one issue. Network data capture files (called network traces or packet captures), can get very large, very quickly. This is especially true if the issue you’re trying to investigate is complex or sporadic, or the network is large and busy.

The larger the packet capture (or PCAP), the more laggy Wireshark becomes. Just opening and loading a very large (anything over 1 GB) trace can take so long, you’d think Wireshark had keeled over and given up the ghost.

Working with files of that size is a real pain. Every time you perform a search or change a filter, you have to wait for the effects to be applied to the data and updated on the screen. Each delay disrupts your concentration, which can hinder your progress.

Brim is the remedy for these woes. It acts as an interactive preprocessor and front-end for Wireshark. When you want to see the granular level Wireshark can provide, Brim instantly opens it for you exactly on those packets.

If you do a lot of network capture and packet analysis, Brim will revolutionize your workflow.

Installing Brim

Brim is very new, so it hasn’t yet made its way into the software repositories of the Linux distributions. However, on the Brim download page, you’ll find DEB and RPM package files, so installing it on Ubuntu or Fedora is simple enough.

If you use another distribution, you can download the source code from GitHub and build the application yourself.

Brim uses zq, a command-line tool for Zeek logs, so you’ll also need to download a ZIP file containing the zq binaries.

Installing Brim on Ubuntu

If you’re using Ubuntu, you’ll need to download the DEB package file and zq Linux ZIP file. Double-click the downloaded DEB package file, and the Ubuntu Software application will open. The Brim license is mistakenly listed as “Proprietary”—it uses the BSD 3-Clause License.

Click “Install.”

Click "Install."

When the installation is complete, double-click the zq ZIP file to launch the Archive Manager application. The ZIP file will contain a single directory; drag and drop it from the “Archive Manager” to a location on your computer, like the “Downloads” directory.

We type the following to create a location for the zq binaries:

sudo mkdir /opt/zeek
sudo mkdir /opt/zeek in a terminal window.

We need to copy the binaries from the extracted directory to the location we just created. Substitute the path and name of the extracted directory on your machine in the following command. The destination must match the directory created above exactly, because Linux paths are case-sensitive:

sudo cp Downloads/zq-v0.20.0.linux-amd64/* /opt/zeek
The cp command in a terminal window.

We need to add that location to the PATH, so we’ll edit the .bashrc file in your home directory (it’s your own file, so no sudo is required):

gedit ~/.bashrc
gedit ~/.bashrc in a terminal window.

The gedit editor will open. Scroll to the bottom of the file, and then type this line:

export PATH=$PATH:/opt/zeek
The BASHRC file in the gedit editor with the line export PATH=$PATH:/opt/zeek.

Save your changes and close the editor. The new PATH takes effect in any terminal you open from now on; to use it in the current terminal, run source ~/.bashrc.

Installing Brim on Fedora

To install Brim on Fedora, download the RPM package file (instead of the DEB), and then follow the same steps we covered for the Ubuntu installation above.

Interestingly, when the RPM file opens in Fedora, it’s correctly identified as having an open-source license, rather than a proprietary one.

Launching Brim

Click “Show Applications” in the dock or press Super+A. Type “brim” in the Search box, and then click “Brim” when it appears.

Type "brim" in the Search box.

Brim launches and displays its main window. You can click “Choose Files” to open a file browser, or drag and drop a PCAP file in the area surrounded by the red rectangle.

The Brim main window after startup.

Brim uses a tabbed display, and you can have multiple tabs open simultaneously. To open a new tab, click the plus sign (+) at the top, and then select another PCAP.

Brim Basics

Brim loads and indexes the selected file. The index is one of the reasons Brim is so fast. The main window contains a histogram of packet volumes over time, and a list of network “flows.”

The Brim main window with a PCAP file loaded.

A PCAP file holds a time-ordered stream of network packets for a great many network connections. The data packets for the various connections are intermingled because some of them will have been opened concurrently. The packets for each network “conversation” are interspersed with the packets of other conversations.

Wireshark displays the network stream packet by packet, while Brim uses a concept called “flows.” A flow is a complete network interchange (or conversation) between two devices. Each flow type is categorized, color coded, and labeled by flow type. You’ll see flows labeled “dns,” “ssh,” “https,” “ssl,” and many more.

If you scroll the flow summary display left or right, many more columns will be displayed. You can also adjust the time period to display the subset of information you want to see. Below are a few ways you can view data:

  • Click a bar in the histogram to zoom in on the network activity within it.
  • Click and drag to highlight a range of the histogram display and zoom in. Brim will then display the data from the highlighted section.
  • You can also specify exact periods in the “Date” and “Time” fields.

Brim can display two side panes: one on the left, and one on the right. These can be hidden or remain visible. The pane on the left shows a search history and list of open PCAPs, called spaces. Press Ctrl+[ to toggle the left pane on or off.

The "Spaces" pane in Brim.

The pane on the right contains detailed information about the highlighted flow. Press Ctrl+] to toggle the right pane on or off.

A highlighted "Fields" pane on Brim.

Click “Conn” in the “UID Correlation” list to open a connection diagram for the highlighted flow.

Click "Conn."

In the main window, you can also highlight a flow, and then click the Wireshark icon. This launches Wireshark with the packets for the highlighted flow displayed.

Click the Wireshark icon in the Brim main window.

Wireshark opens, displaying the packets of interest.

Packets selected from Brim displayed in Wireshark.

Filtering in Brim

Searching and filtering in Brim are flexible and comprehensive, but you don’t have to learn a new filtering language if you don’t want to. You can build a syntactically correct filter in Brim by clicking fields in the summary window, and then selecting options from a menu.

For example, in the image below, we right-clicked a “dns” field. We’re then going to select “Filter = Value” from the context menu.

A context menu in the summary window.

The following things then occur:

  • The text _path = "dns" is added to the search bar.
  • That filter is applied to the PCAP file, so it will only display flows that are Domain Name Service (DNS) flows.
  • The filter text is also added to the search history in the left pane.

A summary screen filtered by DNS.

We can add further clauses to the search term using the same technique. We’ll right-click the IP address field (containing “192.168.1.26”) in the “Id.orig_h” column, and then select “Filter = Value” from the context menu.

This adds the additional clause as an AND clause. The display is now filtered to show DNS flows that originated from that IP address (192.168.1.26).

A summary screen filtered by flow type and IP address.

The new filter term is added to the search history in the left pane. You can hop between searches by clicking the items in the search history list.

The destination IP address for most of our filtered data is 81.139.56.100. To see which DNS flows were sent to different IP addresses, we right-click “81.139.56.100” in the “Id_resp_h” column, and then select “Filter != Value” from the context menu.

Summary screen with a search filter containing an "!=" clause.

Only one DNS flow that originated from 192.168.1.26 wasn’t sent to 81.139.56.100, and we’ve located it without having to type anything to create our filter.

Pinning Filter Clauses

When we right-click an “HTTP” flow and select “Filter = Value” from the context menu, the summary pane will display only HTTP flows. We can then click the Pin icon next to the HTTP filter clause.

Click the Pin icon.

The HTTP clause is now pinned in place, and any other filters or search terms we use will be executed with the HTTP clause prepended to them.

If we type “GET” in the search bar, the search will be restricted to flows that have already been filtered by the pinned clause. You can pin as many filter clauses as necessary.

"GET" in the Search box.

To search for POST packets in the HTTP flows, we simply clear the search bar, type “POST,” and then press Enter.

"POST" in the Search box executed with the pinned "HTTP" clause.
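The clause building described under “Filtering in Brim” and the pinning behaviour described in this section, as an added example that is not code from the article or from the Brim project: a small Python evaluator for the field = "value" and field != "value" clauses Brim writes into its search bar, run over constructed flow records. It assumes clauses are joined with “and”, that a bare word such as GET is a case-insensitive substring search across every field of a flow, and that a flow lacking the named field counts as “not equal”; the IP addresses are the ones in the article, and everything else in the sample records is made up.

```python
import re
from typing import Callable, Dict, List, Sequence

Flow = Dict[str, str]

# Constructed sample flows shaped like Brim's summary columns (Zeek dns/http/ssh/ssl logs).
# The addresses mirror the article; the hostnames and methods are invented for the example.
FLOWS: List[Flow] = [
    {"_path": "dns", "id.orig_h": "192.168.1.26", "id.resp_h": "81.139.56.100", "query": "trustwave.com"},
    {"_path": "dns", "id.orig_h": "192.168.1.26", "id.resp_h": "81.139.56.100", "query": "howtogeek.com"},
    {"_path": "dns", "id.orig_h": "192.168.1.26", "id.resp_h": "8.8.8.8", "query": "example.org"},
    {"_path": "dns", "id.orig_h": "192.168.1.40", "id.resp_h": "81.139.56.100", "query": "example.org"},
    {"_path": "http", "id.orig_h": "192.168.1.26", "id.resp_h": "203.0.113.10", "method": "GET", "host": "trustwave.com"},
    {"_path": "http", "id.orig_h": "192.168.1.26", "id.resp_h": "203.0.113.10", "method": "POST", "host": "trustwave.com"},
    {"_path": "ssh", "id.orig_h": "192.168.1.26", "id.resp_h": "192.168.1.50"},
    # An SSL flow whose server name happens to contain "get": shows why pinning matters.
    {"_path": "ssl", "id.orig_h": "192.168.1.26", "id.resp_h": "203.0.113.22", "server_name": "budget-widgets.example"},
]

# One clause: field, = or !=, optionally quoted value (Brim writes _path = "dns").
CLAUSE_RE = re.compile(r'^([\w.]+)\s*(!=|=)\s*"?(.*?)"?$')


def parse(expr: str) -> List[Callable[[Flow], bool]]:
    """Turn a search-bar expression into predicates that must all hold (implicit AND)."""
    preds: List[Callable[[Flow], bool]] = []
    for part in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        if not part:
            continue
        m = CLAUSE_RE.match(part)
        if m is None:
            # Bare keyword (e.g. GET): case-insensitive substring of any field value (assumption).
            word = part.lower()
            preds.append(lambda f, w=word: any(w in v.lower() for v in f.values()))
            continue
        field, op, value = m.groups()
        if op == "=":
            preds.append(lambda f, k=field, v=value: f.get(k) == v)
        else:
            # A flow without the field counts as "not equal" (assumption).
            preds.append(lambda f, k=field, v=value: f.get(k) != v)
    return preds


def search(flows: Sequence[Flow], expr: str, pinned: Sequence[str] = ()) -> List[Flow]:
    """Run expr with every pinned clause prepended, which is what Brim does for pinned filters."""
    terms = list(pinned) + ([expr] if expr.strip() else [])
    preds = parse(" and ".join(terms))
    return [f for f in flows if all(p(f) for p in preds)]


class Session:
    """Mimics one Brim tab: a list of pinned clauses plus the search history."""

    def __init__(self, flows: Sequence[Flow]) -> None:
        self.flows = flows
        self.pinned: List[str] = []
        self.history: List[str] = []

    def pin(self, clause: str) -> None:
        self.pinned.append(clause)

    def search(self, expr: str) -> List[Flow]:
        self.history.append(expr)
        return search(self.flows, expr, self.pinned)


if __name__ == "__main__":
    # The three steps from the article: dns only, then from 192.168.1.26, then not to 81.139.56.100.
    dns_from_host = search(FLOWS, '_path = "dns" and id.orig_h = 192.168.1.26')
    odd_one_out = search(FLOWS, '_path = "dns" and id.orig_h = 192.168.1.26 and id.resp_h != 81.139.56.100')
    print(len(dns_from_host), "DNS flows from 192.168.1.26;", len(odd_one_out), "sent elsewhere")
    # Pin the HTTP clause, then keyword-search GET and POST within it.
    tab = Session(FLOWS)
    tab.pin('_path = "http"')
    print("GET with pin:", [f["method"] for f in tab.search("GET")])
    print("GET without pin matches", len(search(FLOWS, "GET")), "flows (the SSL flow too)")
```

The unpinned keyword search is the point of the last line: a bare GET matches any flow whose fields contain that substring, so without the pinned HTTP clause an unrelated SSL flow shows up as well; the pin keeps the keyword search scoped to the flow type you are actually investigating.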

Scrolling sideways reveals the ID of the remote host.

The remote "Host" column in the Brim summary screen.

All the search and filter terms are added to the “History” list. To reapply any filter, just click it.

The auto-populated "History" list.

You can also search for a remote host by name.

Searching for "trustwave.com" in Brim.

Editing Search Terms

If you want to search for something, but don’t see a flow of that type, you can click any flow and edit the entry in the search bar.

For example, we know there must be at least one SSH flow in the PCAP file because we used rsync to send some files to another computer, but we can’t see it.

So, we’ll right-click another flow, select “Filter = Value” from the context menu, and then edit the search bar to say “ssh” instead of “dns.”

We press Enter to search for SSH flows and find there’s only one.

An SSH flow in the summary window.

Pressing Ctrl+] opens the right pane, which shows the details for this flow. If a file was transferred during a flow, the MD5, SHA1, and SHA256 hashes appear.

Right-click any of these, and then select “VirusTotal Lookup” from the context menu to open your browser at the VirusTotal website and pass in the hash for checking.

VirusTotal stores the hashes of known malware and other malicious files. If you’re unsure whether a file is safe, this is an easy way to check, even if you no longer have access to the file.

The hash context menu options.

If the file is benign (or simply not yet known to VirusTotal, which a lack of matches doesn’t distinguish), you’ll see the screen shown in the image below.

A "No Matches Found" response from the VirusTotal site.

The Perfect Complement to Wireshark

Brim makes working with Wireshark even faster and easier by allowing you to work with very large packet capture files. Give it a test run today!

Translated from: https://www.howtogeek.com/689026/transform-your-wireshark-workflow-with-brim-on-linux/
