BRIM

A new way to browse, store and archive your logs

It's free. It's open source.

If you’ve ever used Wireshark to hunt down a problem and got lost in a sea of packets, or if you just want to see your Zeek logs in a new light, you should check out Brim.

Brim is not just a tool to investigate packet captures through the lens of Zeek, but a whole new way to think about logs.


A Tools-Based Approach

Inspired by the Unix-tools design pattern, everything Brim does can be run from the command line. Think of Brim's components like Lego blocks that you can easily interconnect and assemble. It’s all open source, so have a look.

Brim Desktop

Brim is packaged as a desktop app, built with Electron just like Slack. Once installed, you can open a pcap with Brim and it will transform the pcap into Zeek logs in the ZNG format. From here, you can search the logs and drill down to just the packets from a particular flow by launching Wireshark with a click of a button. While Brim currently supports browsing logs on your system at desktop-scale, future versions will connect to clusters of search servers or cloud services.

The Richness of Zeek

Brim includes built-in knowledge of Zeek logs, providing the building blocks that you already know and love like UIDs, connection histories, file hashes, sequence diagrams, and so forth. While you're clicking around and drilling down into logs, Brim runs derivative searches in the background automatically, e.g., to join related log events using the UID field, and presents these derived results in user-friendly visualizations.
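The UID join described above, as an added example that is not Brim's own code: it groups Zeek events by connection `uid` (and, for `files.log`, by each entry in `conn_uids`, since one file can span several connections) into a per-connection timeline. The JSON-lines records are constructed samples, not real traffic.

```python
import json
from collections import defaultdict

# Constructed sample Zeek records in JSON-lines form (not real traffic):
# one TLS connection with its conn, ssl and files events, plus an unrelated conn.
SAMPLE_LOGS = """
{"_path":"conn","ts":1.2,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp","history":"ShADadfF"}
{"_path":"ssl","ts":1.3,"uid":"CAbc123","server_name":"example.test","version":"TLSv12"}
{"_path":"files","ts":1.5,"fuid":"FdEf456","conn_uids":["CAbc123"],"mime_type":"application/octet-stream","total_bytes":2048}
{"_path":"conn","ts":2.0,"uid":"CXyz789","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.2","id.resp_p":80,"proto":"tcp","history":"S"}
""".strip()


def join_by_uid(lines):
    """Group Zeek JSON-lines events by connection uid.

    Most Zeek logs carry a single `uid`; files.log instead carries
    `conn_uids`, a list, because one file can be seen over several
    connections. Returns {uid: [events sorted by ts]}.
    """
    by_uid = defaultdict(list)
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        uids = rec.get("conn_uids") or ([rec["uid"]] if "uid" in rec else [])
        for uid in uids:
            by_uid[uid].append(rec)
    for events in by_uid.values():
        events.sort(key=lambda r: r["ts"])
    return dict(by_uid)


def connection_timeline(lines, uid):
    """(log path, timestamp) pairs for one connection, in time order."""
    return [(r["_path"], r["ts"]) for r in join_by_uid(lines).get(uid, [])]


if __name__ == "__main__":
    for uid, events in join_by_uid(SAMPLE_LOGS).items():
        print(uid, [r["_path"] for r in events])
```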

ZNG Data Format

Does the world really need another data format? Yes indeed! Brim stores its log data in the new structured log format ZNG. ZNG is richly typed and embeds its type schemas in the data stream. It's inspired by Avro, but without the hassle of out-of-band schema definitions and schema registries.

ZQL - ZNG Query Language

Brim provides a rich query language that allows you to easily perform simple, intuitive keyword searches while running rich analytics with sophisticated filters and pipelines. ZQL is available both in the Brim search bar as well as in the zq CLI.

Brim and Pcaps

Wireshark is great for troubleshooting specific traffic flows or protocol messages. But if you ever have to load up a huge pcap and track something down, it can be painful. With Brim, you can load big pcaps and immediately start searching, getting responses in seconds and drilling down to the interesting packets, which are indexed and passed directly to Wireshark. A multi-GB pcap typically distills down to a few hundred MB of ZNG logs, which is a breeze to search with Brim.

Built on Go

The Brim backend is built from the ground up using Go, the system language that powers massive infrastructure at the world's largest Internet sites. In fact, when Brim runs on your desktop, there's a miniature zqd server running in the background.

Best of Both Worlds

Brim blends together the richness of Zeek logs with the details of packets. It's the best of both worlds. While Zeek logs can answer almost all of your questions quickly, you still have fast access to packets when you need to drill down into the details. Wireshark is always just a click away.

Try Brim

Whether you're a beginner or an expert working with packets, Zeek, or logs, Brim will get you the answers you're looking for. Seeing is believing, so give it a try.

And, please reach out to us. We'd love your feedback and ideas.