PCAP comes in a range of formats including Libpcap, WinPcap, and PCAPng. pcap files to collect and record packet data from a network. The “ files ” log file provides detailed information (MD5, SHA1, etc.) about files analyzed during Zeek’s analysis.Packet Capture or PCAP (also known as libpcap) is an application programming interface (API) that captures live network packet data from OSI model Layers 2-7. Looking at the overall number of bytes transferred to and from a system can help with baselining and identifying spikes in activity. The “ conn ” log file shows us the data transferred between connection attempts. By exploring the “ HTTP“ logs, we can see the IP address of the host machine associated with this activity. Now let’s dive into a few of the common files produced by Zeek (as seen in the Brim UI).
notice (logs for activities that seem out of the ordinary ). conn (records TCP/UDP/ICMP connections). files (results of file analysis, contains MD5s and SHA values). HTTP (contains HTTP requests and denies). The below outlines the types of Zeek logs derived from this file that we care to look at: We can see a breakdown of the type of activity seen in this capture from the above screenshot. What does this data mean?īrim took the PCAP and generated the associated Zeek log files from the data. You can also use the questions provided on the website as a starting point if you wish to dive deeper into the data. I then uploaded the PCAP file to the Brim system and received the below output.įrom here, we are now ready to explore the data. Y ou can find all the versions and platforms Brim supports to use the tool yourself. Īfter I downloaded the PCAP file safely, I downloaded Brim for MacOS. I’ll start by pulling the PCAP file from the website. We will explore the data in the “ Traffic analysis exercise – Windows host visits a website, gets EK traffic ” exercise for this articleįirst, we will need to download the appropriate tools and files for this use case. A website devoted to hosting various network traffic exercises and PCAP files. 
Brim has a great UI to explore Zeek logs in a ‘user-friendly’ manner.
For this article, we will use the tool to transform PCAP data into Zeek logs.
0 kommentar(er)
