Trisul User Documentation
How to use this guideTopUse the table of contents on the left to navigate the user guide. The following table describes what can be found in each section.
|Working with the UI||How to navigate the UI ? Using the modules and dashboards|
|Traffic monitoring|| How to perform long term and real time traffic monitoring ? How to create
your own counting policies ?
|Raw packets and resources||How to use and customize the full packet capture storage ? How to setup policies to control what gets stored ?|
|Flow analysis||How to use flow data ? How to track interesting flows and tag flows with text labels ?|
|Alerts||How to view alerts ? How to setup threshold crossing and flow alerts ?|
|Webapp admin||Create web users, manage permissions, app settings|
|12 Tools you can use||Description of built in network analysis tools|
|Reporting||How to view the dozens of included reports ? How to schedule reports by email ?|
Trisul is centered around fine grained metering of network traffic supplemented by various other types of data.
Traffic statistics are tightly cross indexed with flows, raw packets, and security alerts. The goal is to enable you to cross drill into one type of data from another.
Here is some terminology that we use
|Object type||What it is||Remarks|
|Counter Groups||A type of network entity being monitored||A counter group is the fundamental unit of network monitoring in Trisul. You get 20 built in groups such as Hosts, IPv6, Appls, MAC, VLANs, HTTP Hosts. Each counter group can potentially contain millions of keys. Example : The IPv4 Internal Hosts counter group may contain 80,000 keys (IP Addresses)|
|Flows/Sessions||A TCP or UDP conversation||Trisul generates Bi-directional TCP flows by observing packets or by directly processing Netflow/SFlow.|
|Packets||A record of actual traffic||To aid the practice of NSM, Trisul stores raw packets for extended periods of time. Innovative options are available to control storage requirements. Packets are encrypted on disk for added security.|
|Resources||HTTP URLs and DNS (currently)||All URLS and domains are logged. Provides a useful handle for incident response.|
|Alerts||IDS alerts||Trisul can accept alerts from an external IDS ((Intrusion detection system such as Snort or Suricata)) in Unified or Unified2 format on a Unix Socket. Like Resources, alerts can also provide useful entry points for investigation.|