offline:wrccdc_pcaps

Differences

offline:wrccdc_pcaps [2018/05/12 16:26] – [Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach] veera
offline:wrccdc_pcaps [2018/05/12 16:32] – [Instructions to run TrisulNSM over the PCAPs] veera
Line 93: Line 93:
  
  
- 
-===== Instructions to run TrisulNSM over the PCAPs ===== 
- 
- 
- 
- 
-Download the first 8 PCAP files. Roughly 4GB into ''/opt/trisulroot5/wrccdc'' 
- 
-<code> 
-root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/ 
-total 3.8G 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap 
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap 
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap 
-root@unpl:~#  
-</code> 
- 
- 
- 
-Run the Docker image over the pcaps 
- 
-<code> 
- 
-sudo docker run  --name=trisul1n \ 
-  --privileged=true --net=host -v /opt/trisulroot5:/trisulroot  \ 
-      -d trisulnsm/trisul6  --enable-file-extraction   \ 
-          --webserver-port 4000 --websockets-port 4003 \ 
-          --fine-resolution  \ 
-              --pcap  wrccdc 
-</code> 
- 
- 
- 
-Upon completion your ''docker logs -f trisul1n'' should show something like below. 
- 
- 
-<code> 
- 
-Finished elapsed : 328 seconds 
- 
- 
-==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc ===== 
-==== TO VIEW DASHBOARDS ===== 
-==== 1. login to the Web Trisul interface ===== 
-==== 2. select wrccdc1 on the Login Screen ===== 
- 
-Started TrisulNSM docker image. Sleeping. 
- 
-</code> 
- 
- 
- 
-Using Trisul to analyze the PCAPs  
- 
- 
-File extraction 
- 
-<code> 
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l 
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe 
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe 
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe 
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe 
-DOCKER:unpl:root savedfiles$  
- 
- 
-</code> 
  
  
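Review bot: the `docker run` command in this removed block starts the analyzer with `--privileged=true --net=host`, which hands the container full host device access and the host's network namespace, and `--enable-file-extraction` then carves executables out of the competition traffic onto disk (the listing shows `PsGetsid.exe` and `chocolate_debug.exe` under `/tmp/savedfiles`). If this section is being moved rather than dropped, the destination should state that the host running this is an isolated analysis machine and that the extracted binaries are treated as untrusted artifacts to be hashed and inspected, not run. Minor: "Using Trisul to analyze the PCAPs" and "File extraction" read as headings but lack the `=====` markup used for the section title at the top of the block, and the block is removed with no indication of where its content now lives.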
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera