offline:wrccdc_pcaps
offline:wrccdc_pcaps [2018/05/12 16:06] – [4: More advanced Traffic Analytics] veera | offline:wrccdc_pcaps [2018/05/13 00:10] (current) – [Drilling down] veera | ||
Line 1: | Line 1: | ||
- | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM |
The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | ||
+ | This is Part-1 of a 3 Part series | ||
+ | |||
+ | * Part 1: Approach how to avoid getting overwhelmed by large PCAPS | ||
+ | * [[offline: | ||
+ | * [[offline: | ||
- | In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump. | ||
===== Where to start with giant PCAP dumps ===== | ===== Where to start with giant PCAP dumps ===== | ||
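Review bot: the sentence removed at the end of this hunk ("In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump") was the only line telling the reader that the Docker image is the tool used, and the new series list gives only Part 1 a description while the Part 2 and Part 3 entries are bare links. Suggest describing Parts 2 and 3 on their bullet lines in the same form as Part 1 (and spelling it "Part 1 of a 3-part series" / "Approach: how to avoid getting overwhelmed by large PCAPs"), and keeping a one-sentence mention that the analysis is done with the TrisulNSM Docker image so Part 1 still reads as a complete entry point.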
Line 30: | Line 34: | ||
First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. | ||
- | * How many packets in the PCAP dump? Bytes? How many Flows ? | + | * What is the duration of the PCAPs? |
* What does the overall bandwidth usage chart look like ? | * What does the overall bandwidth usage chart look like ? | ||
* How much of that bandwidth went to external world, how much stayed inside? | * How much of that bandwidth went to external world, how much stayed inside? | ||
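Review bot: replacing "How many packets in the PCAP dump? Bytes? How many Flows ?" with "What is the duration of the PCAPs?" drops the volume baseline from the lay-of-the-land checklist rather than extending it. Duration and totals answer different questions: the same roughly 4 GB across eight files is a very different workload over one hour than over one day, and bytes per flow is the first hint of bulk transfer versus scanning. Keep both bullets (duration, then packets/bytes/flows) instead of swapping one for the other.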
Line 85: | Line 89: | ||
- **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. | ||
- **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. | ||
- | - **Packets** : The final level of drill down. | + | - **Packets** : The final level of drill down. |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | ===== Instructions | + | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | Download the first 8 PCAP files. Roughly 4GB into ''/ | + | |
- | + | ||
- | < | + | |
- | root@unpl: | + | |
- | total 3.8G | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | + | |
- | root@unpl: | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Run the Docker image over the pcaps | + | |
- | + | ||
- | < | + | |
- | + | ||
- | sudo docker run --name=trisul1n \ | + | |
- | --privileged=true --net=host -v / | + | |
- | -d trisulnsm/ | + | |
- | --webserver-port 4000 --websockets-port 4003 \ | + | |
- | --fine-resolution | + | |
- | --pcap | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Upon completion your '' | + | |
- | + | ||
- | + | ||
- | < | + | |
- | + | ||
- | Finished elapsed : 328 seconds | + | |
- | + | ||
- | + | ||
- | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO / | + | |
- | ==== TO VIEW DASHBOARDS ===== | + | |
- | ==== 1. login to the Web Trisul interface ===== | + | |
- | ==== 2. select wrccdc1 on the Login Screen ===== | + | |
- | + | ||
- | Started TrisulNSM docker image. Sleeping. | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Using Trisul to analyze the PCAPs | + | |
- | + | ||
- | + | ||
- | File extraction | + | |
- | < | ||
- | DOCKER: | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 / | ||
- | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 / | ||
- | DOCKER: | ||
- | </ | + | ==== Next ==== |
+ | Enough of theory. [[offline: | ||
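Review bot: the removed Instructions block starts the container with "--privileged=true --net=host" (the docker run lines in this hunk); since the section is being moved to the next part rather than dropped, the destination should state whether both flags are really needed for ingesting PCAPs from a mounted volume and, if not, show the narrower form. --privileged removes the container's capability and seccomp restrictions, and --net=host makes the container's listeners host listeners, so the dashboard on the "--webserver-port 4000 --websockets-port 4003" lines is reachable on whatever interfaces the host exposes. The "File extraction" listing at the end of the old text also shows TrisulNSM writing extracted files to disk; because the Files drill-down above is described as dumping "executables and potential troublesome downloads" from a competition capture, the moved instructions should tell the reader to run this on an isolated analysis host and not execute anything that is carved out.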
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera