offline:wrccdc_pcaps
Differences
offline:wrccdc_pcaps [2018/05/12 16:15] – [1: Traffic Analytics] veera | offline:wrccdc_pcaps [2018/05/12 17:10] – [Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach] veera
Line 1: | Line 1: | ||
- | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM |
The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | ||
+ | This is Part-1 of a 3 Part series | ||
+ | |||
+ | * Part 1: Approach how to avoid getting overwhelmed by large PCAPS | ||
+ | * [[offline: | ||
+ | * [[offline: | ||
- | In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump. | ||
===== Where to start with giant PCAP dumps ===== | ===== Where to start with giant PCAP dumps ===== | ||
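Review bot: the new intro announces "This is Part-1 of a 3 Part series" but removes the only sentence that stated the page's scope ("In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump") without replacing it, so a reader landing on Part 1 no longer learns that the series is built around the TrisulNSM Docker image; keep a one-line scope sentence under the series list. Minor style points in the same hunk: "Part-1" and "3 Part" hyphenate inconsistently (suggest "Part 1 of a 3-part series"), and the item "Part 1: Approach how to avoid getting overwhelmed by large PCAPS" reads better as "Part 1: Approach: how to avoid getting overwhelmed by large PCAPs", matching the "PCAP dumps" spelling of the heading that follows.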
Line 89: | Line 93: | ||
- | |||
- | ===== Instructions to run TrisulNSM over the PCAPs ===== | ||
- | |||
- | |||
- | |||
- | |||
- | Download the first 8 PCAP files. Roughly 4GB into ''/ | ||
- | |||
- | < | ||
- | root@unpl: | ||
- | total 3.8G | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | ||
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | ||
- | root@unpl: | ||
- | </ | ||
- | |||
- | |||
- | |||
- | Run the Docker image over the pcaps | ||
- | |||
- | < | ||
- | |||
- | sudo docker run --name=trisul1n \ | ||
- | --privileged=true --net=host -v / | ||
- | -d trisulnsm/ | ||
- | --webserver-port 4000 --websockets-port 4003 \ | ||
- | --fine-resolution | ||
- | --pcap | ||
- | </ | ||
- | |||
- | |||
- | |||
- | Upon completion your '' | ||
- | |||
- | |||
- | < | ||
- | |||
- | Finished elapsed : 328 seconds | ||
- | |||
- | |||
- | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO / | ||
- | ==== TO VIEW DASHBOARDS ===== | ||
- | ==== 1. login to the Web Trisul interface ===== | ||
- | ==== 2. select wrccdc1 on the Login Screen ===== | ||
- | |||
- | Started TrisulNSM docker image. Sleeping. | ||
- | |||
- | </ | ||
- | |||
- | |||
- | |||
- | Using Trisul to analyze the PCAPs | ||
- | |||
- | |||
- | File extraction | ||
- | |||
- | < | ||
- | DOCKER: | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul | ||
- | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 / | ||
- | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 / | ||
- | DOCKER: | ||
- | |||
- | |||
- | </ | ||
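Review bot: this revision removes the whole "Instructions to run TrisulNSM over the PCAPs" section (the 8-file download listing, the docker run command, the completion banner and the file-extraction listing) from Part 1, but nothing in the hunk says where that material goes; if it is moving to Part 2 or 3, the series list at the top of the page should say so, and if it is being retired, readers lose the only lines that tell them the import finishes with "select wrccdc1 on the Login Screen". Whichever page ends up hosting the command should also explain why "--privileged=true --net=host" is needed, since those flags give the container host networking and near-root capabilities, and should advise running the analysis on a dedicated host; the "-v /" bind mount path is cut off in this rendering, so confirm the published version mounts only the directory holding the PCAPs rather than a broader path.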
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera