offline:wrccdc_pcaps
Differences
offline:wrccdc_pcaps [2018/05/12 16:16] – [Analyzing the WRCCDC PCAP dump using TrisulNSM] veera | offline:wrccdc_pcaps [2018/05/13 00:10] (current) – [Drilling down] veera | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1: Approach ====== | + | ====== Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach ====== |
The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition)) | ||
+ | This is Part-1 of a 3 Part series | ||
+ | |||
+ | * Part 1: Approach how to avoid getting overwhelmed by large PCAPS | ||
+ | * [[offline: | ||
+ | * [[offline: | ||
- | In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump. | ||
===== Where to start with giant PCAP dumps ===== | ===== Where to start with giant PCAP dumps ===== | ||
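Review bot: the series naming is now inconsistent within this hunk: the new title reads "Part 1 Approach" (the colon was dropped from the old "Part 1: Approach"), the new intro line says "Part-1 of a 3 Part series" with a hyphen, and the first list item says "Part 1: Approach" with the colon; pick one form, e.g. "Part 1: Approach", and use it in the title, the intro line and the list. The list item "how to avoid getting overwhelmed by large PCAPS" also capitalises "PCAPS" where the rest of the page writes "PCAP".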
Line 89: | Line 93: | ||
+ | ==== Next ==== | ||
- | ===== Instructions to run TrisulNSM over the PCAPs ===== | + | Enough of theory. [[offline:wrccdc_pcaps_trisulnsm|Part-2 of this series]] explains how you can get the TrisulNSM |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | Download the first 8 PCAP files. Roughly 4GB into ''/ | + | |
- | + | ||
- | < | + | |
- | root@unpl:~# ls -lh / | + | |
- | total 3.8G | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap | + | |
- | -rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap | + | |
- | root@unpl: | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Run the Docker image over the pcaps | + | |
- | + | ||
- | < | + | |
- | + | ||
- | sudo docker run --name=trisul1n \ | + | |
- | --privileged=true --net=host -v / | + | |
- | -d trisulnsm/ | + | |
- | --webserver-port 4000 --websockets-port 4003 \ | + | |
- | --fine-resolution | + | |
- | --pcap | + | |
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Upon completion your '' | + | |
- | + | ||
- | + | ||
- | < | + | |
- | + | ||
- | Finished elapsed : 328 seconds | + | |
- | + | ||
- | + | ||
- | ==== SUCCESSFULLY IMPORTED FROM PCAP REPO / | + | |
- | ==== TO VIEW DASHBOARDS ===== | + | |
- | ==== 1. login to the Web Trisul interface ===== | + | |
- | ==== 2. select wrccdc1 on the Login Screen ===== | + | |
- | + | ||
- | Started TrisulNSM docker image. Sleeping. | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | + | ||
- | + | ||
- | Using Trisul to analyze the PCAPs | + | |
- | + | ||
- | + | ||
- | File extraction | + | |
- | + | ||
- | < | + | |
- | DOCKER: | + | |
- | -rw-r--r-- 1 trisul trisul | + | |
- | -rw-r--r-- 1 trisul trisul | + | |
- | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 / | + | |
- | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 / | + | |
- | DOCKER: | + | |
- | + | ||
- | + | ||
- | </ | + | |
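Review bot: the removed run instructions (the `sudo docker run` block with `--privileged=true --net=host` and the bind-mounted PCAP directory) appear to be moving to Part 2 per the new "Next" text rather than being dropped; wherever they reappear, `--privileged=true --net=host` deserves a one-line caveat, since those flags give the container root-equivalent access to the host and its network namespace, which is fine on a dedicated, isolated analysis box but not on a shared host. Also, `==== Next ====` is one heading level below the `===== ... =====` section it replaces, so it will render as a subsection of "Where to start with giant PCAP dumps" instead of a peer section; `===== Next =====` keeps the outline flat.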
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera