offline:wrccdc_pcaps

Differences

This shows you the differences between two versions of the page.

offline:wrccdc_pcaps [2018/05/12 16:18] – [Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach] veera
offline:wrccdc_pcaps [2018/05/12 17:10] – [Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach] veera
Line 5: Line 5:
 This is Part-1 of a 3 Part series  This is Part-1 of a 3 Part series 
  
-  * Part 1:  Approach how to avoid getting overwhelmed by large PCAPS (this) +  * Part 1: Approach how to avoid getting overwhelmed by large PCAPS  
-  * Part 2:  How to use the free TrisulNSM Docker Image to analyze the PCAP dump +  * [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump]] 
-  * Part 3:  Screenshots & video of possible analysis paths (using TrisulNSM)+  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]]
  
  
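Review bot: dropping "(this)" from the Part 1 item removes the only cue telling the reader which part of the series they are currently on; the new revision links Parts 2 and 3 but leaves Part 1 as plain text with no marker. Suggest keeping it, e.g. `* Part 1: Approach how to avoid getting overwhelmed by large PCAPS (this page)`, so the one unlinked item is clearly the current one.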
Line 93: Line 93:
  
  
- 
-===== Instructions to run TrisulNSM over the PCAPs ===== 
- 
- 
- 
- 
-Download the first 8 PCAP files. Roughly 4GB into ''/opt/trisulroot5/wrccdc'' 
- 
-<code> 
-root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/ 
-total 3.8G 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap 
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap 
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap 
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap 
-root@unpl:~#  
-</code> 
- 
- 
- 
-Run the Docker image over the pcaps 
- 
-<code> 
- 
-sudo docker run  --name=trisul1n \ 
-  --privileged=true --net=host -v /opt/trisulroot5:/trisulroot  \ 
-      -d trisulnsm/trisul6  --enable-file-extraction   \ 
-          --webserver-port 4000 --websockets-port 4003 \ 
-          --fine-resolution  \ 
-              --pcap  wrccdc 
-</code> 
- 
- 
- 
-Upon completion your ''docker logs -f trisul1n'' should show something like below. 
- 
- 
-<code> 
- 
-Finished elapsed : 328 seconds 
- 
- 
-==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc ===== 
-==== TO VIEW DASHBOARDS ===== 
-==== 1. login to the Web Trisul interface ===== 
-==== 2. select wrccdc1 on the Login Screen ===== 
- 
-Started TrisulNSM docker image. Sleeping. 
- 
-</code> 
- 
- 
- 
-Using Trisul to analyze the PCAPs  
- 
- 
-File extraction 
- 
-<code> 
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l 
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe 
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe 
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe 
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe 
-DOCKER:unpl:root savedfiles$  
- 
- 
-</code> 
  
  
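Review bot: this hunk removes the whole "Instructions to run TrisulNSM over the PCAPs" section (the download listing, the `docker run` command, the expected `docker logs -f trisul1n` output and the `/tmp/savedfiles/*.exe` listing) from Part 1 with no replacement text; since the first hunk now points readers to Part 2 for the how-to, please confirm that all of this content lands in `offline:wrccdc_pcaps_trisulnsm` so nothing is lost. When it is re-homed, the run command deserves one sentence on why `--privileged=true --net=host` are required, since they give the container host-level privileges and the host network namespace, which matters when the capture being analyzed is untrusted. The listing also shows that `--enable-file-extraction` writes executables carved from the competition traffic (`PsGetsid.exe`, `chocolate_debug.exe`) into `/tmp/savedfiles`; a note that these are artifacts of the captured traffic and should be treated as untrusted files would help readers.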
offline/wrccdc_pcaps.txt · Last modified: 2018/05/13 00:10 by veera