offline:wrccdc_pcaps

Differences

This shows you the differences between two versions of the page.

offline:wrccdc_pcaps [2018/05/12 16:06] – [4: More advanced Traffic Analytics] veeraoffline:wrccdc_pcaps [2018/05/13 00:10] (current) – [Drilling down] veera
Line 1: Line 1:
-====== Analyzing the WRCCDC PCAP dump using TrisulNSM ======+====== Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach ======
  
 The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition))  were kind enough to release [[https://archive.wrccdc.org/|packet captures]] (PCAPS) of the recently concluded event. The entire corpus is roughly 1TB.  Now the question is : **What are the tools that can help you unravel the information in the PCAPs?**  The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition))  were kind enough to release [[https://archive.wrccdc.org/|packet captures]] (PCAPS) of the recently concluded event. The entire corpus is roughly 1TB.  Now the question is : **What are the tools that can help you unravel the information in the PCAPs?** 
  
 +This is Part-1 of a 3 Part series 
 +
 +  * Part 1: Approach how to avoid getting overwhelmed by large PCAPS 
 +  * [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump]]
 +  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]]
  
-In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump. 
  
 ===== Where to start with giant PCAP dumps ===== ===== Where to start with giant PCAP dumps =====
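Review bot: the new series list is inconsistent in its own naming and the Part 1 entry is missing punctuation. "This is Part-1 of a 3 Part series" hyphenates differently from "Part 1:" / "Part 2:" two lines later, and "Part 1: Approach how to avoid getting overwhelmed by large PCAPS" reads as a run-on; suggest "This is Part 1 of a 3-part series" and "Part 1: An approach to avoid getting overwhelmed by large PCAPs" (matching the "PCAPs" spelling used elsewhere on the page). The new title's " : Part 1 Approach" would read better as ": Part 1, Approach" or ": Part 1 (Approach)".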
Line 30: Line 34:
 First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions.  First step is to get the "lay of the land". We created TrisulNSM to excel in this area. You can try answering these traffic questions. 
  
-  * How many packets in the PCAP dump? Bytes? How many Flows ? +  * What is the duration of the PCAPs? How many packets in the PCAP dump? Bytes? How many Flows ? 
   * What does the overall bandwidth usage chart look like ?    * What does the overall bandwidth usage chart look like ? 
   * How much of that bandwidth went to external world, how much stayed inside?    * How much of that bandwidth went to external world, how much stayed inside? 
Line 85: Line 89:
   - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them.    - **Files** : Dump executables and potential troublesome downloads. TrisulNSM can extract files of any size and show them. 
   - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows.    - **Flows** : The second last level of drill down. From a IP or App or other items you can pull up a list of flows. 
-  - **Packets** : The final level of drill down.   +  - **Packets** : The final level of drill down.  After this you should have all the information to decide if any escalation is required for action outside the NSM toolset.  
- +
- +
- +
- +
-===== Instructions to run TrisulNSM over the PCAPs ===== +
- +
- +
- +
- +
-Download the first 8 PCAP filesRoughly 4GB into ''/opt/trisulroot5/wrccdc'' +
- +
-<code> +
-root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/ +
-total 3.8G +
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap +
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap +
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap +
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap +
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap +
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap +
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap +
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap +
-root@unpl:~#  +
-</code> +
- +
- +
- +
-Run the Docker image over the pcaps +
- +
-<code> +
- +
-sudo docker run  --name=trisul1n \ +
-  --privileged=true --net=host -v /opt/trisulroot5:/trisulroot +
-      -d trisulnsm/trisul6  --enable-file-extraction   \ +
-          --webserver-port 4000 --websockets-port 4003 \ +
-          --fine-resolution +
-              --pcap  wrccdc +
-</code> +
- +
- +
- +
-Upon completion your ''docker logs -f trisul1n'' should show something like below. +
- +
- +
-<code> +
- +
-Finished elapsed : 328 seconds +
- +
- +
-==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc ===== +
-==== TO VIEW DASHBOARDS ===== +
-==== 1. login to the Web Trisul interface ===== +
-==== 2. select wrccdc1 on the Login Screen ===== +
- +
-Started TrisulNSM docker image. Sleeping. +
- +
-</code> +
- +
- +
- +
-Using Trisul to analyze the PCAPs  +
- +
- +
-File extraction+
  
-<code> 
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l 
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe 
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe 
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe 
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe 
-DOCKER:unpl:root savedfiles$  
  
  
-</code>+==== Next ====
  
 +Enough of theory. [[offline:wrccdc_pcaps_trisulnsm|Part-2 of this series]] explains how you can get the TrisulNSM Docker image to run over the PCAP dump
  
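Review bot: the docker run command removed in this hunk (the block starting `sudo docker run  --name=trisul1n \`) is not runnable as written, and if it is being moved verbatim to Part 2 it should be fixed first: the `--privileged=true --net=host -v /opt/trisulroot5:/trisulroot` line and the `--fine-resolution` line have no trailing `\`, so the shell ends the command after the `-v` mount and tries to execute `-d trisulnsm/trisul6 ...` and `--pcap  wrccdc` as separate commands. The same block is also the only place on this page that documents `--enable-file-extraction` and the `/tmp/savedfiles` extraction output, and it gives `--privileged=true --net=host` without saying why an offline PCAP import needs them; Part 2 should carry that explanation or drop the flags if they are not required. Minor: "Download the first 8 PCAP filesRoughly 4GB" needs punctuation ("files, roughly 4GB,"), and the new sentence under `==== Next ====` lacks a full stop.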
offline/wrccdc_pcaps.1526121374.txt.gz · Last modified: 2018/05/12 16:06 by veera