Differences

This shows you the differences between two versions of the page.

--- offline:wrccdc_pcaps [2018/05/12 16:16] – [Analyzing the WRCCDC PCAP dump using TrisulNSM] veera
+++ offline:wrccdc_pcaps [2018/05/13 00:10] (current) – [Drilling down] veera
@@ Line 1: / Line 1: @@
-====== Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1: Approach ======
+====== Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 1 Approach ======
 The good folks at WRCCDC ((Western Regional Collegiate Cyber Defense Competition))  were kind enough to release [[https://archive.wrccdc.org/|packet captures]] (PCAPS) of the recently concluded event. The entire corpus is roughly 1TB.  Now the question is : **What are the tools that can help you unravel the information in the PCAPs?**
+This is Part-1 of a 3 Part series
+  * Part 1: Approach how to avoid getting overwhelmed by large PCAPS
+  * [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump]]
+  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]]
-In this article, we show you how you can use the TrisulNSM Docker image to perform an end-to-end analysis of the PCAP dump.
 ===== Where to start with giant PCAP dumps =====
@@ Line 89: / Line 93: @@
+==== Next ====
-===== Instructions to run TrisulNSM over the PCAPs =====
+Enough of theory. [[offline:wrccdc_pcaps_trisulnsm|Part-2 of this series]] explains how you can get the TrisulNSM Docker image to run over the PCAP dump
-Download the first 8 PCAP files. Roughly 4GB into ''/opt/trisulroot5/wrccdc''
-<code>
-root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/
-total 3.8G
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap
--rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap
--rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap
--rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap
-root@unpl:~#
-</code>
-Run the Docker image over the pcaps
-<code>
-sudo docker run  --name=trisul1n \
-  --privileged=true --net=host -v /opt/trisulroot5:/trisulroot  \
-      -d trisulnsm/trisul6  --enable-file-extraction   \
-          --webserver-port 4000 --websockets-port 4003 \
-          --fine-resolution  \
-              --pcap  wrccdc
-</code>
-Upon completion your ''docker logs -f trisul1n'' should show something like below.
-<code>
-Finished elapsed : 328 seconds
-==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc =====
-==== TO VIEW DASHBOARDS =====
-==== 1. login to the Web Trisul interface =====
-==== 2. select wrccdc1 on the Login Screen =====
-Started TrisulNSM docker image. Sleeping.
-</code>
-Using Trisul to analyze the PCAPs
-File extraction
-<code>
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe
-DOCKER:unpl:root savedfiles$
-</code>