Differences

This shows you the differences between two versions of the page.

--- offline:wrccdc_pcaps_results [2018/05/12 23:58] – [File Extraction] veera
+++ offline:wrccdc_pcaps_results [2018/05/13 00:08] (current) – [Conclusion] veera
@@ Line 108: / Line 108: @@
 ==== Drilldown to Packets ====
+This is the endzone of most drilldowns and hunts. The absolute truth! TrisulNSM can jump to packets from a number of places. We suggest you use the "Quick Packet Headers" option to eyeball the PCAP before bringing it into Wireshark.  The Packet Headers has
+  - Quickly gets the first 100K of the PCAP
+  - Shows the strings in the PCAP in the 1st pane. This is a very very useful trick, helped us improve speed 10x in many cases.
+  - In second pane, shows the hexdump in a canonical format
+  - In the third pane, shows each packet in TSHARK format
+  - You then decide if you want to download the PCAP into wireshark.
 [{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}]
+===== Conclusion =====
+Thank you so much for reading all the way to the end.  We hope you find this free TrisulNSM Docker tool useful for monitoring PCAPs as well as for Live networks. The default [[https://trisul.org/free|Free Community License]] allows you to do a lot on frugal hardware. Check out our site [[https://trisul.org|Trisul Network Analytics]] for more options
+We also want to thank the great team at WRCCDC for releasing them. We work with PCAP all the time and know what a tremendous effort it is to assemble them.
+<note>
+Thanks again to the folks in this tweet from @netresec.
+Over 1 TB of #PCAP files from the @wrccdc #CDX have been released online thanks to @spiceywasabi and @disturbedmime. The WRCCDC dataset is now linked from our PCAP repository list.
+</note>