====== Installing Trisul using Docker Image ======

This article helps you install Trisul Network Analytics using a Docker image.

===== 1. Run TrisulNSM on a capture interface =====

Now you are ready to run TrisulNSM. Say you want to capture traffic from the interface //ens33// and store the results in /opt/trisul6_root. Just type:

  sudo docker run --net=host -v /opt/trisul6_root:/trisulroot -d trisulnsm/trisul6 --interface ens33

{{:tips:docker_execute.png?600|}}

In the above command, notice that the host directory ///opt/trisul6_root// is mapped as a volume using -v. That is where all the persistent data is kept.

Log on at https://localhost:3000 and you can dive right in. Click on [[https://www.trisul.org/docs/ug/basicusage/index.html|Trisul Docs:Basic Usage]] to get started.

===== 2. Process a PCAP dump =====

  * Trisul does a two-pass analysis over PCAP dumps. The first pass builds statistics, flows, packets, and resources.
  * Then a second pass with Suricata IDS overlays the IDS alerts. This gives you full NSM visibility of both traffic and signature-based alerts.

The following command processes the //myPacketDump.pcap// file located in the trisulroot.

  sudo docker run --privileged=true --name=trisul1a \
     --net=host -v /opt/trisul6_root:/trisulroot \
     -d trisulnsm/trisul6 --pcap myPacketDump.pcap

**Notes on offline pcap:**

  * PCAP File Location: The file //myPacketDump.pcap// has to be placed inside the shared volume /opt/trisul6_root so that the Docker container can see the file from the host.
  * --privileged=true: This option is required because the Trisul File Extraction feature requires root to create a RAMFS partition inside the Docker container.

===== 3. Start a Netflow Analytics instance =====

With just a single line you can start a TrisulNSM Docker instance to process Netflow v5/v9/IPFIX/SFlow using the //--netflow-mode// parameter.

  sudo docker run --net=host -v /opt/trisul6_root:/trisulroot \
     -d trisulnsm/trisul6 --interface enp5s0 --netflow-mode

In the above command, notice that the host directory ///opt/trisul6_root// is mapped as a volume using -v. That is where all the persistent data is kept.

Log on at https://localhost:3000 and you can dive right in. Click on [[https://www.trisul.org/docs/ug/basicusage/index.html|Trisul Docs:Basic Usage]] to get started.

{{:tips:docker_ui_login.png?600|}}

With the Netflow PCAP dumped, the Trisul UI will look like this.

{{:tips:docker_ui.png?600|}}
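
For the offline PCAP run in section 2, a preflight check can confirm that the file really lives inside the shared volume and looks like a capture before a privileged container is started on it. This is an added example, not part of Trisul or of the original article; the function name ''check_pcap'', its exit codes, and the idea that ''--pcap'' takes a path relative to the volume root are assumptions made here.

```shell
#!/bin/sh
# Added example (not Trisul tooling): preflight for the --pcap run above.
# Exit codes are this script's own convention:
#   0 ok, 2 volume dir missing, 3 file missing, 4 outside volume, 5 not a capture

check_pcap() (
    root=$1
    name=$2
    # Resolve the volume directory physically so symlinked roots compare cleanly.
    real_root=$(cd "$root" 2>/dev/null && pwd -P) || {
        echo "volume dir not found: $root" >&2; exit 2; }
    # Follow symlinks: only files that really live under the host directory
    # are visible at /trisulroot inside the container.
    real_file=$(readlink -f -- "$real_root/$name") || exit 3
    [ -f "$real_file" ] || { echo "not a regular file: $name" >&2; exit 3; }
    case $real_file in
        "$real_root"/*) ;;
        *) echo "$name resolves outside $real_root" >&2; exit 4 ;;
    esac
    # First four bytes: classic pcap (micro/nanosecond, either byte order)
    # or pcapng section header.
    magic=$(od -An -tx1 -N4 "$real_file" | tr -d ' \n')
    case $magic in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) ;;
        *) echo "$name has no pcap/pcapng magic number" >&2; exit 5 ;;
    esac
    # Print the path relative to the volume root (assumed form for --pcap,
    # matching myPacketDump.pcap on this page).
    printf '%s\n' "${real_file#"$real_root"/}"
)

# Usage: sh preflight.sh /opt/trisul6_root myPacketDump.pcap
if [ "$#" -eq 2 ]; then
    rel=$(check_pcap "$1" "$2") || exit $?
    echo "ok, file is visible to the container as /trisulroot/$rel"
fi
```

The check catches the common failure where the PCAP is a symlink into another directory: the link exists in /opt/trisul6_root on the host, but its target is not mounted in the container.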