Automate bulk export of PCAPs with Trisul

We recently had an incident where TRP Scripting came to our rescue. I want to share it with other Trisul users who may want to automate more of their Network and Security Monitoring.

The customer is a cloud provider who has been running Trisul for a few months now. There was an incident this past week and their team asked us if they could get the following data out of Trisul.

Can I have PCAPs for this host from Jan 2014 – one per day?

Getting a single day's worth of PCAP is easy from the web UI (Retro → Retro Tools → Pull Packets). But try doing this 31 times, once for each day in January: that is tedious work. So we quickly wrote a tiny Ruby script using the trisulrp gem to accomplish the task.

The daypcaps.rb script prompts you for a month and saves each day's packets neatly into a separate PCAP file.

Here is a sample run:

[tuser@rack600126 trp]$ ruby daypcaps.rb 12001
Enter PEM pass phrase:
Enter month (YYYY-MM) : 2014-01

Processing Date   = 2014-01-01
Finished Date   = 2014-01-01
Number of bytes = 0
Number of pkts  = 0
Hash            = ec1964c9934fe5016880edef804c488c1f96c21e
Saved pcap file on server = /tmp/TFILT-15864-1392897226.pcap

Processing Date   = 2014-01-02
Finished Date   = 2014-01-02
Number of bytes = 1047657843
Number of pkts  = 1552787
Hash            = 1f6bffb04553ac53103f423711ee0084b238325b
Saved pcap file on server = /tmp/TFILT-15864-1392897228.pcap

Processing Date   = 2014-01-03
Finished Date   = 2014-01-03
Number of bytes = 859401629
Number of pkts  = 1321092
Hash            = d265cfefc4057843635be0c330321ffef14380ad
Saved pcap file on server = /tmp/TFILT-15864-1392897401.pcap

Processing Date   = 2014-01-04
Finished Date   = 2014-01-04
Number of bytes = 142425149
Number of pkts  = 247244
Hash            = 8d3a064559fabff5d00d9e2bc1fa9c638289d5f2
Saved pcap file on server = /tmp/TFILT-15864-1392897539.pcap

This illustrates the real-world benefits that the Trisul Remote Protocol enables. We encourage more of our users to explore it; it only needs a wee bit of Ruby knowledge.
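The loop such a script needs, as an added example rather than the post's own daypcaps.rb: it walks every day of the month, leaves the actual packet pull to a block (in practice that block would wrap the trisulrp request, which is not shown here), skips empty days like 2014-01-01 above, and checks the returned file against the reported hash before renaming it by date. It assumes the "Hash" line is the SHA-1 of the saved file; the pcap writer only exists to produce a sample file for the block to consume.

```ruby
require 'date'
require 'digest'
require 'fileutils'
require 'tmpdir'

# One [date, from, to] epoch-second interval per calendar day of "YYYY-MM".
def day_intervals(month_str)
  first = Date.strptime(month_str, '%Y-%m')
  (first..first.next_month.prev_day).map do |d|
    [d, d.to_time.to_i, d.next_day.to_time.to_i - 1]
  end
end

# Constructed stand-in for the server-side /tmp/TFILT-*.pcap: a minimal pcap
# (global header plus `pkts` four-byte packets). Returns the file's SHA-1.
def write_sample_pcap(path, pkts)
  File.open(path, 'wb') do |f|
    f.write([0xa1b2c3d4, 2, 4, 0, 0, 65_535, 1].pack('LSSlLLL'))
    pkts.times { |i| f.write([i, 0, 4, 4].pack('LLLL') + "\xde\xad\xbe\xef".b) }
  end
  Digest::SHA1.file(path).hexdigest
end

# Yields (from, to) once per day; the block must return [path, pkts, hash],
# the three fields the sample run prints. Days with zero packets are skipped,
# and a file whose SHA-1 (assumed to be what "Hash" reports) does not match
# the reported value is rejected rather than silently kept.
def pull_month(month_str, out_dir)
  FileUtils.mkdir_p(out_dir)
  saved = []
  day_intervals(month_str).each do |day, from, to|
    path, pkts, hash = yield(from, to)
    next if pkts.zero?
    actual = Digest::SHA1.file(path).hexdigest
    raise "hash mismatch for #{day}: got #{actual}, expected #{hash}" unless actual == hash
    dest = File.join(out_dir, "#{day}.pcap")
    FileUtils.mv(path, dest)
    saved << [day.to_s, pkts, dest]
  end
  saved
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    n = 0
    pull_month('2014-01', File.join(dir, 'out')) do |from, _to|
      n += 1
      path = File.join(dir, "TFILT-#{from}.pcap")
      pkts = n == 1 ? 0 : n
      [path, pkts, write_sample_pcap(path, pkts)]
    end.each { |day, pkts, dest| puts "#{day}: #{pkts} pkts -> #{dest}" }
  end
end
```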

