Do you have packet capture (PCAP) files collecting dust, waiting to be consulted only when an alert fires? If so, you might be missing out on critical insights into your network.
Trisul converts your PCAP files into statistical and topper sketches for hundreds of datapoints, points out elephant and mice flows, and basically lets you start exploring along multiple routes easily.
This blog describes how to run Trisul over PCAP dumps. Part 2 will describe how you can run Snort over the same PCAP dump and integrate the data with Trisul. Everything described here is completely free if you can arrange your dumps in 3-day chunks.
Let's jump right into it.
PCAP dataset dump structure can be anything
Trisul is rather powerful in how it processes PCAP dumps.
- Sorts all PCAPs in directories and subdirectories in time order. The sorting is done not by filename or file timestamp but by looking at the first packet in each file. So you can name your files whatever you want and put them in whatever subdirectory you want.
- Natively handles gzip and bzip2 compressed files.
- Ignores all files that don't look like PCAP files.
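The three behaviours above (order by the first packet, not the name; transparent gzip/bzip2; skip anything that is not a PCAP) as an added Python example, useful for previewing the order Trisul will process a dump tree in. This is not Trisul's own code; it recognises only classic pcap headers (not pcapng), and the one-packet sample captures that `demo()` writes to a temporary directory are constructed for the demonstration.

```python
import bz2, gzip, os, struct, tempfile

_MAGICS = {  # pcap global-header magic -> (byte order, timestamp fraction unit)
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),  # microsecond
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}  # nanosecond

def _open_any(path):  # sniff gzip/bzip2 by magic bytes, not by file extension
    with open(path, "rb") as fh:
        head = fh.read(3)
    if head[:2] == b"\x1f\x8b":
        return gzip.open(path, "rb")
    return bz2.open(path, "rb") if head == b"BZh" else open(path, "rb")

def first_packet_time(path):  # seconds of the first packet, or None if not a readable pcap
    try:
        with _open_any(path) as fh:
            ghdr = fh.read(24)  # magic, version, tz, sigfigs, snaplen, linktype
            rec = fh.read(16)   # first record: ts_sec, ts_frac, incl_len, orig_len
    except (OSError, EOFError):  # truncated or corrupt compressed stream
        return None
    if len(ghdr) < 24 or ghdr[:4] not in _MAGICS or len(rec) < 16:
        return None             # not a pcap, or a header with no packets to order by
    order, unit = _MAGICS[ghdr[:4]]
    sec, frac = struct.unpack(order + "II", rec[:8])
    return sec + frac * unit

def sorted_pcaps(top):  # [(first_packet_time, path)] in capture order, non-pcaps skipped
    found = []
    for root, _dirs, files in os.walk(top):
        for name in files:
            ts = first_packet_time(os.path.join(root, name))
            if ts is not None:
                found.append((ts, os.path.join(root, name)))
    return sorted(found)

def write_sample_pcap(path, ts_sec, opener=open):  # constructed one-packet LE microsecond pcap
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with opener(path, "wb") as fh:
        fh.write(ghdr + struct.pack("<IIII", ts_sec, 0, 4, 4) + b"\xde\xad\xbe\xef")

def demo():  # misleadingly named files: the names lie, the first packets tell the truth
    top = tempfile.mkdtemp()
    os.makedirs(os.path.join(top, "sub"))
    write_sample_pcap(os.path.join(top, "zzz_late.pcap"), 100)
    write_sample_pcap(os.path.join(top, "sub", "aaa.bin.gz"), 50, gzip.open)
    write_sample_pcap(os.path.join(top, "sub", "mid.bz2"), 75, bz2.open)
    with open(os.path.join(top, "README.txt"), "w") as fh:
        fh.write("not a capture")  # must be ignored by the walk
    return [os.path.basename(p) for _ts, p in sorted_pcaps(top)]
```

Calling `demo()` returns the file names in true capture order, with the text file dropped.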
Run Trisul over your PCAPs
First you create a new context for this data set
cd /usr/local/share/trisul
./mknewcontext mybigpcap1
Then run trisul and point it to the top-level directory. You can, of course, point it to a single file if you have just one PCAP file to process.
trisul -demon /usr/local/etc/trisul/trisulConfig.xml -mode offline -in /home/vince/pcaps2013
Wait for a while; the processing time depends more on the time window covered by the PCAP files than on the traffic volume. You can monitor the progress by tailing the log file.
Check if everything went through fine
Once completed, you can log in and create a web context for this data set.
- Login as admin
- Select Admin → Contexts → Add Existing
- Select the new dataset and press Create
- Log out and log back in on the new context
A good place to start exploring is: Retro Counters
(Topper sketching in action)