Articles about network security monitoring, traffic analytics, setting up measurement, techniques for scaling, threat hunting tips, etc.

Hardware and Data Acquisition

Netflow tunneling

Tunneling Netflow to a remote Trisul involves preserving the original IP address of the switch/router that exported it. We describe three methods to achieve this: NAT, GRE, and Shim tunnels.

Using NAT on gateway to send Netflow to remote Trisul

Using GRE Tunnel to send Netflow to a remote Trisul

Using a Shim Tunnel to send Netflow to a remote Trisul

Use a Shim Tunnel when you can't use GRE or NAT

High availability and Disaster Recovery

Trisul can be set up in a High Availability (HA) or Disaster Recovery (DR) configuration. This section contains articles related to that.

Configure HA using keepalived


NSM and Packet Analytics Concepts


TLS Fingerprinting

Intrusion Detection

Offline analysis with the WRCCDC PCAP dump

In this three part series, we explain techniques and show how to analyze the 2018 WRCCDC PCAP dump using TrisulNSM. We appreciate the kind folks at WRCCDC for making this publicly accessible.

Part 1: Strategy to analyze large PCAP dumps without getting overwhelmed

Part 2: How to use the free TrisulNSM Docker image to process the PCAPs

Part 3: Screenshots and vids showing some of the results and techniques

Netflow analytics

Netflow Configuration

Syslog Configuration

Administration Tips



Security and Hardening

Mount CIFS and NFS with uid, gid option only

A common technique is to mount the archive area on an NFS or CIFS share.

One gotcha: you need to pass the user and group IDs of the trisul.trisul account as mount options when mounting the CIFS share. Otherwise the archiver will not be able to access the share.

# get the user and group ID of trisul.trisul
id -u trisul
id -g trisul
# use the uid= and gid= options (values from the id commands above) in the fstab entry
//  /home/TrisDataArchive/  cifs  username=Bob,password=mypassword,uid=995,gid=997,file_mode=0770,dir_mode=0770,noperm 0 0


Tuning Flow Indexes

How to tune flow indexes to optimize disk size based on requirements.

Tuning Flow Database

Useful Scripts and Tools

IPDR Watchdog

Script to watch the IPDR system for continuous running and send an email or syslog alert if it stops.

Scan Slices

Scans a directory of slices and checks the status of the directories against METASLICE.

Distributed Domain

Scripts to connect the hub and probes running on different machines.

hub distributor

add probe

Install Trisul Apps offline

Install Trisul apps using the load-from-cache feature.

Install Trisul Apps Offline

articles.txt · Last modified: 2024/06/25 13:05 by partha