While live traffic capture is the predominant mode of Network Security Monitoring, it is also crucial to be able to load packet capture (PCAP) dumps. A couple of key requirements for the PCAP import process
Here are some of the tools in the NSM ecosystem that generate various types of data that need to be orchestrated.
This article explains how the new Trisul Docker Image can help you analyze PCAPs offline.
Put the PCAP dump into the shared docker volume so that the container can read the PCAP.
mkdir /opt/trisulroot cp myhugeCapture.pcap /opt/trisulroot
Run the trisul6 docker image on the PCAP
docker run --privileged=true \ --name trisul1a \ --net=host \ -v /opt/trisulroot:/trisulroot \ -d trisulnsm/trisul6 \ --fine-resolution \ --pcap myhugeCapture.pcap
Now wait for the import to complete. The time taken to complete the import is not proportional to the size of the PCAP, but to the duration of the PCAP. If your PCAP has two days traffic, then expect the import process to take up to 10-20 minutes.
To check on progress , tail the log and wait for confirmation message!
docker logs -f trisul1a
Of course you can also do the normal docker commands logging into the container
docker exec -lt trisul1a /bin/bash Then use
top or check the logs located under
If you are not interested in IDS alerts that Suricata provides then you can do a single pass analysis with Trisul only. Use the
–no-ids switch as shown below
docker run --name trisul1a --net=host \ -v /opt/trisulroot:/trisulroot \ -d trisulnsm/trisul6 \ --pcap BSidesDE2017_PvJCTF.pcap \ --no-ids
Once loaded you need to point your browser to ip:3000 and select the newly created context for the run.
After you login here are some suggested steps
Trisul can handle compressed PCAP files (gz, bz2) , a large number of PCAPs in a directory, or even a directory tree. Trisul will automatically process the files in order of the timestamp in the first packet in each file. However, Suricata isnt able to handle that. If you need the full IDS alerts + Traffic analytics then you need to process a single uncompressed file at at time. You can use mergecap to combine them outside of Trisul.
Once the import has been completed, the results are stored in a separate context. While logging in you select context you want to see. Login from http://ip-address:3000.
After completion you need to remove the instance and start a new one.
docker stop trisul1a docker rm trisul1a
Then you can import any number of files one after the other, they will be created in a separate context each time, so you can keep the data sets separate.
The docker image includes a Free License of Trisul that allows PCAPs of a maximum of 3 days. This should suffice for most people.
When you specify
–pcap the Docker Image automatically runs two passes over the PCAP file.
The final result is a merger of Layer 0 + Layer 1. You can pivot from alerts to flows to TLS certificates down to packets.