docker:pcap_analysis
Differences
This shows you the differences between two versions of the page.
docker:pcap_analysis [2018/02/26 19:24] – [How to analyze large PCAP dumps using the free TrisulNSM Docker] vivek | docker:pcap_analysis [2018/03/02 17:27] (current) – [Instructions : How to run the Docker image over PCAPs] veera | ||
---|---|---|---|
Line 7: | Line 7: | ||
- **Clock** - The import process should be clocked off the packet timestamps. This means that if a PCAP file contained 10 hours of traffic, the import process should not require 10 hours. This means a tcpreplay based rig , even if the timestamp issues are solved, will not be optimal for large timeframes. | - **Clock** - The import process should be clocked off the packet timestamps. This means that if a PCAP file contained 10 hours of traffic, the import process should not require 10 hours. This means a tcpreplay based rig , even if the timestamp issues are solved, will not be optimal for large timeframes. | ||
- **Encrichment and intel** feeds such as Geo-IP, Blacklists, Domain Databases, may reflect current time, rather than PCAP time. This is for practical reasons. | - **Encrichment and intel** feeds such as Geo-IP, Blacklists, Domain Databases, may reflect current time, rather than PCAP time. This is for practical reasons. | ||
+ | - **Search vs Streaming** import PCAP is a bit harder for streaming pipelines like Trisul compared to Elastic Search backends. This is due to the possibility of the streaming window closing before all the events come in. | ||
===== Tools ===== | ===== Tools ===== | ||
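Review bot: the added "Search vs Streaming" bullet is hard to parse as written ("import PCAP is a bit harder for streaming pipelines like Trisul compared to Elastic Search backends"); suggest "Importing a PCAP is harder for a streaming pipeline like Trisul than for an Elasticsearch-style backend". Its second sentence names the failure mode (the streaming window closing before all events arrive) but not what happens to the late events or how the import avoids it; since the "Clock" bullet says the import is clocked off packet timestamps, state whether out-of-order timestamps in a capture can trigger it and what the operator should check afterwards. In the unchanged context above, "Encrichment" should be "Enrichment".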
Line 26: | Line 27: | ||
===== Instructions : How to run the Docker image over PCAPs ===== | ===== Instructions : How to run the Docker image over PCAPs ===== | ||
- | < | + | Put the PCAP dump into the shared docker |
- | We are assuming here that you have a Linux system with Docker installed. | + | |
- | </ | + | |
- | + | ||
- | First you need to create a //root volume//, say ''/ | + | |
< | < | ||
- | mkdir /opt/trisul6_root | + | mkdir /opt/trisulroot |
- | cp myhugeCapture.pcap /opt/trisul6_root | + | cp myhugeCapture.pcap /opt/trisulroot |
</ | </ | ||
- | + | Run the trisul6 docker image on the PCAP | |
- | Run the free trisul6 docker image on the PCAP like so | + | |
<code bash> | <code bash> | ||
+ | |||
docker run --privileged=true \ | docker run --privileged=true \ | ||
| | ||
- | --net=host | + | |
- | | + | -v /opt/ |
- | | + | |
- | | + | --fine-resolution \ |
- | | + | --pcap myhugeCapture.pcap |
</ | </ | ||
- | Now wait for the import to complete. | + | Now wait for the import to complete. |
- | To check on progress | + | To check on progress , tail the log and wait for confirmation |
< | < | ||
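Review bot: the removed line "We are assuming here that you have a Linux system with Docker installed" was the only stated prerequisite for the whole procedure; keep it (above the new "Put the PCAP dump into the shared docker" sentence) rather than drop it. The docker run command keeps --privileged=true while the new flags (--fine-resolution, --pcap myhugeCapture.pcap) turn this into reading a file from a mounted volume; if PCAP mode does not need raw capture or kernel access, document why privileged mode is still required or remove it, because a privileged container parsing a capture of unknown provenance has full access to the host. The rename from /opt/trisul6_root to /opt/trisulroot is applied consistently in both the mkdir/cp lines and the -v mount here; the new "tail the log" step should name the log file under that new directory so the reader knows what to tail.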
Line 70: | Line 68: | ||
<code bash> | <code bash> | ||
docker run --name trisul1a --net=host \ | docker run --name trisul1a --net=host \ | ||
- | -v /opt/trisul6_root:/ | + | -v /opt/trisulroot:/ |
-d trisulnsm/ | -d trisulnsm/ | ||
--pcap BSidesDE2017_PvJCTF.pcap \ | --pcap BSidesDE2017_PvJCTF.pcap \ | ||
--no-ids | --no-ids | ||
</ | </ | ||
+ | |||
+ | |||
+ | ==== Analysis ==== | ||
+ | |||
+ | Once loaded you need to point your browser to ip:3000 and select the newly created context for the run. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | After you login here are some suggested steps | ||
+ | |||
+ | - Go to Retro Counters to get details metrics and toppers across 40+ counter groups | ||
+ | - Use the "PCAP Totals" | ||
+ | - Tools > Explore to query flows. | ||
+ | |||
+ | {{: | ||
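Review bot: in the new "Analysis" section, "ip:3000" should say which IP is meant (the Docker host's, since the container runs with --net=host) and note that port 3000 is therefore bound on every host interface, which matters when the host is reachable from other machines; "After you login" gives no hint where the login credentials come from, which a first-time user needs. Minor wording: "to get details metrics and toppers" should read "to get detailed metrics and toppers". The -v path change to /opt/trisulroot in this hunk matches the earlier hunk.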
docker/pcap_analysis.1519653286.txt.gz · Last modified: 2018/02/26 19:24 by vivek