Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » docker » How to analyze large PCAP files using TrisulNSM Docker
Trace: How to analyze large PCAP files using TrisulNSM Docker
docker:pcap_analysis

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
docker:pcap_analysis [2018/02/26 23:51] – [How to analyze large PCAP files using TrisulNSM Docker] veeradocker:pcap_analysis [2018/03/02 17:27] (current) – [Instructions : How to run the Docker image over PCAPs] veera
Line 27: Line 27:
 ===== Instructions : How to run the Docker image over PCAPs ===== ===== Instructions : How to run the Docker image over PCAPs =====
  
-<note>  +Put the PCAP dump into the shared docker volume so that the container can read the PCAP.
-We are assuming here that you have a Linux system with Docker installed. +
-</note> +
- +
-First you need to create a //root volume//, say ''/opt/trisul6_root'' that will map into the Docker instance. Then put the PCAP dump into the trisul root volume so that the docker image can read it.+
  
 <code> <code>
-mkdir /opt/trisul6_root +mkdir /opt/trisulroot 
-cp myhugeCapture.pcap /opt/trisul6_root +cp myhugeCapture.pcap /opt/trisulroot 
 </code> </code>
  
  
- +Run the trisul6 docker image on the PCAP 
-Run the free trisul6 docker image on the PCAP like so+
  
 <code bash> <code bash>
 +
 docker run --privileged=true \ docker run --privileged=true \
    --name trisul1a \    --name trisul1a \
-     --net=host +    --net=host 
-       -v /trisulroot:/trisulroot \ +      -v /opt/trisulroot:/trisulroot \ 
-         -d trisulnsm/trisul6 \ +       -d trisulnsm/trisul6 \ 
-           --pcap botnet-capture-20110810-neris.pcap \ +        --fine-resolution \ 
-              --fine-resolution+         --pcap myhugeCapture.pcap 
 </code> </code>
  
  
-Now wait for the import to complete. Trisul is a streaming analytics platform, the time taken to complete the import is not proportional to the size of the PCAP, but to the duration of the PCAP. If your PCAP has two days traffic, then expect the import process to take up to 10-20 minutes.  This also depends on the speed of the hard drive.+Now wait for the import to complete. The time taken to complete the import is not proportional to the size of the PCAP, but to the duration of the PCAP. If your PCAP has two days traffic, then expect the import process to take up to 10-20 minutes.  
  
-To check on progress you can dowhen the import completes you will get a message asking you to login !+To check on progress , tail the log and wait for confirmation message!
  
 <code> <code>
Line 71: Line 68:
 <code bash> <code bash>
 docker run  --name trisul1a --net=host \ docker run  --name trisul1a --net=host \
-   -v /opt/trisul6_root:/trisulroot \ +   -v /opt/trisulroot:/trisulroot \ 
      -d trisulnsm/trisul6 \      -d trisulnsm/trisul6 \
         --pcap BSidesDE2017_PvJCTF.pcap \         --pcap BSidesDE2017_PvJCTF.pcap \
docker/pcap_analysis.1519669295.txt.gz · Last modified: 2018/02/26 23:51 by veera