How to analyze large PCAP dumps using the free TrisulNSM Docker

While live traffic capture is the predominant mode of Network Security Monitoring, it is also crucial to be able to load packet capture (PCAP) dumps. Key requirements for the PCAP import process:

  1. The results should be the same as if the analysis had been done on live traffic.
  2. Timestamps must reflect the time recorded in the PCAP, not the time of the import.
  3. Clock - the import process should be clocked off the packet timestamps, not wall-clock time. If a PCAP file contains 10 hours of traffic, the import must not take 10 hours.
  4. For practical reasons, enrichment and intel feeds such as Geo-IP, blacklists and domain databases may reflect the current time rather than the PCAP time.

Here are some of the tools in the NSM ecosystem. Each generates a different type of data, and they need to be orchestrated.

  • Argus or SiLK : Index the PCAPs from a flow perspective.
  • Bro : Turn the PCAPs into Bro logs, which record flows, DNS, files, HTTP requests and a number of other things.
  • Suricata / Snort : Run an IDS ruleset over the PCAPs.
  • Security Onion : Replay the PCAPs with tcpreplay and get all of the above. The latest version of Security Onion includes a script to automate this process. The results are backed by Elasticsearch.
  • Moloch : Index raw packets for fast recall, also into Elasticsearch.
  • NTOP : Traffic monitoring.
  • Wireshark : The ultimate destination for bit-level protocol analysis.
  • TrisulNSM : Traffic metrics at its core, but also does flows, packet indexing, metadata extraction and other NSM functions. Trisul uses streaming analytics rather than search as its backend. The free license allows you to import any number of PCAPs as long as each PCAP is not longer than 3 days.

We have just released a free Trisul Docker image that lets you import large PCAP dumps.

Instructions : How to run the Docker image over PCAPs

We are assuming here that you have a Linux system with Docker installed.

First create a root volume, say /opt/trisul6_root, that will be mapped into the Docker container. Then put the PCAP dump into that volume so the container can read it.

mkdir /opt/trisul6_root
cp myhugeCapture.pcap /opt/trisul6_root

Run the free trisul6 Docker image on the PCAP like so. The host directory is mounted at /trisulroot inside the container, and the name given to --pcap is the file inside that mount. Note that --privileged=true and --net=host give the container access to the host's devices and network namespace; the single-pass example further down runs without --privileged.

docker run --privileged=true \
   --name trisul1a \
     --net=host  \
       -v /opt/trisul6_root:/trisulroot \
         -d trisulnsm/trisul6 \
           --pcap myhugeCapture.pcap \
              --fine-resolution

Now wait for the import to complete. Trisul is a streaming analytics platform, so the time taken to complete the import is proportional not to the size of the PCAP but to its duration. If your PCAP holds two days of traffic, expect the import to take 10-20 minutes, depending also on disk speed.

To check on progress, follow the container log. When the import completes you will see a message asking you to log in:

docker logs -f trisul1a 

You can of course also use the normal Docker commands and log into the container:

docker exec -it trisul1a /bin/bash

Then use top, or check the logs under /usr/local/var/log/trisul-probe/.

Single pass only

If you are not interested in the IDS alerts that Suricata provides, you can do a single-pass analysis with Trisul only. Use the --no-ids switch as shown below.

docker run  --name trisul1a --net=host \
   -v /opt/trisul6_root:/trisulroot \
     -d trisulnsm/trisul6 \
        --pcap BSidesDE2017_PvJCTF.pcap \
          --no-ids

Processing Compressed PCAP files

Trisul can handle compressed PCAP files (gz, bz2), a large number of PCAPs in a directory, or even a directory tree. Trisul automatically processes the files in order of the timestamp of the first packet in each file. Suricata, however, cannot handle that. If you need full IDS alerts plus traffic analytics, you have to process a single uncompressed file at a time; use mergecap to combine files outside of Trisul.
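As an added example (not TrisulNSM code), the following Python script performs the pre-flight checks this page implies before an import: it reads the first and last packet timestamps of every classic libpcap file under a path, transparently opening .gz and .bz2 files, orders the files by first-packet timestamp the way the text says Trisul does, reports each file's duration (which, as noted above, is what drives the import time), and flags files over the 3-day free-license limit as well as compressed or multi-file input that the Suricata pass cannot take. All function names, the per-file reading of the 3-day limit, and the two-file data set written by demo() are this example's own assumptions; it handles classic pcap only (microsecond and nanosecond timestamps, either byte order), not pcapng.

```python
"""Pre-flight checks before handing captures to the Trisul image (added example, not
TrisulNSM code): read first/last packet timestamps of every classic libpcap file under a
path (plain, .gz, .bz2), order files by first-packet timestamp as the text says Trisul
does, and flag the 3-day free-license limit and inputs the Suricata pass cannot take."""
import bz2
import gzip
import io
import os
import struct
import tempfile
from typing import BinaryIO, Iterator, List, NamedTuple

FREE_LICENSE_MAX_SECONDS = 3 * 24 * 3600   # "a maximum of 3 days", read here as per file
_MAGIC = {                                 # on-disk magic bytes -> (byte order, fraction divisor)
    b"\xd4\xc3\xb2\xa1": ("<", 1e6),       # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1e6),       # big-endian, microsecond
    b"\x4d\x3c\xb2\xa1": ("<", 1e9),       # little-endian, nanosecond
    b"\xa1\xb2\x3c\x4d": (">", 1e9),       # big-endian, nanosecond
}

class PcapSpan(NamedTuple):
    path: str
    first_ts: float      # epoch seconds of the first packet record (Trisul's ordering key)
    last_ts: float       # latest timestamp seen in the file
    packets: int
    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts

def _timestamps(fh: BinaryIO) -> Iterator[float]:
    """Yield the timestamp of each packet record in a classic libpcap stream."""
    magic = fh.read(4)
    if magic not in _MAGIC:               # pcapng (0a0d0d0a) or junk; convert pcapng with editcap -F pcap
        raise ValueError("not a classic libpcap file (magic %r)" % magic)
    endian, divisor = _MAGIC[magic]
    fh.read(20)                           # remainder of the 24-byte global header
    rec = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    while True:
        hdr = fh.read(rec.size)
        if len(hdr) < rec.size:           # clean EOF, or a truncated record header
            return
        sec, frac, incl_len, _ = rec.unpack(hdr)
        if len(fh.read(incl_len)) < incl_len:     # truncated capture: stop at the last whole packet
            return
        yield sec + frac / divisor

def span_of_stream(fh: BinaryIO, label: str) -> PcapSpan:
    first, last, count = None, 0.0, 0
    for ts in _timestamps(fh):
        first, last, count = (ts if first is None else first), max(last, ts), count + 1
    if first is None:
        raise ValueError("%s contains no packets" % label)
    return PcapSpan(label, first, last, count)

def span_of_bytes(data: bytes, label: str = "<memory>") -> PcapSpan:
    return span_of_stream(io.BytesIO(data), label)

def pcap_span(path: str) -> PcapSpan:
    # plain, gzip or bzip2 captures are opened transparently, as the text says Trisul does
    opener = gzip.open if path.endswith(".gz") else bz2.open if path.endswith(".bz2") else open
    with opener(path, "rb") as fh:
        return span_of_stream(fh, path)

def plan_import(root: str) -> List[PcapSpan]:
    """Every capture under root (a file or a directory tree), in first-packet order."""
    paths = [root] if os.path.isfile(root) else [
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files
        if f.endswith((".pcap", ".cap", ".pcap.gz", ".pcap.bz2"))]
    return sorted((pcap_span(p) for p in paths), key=lambda s: s.first_ts)

def import_warnings(spans: List[PcapSpan]) -> List[str]:
    out = ["%s spans %.1f days, over the 3-day free-license limit" % (s.path, s.duration / 86400)
           for s in spans if s.duration > FREE_LICENSE_MAX_SECONDS]
    if len(spans) > 1:
        out.append("%d files: Suricata needs one uncompressed file; use --no-ids or mergecap first" % len(spans))
    elif spans and spans[0].path.endswith((".gz", ".bz2")):
        out.append("compressed input: Suricata needs an uncompressed file; use --no-ids or decompress first")
    return out

def build_pcap(timestamps, nanosecond=False, big_endian=False) -> bytes:
    """Constructed sample input: a libpcap file with one zero-filled 60-byte frame per timestamp."""
    endian, scale = (">" if big_endian else "<"), (1e9 if nanosecond else 1e6)
    out = struct.pack(endian + "IHHiIII", 0xA1B23C4D if nanosecond else 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        sec = int(ts)
        out += struct.pack(endian + "IIII", sec, int(round((ts - sec) * scale)), 60, 60) + b"\x00" * 60
    return out

def demo() -> dict:
    """Run the checks over a constructed two-file data set written to a temporary directory."""
    t0 = 1312934400.0                             # 2011-08-10 00:00 UTC, an arbitrary base time
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "z_old.pcap"), "wb") as f:          # earliest traffic, 4 days long
            f.write(build_pcap([t0, t0 + 86400, t0 + 4 * 86400]))
        with gzip.open(os.path.join(d, "a_new.pcap.gz"), "wb") as f:  # later, compressed, 12 hours
            f.write(build_pcap([t0 + 5 * 86400, t0 + 5 * 86400 + 43200], nanosecond=True))
        spans = plan_import(d)
        return {"order": [os.path.basename(s.path) for s in spans],
                "durations": [s.duration for s in spans], "warnings": import_warnings(spans)}
```

Run plan_import("/opt/trisul6_root") against the mounted volume before starting the container; any line from import_warnings() means either adding --no-ids or merging the files with mergecap (and decompressing them) first. The duration column is the number to look at when estimating how long the import will run.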

Multiple imports

Once the import has completed, the results are stored in a separate context. When logging in you select the context you want to see. Log in at http://ip-address:3000.

After completion, remove the instance and start a new one:

docker stop trisul1a
docker rm trisul1a

You can then import any number of files one after the other; each import is created in a separate context, so the data sets stay separate.

Free image

The Docker image includes a free license of Trisul that allows PCAPs of a maximum of 3 days. This should suffice for most people.

How it works : Two pass analysis

When you specify --pcap, the Docker image automatically runs two passes over the PCAP file.

  1. Pass 1 : Using Trisul, we collect deep traffic metrics, reconstruct and analyze flows, extract metadata, and index and store packets. This goes to Layer 0 in the Trisul backend database.
  2. Pass 2 : Using Suricata + Trisul, we generate IDS alerts and convert them into metrics and graphs, for example vertices for a specific SIGID or host, or Top-K hosts in the attacker role. This goes to Layer 1.

The final result is a merge of Layer 0 and Layer 1. You can pivot from alerts to flows to TLS certificates and down to packets.

The following picture is what it looks like.

docker/pcap_analysis.1519651836.txt.gz · Last modified: 2018/02/26 19:00 by vivek