Processing the DEFCON 26 CTF PCAPS using Trisul NSM
1. Download the DEFCON 26 PCAP (a 5GB file) into a directory.
2. Unrar the archive and extract the PCAP inside it to a file name without spaces, such as defcon26ctf.pcap (the name used below).
3. Install Docker on your Linux distro.
4. Create a directory on your system where the results will be stored, and move the PCAP into that directory so the Docker container can see the PCAP file.
Run the following commands:
mkdir /opt/trisulroot
mv defcon26ctf.pcap /opt/trisulroot
Run the trisulnsm/trisul6 Docker image over the PCAP:
sudo docker run --privileged=true \
  --name=trisul1a \
  --net=host -v /opt/trisulroot:/trisulroot \
  -d trisulnsm/trisul6 \
  --pcap defcon26ctf.pcap \
  --webserver-port 4000
The name given to --pcap must match the file you moved into /opt/trisulroot (defcon26ctf.pcap here); that directory is bind-mounted into the container as /trisulroot. The container is started detached (-d) with --privileged=true, which grants it nearly all host capabilities, and --net=host, which shares the host network stack, so the web UI on port 4000 is served directly on the host.
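The steps above depend on the PCAP actually being an extracted capture and on the same file name being used for the mv and for --pcap. The following is an added example (not code from the Trisul wiki page or the Trisul project) that checks the capture format from its magic bytes, rejects names with spaces as the page requires, and prints the docker run command with a consistent file name; the function names and the /opt/trisulroot path assumptions are mine.

```shell
#!/bin/sh
# Added example: sanity-check a PCAP before handing it to trisulnsm/trisul6.
# Assumes /opt/trisulroot is the bind-mounted directory, as on the page.
set -eu

# Report the capture format from the first four bytes of the file:
#   pcap    classic libpcap (microsecond or nanosecond, either byte order)
#   pcapng  pcapng section header block
#   unknown anything else (for example a RAR archive that was never extracted)
pcap_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# The page requires a file name without spaces; succeed only if it has none.
name_ok() {
    case "$(basename "$1")" in
        *" "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the docker run command, deriving the --pcap argument from the same
# file name that is placed in /opt/trisulroot so the two cannot drift apart.
docker_cmd() {
    f=$(basename "$1")
    printf 'sudo docker run --privileged=true --name=trisul1a --net=host -v /opt/trisulroot:/trisulroot -d trisulnsm/trisul6 --pcap %s --webserver-port 4000\n' "$f"
}

# Usage: sh check_pcap.sh defcon26ctf.pcap
if [ $# -eq 1 ]; then
    name_ok "$1" || { echo "rename $1: spaces are not allowed" >&2; exit 1; }
    t=$(pcap_type "$1")
    [ "$t" != unknown ] || { echo "$1 is not a pcap/pcapng file" >&2; exit 1; }
    echo "$1: $t"
    docker_cmd "$1"
fi
```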
Screenshots (captions only; the images are not reproduced here)
Timeline showing traffic volume between 10 and 100Mbps over the period of the competition. You can select any time window and drill down.
Trend
Top flows
PCAP totals dashboard
Exploring HTTP Status 123
Alerts, attacks on Drupal
Pivot to packets from anywhere
Conversations of a particular host
Port connections over time