
Processing the DEFCON 26 CTF PCAPS using Trisul NSM

DEFCON 26 CTF Competition

1. Download the DEFCON26 PCAP, a 5GB file, into a directory.
2. Unrar the file and extract the inner PCAP to a filename without spaces: defcon26ctf.pcap

1. Install docker on your Linux distro.

2. Create a directory on your system where the results will be stored. Move the PCAP to that directory so the docker container can see the PCAP file.

Run the following lines:

mkdir /opt/trisulroot
mv defcon26ctf.pcap /opt/trisulroot

Run the trisulnsm/trisul6 docker image over the PCAP (the --pcap argument must match the file you moved into /opt/trisulroot):

sudo docker run --privileged=true \
    --name=trisul1a \
    --net=host -v /opt/trisulroot:/trisulroot \
    -d trisulnsm/trisul6 \
    --pcap defcon26ctf.pcap \
    --webserver-port 4000
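The staging steps above (rename, create the root directory, move the capture, run the container) as one script. This is an added example, not part of the Trisul page or the trisulnsm/trisul6 image: it checks the file's magic number and name before anything privileged runs, and prints the docker command for review instead of executing it. It assumes a POSIX od; the directory, container name and port are the page's values.

```shell
#!/bin/sh
# Added example (not from the Trisul docs): stage a capture for the
# trisulnsm/trisul6 container, validating the file before the container runs.
set -eu

# Return 0 if the file starts with a libpcap or pcapng magic number.
pcap_magic_ok() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the basename has no whitespace (the page passes --pcap unquoted).
safe_pcap_name() {
    case "$(basename "$1")" in
        *[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print (do not run) the docker command for a root dir and pcap name so the
# --privileged invocation can be reviewed first. Port defaults to the page's 4000.
trisul_docker_cmd() {
    root="$1"; pcap="$2"; port="${3:-4000}"
    printf 'sudo docker run --privileged=true --name=trisul1a --net=host -v %s:/trisulroot -d trisulnsm/trisul6 --pcap %s --webserver-port %s\n' \
        "$root" "$pcap" "$port"
}

# Validate the capture, create the root dir, move the file in, emit the command.
stage_pcap() {
    src="$1"; root="${2:-/opt/trisulroot}"
    safe_pcap_name "$src" || { echo "refusing: pcap name contains whitespace" >&2; return 1; }
    pcap_magic_ok "$src" || { echo "refusing: not a pcap/pcapng file" >&2; return 1; }
    mkdir -p "$root"
    mv "$src" "$root/"
    trisul_docker_cmd "$root" "$(basename "$src")"
}

# Usage with the page's values:
#   stage_pcap defcon26ctf.pcap /opt/trisulroot
```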

Screenshots

Timeline showing the volume of traffic, between 10 and 100Mbps, over the period of the competition. You can select any time window and drill down.

Trend

Top flows

PCAP totals dashboard

Exploring HTTP Status 123

Alerts, attacks on Drupal

Pivot to packets from anywhere

Conversations of a particular host

Port connections over time

offline/defcon26ctf.1542030507.txt.gz · Last modified: 2018/11/12 19:18 by veera