Processing the DEFCON 26 CTF PCAPS using Trisul NSM
We love analyzing PCAP dumps particularly of CTF competitions.
Given only a PCAP file, your task as analyst is to make sense of it from multiple angles. I typically like to start off with a statistical overview.
- What is the timeframe of the CTF?
- What was the bandwidth used over the time duration?
- What were the top IPs as attackers and as targets?
- What ports were targeted?
- Any red flags from IDS like Snort/Suricata over the duration?
- Top flows download/upload
- Once you have a baseline, you can follow several tracks to investigate in depth, down to the packet level.
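The statistical baseline in the checklist above can be computed from a raw PCAP with nothing but the standard library. The following is an added example, not code from the original article or from Trisul: a minimal libpcap reader (classic pcap, not pcapng) that extracts the capture timeframe, bytes per time bucket (for a bandwidth trend), top source and destination IPs, and top destination ports. The sample capture it reads is constructed in-memory with the `build_packet`/`build_pcap` helpers; the addresses, ports and timestamps are made up and are not taken from the DEFCON 26 traffic.

```python
"""Baseline statistics from a PCAP: timeframe, bandwidth trend, top IPs, top ports."""
import struct
from collections import Counter, defaultdict

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
# libpcap magic values as read with "<I" (little-endian) from the first 4 bytes
MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),      # microsecond ts
          0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}      # nanosecond ts


def parse_pcap(data):
    """Yield (timestamp_seconds, raw_frame) records from classic libpcap bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    endian, ts_div = MAGICS[magic]
    off = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_frac / ts_div, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (src, dst, proto, dport) for Ethernet/IPv4 frames, else None."""
    if len(frame) < ETH_HDR + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length, honours options
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP: dst port at offset 2
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport


def baseline(data, bucket_seconds=60):
    """Walk the capture once and collect the analyst's first-look statistics."""
    stats = {"packets": 0, "bytes": 0, "first": None, "last": None,
             "top_src": Counter(), "top_dst": Counter(), "top_dport": Counter()}
    buckets = defaultdict(int)
    for ts, frame in parse_pcap(data):
        stats["packets"] += 1
        stats["bytes"] += len(frame)
        stats["first"] = ts if stats["first"] is None else min(stats["first"], ts)
        stats["last"] = ts if stats["last"] is None else max(stats["last"], ts)
        buckets[int(ts // bucket_seconds) * bucket_seconds] += len(frame)
        decoded = decode(frame)
        if decoded:
            src, dst, _proto, dport = decoded
            stats["top_src"][src] += 1
            stats["top_dst"][dst] += 1
            if dport is not None:
                stats["top_dport"][dport] += 1
    stats["duration"] = 0.0 if stats["first"] is None else stats["last"] - stats["first"]
    stats["bytes_per_bucket"] = dict(sorted(buckets.items()))
    stats["mbps_per_bucket"] = {b: n * 8 / bucket_seconds / 1e6 for b, n in stats["bytes_per_bucket"].items()}
    return stats


# --- constructed sample input (not real CTF traffic) -------------------------
def build_packet(src, dst, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP SYN frame with a dummy payload; checksums left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(records):
    """Wrap (timestamp, frame) records in a little-endian, microsecond libpcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(f), len(f)) + f
                    for ts, f in records)
    return header + body


BASE_TS = 1000020.0  # constructed, bucket-aligned start time
SAMPLE_PCAP = build_pcap([
    (BASE_TS + 0.0, build_packet("10.13.37.5", "10.13.37.100", 80, 1000)),
    (BASE_TS + 10.5, build_packet("10.13.37.5", "10.13.37.100", 80, 1000)),
    (BASE_TS + 30.0, build_packet("10.13.37.6", "10.13.37.100", 22, 200)),
    (BASE_TS + 70.0, build_packet("10.13.37.100", "10.13.37.5", 44444, 500)),
])

if __name__ == "__main__":
    s = baseline(SAMPLE_PCAP)
    print(f"{s['packets']} packets, {s['bytes']} bytes over {s['duration']:.1f}s")
    for bucket, mbps in s["mbps_per_bucket"].items():
        print(f"  t={bucket}: {mbps:.6f} Mbps")
    print("top sources:", s["top_src"].most_common(3))
    print("top targets:", s["top_dst"].most_common(3))
    print("top ports:  ", s["top_dport"].most_common(3))
```

To run it over a real capture, replace `SAMPLE_PCAP` with `open("dc26ctf.pcap", "rb").read()` (or read the file in chunks for a 5 GB capture); the bucket size is the knob for how coarse the bandwidth trend is.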
Today, TrisulNSM (Trisul Network Analytics) is the leading platform for performing this sort of analysis over very large PCAP files. This article describes how you can use our free Docker image trisulnsm/trisul6 to slurp this PCAP and then have some fun analyzing it.
Credits
Get started
So, let's get started. We assume you have a fairly decent Linux machine with Docker installed. Any distro will do because we are going to be using our Docker image.
Steps
- Download the DEFCON26 PCAP, a 5GB file, into a directory.
- Unrar the file and extract the inner PCAP to a filename without spaces, such as dc26ctf.pcap
- Create a directory on your system where the results will be stored. Move the PCAP to that directory so the docker container can see the PCAP file.
mkdir /opt/trisulroot
mv dc26ctf.pcap /opt/trisulroot
Run the trisulnsm/trisul6 docker image over the PCAP
sudo docker run --privileged=true \
  --name=trisul1a \
  --net=host -v /opt/trisulroot:/trisulroot \
  -d trisulnsm/trisul6 \
  --pcap dc26ctf.pcap \
  --webserver-port 4000
To check the logs and confirm the process was kicked off without issues:
docker logs trisul1a -f
If there are no errors here, it means the process has been kicked off. This can take a while to complete. Expect anywhere from 20 minutes to an hour depending on your computer's power and whether you have an SSD. To monitor the progress, log in to the container and check:
root@unpl:~# docker exec -it trisul1a /bin/bash
docker$ # to view process usage
docker$ top
docker$ # add helper macros for trisul
docker$ source /usr/local/share/trisul-probe/trisbashrc dc26ctf1
docker$ # tail the log files
docker$ tailf.ns
You might want to take a break and have a coffee! When you get back you can log in to http://ip:4000 to analyze the fun stuff.
Screenshots
Timeline showing the volume of traffic, between 10 and 100 Mbps, over the period of the competition. You can select any time window and drill down.
Trend
Top flows
PCAP totals dashboard
Exploring HTTP Status 123
Alerts, attacks on Drupal
Pivot to packets from anywhere
Conversations of a particular host
Port connections over time