

Processing the DEFCON 26 CTF PCAPS using Trisul NSM

We love analyzing PCAP dumps, particularly those from CTF competitions.

Given only a PCAP file, your task as an analyst is to make sense of it from multiple angles. I typically like to start with a statistical overview:

  1. What is the timeframe of the CTF?
  2. What bandwidth was used over that duration?
  3. Which IPs were the top attackers and the top targets?
  4. Which ports were targeted?
  5. Any red flags from an IDS such as Snort or Suricata over the duration?
  6. Top flows by download and upload volume.
  7. Once you have that baseline, you can follow several tracks to investigate in depth, all the way down to the packet level.
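Trisul produces all of these numbers for you, but it is worth being able to answer the baseline questions from a PCAP on your own, if only to sanity-check what a tool reports. The following is an added example written for this article, not code from the page or from Trisul: a dependency-free Python reader for the classic libpcap format (Ethernet/IPv4 only; no pcapng, no VLAN tags, no IPv6) that computes the timeframe, bandwidth per time bin, top sources and targets, top targeted ports and top flows by bytes, covering items 1, 2, 3, 4 and 6 of the list. The sample packets at the bottom are constructed for the demonstration and are not from the DEFCON 26 capture; the script name pcap_baseline.py in the usage comment is an assumption.

```python
import collections
import io
import socket
import struct

LINKTYPE_ETHERNET = 1


def make_frame(src, dst, sport, dport, proto, payload_len):
    """Constructed Ethernet/IPv4 frame with TCP (6) or UDP (17); checksums left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4 + b"A" * payload_len


def build_pcap(packets):
    """Serialize (timestamp, frame) pairs into a little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(fobj):
    """Stream (timestamp, frame, wire_len) from a libpcap file; both byte orders, us/ns."""
    hdr = fobj.read(24)
    magic = struct.unpack_from("<I", hdr)[0]
    if magic not in (0xA1B2C3D4, 0xA1B23C4D, 0xD4C3B2A1, 0x4D3CB2A1):
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    frac_div = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6
    linktype = struct.unpack(endian + "IHHiIII", hdr)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled, got %d" % linktype)
    while True:
        rec = fobj.read(16)
        if len(rec) < 16:
            return
        sec, frac, incl_len, wire_len = struct.unpack(endian + "IIII", rec)
        frame = fobj.read(incl_len)
        if len(frame) < incl_len:
            return  # truncated final record: stop cleanly instead of raising
        yield sec + frac / frac_div, frame, wire_len


def decode(frame):
    """(src, dst, proto, sport, dport) for IPv4 over plain Ethernet; ports None unless TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # ARP, IPv6, VLAN-tagged frames etc. are skipped by this example
    l4 = 14 + (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


def baseline(source, bin_seconds=60, top=10):
    """Timeframe, Mbps per time bin, top sources/targets, top target ports, top flows."""
    fobj = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    start = end = None
    per_bin, src_bytes, dst_bytes, dst_ports, flows = (collections.Counter() for _ in range(5))
    for ts, frame, wire_len in read_pcap(fobj):
        start = ts if start is None else min(start, ts)
        end = ts if end is None else max(end, ts)
        per_bin[int(ts // bin_seconds) * bin_seconds] += wire_len
        d = decode(frame)
        if d is None:
            continue
        src, dst, proto, sport, dport = d
        src_bytes[src] += wire_len
        dst_bytes[dst] += wire_len
        if dport is not None:
            dst_ports[(proto, dport)] += 1  # packets, not bytes: "which ports were targeted"
        flows[(src, sport, dst, dport, proto)] += wire_len
    return {
        "start": start, "end": end, "total_bytes": sum(per_bin.values()),
        "mbps_per_bin": {b: v * 8 / bin_seconds / 1e6 for b, v in sorted(per_bin.items())},
        "top_src": src_bytes.most_common(top), "top_dst": dst_bytes.most_common(top),
        "top_dst_ports": dst_ports.most_common(top), "top_flows": flows.most_common(top),
    }


# Constructed sample (not the DEFCON 26 capture): two HTTP, one SSH, one DNS packet over ~72 s.
SAMPLE_PACKETS = [
    (1000.0, make_frame("10.0.0.1", "10.0.0.2", 40000, 80, 6, 1000)),
    (1010.0, make_frame("10.0.0.1", "10.0.0.2", 40001, 80, 6, 500)),
    (1070.0, make_frame("10.0.0.3", "10.0.0.2", 5555, 22, 6, 100)),
    (1071.5, make_frame("10.0.0.3", "10.0.0.2", 1234, 53, 17, 50)),
]

if __name__ == "__main__":
    import sys  # usage: python3 pcap_baseline.py /opt/trisulroot/dc26ctf.pcap
    with (open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_pcap(SAMPLE_PACKETS))) as f:
        for key, value in baseline(f).items():
            print(key, value)
```

The reader streams the file record by record, so running it over the 5 GB capture keeps memory flat; only the Counter tables grow, and on a CTF capture the flow table is the one to watch. Sixty-second bins give per-minute Mbps; raise bin_seconds for a coarser trend. IDS alerts (item 5) are out of scope here, that is what Snort or Suricata are for.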

Today, Trisul NSM (Trisul Network Analytics) is the leading platform for performing this sort of analysis over very large PCAP files. This article describes how to use our free Docker image trisulnsm/trisul6 to slurp this PCAP and then have some fun analyzing it.

Credits

Get started

So, let's get started. We assume you have a reasonably capable Linux machine with Docker installed. Any distro will do, because everything runs inside our Docker image.

Steps

  1. Download the DEFCON 26 PCAP, a 5 GB file, into a directory.
  2. Unrar the archive and extract the PCAP inside it to a filename without spaces, such as dc26ctf.pcap.
  3. Create a directory on your system where the results will be stored, and move the PCAP into it so that the Docker container can see the file:
 mkdir /opt/trisulroot
 mv dc26ctf.pcap /opt/trisulroot

Run the trisulnsm/trisul6 docker image over the PCAP

 sudo docker run --privileged=true \
     --name=trisul1a \
     --net=host -v /opt/trisulroot:/trisulroot \
     -d trisulnsm/trisul6 \
     --pcap dc26ctf.pcap \
     --webserver-port 4000

Two of these flags deserve a moment's thought if the machine is not a dedicated analysis box. --privileged=true gives the container nearly unrestricted access to the host, so only run an image you trust this way. --net=host puts the container directly on the host's network stack, which means the Trisul web UI on port 4000 is reachable on every interface the host has; restrict it with the host firewall, or keep the machine on an isolated network while you work.

Check the logs to confirm that the process started without errors:

docker logs trisul1a -f

If there are no errors here, the process has been kicked off. Processing can take a while: expect anywhere from 20 minutes to an hour, depending on your machine's CPU and whether the PCAP sits on an SSD. To monitor progress, log in to the container and check:

root@unpl:~# docker exec -it trisul1a /bin/bash
docker$  # to view process usage 
docker$  top
 
docker$  # add helper macros for trisul
docker$  source /usr/local/share/trisul-probe/trisbashrc dc26ctf1
 
docker$  # tail the log files 
docker$  tailf.ns

You might want to take a break and have a coffee! When you get back, log in to http://<docker-host-ip>:4000 to analyze the fun stuff (with --net=host the web UI is served on the host's own address).

Screenshots

Timeline showing traffic volume between 10 and 100 Mbps over the period of the competition. You can select any time window and drill down.

Trend

Top flows

PCAP totals dashboard

Exploring HTTP Status 123

Alerts, attacks on Drupal

Pivot to packets from anywhere

Conversations of a particular host

Port connections over time

offline/defcon26ctf.1542041640.txt.gz · Last modified: 2018/11/12 22:24 by veera