Analyzing the WRCCDC PCAP dump using TrisulNSM : Part 2 How to run TrisulNSM over the PCAP dump
In this article, we give step-by-step instructions for running the free TrisulNSM Docker image over the PCAP dumps.
This is Part 2 of a 3-part series.
- Part 2: How to use the free TrisulNSM Docker image to analyze the PCAP dump
Instructions to run TrisulNSM over the PCAPs
First install Docker on your host platform. We recommend Ubuntu 16.04 or CentOS 7.4. Installation instructions are in the "Docker section on the articles Page".
Download the PCAPs
First choose a root directory to be used as the shared Docker "root" volume. Let us say we select /opt/trisulroot5 as the base directory. You then need to create a subdirectory inside it and put the PCAPs there.
Here we have downloaded the first 8 files into the directory /opt/trisulroot5/wrccdc. You can download as many as you want; just make sure you have enough disk space for the results, since Trisul writes its indexes and extracted files into the same shared volume.

```
root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/
total 3.8G
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap
-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap
-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap
-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap
root@unpl:~#
```
Run the Docker image over the pcaps
The next step is to run the trisulnsm/trisul6 Docker image over the PCAPs that you have placed in the subdirectory. The first time you run this, Docker will download the image over the network, so make sure you have internet access from the machine.

```
sudo docker run --name=trisul1n \
    --privileged=true --net=host -v /opt/trisulroot5:/trisulroot \
    -d trisulnsm/trisul6 --enable-file-extraction \
    --webserver-port 4000 --websockets-port 4003 \
    --fine-resolution \
    --pcap wrccdc
```
A quick note on the command line options we're using. For a complete list of options see github/trisulnsm.

| Option | What it does |
|---|---|
| `--name=trisul1n` | We give the instance the name trisul1n, which makes it easier to manipulate the container later (for example `docker logs trisul1n`). |
| `--privileged=true` | Goes along with the `--enable-file-extraction` option, which is used to dump suspected malicious files transferred over the network. |
| `--webserver-port 4000 --websockets-port 4003` | We are using these two ports for web access rather than the defaults (3000, 3003). Skip these flags if you're okay with 3000 and 3003. Also ensure the firewall allows these ports. |
| `--fine-resolution` | Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic, so high-resolution timeseries data gives better metrics. |
| `--pcap wrccdc` | We use the name of the subdirectory, wrccdc. Recall that we put the PCAPs in the shared volume at /opt/trisulroot5/wrccdc; this name is relative to the base path mounted at /trisulroot. Trisul will run over the PCAPs in this directory, then use Suricata to do a second pass over them and re-index the alerts in Trisul. |
Wait for completion
Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command.

```
docker logs -f trisul1n
```
The rough time taken on our very modest system was around 40 seconds per file. When the processing finishes you will see something like this.

```
Finished elapsed : 328 seconds
==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc =====
==== TO VIEW DASHBOARDS =====
==== 1. login to the Web Trisul interface =====
==== 2. select wrccdc1 on the Login Screen =====
Started TrisulNSM docker image. Sleeping.
```
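The steps above (prepare the shared volume, run the image, watch the logs) can be wrapped in a small shell script. The following is an added example and not part of the article or the Trisul project; it assumes the /opt/trisulroot5 root, the wrccdc subdirectory, the trisulnsm/trisul6 image and the flags exactly as shown above, and that it is run with enough rights to talk to the Docker daemon (root or via sudo). It validates the volume layout before starting the container, because a common mistake is passing an absolute host path to `--pcap` when the option expects a name relative to /trisulroot.

```shell
#!/bin/sh
# Added example (not from the Trisul article or project): validate the shared
# volume layout, build the docker run command from the article, and wait for
# the import-complete banner in `docker logs`.
# Assumed values: root volume /opt/trisulroot5, subdirectory wrccdc,
# container name trisul1n, image trisulnsm/trisul6 (all taken from the article).

# Return 0 if <root>/<subdir> exists and holds at least one .pcap file.
# <subdir> must be a plain name: inside the container the root is mounted at
# /trisulroot, so --pcap takes a path relative to that mount, never an
# absolute host path.
check_pcap_dir() {
    root="$1"; subdir="$2"
    case "$subdir" in
        */*) echo "subdir '$subdir' must be a plain name relative to $root" >&2; return 1 ;;
    esac
    [ -d "$root/$subdir" ] || { echo "missing directory $root/$subdir" >&2; return 1; }
    n=$(find "$root/$subdir" -maxdepth 1 -name '*.pcap' | wc -l)
    [ "$n" -gt 0 ] || { echo "no .pcap files in $root/$subdir" >&2; return 1; }
    return 0
}

# Print the docker run command line from the article as one string.
# Prefix with sudo yourself if your user is not in the docker group.
build_run_cmd() {
    root="$1"; subdir="$2"; name="$3"
    echo "docker run --name=$name --privileged=true --net=host" \
         "-v $root:/trisulroot -d trisulnsm/trisul6 --enable-file-extraction" \
         "--webserver-port 4000 --websockets-port 4003 --fine-resolution" \
         "--pcap $subdir"
}

# Return 0 when a saved log file contains the banner the container prints
# once the PCAP repo has been imported (see the article's sample output).
import_finished() {
    grep -q 'SUCCESSFULLY IMPORTED FROM PCAP REPO' "$1"
}

# Poll `docker logs <name>` every <interval> seconds until the banner appears.
wait_for_import() {
    name="$1"; interval="${2:-15}"
    while :; do
        if docker logs "$name" 2>&1 | grep -q 'SUCCESSFULLY IMPORTED FROM PCAP REPO'; then
            return 0
        fi
        sleep "$interval"
    done
}

# Usage: TRISUL_RUN=1 sh run_trisul.sh   (guarded so sourcing the file does nothing)
if [ "${TRISUL_RUN:-0}" = 1 ]; then
    ROOT=/opt/trisulroot5; SUBDIR=wrccdc; NAME=trisul1n
    check_pcap_dir "$ROOT" "$SUBDIR" || exit 1
    cmd=$(build_run_cmd "$ROOT" "$SUBDIR" "$NAME")
    echo "running: $cmd"
    sh -c "$cmd" || exit 1
    wait_for_import "$NAME" 15
    echo "import finished; open http://<host>:4000 and select the wrccdc1 instance"
fi
```

The guard at the bottom means the file can be sourced to reuse the functions (for instance to call `wait_for_import` from another script) without starting a container.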
That's it! Now you are ready to analyze the network data using Trisul. That is Part 3 of this series.