offline:wrccdc_pcaps_trisulnsm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Last revisionBoth sides next revision
offline:wrccdc_pcaps_trisulnsm [2018/05/12 17:01] – [Run the Docker image over the pcaps] veera
offline:wrccdc_pcaps_trisulnsm [2018/05/13 00:11] – [Install Docker] veera
Line 9: Line 9:
   * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]]    * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]] 
   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump
-  * Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)+  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]]
  
  
Line 18: Line 18:
  
  
-Firstly install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Articles Page"]] +First install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Docker section on the articles Page"]] 
  
  
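Review bot: "Ubuntu 16.04 of CentOS 7.4" still reads "of" where "or" is meant, on both the old and the new side of this hunk, and the sentence has no closing period; suggest "We recommend Ubuntu 16.04 or CentOS 7.4." The new link text "Docker section on the articles Page" also mixes capitalisation; "Docker section on the Articles page" would match the old wording.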
Line 62: Line 62:
  
  
-A quick note on the command line options we're using+A quick note on the command line options we're using. For a complete list of options see [[https://github.com/trisulnsm/docker#options|github/trisulnsm]]
  
 |''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| |''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system|
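Review bot: the unchanged table row kept below the new sentence still carries the fragment "So it makes it easier to manipulate the system" with no closing period; since the name is what later commands such as "docker logs -f trisul1n" use, suggest "We give the instance the name trisul1n, which makes it easier to refer to the container in later commands."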
Line 71: Line 71:
  
  
-Upon completion your ''docker logs -f trisul1n'' should show something like below.+=== Wait for completion === 
 + 
 +Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command
  
 +
 +<code>
 +docker logs -f trisul1n
 +</code>
 +
 +The rough time taken in our very modest system was around 40 seconds per file.   When the processing finishes you will see something like this. 
  
 <code> <code>
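Review bot: "docker logs -f" follows the container output until it is interrupted, so the new "Wait for completion" text should tell the reader to stop it (Ctrl-C) once the completion message shown in the code block appears. Smaller points in the same hunk: "running the following command" lacks a period, "per file.   When" has a triple space, and the new "=== Wait for completion ===" heading sits one level below the "==== Next ====" heading added later in this same revision, so check that both are at the intended level.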
Line 89: Line 97:
  
  
 +==== Next ====
  
-Using Trisul to analyze the PCAPs  
  
- +Thats it ! Now you are ready to analyze the network data using TrisulThat is [[offline:wrccdc_pcaps_results|Part 3 of this series]]
-File extraction +
- +
-<code> +
-DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l +
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe +
--rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe +
--rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe +
--rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe +
-DOCKER:unpl:root savedfiles$  +
- +
- +
-</code>+
  
  
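Review bot: the added closing line runs two sentences together ("using TrisulThat is") and "Thats it !" is misspelt; suggest "That's it! Now you are ready to analyze the network data using Trisul. That is [[offline:wrccdc_pcaps_results|Part 3 of this series]]." The file-extraction listing removed here is not referenced anywhere else on this page, so confirm the Part 3 page now carries it before this revision lands.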
offline/wrccdc_pcaps_trisulnsm.txt · Last modified: 2018/05/13 00:12 by veera