offline:wrccdc_pcaps_trisulnsm

Differences

This shows you the differences between two versions of the page.

offline:wrccdc_pcaps_trisulnsm [2018/05/12 16:26] – created veera
offline:wrccdc_pcaps_trisulnsm [2018/05/13 00:12] (current) – [Download the PCAPs] veera
Line 9: Line 9:
   * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]]    * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]] 
   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump   * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump
-  * Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)+  * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]] 
 + 
 + 
 +===== Instructions to run TrisulNSM over the PCAPs ===== 
 + 
 + 
 +==== Install Docker ==== 
 + 
 + 
 +First install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Docker section on the articles Page"]]  
 + 
 + 
 +==== Download the PCAPs ==== 
 + 
 + 
 +First choose a root directory to be used as the shared Docker "root" volume. Let us say we select ''/opt/trisulroot5'' as the base directory. You need to create a subdirectory inside that and put the PCAPs there.  
 + 
 + 
 +Here have downloaded the first 8 files into the directory  ''/opt/trisulroot5/wrccdc'' You can download as many as you want. Just make sure you have enough disk space for the results. 
 + 
 + 
 +<code> 
 +root@unpl:~# ls -lh /opt/trisulroot5/wrccdc/ 
 +total 3.8G 
 +-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010014000000000.pcap 
 +-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010103000000000.pcap 
 +-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010232000000000.pcap 
 +-rw-r--r-- 1 root root 477M May 10 12:28 wrccdc.2018-03-23.010356000000000.pcap 
 +-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010717000000000.pcap 
 +-rw-r--r-- 1 root root 477M May 10 12:29 wrccdc.2018-03-23.010904000000000.pcap 
 +-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011313000000000.pcap 
 +-rw-r--r-- 1 root root 477M Mar 23 20:13 wrccdc.2018-03-23.011338000000000.pcap 
 +root@unpl:~#  
 +</code> 
 + 
 + 
 + 
 +==== Run the Docker image over the pcaps ==== 
 + 
 +Next step is to run the ''trisulnsm/trisul6'' Docker image over the PCAPs that you have placed in the sub directory.  The first time you run this , docker will download the image over the network. So make sure you have internet access from the machine. 
 + 
 + 
 +<code> 
 + 
 +sudo docker run  --name=trisul1n \ 
 +  --privileged=true --net=host -v /opt/trisulroot5:/trisulroot 
 +      -d trisulnsm/trisul6  --enable-file-extraction   \ 
 +          --webserver-port 4000 --websockets-port 4003 \ 
 +          --fine-resolution 
 +              --pcap  wrccdc 
 +</code> 
 + 
 + 
 +A quick note on the command line options we're using. For a complete list of options see [[https://github.com/trisulnsm/docker#options|github/trisulnsm]] 
 + 
 +|''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| 
 +|''--privileged''| Goes along with the ''--enable-file-extraction'' option. Used to dump suspected malicious files transferred over the network | 
 +|''--webserver-port 4000'' | We are using these two ports for web access rather than the default (3000,3003). Skip these flags if you're okay with 3000,3003. Also ensure the firewalls allow these ports| 
 +|''--fine-resolution''|Use 1-second timeseries data instead of the default 1-minute. We noticed that WRCCDC is very high traffic hence high-resolution timeseries is better for metrics| 
 +|''--pcap''|We use the name of the subdirectory ''wrccdc''. Recall that we put the PCAPs in the shared volume /opt/trisulroot5/wrccrc. This name is relative to the base  path.  Trisul will run over the PCAPs in this directory, then use Suricata to do a 2nd pass over it and re-index the data in Trisul| 
 + 
 + 
 +=== Wait for completion === 
 + 
 +Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command.  
 + 
 + 
 +<code> 
 +docker logs -f trisul1n 
 +</code> 
 + 
 +The rough time taken in our very modest system was around 40 seconds per file.   When the processing finishes you will see something like this.  
 + 
 +<code> 
 + 
 +Finished elapsed : 328 seconds 
 + 
 + 
 +==== SUCCESSFULLY IMPORTED FROM PCAP REPO /trisulroot/wrccdc ===== 
 +==== TO VIEW DASHBOARDS ===== 
 +==== 1. login to the Web Trisul interface ===== 
 +==== 2. select wrccdc1 on the Login Screen ===== 
 + 
 +Started TrisulNSM docker image. Sleeping. 
 + 
 +</code> 
 + 
 + 
 +==== Next ==== 
 + 
 + 
 +Thats it ! Now you are ready to analyze the network data using Trisul. That is [[offline:wrccdc_pcaps_results|Part 3 of this series]].  
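Review bot: the ''docker run'' command in the <code> block under "Run the Docker image over the pcaps" is missing the line-continuation backslash after `--privileged=true --net=host -v /opt/trisulroot5:/trisulroot` and after `--fine-resolution`, so a shell would stop the command there and try to run `-d trisulnsm/trisul6 --enable-file-extraction \` and `--pcap wrccdc` as separate commands; add a trailing `\` to both lines so the container actually starts with the ''--pcap'' and port options described in the table. In the same section, the ''--pcap'' table row refers to `/opt/trisulroot5/wrccrc`, which should read `/opt/trisulroot5/wrccdc` to match the directory listing and the ''--pcap wrccdc'' argument, and the ''--webserver-port 4000'' row describes two ports but names only one flag, so ''--websockets-port 4003'' should be listed beside it. Minor wording in the Install Docker paragraph: "Ubuntu 16.04 of CentOS 7.4" should be "Ubuntu 16.04 or CentOS 7.4", and "Here have downloaded" should be "Here we have downloaded".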
  
offline/wrccdc_pcaps_trisulnsm.1526122589.txt.gz · Last modified: 2018/05/12 16:26 by veera