Reveal and record everything on your network

Trisul Network Analytics 6.0 is the leading hassle-free route to instant actionable insights into your network traffic. In its most basic configuration – just hook up Trisul to a stream of packets either using a mirror port or a fiber optic tap. Trisul converts this stream of packets into a stream of correlated metrics and objects you can immediately use.

Full suite

You dont have to look for storage and reporting platforms that work off the analytics stream produced by Trisul. Everything is included. A database, a packet storage, a web UI, and a API for automation.

Open platform

If you are already a skilled network security analyst, you will love our new LUA API. Trisul gives you LUA hooks into its packet, reassembly, and analytics pipelines. Should you choose to ship everything over to Splunk, Elastic Search, ELSA or other systems – the API lets you do that.

Free download – no questions or hassles.

Just go and download Trisul now and you can be up and running in under 10 minutes. You can run Trisul for free forever with an enforced 3-day retention sliding window. No questions , sales forms, or credit cards asked before installation. We are so confident you will love the new insights that you will come back to us for a full license.


Build comprehensive metrics first

In age of pervasive encryption, a solid base of metrics is better than deep packet inspection
Measure everything at all layers

Do you know what is the baseline concurrent flows in your network ? Trisul will take you to a new world if you are used to simple metrics such as bandwidth utilization and netflow type reports. Trisul not only dramatically enhances common counter groups like Hosts and Applications – but also creates dozens of entirely new groups like TLS Ciphers used, HTTP Content Types, Flow rates and such.

See things in a different light with our advanced counters

It is amazing what you gain when you can answer questions like : So how many unique hosts is my “Asset-1” talk to over time? Trisul uses advanced streaming algorithms to add cardinality , top-N, bottom, elephant flows, long tail keys for any counter group. Our patent pending Delta feature lets you focus on things you saw today that you did not see yesterday. These are all great entry points for automated hunting expeditions using our TRP API (Ruby). Learn more

Stay on top in real time

Any counter in Trisul can be viewed in Real Time using tools that we call “Real Time Stabbers”. This is especially useful for diagnostic applications. All results of our streaming analytics are stored without any loss of resolution, limited only by available storage. Set up intelligent Threshold Bands that alert you when any metric goes out of ‘normal’ bounds.

Put flows to work

Cash in on the astounding value proposition of network flow data

Trisul automatically reconstructs flow information from packets and streams them to its database. If you dont have access to packets you can even just direct Netflow® version 5,9, SFlow, IPFIX. Every single flow is stored without any rollups or summarization in our highly scalable database. Explore flows using our highly interactive “Flow Explorer”.

Flow tools – tag and track

Flow taggers are processors you can use to mark flows with arbitrary string labels. Often these labels themselves are automatically derived from other data types. The real power of Flow Taggers is the ability to query for these tags.

Flow trackers can be used to group flows based on some characteristics. Elephant flows transfer huge volumes of data, long running flows such as VPN go on for hours, high uploaders transfer stuff out of your network, etc. You can also setup threshold alerts on these flow trackers. Read more about Flow Analysis

Get down to the raw packets at any point

The ability to summon network packets is a key capability of network security monitoring. Trisul supports very high speed packet streaming to disk at 10G rates onto vanilla RAID0 arrays. The raw packets are not just stored but indexed just the right amount to enable you to retrieve them quickly. You can drop down to packets from counter metrics, flows, alerts, resources – or even script the process.


We understand full packet storage is not for everyone, so Trisul has powerful rules that allow you to exclude safe traffic or to store only the first X bytes of each flow. Using our LUA API you can even make a storage decision on a per-flow basis.


We believe that data at rest, especially when as sensitive as packet captures, need to be encrypted. Trisul encrypts all packets with AES before storing them.

Merging results into a single PCAP

Stop dealing with dozens of PCAPs files from the same investigation. Trisul transparently marges packets from the results of multiple queries into a single PCAP file. Use the Quick View mode to see the first 100K or so bytes with all a hexdump and a list of strings present.

Extract metadata objects effortlessly

Metadata is data about data ! Its halfway between fully reconstructed content but much deeper than mere flow records. It is now well established that such meta objects have immense value in understanding your traffic as well as for security purposes. Out of the box the following meta data are extracted.

  • Full DNS Records
  • Full HTTP Headers
  • Full TLS Certificate Chains
  • File Hashes including file names
  • TLS parameters only (Common Name, Issuer etc)

You can rapidly search this metadata and from there jump to flows or packets directly. You can even add your own new metadata type using our LUA API.

Meta metrics

Meta metrics are those that feed off other metrics or from meta data. For example : How many flows used RC4 encryption ? Or based on DNS base domain names to IP mappings. You can easily isolate flows to Facebook or Google using our meta metric counter called “Base Domains”

Put IDS alerts and threat intel in context

When you send alert information from Snort or Suricata to Trisul, we integrate it with the rest of the metrics, flows, and packets. The result is dramatically improved context and views of over all alert activity. You can tag flows with alert information, move from alerts to packets, take custom action on each alert via our LUA API.

Real time alert

Trisul opens up a lot of options for you “What happens when you get an alert?”. Use our “Real Time Alert Stabber” to view and explore live alert activity or write a little LUA script to do whatever you want.

Put your traffic under the threat intel lens

Trisul generates flows, metadata like URLS, TLS Certificate information, File Hashes, Fully extracted files – you can use our BadFellas plugin to immediately check these against millions of open threat feeds. Using the LUA API you can integrate any 3rd party threat feed you want.

Its a platform !! Bend Trisul to your shape

Express yourself using a powerful API

You will never be held back from doing something that is not yet baked into the product. Trisul features a high performance LUAJIT API to let you plugin into the same points in Trisul’s packet and reassembly pipelines that our core features do. You can generate your own metadata, create your own metrics, handle extracted files and so on. Watch our GITHUB repo ‘trisul-scripts’ for new content.

Script your hunting

The LUA API gives you access to the live processing, there is another API called TRP (Trisul Remote Protocol) that lets you work with historical data. You write small scripts in Ruby (or Python) to query the same backend that our Web Interface does.

Are you ready to start ?

All you need is a Linux box and 10 minutes ! You can use our built in Free License

Free Download Now