Revisions compared: offline:defcon26ctf [2018/11/12 17:27] by veera (section: Screenshots) and offline:defcon26ctf [2018/11/12 17:30] (current) by veera (section: Port connections over time)
Line 78: Line 78:
 Click on //Retro > Retro Counters// to view a Timeline showing traffic bandwidth. Here we see between 10 and 100 Mbps spanning the 3-day period of the competition. From here you can select any time window and drill down into Counters.
  
-{{:​offline:​dc26-1.png?​600|}}+{{:​offline:​dc26-1.png?​800|}}
  
  
Line 87: Line 87:
  
  
-{{:​offline:​dc26-2.png?​600|}}+{{:​offline:​dc26-2.png?​800|}}
  
  
Line 94: Line 94:
 Click on //Dashboards > Sessions// to see top flows by volume, long-lived flows, download, and upload. This is a really good place to start because in many CTF or even enterprise workloads, elephant flows ((Elephant flows are large volume flows that dominate the bulk of the data transfer)) dominate the overall volume of data. Here we see a single flow from IP 10.13.37.8 pushing nearly 800MB in a 10-minute transfer.
  
-{{:​offline:​dc26-3.png?​600|}}+{{:​offline:​dc26-3.png?​800|}}
  
  
Line 103: Line 103:
 The PCAP Totals dashboard is an excellent place to start off your analysis. On a single dashboard you can see the traffic details, number of unique hosts, apps, VLANs, TLS certificates, IDS alerts, HTTP URLs, SNI, JA3 TLS fingerprints, and over 40 other types of metrics. You can then click on them to drill down further.
  
-{{:​offline:​dc26-4.png?​600|}}+{{:​offline:​dc26-4.png?​800|}}
  
 ==== Edge Graph Analytics ====
Line 111: Line 111:
 Exploring HTTP Status 123
  
-{{:​offline:​dc26-5.png?​600|}}+{{:​offline:​dc26-5.png?​800|}}
  
  
Line 118: Line 118:
 Select //Alerts > Show All > IDS// to show the IDS alert categories seen. You can then click on an alert to drill down further or pull up PCAPs.
  
-{{:​offline:​dc26-6.png?​600|}}+{{:​offline:​dc26-6.png?​800|}}
  
  
Line 125: Line 125:
 Trisul lets you seamlessly pivot from any analysis point to PCAPs. You can pull down the entire PCAP or use the super nifty "PCAP Headers" view to see only the top of the PCAP. In the PCAP headers view, we show the 'strings' seen in the PCAP header, the actual hexdump, and a TSHARK-like packet summary.
  
-{{:​offline:​dc26-7.png?​600|}}+{{:​offline:​dc26-7.png?​800|}}
  
  
Line 133: Line 133:
  
  
-{{:​offline:​dc26-8.png?​600|}}+{{:​offline:​dc26-8.png?​800|}}
  
  
Line 140: Line 140:
 The last one here is quite interesting. Go to //Retro > Retro Counters//, select the entire time interval, and then select "Apps". We find CTF contestants attacking different ports on different days. Hmm, maybe something to look deeper into.
  
-{{:​offline:​dc26-9.png?​600|}}+{{:​offline:​dc26-9.png?​800|}}
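The two views used above, top flows by volume under //Dashboards > Sessions// and destination ports over time under //Retro Counters > Apps//, are both simple aggregations over a capture. As an added example (not part of the original page and not Trisul code), the following Python script computes both directly from a pcap file using only the standard library, so you can sanity-check what a GUI shows you against the raw bytes. The pcap it parses is constructed in memory from a few synthetic Ethernet/IPv4/TCP frames; the addresses, ports, timestamps and the helper names (build_packet, top_flows, dport_by_day) are assumptions for illustration, not data from the competition capture.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone

# pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_packet(src, dst, sport, dport, payload_len):
    """Build an Ethernet/IPv4/TCP frame carrying payload_len dummy bytes (checksums left zero)."""
    payload = b"\x00" * payload_len
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (PSH|ACK), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: iterable of (unix seconds, frame bytes) -> little-endian pcap bytes."""
    out = [PCAP_GLOBAL_HEADER]
    for ts, frame in records:
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, frame) for each record of a little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_flow(frame):
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport


def top_flows(pcap_bytes, n=3):
    """Wire bytes per 5-tuple, largest first: the 'elephant flow' view of Dashboards > Sessions."""
    volume = defaultdict(int)
    for _ts, frame in iter_pcap(pcap_bytes):
        key = parse_flow(frame)
        if key is not None:
            volume[key] += len(frame)
    return sorted(volume.items(), key=lambda kv: kv[1], reverse=True)[:n]


def dport_by_day(pcap_bytes):
    """Map UTC day -> {destination port: packet count}: the 'Apps over time' view of Retro Counters."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, frame in iter_pcap(pcap_bytes):
        key = parse_flow(frame)
        if key is not None:
            day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
            per_day[day][key[4]] += 1
    return {day: dict(ports) for day, ports in per_day.items()}


# Constructed sample capture (assumed data, not the DEF CON 26 traffic): three UTC days,
# one bulk HTTP transfer on day one, then probes against different ports on later days.
DAY1, DAY2, DAY3 = 1533902400, 1533988800, 1534075200  # 2018-08-10/11/12 12:00:00 UTC
SAMPLE_PCAP = build_pcap([
    (DAY1, build_packet("10.13.37.8", "10.13.37.100", 40001, 80, 1400)),
    (DAY1, build_packet("10.13.37.8", "10.13.37.100", 40001, 80, 1400)),
    (DAY1, build_packet("10.13.37.8", "10.13.37.100", 40001, 80, 1400)),
    (DAY1, build_packet("10.13.37.5", "10.13.37.100", 50010, 22, 100)),
    (DAY2, build_packet("10.13.37.5", "10.13.37.100", 50011, 4444, 50)),
    (DAY2, build_packet("10.13.37.5", "10.13.37.100", 50011, 4444, 50)),
    (DAY3, build_packet("10.13.37.6", "10.13.37.100", 50012, 8080, 10)),
])

if __name__ == "__main__":
    for flow, nbytes in top_flows(SAMPLE_PCAP):
        print(f"{flow[0]}:{flow[3]} -> {flow[1]}:{flow[4]} proto={flow[2]} bytes={nbytes}")
    for day, ports in sorted(dport_by_day(SAMPLE_PCAP).items()):
        print(day, dict(sorted(ports.items())))
```

To run it against a real capture, replace SAMPLE_PCAP with the contents of a pcap file read in binary mode; the parser only handles the classic little-endian pcap format with Ethernet link type, so a pcapng file or a capture with 802.1Q VLAN tags (common in CTF range traffic) needs the EtherType check extended before the IPv4 offsets are trusted.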
  
 +
 +===== Conclusion=====
  
 Hope network analysis enthusiasts find this useful. The docker image bundles a [[https://​trisul.org|Free License of Trisul]]. PCAP dumps spanning up to 3 days can be imported.
offline/defcon26ctf.1542043653.txt.gz · Last modified: 2018/11/12 17:27 by veera