User Tools
offline:defcon26ctf
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
offline:defcon26ctf [2018/11/12 17:28] veera [PCAP totals dashboard] |
offline:defcon26ctf [2018/11/12 17:30] (current) veera [Port connections over time] |
||
|---|---|---|---|
| Line 78: | Line 78: | ||
| Click on //Retro > Retro Counters// to view a Timeline showing traffic bandwidth. Here we see between 10 and 100Mbps spanning a 3-day period of the competition. From here you can select any timewindow and drill down into Counters. | Click on //Retro > Retro Counters// to view a Timeline showing traffic bandwidth. Here we see between 10 and 100Mbps spanning a 3-day period of the competition. From here you can select any timewindow and drill down into Counters. | ||
| - | {{:offline:dc26-1.png?600|}} | + | {{:offline:dc26-1.png?800|}} |
| Line 87: | Line 87: | ||
| - | {{:offline:dc26-2.png?600|}} | + | {{:offline:dc26-2.png?800|}} |
| Line 94: | Line 94: | ||
| Click on //Dashboards > Sessions// to see top flows by volume, long lived flows, download, upload. This is a really good place to start because in many CTF or even enterprise loads - elephant flows ((Elephant flows are large volume flows that dominate the bulk of the data transfer)) dominate the overall volume of data. Here we see a single flow from IP 10.13.37.8 pushing nearly 800MB in a 10 Min transfer. | Click on //Dashboards > Sessions// to see top flows by volume, long lived flows, download, upload. This is a really good place to start because in many CTF or even enterprise loads - elephant flows ((Elephant flows are large volume flows that dominate the bulk of the data transfer)) dominate the overall volume of data. Here we see a single flow from IP 10.13.37.8 pushing nearly 800MB in a 10 Min transfer. | ||
| - | {{:offline:dc26-3.png?600|}} | + | {{:offline:dc26-3.png?800|}} |
| Line 118: | Line 118: | ||
| Select //Alerts > Show All > IDS// to show the IDS alert categories seen. You can then click on an alert to drill down further or pull up PCAPs. | Select //Alerts > Show All > IDS// to show the IDS alert categories seen. You can then click on an alert to drill down further or pull up PCAPs. | ||
| - | {{:offline:dc26-6.png?600|}} | + | {{:offline:dc26-6.png?800|}} |
| Line 125: | Line 125: | ||
| Trisul lets you seamlessly pivot from any analysis point to PCAPs. You can pull down entire PCAP or use the super nifty "PCAP Headers" to only see the top of the PCAP. In the PCAP headers, we show the 'strings' seen in the PCAP header, the actual Hexdump, and a TSHARK like packet summary. | Trisul lets you seamlessly pivot from any analysis point to PCAPs. You can pull down entire PCAP or use the super nifty "PCAP Headers" to only see the top of the PCAP. In the PCAP headers, we show the 'strings' seen in the PCAP header, the actual Hexdump, and a TSHARK like packet summary. | ||
| - | {{:offline:dc26-7.png?600|}} | + | {{:offline:dc26-7.png?800|}} |
| Line 133: | Line 133: | ||
| - | {{:offline:dc26-8.png?600|}} | + | {{:offline:dc26-8.png?800|}} |
| Line 140: | Line 140: | ||
| The last one here is quite interesting. Go to Retro Counters > Select the entire Time interval and then select "Apps". We find that CTF contestants attacking different ports on different days. Hmm, maybe something to look deeper into. | The last one here is quite interesting. Go to Retro Counters > Select the entire Time interval and then select "Apps". We find that CTF contestants attacking different ports on different days. Hmm, maybe something to look deeper into. | ||
| - | {{:offline:dc26-9.png?600|}} | + | {{:offline:dc26-9.png?800|}} |
| + | |||
| + | ===== Conclusion===== | ||
| Hope network analysis enthusiasts find this useful. The docker image bundles a [[https://trisul.org|Free License of Trisul]]. PCAP dumps upto 3 days in time can be imported. | Hope network analysis enthusiasts find this useful. The docker image bundles a [[https://trisul.org|Free License of Trisul]]. PCAP dumps upto 3 days in time can be imported. | ||
offline/defcon26ctf.1542043684.txt.gz · Last modified: 2018/11/12 17:28 by veera
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
