====== Processing the DEFCON 26 CTF PCAPS using Trisul NSM ======

With the right tools, analyzing large PCAP dumps can be lots of fun. This article is a step-by-step of using TrisulNSM to dive into the DEFCON26 CTF PCAP ((The PCAPs can be accessed from the [[https://www.defcon.org/html/links/dc-ctf.html|DEFCON 26 CTF Competition website]])).

Given only a PCAP file, your first task as an analyst is to make sense of it from multiple angles. I typically like to start off with a statistical overview:

  - What is the timeframe of the CTF?
  - What was the bandwidth used over the time duration?
  - What were the top IPs as attackers and as targets?
  - What ports were targeted?
  - Any red flags from an IDS like Snort/Suricata over the duration?
  - Top flows by download/upload

Then, once you have a baseline, you can follow several tracks to investigate in depth, down to the packet level.

[[https://trisul.org|TrisulNSM (Trisul Network Analytics)]] is the leading platform today for performing this kind of analysis over very large PCAP files. This article describes how you can use our free docker image ''trisulnsm/trisul6'' to slurp this PCAP and then have some fun analyzing it.

===== Get started =====

So, let's get started. We assume you have a fairly decent Linux machine ready with Docker installed. Any distro will do because we are going to be using our Docker image.

Steps:

  - Download the DEFCON26 PCAP, a 5GB file, into a directory.
  - Unrar the file and extract the inside PCAP into a filename without spaces such as ''dc26ctf.pcap''
  - Create a directory on your system where the results will be stored. Move the PCAP to that directory so the docker container can see the PCAP file.
<code bash>
mkdir /opt/trisulroot
mv dc26ctf.pcap /opt/trisulroot
</code>

Run the trisulnsm/trisul6 docker image over the PCAP:

<code bash>
sudo docker run --privileged=true \
  --name=trisul1a \
  --net=host -v /opt/trisulroot:/trisulroot \
  -d trisulnsm/trisul6 \
  --pcap dc26ctf.pcap \
  --webserver-port 4000
</code>

Check the logs to see whether the process was kicked off without issues:

<code bash>
docker logs trisul1a -f
</code>

If there are no errors here, it means the process has been kicked off. This can take a while to complete. Expect anywhere from 20 minutes to an hour depending on your computer's power and whether you have an SSD. To monitor the progress, log in to the container and check:

<code bash>
root@unpl:~# docker exec -it trisul1a /bin/bash
docker$ # to view process usage
docker$ top
docker$ # add helper macros for trisul
docker$ source /usr/local/share/trisul-probe/trisbashrc dc26ctf1
docker$ # tail the log files
docker$ tailf.ns
</code>

You might want to take a break and have a coffee! When you get back you can log in to http://ip:4000 to analyze the fun stuff.

===== Screenshots =====

Timeline showing the volume of traffic between 10 and 100Mbps over the period of the competition. You can select any time window and drill down.

{{:offline:dc26-1.png?400|}}

Trend

{{:offline:dc26-2.png?400|}}

Top flows

{{:offline:dc26-3.png?400|}}

PCAP totals dashboard

{{:offline:dc26-4.png?400|}}

Exploring HTTP Status 123

{{:offline:dc26-5.png?400|}}

Alerts, attacks on Drupal

{{:offline:dc26-6.png?400|}}

Pivot to packets from anywhere

{{:offline:dc26-7.png?400|}}

Conversations of a particular host

{{:offline:dc26-8.png?400|}}

Port connections over time

{{:offline:dc26-9.png?400|}}
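The baseline questions listed at the start (timeframe, bandwidth over time, top hosts, top ports) are what Trisul computes at scale; as an added example that is not part of this article or of Trisul, here is a minimal pure-Python single pass over a classic pcap file that answers the same questions on a constructed three-packet sample. It assumes a microsecond-timestamp pcap (not pcapng) carrying IPv4 over Ethernet; the IDS-alert and flow questions need a real engine and are not covered.

```python
import struct
from collections import Counter

def build_pcap(packets):
    """Constructed sample input: wrap (timestamp, frame) pairs in a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in packets:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out

def build_frame(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums are left zero, which is fine for counting."""
    l4 = struct.pack("!HH", sport, dport) + (b"\0" * 16 if proto == 6 else b"\0" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\0" * 12 + b"\x08\x00" + ip + l4 + b"\0" * payload_len

def baseline(pcap_bytes, bucket_secs=60):
    """Single pass over a pcap file: timeframe, bytes per bucket, top IPs and top destination ports."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"  # the global header records the writer's byte order
    stats = {"first": None, "last": None, "buckets": Counter(),
             "src": Counter(), "dst": Counter(), "dports": Counter()}
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ts = sec + usec / 1e6
        stats["first"] = ts if stats["first"] is None else min(stats["first"], ts)
        stats["last"] = ts if stats["last"] is None else max(stats["last"], ts)
        stats["buckets"][sec // bucket_secs * bucket_secs] += caplen  # bandwidth over time
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # assumption: only IPv4 over Ethernet is attributed; other frames count toward volume only
        ihl = (frame[14] & 0x0F) * 4
        stats["src"][".".join(map(str, frame[26:30]))] += 1
        stats["dst"][".".join(map(str, frame[30:34]))] += 1
        if frame[23] in (6, 17) and len(frame) >= 14 + ihl + 4:  # TCP or UDP: ports sit at the same offset
            stats["dports"][struct.unpack_from("!H", frame, 14 + ihl + 2)[0]] += 1
    return stats

# Constructed sample: two HTTP connections and one DNS query, spanning a little over a minute.
SAMPLE = build_pcap([
    (1533931200.0, build_frame("10.0.0.5", "10.0.0.9", 6, 40000, 80, 200)),
    (1533931205.5, build_frame("10.0.0.5", "10.0.0.9", 6, 40001, 80, 1200)),
    (1533931270.0, build_frame("10.0.0.7", "10.0.0.9", 17, 5353, 53, 60)),
])

if __name__ == "__main__":
    print(baseline(SAMPLE))
```

On the real 5GB capture, replace SAMPLE with the file's bytes read from disk (or stream the record loop) and raise bucket_secs to match the timeline resolution you want.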

offline/defcon26ctf.1542041955.txt.gz · Last modified: 2018/11/12 16:59 by veera