====== Analyzing the WRCCDC PCAPs : Part 3 Analysis using TrisulNSM ======

In this article we will just show pictures and a video of how you might analyze the imported PCAP dumps using Trisul.

This is Part 3 of a 3-part series:

  * [[offline:wrccdc_pcaps|Part 1: Approach: how to avoid getting overwhelmed by large PCAPs]]
  * [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker image to analyze the PCAP dump]]
  * Part 3: Screenshots and video of analysis paths (using TrisulNSM)

Time to show and tell.

===== Video showing UI navigations =====

A sample video made by one of our engineers showing the analysis paths.

{{youtube>iwtYmrHsiLw?large}}

===== Monitoring Techniques =====

Here are a few screenshots of the dataset showing the monitoring and baseline-building techniques described in [[offline:wrccdc_pcaps|Part 1 of this series]].

==== Start from PCAP Summary Dashboard ====

[{{ :offline:w5.png?direct&400 |The PCAP summary dashboard is a good starting point}}]

==== Hosts Dashboard ====

{{ :offline:w3.png?direct&400 |Hosts activity dashboard}}

==== Get an overview of flow activity ====

[{{ :offline:w10.png?direct&400 |Flow dashboard gives you Top-K flows on several parameters}}]

==== Viewing IDS Alerts ====

{{ :offline:wrccdc1.png?direct&400 |}}

==== Retro Analysis - view advanced counters ====

[{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}]

Here we are seeing the JA3 TLS fingerprints.

[{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS fingerprints, building a baseline model}}]

===== Drilldown techniques =====

==== Explore flows ====

[{{ :offline:w23-scan.png?400 |Jump to flows, query flows}}]

==== Trisul EDGE: Graph analytics discover relationships ====

[{{ :offline:w20.png?400 |Click on any key to reveal neighbors, then finally jump to flows}}]

==== File Extraction ====

[{{ :offline:w14.png?direct&400 |Check whether any EXE/ZIP files etc. were downloaded}}]

==== Drilldown to Packets ====

[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}]

==== File extraction ====

The extracted files land in the ''savedfiles'' directory inside the container; two of the four executables below were saved twice with identical sizes.

<code>
DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l
-rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe
-rw-r--r-- 1 trisul trisul   287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe
-rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe
-rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe
DOCKER:unpl:root savedfiles$
</code>
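A listing like the one above gets unwieldy fast on a large PCAP set, so the next step is to triage the extracted files: hash them, collapse duplicates (the two ''PsGetsid.exe'' copies have the same size and are probably one download saved twice), and keep track of which host served each file. The script below is an added example written for this article, not Trisul's own code. It assumes the saved-file naming convention ''<seq>_<seq>_<hex>_<source-ip>__<original-name>'', which is inferred from the listing and not documented here, and it builds a temporary directory of constructed stand-in files (fabricated bytes, not the real executables) so it runs without the dataset.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# ASSUMPTION: Trisul names saved files <seq>_<seq>_<hex>_<source-ip>__<original-name>.
# This pattern is inferred from the ls listing on this page, not from Trisul documentation.
SAVED_NAME_RE = re.compile(
    r"^(?P<prefix>[0-9a-f]+_[0-9a-f]+_[0-9a-f]+)_"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})__(?P<name>.+)$"
)

# Hypothetical triage list: extensions worth a second look when pulled off the wire.
INTERESTING_SUFFIXES = (".exe", ".dll", ".zip", ".ps1", ".msi")


def parse_saved_name(filename):
    """Split a saved-file name into the serving host and the original file name."""
    m = SAVED_NAME_RE.match(filename)
    if not m:
        return None
    return {"host": m.group("host"), "name": m.group("name")}


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB extractions do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_saved_files(directory):
    """Return {sha256: record}; identical downloads collapse into one record with several paths."""
    report = defaultdict(lambda: {"size": 0, "hosts": set(), "names": set(), "paths": []})
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in INTERESTING_SUFFIXES:
            continue
        rec = report[sha256_of(entry)]
        rec["size"] = entry.stat().st_size
        rec["paths"].append(str(entry))
        parsed = parse_saved_name(entry.name)
        if parsed:
            rec["hosts"].add(parsed["host"])
            rec["names"].add(parsed["name"])
    return dict(report)


def build_demo_directory():
    """Constructed sample: the file names from the listing above with fabricated contents."""
    d = Path(tempfile.mkdtemp(prefix="savedfiles_demo_"))
    samples = {
        "00_00_f91a_10.128.0.201__PsGetsid.exe": b"MZ" + b"A" * 100,
        "00_00_fb80_10.128.0.201__PsGetsid.exe": b"MZ" + b"A" * 100,        # same bytes -> one record
        "00_01_dbcf_10.150.0.70__chocolate_debug.exe": b"MZ" + b"B" * 100,
        "00_01_df63_10.150.0.70__chocolate_debug.exe": b"MZ" + b"C" * 100,  # same name, different bytes
        "notes.txt": b"not an interesting type",                             # skipped by suffix filter
    }
    for name, data in samples.items():
        (d / name).write_bytes(data)
    return d


if __name__ == "__main__":
    # Point triage_saved_files() at /tmp/savedfiles inside the container for the real dataset.
    for digest, rec in triage_saved_files(build_demo_directory()).items():
        print(digest[:16], rec["size"], sorted(rec["hosts"]), sorted(rec["names"]), len(rec["paths"]))
```

Grouping by content hash rather than by file name matters in both directions: the two ''PsGetsid.exe'' saves collapse to one artefact to analyse, while the two ''chocolate_debug.exe'' saves, which have different sizes in the listing, stay separate even though they share a name. The hashes are also what you would feed to a sandbox or threat-intel lookup once you decide a file deserves it.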