====== Analyzing the WRCCDC PCAPs : Part 3 Analysis using TrisulNSM ======

In this article we will just show pictures and a video of how you might analyze the imported PCAP dumps using Trisul.

This is Part 3 of a 3-part series:

  * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]]
  * [[offline:wrccdc_pcaps_trisulnsm|Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump]]
  * Part 3: Screenshots & video of analysis paths (using TrisulNSM)

Time to show and tell.

===== Video showing UI navigations =====

Trisul has a ton of features and it can be a bit daunting at first where to start, where to go next and so forth. A sample video made by one of our engineers shows the various places where you can start and gives you a feel for the capabilities.

//There is a music soundtrack but no narration//

{{youtube>iwtYmrHsiLw?large}}

===== Monitoring Techniques =====

Here are a few screenshots of the dataset showing the monitoring and baseline building techniques described in [[offline:wrccdc_pcaps|Part-1 of this series]].

==== Start from PCAP Summary Dashboard ====

//Open with Dashboards > Show All > scroll down to the bottom and locate PCAP Summary//

The best place to start is the PCAP summary. Wireshark users can think of it as a supercharged ''capinfos''. It shows you a bandwidth usage chart in bytes and packets, the total capture time, the number of flows, the number of each type of metadata extracted, alerts, etc. You can click on any item to follow an analysis path from there.

[{{ :offline:w5.png?direct&400 |The PCAP summary dashboard is a good starting point}}]

==== Hosts Dashboard ====

//Open with Dashboards > Hosts//

The Hosts dashboard is a good top-level dashboard to give you a baseline view of host activity. See which internal and external hosts are most active, by volume, by connections, etc. You can click the small button next to each item to drill down from there. But right now we're just baseline building.

You can check out the Apps dashboard for a similar view of application activity.

{{ :offline:w3.png?direct&400 |Hosts activity dashboard}}

==== Get an overview of flow activity ====

[{{ :offline:w10.png?direct&400 |Flow dashboard gives you Top-K flows on several parameters}}]

==== Viewing IDS Alerts ====

{{ :offline:wrccdc1.png?direct&400 |}}

==== Retro Analysis - view advanced counters ====

[{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}]

Here we are seeing the JA3 TLS Fingerprints.

[{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}]

===== Drilldown techniques =====

==== Explore flows ====

[{{ :offline:w23-scan.png?400 |Jump to flows, query flows}}]

==== Trisul EDGE: Graph analytics discover relationships ====

[{{ :offline:w20.png?400 |Click on any key to reveal neighbors, then finally jump to flows}}]

==== File Extraction ====

[{{ :offline:w14.png?direct&400 |Check if any EXE/ZIP etc were downloaded}}]

==== Drilldown to Packets ====

[{{ :offline:wrccdc2.png?direct&400 |From any place you can grab the packets, if you think the volume can be handled by Wireshark}}]

==== File extraction ====

<code>
DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l
-rw-r--r-- 1 trisul trisul 287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe
-rw-r--r-- 1 trisul trisul 287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe
-rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe
-rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe
DOCKER:unpl:root savedfiles$
</code>
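The listing above already shows the same executable saved twice from the same client, so a first triage step is to hash the extracted files, collapse duplicates, check that an ''.exe'' really carries a PE header, and record which client each sample came from; the script below is an added example (not part of this article or of Trisul) that does exactly that. It assumes the saved-file name layout ''<a>_<b>_<flowid>_<client ip>__<original name>'', inferred from the listing, and ''build_sample_dir()'' writes constructed stand-in contents rather than the real extracted binaries.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Assumed filename layout, inferred from the listing above (not documented here):
#   <a>_<b>_<flowid>_<client ip>__<original name>
NAME_RE = re.compile(r"^[^_]+_[^_]+_(?P<fid>[^_]+)_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})__(?P<name>.+)$")

def parse_saved_name(fname):
    """Return {'fid', 'ip', 'name'} for a saved-file name in the assumed layout, else None."""
    m = NAME_RE.match(fname)
    return m.groupdict() if m else None

def sha256_file(path):
    with open(path, "rb") as f:  # extracted files are modest in size; read whole
        return hashlib.sha256(f.read()).hexdigest()

def is_pe(path):
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"  # 'MZ' DOS header: a real PE regardless of the name

def inventory(directory, extensions=(".exe", ".zip")):
    """Group saved files by SHA-256: {digest: {names, ips, files, pe}}; duplicates collapse."""
    groups = defaultdict(lambda: {"names": set(), "ips": set(), "files": [], "pe": False})
    for fname in sorted(os.listdir(directory)):
        meta = parse_saved_name(fname) if fname.lower().endswith(extensions) else None
        if meta is None:
            continue  # wrong extension or not a saved-file name: skip rather than guess
        path = os.path.join(directory, fname)
        g = groups[sha256_file(path)]
        g["names"].add(meta["name"])
        g["ips"].add(meta["ip"])
        g["files"].append(fname)
        g["pe"] = g["pe"] or is_pe(path)
    return dict(groups)

def build_sample_dir():
    """Constructed stand-in for /tmp/savedfiles: two identical copies plus one non-PE '.exe'."""
    d = tempfile.mkdtemp()
    files = {  # contents are made up for the demo, not the real extracted binaries
        "00_00_f91a_10.128.0.201__PsGetsid.exe": b"MZ" + b"\x90" * 64,
        "00_00_fb80_10.128.0.201__PsGetsid.exe": b"MZ" + b"\x90" * 64,
        "00_01_dbcf_10.150.0.70__chocolate_debug.exe": b"PK" + b"\x00" * 128,  # ZIP magic, .exe name
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d
```

Point ''inventory()'' at the container's ''/tmp/savedfiles'' directory to get one entry per distinct sample, with the client IPs that fetched it and a flag for names that do not match the file's magic.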