This shows you the differences between two versions of the page.
| | Previous revision: offline:wrccdc_pcaps_trisulnsm [2018/05/12 11:31] veera [Run the Docker image over the pcaps] | | Current revision: offline:wrccdc_pcaps_trisulnsm [2018/05/12 18:42] (current) veera [Download the PCAPs] |
|---|---|---|---|
| Line 9: | Line 9: | ||
| * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]] | * [[offline:wrccdc_pcaps|Part 1: Approach how to avoid getting overwhelmed by large PCAPS]] | ||
| * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump | * Part 2: How to use the free TrisulNSM Docker Image to analyze the PCAP dump | ||
| - | * Part 3: Screenshots & video of possible analysis paths (using TrisulNSM) | + | * [[offline:wrccdc_pcaps_results|Part 3: Screenshots & video of possible analysis paths (using TrisulNSM)]] |
| Line 18: | Line 18: | ||
| - | Firstly install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Articles Page"]] | + | First install Docker on your host platform. We recommend Ubuntu 16.04 of CentOS 7.4. We have instructions on the [[https://www.trisul.org/devzone/doku.php/articles#docker|"Docker section on the articles Page"]] |
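Review bot: the typo in the platform sentence survives the edit: "Ubuntu 16.04 of CentOS 7.4" should read "Ubuntu 16.04 or CentOS 7.4". While touching this line, the new link text "Docker section on the articles Page" has inconsistent capitalisation; "Docker section on the Articles page" matches the page title it points to.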
| Line 27: | Line 27: | ||
| - | Here have downloaded the first 8 files into the directory ''/opt/trisulroot5/wrccdc'' | + | Here have downloaded the first 8 files into the directory ''/opt/trisulroot5/wrccdc'' You can download as many as you want. Just make sure you have enough disk space for the results. |
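Review bot: the sentence still lacks its subject and the new text runs into it without punctuation: "Here have downloaded the first 8 files into the directory ''/opt/trisulroot5/wrccdc'' You can download" should be "Here we have downloaded the first 8 files into the directory ''/opt/trisulroot5/wrccdc''. You can download as many as you want." The disk-space caveat is a useful addition; a rough figure for how much space the results take per PCAP would make it actionable.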
| Line 62: | Line 62: | ||
| - | A quick note on the command line options we're using | + | A quick note on the command line options we're using. For a complete list of options see [[https://github.com/trisulnsm/docker#options|github/trisulnsm]] |
| |''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| | |''--name'' | We give the instance a name of trisul1n. So it makes it easier to manipulate the system| | ||
| Line 71: | Line 71: | ||
| - | Upon completion your ''docker logs -f trisul1n'' should show something like below. | + | === Wait for completion === |
| + | |||
| + | Now TrisulNSM is crunching the PCAPs. You can monitor the progress by running the following command. | ||
| + | |||
| + | <code> | ||
| + | docker logs -f trisul1n | ||
| + | </code> | ||
| + | |||
| + | The rough time taken in our very modest system was around 40 seconds per file. When the processing finishes you will see something like this. | ||
| <code> | <code> | ||
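Review bot: ''docker logs -f trisul1n'' follows the log stream and does not return when processing finishes, so the new "Wait for completion" section should tell the reader to detach with Ctrl-C once the completion output shown below appears (Ctrl-C stops only the log follow, not the container). The "around 40 seconds per file" figure on a "very modest system" would be more useful with the CPU count, RAM and PCAP file size it was measured on, since per-file time depends on the size of each capture rather than the number of files.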
| Line 89: | Line 97: | ||
| + | ==== Next ==== | ||
| - | Using Trisul to analyze the PCAPs | ||
| - | + | Thats it ! Now you are ready to analyze the network data using Trisul. That is [[offline:wrccdc_pcaps_results|Part 3 of this series]]. | |
| - | File extraction | + | |
| - | + | ||
| - | <code> | + | |
| - | DOCKER:unpl:root savedfiles$ ls /tmp/savedfiles/*.exe -l | + | |
| - | -rw-r--r-- 1 trisul trisul 287392 May 11 12:52 /tmp/savedfiles/00_00_f91a_10.128.0.201__PsGetsid.exe | + | |
| - | -rw-r--r-- 1 trisul trisul 287392 May 11 12:52 /tmp/savedfiles/00_00_fb80_10.128.0.201__PsGetsid.exe | + | |
| - | -rw-r--r-- 1 trisul trisul 12582912 May 11 12:52 /tmp/savedfiles/00_01_dbcf_10.150.0.70__chocolate_debug.exe | + | |
| - | -rw-r--r-- 1 trisul trisul 42846720 May 11 12:52 /tmp/savedfiles/00_01_df63_10.150.0.70__chocolate_debug.exe | + | |
| - | DOCKER:unpl:root savedfiles$ | + | |
| - | + | ||
| - | + | ||
| - | </code> | + | |
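Review bot: the removed "File extraction" section, including the ''ls /tmp/savedfiles/*.exe -l'' listing that shows the carved executables, is dropped from this page without a pointer to where it went; if it moved to Part 3, say so in the new "Next" paragraph, otherwise readers lose the ''/tmp/savedfiles'' location. Also "Thats it !" should be "That's it!" (apostrophe, no space before the exclamation mark).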