FAQ
Common questions about Trisul

If you have a question and couldn't find it here, just send us an email.

  • How does Trisul work?


    Trisul captures network traffic from one or more network interfaces. Each packet is then passed through a set of algorithms that compute various statistics; flow records, resources (such as URLs), and security alerts are also generated. Finally, the packets are tucked away for later investigation.

  • I am only interested in network usage monitoring. Can I use Trisul?


    Absolutely. You can turn off saving raw packets or flows. This bare-bones version of Trisul is still a very powerful usage monitor.

  • Can I use Trisul with Netflow?


    Yes. If your security needs are limited, Netflow is an attractive option. Trisul can process Netflow feeds from routers instead of raw packets from a local interface.

  • How do I access Trisul?


    Web Trisul is the Ruby on Rails application that allows you to access Trisul. Also available is a protocol called TRP (Trisul Remote Protocol), which gives clients a way to connect securely over TLS and interact with Trisul.

  • How does Trisul do security alerts?


    Trisul accepts security alerts from Snort (to be installed separately by you). Snort writes alerts in binary format to a Unix socket; Trisul reads the alerts from that socket and correlates them with statistics, flows, and raw packets.

  • Is it feasible to save raw packets from a storage perspective?


    Trisul is most useful at the perimeter, where link speeds are still below 100 Mbps. However, Trisul comes with a very powerful mechanism to cut down on volume intelligently. You can specify various rules such as:

    * Save only headers for subnet X
    * Save only the first 10MB for all sessions
    * Save 100MB for sessions involving ports 3000-4000
    * Don't save anything for subnet Y

    This helps substantially with bulky enterprise traffic such as site backups, antivirus pushes, and software updates.
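    As an added illustration, not Trisul's own configuration syntax or code, the following Python models a rule set like the one above as a first-match policy that decides how many bytes of each packet are written to disk. The subnets, port range, packet sizes and the 64-byte "header" length are constructed assumptions.

```python
"""Hypothetical capture-volume policy modelled on the FAQ's rule examples (not Trisul code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 64  # assumed number of bytes kept by a "save only headers" rule


@dataclass(frozen=True)
class Rule:
    subnet: Optional[ipaddress.IPv4Network] = None  # matches if either endpoint is inside
    ports: Optional[Tuple[int, int]] = None          # inclusive (low, high), either port
    headers_only: bool = False
    session_budget: Optional[int] = None             # max bytes per session; None = unlimited
    drop: bool = False

    def matches(self, src, dst, sport, dport) -> bool:
        if self.subnet is not None and not (src in self.subnet or dst in self.subnet):
            return False
        if self.ports is not None:
            lo, hi = self.ports
            if not (lo <= sport <= hi or lo <= dport <= hi):
                return False
        return True


class CapturePolicy:
    def __init__(self, rules):
        self.rules = list(rules)   # evaluated in order; first match wins
        self.saved = {}            # direction-agnostic session key -> bytes already written

    def bytes_to_save(self, src, dst, sport, dport, pkt_len) -> int:
        """Return how many bytes of this packet to store (0 = discard it)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        rule = next((r for r in self.rules if r.matches(src, dst, sport, dport)), None)
        if rule is None:
            return pkt_len                     # no rule matched: keep the whole packet
        if rule.drop:
            return 0
        n = min(pkt_len, HEADER_LEN) if rule.headers_only else pkt_len
        if rule.session_budget is not None:   # enforce the per-session byte budget
            key = frozenset([(str(src), sport), (str(dst), dport)])
            used = self.saved.get(key, 0)
            n = max(0, min(n, rule.session_budget - used))
            self.saved[key] = used + n
        return n


def make_policy() -> CapturePolicy:
    """Constructed rule set: subnet X = 192.168.1.0/24, subnet Y = 10.0.0.0/8 (assumed)."""
    return CapturePolicy([
        Rule(subnet=ipaddress.ip_network("10.0.0.0/8"), drop=True),              # nothing for subnet Y
        Rule(subnet=ipaddress.ip_network("192.168.1.0/24"), headers_only=True),  # headers only, subnet X
        Rule(ports=(3000, 4000), session_budget=100 * 1024 * 1024),              # 100MB, ports 3000-4000
        Rule(session_budget=10 * 1024 * 1024),                                   # first 10MB, all sessions
    ])
```

    Note that rule order matters: the port-range budget must precede the catch-all 10MB rule, or it would never be reached.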

  • What about the security of the raw packets?


    Trisul encrypts raw packets with the fast AES-128 cipher in CTR mode before storing them, so even if your server is stolen or compromised, no one can get at the raw data.

  • How long can Trisul store data?


    Trisul's data retention is determined solely by available disk space. You can add storage dynamically to boost retention.

  • How can I scale Trisul?


    Trisul loves fast disks and more CPU cores.