Trisul screencast – retrieve POST data from full packet capture

This is a real story. I spent about 30 mins composing and posting a thoughtful message to an online forum. Upon hitting submit, something broke and the server returned an error. Hitting the back button or pressing refresh did not work. After a burst of profanity, I recalled that we have a full capture NSM tool (Trisul) running in our company, in a little $500 appliance, capturing every flow, URL, and packet our two ISP connections see.

I was able to recover my message within 1 minute.

This little 4-minute screencast shows you how to:

  1. Pull up the list of URLs
  2. Use the form to filter POST requests to a specific server
  3. Pull out PCAPs into a reconstruction tool like Unsniff Network Analyzer
  4. Locate the data in the reconstructed (i.e., unzipped, dechunked) content

Please excuse the poor audio and the developer's voice!
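What step 4's "unzipped, dechunked" reconstruction involves for a POST body, as an added Python example (not code from the screencast, Trisul, or Unsniff). It assumes the client-to-server TCP stream has already been reassembled from the PCAP and is cleartext HTTP/1.1; the host, path, and form fields in the sample are constructed.

```python
import gzip
from urllib.parse import parse_qs


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer coding."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if the capture is cut short
        # Chunk size is hex; anything after ';' is a chunk extension.
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(body):
            raise ValueError("capture ends mid-chunk (dropped packets?)")
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that closes the chunk


def recover_post(stream: bytes) -> dict:
    """Parse one reassembled HTTP request and decode its form body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    if method != "POST":
        raise ValueError("not a POST request")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (h.partition(":") for h in header_lines)}
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {"host": headers.get("host"), "path": path, "fields": fields}


# Constructed sample: a gzip-compressed, chunked form POST to a made-up forum.
_gz = gzip.compress(b"subject=Hello&message=My+long+forum+post")
_a, _b = _gz[:10], _gz[10:]
SAMPLE = (b"POST /forum/post.php HTTP/1.1\r\nHost: forum.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
          + b"%x\r\n" % len(_a) + _a + b"\r\n"
          + b"%x\r\n" % len(_b) + _b + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(recover_post(SAMPLE))
```

The same decoding does nothing for TLS-protected traffic, where the capture holds only ciphertext.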

The next post will be about automating this whole process using Ruby and Trisul Remote Protocol.

——————————–

Deploy Trisul Network Analytics today to track everything about your network along with a slick web based user interface to perform complex drilldowns. All you need is a Linux box.

It is totally free for monitoring a recent 3-day window. Get it now.

Author: Vivek Rajagopalan

Vivek Rajagopalan is a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets, very high speed networks, and helping track down the bad guys on the internet.