Okay, so you have successfully installed Trisul. Right? If not, see the page How to install?

Run Trisul

Key files

Before running Trisul, a quick overview of some of the key files and directories is in order.

File             | Location                                | Purpose
-----------------+-----------------------------------------+--------------------------------------------------------------
trisulConfig.xml | /usr/local/etc/trisul                   | Contains all options required to run Trisul.
sttrisul         | /usr/local/share/trisul                 | Script to start Trisul. If you installed via an RPM or DEB, you can use the init script instead (e.g. service trisul start).
ktrisul          | /usr/local/share/trisul                 | Kills a running instance of Trisul.
ns-001.log       | /usr/local/var/log/trisul               | Log file (rolls over to ns-002 etc.).
TRISULDB.SQDB    | /usr/local/var/lib/trisul/CAPRINGS      | The SQLITE3 database. It contains both configuration and output traffic data. You can use the SQLITE3 command line tool to view the tables.
RCF_xxx.CAP      | /usr/local/var/lib/trisul/CAPRINGS/CURR | The capture file ring. You typically view these via an analyzer that supports the Trisul Remote Protocol. They are in a slightly modified PCAP format (documentation needed).

Now we have a basic understanding of the layout and key files. We can jump in and do a trial run.

A quick run

Trisul can run in one of two modes

  1. Offline : Used to process capture files
  2. Online : Monitor a live network continuously

Let us run the online version of Trisul.

  • First log in as root
  • Move to the share directory ( cd /usr/local/share/trisul )
  • Type ./sttrisul to start the process
  • Trisul is now running and monitoring traffic on the eth0 interface by default
  • Visit some websites in order to generate traffic on the eth0 interface
  • You can let it run for a while (say 3 minutes or so)
  • Type ./ktrisul to stop Trisul

Our first session is complete. Let us look at results from our first run.

Results from our first run

While Trisul ran, it did the following things:

  1. Opened the network adapter and gave up root privileges and acquired nobody.nobody ( see Privileges for more)
  2. Initialized the directory where the raw files are stored in a ring
  3. Initialized SSL/TLS, loaded its certificate for secure communications for the Trisul Remote Protocol (TRP)
  4. Initialized the SQLITE3 database
  5. Tracked statistics and flows and saved them in the SQLITE3 database
  6. Saved the raw packets in the ring directory

What's in the database?

Let us look at the database using the SQLITE3 command line tool.

  • Move to the output directory ( cd /usr/local/var/lib/trisul/CAPRINGS )
  • Check the files there via ls
[vivek@localhost CAPRINGS]$ ls
CURR  TRISULDB.SQDB  TRISULDB_TEMPL.SQDB
[vivek@localhost CAPRINGS]$ 
  • The file named TRISULDB.SQDB is the output database
  • Type sqlite3 TRISULDB.SQDB to access the SQLITE command prompt
[vivek@localhost CAPRINGS]$ sqlite3 TRISULDB.SQDB 
SQLite version 3.3.13
Enter .help for instructions
sqlite> 
sqlite>
  • Some useful commands are .tables (to see list of tables) and .schema <tablename>
sqlite> .tables
TRISUL_ACCESS_POINTS     TRISUL_SESSION_GROUPS    TRISUL_TRF_HISTS       
TRISUL_CAPTURE_PROFILES  TRISUL_SESSION_HISTS     TRISUL_TRF_HOSTS       
TRISUL_CAP_STATS         TRISUL_SESS_TCPS         TRISUL_TRF_SUBNETS     
TRISUL_COUNTER_GROUPS    TRISUL_SESS_TRF_VOIPS    TRISUL_TRF_TABLEMAPS   
TRISUL_CTL_COUNTERVARS   TRISUL_SESS_VOIPS        TRISUL_TRF_TOPPERS     
TRISUL_KEYS              TRISUL_TRF_AGGREGATES    TRISUL_WEB_USERS       
TRISUL_PLUGINS           TRISUL_TRF_APPS        
TRISUL_RUN_STATS         TRISUL_TRF_DIRMACS     
sqlite> 
  • Let us quickly look at the host traffic in TRISUL_TRF_HOSTS (for a detailed description of tables see the Database Details page)
  • Do a select * from trisul_trf_hosts;
  • To look at TCP flows, do a select * from trisul_sess_tcps;
  • You can interpret this data via Web Trisul, or by reading the Database Details page
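As an added example (not Trisul's own code), a small Python script that does the same inventory as the .tables and .schema commands above but opens TRISULDB.SQDB read-only, so browsing the output tables can neither change the configuration rows that share the file nor take write locks against a running Trisul. The two tables and their columns in make_sample_db are constructed stand-ins; the real layout is on the Database Details page.

```python
import sqlite3
import tempfile
from pathlib import Path

def open_readonly(db_path):
    """Open TRISULDB.SQDB through a read-only URI: browsing the output tables then
    cannot alter the configuration rows kept in the same file or take write locks
    against a Trisul instance that is still writing to it."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)

def trisul_tables(conn):
    """The TRISUL_* table names, like .tables in the sqlite3 shell."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                        "AND name LIKE 'TRISUL_%' ORDER BY name")
    return [r[0] for r in rows]

def table_schema(conn, name):
    """Like .schema <tablename>: the CREATE statement SQLite stored for the table."""
    row = conn.execute("SELECT sql FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row[0] if row else None

def table_inventory(conn):
    """Row count per TRISUL_* table. The names come from sqlite_master, not from
    user input, so double-quoting them is enough; never interpolate untrusted names."""
    return {name: conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
            for name in trisul_tables(conn)}

def make_sample_db(db_path):
    """Constructed stand-in for TRISULDB.SQDB: two tables named as on this page but
    with made-up columns (the real layout is on the Database Details page)."""
    conn = sqlite3.connect(db_path)
    with conn:  # commits the inserts
        conn.execute("CREATE TABLE TRISUL_TRF_HOSTS (host TEXT, total_bytes INTEGER)")
        conn.execute("CREATE TABLE TRISUL_SESS_TCPS (src TEXT, dst TEXT, dport INTEGER)")
        conn.executemany("INSERT INTO TRISUL_TRF_HOSTS VALUES (?, ?)",
                         [("10.0.0.5", 8192), ("10.0.0.9", 4096), ("192.0.2.1", 12)])
        conn.execute("INSERT INTO TRISUL_SESS_TCPS VALUES ('10.0.0.5', '192.0.2.1', 80)")
    conn.close()

def demo():
    """Build the sample database in a temp dir, then inventory it read-only."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "TRISULDB.SQDB"
        make_sample_db(path)
        conn = open_readonly(path)
        try:
            return table_inventory(conn), table_schema(conn, "TRISUL_TRF_HOSTS")
        finally:
            conn.close()
```

Point open_readonly at the real /usr/local/var/lib/trisul/CAPRINGS/TRISULDB.SQDB to inventory an actual run.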

What's in the CURR directory?

In the same directory as TRISULDB.SQDB (see the "What's in the database?" section) you will also find a subdirectory called CURR. This directory contains a bunch of files that form the raw capture ring.

  • Do a ls to list the files (you will see something like the following)
total 2140
-rw-r----- 1 nobody nobody 103521 2008-06-06 12:17 RCF_10.cap
-rw-r----- 1 nobody nobody 102908 2008-06-06 12:18 RCF_11.cap
-rw-r----- 1 nobody nobody 102848 2008-06-06 12:18 RCF_12.cap
-rw-r----- 1 nobody nobody 103242 2008-06-06 12:18 RCF_13.cap
-rw-r----- 1 nobody nobody 103602 2008-06-06 12:18 RCF_14.cap
-rw-r----- 1 nobody nobody 102651 2008-06-06 12:24 RCF_1.cap
-rw-r----- 1 nobody nobody 103015 2008-06-06 12:24 RCF_2.cap
-rw-r----- 1 nobody nobody 102707 2008-06-06 12:33 RCF_3.cap
-rw-r----- 1 nobody nobody  82784 2008-06-06 12:34 RCF_4.cap
-rw-r----- 1 nobody nobody 102764 2008-06-06 12:16 RCF_5.cap
-rw-r----- 1 nobody nobody 102998 2008-06-06 12:16 RCF_6.cap
-rw-r----- 1 nobody nobody 102644 2008-06-06 12:17 RCF_7.cap
-rw-r----- 1 nobody nobody 103185 2008-06-06 12:17 RCF_8.cap
-rw-r----- 1 nobody nobody 102680 2008-06-06 12:17 RCF_9.cap

Each of these files contains raw traffic. Trisul maintains an in-memory index of these files to speed up retrieval. On startup, Trisul scans each of these files to rebuild the in-memory index.
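As an added illustration (not Trisul's code) of the index rebuild described above, a Python scanner that walks the RCF_*.cap ring the way Trisul does at startup, records each file's first and last packet time and packet count, and answers which file holds a given timestamp without reopening any capture. It assumes the files follow the standard libpcap layout; the page only says they are slightly modified PCAP, so the header parsing is an assumption, and the sample data is constructed.

```python
import struct
from pathlib import Path
_GLOBAL_HDR, _REC_HDR = 24, 16
_MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
           b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}

def make_sample_pcap(records, snaplen=65535, linktype=1):
    """Constructed test data: a little-endian pcap from (sec, usec, payload) tuples."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, payload in records:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(out)

def index_capture(data):
    """Return (first_ts, last_ts, packet_count) for one ring file given as bytes.
    Assumes the standard libpcap layout; Trisul's RCF files are only described as
    'slightly modified PCAP', so a real file may need this adjusted. A truncated
    final record (a file still being written) ends the scan instead of raising."""
    if len(data) < _GLOBAL_HDR or data[:4] not in _MAGICS:
        raise ValueError("not a pcap file")
    endian, div = _MAGICS[data[:4]]
    first = last = None
    count, off = 0, _GLOBAL_HDR
    while off + _REC_HDR <= len(data):
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + _REC_HDR])
        if incl > orig or off + _REC_HDR + incl > len(data):
            break  # corrupt or truncated record: stop indexing this file
        last = sec + frac / div
        first = last if first is None else first
        count += 1
        off += _REC_HDR + incl
    return first, last, count

def build_ring_index(ring_dir):
    """Scan RCF_*.cap in ring_dir, as Trisul does at startup; entries are sorted by
    first packet time, so the oldest file (next to be overwritten) comes first."""
    entries = []
    for path in Path(ring_dir).glob("RCF_*.cap"):
        first, last, n = index_capture(path.read_bytes())
        if n:
            entries.append((path.name, first, last, n))
    return sorted(entries, key=lambda e: e[1])

def find_file(index, ts):
    """Which ring file holds packets at time ts? None when the index does not cover it."""
    for name, first, last, _ in index:
        if first <= ts <= last:
            return name
    return None
```

Run build_ring_index("/usr/local/var/lib/trisul/CAPRINGS/CURR") after a capture to see the ring order that the ls timestamps above only hint at.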

End of tour

run.txt · Last modified: 2008/06/07 03:14 by vivek