Trisul Remote Protocol

Trisul Remote Protocol allows network analyzers to connect securely to Trisul and perform live monitoring or forensic analysis.

Unsniff 2.0 uses this protocol, but we expect other analyzers such as Wireshark to make use of it as well. The ultimate goal is to integrate this into a centralized system like http://sguil.sourceforge.net/.

Features

  1. A binary protocol
  2. Runs on top of a TLS security layer
  3. Requires analyzers to present valid client certificates
  4. Enables real-time top-N queries (Who are the top hosts right now?)
  5. Enables historical queries (Who were the top hosts around 8:30 last night?)
  6. Enables traffic details (What is the usage history of host 192.168.2.200?)
  7. Enables controlled metering (Which were the top hosts using the DNS protocol at 8:30 last night?)
  8. Enables filtering for forensics (I want to see raw packets between 8:30 and 8:40 last night for hosts 192.168.1.200, 201, 156)
  9. Compresses large transfers, like raw packets (network packets compress really well!)
  10. Allows multiple connections from analyzers
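
The following is an added illustration, not code from Trisul, WebTrisul or TheRat: it sketches what features 1, 2, 3 and 9 mean in practice. The frame layout (magic, message type, flags, length), the compression threshold and the message-type numbers are assumptions made for this example; the real TRP wire format lives in PulseProtocolCmd.h and is not reproduced here. The server-side TLS context shows the one setting that makes "requires analyzers to present valid client certificates" true, and the decoder caps both the declared length and the decompressed size so a malformed or hostile frame cannot exhaust memory.

```python
import ssl
import struct
import zlib

# Hypothetical framing for this example only (not the real TRP format).
MAGIC = b"TRP1"
FLAG_COMPRESSED = 0x01
HEADER = struct.Struct("!4sHBI")        # magic, message type, flags, payload length
COMPRESS_THRESHOLD = 512                # assumed policy: only large payloads are compressed
MAX_PAYLOAD = 16 * 1024 * 1024          # reject absurd lengths before allocating
MSG_TOPN = 1                            # assumed message-type numbers
MSG_RAW_PACKETS = 2


def server_tls_context(cafile=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side TLS context that insists on a client certificate.

    Paths are optional so the policy can be inspected without real files;
    a deployed server would always load its CA, certificate and key.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # analyzer must present a cert signed by our CA
    if cafile:
        ctx.load_verify_locations(cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def encode_frame(msg_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a binary frame, compressing it when that actually helps."""
    flags, body = 0, payload
    if len(payload) > COMPRESS_THRESHOLD:
        packed = zlib.compress(payload)
        if len(packed) < len(payload):
            flags |= FLAG_COMPRESSED
            body = packed
    return HEADER.pack(MAGIC, msg_type, flags, len(body)) + body


def decode_frame(buf: bytes):
    """Return (msg_type, payload, bytes_consumed), or None if buf holds no complete frame."""
    if len(buf) < HEADER.size:
        return None
    magic, msg_type, flags, length = HEADER.unpack_from(buf)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if length > MAX_PAYLOAD:
        raise ValueError("declared payload length exceeds limit")
    end = HEADER.size + length
    if len(buf) < end:
        return None                     # wait for more bytes from the socket
    body = buf[HEADER.size:end]
    if flags & FLAG_COMPRESSED:
        # Bounded decompression: a small frame must not inflate without limit.
        d = zlib.decompressobj()
        body = d.decompress(body, MAX_PAYLOAD)
        if d.unconsumed_tail:
            raise ValueError("decompressed payload exceeds limit")
    return msg_type, bytes(body), end


def sample_packet_dump(count: int = 200) -> bytes:
    """Constructed sample: a synthetic 64-byte packet repeated `count` times.

    Stands in for a raw capture; real captures are less uniform but still
    compress well because headers repeat from packet to packet.
    """
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = (bytes.fromhex("45000034000040004011") + b"\x00\x00"
          + bytes([192, 168, 2, 200]) + bytes([192, 168, 2, 1]))
    pkt = eth + ip + bytes(64 - len(eth) - len(ip))
    return pkt * count


def compression_ratio(payload: bytes) -> float:
    """Original size divided by the size actually sent on the wire."""
    frame = encode_frame(MSG_RAW_PACKETS, payload)
    return len(payload) / (len(frame) - HEADER.size)


if __name__ == "__main__":
    dump = sample_packet_dump()
    frame = encode_frame(MSG_RAW_PACKETS, dump)
    msg_type, payload, used = decode_frame(frame)
    assert payload == dump and used == len(frame)
    print(f"raw {len(dump)} bytes -> wire {len(frame)} bytes "
          f"(ratio {compression_ratio(dump):.1f}x)")
    print("server requires client cert:",
          server_tls_context().verify_mode == ssl.CERT_REQUIRED)
```

Two things are worth noting from the decoder: a reader must tolerate partial frames (returning None and waiting is what a real socket loop needs), and any protocol that compresses "large transfers" should bound the inflated size, because the compressed length on the wire says nothing about how much memory the payload will occupy once decompressed.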

Specification

There is no formal specification of the protocol yet.

The code

A Ruby library called "TheRat" is available as part of the WebTrisul source code and contains a client for the TRP. You can use this library to create your own Ruby tools that interact with Trisul over the TRP.

The file PulseProtocolCmd.h contains the protocol messages and the C++ structures.

Until a formal spec is available, please look at the code.

trisul_remote_protocol.txt · Last modified: 2008/06/02 01:56 by vivek