Network situational awareness and retro analysis
Trisul is a Linux based application that passively listens to network traffic and tracks a number of traffic metrics across all layers. It correlates these traffic metrics with raw flow data and full packet captures. You can even add in alerts from an IDS to complete the picture.
You can download Trisul and run it completely free. No nags or crippled functionality. However, only the most recent 3-days are available for analysis in the free version.
Key features:
Meter everything – Trisul measures over 120 traffic statistics at all layers in your network. These include simple statistics like Host Traffic, Host Connections, MAC Traffic to complex ones like Traffic by HTTP Content Type, Flow creation rate. You can create your own counting policies by a powerful rule based method. These traffic stats are stored unsummarized for long term storage in a format designed for quick reporting. In fact, you can use Trisul with only metering enabled and still get one of the best traffic monitors available today.
Flows – Includes a powerful bi-directional flow generator which stores every flow seen in a high performance data store. You can store billions of flows over months and still get a great response. The flow store is integrated with the metering information, alerts, and raw packets so you can jump from one to the other. Another key Trisul innovation is a flow tracker – which is a snapshot of interesting flows taken every 10 minutes.
Packet store – A high performance flexible packet storage engine is the backbone of the Trisul forensics subsystem. You can apply a set of policies to include, exclude, or flow cap (eg: only store 10MB per flow) raw packets storage. The packets are encrypted before they are written to disk for added security. Trisul includes powerful tools to retrieve raw packets in tcpdump format or to play them back for deeper analysis using a feature we call “Cross Drill”.
Alerts – Trisul can accept IDS alerts and integrate them with the other types of data. Alerts and signatures turn into another type of meter. You can view alert trends, group and query alerts, pull up related flows, or get the pcap of the alert flow. Trisul also supports malware alerts from a plugin called Badfellas, threshold crossing alerts, and flow tracker alerts.
Web and script interface – All interactions are via a powerful web interface with completely configurable dashboards, users, and permissions. You also get advanced features like PDF reporting, and emailing reports. For the serious researcher we offer a remote scripting interface called Trisul Remote Protocol. This allows you to query and retrieve data from Trisul using a language like Ruby.