1. How does Trisul work?
Trisul captures network traffic from one or more network interfaces. Each packet is passed through a set of algorithms that compute various statistics; flow records, resources (such as URLs) and security alerts are generated along the way. Finally, the packets themselves are tucked away for later investigation.
2. I am only interested in network usage monitoring. Can I use Trisul?
Absolutely. You can turn off saving raw packets or flows. This bare-bones configuration of Trisul is still a very powerful usage monitor.
3. Can I use Trisul with Netflow?
Yes. Trisul can process Netflow feeds from routers instead of raw packets from a local interface. Netflow carries only flow summaries, not packet contents, so it is an attractive option when your security needs are limited and you do not need payload-level data.
4. Is it feasible to save raw packets from a storage perspective?
Trisul is most useful at the perimeter, where link speeds are still below 100Mbps. Trisul also comes with a very powerful mechanism to cut down on volume intelligently. You can specify rules such as
- Save only headers for subnet X
- Save only the first 10MB for all sessions
- Save 100MB for sessions involving ports 3000-4000
- Dont save anything for subnet Y
This cuts volume substantially on bulky, low-value traffic such as site backups, antivirus pushes and software updates.
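The rules above are evaluated first-match-wins, so ordering matters: the "don't save anything for subnet Y" rule and the per-subnet header rule must come before the catch-all "first 10MB for all sessions". The following is an added illustration of such a retention policy engine written for this page; it is not Trisul's code, and its rule syntax, the `Packet` record and the placeholder subnets 10.1.0.0/16 (X) and 192.168.50.0/24 (Y) are assumptions. The per-session byte budget is keyed direction-independently, so both halves of a conversation draw on the same allowance.

```go
package main

import (
	"fmt"
	"net"
)

const MB = 1024 * 1024

// Action is how much of a matching packet the rule keeps.
type Action int

const (
	Drop        Action = iota // keep nothing
	HeadersOnly               // keep only the L2-L4 headers
	Full                      // keep the whole packet, subject to Budget
)

// Packet is the minimum a retention decision needs (a constructed record, not Trisul's format).
type Packet struct {
	Src, Dst         net.IP
	SrcPort, DstPort uint16
	HeaderLen, Len   int // header bytes and total bytes on the wire
}

// Rule pairs a match predicate with an action and an optional per-session byte budget.
type Rule struct {
	Name   string
	Match  func(p Packet) bool
	Action Action
	Budget int // bytes kept per session under this rule; 0 means no cap
}

// Policy evaluates rules first-match-wins and tracks bytes kept per (rule, session).
type Policy struct {
	Rules []Rule
	used  map[string]int
}

func NewPolicy(rules []Rule) *Policy {
	return &Policy{Rules: rules, used: make(map[string]int)}
}

// sessionKey is direction-independent so both halves of a conversation share one budget.
func sessionKey(p Packet) string {
	a := fmt.Sprintf("%s:%d", p.Src, p.SrcPort)
	b := fmt.Sprintf("%s:%d", p.Dst, p.DstPort)
	if a > b {
		a, b = b, a
	}
	return a + "<->" + b
}

// Decide returns the name of the first matching rule and how many bytes of p to store.
func (pol *Policy) Decide(p Packet) (string, int) {
	for _, r := range pol.Rules {
		if !r.Match(p) {
			continue
		}
		switch r.Action {
		case Drop:
			return r.Name, 0
		case HeadersOnly:
			return r.Name, p.HeaderLen
		}
		keep := p.Len
		if r.Budget > 0 {
			key := r.Name + "|" + sessionKey(p)
			remaining := r.Budget - pol.used[key]
			if remaining <= 0 {
				return r.Name, 0 // session budget exhausted: stop storing
			}
			if keep > remaining {
				keep = remaining // truncate the packet that crosses the cap
			}
			pol.used[key] += keep
		}
		return r.Name, keep
	}
	return "", 0 // no rule matched: keep nothing
}

func inSubnet(cidr string) func(Packet) bool {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return func(p Packet) bool { return n.Contains(p.Src) || n.Contains(p.Dst) }
}

func portRange(lo, hi uint16) func(Packet) bool {
	return func(p Packet) bool {
		return (p.SrcPort >= lo && p.SrcPort <= hi) || (p.DstPort >= lo && p.DstPort <= hi)
	}
}

// DemoPolicy encodes the four FAQ rules; most specific first, catch-all last.
func DemoPolicy() *Policy {
	return NewPolicy([]Rule{
		{"no-capture-subnet-Y", inSubnet("192.168.50.0/24"), Drop, 0},
		{"headers-only-subnet-X", inSubnet("10.1.0.0/16"), HeadersOnly, 0},
		{"100MB-ports-3000-4000", portRange(3000, 4000), Full, 100 * MB},
		{"first-10MB-every-session", func(Packet) bool { return true }, Full, 10 * MB},
	})
}

func main() {
	pol := DemoPolicy()
	p := Packet{net.ParseIP("10.1.2.3"), net.ParseIP("203.0.113.9"), 51000, 443, 54, 1500}
	name, keep := pol.Decide(p)
	fmt.Printf("%s: keep %d of %d bytes\n", name, keep, p.Len)
}
```

Note that a real engine would key sessions on the protocol as well and would expire the `used` map when a flow ends; both are omitted here to keep the decision logic visible.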
5. What about the security of the raw packets?
Trisul encrypts raw packets with the fast AES-128 cipher in CTR mode before storing them, so a stolen or offline-copied disk does not expose the captured data. Two caveats apply to any such scheme: the protection holds only as long as the key is not stored alongside the data (an attacker who compromises the running server and obtains the key can decrypt), and CTR mode provides confidentiality but not integrity, so tampering with the stored records is not detected by the cipher itself.
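To make the CTR-mode properties concrete, here is an added example written for this page, not Trisul's code: it seals each packet record with AES-128-CTR under an IV that can never repeat for a given key (a random prefix plus a record counter), shows that the ciphertext is the same length as the packet, and demonstrates why IV uniqueness matters by XORing two records encrypted under the same IV. The key, the IV layout and the record format `iv || ciphertext` are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RecordCipher encrypts stored packet records with AES-128 in CTR mode.
// IV = 8 random bytes drawn once per key || 64-bit record counter, so no
// IV is reused under the same key for the lifetime of the store.
type RecordCipher struct {
	block   cipher.Block
	prefix  [8]byte
	counter uint64
}

func NewRecordCipher(key []byte) (*RecordCipher, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	rc := &RecordCipher{block: block}
	if _, err := rand.Read(rc.prefix[:]); err != nil {
		return nil, err
	}
	return rc, nil
}

// Seal returns iv || ciphertext. CTR is a stream mode, so the ciphertext is
// exactly the length of the packet: no padding, which suits packet storage.
func (rc *RecordCipher) Seal(packet []byte) []byte {
	var iv [aes.BlockSize]byte
	copy(iv[:8], rc.prefix[:])
	binary.BigEndian.PutUint64(iv[8:], rc.counter)
	rc.counter++
	out := make([]byte, aes.BlockSize+len(packet))
	copy(out, iv[:])
	cipher.NewCTR(rc.block, iv[:]).XORKeyStream(out[aes.BlockSize:], packet)
	return out
}

// Open decrypts a record produced by Seal. CTR gives confidentiality only:
// nothing here detects a flipped bit, so an integrity check (an HMAC over
// iv||ciphertext, or an AEAD such as AES-GCM) has to be layered on top.
func Open(key, record []byte) ([]byte, error) {
	if len(record) < aes.BlockSize {
		return nil, errors.New("record too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(record)-aes.BlockSize)
	cipher.NewCTR(block, record[:aes.BlockSize]).XORKeyStream(plain, record[aes.BlockSize:])
	return plain, nil
}

// NonceReuseLeak shows why the counter matters: two records encrypted under
// the same key AND the same IV XOR to the XOR of their plaintexts, so someone
// holding only the ciphertext files learns plaintext structure without the key.
func NonceReuseLeak(key, iv, p1, p2 []byte) []byte {
	block, _ := aes.NewCipher(key)
	c1 := make([]byte, len(p1))
	c2 := make([]byte, len(p2))
	cipher.NewCTR(block, iv).XORKeyStream(c1, p1)
	cipher.NewCTR(block, iv).XORKeyStream(c2, p2)
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	x := make([]byte, n)
	for i := range x {
		x[i] = c1[i] ^ c2[i]
	}
	return x
}

func main() {
	key := []byte("0123456789abcdef") // demo key only; a real key belongs in a KMS/HSM, not beside the data
	rc, err := NewRecordCipher(key)
	if err != nil {
		panic(err)
	}
	rec := rc.Seal([]byte("GET /index.html HTTP/1.1")) // constructed sample payload
	plain, _ := Open(key, rec)
	fmt.Printf("%d-byte record -> %q\n", len(rec), plain)
}
```

The 16-byte IV stored in front of each record is the only per-record overhead; the key itself never touches the record, which is the property that makes the stolen-disk scenario safe and the compromised-running-server scenario not.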
6. How long can Trisul store data?
Trisul's data retention is determined solely by available disk space. You can add storage dynamically to extend retention.
7. How do I access Trisul?
Web Trisul is the Ruby on Rails application through which you access Trisul. Also available is TRP (Trisul Remote Protocol), which lets client programs connect to Trisul securely over TLS.
8. Why is IE not recommended?
Webtrisul uses Gerbilcharts, an SVG-based charting library, for its large, interactive charts. This saves considerable rasterization load on the server. IE is the only major browser that does not support SVG, so if you use IE, Webtrisul falls back to rasterization and generates PNG charts. IE9 promises SVG, so let's wait!
9. How can I scale Trisul?
Trisul loves fast disks and more CPU cores.
10. Is there a FreeBSD port?
Not at this time.
11. How does Trisul do security alerts?
Trisul accepts security alerts from Snort (which you install separately). Snort writes alerts in binary format to a Unix socket (its alert_unixsock output); Trisul reads the alerts from that socket and correlates them with statistics, flows and raw packets.