Arkime (previously Moloch) is a robust open-source network analysis and packet capture solution designed for large-scale traffic monitoring. Unlike Wireshark, Arkime stores full network traffic as standard PCAP files and indexes the session metadata, enabling fast, indexed access. It features an intuitive web interface for PCAP browsing, searching, and exporting, making it a valuable tool for cybersecurity professionals.
Key Features of Arkime
1. Sessions Page
Displays indexed sessions for a selected time period and search expression, including a timeline graph and a map of session results.
2. SPI View Page
Shows unique values with session counts for each captured field (Session Profile Information).
3. SPI Graph Page
Provides a temporal view of the top unique values for any field.
4. Connections Page
Displays a network graph of search results, helping visualize relationships between hosts.
5. Parliament Application
Groups Arkime clusters with links, Elasticsearch health status, and issues.
6. Cont3xt Application
Centralizes contextual intelligence gathering for technical investigations.
Arkime’s Core Components
1. Capture – A threaded C application that:
- Monitors network traffic
- Writes PCAP files to disk
- Parses packets
- Sends metadata (SPI data) to OpenSearch/Elasticsearch
2. Viewer – A Node.js application that:
- Provides the web interface
- Transfers packets to the browser
3. OpenSearch/Elasticsearch – Powers Arkime’s search and indexing capabilities.
Getting Started with Arkime
1. Installation
Download from arkime.com/install.
2. Running Arkime
After installation, access the web interface at `http://localhost:8005`.
You Should Know: Essential Commands & Practical Usage
Linux Setup & Basic Commands
```bash
# Download and install the Arkime package on Debian/Ubuntu
wget https://arkime.com/downloads/arkime_4.0.0-1_amd64.deb
sudo dpkg -i arkime_4.0.0-1_amd64.deb

# Interactive setup: capture interface(s), OpenSearch/Elasticsearch URL, passwords
sudo /opt/arkime/bin/Configure

# Initialise the OpenSearch/Elasticsearch indices (first install only)
sudo /opt/arkime/db/db.pl http://localhost:9200 init

# Start the capture service (the web interface is the arkimeviewer service)
sudo systemctl start arkimecapture
```
Windows Alternative (Using WSL2)
```bash
# Install an Ubuntu distribution under WSL2, then open its shell
wsl --install -d Ubuntu

# Inside Ubuntu: there is no "arkime" package in the distribution repos,
# so fetch the .deb from arkime.com and let apt resolve its dependencies
wget https://arkime.com/downloads/arkime_4.0.0-1_amd64.deb
sudo apt update && sudo apt install ./arkime_4.0.0-1_amd64.deb

# WSL2 only sees its own virtual NIC, so this install is mainly useful for
# indexing existing PCAP files with: /opt/arkime/bin/capture -r file.pcap
```
Viewing & Analyzing Captured Traffic
```bash
# Search sessions from a specific source IP directly in OpenSearch/Elasticsearch
# (Arkime 3+/4 keeps sessions in arkime_sessions3-* with ECS-style field names)
curl -XGET "http://localhost:9200/arkime_sessions3-*/_search?q=source.ip:192.168.1.1"

# Same search through the Viewer API, which enforces Arkime's own auth and
# uses its expression syntax (digest auth is the default; adjust if changed)
curl --digest -u admin:password "http://localhost:8005/api/sessions?date=-1&expression=ip.src==192.168.1.1"

# Carve HTTP requests out of an Arkime-written PCAP for analysis in Wireshark
tshark -r /opt/arkime/raw/capture.pcap -Y "http.request" -w http_traffic.pcap
```
Advanced Network Analysis
```bash
# Run capture in the foreground (same command the systemd unit runs); the
# interface and output directory come from config.ini, e.g.
#   interface=eth0
#   pcapDir=/opt/arkime/raw
sudo /opt/arkime/bin/capture -c /opt/arkime/etc/config.ini --debug

# Pull the last hour of DNS sessions from the Viewer API and print the documents
curl --digest -u admin:password "http://localhost:8005/api/sessions?date=1&expression=protocols==dns" | jq '.data[]'
```
What Undercode Says
Arkime is a game-changer for network forensics, offering scalability and deep packet inspection without the limitations of traditional tools like Wireshark. Its integration with Elasticsearch makes it ideal for SOC analysts, incident responders, and threat hunters.
Additional Linux & Windows Commands for Network Analysis
Linux (Packet Inspection & Forensics)
```bash
# Count HTTP User-Agents seen in a PCAP (-Y drops packets without the field)
tshark -r traffic.pcap -Y http.user_agent -T fields -e http.user_agent | sort | uniq -c | sort -rn

# Sessions to well-known ports other than 80/443 over the last 24 hours
# (worth reviewing when those services are not expected on the segment)
curl --digest -u admin:password -G "http://localhost:8005/api/sessions" \
     --data-urlencode "date=24" \
     --data-urlencode "expression=port.dst < 1024 && port.dst != 80 && port.dst != 443" | jq '.data[]'

# Follow the capture service's logs in real time
journalctl -u arkimecapture -f
```
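The two Viewer searches above (DNS sessions and low-port sessions) can also be driven from a script, which is how most SOC automation consumes Arkime. The following Python is an added example, not Arkime's own code: it assumes the Viewer at `http://localhost:8005` behind HTTP digest auth, that `GET /api/sessions` returns `{"data": [...]}`, and that session documents use Arkime's ECS-style nested fields (`source.ip`, `destination.port`, `protocols`, `dns.host`). The `SAMPLE_SESSIONS` records are constructed to that shape so the analysis functions can be run offline.

```python
"""Query the Arkime Viewer sessions API and summarise the results offline.

Added example; not Arkime's own code. Assumptions (also marked inline):
  - the Viewer runs at http://localhost:8005 behind HTTP digest auth
  - GET /api/sessions returns {"data": [...]} of session documents
  - documents use Arkime's ECS-style nested fields (source.ip,
    destination.port, protocols, dns.host); SAMPLE_SESSIONS below is
    constructed to that shape, not real captured data
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

VIEWER = "http://localhost:8005"   # assumed Viewer address

# The page's two searches written in Arkime's expression syntax
EXPR_LOW_PORTS = "port.dst < 1024 && port.dst != 80 && port.dst != 443"
EXPR_DNS = "protocols == dns"


def sessions_url(expression, hours=24, length=1000):
    """Build the /api/sessions URL. `date` is the look-back window in hours
    (-1 means all time); `length` caps the number of records returned."""
    query = urllib.parse.urlencode(
        {"expression": expression, "date": hours, "length": length})
    return f"{VIEWER}/api/sessions?{query}"


def fetch_sessions(expression, user, password, hours=24):
    """Call the Viewer with digest auth and return its session documents."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, VIEWER, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(mgr))
    with opener.open(sessions_url(expression, hours), timeout=30) as resp:
        return json.load(resp)["data"]


def low_port_sessions(sessions):
    """Offline counterpart of EXPR_LOW_PORTS: sessions whose destination port
    is below 1024 and is neither 80 nor 443, as (src, dst, port, protocols)."""
    hits = []
    for s in sessions:
        port = s["destination"]["port"]
        if port < 1024 and port not in (80, 443):
            hits.append((s["source"]["ip"], s["destination"]["ip"],
                         port, tuple(s.get("protocols", []))))
    return hits


def dns_host_counts(sessions):
    """Count queried hostnames across DNS sessions (dns.host is a list)."""
    counts = Counter()
    for s in sessions:
        if "dns" in s.get("protocols", []):
            counts.update(s.get("dns", {}).get("host", []))
    return counts


SAMPLE_SESSIONS = [  # constructed records shaped like Viewer output
    {"source": {"ip": "10.0.0.5", "port": 51000},
     "destination": {"ip": "10.0.0.53", "port": 53},
     "protocols": ["udp", "dns"], "dns": {"host": ["updates.example.com"]}},
    {"source": {"ip": "10.0.0.5", "port": 51001},
     "destination": {"ip": "10.0.0.53", "port": 53},
     "protocols": ["udp", "dns"],
     "dns": {"host": ["updates.example.com", "cdn.example.net"]}},
    {"source": {"ip": "10.0.0.7", "port": 40222},
     "destination": {"ip": "203.0.113.9", "port": 443},
     "protocols": ["tcp", "tls"]},
    {"source": {"ip": "10.0.0.7", "port": 40223},
     "destination": {"ip": "203.0.113.9", "port": 22},
     "protocols": ["tcp", "ssh"]},
    {"source": {"ip": "10.0.0.9", "port": 40300},
     "destination": {"ip": "198.51.100.4", "port": 8080},
     "protocols": ["tcp", "http"]},
]

if __name__ == "__main__":
    # Against a live Viewer you would call, e.g.:
    #   sessions = fetch_sessions(EXPR_LOW_PORTS, "admin", "password")
    for hit in low_port_sessions(SAMPLE_SESSIONS):
        print("low-port session:", hit)
    for host, n in dns_host_counts(SAMPLE_SESSIONS).most_common():
        print(f"{n:4d}  {host}")
```

On the constructed sample, `low_port_sessions` returns the two DNS sessions to port 53 and the SSH session to port 22 (the 443 and 8080 sessions are excluded), and `dns_host_counts` reports `updates.example.com` twice and `cdn.example.net` once. Against a live Viewer, swap `SAMPLE_SESSIONS` for the output of `fetch_sessions`; the same filter logic applies because the expression is evaluated server-side and the offline functions only re-check what came back.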
Windows (PowerShell for Network Analysis)
```powershell
# List established TCP connections
Get-NetTCPConnection | Where-Object { $_.State -eq "Established" }

# Capture traffic with the built-in NetEvent packet-capture provider into an ETL trace
New-NetEventSession -Name "ArkimeCapture" -CaptureMode SaveToFile -LocalFilePath "C:\Arkime\capture.etl"
Add-NetEventPacketCaptureProvider -SessionName "ArkimeCapture"
Start-NetEventSession -Name "ArkimeCapture"
# let the capture run, then stop it
Stop-NetEventSession -Name "ArkimeCapture"

# ETL is not a PCAP: convert it (e.g. with Microsoft's etl2pcapng, then
# editcap -F pcap if a classic .pcap is required) before importing it into
# Arkime on the Linux side with: /opt/arkime/bin/capture -r capture.pcap
etl2pcapng.exe C:\Arkime\capture.etl C:\Arkime\capture.pcapng
```
Expected Output:
A fully operational Arkime deployment with indexed network traffic, searchable via Elasticsearch, and exportable PCAPs for further analysis in tools like Wireshark.
For more details, visit: arkime.com
References:
Reported By: Ouardi Mohamed – Hackers Feeds