Arkime 3.1 (previously known as Moloch) has been released

The release of Arkime 3.1 was recently announced. Arkime is a system for capturing, storing and indexing network packets that provides tools to visually assess traffic flows and to search for information related to network activity.

The project was originally developed by AOL with the goal of creating an open, self-hosted replacement for commercial network packet processing platforms, one that can scale to handle traffic at tens of gigabits per second.

About Arkime

For those unfamiliar with Arkime: formerly known as Moloch, it is a toolkit that captures and indexes traffic in the standard PCAP format and provides tools for quick access to the indexed data. Using the PCAP format greatly simplifies integration with existing traffic analyzers such as Wireshark. The amount of data stored is limited only by the size of the available disk array. Session metadata is indexed in a cluster based on the Elasticsearch engine.

To analyze the accumulated information, a web interface is provided that allows browsing, searching and exporting samples. The web interface offers several display modes: from general statistics, connection maps and graphs of changes in network activity over time, to tools for studying individual sessions, analyzing activity per protocol and examining data from PCAP dumps.

An API is also provided that allows third-party applications to access captured packet data in PCAP format and parsed sessions in JSON format.

Arkime has three basic components:

  1. The traffic capture system, a multithreaded C application that monitors traffic, writes PCAP dumps to disk, analyzes the captured packets, and sends session metadata (SPI data, Session Profile Information) and protocol information to the Elasticsearch cluster. Encrypted storage of PCAP files is possible.
  2. A web interface based on the Node.js platform that runs on each traffic capture server and handles requests to access the indexed data and to transfer PCAP files through the API.
  3. An Elasticsearch-based metadata store.

Main novelties of Arkime 3.1

One of the most notable changes in this release is the project's name. As mentioned above, it was previously known as Moloch; the developers say the project has grown and changed significantly, and that this was a good time to rename it to Arkime.

Another highlight is a completely new user interface for configuring WISE (With Intelligence See Everything, Arkime's enrichment service), for creating and updating WISE sources, and for viewing WISE statistics. It is intended to help users get started with WISE, or improve an existing WISE service, without hand-editing configuration or source files.

Support was also added for the IETF QUIC, GENEVE and VXLAN-GPE protocols. In addition, support was added for Q-in-Q (double VLAN, IEEE 802.1ad) tagging, which encapsulates a customer 802.1Q VLAN tag inside a second, service-provider tag, expanding the number of distinguishable VLANs from 4094 to roughly 16 million (4094 × 4094).
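To make the Q-in-Q point concrete, here is an added example (not Arkime's own capture code) that walks the VLAN tag stack of an Ethernet frame and shows how two 12-bit VIDs combine into one flow key. The MAC addresses, VIDs and payload are constructed; the only assumption beyond the standards is that the pre-standard TPID 0x9100 is also accepted as an outer tag, since some networks still emit it.

```python
import struct

# TPIDs (tag protocol identifiers) that announce a VLAN tag follows.
TPID_8021Q = 0x8100    # IEEE 802.1Q customer tag (also the inner tag in Q-in-Q)
TPID_8021AD = 0x88A8   # IEEE 802.1ad service (outer) tag
TPID_LEGACY = 0x9100   # pre-standard outer TPID, still seen on some networks (assumption: accept it)
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_LEGACY}
ETHERTYPE_IPV4 = 0x0800
MAX_VID = 4094         # VIDs 0 and 4095 are reserved, leaving 4094 usable IDs per tag


def parse_vlan_stack(frame: bytes):
    """Walk the 802.1Q/802.1ad tag stack of an Ethernet frame.

    Returns (vlan_ids, inner_ethertype, payload_offset); vlan_ids is ordered
    outermost first. Raises ValueError if the frame is truncated mid-header,
    which a capture engine must treat as malformed rather than read past.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12                      # skip destination and source MAC
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            return vlan_ids, ethertype, offset
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag control information")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)   # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID


def stacked_vlan_key(vlan_ids):
    """Fold a tag stack into one integer usable as part of a flow key.

    Two tags give 4094 * 4094 (about 16.8 million) distinct combinations,
    which is exactly the address-space gain Q-in-Q provides.
    """
    key = 0
    for vid in vlan_ids:
        key = (key << 12) | vid
    return key


def build_frame(vlan_ids, payload=b"", ethertype=ETHERTYPE_IPV4):
    """Constructed test frame: outer tags use 0x88A8, the innermost uses 0x8100."""
    frame = bytes.fromhex("020000000001" "020000000002")   # constructed dst/src MACs
    for i, vid in enumerate(vlan_ids):
        if not 1 <= vid <= MAX_VID:
            raise ValueError(f"invalid VID {vid}")
        tpid = TPID_8021Q if i == len(vlan_ids) - 1 else TPID_8021AD
        frame += struct.pack("!HH", tpid, vid)              # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for stack in ([], [5], [100, 200]):
        frame = build_frame(stack, b"\x45" + b"\x00" * 19)   # constructed IPv4 stub
        print(stack, parse_vlan_stack(frame), hex(stacked_vlan_key(stack)))
```

A capture engine that stops at the first 0x88A8 tag would attribute the inner 0x8100 tag to the payload and mis-parse every Q-in-Q session; the loop above keeps consuming tags until a non-VLAN EtherType appears.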

Of the other changes that stand out:

  • Added support for a "float" (floating-point) field type.
  • The Amazon EC2 writer now uses IMDSv2 (Instance Metadata Service version 2) when querying EC2 instance metadata, typically to obtain temporary IAM credentials. IMDSv2 requires a session token fetched with a PUT request, which blocks the simple unauthenticated GET that SSRF-based credential theft relies on.
  • Code refactoring to add UDP tunnel support.
  • Added the elasticsearchAPIKey and elasticsearchBasicAuth settings, for authenticating to Elasticsearch with an API key or HTTP basic-auth credentials.
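The IMDSv2 change deserves a worked illustration of why it matters. The following is an added example, not Arkime's writer code: an offline stand-in for the EC2 metadata endpoint that enforces IMDSv2 semantics (token issued only by PUT with a TTL header, every metadata GET must present that token), plus a v1-style and a v2-style client. The role name and the credential JSON are constructed placeholders.

```python
import secrets

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
# Hypothetical instance role name; real paths end in the attached role's name.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/packet-writer-role"
MAX_TTL = 21600   # IMDSv2 caps session tokens at six hours


class FakeIMDS:
    """Offline stand-in for the 169.254.169.254 metadata endpoint.

    require_v2=True models an instance launched with HttpTokens=required:
    unauthenticated (v1-style) GETs are refused with 401.
    """

    def __init__(self, require_v2=True):
        self.require_v2 = require_v2
        self.tokens = set()
        # Constructed placeholder credentials, not real keys.
        self.creds = '{"AccessKeyId": "AKIACONSTRUCTEDEXAMPLE", "SecretAccessKey": "constructed"}'

    def handle(self, method, path, headers=None):
        """Return (status, body) for one request; header names are case-insensitive."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if path == TOKEN_PATH:
            # Token issuance is PUT-only with a mandatory TTL header. A GET-only
            # SSRF primitive that cannot set headers never gets past this point.
            if method != "PUT":
                return 405, ""
            if TTL_HEADER not in headers or not headers[TTL_HEADER].isdigit():
                return 400, ""
            if not 1 <= int(headers[TTL_HEADER]) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(24)
            self.tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        if self.require_v2 and headers.get(TOKEN_HEADER) not in self.tokens:
            return 401, ""          # v1-style request on a v2-only instance
        if path == CREDS_PATH:
            return 200, self.creds
        return 404, ""


def fetch_credentials_v1(transport):
    """IMDSv1 style: a single unauthenticated GET, which is all most SSRF bugs allow."""
    return transport("GET", CREDS_PATH)


def fetch_credentials_v2(transport, ttl_seconds=300):
    """IMDSv2 style: PUT for a session token, then GET with the token header."""
    status, token = transport("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl_seconds)})
    if status != 200:
        return status, ""
    return transport("GET", CREDS_PATH, {TOKEN_HEADER: token})


if __name__ == "__main__":
    imds = FakeIMDS(require_v2=True)
    print("v1 client:", fetch_credentials_v1(imds.handle))   # refused
    print("v2 client:", fetch_credentials_v2(imds.handle))   # succeeds
```

The `transport` callable stands in for an HTTP client so the exchange runs offline; against a real instance the same two requests go to `http://169.254.169.254`. The practical consequence for a packet-capture host is that once IMDSv2 is enforced on the instance, a writer still using v1-style GETs stops getting credentials, so the writer had to move to the token flow.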

Finally, if you are interested in learning more about this new version, you can consult the details at the following link.

Get Arkime

For those interested in obtaining this utility: the traffic capture component is written in C and the interface is implemented in Node.js/JavaScript. The source code is distributed under the Apache 2.0 license. Linux and FreeBSD are supported.

Ready-made packages are available for Arch, CentOS and Ubuntu and can be obtained from the link below.

