Moloch
Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support, or by placing Apache in front as an authenticating proxy. Moloch is not meant to replace IDS engines but instead to work alongside them, storing and indexing all the network traffic in standard PCAP format and providing fast access to it. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic.
Arkime
Large scale, open-source network analysis and packet capture system.
Description
Augments existing security infrastructure by storing and indexing network traffic in standard PCAP format. Provides an intuitive web interface for PCAP browsing, searching, and exporting. Exposes APIs for downloading PCAP data and JSON-formatted session data.
Features
- Stores and exports all packets in standard PCAP format
- Scalable to handle tens of gigabits/second of traffic
- PCAP retention based on available sensor disk space
- Metadata retention based on Elasticsearch cluster scale
Components
- Capture: Threaded C application that monitors network traffic, writes PCAP formatted files to local disk, parses captured packets, and sends metadata to OpenSearch/Elasticsearch.
- Viewer: Node.js web server for interacting with Arkime.
Configuration
Most system configuration is located in the /opt/arkime/etc/config.ini file. Variables are documented on the Settings page.
Security
Access is protected by HTTPS with digest passwords, or by an authenticating web server proxy placed in front of the viewer. PCAP files are stored on the sensors and are accessed only through the Arkime interface or API.
Maintainers
The best way to reach us is on Slack. Request an invitation to join the Arkime Slack workspace here.