Arkime, previously known as Moloch, is a powerful open-source tool designed for large-scale indexed packet capture and search. It conveniently stores captured packets in the PCAP format, which you can analyze using tools like Wireshark. Arkime features a user-friendly web interface for browsing, searching, and exporting PCAP files. It’s optimized for deployment across multiple systems and can handle gigabits of traffic per second.
In this guide, we’ll cover how to install the Arkime Packet Capture tool on Ubuntu 20.04.
Prerequisites
- An Ubuntu 20.04 server
- Root access configured on the server
Getting Started
First, update your system packages to their latest versions. Execute the following command:
apt-get update -y
Following the update, install necessary dependencies with:
apt-get install gnupg2 curl wget -y
Install Elasticsearch
Arkime relies on Elasticsearch for indexing and searching, so Elasticsearch has to be installed before Arkime. The default Ubuntu repositories don’t carry the current Elasticsearch release, so add the Elastic repository first.
Add the Elastic GPG key with this command (note that --no-check-certificate disables TLS certificate verification for this download):
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch --no-check-certificate | apt-key add -
Then, add the Elasticsearch repository using:
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list
Update the package list and install Elasticsearch with:
apt-get update -y
apt-get install elasticsearch -y
Edit the Elasticsearch JVM options to set the Java heap size:
nano /etc/elasticsearch/jvm.options
Adjust these lines:
-Xms1g
-Xmx1g
Save, exit, and enable Elasticsearch to start on boot:
systemctl enable --now elasticsearch
Verify Elasticsearch is listening on port 9200:
ss -antpl | grep 9200
Validate the Elasticsearch setup:
curl http://localhost:9200
Expected output:
{ "name" : "ubuntu2004", "cluster_name" : "elasticsearch", "cluster_uuid" : "9g2B-tNaQl-rjuV32eCgpg", "version" : { "number" : "7.11.1", "build_flavor" : "default", "build_type" : "deb", "build_hash" : "ff17057114c2199c9c1bbecc727003a907c0db7a", "build_date" : "2021-02-15T13:44:09.394032Z", "build_snapshot" : false, "lucene_version" : "8.7.0", "minimum_wire_compatibility_version" : "6.8.0", "minimum_index_compatibility_version" : "6.0.0-beta1" }, "tagline" : "You Know, for Search" }
Install and Configure Arkime
Download the latest Arkime version:
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/moloch_2.7.1-1_amd64.deb
Install the package with:
apt install ./moloch_2.7.1-1_amd64.deb
Configure Arkime:
/data/moloch/bin/Configure
You’ll be asked which network interface(s) to monitor:
Found interfaces: lo;eth0;eth1
Semicolon ';' separated list of interfaces to monitor [eth1] eth0
Answer the remaining prompts (the answers used in this guide are shown after each prompt) and review the output:
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200]
Password to encrypt S2S and other things [no-default]
Password to encrypt S2S and other things [no-default] mypassword
Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes] yes
9) Visit http://MOLOCHHOST:8005 with your favorite browser.
      user: admin
      password: THEPASSWORD from step #6
If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program. See https://molo.ch/faq#maxmind
Any configuration changes can be made to /data/moloch/etc/config.ini
See https://molo.ch/faq#moloch-is-not-working for issues
Additional information can be found at:
  * https://molo.ch/faq
  * https://molo.ch/settings
Initialize Elasticsearch Arkime Configuration
Initialize the Arkime configuration in Elasticsearch:
/data/moloch/db/db.pl http://localhost:9200 init
Create an admin user for Arkime:
/data/moloch/bin/moloch_add_user.sh admin "Moloch SuperAdmin" mypassword --admin
Start and Manage Arkime Services
Arkime consists of three components: capture, viewer, and Elasticsearch. Elasticsearch is already running, so enable and start the capture and viewer services:
systemctl enable --now molochcapture
systemctl enable --now molochviewer
Verify the status of these services:
systemctl status molochcapture molochviewer
Sample output:
● molochcapture.service - Moloch Capture
     Loaded: loaded (/etc/systemd/system/molochcapture.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-03-01 11:40:08 UTC; 10s ago
   Main PID: 11313 (sh)
      Tasks: 7 (limit: 4691)
     Memory: 206.6M
     CGroup: /system.slice/molochcapture.service
             ├─11313 /bin/sh -c /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini >> /data/moloch/logs/capture.log 2>&1
             └─11315 /data/moloch/bin/moloch-capture -c /data/moloch/etc/config.ini

Mar 01 11:40:08 ubuntu2004 systemd[1]: Starting Moloch Capture...
Mar 01 11:40:08 ubuntu2004 systemd[1]: Started Moloch Capture.

● molochviewer.service - Moloch Viewer
     Loaded: loaded (/etc/systemd/system/molochviewer.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-03-01 11:40:13 UTC; 5s ago
   Main PID: 11361 (sh)
      Tasks: 12 (limit: 4691)
     Memory: 51.9M
     CGroup: /system.slice/molochviewer.service
             ├─11361 /bin/sh -c /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini >> /data/moloch/logs/viewer.log 2>&1
             └─11362 /data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini

Mar 01 11:40:13 ubuntu2004 systemd[1]: Started Moloch Viewer.
Check the viewer log with:
tail -f /data/moloch/logs/viewer.log
Your log should indicate:
Express server listening on port 8005 in development mode
Check the capture log with:
tail -f /data/moloch/logs/capture.log
Expected capture log output:
Mar 1 11:40:49 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 http://localhost:9200/dstats/_doc/ubuntu2004-1209-5 806/154 0ms 51ms
Mar 1 11:40:49 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/_bulk 3737/327 0ms 51ms
Mar 1 11:40:50 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/_bulk 7246/451 0ms 51ms
Mar 1 11:40:51 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/stats/_doc/ubuntu2004?version_type=external&version=22 805/149 0ms 51ms
Mar 1 11:40:53 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/stats/_doc/ubuntu2004?version_type=external&version=23 805/149 0ms 52ms
Mar 1 11:40:54 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 http://localhost:9200/dstats/_doc/ubuntu2004-1210-5 806/154 0ms 51ms
Mar 1 11:40:54 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/_bulk 2830/302 0ms 51ms
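Each capture-log line above records one request that the capture process made to Elasticsearch, and the HTTP status after ASYNC is the fastest indicator of indexing trouble: 2xx means the write was accepted, anything else means sessions are not reaching the index. The script below is an added example, not part of this guide or of Arkime itself. It tallies the status codes in a log excerpt and lists every response that is not 2xx. Its embedded sample is the excerpt shown above plus one constructed 429 line standing in for a rejected bulk write; the log path in the final comment is the one this guide uses.

```shell
#!/bin/sh
# Triage the Elasticsearch responses recorded in Arkime's capture log.
# Added example, not part of the guide or of Arkime itself.
# Matching log lines look like (see the excerpt in the guide):
#   <date> http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 <url> 806/154 0ms 51ms
# The HTTP status is the field right after "ASYNC".

# es_status_counts LOGTEXT: print "<status> <count>" for every status seen.
es_status_counts() {
  printf '%s\n' "$1" | awk '
    /moloch_http_curlm_check_multi_info/ {
      for (i = 1; i < NF; i++) if ($i == "ASYNC") { counts[$(i + 1)]++; break }
    }
    END { for (s in counts) print s, counts[s] }' | sort
}

# es_failures LOGTEXT: print the lines whose status is present and not 2xx.
es_failures() {
  printf '%s\n' "$1" | awk '
    /moloch_http_curlm_check_multi_info/ {
      st = ""
      for (i = 1; i < NF; i++) if ($i == "ASYNC") { st = $(i + 1); break }
      if (st != "" && st !~ /^2[0-9][0-9]$/) print
    }'
}

# es_failure_count LOGTEXT: number of non-2xx responses, usable as an alert threshold.
es_failure_count() {
  es_failures "$1" | awk 'END { print NR }'
}

# Constructed sample: the seven lines from the guide's excerpt plus one made-up
# 429 line standing in for a bulk write that Elasticsearch rejected.
SAMPLE_LOG='Mar 1 11:40:49 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 http://localhost:9200/dstats/_doc/ubuntu2004-1209-5 806/154 0ms 51ms
Mar 1 11:40:49 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/_bulk 3737/327 0ms 51ms
Mar 1 11:40:50 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/_bulk 7246/451 0ms 51ms
Mar 1 11:40:51 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/stats/_doc/ubuntu2004?version_type=external&version=22 805/149 0ms 51ms
Mar 1 11:40:53 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/stats/_doc/ubuntu2004?version_type=external&version=23 805/149 0ms 52ms
Mar 1 11:40:54 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 http://localhost:9200/dstats/_doc/ubuntu2004-1210-5 806/154 0ms 51ms
Mar 1 11:40:54 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 200 http://localhost:9200/_bulk 2830/302 0ms 51ms
Mar 1 11:40:55 http.c:382 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 429 http://localhost:9200/_bulk 2830/512 0ms 60ms'

echo "Elasticsearch responses by status:"
es_status_counts "$SAMPLE_LOG"
echo "Non-2xx responses: $(es_failure_count "$SAMPLE_LOG")"
es_failures "$SAMPLE_LOG"
# On the host itself: es_failures "$(tail -n 1000 /data/moloch/logs/capture.log)"
```

Run against a tail of the real capture log, a non-zero failure count is worth alerting on: a burst of 429 or 5xx responses means Elasticsearch is rejecting or failing writes while capture continues, so sessions are being lost from the index even though the service still reports active.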
Access Arkime Web Interface
The Arkime viewer listens on port 8005; confirm this with:
ss -antpl | grep 8005
Expected output:
LISTEN 0 511 *:8005 *:* users:(("node",pid=11362,fd=20))
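The checks this guide performs by hand (curl against port 9200, ss for the listening sockets, systemctl for the units) can be combined into one post-install health check. The script below is an added example, not part of the guide or of Arkime itself. Its parsing functions work on the command output shown above; the embedded sample output is constructed from those listings (the java and sshd process ids are made up), and the live checks run only when the script is invoked with --live on the Arkime host.

```shell
#!/bin/sh
# Post-install health check for the Arkime + Elasticsearch setup from this guide.
# Added example, not part of the guide or of Arkime itself.

# es_version JSON: print the version "number" from Elasticsearch's root response.
es_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# port_listening SS_OUTPUT PORT: succeed if `ss -antpl` output shows a LISTEN
# socket on PORT. The local address is column 4 (*:8005, 0.0.0.0:9200, [::]:9200).
port_listening() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] == port) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# check_live: run the real checks on the host (needs curl, ss and systemctl).
check_live() {
  es_json=$(curl -s http://localhost:9200) || { echo "Elasticsearch not reachable on 9200"; return 1; }
  echo "Elasticsearch version: $(es_version "$es_json")"
  ss_out=$(ss -antpl)
  for p in 9200 8005; do
    if port_listening "$ss_out" "$p"; then
      echo "port $p: listening"
    else
      echo "port $p: NOT listening"
    fi
  done
  for u in elasticsearch molochcapture molochviewer; do
    echo "$u: $(systemctl is-active "$u")"
  done
}

# Constructed sample output, taken from the listings in this guide (the java and
# sshd process ids are made up) so the parsers can be exercised without a live host.
SAMPLE_ES='{ "name" : "ubuntu2004", "version" : { "number" : "7.11.1" }, "tagline" : "You Know, for Search" }'
SAMPLE_SS='LISTEN 0 511 *:8005 *:* users:(("node",pid=11362,fd=20))
LISTEN 0 4096 [::ffff:127.0.0.1]:9200 [::]:* users:(("java",pid=10000,fd=300))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

if [ "${1:-}" = "--live" ]; then
  check_live
else
  echo "sample: Elasticsearch version $(es_version "$SAMPLE_ES")"
  for p in 9200 8005 8006; do
    if port_listening "$SAMPLE_SS" "$p"; then
      echo "sample: port $p listening"
    else
      echo "sample: port $p not listening"
    fi
  done
fi
```

Invoked as sh arkime-check.sh --live on the server, it reports the Elasticsearch version, whether 9200 and 8005 are listening, and the systemd state of the three units; without the flag it only exercises the parsers on the embedded sample output.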
To access the Arkime web interface, open your browser and navigate to http://your-server-ip:8005. Log in with the admin username and password created earlier to reach the Arkime dashboard.
Conclusion
Congratulations! You’ve successfully installed and configured the Arkime packet capture tool on your Ubuntu 20.04 server. Explore Arkime’s functionalities and start capturing packets. For questions or further clarification, feel free to reach out.
FAQ
- What is Arkime?
  Arkime is an open-source, large-scale solution for indexed packet capture and search, storing data in PCAP format for later analysis.
- Why do I need Elasticsearch with Arkime?
  Elasticsearch indexes the captured packet data and serves the searches, so retrieval stays efficient at scale.
- Which Ubuntu version is this guide compatible with?
  This installation guide is specifically for Ubuntu 20.04.
- How can I access the Arkime web interface?
  Navigate to http://your-server-ip:8005 in your web browser and log in with the admin credentials.
- Is there any specific hardware requirement?
  For demonstration purposes, an Elasticsearch server with at least 3G of memory is required; production environments may require more.