Install Arkime (Moloch) Full Packet Capture tool on Ubuntu

Install Arkime (Moloch) Full Packet Capture tool on Ubuntu

Welcome to our tutorial on how to install Arkime (Moloch) Full Packet Capture tool on Ubuntu. Arkime, formerly Moloch “is a large scale, open source, indexed packet capture and search system“.

Using Debian system? then check the guide below;

From Linux Command Line to use spee...
From Linux Command Line to use to test Internet Speed

Install Arkime (Moloch) Full Packet Capture tool on Debian 11

According to its Github repository page, some of the features of Arkime tool include;

  • It stores and indexes network traffic in standard PCAP format, providing fast, indexed access.
  • Provides an intuitive web interface for PCAP browsing, searching, and exporting.
  • Exposes APIs which allow for PCAP data and JSON formatted session data to be downloaded and consumed directly.
  • Stores and exports all packets in standard PCAP format, allowing you to also use your favorite PCAP ingesting tools, such as wireshark, during your analysis workflow.

Install Arkime (Moloch) Full Packet Capture tool on Ubuntu

You can either install Arkime (Moloch) Full Packet Capture tool on Ubuntu using prebuilt binary packages or simply build it from the source yourself.

Installing Arkime using Prebuilt Binary on Ubuntu

Download Arkime Binary Installer

In order to install Arkime using the prebuilt binary on Ubuntu, navigate to the downloads page and grab the binary installer for your Ubuntu flavour, which in my setup is Ubuntu 20.04.

You can as well grab the link to the binary installer and pull it using curl or wget command. For example, the command below downloads the current stable release version of Arkime binary installer for Ubuntu 20.04;


Run System Update

Update your system package cache;

apt update

Install Arkime (Moloch) Full Packet Capture tool on Ubuntu

Next, install Arkime (Moloch) Full Packet Capture tool on Ubuntu using the downloaded binary installer.

apt install ./moloch_3.1.1-1_amd64.deb

If you want, you can as well build Arkime by building it from the source. Check the installation page for instructions.

Install Elasticsearch on Ubuntu

Arkime uses Elasticsearch as a search and indexing engine. Therefore, install Elasticsearch by running the command below;

Import the Elastic stack PGP repository signing Key

wget -qO - --no-check-certificate | sudo apt-key add -

Install Elasticsearch APT repository;

wget -qO - | gpg --dearmor > /etc/apt/trusted.gpg.d/elastic.gpg

Update package cache and install Elasticsearch;

apt update
apt install elasticsearch

Configure Elasticsearch JVM options depending on the size of your memory;

vim /etc/elasticsearch/jvm.options

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space


Save and exit the configuration file.

Configure Arkime (Moloch) on Ubuntu

Configuring Arkime

Once the installation is done, run the script below to configure Arkime (Moloch);

Answer the script prompts accordingly;


Select an interface to monitor;

Found interfaces: lo;enp0s3;enp0s8
Semicolon ';' seperated list of interfaces to monitor [eth1] enp0s8

Choose whether to install Elasticsearch automatically or you want to install manually yourself (We have already installed Elasticsearch, hence choose no).

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no

Set Elasticsearch server URL, localhost:9200 in this setup. Just press Enter to accept the defaults.

Elasticsearch server URL [http://localhost:9200] ENTER

Set encryption password. Be sure to replace the password.

Password to encrypt S2S and other things [no-default] changeme

The configuration of Arkime then runs.

Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes] yes
Moloch - Downloading GEO files

Running Elasticsearch

Start and enable Elasticsearch to run on system boot;

systemctl enable --now elasticsearch

Verify if Elasticsearch is running;

curl http://localhost:9200
  "name" : "ubuntu20",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "bc-twCeeSsSmgjYT6HlkXA",
  "version" : {
    "number" : "7.11.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "ff17057114c2199c9c1bbecc727003a907c0db7a",
    "build_date" : "2021-02-15T13:44:09.394032Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  "tagline" : "You Know, for Search"

Initialize Elasticsearch Moloch configuration

Run the command below to initialize Elasticsearch Arkime/Moloch configuration.

/opt/arkime/db/ http://localhost:9200 init

Create Arkime/Moloch Admin User Account

You can use the /opt/arkime/bin/ script to create Arkime/Moloch user account;

/opt/arkime/bin/ --help
addUser.js []    []

  --admin               Has admin privileges
  --apionly             Can only use api, not web pages
  --email               Can do email searches
  --expression    Forced user expression
  --remove              Can remove data (scrub, delete tags)
  --webauth             Can auth using the web auth header or password
  --webauthonly         Can auth using the web auth header only, password ignored
  --packetSearch        Can create a packet search job (hunt)

Config Options:
  -c       Config file to use
  -n         Node name section to use in config file
  --insecure            Allow insecure HTTPS

Run the command below to create Arkime/Moloch admin user account. Replace the username and password accordingly.

/opt/arkime/bin/ admin "Moloch SuperAdmin" changeme --admin

Running Arkime Services

Arkime is made up of 3 components:

  • capture – A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses the captured packets, and sends metadata (SPI data) to elasticsearch.
  • viewer – A node.js application that runs per capture machine. It handles the web interface and transfer of PCAP files.
  • elasticsearch – The search database technology powering Arkime.

We already started Elasticsearch.

Now start and enable Moloch Capture and viewer services to run on system boot;

systemctl enable --now arkimecapture
systemctl enable --now arkimeviewer

Check the status;

systemctl status arkimecapture
● arkimecapture.service - Arkime Capture
     Loaded: loaded (/etc/systemd/system/arkimecapture.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-11-12 21:02:08 EAT; 27s ago
   Main PID: 4125 (sh)
      Tasks: 2 (limit: 1133)
     Memory: 30.2M
        CPU: 389ms
     CGroup: /system.slice/arkimecapture.service
             ├─4125 /bin/sh -c /opt/arkime/bin/capture -c /opt/arkime/etc/config.ini  >> /opt/arkime/logs/capture.log 2>&1
             └─4126 /opt/arkime/bin/capture -c /opt/arkime/etc/config.ini

Nov 12 21:02:07 debian11 systemd[1]: Starting Arkime Capture...
Nov 12 21:02:08 debian11 systemd[1]: Started Arkime Capture.
systemctl status arkimeviewer
● arkimeviewer.service - Arkime Viewer
     Loaded: loaded (/etc/systemd/system/arkimeviewer.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-11-12 21:02:33 EAT; 48s ago
   Main PID: 4147 (sh)
      Tasks: 8 (limit: 1133)
     Memory: 42.1M
        CPU: 2.457s
     CGroup: /system.slice/arkimeviewer.service
             ├─4147 /bin/sh -c /opt/arkime/bin/node viewer.js -c /opt/arkime/etc/config.ini  >> /opt/arkime/logs/viewer.log 2>&1
             └─4148 /opt/arkime/bin/node viewer.js -c /opt/arkime/etc/config.ini

Nov 12 21:02:33 debian11 systemd[1]: Started Arkime Viewer.

Sometime, when you reboot your system, Elasticsearch may take some time before it starts. This thus affects the start of the Arkime capture and viewer services.

We have made some few updates to both Arkime capture and viewer services such that they only start after Elasticsearch has started. Please note that with this change, you may miss the traffic capture while Elasticsearch starts.

Add these lines to the Arkime capture and viewer service files; elasticsearch.service elasticsearch.service

You can use sed to update these services;

sed -i 's/ elasticsearch.service/' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
sed -i '/After=/a elasticsearch.service' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
systemctl daemon-reload

This will ensure that Arkime capture and viewer will start only after Elasticsearch.

Log Files

You can find Arkime/Moloch logs and Elasticsearch logs on the log files;

Adjusting Arkime/Moloch configurations;

if you ever want to update Arkime/Moloch configs, check the configuration file /opt/arkime/etc/config.ini.

Accessing Arkime/Moloch Web Interface

Moloch is listening on port 8005/tcp by default.

If UFW is running, open this port on it to allow external access.

ufw allow 8005/tcp

You can then access Arkime/Moloch using the URL, http://MOLOCHHOST:8005 with your favorite browser.

Want to enable HTTPS? See this guide.

You will be prompted to enter the basic user authentication credentials you create above.

Install Arkime (Moloch) Full Packet Capture tool on Ubuntu

Upon successful authentication, you land on Arkime Web interface.

arkime moloch web interface
Install Arkime (Moloch) Full Packet Capture tool on Ubuntu

And that is how simple it is to install Arkime (Moloch) Full Packet Capture tool on Ubuntu.


Arkime Installation README.txt

Arkime Demo (Credentials: arkime:arkime)

Arkime Demo

Further Reading

Arkime Settings page

Arkime Faqs


  1. hiii
    while installing it i got an error
    ( systemctl enable –now arkimeviewer )
    error- Failed to enable unit: Unit file /etc/systemd/system/arkimeviewer.service is masked


Please enter your comment!
Please enter your name here