Welcome to our tutorial on how to install Arkime (Moloch) Full Packet Capture tool on Ubuntu. Arkime, formerly Moloch “is a large scale, open source, indexed packet capture and search system“.
Using a Debian system? Then check the guide below:
Install Arkime (Moloch) Full Packet Capture tool on Debian 11
According to its GitHub repository page, some of the features of Arkime include:
- It stores and indexes network traffic in standard PCAP format, providing fast, indexed access.
- Provides an intuitive web interface for PCAP browsing, searching, and exporting.
- Exposes APIs which allow for PCAP data and JSON formatted session data to be downloaded and consumed directly.
- Stores and exports all packets in standard PCAP format, allowing you to also use your favorite PCAP ingesting tools, such as Wireshark, during your analysis workflow.
Install Arkime (Moloch) Full Packet Capture tool on Ubuntu
You can either install Arkime (Moloch) Full Packet Capture tool on Ubuntu using the prebuilt binary packages or build it from source yourself.
Installing Arkime using Prebuilt Binary on Ubuntu
Download Arkime Binary Installer
In order to install Arkime using the prebuilt binary on Ubuntu, navigate to the downloads page and grab the binary installer for your Ubuntu flavour, which in my setup is Ubuntu 20.04.
You can as well grab the link to the binary installer and pull it using the curl or wget command. For example, the command below downloads the current stable release of the Arkime binary installer for Ubuntu 20.04;
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/moloch_3.1.1-1_amd64.deb
Run System Update
Update your system package cache;
apt update
Install Arkime (Moloch) Full Packet Capture tool on Ubuntu
Next, install Arkime (Moloch) Full Packet Capture tool on Ubuntu using the downloaded binary installer.
apt install ./moloch_3.1.1-1_amd64.deb
If you prefer, you can also build Arkime from source. Check the installation page for instructions.
Install Elasticsearch on Ubuntu
Arkime uses Elasticsearch as its search and indexing engine. Therefore, install Elasticsearch as follows;
Import the Elastic stack PGP repository signing key (fetch it over verified TLS; never disable certificate checking when downloading a trust anchor);
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
On Ubuntu releases where apt-key is deprecated, import the key into the trusted keyring directory instead (the Elasticsearch APT repository itself must also be registered before the install step below);
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/trusted.gpg.d/elastic.gpg
Update package cache and install Elasticsearch;
apt update
apt install elasticsearch
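The guide above imports the signing key but does not show the repository definition that apt needs. The following is an added example, not from the Elastic or Arkime documentation: it writes the Elasticsearch APT source the way current Ubuntu releases expect (a per-repository keyring referenced via signed-by rather than the deprecated apt-key) and audits the result. It assumes the keyring has already been produced with wget and gpg --dearmor over verified TLS into /etc/apt/keyrings/elastic.gpg, and that the 7.x repository URL matches the 7.11.1 release this guide installs.

```shell
#!/bin/sh
# Added example, not from the Elastic or Arkime documentation: register the
# Elasticsearch APT repository with a per-repository keyring (signed-by) and
# audit sources files for weak entries. Assumes the keyring was produced by
#   wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor > /etc/apt/keyrings/elastic.gpg
# over verified TLS (never with --no-check-certificate), and that the 7.x
# repository matches the 7.11.1 release shown later in this guide.

ELASTIC_REPO_URL="https://artifacts.elastic.co/packages/7.x/apt"

# Write <sources dir>/elastic-7.x.list pinned to the given keyring; prints the path.
write_elastic_source() {   # $1 = keyring path, $2 = sources.list.d directory
    mkdir -p "$2"
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$ELASTIC_REPO_URL" > "$2/elastic-7.x.list"
    echo "$2/elastic-7.x.list"
}

# Return 0 when every non-comment line of a sources file names a keyring via
# signed-by and uses https; otherwise report the offending line(s) and return 1.
audit_apt_source() {   # $1 = sources file
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *'signed-by='*'https://'*) ;;     # pinned key and TLS transport
            *) echo "weak source entry: $line" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Stand-alone demo against a scratch directory (constructed, not the live system).
demo=$(mktemp -d)
f=$(write_elastic_source /etc/apt/keyrings/elastic.gpg "$demo")
audit_apt_source "$f" && echo "OK: $(cat "$f")"
# On the real host:
#   write_elastic_source /etc/apt/keyrings/elastic.gpg /etc/apt/sources.list.d && apt update && apt install elasticsearch
```

With signed-by, the Elastic key can only sign packages from this one repository, instead of being trusted for every source on the system as apt-key add does; audit_apt_source is the check to run over any sources.list.d entry copied from a tutorial.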
Configure the Elasticsearch JVM heap size according to the memory available on your system;
vim /etc/elasticsearch/jvm.options
...
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m
...
Save and exit the configuration file.
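Before starting the service it is worth checking that the heap lines are consistent with the host. The script below is an added example, not part of this guide or of Elasticsearch: it parses a jvm.options-style file and applies the two heap rules Elastic documents, -Xms equal to -Xmx and the heap no larger than half of the host's RAM. The file path and RAM figure are passed in, so the demo runs on a constructed file.

```shell
#!/bin/sh
# Added example, not part of this guide or of Elasticsearch: validate the heap
# lines in a jvm.options-style file before starting the service. Checks the two
# rules Elastic documents for the heap: -Xms and -Xmx equal, and at most half of
# the host's RAM (the rest is left to the OS page cache, which Lucene relies on).

# Convert a JVM size (512m, 4g, 2048k, or plain bytes) to whole megabytes.
jvm_size_to_mb() {
    num=$(printf '%s' "$1" | sed 's/[^0-9]*$//')
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//' | tr 'A-Z' 'a-z')
    case "$unit" in
        g)  echo $((num * 1024)) ;;
        m)  echo "$num" ;;
        k)  echo $((num / 1024)) ;;
        '') echo $((num / 1024 / 1024)) ;;
        *)  echo "unknown JVM size unit: $unit" >&2; return 1 ;;
    esac
}

# Print the effective -Xms or -Xmx value from a file; the last uncommented line wins.
jvm_opt() {   # $1 = jvm.options path, $2 = Xms or Xmx
    grep -E "^-$2[0-9]+[kKmMgG]?$" "$1" | tail -n 1 | sed "s/^-$2//"
}

# Return 0 when the heap is consistent with the host size, 1 (with a reason) otherwise.
check_es_heap() {   # $1 = jvm.options path, $2 = total RAM of the host in MB
    xms=$(jvm_opt "$1" Xms)
    xmx=$(jvm_opt "$1" Xmx)
    if [ -z "$xms" ] || [ -z "$xmx" ]; then
        echo "both -Xms and -Xmx must be set in $1" >&2; return 1
    fi
    xms_mb=$(jvm_size_to_mb "$xms") || return 1
    xmx_mb=$(jvm_size_to_mb "$xmx") || return 1
    if [ "$xms_mb" -ne "$xmx_mb" ]; then
        echo "-Xms$xms and -Xmx$xmx differ; set them equal so the heap is never resized" >&2; return 1
    fi
    if [ "$xmx_mb" -gt $(( $2 / 2 )) ]; then
        echo "heap of ${xmx_mb}m exceeds half of the ${2}m available; leave memory for the page cache" >&2; return 1
    fi
    return 0
}

# Stand-alone demo on a constructed file (the 512m setting this guide uses, on a 2 GB host).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample jvm.options' '-Xms512m' '-Xmx512m' > "$demo/jvm.options"
if check_es_heap "$demo/jvm.options" 2048; then
    echo "heap settings OK"
fi
# On a real host:
#   check_es_heap /etc/elasticsearch/jvm.options "$(awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo)"
```

The 512m value in the guide is fine for a small lab box; on a capture node that also runs Arkime capture, remember that the Arkime processes and the kernel's packet buffers need their own share of memory beyond the half left for the page cache.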
Configure Arkime (Moloch) on Ubuntu
Configuring Arkime
Once the installation is done, run the script below to configure Arkime (Moloch) and answer its prompts as described;
/opt/arkime/bin/Configure
Select an interface to monitor;
Found interfaces: lo;enp0s3;enp0s8 Semicolon ';' seperated list of interfaces to monitor [eth1] enp0s8
Choose whether the script should install a local demo Elasticsearch or whether you will use one you installed yourself (we already installed Elasticsearch above, so answer no).
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Set the Elasticsearch server URL, http://localhost:9200 in this setup. Just press Enter to accept the default.
Elasticsearch server URL [http://localhost:9200] ENTER
Set the password used to encrypt S2S communication and other secrets. Be sure to replace the example value shown below with a strong password of your own.
Password to encrypt S2S and other things [no-default] changeme
The configuration of Arkime then runs; answer the final prompt about downloading the GEO files (yes in this setup).
...
Moloch - Creating configuration files
Installing systemd start files, use systemctl
Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days
Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited
Download GEO files? (yes or no) [yes] yes
Moloch - Downloading GEO files
...
Running Elasticsearch
Start and enable Elasticsearch to run on system boot;
systemctl enable --now elasticsearch
Verify that Elasticsearch is running;
curl http://localhost:9200
{
  "name" : "ubuntu20",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "bc-twCeeSsSmgjYT6HlkXA",
  "version" : {
    "number" : "7.11.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "ff17057114c2199c9c1bbecc727003a907c0db7a",
    "build_date" : "2021-02-15T13:44:09.394032Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
Initialize Elasticsearch Moloch configuration
Run the command below to initialize the Arkime/Moloch indices in Elasticsearch.
/opt/arkime/db/db.pl http://localhost:9200 init
Create Arkime/Moloch Admin User Account
You can use the /opt/arkime/bin/moloch_add_user.sh script to create Arkime/Moloch user accounts;
/opt/arkime/bin/moloch_add_user.sh --help
addUser.js [] [ ]
Options:
  --admin          Has admin privileges
  --apionly        Can only use api, not web pages
  --email          Can do email searches
  --expression     Forced user expression
  --remove         Can remove data (scrub, delete tags)
  --webauth        Can auth using the web auth header or password
  --webauthonly    Can auth using the web auth header only, password ignored
  --packetSearch   Can create a packet search job (hunt)
Config Options:
  -c               Config file to use
  -n               Node name section to use in config file
  --insecure       Allow insecure HTTPS
Run the command below to create the Arkime/Moloch admin user account. Replace the username and password accordingly.
/opt/arkime/bin/arkime_add_user.sh admin "Moloch SuperAdmin" changeme --admin
Running Arkime Services
Arkime is made up of 3 components:
- capture – A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses the captured packets, and sends metadata (SPI data) to Elasticsearch.
- viewer – A node.js application that runs per capture machine. It handles the web interface and the transfer of PCAP files.
- elasticsearch – The search database technology powering Arkime.
We already started Elasticsearch.
Now start and enable the Arkime capture and viewer services to run on system boot;
systemctl enable --now arkimecapture
systemctl enable --now arkimeviewer
Check the status;
systemctl status arkimecapture
● arkimecapture.service - Arkime Capture
     Loaded: loaded (/etc/systemd/system/arkimecapture.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-11-12 21:02:08 EAT; 27s ago
   Main PID: 4125 (sh)
      Tasks: 2 (limit: 1133)
     Memory: 30.2M
        CPU: 389ms
     CGroup: /system.slice/arkimecapture.service
             ├─4125 /bin/sh -c /opt/arkime/bin/capture -c /opt/arkime/etc/config.ini >> /opt/arkime/logs/capture.log 2>&1
             └─4126 /opt/arkime/bin/capture -c /opt/arkime/etc/config.ini

Nov 12 21:02:07 debian11 systemd[1]: Starting Arkime Capture...
Nov 12 21:02:08 debian11 systemd[1]: Started Arkime Capture.
systemctl status arkimeviewer
● arkimeviewer.service - Arkime Viewer
     Loaded: loaded (/etc/systemd/system/arkimeviewer.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-11-12 21:02:33 EAT; 48s ago
   Main PID: 4147 (sh)
      Tasks: 8 (limit: 1133)
     Memory: 42.1M
        CPU: 2.457s
     CGroup: /system.slice/arkimeviewer.service
             ├─4147 /bin/sh -c /opt/arkime/bin/node viewer.js -c /opt/arkime/etc/config.ini >> /opt/arkime/logs/viewer.log 2>&1
             └─4148 /opt/arkime/bin/node viewer.js -c /opt/arkime/etc/config.ini

Nov 12 21:02:33 debian11 systemd[1]: Started Arkime Viewer.
Sometimes, when you reboot your system, Elasticsearch takes a while to start, which in turn affects the start of the Arkime capture and viewer services.
We therefore make a small change to both the Arkime capture and viewer services so that they start only after Elasticsearch has started. Note that with this change you will miss any traffic that passes while Elasticsearch is still starting.
Add these lines to the Arkime capture and viewer service files;
After=network.target elasticsearch.service
Requires=network.target elasticsearch.service
You can use sed to update these services;
sed -i 's/network.target/network.target elasticsearch.service/' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
sed -i '/After=/a Requires=network.target elasticsearch.service' /etc/systemd/system/arkimecapture.service /etc/systemd/system/arkimeviewer.service
systemctl daemon-reload
This will ensure that Arkime capture and viewer will start only after Elasticsearch.
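The same ordering can be expressed as a systemd drop-in instead of editing the generated unit files in place. The script below is an added example, not part of this guide or of the Arkime project: it writes a drop-in for each unit and checks the result. It assumes the unit names arkimecapture.service and arkimeviewer.service installed by the Configure script, and takes the unit directory as an argument (/etc/systemd/system on a real host; a scratch directory in the demo). Unlike the sed commands above, which append a further Requires= line each time they are run, writing the drop-in whole is idempotent.

```shell
#!/bin/sh
# Added example, not part of this guide or of the Arkime project: give the
# Arkime units their "start after Elasticsearch" ordering through a systemd
# drop-in rather than by editing the generated unit files with sed.
# Assumptions: the units are named arkimecapture.service and
# arkimeviewer.service (as installed by /opt/arkime/bin/Configure) and live in
# the unit directory passed as the first argument (/etc/systemd/system on a
# real host; a scratch directory below).

DROPIN_NAME="10-elasticsearch.conf"

# Create <unit dir>/<unit>.d/10-elasticsearch.conf; prints the file path.
# The file is rewritten whole, so running this twice leaves exactly one copy
# of each directive (the sed -i '/After=/a ...' approach appends on every run).
write_es_dropin() {   # $1 = unit dir, $2 = unit name
    d="$1/$2.d"
    mkdir -p "$d"
    printf '%s\n' '[Unit]' \
        'After=network.target elasticsearch.service' \
        'Requires=network.target elasticsearch.service' > "$d/$DROPIN_NAME"
    echo "$d/$DROPIN_NAME"
}

# Return 0 when the unit has a drop-in that orders it after, and requires, elasticsearch.service.
dropin_orders_after_es() {   # $1 = unit dir, $2 = unit name
    f="$1/$2.d/$DROPIN_NAME"
    [ -f "$f" ] \
        && grep -q '^After=.*elasticsearch\.service' "$f" \
        && grep -q '^Requires=.*elasticsearch\.service' "$f"
}

# Count Requires= lines across a unit's drop-ins (1 is expected; 2 or more means duplicates).
count_requires() {   # $1 = unit dir, $2 = unit name
    cat "$1/$2.d"/*.conf 2>/dev/null | grep -c '^Requires='
}

# Stand-alone demo against a scratch directory, not the live system.
demo=$(mktemp -d)
for unit in arkimecapture.service arkimeviewer.service; do
    write_es_dropin "$demo" "$unit" >/dev/null
    write_es_dropin "$demo" "$unit" >/dev/null   # repeat run must be harmless
    if dropin_orders_after_es "$demo" "$unit"; then
        echo "$unit: ordered after elasticsearch.service, $(count_requires "$demo" "$unit") Requires= line"
    fi
done
# On the real host the same calls target /etc/systemd/system, followed by:
#   systemctl daemon-reload && systemctl restart arkimecapture arkimeviewer
```

Keep in mind what Requires= means: if elasticsearch.service is stopped or fails to start, systemd also stops the Arkime units that require it, so a planned Elasticsearch restart becomes a capture gap as well. After= alone only orders the start-up; it is the combination with Requires= that ties the two lifecycles together, which is the trade-off the guide describes.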
Log Files
You can find the Arkime/Moloch logs and the Elasticsearch logs in the following log files;
/opt/arkime/logs/viewer.log
/opt/arkime/logs/capture.log
/var/log/elasticsearch/*
Adjusting Arkime/Moloch configurations
If you ever want to update the Arkime/Moloch configuration, edit the configuration file /opt/arkime/etc/config.ini.
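One setting worth re-checking in config.ini before exposing the viewer is the secret entered at the "Password to encrypt S2S and other things" prompt, which this guide set to changeme. The script below is an added example, not Arkime's own tooling: it reads key=value settings from an INI file and refuses a placeholder or short passwordSecret, replacing it with a random value. It assumes that config.ini is plain INI with a [default] section and that the prompt's value is stored under the key passwordSecret and the viewer port under viewPort; confirm both key names against your installed version.

```shell
#!/bin/sh
# Added example, not Arkime's own tooling: read settings from config.ini and
# refuse a placeholder passwordSecret before the viewer goes live.
# Assumptions: config.ini is plain INI ("key=value" under a section such as
# [default]) and the Configure prompt "Password to encrypt S2S and other things"
# is stored under the key passwordSecret, with the viewer port under viewPort.
# Treat both key names as assumptions to confirm against your installed version.

# Print the value of key $3 in section $2 of INI file $1 (first match; empty if absent).
ini_get() {
    awk -v section="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 == section); next }
        insec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Return 0 when passwordSecret is set, not a well-known placeholder, and at least 16 characters.
check_password_secret() {   # $1 = config.ini path
    secret=$(ini_get "$1" default passwordSecret)
    case "$secret" in
        ''|changeme|password|secret|no-default)
            echo "passwordSecret is unset or a placeholder; generate a random value" >&2
            return 1 ;;
    esac
    if [ "${#secret}" -lt 16 ]; then
        echo "passwordSecret is shorter than 16 characters" >&2
        return 1
    fi
    return 0
}

# Produce a 32-character random value from the kernel CSPRNG (base64, no newline).
new_secret() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Replace the passwordSecret line via a temp file (portable across sed versions).
set_password_secret() {   # $1 = config.ini path, $2 = new value
    tmp="$1.tmp.$$"
    sed "s|^passwordSecret=.*|passwordSecret=$2|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo on a constructed config.ini (not the live /opt/arkime/etc/config.ini).
demo=$(mktemp -d)
printf '%s\n' '[default]' 'elasticsearch=http://localhost:9200' \
    'passwordSecret=changeme' 'viewPort=8005' > "$demo/config.ini"
check_password_secret "$demo/config.ini" || {
    set_password_secret "$demo/config.ini" "$(new_secret)"
    check_password_secret "$demo/config.ini" \
        && echo "placeholder replaced; viewer port $(ini_get "$demo/config.ini" default viewPort)"
}
```

Change the secret before the viewer is reachable from other hosts, and restart the capture and viewer services afterwards so both read the new value; the file should stay readable only by the account the services run as.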
Accessing Arkime/Moloch Web Interface
The Arkime/Moloch viewer listens on port 8005/tcp by default.
If UFW is running, open this port on it to allow external access.
ufw allow 8005/tcp
You can then access Arkime/Moloch with your favorite browser using the URL http://MOLOCHHOST:8005.
Want to enable HTTPS? See this guide.
You will be prompted to enter the basic authentication credentials of the user you created above.
Upon successful authentication, you land on the Arkime web interface.
And that is how simple it is to install Arkime (Moloch) Full Packet Capture tool on Ubuntu.
Reference
Arkime Installation README.txt
Arkime Demo (Credentials: arkime:arkime)
Do you have instructions on how to set up a cert so it's using SSL to hit https://MOLOCHHOST:8005 vs http?
Hi Kevin,
Please refer here.