How to Install Arkime Moloch Packet Capture Tool on Ubuntu 22.04
Arkime is a free, open-source, large-scale indexed packet capture and search tool that stores and indexes network traffic in PCAP format. Formerly known as Moloch, it is designed to be deployed across multiple clustered systems so that it can scale to handle multiple gigabits per second of traffic. Arkime has a built-in web interface for browsing, searching, and exporting PCAP, and the stored PCAP can also be handed to other PCAP-ingesting tools in your workflow.
This tutorial will show you how to install the Arkime Packet Capture tool on Ubuntu 22.04.
Prerequisites
- A server running Ubuntu 22.04.
- A root password is configured on the server.
Getting Started
Before starting, you will need to update your system packages to the latest version. You can update them with the following command:
apt-get update -y
Once all the packages are updated, install the required dependencies using the following command:
apt-get install gnupg2 curl wget -y
Next, you also need the libssl and libffi libraries that the Arkime package used below depends on. Download and install both, and link them into /usr/local/lib, with the following commands. Note that these two packages come from the Ubuntu 20.04 archive rather than the 22.04 repositories, so apt will not update them on this system:
wget http://es.archive.ubuntu.com/ubuntu/pool/main/libf/libffi/libffi7_3.3-4_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2_amd64.deb
dpkg -i libffi7_3.3-4_amd64.deb
dpkg -i libssl1.1_1.1.1f-1ubuntu2_amd64.deb
ln -s /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/local/lib/
ln -s /usr/lib/x86_64-linux-gnu/libffi.so.7 /usr/local/lib/
Once all the packages are installed, you can proceed to the next step.
Install Elasticsearch
Arkime uses Elasticsearch for indexing and searching, so Elasticsearch must be installed on your system. The latest version of Elasticsearch is not included in the default Ubuntu repository, so you will need to add the Elasticsearch repository first.
First, download the Elasticsearch signing key and store it in a dedicated keyring with the following command (fetch the key over a verified TLS connection, since it is what authenticates every package installed from this repository; apt-key is deprecated on Ubuntu 22.04, so a keyring file is used instead):
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
Next, add the Elasticsearch repository to APT, referencing that keyring, with the following command:
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Next, update the repository and install the Elasticsearch package with the following command:
apt-get update -y
apt-get install elasticsearch -y
Once Elasticsearch is installed, edit the Elasticsearch JVM options file and set the Java heap size:
nano /etc/elasticsearch/jvm.options
Change the heap size lines (-Xms and -Xmx) to:
-Xms500m
-Xmx500m
Save and close the file, then start the Elasticsearch service and enable it to start at system reboot with the following command:
systemctl enable --now elasticsearch
By default, Elasticsearch listens on port 9200, bound to localhost only. You can check it with the following command:
ss -antpl | grep 9200
You should get the following output:
LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:* users:(("java",pid=30581,fd=291))
LISTEN 0 4096 [::1]:9200 [::]:* users:(("java",pid=30581,fd=290))
The output shows Elasticsearch bound only to 127.0.0.1 and ::1; keep it that way unless you secure it, since a default 7.x installation accepts requests without authentication. You can also check Elasticsearch with the following command:
curl http://localhost:9200
You should get the following output:
{
  "name" : "ubuntu2204",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "6QiUfVa4Q9G8lxHjuVLjUQ",
  "version" : {
    "number" : "7.17.5",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "8d61b4f7ddf931f219e3745f295ed2bbc50c8e84",
    "build_date" : "2022-06-23T21:57:28.736740635Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
At this point, Elasticsearch is installed and running. You can now proceed to the next step.
Install and Configure Arkime
First, download the latest version of Arkime with the following command:
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.2-1_amd64.deb
Once the package is downloaded, install the downloaded package with the following command:
apt install ./arkime_3.4.2-1_amd64.deb
Once Arkime is installed, run the following command to configure it:
/opt/arkime/bin/Configure
You will be asked to specify the network interface as shown below:
Found interfaces: lo;eth0;eth1
Semicolon ';' seperated list of interfaces to monitor [eth1] eth0
Type your network interface name and press Enter to continue. The script then asks whether to install a demo Elasticsearch locally (answer no, since you installed it yourself), for the Elasticsearch URL, for a password used to encrypt S2S traffic and other secrets (choose a strong one, not the placeholder shown), and whether to download GEO files. Once the configuration is finished, the full exchange looks like this:
Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] no
Elasticsearch server URL [http://localhost:9200]
Password to encrypt S2S and other things, don't use spaces [no-default] password
Arkime - Creating configuration files
Installing systemd start files, use systemctl
Arkime - Installing /etc/logrotate.d/arkime to rotate files after 7 days
Arkime - Installing /etc/security/limits.d/99-arkime.conf to make core and memlock unlimited
Download GEO files? You'll need a MaxMind account https://arkime.com/faq#maxmind (yes or no) [yes] no
Arkime - NOT downloading GEO files
Arkime - Configured - Now continue with step 4 in /opt/arkime/README.txt

4) The Configure script can install elasticsearch for you or you can install yourself
   systemctl start elasticsearch.service
5) Initialize/Upgrade Elasticsearch Arkime configuration
  a) If this is the first install, or want to delete all data
     /opt/arkime/db/db.pl http://ESHOST:9200 init
  b) If this is an update to a moloch/arkime package
     /opt/arkime/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init
   /opt/arkime/bin/arkime_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
   systemctl start arkimecapture.service
   systemctl start arkimeviewer.service
8) Look at log files for errors
   /opt/arkime/logs/viewer.log
   /opt/arkime/logs/capture.log
9) Visit http://arkimeHOST:8005 with your favorite browser.
   user: admin
   password: THEPASSWORD from step #6

If you want IP -> Geo/ASN to work, you need to setup a maxmind account and the geoipupdate program. See https://arkime.com/faq#maxmind

Any configuration changes can be made to /opt/arkime/etc/config.ini
See https://arkime.com/faq#moloch-is-not-working for issues

Additional information can be found at:
  * https://arkime.com/faq
  * https://arkime.com/settings
Once you are finished, you can proceed to the next step.
Initialize Elasticsearch Arkime configuration
Next, you will need to initialize the Elasticsearch Arkime configuration. You can do it with the following command:
/opt/arkime/db/db.pl http://localhost:9200 init
Next, create an admin user account for Arkime with the following command, replacing password with a strong password of your own:
/opt/arkime/bin/arkime_add_user.sh admin "Moloch SuperAdmin" password --admin
Next, update the Geo database using the following command:
/opt/arkime/bin/arkime_update_geo.sh
Once you are finished, you can proceed to the next step.
Start and Manage Arkime Services
Arkime is made up of three components: capture, viewer, and Elasticsearch. Elasticsearch is already running, so the remaining two services need to be started.
You can start the arkimecapture and arkimeviewer services and enable them to start at system reboot with the following commands:
systemctl enable --now arkimecapture
systemctl enable --now arkimeviewer
You can now check the status of both services with the following command:
systemctl status arkimecapture arkimeviewer
You should get the following output:
● arkimecapture.service - Arkime Capture
     Loaded: loaded (/etc/systemd/system/arkimecapture.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-08-15 03:55:10 UTC; 1min 0s ago
    Process: 33704 ExecStartPre=/opt/arkime/bin/arkime_config_interfaces.sh -c /opt/arkime/etc/config.ini -n default (code=exited, status=0/S>
   Main PID: 33724 (sh)
      Tasks: 7 (limit: 2242)
     Memory: 213.2M
        CPU: 806ms
     CGroup: /system.slice/arkimecapture.service
             ├─33724 /bin/sh -c "/opt/arkime/bin/capture -c /opt/arkime/etc/config.ini >> /opt/arkime/logs/capture.log 2>&1"
             └─33725 /opt/arkime/bin/capture -c /opt/arkime/etc/config.ini

Aug 15 03:55:09 ubuntu2204 systemd[1]: Starting Arkime Capture...
Aug 15 03:55:10 ubuntu2204 systemd[1]: Started Arkime Capture.

● arkimeviewer.service - Arkime Viewer
     Loaded: loaded (/etc/systemd/system/arkimeviewer.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-08-15 03:08:39 UTC; 47min ago
   Main PID: 31759 (sh)
      Tasks: 12 (limit: 2242)
     Memory: 56.7M
        CPU: 2.127s
     CGroup: /system.slice/arkimeviewer.service
             ├─31759 /bin/sh -c "/opt/arkime/bin/node viewer.js -c /opt/arkime/etc/config.ini >> /opt/arkime/logs/viewer.log 2>&1"
             └─31760 /opt/arkime/bin/node viewer.js -c /opt/arkime/etc/config.ini

Aug 15 03:08:39 ubuntu2204 systemd[1]: Started Arkime Viewer.
You can check the viewer log with the following command:
tail -f /opt/arkime/logs/viewer.log
You can now check the capture log with the following command:
tail -f /opt/arkime/logs/capture.log
You should see the following output:
Aug 15 03:57:20 http.c:389 moloch_http_curlm_check_multi_info(): 2/3 ASYNC 201 http://localhost:9200/arkime_dstats/_doc/ubuntu2204-1408-5 804/159 0ms 20ms
Aug 15 03:57:20 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/arkime_stats/_doc/ubuntu2204?version_type=external&version=66 798/157 0ms 24ms
Aug 15 03:57:22 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/_bulk 715/221 0ms 10ms
Aug 15 03:57:22 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/arkime_stats/_doc/ubuntu2204?version_type=external&version=67 805/158 0ms 12ms
Aug 15 03:57:24 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/_bulk 1471/253 0ms 24ms
Aug 15 03:57:24 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/arkime_stats/_doc/ubuntu2204?version_type=external&version=68 806/157 0ms 18ms
Aug 15 03:57:25 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 201 http://localhost:9200/arkime_dstats/_doc/ubuntu2204-1409-5 808/159 0ms 10ms
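Each capture.log line above records one request from capture to Elasticsearch together with its HTTP status and timing, so the log is a convenient place to watch for Elasticsearch rejecting or stalling writes. The following script is an added example, not part of the original tutorial or of Arkime: it parses lines in that format and flags non-2xx responses and slow requests. The meaning of the two size fields and the two timings after the URL is assumed from the sample, and the 429 and 2400ms lines in the sample are constructed.

```python
import re
from collections import Counter

# One Elasticsearch request line as written by Arkime capture to
# /opt/arkime/logs/capture.log (format taken from the tutorial's sample).
# Names for the byte counts and the two timings are assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) moloch_http_curlm_check_multi_info\(\): "
    r"(?P<outstanding>\d+)/(?P<total>\d+) (?P<mode>\w+) (?P<status>\d{3}) "
    r"(?P<url>\S+) (?P<req_bytes>\d+)/(?P<resp_bytes>\d+) "
    r"(?P<t1>\d+)ms (?P<t2>\d+)ms$"
)

def parse_line(line):
    """Return a dict of fields for one ES request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("outstanding", "total", "status", "req_bytes", "resp_bytes", "t1", "t2"):
        rec[key] = int(rec[key])
    return rec

def find_problems(lines, max_ms=1000):
    """Flag requests that Elasticsearch did not accept (non-2xx) or that were slow.

    Returns (problems, status_counts): a list of (reason, parsed record) and a
    Counter of HTTP status codes over all lines that parsed.
    """
    problems, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # startup messages and other non-request lines are skipped
        counts[rec["status"]] += 1
        if not 200 <= rec["status"] < 300:
            problems.append(("http_%d" % rec["status"], rec))
        elif rec["t2"] > max_ms:
            problems.append(("slow_%dms" % rec["t2"], rec))
    return problems, counts

# Constructed sample: two healthy lines in the tutorial's format, then a
# constructed 429 (Elasticsearch rejecting a bulk write) and a constructed slow line.
SAMPLE = """\
Aug 15 03:57:20 http.c:389 moloch_http_curlm_check_multi_info(): 2/3 ASYNC 201 http://localhost:9200/arkime_dstats/_doc/ubuntu2204-1408-5 804/159 0ms 20ms
Aug 15 03:57:22 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/_bulk 715/221 0ms 10ms
Aug 15 03:57:30 http.c:389 moloch_http_curlm_check_multi_info(): 3/3 ASYNC 429 http://localhost:9200/_bulk 1471/412 0ms 35ms
Aug 15 03:57:31 http.c:389 moloch_http_curlm_check_multi_info(): 1/3 ASYNC 200 http://localhost:9200/_bulk 1471/253 0ms 2400ms
"""

if __name__ == "__main__":
    found, counts = find_problems(SAMPLE.splitlines())
    print("status counts:", dict(counts))
    for reason, rec in found:
        print(reason, rec["ts"], rec["url"])
```

To run it against a live system, replace SAMPLE.splitlines() with the lines of /opt/arkime/logs/capture.log.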
Access Arkime Web Interface
At this point, Arkime is running and the viewer is listening on port 8005. You can check it with the following command:
ss -antpl | grep 8005
You should get the following output:
LISTEN 0 511 *:8005 *:* users:(("node",pid=11362,fd=20))
Now, open your web browser and access the Arkime web interface using the URL http://your-server-ip:8005. You will be asked to provide your admin username and password. Note that, as the output above shows, the viewer listens on all interfaces over plain HTTP, so restrict access to port 8005 (for example with a firewall) or front the viewer with TLS before exposing it beyond a trusted network.
Provide your admin username and password and click on the Sign In button. You should then see the Arkime dashboard.
Conclusion
Congratulations! You have successfully installed and configured the Arkime packet capture tool on an Ubuntu 22.04 server. You can now explore Arkime for more functionality and start capturing packets. Feel free to ask me if you have any questions.