Monitor full network traffic with Arkime aka. Moloch

Monitoring the corporate network is a crucial part to safeguard the network against malicious threat actors. One may argue that there are IDS and IPS to detect malicious traffic on the network. Those advanced security devices can indeed be useful but one cannot see the full picture of the network. For example, IDS and IPS might show the threat detected or blocked by the detection engine (signature) but one might need to investigate further to provide in-depth analysis on the incident or to look for zero-day. That is when full packet capture of the traffic can be of most use.

So let us look at Arkime or formerly known as Moloch. It is an open-source tool that can index the packet capture, make it search-friendly. There are alternative tools that are available for packet capture such as Wireshark, but those cannot be compared with Arkime as such they don’t contain the capability to process packets at gigabits per second.

Let’s discuss Arkime’s components. The full system is made of 3 components.

Capture
Viewer
Elasticsearch (My Fav)

As the name suggests for “capture” it is a part that is used to monitor network traffic and write that traffic as PCAP format to disk. Then the metadata is parsed and sent to elasticsearch to make it searchable using a web interface provided by the viewer component.

Capturing all the traffic in the network is sweet as candy on first look but it gets bitter when you will be running it 24/7 in a large enterprise. Since we are not compromising what we are collecting it takes lots of storage. I used the estimator on the official website and boi I was shocked. It needs a whopping 152 TB for the capture machine and another space around 30 TB for the elasticsearch machine.