{"id":463,"date":"2021-02-21T16:17:27","date_gmt":"2021-02-21T21:17:27","guid":{"rendered":"https:\/\/snehpatel.com\/?p=463"},"modified":"2021-03-01T19:26:00","modified_gmt":"2021-03-02T00:26:00","slug":"monitor-full-network-traffic-with-arkime-aka-moloch","status":"publish","type":"post","link":"https:\/\/snehpatel.com\/index.php\/2021\/02\/21\/monitor-full-network-traffic-with-arkime-aka-moloch\/","title":{"rendered":"Monitor full network traffic with Arkime aka. Moloch"},"content":{"rendered":"\n

Monitoring the corporate network is a crucial part to safeguard the network against malicious threat actors. One may argue that there are IDS and IPS to detect malicious traffic on the network. Those advanced security devices can indeed be useful but one cannot see the full picture of the network. For example, IDS and IPS might show the threat detected or blocked by the detection engine (signature) but one might need to investigate further to provide in-depth analysis on the incident or to look for zero-day. That is when full packet capture of the traffic can be of most use.<\/p>\n\n\n\n

So let us look at Arkime or formerly known as Moloch. It is an open-source tool that can index the packet capture, make it search-friendly. There are alternative tools that are available for packet capture such as Wireshark, but those cannot be compared with Arkime as such they don’t contain the capability to process packets at gigabits per second.<\/p>\n\n\n\n

Let’s discuss Arkime’s components. The full system is made of 3 components.<\/p>\n\n\n\n