Arkime, an open-source network capture and analysis tool, is a game-changer for anyone working with large-scale network traffic. Designed to simplify packet capture and enable detailed analysis, Arkime offers robust search capabilities, seamless integration with existing security tools, and an intuitive web interface. Whether you're troubleshooting network issues or investigating potential security threats, Arkime provides the visibility and insight needed to understand your traffic in depth. In this blog, I'll demonstrate how to install, configure, and effectively use Arkime to harness the power of your network data.
I have followed the in-depth guides provided on the Arkime website, and decided to run a fresh Ubuntu 24.04.1 LTS VMware virtual machine.
Arkime requires a database to store the Packet Capture (PCAP) data; the guide recommends either OpenSearch or ElasticSearch. Because of our previous ElasticSearch tech blogs I will use that as the backend database in this demo. I followed the Elastic Debian APT installation process documented HERE. The following commands allowed me to successfully install an ElasticSearch instance.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install elasticsearch
Elastic installs with a default user ‘elastic’ and generates a password for you; be sure to copy this into your password manager.
Once ElasticSearch is installed you need to increase your Java Virtual Machine (JVM) heap memory to a minimum of 4GB. Mine had been set to 4GB by default so it didn't need to be changed.
vim /etc/elasticsearch/jvm.options
# you are looking for the following two lines to change (set both to the same size, at least 4g)
-Xms1g
-Xmx1g
Next I downloaded the Arkime sensor package from HERE. To match my version of Ubuntu desktop I downloaded ‘arkime_5.5.1-1.ubuntu2404_amd64.deb’.
From within the same directory as the downloaded package install using the following command.
# the glob must match the underscore in the package filename (arkime_5.5.1-1.ubuntu2404_amd64.deb)
apt install ./arkime_*.deb
Once installed you can run the Arkime configuration script at /opt/arkime/bin/Configure.
# Check which interface is live on your VM to monitor
ip a
# run the configure script (these are the settings that worked for me)
/opt/arkime/bin/Configure
# Interface: ens33
# Install Elasticsearch: no (already installed)
# OpenSearch/Elasticsearch URL: https://localhost:9200
# OpenSearch/Elasticsearch User: elastic
# OpenSearch/Elasticsearch Password: Password generated during elastic install
# Password: A new password, not the ES password
# Download GeoIP: yes
# You can check any of these settings if you get issues
vim /opt/arkime/etc/config.ini
Initialise the connection to the ElasticSearch database, add an admin user and enable the arkime sensor/viewer.
/opt/arkime/db/db.pl --esuser elastic https://localhost:9200 init
# you will be prompted to enter your elastic user password
/opt/arkime/bin/arkime_add_user.sh admin "Admin User" changeme --admin
systemctl enable --now arkimecapture
systemctl enable --now arkimeviewer
# To check the status of Arkime and ElasticSearch
sleep 1
tail /opt/arkime/logs/*.log
curl -u admin:changeme --digest http://localhost:8005/eshealth.json
# If everything is healthy this should show successful curl/GET requests as below.
Navigate to http://localhost:8005 and you should have access to Arkime viewer showing PCAP from the interface you set during configuration.
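As an added example (not part of the original post or of the Arkime project), here is a small POSIX shell script that automates two of the checks above: that jvm.options sets -Xms and -Xmx equal to each other and to at least 4g, and that the body the viewer returns from /eshealth.json reports a green or yellow cluster. The function names, and any jvm.options or JSON you feed them while testing, are my own; on a live install point them at the real file and the real curl output as shown in the trailing comments.

```shell
#!/bin/sh
# Post-install sanity checks for the Arkime + Elasticsearch setup above.
# Added example, not Arkime project code. Assumes POSIX sh, grep and sed.

# heap_mb SIZE: convert a JVM size such as 4g, 4096m or 512k to megabytes.
heap_mb() {
  n=$(printf '%s' "$1" | sed 's/[gGmMkK]$//')
  case "$1" in
    *[gG]) echo $((n * 1024)) ;;
    *[mM]) echo "$n" ;;
    *[kK]) echo $((n / 1024)) ;;
    *)     echo $((n / 1048576)) ;;   # bare byte count
  esac
}

# check_heap FILE: succeed only if jvm.options sets -Xms and -Xmx (uncommented),
# equal to each other and at least 4g, the minimum the Arkime guide asks for.
check_heap() {
  xms=$(grep -E '^-Xms' "$1" | tail -n 1 | sed 's/^-Xms//')
  xmx=$(grep -E '^-Xmx' "$1" | tail -n 1 | sed 's/^-Xmx//')
  if [ -z "$xms" ] || [ -z "$xmx" ]; then
    echo "heap: -Xms/-Xmx not set in $1"; return 1
  fi
  ms=$(heap_mb "$xms"); mx=$(heap_mb "$xmx")
  if [ "$ms" -ne "$mx" ]; then
    echo "heap: -Xms ($xms) and -Xmx ($xmx) differ"; return 1
  fi
  if [ "$mx" -lt 4096 ]; then
    echo "heap: $xmx is below the 4g minimum"; return 1
  fi
  echo "heap: ok ($xmx)"
}

# check_es_health JSON: inspect the body the viewer returns from /eshealth.json
# (Elasticsearch cluster health) and succeed only for status green or yellow.
check_es_health() {
  status=$(printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p')
  case "$status" in
    green|yellow) echo "es: cluster status $status"; return 0 ;;
    red)          echo "es: cluster status red"; return 1 ;;
    *)            echo "es: could not read cluster status"; return 1 ;;
  esac
}

# On the live box (not run here):
#   check_heap /etc/elasticsearch/jvm.options
#   check_es_health "$(curl -s -u admin:changeme --digest http://localhost:8005/eshealth.json)"
```

Both functions exit non-zero on a problem, so they drop straight into a cron job or a post-install script that should stop before enabling the arkimecapture and arkimeviewer services.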
For this demo I have set up a small instance of Arkime for testing and training purposes using Ubuntu and ElasticSearch. In future blogs I will use this instance to demonstrate Arkime functionality such as the timeline, connection and map viewers to gain insight into your network traffic.

