Arkime Network Analysis & Packet Capture tool (basic functionality overview)

In a previous blog I walked through the download and installation of Arkime onto an Ubuntu VM; if you haven’t covered that subject you should go back and complete that blog first. To follow this demo you should have your Elasticsearch database configured, initialised and connected to the Arkime sensor, with the sensor listening on the local interface you configured during installation. If your Elasticsearch is running correctly you should be able to browse to it at https://localhost:9200, logging in with the credentials configured during setup, to check its status.

Screenshot of the Arkime interface displaying the Elasticsearch cluster information in JSON format, including details such as cluster name, version number, and compatibility versions.

You should also be able to browse to the Arkime UI at http://localhost:8005 and log in with the admin credentials configured previously. At the default ‘Sessions’ screen you will see captured network traffic for the period that the sensor has been live. The time window can be adjusted manually or by selecting a predefined timeframe, such as ‘last hour’ in this example. Basic DTG, source/destination IP and port information, packet counts and protocols can all be viewed from the session view.

Screenshot of Arkime session view displaying network traffic data including source and destination IPs, ports, and packet information.

The histogram can be adjusted here depending on your preference, to show sessions (in grey as above) or packets/bytes/data bytes (blue and red). There is a world map available to plot the geolocation of any public IP addresses that are captured (in this demo I am only capturing internal traffic).

A histogram display showing network traffic session data, including start and stop times, source/destination IPs, packet counts, and a world map for geolocation, with options for customizing views and intervals.

By clicking the blue + on the left of each row, the row can be expanded to show greater detail, with the option to download the PCAP.

Detailed view of a captured network session showing start and stop times, source and destination IP addresses, packet counts, and HTTP request information.

The link tab opens another window to display the complete session information. The session id is displayed in the search window.

Screenshot of the Arkime UI displaying session details including timestamps, source and destination IP addresses, protocol information, packet counts, and an option to download PCAP.

Session Profile Information (SPI) view. Here the traffic can be grouped and analysed by protocol/traffic type, with session counts for each specific grouping.

A user interface displaying network traffic statistics over a timeline with options to filter and view data by protocol types such as UDP, TCP, and ICMP, along with expandable categories for network activities.

By expanding the general grouping and selecting ‘Load All’ we can get a list and count of all source and destination IPs broken down by protocol.

Dashboard view showing filtered network session data with a histogram and detailed entries including destination and source IP addresses, protocols, and captured traffic information.

SPI Graph view allows you to compare different connection attributes in the same histogram view. Here I have selected 2 different SRC IPs to compare to the full traffic capture.

Graph view showing network traffic over time, with separate lines for sessions and bytes for two source IPs, including a world map for geolocation.

Connections view gives you a visual representation of your network including Src/Dst IP addresses, link weight and detailed node information (by hovering over each node); nodes can be manoeuvred into position and fixed, and the graph can be exported in PNG format.

Network connections visual representation with source and destination IP addresses, query options for traffic analysis, and node information.

In this post we have confirmed the functionality of our Arkime sensor and Elasticsearch backend, and walked through the main views: Sessions, SPI, SPI Graph and Connections. In future blogs I will cover searching and search syntax, the hunt function, uploading PCAP files for analysis and more in-depth analysis of captured traffic.
