Arkime is an open-source system for large-scale network analysis and packet capture. It works with your existing security tools to store and index network traffic in standard PCAP format, making it easy to search and access.
The solution includes a simple web interface for browsing, searching, and exporting PCAP files. Arkime also provides APIs for downloading PCAP data and session data in JSON format. Because Arkime uses standard PCAP files, you can analyze the data with other tools, such as Wireshark.
The system has three main parts:
- Capture – A C application that monitors network traffic, writes PCAP files to disk, parses captured packets, and sends metadata (SPI data) to OpenSearch or Elasticsearch.
- Viewer – A Node.js application that runs on each capture machine. It manages the web interface and sends packets to the browser.
- OpenSearch/Elasticsearch – The search database used by Arkime.
Arkime also includes optional tools:
- Cont3xt: Helps gather contextual intelligence to support investigations.
- EsProxy: Adds an extra security layer between capture and OpenSearch or Elasticsearch.
- Parliament: Monitors and provides access to multiple Arkime clusters.
- WiseService: Integrates threat intelligence into session metadata.
Arkime can be deployed across many systems and scaled to handle tens of gigabits per second of traffic. PCAP retention depends on the available disk space on your sensors. Metadata retention depends on the size of your Elasticsearch cluster. Both can be expanded at any time and are fully under your control.
Arkime is available for free on GitHub.
Must read:
Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!
