Moloch: Network traffic analyzer: Installation
Jostrowski (talk | contribs) (Installation guide)
Latest revision as of 12:38, 30 October 2019
Summary
Moloch is an open-source, large-scale full packet capture, indexing, and database system. Captured traffic can be processed on multiple nodes and is then presented to the administrator through a web interface.
Requirements
- Operating system: Ubuntu 18.04 bionic amd64
- Packages: git
Installation
Instructions for using the prebuilt Moloch packages.
(helpful: http://moloch.3ilson.com/)
Basic Moloch installation steps:
1) Download a Moloch build for 64-bit Ubuntu 14.04, Ubuntu 16.04, Centos 6, or Centos 7 from http://molo.ch/index.html#downloads
2) Install the package
3) Configure the basic Moloch items by running the Configure script (this needs to be done only once)
     /data/moloch/bin/Configure
4) The Configure script can install Elasticsearch for you, or you can install it yourself
     /sbin/start elasticsearch                 # for upstart/Centos 6/Ubuntu 14.04
     systemctl start elasticsearch.service     # for systemd/Centos 7/Ubuntu 16.04
5) Initialize/upgrade the Moloch configuration in Elasticsearch
   a) If this is the first install, or you want to delete all data (init wipes every existing Moloch index)
     /data/moloch/db/db.pl http://ESHOST:9200 init
   b) If this is an update of the Moloch package
     /data/moloch/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user on a new install or after an init (the password is passed on the command line, so it lands in your shell history; clear it afterwards)
     /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
   a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):
     /sbin/start molochcapture
     /sbin/start molochviewer
   b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04):
     systemctl start molochcapture.service
     systemctl start molochviewer.service
8) Look at the log files for errors
     /data/moloch/logs/viewer.log
     /data/moloch/logs/capture.log
9) Visit http://MOLOCHHOST:8005 with your favorite browser.
     user: admin
     password: THEPASSWORD from step #6
Any configuration changes can be made in /data/moloch/etc/config.ini. See https://molo.ch/faq#moloch-is-not-working for issues.
Additional information can be found at:
* https://molo.ch/faq
* https://molo.ch/settings
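The following script walks through steps 3 to 9 above as one procedure. It is an added example and is not part of the Moloch project or of this page's original text. It assumes the package from steps 1 and 2 is already installed under the page's /data/moloch paths, that the script runs as root, and that Elasticsearch listens at the assumed ESHOST default of http://localhost:9200. MOLOCH_ADMIN_PASSWORD and MOLOCH_RUN are assumed environment variables: the password is read from the environment so it never appears in the shell history, although moloch_add_user.sh still receives it as an argument and it is visible in the process list while that command runs; nothing is executed unless MOLOCH_RUN=1, because a fresh init destroys all existing Moloch data.

```shell
#!/bin/sh
# Added example (not Moloch project code): drive the install steps from the page.
# Run as root with MOLOCH_RUN=1 MOLOCH_MODE=init|upgrade MOLOCH_ADMIN_PASSWORD=... ./install.sh
set -eu

MOLOCH=/data/moloch                              # paths from the page
ESHOST="${ESHOST:-http://localhost:9200}"        # assumed default; the page writes http://ESHOST:9200
MODE="${MOLOCH_MODE:-init}"                      # "init" wipes all data, "upgrade" keeps it

# The page distinguishes upstart (/sbin/start) from systemd; systemd leaves this directory behind.
init_system() {
    if [ -d /run/systemd/system ]; then echo systemd; else echo upstart; fi
}

# Build the start command for a service under the given init system (step 4 and step 7).
service_start_cmd() {
    case "$1" in
        systemd) echo "systemctl start $2.service" ;;
        upstart) echo "/sbin/start $2" ;;
        *) echo "unknown init system: $1" >&2; return 1 ;;
    esac
}

start_service() {
    eval "$(service_start_cmd "$1" "$2")"
}

# Only the two db.pl actions the page names are accepted, so a typo cannot turn an upgrade into an init.
db_action() {
    case "$1" in
        init|upgrade) echo "$1" ;;
        *) echo "MOLOCH_MODE must be init or upgrade, got '$1'" >&2; return 1 ;;
    esac
}

# Step 8: count log lines that look like errors. The keywords are an assumption,
# not Moloch's documented log format; treat a non-zero count as "go read the file".
log_error_count() {
    grep -ciE 'error|exception|cannot|refused' "$1" || true
}

install_moloch() {
    action=$(db_action "$MODE")
    sys=$(init_system)

    "$MOLOCH/bin/Configure"                                   # step 3, run once
    start_service "$sys" elasticsearch                        # step 4
    "$MOLOCH/db/db.pl" "$ESHOST" "$action"                    # step 5
    if [ "$action" = init ]; then                             # step 6, only after an init
        : "${MOLOCH_ADMIN_PASSWORD:?set MOLOCH_ADMIN_PASSWORD in the environment}"
        "$MOLOCH/bin/moloch_add_user.sh" admin "Admin User" "$MOLOCH_ADMIN_PASSWORD" --admin
    fi
    start_service "$sys" molochcapture                        # step 7
    start_service "$sys" molochviewer
    sleep 5                                                   # give both daemons time to log their startup
    for name in viewer capture; do                            # step 8
        echo "$name.log: $(log_error_count "$MOLOCH/logs/$name.log") suspicious lines"
    done
    echo "step 9: open http://$(hostname):8005 and log in as admin"
}

if [ "${MOLOCH_RUN:-0}" = 1 ]; then install_moloch; fi
```

The helper functions are separated from install_moloch so the command construction and the log check can be exercised without touching a live system; the destructive part runs only behind the MOLOCH_RUN guard.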
Importing PCAP files
Note: Moloch cannot read the newer pcap-ng (.pcapng) file format, only classic pcap. If you have .pcapng files you can convert them with this command (tshark's -F option selects the output file format; -f would set a capture filter instead):
tshark -F pcap -r YOUR_FILE.pcapng -w NEW_FILE.pcap
Now you can load the pcap file into Moloch with moloch-capture; the sessions then appear in the viewer:
sudo /data/moloch/bin/moloch-capture -r NEW_FILE.pcap
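The import above handles one file whose extension is trusted. The script below is an added example, not code from the Moloch project or this page: it imports any number of capture files, detects pcap versus pcap-ng from the first four bytes rather than the filename (so a pcap-ng file renamed to .pcap is still converted, and a file that is neither never reaches the capture process), converts with the tshark command from the page, and then calls moloch-capture on each classic pcap. It assumes tshark is installed and that moloch-capture lives at the page's path, overridable through the assumed MOLOCH_CAPTURE variable.

```shell
#!/bin/sh
# Added example (not Moloch project code): bulk import of pcap/pcap-ng files into Moloch.
# Usage: sudo ./import.sh capture1.pcap capture2.pcapng ...
set -eu

MOLOCH_CAPTURE="${MOLOCH_CAPTURE:-/data/moloch/bin/moloch-capture}"   # path from the page

# Print "pcap", "pcapng" or "unknown" for a file, based on its magic number:
#   a1b2c3d4 / d4c3b2a1  classic pcap, microsecond timestamps (big / little endian)
#   a1b23c4d / 4d3cb2a1  classic pcap, nanosecond timestamps
#   0a0d0d0a             pcap-ng section header block
pcap_format() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# Print the path of a classic pcap for the given file, converting pcap-ng with tshark
# (-F selects the output file format). Anything else is rejected with a non-zero status.
prepare_pcap() {
    f=$1
    case "$(pcap_format "$f")" in
        pcap) echo "$f" ;;
        pcapng)
            out="$f.converted.pcap"                   # never overwrite the input
            tshark -F pcap -r "$f" -w "$out" >/dev/null 2>&1
            echo "$out" ;;
        *) echo "$f: not a pcap or pcap-ng file, skipping" >&2; return 1 ;;
    esac
}

# Feed every accepted file to moloch-capture. As on the page this needs the Moloch capture
# configuration, a reachable Elasticsearch, and normally root (hence sudo).
import_pcaps() {
    for f in "$@"; do
        if p=$(prepare_pcap "$f"); then
            "$MOLOCH_CAPTURE" -r "$p"
        fi
    done
}

if [ $# -gt 0 ]; then import_pcaps "$@"; fi
```

Checking the magic number matters because moloch-capture is parsing attacker-controlled data: a file that is neither format is rejected before it is handed to the capture process, and a mislabeled pcap-ng file gets converted instead of failing or being silently skipped.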