Moloch: Network traffic analyzer: Installation

From Embedded Lab Vienna for IoT & Security
Revision as of 12:38, 30 October 2019 by Jostrowski

Summary

Moloch is an open-source, large-scale system for full packet capture, indexing and storage in a database. The captured traffic can be processed on multiple nodes and then presented to the administrator via a web interface.

Requirements

  • Operating system: Ubuntu 18.04 bionic amd64
  • Packages: git

Installation

Instructions for using the prebuilt Moloch packages.

(A helpful resource: http://moloch.3ilson.com/)

Basic Moloch Installation steps:

1) Download a Moloch build for 64-bit Ubuntu 14.04, Ubuntu 16.04, CentOS 6 or CentOS 7 from http://molo.ch/index.html#downloads
2) Install the package
3) Configure the basic Moloch items by running the Configure script (this needs to be done only once)
     /data/moloch/bin/Configure
4) The Configure script can install Elasticsearch for you, or you can install it yourself
     /sbin/start elasticsearch # for upstart/CentOS 6/Ubuntu 14.04
     systemctl start elasticsearch.service # for systemd/CentOS 7/Ubuntu 16.04
5) Initialize or upgrade the Elasticsearch configuration for Moloch
  a) If this is the first install, or you want to delete all data:
     /data/moloch/db/db.pl http://ESHOST:9200 init
  b) If this is an update of the Moloch package:
     /data/moloch/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if this is a new install or after an init
     /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
  a) If using upstart (CentOS 6 or sometimes Ubuntu 14.04):
     /sbin/start molochcapture
     /sbin/start molochviewer
  b) If using systemd (CentOS 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04):
     systemctl start molochcapture.service
     systemctl start molochviewer.service
8) Look at the log files for errors
     /data/moloch/logs/viewer.log
     /data/moloch/logs/capture.log
9) Visit http://MOLOCHHOST:8005 with your favorite browser.
     user: admin
     password: THEPASSWORD from step #6

Any configuration changes can be made in /data/moloch/etc/config.ini. See https://molo.ch/faq#moloch-is-not-working for issues.

Additional information can be found at:

 * https://molo.ch/faq
 * https://molo.ch/settings

Importing PCAP files

Note: Moloch cannot analyze the newer pcap-ng (.pcapng) file format. If you have .pcapng files you can convert them to classic pcap with this command (the output format is selected with the upper-case -F option; lower-case -f is tshark's capture filter and is rejected when reading from a file):

tshark -F pcap -r YOUR_FILE.pcapng -w NEW_FILE.pcap

Now you can load the pcap file into the Moloch viewer:

sudo /data/moloch/bin/moloch-capture -r NEW_FILE.pcap
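As an added example (not from the original page or the Moloch project), a small POSIX shell script that checks a capture file's magic number before importing it, so that pcap-ng files are converted with tshark and files Moloch cannot read are skipped instead of producing a confusing error. It assumes tshark is installed and that moloch-capture lives at /data/moloch/bin/moloch-capture as on this page.

```shell
#!/bin/sh
# Added example (not part of the original page or the Moloch project).
# Assumes: tshark on PATH, Moloch installed under /data/moloch as above.

# Print "pcap", "pcapng" or "unknown" based on the first four bytes of $1.
capture_format() {
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        # classic libpcap: big/little endian, microsecond or nanosecond timestamps
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        # pcap-ng Section Header Block type (byte-order independent)
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# Make $1 readable by Moloch, writing a converted copy to $2 if needed.
# Prints the path Moloch should read; returns 1 if the file is unusable.
prepare_for_moloch() {
    src=$1; dst=$2
    case "$(capture_format "$src")" in
        pcap)   echo "$src" ;;
        pcapng) tshark -F pcap -r "$src" -w "$dst" >/dev/null 2>&1 || return 1
                echo "$dst" ;;
        *)      return 1 ;;
    esac
}

# Convert if necessary, then hand the file to moloch-capture as on the page.
import_into_moloch() {
    converted="${1%.pcapng}.pcap"
    f=$(prepare_for_moloch "$1" "$converted") || {
        echo "skip: $1 is not a pcap or pcap-ng capture" >&2
        return 1
    }
    sudo /data/moloch/bin/moloch-capture -r "$f"
}

# Usage: import_into_moloch YOUR_FILE.pcapng
```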

View data

View Connection Graph

[Screenshot: Moloch Graph.png]

View sessions

[Screenshot: Moloch Sessions.png]
