Moloch: Network traffic analyzer: Installation

From Embedded Lab Vienna for IoT & Security

Summary

Moloch is an open-source, large-scale system for full packet capture, indexing and storage. The captured traffic can be processed on multiple nodes and is presented to the administrator via a web interface.

Requirements

  • Operating system: Ubuntu 18.04 bionic amd64
  • Packages: git

Installation

Instructions for using the prebuilt Moloch packages.

(helpful: http://moloch.3ilson.com/)

Basic Moloch Installation steps:

1) Download a Moloch build for 64-bit Ubuntu 14.04, Ubuntu 16.04, Centos 6, or Centos 7 from http://molo.ch/index.html#downloads
2) Install package
3) Configure basic moloch items by running the Configure script (this needs to be done only once)
    /data/moloch/bin/Configure
4) The Configure script can install elasticsearch for you, or you can install it yourself
     /sbin/start elasticsearch # for upstart/Centos 6/Ubuntu 14.04
     systemctl start elasticsearch.service # for systemd/Centos 7/Ubuntu 16.04
5) Initialize/Upgrade Elasticsearch Moloch configuration
 a) If this is the first install, or you want to delete all data
     /data/moloch/db/db.pl http://ESHOST:9200 init
 b) If this is an update to moloch package
     /data/moloch/db/db.pl http://ESHOST:9200 upgrade
6) Add an admin user if a new install or after an init
     /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin
7) Start everything
  a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):
     /sbin/start molochcapture
     /sbin/start molochviewer
  b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04):
     systemctl start molochcapture.service
     systemctl start molochviewer.service
8) Look at log files for errors
     /data/moloch/logs/viewer.log
     /data/moloch/logs/capture.log
9) Visit http://MOLOCHHOST:8005 with your favorite browser.
     user: admin
     password: THEPASSWORD from step #6

Any configuration changes can be made in /data/moloch/etc/config.ini. See https://molo.ch/faq#moloch-is-not-working for issues.

Additional information can be found at:

 * https://molo.ch/faq
 * https://molo.ch/settings

Importing PCAP files

Note: Moloch cannot analyze the newer pcap-ng (.pcapng) file format. If you have .pcapng files, you can convert them with this command (tshark's -F option selects the output file type):

tshark -F pcap -r YOUR_FILE.pcapng -w NEW_FILE.pcap

Now the pcap file can be loaded into Moloch, after which the sessions appear in the viewer:

sudo /data/moloch/bin/moloch-capture -r NEW_FILE.pcap
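Because moloch-capture only reads classic pcap, it helps to check the file format before importing. The script below is an added example, not part of the original page or of Moloch: it identifies a capture file by its magic number, converts pcap-ng files with tshark only when needed, and then hands the result to moloch-capture. The function names and the constructed sample headers are assumptions; the /data/moloch path is the one used on this page.

```shell
#!/bin/sh
# Added example: classify a capture file by its first four bytes so that
# only pcap-ng files are converted before being imported into Moloch.

# Print "pcap", "pcapng" or "unknown" for the file given as $1.
capture_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;     # classic libpcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap ;;     # libpcap with nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;   # pcap-ng Section Header Block
        *)                 echo unknown ;;
    esac
}

# Ensure $1 is a classic pcap Moloch can read; pcap-ng is converted via tshark.
# Prints the path of the file to import, or returns non-zero for unknown formats.
ensure_pcap() {
    case "$(capture_format "$1")" in
        pcap)   echo "$1" ;;
        pcapng) out="${1%.pcapng}.pcap"
                tshark -F pcap -r "$1" -w "$out" || return 1
                echo "$out" ;;
        *)      echo "unsupported capture format: $1" >&2; return 1 ;;
    esac
}

# Convert if needed, then import (the page's moloch-capture step).
import_capture() {
    f=$(ensure_pcap "$1") || return 1
    sudo /data/moloch/bin/moloch-capture -r "$f"
}

# Constructed sample headers (not real captures) to exercise capture_format offline.
tmp=$(mktemp -d)
printf '\324\303\262\241\002\000\004\000' > "$tmp/classic.pcap"     # d4 c3 b2 a1 ...
printf '\012\015\015\012\034\000\000\000' > "$tmp/sections.pcapng"  # 0a 0d 0d 0a ...
printf 'hello' > "$tmp/notes.txt"
```

Run `import_capture NEW_FILE.pcap` on a real capture to convert and import in one step; files with an unrecognised magic number are rejected instead of being passed to moloch-capture.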

View data

View Connection Graph

[Figure: Moloch Graph.png]

View sessions

[Figure: Moloch Sessions.png]
