Installation Instructions | 5.x Upgrade instructions | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

Release

• #2759 CyberChef 10.17.0

Capture

• #2756 parse SMB dialect
• #2758 fix rules not always matching "0" for non array integer fields

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el8 download for Centos 8 or RHEL 8. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024.

The EL7 and Ubuntu 18 builds are still available here until 5/1/2024.

Installation Instructions | 5.x Upgrade instructions | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

Release

• #2752 Node 18.20.2 (EL 7, Ubuntu 18 still on 18.19.1)

Capture

• #2732 rules support NOT string and integer fields
• #2746 fix DNS parser PUNY length checks
• #2744 fix empty pcap files hanging capture

Viewer

• #2745 don't autocomplete values starting with a quote

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el8 download for Centos 8 or RHEL 8. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024.

The EL7 and Ubuntu 18 builds are still available here until 5/1/2024.

Installation Instructions | 5.x Upgrade instructions | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

Release

• #2667 support Node 20
• #2734 Node 18.20.1 (EL 7, Ubuntu 18 still on 18.19.1)
• #2737 CyberChef 10.15.0

Capture/Viewer

• #2694 New DNS parser that captures all the answers, enable with dnsOutputAnswers=true (thanks @mcgillowen)

Capture

• #2674 Fix filelist not working in scheme mode
• #2679 cert.alt can be used in rules
• #2699 Disable reader s3 download timeout
• #2726 Fix ZSTD_decompress missing for some builds

Cont3xt

• #2683 lock integration settings
• #2719 snap to dates
• #2730 Arkime/OpenSearch/Elasticsearch integration had insecure logic backwards

Viewer

• #2668 fix pcap export with only default time range and no date param in url
• #2680 add default user settings to viewer config https://arkime.com/settings#user-setting-defaults
• #2681 fix unique of numerical fields
• #2701 Make sure pcap reassembly doesn't starve viewer
• #2704 Support viewUrl having a path
• #2705 Support querying non Arkime indices, enable with queryExtraIndices (thanks @mmguero)
• #2718 Green on black theme improvements, Elyse's fav now
• #2735 help improvements
• #2736 help improvements

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el8 download for Centos 8 or RHEL 8. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024.

The EL7 and Ubuntu 18 builds are still available here until 5/1/2024.

Installation Instructions | 5.x Upgrade instructions | Copyright Notices | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

Release

• #2631 CyberChef 10.6.0
• #2648 Build for Ubuntu 24.04
• #2655 Support rpm fips installs again
• #2558 Node 18.19.1

Capture

• #2634 add esp packet stats (fixes #1116)
• #2638 support readTruncatedPackets on live captures

db.pl

• #2633 noprompt outputs less warnings
• #2639 fix init not working with large number of indices

JA4+

• Fixed memory leak
• Fixed JA4H issue with long cookies

Parliament

• #2645 Fixed issues not being detected
• #2659 Fixed parliament crashing if userPrefix not set

Viewer

• #2632 fix field labels not expanding fully
• #2637 fix session detail grip

WISE

• #2653 set a threatstream.indicator field

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el7 download for Centos 7 or RHEL 7. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024

Installation Instructions | 5.x Upgrade instructions | Copyright Notices | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

BREAKING

• #2297 s3Compression/simpleCompression now defaults to zstd
• #2297 s3WriteGzip removed, use s3Compression=gzip for gzip instead of new zstd default
• #2297 s3GapPacketPos defaults to TRUE
• #2297 enablePacketDedup defaults to TRUE
• #2299 #2308 authMode defaults to digest now
• #2312 removed old v1 viewer APIs
• #2349 parliament password removed, must configure common auth via the UI before upgrading or manually in the config file see parliament and how do I upgrade to 5
• #2402 WISE/tagger must now use http.request.FIELD/http.response.FIELD when referencing header defined with headers-http-request/headers-http-response
• #2450 Centos 7 build no longers includes pfring support
• #2453 Increase simpleCompressionBlockSize default to 64000

Release

• #2448 zstd 1.5.5, nghttp2 1.57.0, maxmind 1.7.1, yara 4.2.3
• #2443 Centos 7, Ubuntu 18, Alpine use unofficial builds of node
• #2543 node v18.19.0
• #2447 support building on alpine
• #2549 use configure prefix more places (thanks @vpiserchia)
• #2584 AL2023 & Ubuntu22.04 ARM builds

All

• #2316 programs support same config file formats (ini/json/yaml) and retrieval (file, elasticsearch)
• #2419 json/yaml config file formats now allow arrays instead of comma/semi separated
• #2299 #2308 authMode setting added
• #2299 #2408 #2463 added authMode: basic, form, basic+form, basic+oidc, headerOnly, header+digest (same as header), header+basic
• #2387 notifiers for parliament and arkime merged conflicts mitigated by appending "Parliament" to parliament notifiers
• #2396 drop privileges is now AFTER http(s) list
• #2509 add optional login message for form auth
• #2511 new authOIDCScope setting
• #2482 new logoutUrl setting
• #2571 new scheme pcap reading
• #2618 better error message when can't use OpenSearch/Elasticsearch on startup

Capture

• #2295 moloch converted to arkime
• #2312 override ips can now set any field
• #2312 overrideIpsFiles setting
• #2314 packetDropIpsFiles setting
• #2390 can have negative cert.validDays/cert.remainingDays (thanks @mcgillowen)
• #2390 added cert.remainingSeconds/cert.remainingSeconds (thanks @mcgillowen)
• #2390 cert.remainingDays is now based on the firstPacket of session instead of current time (thanks @mcgillowen)
• #2409 JA4 support
• #2409 JA3/JA4 support for smtp STARTTLS
• #2297 always build zstd (except arch)
• #2517 new custom-fields-remap feature
• #2186 count the number of http methods per session
• #2528 new oui.txt location, some names have changes, fixes #2347
• #2539 new tls:has_esni tag if the client hello has esni
• #2553 fix rules range matching not working always
• #2554 support fieldSet tcpflag rules
• #2575 fix startup complaint about aliases, category, and transforms
• #2576 support different dlt for pcap-over-ip
• #2592 fix sometimes not identifying quic protocol correctly
• #2600 add tls:has_ech tag (thanks @renini)
• #2614 new kafka-config section
• #2622 fix malicious quic packet crashing capture

Cont3xt

• #2121 new bulk UI and support for bulk queries
• #2271 lots of keyboard shortcut improvements
• #2383 new array syntax for links substitution
• #2382 new OpenSearch/Elasticsearch integration (config file only)
• #2441 new csv/json file/url/redis integration (config file only)
• #2385 new viewRoles in config file per integration to control access
• #2407 transfer ownership of resources
• #2437 new csv/json data source supports
• #2441 new redis data source support
• #2507 demoMode added
• #2527 skipChildren added
• #2532 new wise integration
• #2565 added punycode decoding

db.pl

• #2588 db.pl won't try and backup indices that don't exist
• #2588 db.pl backup cont3xt indices

ESProxy

• #2483 #2484 support field updates/deletes

Viewer

• #2296 removed x-moloch-auth
• #2392 files/history/stats now have cluster dropdown for multiviewer
• #2402 http.request.FIELD and http.response.FIELD supported
• #2404 add editor for resources
• #2407 transfer ownership of resources
• #2482 added uploadRoles to control who can upload
• #2501 add defaultTimeRange setting
• #2521 add footerTemplate setting
• #2525 add config setting to set spiview category order
• #2523 resize session detail field label/values
• #2552 added %URIEncodedText% for URI encoded substitution (thanks @vpiserchia)
• #2574 fix longstanding issue with backslash search and SMB
• #2601 patch cyberchef xss vuln (https://github.com/gchq/CyberChef/issues/1468)
• #2606 zstd sometimes didn't read all packets
• #2607 improved session detail display
• #2621 session detail link a link now, multi select info column items now

Parliament

• #2377 dashboard-only mode removed, if you want users to just see the dashboard don't assign them the parliamentUser role
• #2395 configuration is now stored in opensearch/elasticsearch
• #2530 add Users page

WISE

• #2537 new urlScrapePrefix/urlScrapeSuffix used with urlScrapeRedirect
• #2537 new jsonl format supported
• #2588 don't setup auth if --webconfig isn't used

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el7 download for Centos 7 or RHEL 7. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024

Installation Instructions | 5.x Upgrade instructions | Copyright Notices | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

BREAKING

• #2297 s3Compression/simpleCompression now defaults to zstd
• #2297 s3WriteGzip removed, use s3Compression=gzip for gzip instead of new zstd default
• #2297 s3GapPacketPos defaults to TRUE
• #2297 enablePacketDedup defaults to TRUE
• #2299 #2308 authMode defaults to digest now
• #2312 removed old v1 viewer APIs
• #2349 parliament password removed, must configure common auth via the UI before upgrading or manually in the config file see parliament and how do I upgrade to 5
• #2402 WISE/tagger must now use http.request.FIELD/http.response.FIELD when referencing header defined with headers-http-request/headers-http-response
• #2450 Centos 7 build no longers includes pfring support
• #2453 Increase simpleCompressionBlockSize default to 64000

Release

• #2448 zstd 1.5.5, nghttp2 1.57.0, maxmind 1.7.1, yara 4.2.3
• #2443 Centos 7, Ubuntu 18, Alpine use unofficial builds of node
• #2543 node v18.19.0
• #2447 support building on alpine
• #2549 use configure prefix more places (thanks @vpiserchia)
• #2584 AL2023 & Ubuntu22.04 ARM builds

All

• #2316 programs support same config file formats (ini/json/yaml) and retrieval (file, elasticsearch)
• #2419 json/yaml config file formats now allow arrays instead of comma/semi separated
• #2299 #2308 authMode setting added
• #2299 #2408 #2463 added authMode: basic, form, basic+form, basic+oidc, headerOnly, header+digest (same as header), header+basic
• #2387 notifiers for parliament and arkime merged conflicts mitigated by appending "Parliament" to parliament notifiers
• #2396 drop privileges is now AFTER http(s) list
• #2509 add optional login message for form auth
• #2511 new authOIDCScope setting
• #2482 new logoutUrl setting
• #2571 new scheme pcap reading
• #2618 better error message when can't use OpenSearch/Elasticsearch on startup

Capture

• #2295 moloch converted to arkime
• #2312 override ips can now set any field
• #2312 overrideIpsFiles setting
• #2314 packetDropIpsFiles setting
• #2390 can have negative cert.validDays/cert.remainingDays (thanks @mcgillowen)
• #2390 added cert.remainingSeconds/cert.remainingSeconds (thanks @mcgillowen)
• #2390 cert.remainingDays is now based on the firstPacket of session instead of current time (thanks @mcgillowen)
• #2409 JA4 support
• #2409 JA3/JA4 support for smtp STARTTLS
• #2297 always build zstd (except arch)
• #2517 new custom-fields-remap feature
• #2186 count the number of http methods per session
• #2528 new oui.txt location, some names have changes, fixes #2347
• #2539 new tls:has_esni tag if the client hello has esni
• #2553 fix rules range matching not working always
• #2554 support fieldSet tcpflag rules
• #2575 fix startup complaint about aliases, category, and transforms
• #2576 support different dlt for pcap-over-ip
• #2592 fix sometimes not identifying quic protocol correctly
• #2600 add tls:has_ech tag (thanks @renini)
• #2614 new kafka-config section

Cont3xt

• #2121 new bulk UI and support for bulk queries
• #2271 lots of keyboard shortcut improvements
• #2383 new array syntax for links substitution
• #2382 new OpenSearch/Elasticsearch integration (config file only)
• #2441 new csv/json file/url/redis integration (config file only)
• #2385 new viewRoles in config file per integration to control access
• #2407 transfer ownership of resources
• #2437 new csv/json data source supports
• #2441 new redis data source support
• #2507 demoMode added
• #2527 skipChildren added
• #2532 new wise integration
• #2565 added punycode decoding

db.pl

• #2588 db.pl won't try and backup indices that don't exist
• #2588 db.pl backup cont3xt indices

ESProxy

• #2483 #2484 support field updates/deletes

Viewer

• #2296 removed x-moloch-auth
• #2392 files/history/stats now have cluster dropdown for multiviewer
• #2402 http.request.FIELD and http.response.FIELD supported
• #2404 add editor for resources
• #2407 transfer ownership of resources
• #2482 added uploadRoles to control who can upload
• #2501 add defaultTimeRange setting
• #2521 add footerTemplate setting
• #2525 add config setting to set spiview category order
• #2523 resize session detail field label/values
• #2552 added %URIEncodedText% for URI encoded substitution (thanks @vpiserchia)
• #2574 fix longstanding issue with backslash search and SMB
• #2601 patch cyberchef xss vuln (https://github.com/gchq/CyberChef/issues/1468)
• #2606 zstd sometimes didn't read all packets
• #2607 improved session detail display

Parliament

• #2377 dashboard-only mode removed, if you want users to just see the dashboard don't assign them the parliamentUser role
• #2395 configuration is now stored in opensearch/elasticsearch
• #2530 add Users page

WISE

• #2537 new urlScrapePrefix/urlScrapeSuffix used with urlScrapeRedirect
• #2537 new jsonl format supported
• #2588 don't setup auth if --webconfig isn't used

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el7 download for Centos 7 or RHEL 7. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024

Installation Instructions | 5.x Upgrade instructions | Copyright Notices | FAQ | CHANGELOG | JA4+ Install

A db.pl upgrade is required when upgrading from 4.x

✨ What's new ✨

BREAKING

• #2297 s3Compression/simpleCompression now defaults to zstd
• #2297 s3WriteGzip removed, use s3Compression=gzip for gzip instead of new zstd default
• #2297 s3GapPacketPos defaults to TRUE
• #2297 enablePacketDedup defaults to TRUE
• #2299 #2308 authMode defaults to digest now
• #2312 removed old v1 viewer APIs
• #2349 parliament password removed, must configure common auth via the UI before upgrading or manually in the config file see parliament and how do I upgrade to 5
• #2402 WISE/tagger must now use http.request.FIELD/http.response.FIELD when referencing header defined with headers-http-request/headers-http-response
• #2450 Centos 7 build no longers includes pfring support
• #2453 Increase simpleCompressionBlockSize default to 64000

Release

• #2448 zstd 1.5.5, nghttp2 1.57.0, maxmind 1.7.1, yara 4.2.3
• #2443 Centos 7, Ubuntu 18, Alpine use unofficial builds of node
• #2543 node v18.19.0
• #2447 support building on alpine
• #2549 use configure prefix more places (thanks @vpiserchia)

All

• #2316 programs support same config file formats (ini/json/yaml) and retrieval (file, elasticsearch)
• #2419 json/yaml config file formats now allow arrays instead of comma/semi separated
• #2299 #2308 authMode setting added
• #2299 #2408 #2463 added authMode: basic, form, basic+form, basic+oidc, headerOnly, header+digest (same as header), header+basic
• #2387 notifiers for parliament and arkime merged conflicts mitigated by appending "Parliament" to parliament notifiers
• #2396 drop privileges is now AFTER http(s) list
• #2509 add optional login message for form auth
• #2511 new authOIDCScope setting
• #2482 new logoutUrl setting
• #2571 new scheme pcap reading

Capture

• #2295 moloch converted to arkime
• #2312 override ips can now set any field
• #2312 overrideIpsFiles setting
• #2314 packetDropIpsFiles setting
• #2390 can have negative cert.validDays/cert.remainingDays (thanks @mcgillowen)
• #2390 added cert.remainingSeconds/cert.remainingSeconds (thanks @mcgillowen)
• #2390 cert.remainingDays is now based on the firstPacket of session instead of current time (thanks @mcgillowen)
• #2409 JA4 support
• #2409 JA3/JA4 support for smtp STARTTLS
• #2297 always build zstd (except arch)
• #2517 new custom-fields-remap feature
• #2186 count the number of http methods per session
• #2528 new oui.txt location, some names have changes, fixes #2347
• #2539 new tls:has_esni tag if the client hello has esni
• #2553 fix rules range matching not working always
• #2554 support fieldSet tcpflag rules
• #2576 support different dlt for pcap-over-ip

Cont3xt

• #2121 new bulk UI and support for bulk queries
• #2271 lots of keyboard shortcut improvements
• #2383 new array syntax for links substitution
• #2382 new OpenSearch/Elasticsearch integration (config file only)
• #2441 new csv/json file/url/redis integration (config file only)
• #2385 new viewRoles in config file per integration to control access
• #2407 transfer ownership of resources
• #2437 new csv/json data source supports
• #2441 new redis data source support
• #2507 demoMode added
• #2527 skipChildren added
• #2532 new wise integration

ESProxy

• #2483 #2484 support field updates/deletes

Viewer

• #2296 removed x-moloch-auth
• #2392 files/history/stats now have cluster dropdown for multiviewer
• #2402 http.request.FIELD and http.response.FIELD supported
• #2404 add editor for resources
• #2407 transfer ownership of resources
• #2482 added uploadRoles to control who can upload
• #2501 add defaultTimeRange setting
• #2521 add footerTemplate setting
• #2525 add config setting to set spiview category order
• #2523 resize session detail field label/values
• #2552 added %URIEncodedText% for URI encoded substitution (thanks @vpiserchia)

Parliament

• #2377 dashboard-only mode removed, if you want users to just see the dashboard don't assign them the parliamentUser role
• #2395 configuration is now stored in opensearch/elasticsearch
• #2530 add Users page

WISE

• #2537 new urlScrapePrefix/urlScrapeSuffix used with urlScrapeRedirect
• #2537 new jsonl format supported

Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el7 download for Centos 7 or RHEL 7. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024

Hi! After every commit to the main branch of Arkime we build and store the results here. The builds are based on Arkime 5, so if upgrading from Arkime 4, make sure you've followed the upgrading to 5 instructions. If you don't want to run the pre release version, check out our stable release.

Installation Instructions | 5.x Upgrade instructions | FAQ | CHANGELOG | JA4+ Install

The EL7 and Ubuntu 18 builds are still available here until 5/1/2024.

(Please ignore the release timestamp and only pay attention to the Asset timestamps)

Installation Instructions | 5.x Upgrade instructions | Copyright Notices | FAQ | CHANGELOG

A db.pl upgrade is required when upgrading.

✨ What's new ✨

BREAKING

• #2297 s3Compression/simpleCompression now default to zstd
• #2297 s3WriteGzip removed, use s3Compression=gzip
• #2297 s3GapPacketPos defaults to TRUE
• #2297 enablePacketDedup defaults to TRUE
• #2299 authMode defaults to digest now
• #2312 removed old v1 APIs
• #2349 parliament password removed, must configure common auth via the UI before upgrading or manually in the config file see parliament and how do I upgrade to 5
• #2402 WISE/tagger must now use http.request.FIELD/http.response.FIELD when referencing header defined with headers-http-request/headers-http-response
• #2450 Centos 7 build no longers supports pfring
• #2453 Increase simpleCompressionBlockSize default to 64000
• #2299 #2308 Remove anonymous auth as the default

Release

• #2448 zstd 1.5.5, nghttp2 1.57.0, maxmind 1.7.1, yara 4.2.3
• #2448 node v18.18.2 - Centos 7, Ubuntu 18, Alpine use unofficial builds
• #2447 support building on alpine

All

• #2316 programs support same config file formats (ini/json/yaml) and retrieval (file, elasticsearch)
• #2419 json/yaml config file formats now allow arrays instead of comma/semi separated
• #2299 #2308 authMode setting added
• #2299 #2408 #2463 added authMode: basic, form, basic+form, basic+oidc, headerOnly, header+digest (same as header), header+basic
• #2387 notifiers for parliament and arkime merged conflicts mitigated by appending "Parliament" to parliament notifiers
• #2396 drop privileges is now AFTER http(s) list

Capture

• #2295 moloch converted to arkime
• #2312 override ips can now set any field
• #2312 overrideIpsFiles setting
• #2314 packetDropIpsFiles setting
• #2390 can have negative cert.validDays/cert.remainingDays (thanks @mcgillowen)
• #2390 added cert.remainingSeconds/cert.remainingSeconds (thanks @mcgillowen)
• #2390 cert.remainingDays is now based on the firstPacket of session instead of current time (thanks @mcgillowen)
• #2409 JA4 support
• #2409 JA3/JA4 support for smtp STARTTLS
• #2297 always build zstd (except arch)

Cont3xt

• #2121 new bulk UI and support for bulk queries
• #2271 lots of keyboard shortcut improvements
• #2383 new array syntax for links substitution
• #2382 new OpenSearch/Elasticsearch integration (config file only)
• #2441 new csv/json file/url/redis integration (config file only)
• #2385 new viewRoles in config file per integration to control access
• #2407 transfer ownership of resources
• #2437 new csv/json data source supports
• #2441 new redis data source support

ESProxy

• #2483 #2484 support field updates/deletes

Viewer

• #2296 removed x-moloch-auth
• #2392 files/history/stats now have cluster dropdown for multiviewer
• #2402 http.request.FIELD and http.response.FIELD supported
• #2404 add editor for resources
• #2407 transfer ownership of resources
• #2482 added uploadRoles to control who can upload

Parliament

• #2377 dashboard-only mode removed, if you want users to just see the dashboard don't assign them the parliamentUser role
• #2395 configuration is now stored in opensearch/elasticsearch

---

ℹ️ Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el7 download for Centos 7 or RHEL 7. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024

Installation Instructions | 4.x Upgrade instructions | Copyright Notices | FAQ | CHANGELOG

:sparkles: What's new ✨

Release

• curl 8.4.0
• fix viewer systemd file

Capture

• fix zstd hanging capture on full buffer

Viewer

• corrupt http session decoding might hang viewer
• handle uncompressing pcap errors better
• role check in UI didn't always work

All

• handle cookies encoded with bad proxy

---

ℹ️ Download Info

We offer downloads for many different OS versions because of library differences. For example, use the el7 download for Centos 7 or RHEL 7. If you have a libssl version error, it is most likely that the wrong download was used for your OS. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2024.