The perfect combo: Arkime and Wireshark

How do you filter through the vast amount of network traffic to find the needle in the haystack?

Sure, you can create a BPF capture filter and further narrow down the data using display filters in Wireshark. But first, you need to ensure you have a tap on the link where the data of interest is flowing.

And don’t you need to see the data before you can even start thinking about filtering?

I believe Arkime can add a lot of value and save time once you dig into the world of packet decoding and security analysis, but what is Arkime anyway?

Arkime (formerly Moloch) is a powerful open-source, large-scale, full-packet capture and indexing system. It allows for comprehensive packet capture across network segments, such as critical links like an egress interface to the internet, and provides an intuitive web interface for analyzing network traffic. Arkime excels at session-based exploration, offering detailed session metadata (SPI details), a connection graph, and map views for quick, high-level insights. Once relevant traffic is identified, users can easily filter and download the associated packet capture (PCAP) files for deeper analysis using tools like Wireshark.

I’ve installed Arkime on a Protectli device (8 Ethernet ports, 16GB RAM, 1TB SSD) in my home lab and connected a tap from my egress internet link to the system. It continuously captures all packets on the link, typically running for several days or even weeks at a time.

This is perfect for statistics, and it is an easy tool for singling out the traffic I want to examine more deeply with Wireshark.

Arkime Screens

With Arkime, virtually every field indexed can be used to create filters, and it’s as simple as clicking. In the following example, I was curious about connection requests from a node in Russia.

To set the filter, I simply clicked on Russia on the map, which automatically generated a display filter in Arkime.

Then, by clicking the "Download PCAP" button, I saved the filtered packet capture, and with just a double-click, I opened it in Wireshark.
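The manual flow just described (narrow the sessions in Arkime, download the filtered PCAP, open it in Wireshark) is something a small script can reproduce offline when you already hold a capture file. The following is an added example, not code from this post or from the Arkime project: a minimal reader for the classic libpcap format that keeps only the records whose IPv4 5-tuple satisfies a predicate and writes them back out as a valid pcap that Wireshark will open. It carries no GeoIP database, so unlike the map click in Arkime it filters by address and port rather than by country. The sample frames, the addresses (taken from the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges) and the `keep_https_to_target` predicate are all constructed for the example.

```python
"""Filter a classic libpcap file down to the packets you want to open in Wireshark."""
import struct
from typing import Callable, Iterator, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution pcap, little-endian host order
ETHERTYPE_IPV4 = 0x0800
IPTuple = Tuple[str, str, int, Optional[int], Optional[int]]  # src, dst, proto, sport, dport


def iter_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (16-byte record header, packet bytes) for every record in a pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", hdr)
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        yield hdr, pkt
        off += 16 + incl_len


def ipv4_tuple(pkt: bytes) -> Optional[IPTuple]:
    """Decode an Ethernet/IPv4 frame into (src, dst, proto, sport, dport); None if not IPv4."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[23]                      # protocol field at IP offset 9
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= 14 + ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
    return src, dst, proto, sport, dport


def filter_pcap(data: bytes, keep: Callable[[IPTuple], bool]) -> bytes:
    """Return a new pcap (same global header) holding only the records that satisfy keep()."""
    out = [data[:24]]
    for hdr, pkt in iter_records(data):
        t = ipv4_tuple(pkt)
        if t is not None and keep(t):
            out.append(hdr + pkt)
    return b"".join(out)


def count_records(data: bytes) -> int:
    return sum(1 for _ in iter_records(data))


# --- constructed sample data (not a real capture) ---------------------------------
def make_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Build a minimal Ethernet/IPv4 frame with an 8-byte transport header."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    l4 = struct.pack("!HHI", sport, dport, 0)
    return eth + ip + l4


def make_pcap(frames) -> bytes:
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return global_hdr + b"".join(recs)


TARGET = "203.0.113.10"   # constructed "remote host of interest", stands in for the map click
SAMPLE_PCAP = make_pcap([
    make_frame("192.0.2.5", TARGET, 6, 51000, 443),        # HTTPS to the target: keep
    make_frame("192.0.2.5", "192.0.2.53", 17, 40000, 53),  # local DNS: drop
    make_frame("192.0.2.7", TARGET, 6, 51001, 443),        # HTTPS to the target: keep
    make_frame(TARGET, "192.0.2.5", 6, 443, 51000),        # reply direction: drop by this predicate
])


def keep_https_to_target(t: IPTuple) -> bool:
    return t[1] == TARGET and t[2] == 6 and t[4] == 443


if __name__ == "__main__":
    filtered = filter_pcap(SAMPLE_PCAP, keep_https_to_target)
    print("kept %d of %d records" % (count_records(filtered), count_records(SAMPLE_PCAP)))
    with open("filtered.pcap", "wb") as fh:   # open this in Wireshark
        fh.write(filtered)
```

The predicate is the only part you change for a different question; for the bidirectional session view that Arkime gives you, match either `t[0]` or `t[1]` against the address instead of just the destination.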

Save and view filtered PCAP

Even though I’ve always had a capture interface—whether through an SSH tunnel, ERSPAN, or similar setup on my internet link—it was always a cumbersome process to catch the right data for analysis. This new setup with Arkime, however, is extremely convenient for me. It’s always active, and with the appliance maintaining around 800GB of PCAPs from the last few days or weeks, it has quickly become my preferred choice for seamless packet analysis.

If you're interested in learning more about network technology or Wireshark, be sure to check out the training curriculum from AnyWeb-Training or reach out to us directly via e-mail or phone.

AnyWeb covers the entire lifecycle of IT solutions with their consulting, implementation, support, and training services. As a well-established and trusted partner, they are the ideal choice for your networking and security projects.

BTW, I'll present at SharkFest Vienna in early November; you can still register:

https://sharkfest.wireshark.org/sfeu/

#wireshark #wiresharkfoundation #cybersecurity #packets_dont_lie #anyweb

More articles by Walter Hofstetter