
Installing Arkime

Arkime Dashboard

  • Download the Arkime installation scripts from here (Arkime installation script under External Links)

  • Copy the tar to the Arkime server and extract using the below command

    aviz@npbsrv01:~/OPB_Arkime$ tar -zxvf OPB_Analyzer.tar.gz 
    OPB_Analyzer/
    OPB_Analyzer/stop.sh
    OPB_Analyzer/elasticsearch.tar
    OPB_Analyzer/start.sh
    OPB_Analyzer/arkime.tar
    aviz@npbsrv01:~/OPB_Arkime$ 

  • Move to the extracted folder

  • Add permission to execute the ‘start.sh’ and ‘stop.sh’ scripts

  • Execute the ‘start.sh’ script; the script will perform the following actions

    1. Start a local ES storage node on port 9200

    2. Set up directories for PCAP and log capture

    3. Ask the user for the interfaces to capture data on

    4. Start the Arkime container

  Note: Arkime uses Elasticsearch (ES) for indexing and searching, so ES must be installed before starting Arkime.

  • Open URL http://<arkime-server-ip>:8005/ from your favourite browser and enter the below credentials

    • User: admin

    • Password: admin

Installation Pre-Requisites

    This section describes the ports that need to be opened, the software and hardware requirements, and the theoretical calculations for storage scaling requirements.

    Customer Firewall Configuration

    Application Name                                 Port to be opened
    ElasticSearch                                    9200
    Arkime                                           8005
    Kibana                                           5601

    Note: If users want to run the above services on non-default ports, refer to https://docs.docker.com/network/ to make use of docker port forwarding.

    Browser Requirements: Chrome, Safari

    Software Requirements

    • Ubuntu 22.04

    • Docker needs to be installed.

    • python3 for running helper scripts.
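    The firewall table above says which ports must be reachable, but not from where. The script below is an added example (not part of the Aviz installation scripts) that renders an iptables policy opening each listed port only to the hosts that need it: a management network for SSH, HTTP, the Arkime viewer and Kibana; the Arkime and Kibana hosts for Elasticsearch on 9200; the ES nodes for the 9300 transport port. Elasticsearch 7.x does not enforce authentication unless its security features have been enabled, which is why 9200 gets the narrowest source list. The CIDRs in the table are constructed placeholders, not addresses from this page; replace them with the real ones before applying the output.

```shell
#!/bin/sh
# Added example: render a host firewall policy for the ports in the
# Customer Firewall Configuration table. Not part of the vendor's scripts.
# Assumptions: iptables is the host firewall; the source CIDRs below are
# placeholders to be replaced with the real management network and the
# Arkime / Kibana / Elasticsearch node addresses.

# Rule table: "<port> <purpose> <allowed source CIDRs, comma separated>".
# Ports are the ones stated on this page; sources are constructed placeholders.
rules() {
    cat <<'EOF'
22   ssh-scp        10.0.0.0/24
8005 arkime-viewer  10.0.0.0/24
5601 kibana         10.0.0.0/24
80   http           10.0.0.0/24
9200 elasticsearch  10.0.1.10/32,10.0.1.11/32
9300 es-transport   10.0.1.0/24
EOF
}

# 0 when $1 looks like an IPv4 CIDR: dotted quad plus a /0-/32 prefix
# (octet range is not checked; this catches the usual typos only).
valid_cidr() {
    printf '%s\n' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Read a rule table on stdin and print the iptables commands that implement it.
# Returns 1 if any CIDR is malformed, so a typo never silently becomes a missing
# allow rule; the DROP for the listed service ports is still emitted.
render_iptables() {
    status=0
    ports=""
    echo "iptables -N OPB-ALLOW 2>/dev/null || iptables -F OPB-ALLOW"
    while read -r port purpose sources; do
        [ -n "$port" ] || continue
        ports="${ports:+$ports,}$port"
        # split the comma separated source list into words
        for src in $(printf '%s\n' "$sources" | tr ',' ' '); do
            if valid_cidr "$src"; then
                echo "iptables -A OPB-ALLOW -p tcp --dport $port -s $src -m comment --comment $purpose -j ACCEPT"
            else
                echo "# ERROR: invalid CIDR '$src' for port $port ($purpose)" >&2
                status=1
            fi
        done
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -j OPB-ALLOW"
    # default deny for the service ports only; the rest of INPUT is left as is
    [ -n "$ports" ] && echo "iptables -A INPUT -p tcp -m multiport --dports $ports -j DROP"
    return $status
}

# Print the policy; pipe into 'sudo sh' only after reviewing it.
rules | render_iptables
```

    Run it on each host and review the output before applying it; the DROP rule covers only the six ports from the table, so existing policy for other services is unaffected. Ports changed in ‘start.sh’ (see Changing ES port and Changing Kibana Port under Troubleshooting) must be changed in the table as well.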

    Solution Components

    Components

    Open Network Operating System

    Open Packet Broker NOS () is a set of containerized applications built on and running on top of the open-source SONiC NOS. The NOS provides an affordable solution to aggregate, filter, replicate and load balance network traffic from hardware TAPs.

    • Filter, Replicate and Load Balance: APB provides the basic functionalities of any packet broker on commodity ASICs, including filtering based on L2/L3/L4 headers, replicating traffic with unique identification and providing symmetric load balancing.

    • Deep Inspection, Truncate, Tunnel: Advanced functions including user-defined offset-based inspection of tunnelled packets (IP-in-IP, VXLAN, MPLS, GRE) and forwarding of monitored traffic across data centres using an IP underlay. One of the unique value-added features is truncation of the payload, which reduces the storage cost at the tool farm.

    • 5G Ready: APB supports parsing of GTP-C and GTP-U packets, providing advanced filtering and load balancing based on inner headers.

    Packet Capture and Viewer

    Open-source Arkime (Moloch) is deployed for capturing packets from the network aggregators and load balancers. The capture module can sniff packets from the NIC and also supports processing packets from pcap files. The captured packets can be visualized using a simplified viewer providing insights into the metadata, including packet headers and payloads. This component also writes the metadata to a centralized storage cluster for future analysis.

    Centralized Storage and Visualization

    For centralized storage an Elasticsearch (ES) cluster is utilized, which supports distributed scalable storage along with automatic sharding. The metadata saved across the Elasticsearch cluster is visualized using Kibana, which provides drilled-down information about sessions, network stats and dashboards.

    Benefits

    Cloud Network Infrastructure Monitoring

    Monitoring a cloud network spread across separate data centres can create blind spots that might lead to security and compliance issues. The solution provides comprehensive visibility across the cloud infrastructure, giving end-to-end visibility into the application and traffic flow and making it easier to correlate network and security events across data centres.

    Advanced Monitoring

    Aviz APB exposes the ASIC capabilities for advanced monitoring, including deeper packet inspection for security applications, tunnelling (VXLAN) data across data centres using the existing IP underlay, and 5G (GTP) packet processing for load balancing using inner headers. All these advanced capabilities support wire-speed forwarding of monitored traffic.

    Distributed Solution

    The architecture of the complete solution for packet monitoring and analysis is highly distributed, supporting per-site packet capture, analysis and troubleshooting. The metadata extracted from the monitored traffic is stored in a distributed clustered database for centralized analysis and visualization.

    Cost Effective

    The solution provides end-to-end visibility and wire-speed access to network traffic without the need to invest in new hardware. OPBNOS is built on the open-source NOS SONiC, which is supported by the majority of ASIC and switch vendors, so customers can easily upgrade to this solution on their existing hardware. Packet capture, analysis and visualization are performed using open-source software running on commodity x86 hardware running Linux.

    Configuring APB

    APB provides a highly scalable, flexible and affordable solution to aggregate, filter and load balance network traffic from hardware or virtual TAPs to connected tools for analysis and visualization.

    It provides line-rate traffic forwarding using the switching ASIC by configuring flow paths between two or more ports. By leveraging the APB solution, enterprises can quickly scale up or down to meet the ever-changing demands of network visibility and security tools.

    • Download the latest build of APB from here (OPBNOS download link under External Links)

    • APB can be installed by following the installation guide (OPBNOS configuration guide under External Links)

    • Login into the switch with default credentials

      • User: admin

      • Password: admin

    • Configure the Management IP

    • Configure the network ports; these are the ports that connect to network TAPs

    • Configure the tool ports; these are the ports that connect to security tools

    • Configure a flow to filter and forward traffic

    • Verify the configured flow

    The same rules can also be configured by using Aviz FlowVision:

    Network Visibility and Analysis with APB, Arkime, Elasticsearch & Kibana

    The cost-efficient open-source Packet Broker Visibility solution harnesses truly open-source tools for comprehensive visibility and analysis, delivering up to 80% TCO (Total Cost of Ownership) benefit.

    The packet stream to Arkime is fed by APB, which provides the capability to filter, load-balance and aggregate traffic from network taps.

    Arkime is a large-scale, open-source, indexed packet capture and search system that augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.

    Arkime uses Elasticsearch (ES) as its backend data store for storing and indexing network traffic data. Elasticsearch is designed for fast indexing and searching of large volumes of data. It provides a flexible query language that allows users to easily search and filter data based on various criteria, such as IP addresses, ports, protocols and time ranges, and it is highly scalable, handling large volumes of data across multiple nodes in a cluster.

    Kibana is a free and open frontend application that sits on top of Elasticsearch (ES), providing search and data visualization capabilities for data indexed in Elasticsearch. Kibana is a data visualization and management tool for Elasticsearch that provides real-time histograms, line graphs, pie charts and maps. Kibana also includes advanced applications such as Canvas, which allows users to create custom dynamic infographics based on their data, and Elastic Maps for visualizing geospatial data.

    aviz@npbsrv01:~/OPB_Arkime$ cd OPB_Analyzer/
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ ls -l
    total 1208660
    -rw------- 1 aviz aviz 620387328 Dec 23 04:15 arkime.tar
    -rw------- 1 aviz aviz 617262080 Dec 23 04:16 elasticsearch.tar
    -rwxrwxr-x 1 aviz aviz      1403 Dec 23 05:21 start.sh
    -rwxrwxr-x 1 aviz aviz       160 Dec 23 04:43 stop.sh
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ 
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo chmod +x start.sh
    [sudo] password for aviz:
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo chmod +x stop.sh
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo ./start.sh 
    Loading docker images...
    Loaded image: avizdock/docker-arkime:latest
    Loaded image: docker.elastic.co/elasticsearch/elasticsearch:7.17.3
    Enter Semicolon ";" separated list of interfaces to listen for live traffic: enp130s0f1
    vm.max_map_count = 262144
    f07938f9e08183c763791733cda1bd19664675b44269fa7bc7e8d800001156b8
    18f93340d929695b81915bebf8ed4a275439a25c4542a33944f093115facc17c
    Access Arkime Viewer at:
    http://<host>:8005
    username: admin
    password: admin
    
    waiting for initialization...
    
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$

    The following installation scripts assume static IP addresses have been assigned to the hosts that run the docker containers, so having the IP address list of the hosts would be helpful.

  • Make sure the capture interface for Arkime is in the UP state

    Customer Firewall Configuration (continued)

    Application Name                                 Port to be opened
    Kibana                                           5601
    HTTP                                             80
    SSH/ SCP                                         22
    TCP connection for local to remote ES cluster    9300

    Docker port forwarding reference: https://docs.docker.com/network/

  • Unified Management: Aviz FlowVision provides a single pane of glass to manage and visualize the solution. APB also supports an industry-standard CLI and a RESTful API for integration into customer orchestration systems.

    Solution Architecture

    APB

    The APB Visibility solution is truly based on open networking principles, using open networking switch hardware running a software-defined APB built on the open-source NOS SONiC, providing aggregation, filtering and load balancing of monitored traffic. The monitoring solution is completely designed using open-source analytics software for packet processing, storage and visibility on commodity x86 nodes.

    Pre-requisite

    • The following OSes should work out of the box:

      • Arch

      • CentOS/RHEL 7, 8, 9

      • Amazon Linux 2

      • Ubuntu 18.04, 20.04, 22.04

    • An installation of Docker Container Engine.

    // Management IP
    configure terminal
    interface mgmt
    ip address 10.4.4.96/23 gateway 10.4.4.1
    end

    // Network port (connects to a network TAP)
    configure terminal
    interface ethernet Ethernet63/1
    forward-error-correction rs
    type network
    end

    // Tool port (connects to a security tool)
    configure terminal
    interface ethernet Ethernet64/1
    forward-error-correction rs
    type tool
    end

    // Traffic Truncation (IPv4 and IPv6)
    configure terminal
    interface ethernet Ethernet63/1 
    truncate 64

    // Traffic Redirection (L2 and L3 Traffic)
    configure terminal
    flow flow01
    network-ports Ethernet63/1
    tool-ports Ethernet64/1
    rule 1 permit vlan 100 counters enable
    rule 2 permit vlan 512 counters enable
    rule 3 permit src-ip 10.10.10.1/32 dest-ip 20.20.20.1/32 counters enable
    rule 4 permit src-ip 213.22.1.2/32 dest-ip 112.23.42.2/32 protocol udp counters enable
    enable
    end

    // Load Balance Traffic on Multiple Tool Ports
    // Traffic Distribution (IPv4 and IPv6) and Symmetric Hashing
    configure terminal
    port-group 10 ports Ethernet6/1, Ethernet7/1

    flow flow2
    network-ports Ethernet63/1
    tool-ports port-group10
    rule 1 permit src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol tcp counters enable
    rule 2 permit src-ip 2401::1 src-netmask f::f dest-ip 2401::2 dest-netmask f::f counters enable
    enable
    end

    // Verify the configured flow
    pbnoscli# show flow summary
    Flow-Name       Rule-Id        Status      Counter-Value
    =========================================================
    flow01          2             Active          52562              
    flow01          1             Active          56289              
    pbnoscli#
    pbnoscli# show running-config          
    configure terminal
    interface ethernet Ethernet248
    forward-error-correction rs
    type network
    !
    interface ethernet Ethernet252
    forward-error-correction rs
    type tool
    !
    interface mgmt
    ip address 10.4.4.96/23 gateway 10.4.4.1
    !
    port-group 10 ports Ethernet6/1, Ethernet7/1
    flow flow01
    enable
    network-ports Ethernet63/1
    tool-ports port-group10
    rule 1 permit src-ip 10.10.10.1/32 dest-ip 20.20.20.1/32 counters enable
    rule 2 permit src-ip 213.22.1.2/32 dest-ip 112.23.42.2/32 protocol udp counters enable
    !
    pbnoscli#

    Troubleshooting

    If the UI is not accessible

    Check the docker status

    Check that the Arkime and ES dockers are running and their status is ‘Up’. If any of the dockers is not visible, try running ‘start.sh’ with the correct permissions; if the issue is not resolved, try restarting the dockers.

    Output of ‘sudo docker ps’:

    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo docker ps

    Check that Elasticsearch is running and the status is ‘green’

    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ curl http://localhost:9200/_cat/health
    1671295994 16:53:14 es-docker-cluster green 1 1 21 21 0 0 0 0 - 100.0%
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$

    Try restarting the dockers

    When Arkime is unable to connect correctly to Elasticsearch, the Arkime UI may not be reachable.

    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo docker restart arkime
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo docker restart elasticsearch

    Check that the UI is reachable by visiting http://arkime-hostname:8005 from your browser.

    If ES keeps restarting after a system reboot

    ‘start.sh’ sets vm.max_map_count for the running system only (this is the ‘vm.max_map_count = 262144’ line in its output):

    sysctl -w vm.max_map_count=262144

    Add the vm.max_map_count setting to a sysctl configuration file to make the change persistent across reboots:

    1. Open the sysctl configuration file /etc/sysctl.conf using a text editor with root privileges:

       sudo nano /etc/sysctl.conf

    2. Add the following line to the end of the file:

       vm.max_map_count=262144

    3. Save and close the file.

    4. To apply the changes, either reboot your system or run the following command to reload the sysctl settings:

       sudo sysctl -p

    Changing ES port

    If port 9200 is used by another service running on the server, it can be changed in the ‘start.sh’ script before execution.

    Port format: “Global port:Local port”

    Using your favourite text editor, change the ‘Global port’ to any available and accessible port, and update the same port in the ‘ES_PORT’ attribute.

    Changing Arkime Password

    Log in to the Web GUI and navigate to User > admin_user ⚙️ > Password, enter ‘admin’ as the current password and set a new password for the admin user.

    Changing Kibana Port

    If port 5601 is used by another service running on the server, it can be changed in the ‘start.sh’ script before execution. If the ES port was changed, the same can be edited here along with the ES node IP.

    Stopping Arkime & ES

    Execute the ‘stop.sh’ script to stop and delete the Arkime and ES docker containers; the script will not delete the data and es_data folders or the stored PCAPs.

    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ sudo ./stop.sh 
    [sudo] password for aviz: 
    arkime
    elasticsearch
    aviz@npbsrv01:~/OPB_Arkime/OPB_Analyzer$ 

    Stopping Kibana

    Execute the ‘stop.sh’ script to stop and delete the Kibana docker container.

    aviz@npbsrv01:~/OPB_Arkime/OPB_Kibana$ sudo ./stop.sh 
    [sudo] password for aviz: 
    Stopping Kibana...
    kibana
    kibana
    aviz@npbsrv01:~/OPB_Arkime/OPB_Kibana$

    External Links

    • OPBNOS download link - https://aviznetworks.egnyte.com/fl/r4izmRT790

    • OPBNOS configuration guide - https://aviznetworks.gitbook.io/opbnos/

    • Arkime installation script - https://aviznetworks.egnyte.com/dl/HfSCF1Xr7p

    • Aviz support portal - https://support.aviznetworks.com/hc/en-us

    • Arkime official website - https://arkime.com/
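    The checks in this section (docker status, Elasticsearch health, vm.max_map_count, port conflicts) can be collected into one script. The following is an added example, not the vendor's start.sh or stop.sh. It assumes the container names arkime, elasticsearch and kibana that stop.sh prints above, the port numbers from the Customer Firewall Configuration table, the `_cat/health` line format shown above, and that sysctl, ss or netstat, docker and curl are present where each probe uses them. Every probe is tolerant, so on a partially installed host the script reports rather than aborts; the parsing helpers take their input as arguments or stdin so they can be exercised without a live cluster.

```shell
#!/bin/sh
# Added example (not the vendor's start.sh): pre-flight and health checks for an
# Arkime / Elasticsearch / Kibana host, using the values stated on this page:
# vm.max_map_count=262144, ES on 9200/9300, Arkime on 8005, Kibana on 5601.
# Assumptions: container names arkime, elasticsearch, kibana; sysctl, ss (or
# netstat), docker and curl available where each probe is used.

REQUIRED_MAP_COUNT=262144
SERVICE_PORTS="9200 9300 8005 5601"

# 0 when the supplied vm.max_map_count value meets the Elasticsearch minimum.
max_map_count_ok() {
    [ "${1:-0}" -ge "$REQUIRED_MAP_COUNT" ]
}

# Print the cluster status word (4th field) of one `_cat/health` line.
es_health_status() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# 0 for green, 1 for yellow (usable, replicas unassigned), 2 for red/unknown/empty.
es_health_rc() {
    case "$(es_health_status "$1")" in
        green)  return 0 ;;
        yellow) return 1 ;;
        *)      return 2 ;;
    esac
}

# Given `docker ps --format '{{.Names}} {{.Status}}'` output on stdin, print the
# names from $* that are not running ("<name> Up ..."). No output: all are up.
containers_not_up() {
    ps_out=$(cat)
    for name in "$@"; do
        printf '%s\n' "$ps_out" | grep -q "^${name} Up" || printf '%s\n' "$name"
    done
}

# 0 when nothing on this host is already listening on TCP port $1.
port_free() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null | awk 'NR>1 { print $4 }')
    else
        listeners=$(netstat -ltn 2>/dev/null | awk '{ print $4 }')
    fi
    ! printf '%s\n' "$listeners" | grep -qE "[:.]$1\$"
}

# 0 when $1 (a sysctl.conf style file) already pins vm.max_map_count to the
# required value, so the persistence step from this section is idempotent.
sysctl_conf_pinned() {
    grep -qE "^[[:space:]]*vm\.max_map_count[[:space:]]*=[[:space:]]*${REQUIRED_MAP_COUNT}[[:space:]]*\$" "$1" 2>/dev/null
}

# Live report. Every probe degrades gracefully on a host that lacks the tool.
preflight_report() {
    current=$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)
    if max_map_count_ok "$current"; then
        echo "vm.max_map_count=$current OK"
    else
        echo "vm.max_map_count=$current too low (need $REQUIRED_MAP_COUNT): sudo sysctl -w vm.max_map_count=$REQUIRED_MAP_COUNT"
    fi
    sysctl_conf_pinned /etc/sysctl.conf && echo "/etc/sysctl.conf pins vm.max_map_count" \
        || echo "/etc/sysctl.conf does not pin vm.max_map_count (ES may keep restarting after reboot)"
    for p in $SERVICE_PORTS; do
        port_free "$p" && echo "port $p free" || echo "port $p already in use"
    done
    health=$(curl -s --max-time 3 http://localhost:9200/_cat/health 2>/dev/null || true)
    es_health_rc "$health" && rc=0 || rc=$?
    echo "elasticsearch health: ${health:-unreachable} (rc=$rc)"
    if command -v docker >/dev/null 2>&1; then
        missing=$(docker ps --format '{{.Names}} {{.Status}}' 2>/dev/null | containers_not_up arkime elasticsearch kibana)
        [ -z "$missing" ] && echo "containers up" || echo "containers not up: $(printf '%s ' $missing)"
    fi
}

preflight_report
```

    Run it before ‘start.sh’ to catch a port that is already taken or a missing sysctl setting, and again after a reboot: an rc of 2 for Elasticsearch together with a container that is not up points at the vm.max_map_count case described above rather than at Arkime itself.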

    Installing Kibana

    Kibana Dashboard

    • Download the Kibana installation scripts from here

    • Copy the tar to the Kibana server and extract using the below command

    aviz@npbsrv01:~/OPB_Arkime$ tar -zxvf OPB_Kibana.tar.gz 
    OPB_Kibana/
    OPB_Kibana/stop.sh
    OPB_Kibana/kibana.tar.gz
    OPB_Kibana/start.sh
    aviz@npbsrv01:~/OPB_Arkime$  

    • Move to the extracted folder

    • Execute the ‘start.sh’ script; the script will perform the following actions

      1. Start the Kibana node on port 5601

      2. Connect to the ES Storage node on port 9200

      3. Start the Kibana container

    • Open URL http://<Kibana-server-ip>:5601/ from your favourite browser

    • Create Kibana Dashboards

    aviz@npbsrv01:~/OPB_Arkime$ cd OPB_Kibana/
    aviz@npbsrv01:~/OPB_Arkime/OPB_Kibana/$ ls -l
    total 312496
    -rw-rw-r-- 1 aviz aviz 319979929 Apr 27 12:13 kibana.tar.gz
    -rwxrwxr-x 1 aviz aviz       747 Apr 28 11:31 start.sh
    -rwxrwxr-x 1 aviz aviz       155 Apr 28 11:33 stop.sh
    aviz@npbsrv01:~/OPB_Arkime/OPB_Kibana$ 
    aviz@npbsrv01:~/OPB_Arkime/OPB_Kibana$ sudo ./start.sh 
    Loading docker images...
    Loaded image: docker.elastic.co/kibana/kibana:7.17.3
    vm.max_map_count = 262144
    WARNING: Published ports are discarded when using host network mode
    5dd385bed21e56393906da9a701e61f69f0e433a4c5a3e11c901860882edd189
    Access Kibana Dashboard at:
    http://<host>:5601
    
    waiting for initialization...
    aviz@npbsrv01:~/OPB_Arkime/OPB_Kibana$