{"id":10913,"date":"2021-11-13T00:43:06","date_gmt":"2021-11-12T21:43:06","guid":{"rendered":"https:\/\/kifarunix.com\/?p=10913"},"modified":"2024-03-18T08:09:42","modified_gmt":"2024-03-18T05:09:42","slug":"install-arkime-moloch-full-packet-capture-tool-on-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-arkime-moloch-full-packet-capture-tool-on-debian\/","title":{"rendered":"Install Arkime (Moloch) Full Packet Capture tool on Debian 11"},"content":{"rendered":"\n<p>Welcome to our tutorial on how to install Arkime (Moloch) Full Packet Capture tool on Debian 11.&nbsp;<a href=\"https:\/\/arkime.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Arkime<\/a>, formerly known as Moloch, <em>\u201cis a large scale, open source, indexed packet capture and search system\u201d<\/em>.<\/p>\n\n\n\n<p>Using an Ubuntu system? Follow the link below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-arkime-moloch-full-packet-capture-tool-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Arkime (Moloch) Full Packet Capture tool on Ubuntu<\/a><\/p>\n\n\n\n<p>According to its&nbsp;<a href=\"https:\/\/github.com\/arkime\/arkime\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repository<\/a>, some of the features of Arkime include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It stores and indexes network traffic in standard PCAP format, providing fast, indexed access.<\/li>\n\n\n\n<li>Provides an intuitive web interface for PCAP browsing, searching, and exporting.<\/li>\n\n\n\n<li>Exposes APIs which allow for PCAP data and JSON formatted session data to be downloaded and consumed directly.<\/li>\n\n\n\n<li>Stores and exports all packets in standard PCAP format, allowing you to also use your favorite PCAP ingesting tools, such as wireshark, during your analysis workflow.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Install Arkime on Debian<\/h2>\n\n\n\n<p>You can install Arkime on Debian by 
either:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#prebuild-binary\">using prebuilt binary packages<\/a> or<\/li>\n\n\n\n<li><a href=\"#build-from-source\">building it from source<\/a>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prebuild-binary\">Install Arkime using Prebuilt Binary on Debian<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Download Arkime Binary Installer<\/h4>\n\n\n\n<p>There is no Debian-specific binary package as of this writing, so we will use the package built for Ubuntu, preferably Ubuntu 20.04, which installs on Debian 11 with its dependencies pulled from the Debian repositories.<\/p>\n\n\n\n<p>Navigate to the&nbsp;<a href=\"https:\/\/arkime.com\/downloads\" target=\"_blank\" rel=\"noreferrer noopener\">downloads page<\/a>&nbsp;and grab the binary installer for Ubuntu.<\/p>\n\n\n\n<p>You can also copy the link to the binary installer and pull it with&nbsp;<code><strong>curl<\/strong><\/code>&nbsp;or&nbsp;<strong><code>wget<\/code><\/strong>.<\/p>\n\n\n\n<p>For example, the command below downloads the current stable release of the Arkime binary installer for Ubuntu 20.04 (3.1.1 at the time of writing; check the downloads page for the current version);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/s3.amazonaws.com\/files.molo.ch\/builds\/ubuntu-20.04\/arkime_3.1.1-1_amd64.deb<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Run System Update<\/h4>\n\n\n\n<p>Update your system package cache;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install the Arkime Package<\/h4>\n\n\n\n<p>Next, install Arkime from the downloaded package. Passing the path with a leading <code>.\/<\/code> lets apt resolve the package's dependencies from the Debian repositories instead of leaving them unmet as <code>dpkg -i<\/code> would;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install .\/arkime_3.1.1-1_amd64.deb<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Reading package lists... Done\nBuilding dependency tree... Done\nReading state information... 
Done\nNote, selecting 'arkime' instead of '.\/arkime_3.1.1-1_amd64.deb'\nThe following additional packages will be installed:\n  ethtool libauthen-sasl-perl libclone-perl libcommon-sense-perl libdata-dump-perl libencode-locale-perl libfile-listing-perl libfont-afm-perl libhtml-form-perl\n  libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl\n  libhttp-negotiate-perl libio-html-perl libio-socket-ssl-perl libjson-perl libjson-xs-perl liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl\n  libnet-http-perl libnet-smtp-ssl-perl libtimedate-perl libtry-tiny-perl libtypes-serialiser-perl liburi-perl libwww-perl libwww-robotrules-perl libyaml-0-2 libyaml-dev\nSuggested packages:\n  libdigest-hmac-perl libgssapi-perl libcrypt-ssleay-perl libauthen-ntlm-perl libyaml-doc\nThe following NEW packages will be installed:\n  arkime ethtool libauthen-sasl-perl libclone-perl libcommon-sense-perl libdata-dump-perl libencode-locale-perl libfile-listing-perl libfont-afm-perl libhtml-form-perl\n  libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl\n  libhttp-negotiate-perl libio-html-perl libio-socket-ssl-perl libjson-perl libjson-xs-perl liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl\n  libnet-http-perl libnet-smtp-ssl-perl libtimedate-perl libtry-tiny-perl libtypes-serialiser-perl liburi-perl libwww-perl libwww-robotrules-perl libyaml-0-2 libyaml-dev\n0 upgraded, 36 newly installed, 0 to remove and 29 not upgraded.\nNeed to get 1,931 kB\/101 MB of archives.\nAfter this operation, 330 MB of additional disk space will be used.\nDo you want to continue? [Y\/n] y\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Elasticsearch on Debian<\/h3>\n\n\n\n<p>Arkime uses Elasticsearch as a search and indexing engine. 
Give Elasticsearch as much RAM as you can; it does the indexing and searching of all session metadata.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote td_pull_quote td_pull_center is-layout-flow wp-block-quote-is-layout-flow\">\n<p>NOTE: It is recommended that you run Elasticsearch on a node other than the one running Arkime. Arkime capture and viewer fail to start if Elasticsearch is not yet up when they are started, which is what happens on reboot when Elasticsearch is slow to come up. If you want everything on one host, order the Arkime capture and viewer services after the Elasticsearch service as shown later in this guide.<\/p>\n<\/blockquote>\n\n\n\n<p>To install Elasticsearch, first import the Elastic PGP key that APT uses to verify the repository;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/elastic.gpg<\/code><\/pre>\n\n\n\n<p>A key dropped in <code>\/etc\/apt\/trusted.gpg.d<\/code> is trusted for every APT source on the system. If you prefer to scope it to the Elastic repository only, store the keyring elsewhere and reference it with a <code>signed-by<\/code> option in the sources entry instead.<\/p>\n\n\n\n<p>Add the Elasticsearch 7.x APT repository;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main\" &gt; \/etc\/apt\/sources.list.d\/elastic-7.x.list<\/code><\/pre>\n\n\n\n<p>Update the package cache and install Elasticsearch;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install elasticsearch -y<\/code><\/pre>\n\n\n\n<p>Elasticsearch 7.x installed this way binds to localhost only and does not enable authentication, which is why the curl check later in this guide works without credentials. Leave it bound to localhost; do not expose port 9200 to the network without enabling security first.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"build-from-source\">Install Arkime by building it from the source<\/h3>\n\n\n\n<p>Alternatively, you can build Arkime from source. 
Check the&nbsp;<a href=\"https:\/\/github.com\/arkime\/arkime#install\" target=\"_blank\" rel=\"noreferrer noopener\">installation page<\/a>&nbsp;for instructions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Arkime (Moloch) on Debian<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Configuring Arkime<\/h4>\n\n\n\n<p>Once the installation is done, run the Configure script shipped with the package and answer its prompts as described below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/bin\/Configure<\/code><\/pre>\n\n\n\n<p>Select the interface(s) to monitor. This should be the interface that receives the mirrored or tapped traffic, not your management interface;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Found interfaces: lo;enp0s3;enp0s8\nSemicolon ';' seperated list of interfaces to monitor &#91;eth1] <strong>enp0s8<\/strong><\/code><\/pre>\n\n\n\n<p>Choose whether the script should install a local demo Elasticsearch. We have already installed Elasticsearch, so answer <strong>no<\/strong>;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) &#91;no] <strong>no<\/strong> &#91;or <strong>SIMPLY PRESS ENTER<\/strong>]<\/code><\/pre>\n\n\n\n<p>Set the Elasticsearch server URL, <code>http:\/\/localhost:9200<\/code> in this setup. Press Enter to accept the default;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Elasticsearch server URL &#91;http:\/\/localhost:9200] <strong>ENTER<\/strong><\/code><\/pre>\n\n\n\n<p>Set the secret Arkime uses to protect S2S (viewer-to-viewer) requests and other sensitive values; the script stores it in <code>config.ini<\/code> as <code>passwordSecret<\/code>. 
Use a long random value instead of the placeholder shown here; every Arkime node that shares this Elasticsearch cluster must be configured with the same value.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Password to encrypt S2S and other things &#91;no-default] <strong>changeme<\/strong><\/code><\/pre>\n\n\n\n<p>The script then writes the configuration files, installs the systemd units and resource limits, and offers to download the GEO files (IANA address-space data and the Wireshark OUI list);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nMoloch - Creating configuration files\nInstalling systemd start files, use systemctl\nMoloch - Installing \/etc\/logrotate.d\/moloch to rotate files after 7 days\nMoloch - Installing \/etc\/security\/limits.d\/99-moloch.conf to make core and memlock unlimited\nDownload GEO files? (yes or no) &#91;yes] <strong>yes<\/strong>\nMoloch - Downloading GEO files\n...<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n2021-11-12 20:46:36 URL:https:\/\/www.iana.org\/assignments\/ipv4-address-space\/ipv4-address-space.csv [23328\/23328] -&gt; \"\/tmp\/tmp.O4R9DwNay1\" [1]\n2021-11-12 20:46:37 URL:https:\/\/raw.githubusercontent.com\/wireshark\/wireshark\/master\/manuf [1920087\/1920087] -&gt; \"\/tmp\/tmp.pa0Tq0aSb2\" [1]\n\nArkime - Configured - Now continue with step 4 in \/opt\/arkime\/README.txt\n\n 4) The Configure script can install elasticsearch for you or you can install yourself\n      systemctl start elasticsearch.service\n 5) Initialize\/Upgrade Elasticsearch Arkime configuration\n  a) If this is the first install, or want to delete all data\n      \/opt\/arkime\/db\/db.pl http:\/\/ESHOST:9200 init\n  b) If this is an update to a moloch\/arkime package\n      \/opt\/arkime\/db\/db.pl http:\/\/ESHOST:9200 upgrade\n 6) Add an admin user if a new install or after an init\n      \/opt\/arkime\/bin\/arkime_add_user.sh admin \"Admin User\" THEPASSWORD --admin\n 7) Start everything\n      systemctl start arkimecapture.service\n      systemctl start arkimeviewer.service\n 8) Look at log files for errors\n      \/opt\/arkime\/logs\/viewer.log\n      \/opt\/arkime\/logs\/capture.log\n 9) Visit http:\/\/arkimeHOST:8005 with your favorite browser.\n      user: admin\n      password: 
THEPASSWORD from step #6\n\nIf you want IP -&gt; Geo\/ASN to work, you need to setup a maxmind account and the geoipupdate program.\nSee https:\/\/arkime.com\/faq#maxmind\n\nAny configuration changes can be made to \/opt\/arkime\/etc\/config.ini\nSee https:\/\/arkime.com\/faq#moloch-is-not-working for issues\n\nAdditional information can be found at:\n  * https:\/\/arkime.com\/faq\n  * https:\/\/arkime.com\/settings\n\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Running Elasticsearch<\/h4>\n\n\n\n<p>Start Elasticsearch and enable it to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now elasticsearch<\/code><\/pre>\n\n\n\n<p>Verify that Elasticsearch is running and answering on the loopback address;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl http:\/\/localhost:9200<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>{\n  \"name\" : \"debian11\",\n  \"cluster_name\" : \"elasticsearch\",\n  \"cluster_uuid\" : \"tm5rhTHyTleSIwP6NMZBjA\",\n  \"version\" : {\n    \"number\" : \"7.15.2\",\n    \"build_flavor\" : \"default\",\n    \"build_type\" : \"deb\",\n    \"build_hash\" : \"93d5a7f6192e8a1a12e154a2b81bf6fa7309da0c\",\n    \"build_date\" : \"2021-11-04T14:04:42.515624022Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"8.9.0\",\n    \"minimum_wire_compatibility_version\" : \"6.8.0\",\n    \"minimum_index_compatibility_version\" : \"6.0.0-beta1\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Initialize the Arkime Elasticsearch Indices<\/h4>\n\n\n\n<p>Run the command below to create the Arkime indices in Elasticsearch. <code>init<\/code> is for a fresh install and erases any existing Arkime data; on an existing deployment use <code>upgrade<\/code> instead, as the README output above notes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/opt\/arkime\/db\/db.pl http:\/\/localhost:9200 init<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>It is STRONGLY recommended that you stop ALL Arkime captures and viewers before proceeding.  
Use 'db.pl http:\/\/localhost:9200 backup' to backup db first.\n\nThere is 1 elastic search data node, if you expect more please fix first before proceeding.\n\nThis is a fresh Arkime install\nErasing\nCreating\nFinished<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Create Arkime\/Moloch Admin User Account<\/h4>\n\n\n\n<p>Use the <code><strong>\/opt\/arkime\/bin\/arkime_add_user.sh<\/strong><\/code> script to create Arkime\/Moloch user accounts;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/bin\/arkime_add_user.sh -h<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\naddUser.js [<config options>] <user id> <user friendly name> <password> [<options>]\n\nOptions:\n  --admin               Has admin privileges\n  --apionly             Can only use api, not web pages\n  --email               Can do email searches\n  --expression  <expr>  Forced user expression\n  --remove              Can remove data (scrub, delete tags)\n  --webauth             Can auth using the web auth header or password\n  --webauthonly         Can auth using the web auth header only, password ignored\n  --packetSearch        Can create a packet search job (hunt)\n  --createOnly          Only create the user if it doesn't exist\n\nConfig Options:\n  -c <config file>      Config file to use\n  -n <node name>        Node name section to use in config file\n  --insecure            Disable certificate verification for https calls\n<\/code><\/pre>\n\n\n\n<p>Run the command below to create the Arkime\/Moloch admin user account, replacing the username and password accordingly. The password is passed on the command line, so it lands in your shell history and is briefly visible to other local users in the process list; use a strong value, and grant <code>--admin<\/code> only to the accounts that need it, creating ordinary analyst users without it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/bin\/arkime_add_user.sh admin \"Arkime SuperAdmin\" changeme --admin<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Arkime Services<\/h3>\n\n\n\n<p>Arkime is made up of 3 components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><strong>capture<\/strong>&nbsp;\u2013 A threaded C application that monitors 
network traffic, writes PCAP formatted files to disk, parses the captured packets, and sends metadata (SPI data) to elasticsearch.<\/em><\/li>\n\n\n\n<li><em><strong>viewer<\/strong>&nbsp;\u2013 A&nbsp;node.js&nbsp;application that runs per capture machine. It handles the web interface and transfer of PCAP files.<\/em><\/li>\n\n\n\n<li><em><strong>elasticsearch<\/strong>&nbsp;\u2013 The search database technology powering Arkime.<\/em><\/li>\n<\/ul>\n\n\n\n<p>Elasticsearch is already running.<\/p>\n\n\n\n<p>Now start the Arkime capture and viewer services and enable them to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now arkimecapture<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now arkimeviewer<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status arkimecapture<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf arkimecapture.service - Arkime Capture\n     Loaded: loaded (\/etc\/systemd\/system\/arkimecapture.service; enabled; vendor preset: enabled)\n     Active: active (running) since Fri 2021-11-12 21:02:08 EAT; 27s ago\n   Main PID: 4125 (sh)\n      Tasks: 2 (limit: 1133)\n     Memory: 30.2M\n        CPU: 389ms\n     CGroup: \/system.slice\/arkimecapture.service\n             \u251c\u25004125 \/bin\/sh -c \/opt\/arkime\/bin\/capture -c \/opt\/arkime\/etc\/config.ini  &gt;&gt; \/opt\/arkime\/logs\/capture.log 2&gt;&amp;1\n             \u2514\u25004126 \/opt\/arkime\/bin\/capture -c \/opt\/arkime\/etc\/config.ini\n\nNov 12 21:02:07 debian11 systemd[1]: Starting Arkime Capture...\nNov 12 21:02:08 debian11 systemd[1]: Started Arkime Capture.\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status arkimeviewer<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf arkimeviewer.service - Arkime Viewer\n     Loaded: loaded (\/etc\/systemd\/system\/arkimeviewer.service; enabled; vendor preset: enabled)\n     Active: 
active (running) since Fri 2021-11-12 21:02:33 EAT; 48s ago\n   Main PID: 4147 (sh)\n      Tasks: 8 (limit: 1133)\n     Memory: 42.1M\n        CPU: 2.457s\n     CGroup: \/system.slice\/arkimeviewer.service\n             \u251c\u25004147 \/bin\/sh -c \/opt\/arkime\/bin\/node viewer.js -c \/opt\/arkime\/etc\/config.ini  &gt;&gt; \/opt\/arkime\/logs\/viewer.log 2&gt;&amp;1\n             \u2514\u25004148 \/opt\/arkime\/bin\/node viewer.js -c \/opt\/arkime\/etc\/config.ini\n\nNov 12 21:02:33 debian11 systemd[1]: Started Arkime Viewer.\n<\/code><\/pre>\n\n\n\n<p>At this point, if you reboot the server, the Arkime capture and viewer services may fail to start: the installed units are ordered only after <code>network.target<\/code>, and Elasticsearch is usually still starting when they come up.<\/p>\n\n\n\n<p>One workaround is to order these units after Elasticsearch. Capture then does not start until Elasticsearch is up, so traffic seen during that window is not recorded.<\/p>\n\n\n\n<p>Add these lines to the <code>[Unit]<\/code> section of both service files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>After=network.target elasticsearch.service\nRequires=network.target elasticsearch.service<\/code><\/pre>\n\n\n\n<p>You can use sed to update both unit files in one go;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i 's\/network.target\/network.target elasticsearch.service\/' \/etc\/systemd\/system\/arkimecapture.service \/etc\/systemd\/system\/arkimeviewer.service<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/After=\/a Requires=network.target elasticsearch.service' \/etc\/systemd\/system\/arkimecapture.service \/etc\/systemd\/system\/arkimeviewer.service<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Arkime capture and viewer now start only after Elasticsearch. Two caveats: the sed commands are not idempotent (running them twice duplicates the lines), and they edit the unit files that the Configure script installs, so a later run of Configure overwrites the change. A drop-in override under <code>\/etc\/systemd\/system\/&lt;unit&gt;.d\/<\/code> avoids both problems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Log Files<\/h3>\n\n\n\n<p>Arkime and Elasticsearch write their logs to the following files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/opt\/arkime\/logs\/viewer.log<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>\/opt\/arkime\/logs\/capture.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/log\/elasticsearch\/*<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Adjusting Arkime\/Moloch Configuration<\/h4>\n\n\n\n<p>To change Arkime settings, edit the configuration file&nbsp;<code><strong>\/opt\/arkime\/etc\/config.ini<\/strong><\/code> and restart the affected service (capture, viewer, or both).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Accessing Arkime Web Interface<\/h2>\n\n\n\n<p>The Arkime viewer listens on port 8005\/tcp by default, on all interfaces (note the <code>*:8005<\/code> below).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep 8005<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>LISTEN 0      511                     *:8005             *:*    users:((\"node\",pid=1021,fd=26))<\/code><\/pre>\n\n\n\n<p>If UFW is running, open this port to allow external access. Rather than opening it to everyone, restrict the rule to the analyst network (ufw accepts a source address with its <code>from<\/code> form): the viewer serves plain HTTP unless you configure TLS as described below, so sessions and any PCAP you download travel in cleartext.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow 8005\/tcp<\/code><\/pre>\n\n\n\n<p>You can then access Arkime\/Moloch using the URL,&nbsp;<code><strong>http:\/\/ARKIMEHOST:8005<\/strong><\/code>&nbsp;with your favorite browser.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"arkime-with-ssl\"><a href=\"#arkime-with-ssl\">Accessing Arkime with SSL\/TLS<\/a><\/h3>\n\n\n\n<p>To serve the viewer over TLS, uncomment the lines below and set the full paths to your certificate and private key. The key file should be readable only by the user the viewer runs as;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/arkime\/etc\/config.ini<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n# Cert file to use, comment out to use http instead\n#certFile=\/opt\/arkime\/etc\/arkime.cert\n<strong>certFile=\/opt\/arkime\/etc\/arkime.cert<\/strong>\n...\n# Private key file to use, comment out to use http instead\n#keyFile=\/opt\/arkime\/etc\/arkime.key\n<strong>keyFile=\/opt\/arkime\/etc\/arkime.key<\/strong>\n...<\/code><\/pre>\n\n\n\n<p>Next, restart the Arkime viewer;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart arkimeviewer<\/code><\/pre>\n\n\n\n<p>You can 
then access your Arkime using the URL: <code><strong>https:\/\/ARKIMEHOST-DOMAIN-NAME:8005<\/strong><\/code>. The hostname in the URL must match the certificate you configured, or browsers will warn.<\/p>\n\n\n\n<p>You will be prompted for the credentials of the user you created above. We did not enable TLS in this setup (screenshot below).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1371\" height=\"392\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication.png\" alt=\"Install Arkime (Moloch) Full Packet Capture tool on Debian\" class=\"wp-image-7995\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication.png?v=1614108170 1371w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication-768x220.png?v=1614108170 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication-150x43.png?v=1614108170 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication-300x86.png?v=1614108170 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication-696x199.png?v=1614108170 696w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/arkime-moloch-authentication-1068x305.png?v=1614108170 1068w\" sizes=\"(max-width: 1371px) 100vw, 1371px\" \/><\/figure>\n\n\n\n<p>Upon successful authentication, you land on the Arkime web interface.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1904\" height=\"913\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/arkime-dashboard.png\" alt=\"\" class=\"wp-image-10914\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/arkime-dashboard.png?v=1636753014 1904w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/arkime-dashboard-768x368.png?v=1636753014 
768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/arkime-dashboard-1536x737.png?v=1636753014 1536w\" sizes=\"(max-width: 1904px) 100vw, 1904px\" \/><\/figure>\n\n\n\n<p>And that is how simple it is to install Arkime on Debian.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<p><a href=\"https:\/\/raw.githubusercontent.com\/arkime\/arkime\/master\/release\/README.txt\" target=\"_blank\" rel=\"noreferrer noopener\">Arkime Installation README.txt<\/a><\/p>\n\n\n\n<p>Arkime Demo (Credentials: <strong>arkime:arkime<\/strong>)<\/p>\n\n\n\n<p><a href=\"https:\/\/demo.arkime.com\/?date=-1\" target=\"_blank\" rel=\"noreferrer noopener\">Arkime Demo<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-arkime-moloch-full-packet-capture-tool-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Arkime (Moloch) Full Packet Capture tool on Ubuntu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our tutorial on how to install Arkime (Moloch) Full Packet Capture tool on Debian.&nbsp;Arkime, formerly known as Moloch&nbsp;\u201cis a large scale, open 
source,<\/p>\n","protected":false},"author":3,"featured_media":10915,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[4270,4271,4269,4267,4268],"class_list":["post-10913","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-arkime-on-debian-11","tag-arkime-services-fail-to-start-after-rebooting","tag-debian-11-arkime","tag-install-arkime-moloch-full-packet-capture-tool-on-debian-11","tag-install-arkime-debian","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10913"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=10913"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10913\/revisions"}],"predecessor-version":[{"id":21611,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10913\/revisions\/21611"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10915"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=10913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=10913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=10913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
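The "Running Arkime Services" section of the post above orders the Arkime units after Elasticsearch by editing the installed unit files with sed. The script below is an added example, not part of the original post or of the Arkime project: it achieves the same ordering with systemd drop-in overrides, which can be re-run safely and are not overwritten when the Configure script reinstalls its unit files. The SYSTEMD_ROOT variable, the drop-in file name and the helper functions are this example's own choices (the variable exists only so the functions can be exercised against a scratch directory); the unit names arkimecapture.service, arkimeviewer.service and elasticsearch.service are the ones the post shows.

```bash
#!/bin/sh
# Added example (not Arkime project code): order arkimecapture/arkimeviewer after
# Elasticsearch with systemd drop-in overrides instead of editing the installed
# unit files with sed. A drop-in lives in <unit>.d/ beside the unit, is merged by
# systemd on daemon-reload, can be rewritten any number of times, and is not
# touched when the Arkime Configure script reinstalls its unit files.
#
# SYSTEMD_ROOT is an assumption of this example, not an Arkime or systemd
# setting: it exists only so the functions can be run against a scratch
# directory. Leave it unset on a real host.
SYSTEMD_ROOT="${SYSTEMD_ROOT:-/etc/systemd/system}"
DROPIN_NAME="10-after-elasticsearch.conf"   # file name is this example's choice

# Path of the drop-in for one unit, e.g.
# /etc/systemd/system/arkimecapture.service.d/10-after-elasticsearch.conf
dropin_path() {
    printf '%s/%s.d/%s\n' "$SYSTEMD_ROOT" "$1" "$DROPIN_NAME"
}

# Write (or overwrite) the drop-in for one unit.
# After=    orders this unit after Elasticsearch.
# Requires= pulls Elasticsearch in and stops this unit if Elasticsearch is
#           explicitly stopped. Both are needed: After= alone does not start
#           Elasticsearch, Requires= alone does not wait for it.
write_dropin() {
    path=$(dropin_path "$1")
    mkdir -p "$(dirname "$path")"
    cat > "$path" <<'EOF'
[Unit]
After=elasticsearch.service
Requires=elasticsearch.service
EOF
}

# Install the override for both Arkime units.
install_dropins() {
    for unit in arkimecapture.service arkimeviewer.service; do
        write_dropin "$unit"
    done
}

# Number of expected dependency lines found in a unit's drop-in: 2 means the
# override is complete, 0 means it is missing. Used to verify the result.
dropin_lines_present() {
    path=$(dropin_path "$1")
    [ -f "$path" ] || { echo 0; return 0; }
    grep -c -E '^(After|Requires)=elasticsearch\.service$' "$path" || true
}

# On a live host, as root:
#   install_dropins && systemctl daemon-reload
#   systemctl show -p After -p Requires arkimecapture.service   # confirm the merge
```

Run install_dropins as root and follow it with systemctl daemon-reload; systemctl show -p After -p Requires arkimecapture.service prints the merged dependencies. Requires= also restarts the Arkime units whenever Elasticsearch is explicitly restarted, which costs a few seconds of capture. If that gap matters more to you than a clean boot, change Requires= to Wants= in the drop-in: After= still orders startup, but the units' lifetimes are no longer tied together.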
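Several settings in the post above are left at tutorial values: the passwordSecret entered as changeme during Configure, a viewer that serves plain HTTP on all interfaces, and an Elasticsearch 7.x with no authentication. The script below is an added example, not from the original post or the Arkime project, that audits those settings in /opt/arkime/etc/config.ini and /etc/elasticsearch/elasticsearch.yml before the box is put on a network. The key names are the real ones used by Arkime (passwordSecret, certFile, keyFile, elasticsearch) and Elasticsearch (network.host, xpack.security.enabled); the checks, the WARN messages, the list of rejected placeholder secrets, the 16-character minimum and the parameterised file paths are this example's own.

```bash
#!/bin/sh
# Added example (not Arkime project code): audit the settings this guide leaves
# at tutorial values. Key names are the real ones; the checks, messages and
# placeholder list are this example's own, and the file paths are parameters
# so the functions can be run against copies of the files.

# Print the value of KEY from an ini (key=value) or flat YAML (key: value)
# file, ignoring commented lines and surrounding whitespace. Prints nothing
# if KEY is absent; the last occurrence wins, matching how a later [node]
# section overrides [default] in config.ini.
ini_get() {
    sed -n "/^[[:space:]]*$2[[:space:]]*[=:]/{
s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//
s/[[:space:]]*$//
p
}" "$1" | tail -n 1
}

# passwordSecret protects S2S requests between Arkime nodes. Reject the
# placeholders tutorials tend to leave behind (list is this example's) and
# anything shorter than 16 characters.
check_password_secret() {
    v=$(ini_get "$1" passwordSecret)
    case "$v" in
        ""|changeme|password|arkime|moloch|secret) return 1 ;;
    esac
    [ "${#v}" -ge 16 ]
}

# The viewer serves HTTPS only when both certFile and keyFile are set.
check_viewer_tls() {
    c=$(ini_get "$1" certFile)
    k=$(ini_get "$1" keyFile)
    [ -n "$c" ] && [ -n "$k" ]
}

# Arkime talks to Elasticsearch in plain HTTP unless the URL says https;
# accept plain HTTP only when it never leaves the host.
check_es_url() {
    u=$(ini_get "$1" elasticsearch)
    case "$u" in
        https://*|http://localhost:*|http://127.0.0.1:*|http://\[::1\]:*) return 0 ;;
    esac
    return 1
}

# Elasticsearch 7.x binds to loopback when network.host is unset; anything
# wider is acceptable only with xpack.security.enabled: true.
check_es_exposure() {
    host=$(ini_get "$1" network.host)
    sec=$(ini_get "$1" xpack.security.enabled)
    case "$host" in
        ""|localhost|127.0.0.1|_local_|"[::1]"|::1) return 0 ;;
    esac
    [ "$sec" = "true" ]
}

# Run every check, print one WARN line per failure, return non-zero if any failed.
audit() {
    ini="${1:-/opt/arkime/etc/config.ini}"
    yml="${2:-/etc/elasticsearch/elasticsearch.yml}"
    rc=0
    check_password_secret "$ini" || { echo "WARN passwordSecret unset, short, or a placeholder"; rc=1; }
    check_viewer_tls "$ini"      || { echo "WARN viewer serves plain HTTP (certFile/keyFile unset)"; rc=1; }
    check_es_url "$ini"          || { echo "WARN Elasticsearch reached over plain HTTP off-host"; rc=1; }
    check_es_exposure "$yml"     || { echo "WARN Elasticsearch bound beyond loopback without security"; rc=1; }
    return "$rc"
}
```

Run audit with no arguments on the Arkime host (it needs read access to both files) and treat a non-zero exit as a blocker. The setup exactly as the post leaves it fails the first two checks and passes the other two, which is the expected result for a single-host lab and the wrong result for anything reachable by other people.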