Last active
February 25, 2025 04:10
-
-
Save jstrosch/63910bdf7117f8f53a26227cfd56b6c6 to your computer and use it in GitHub Desktop.
This script is designed to facilitate the process of ingesting PCAPs with Arkime. It will clear the local elastic database and process the PCAP using "moloch-capture" service. This script was primarily designed to be used with the following course on PluralSight: https://www.pluralsight.com/courses/network-analysis-arkime
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| #Author: Josh Stroschein (@jstrosch) | |
| #Date: 28 Nov 2020 | |
| #Desc: Script used to process a PCAP file with Arkime (formerly Moloch) | |
| PCAP=$1 | |
| # Ensure there is at least one argument | |
| if [ $# -eq 0 ]; then | |
| echo "[!] Usage: $0 'path to PCAP file'"; | |
| exit 1; | |
| fi | |
| # Test if file exists | |
| if [ ! -f "$PCAP" ]; then | |
| echo "[!] PCAP file doesn't exist, please provide a valid path to your PCAP" | |
| exit 1; | |
| fi | |
| # clear Arkime | |
| echo "[*] Clearing previous Arkime data..." | |
| printf 'WIPE\n' | /opt/arkime/db/db.pl http://localhost:9200 wipe > /dev/null | |
| rm -f /opt/arkime/raw/* | |
| # process PCAP | |
| echo "[*] Capturing new PCAP..." | |
| /opt/arkime/bin/capture -r ${1} -t $(echo ${1}) > /dev/null | |
| # Restart Arkime Viewer - artifacts from previous PCAPs linger if you don't do this | |
| echo "[*] Restarting Arkime Viewer..." | |
| sudo systemctl restart arkimeviewer.service | |
| # Done! | |
| echo "[*] Complete - please allow a brief period for data to populate" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment