@peterblazejewicz
Last active July 16, 2025 16:58
Arkime packet capture and viewer setup using Docker image running on Ubuntu 24 LTS

Setup

All three required components (OpenSearch, capture, viewer) run on the same Ubuntu host under Docker Compose. The upstream setup is modified so that everything runs inside Docker on that one host, with all data and volumes shared from a single directory (arkime).

Directory structure

|-- docker-compose.yml
|-- etc
|   |-- config.ini
`-- raw

Running

First, start OpenSearch on its own and initialise the Arkime database:

sudo docker compose up -d opensearch
echo "INIT" | sudo docker run --rm -i --network arkime-setup_arkime-net -v ./etc:/opt/arkime/etc ghcr.io/arkime/arkime/arkime:v5-latest /opt/arkime/db/db.pl http://opensearch:9200 init

then stop it once the initialisation has finished:

sudo docker compose down

Now start all containers at once with compose up:

sudo docker compose up -d

[+] Running 3/3
 ✔ Container opensearch      Running   0.0s
 ✔ Container arkime-capture  Running   0.0s
 ✔ Container arkime-viewer   Running

Let it run for 15 seconds or so, then create the default user for arkime-viewer:

sudo docker exec arkime-viewer /opt/arkime/bin/arkime_add_user.sh admin "Admin User" YOUR_PASSWORD --admin

This should allow logging into the viewer instance (port 8005) with the admin/PASSWORD credentials. The credentials can be verified from the viewer instance afterwards.
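The sequence above replaces a readiness check with a fixed "15 seconds or so" wait, and the published files still contain placeholders and a sample passwordSecret. The script below is an added example, not part of the gist: it runs the same start-up steps gated on real readiness checks, and first flags the settings a practitioner would want resolved before the stack faces a network. It assumes the gist's layout (docker-compose.yml, etc/config.ini, raw/), its service names, curl on the host, the admin password in an ADMIN_PASSWORD environment variable, and the gist's network name arkime-setup_arkime-net (overridable via ARKIME_NET).

```shell
#!/bin/sh
# Added example (not part of the gist): pre-flight checks plus a readiness-gated
# version of the gist's start-up sequence. Assumes the gist's file layout and
# service names; ADMIN_PASSWORD and ARKIME_NET are assumed environment variables.
set -eu

COMPOSE_YML=${COMPOSE_YML:-docker-compose.yml}
ARKIME_CONFIG=${ARKIME_CONFIG:-etc/config.ini}
# Compose names the network <project>_arkime-net; the gist's value is kept as default.
ARKIME_NET=${ARKIME_NET:-arkime-setup_arkime-net}

# Poll a command until it succeeds, at most MAX attempts one second apart.
# Returns 1 if it never succeeded, so callers fail instead of guessing a delay.
wait_for() {
  local max="$1" n=0
  shift
  until "$@" >/dev/null 2>&1; do
    n=$((n + 1))
    [ "$n" -ge "$max" ] && return 1
    sleep 1
  done
  return 0
}

# Flag unresolved placeholders and the settings in the gist that leave the stack
# exposed. Prints one finding per line and returns 1 if anything was found.
preflight() {
  local compose="$1" config="$2" findings=0
  if grep -qE 'YOURINTERFACENAME|IPOFYOURUBUNTUHOST' "$compose" "$config"; then
    echo "finding: placeholder values still present (YOURINTERFACENAME / IPOFYOURUBUNTUHOST)"
    findings=1
  fi
  if grep -q 'passwordSecret=MySecretPassword123!' "$config"; then
    echo "finding: passwordSecret is still the sample value from the gist"
    findings=1
  fi
  # Security plugin off plus "9200:9200" (no host address) publishes an
  # unauthenticated OpenSearch, holding all captured sessions, on every interface.
  if grep -q 'DISABLE_SECURITY_PLUGIN=true' "$compose" && grep -q '"9200:9200"' "$compose"; then
    echo 'finding: unauthenticated OpenSearch published on all interfaces; publish "127.0.0.1:9200:9200" instead'
    findings=1
  fi
  return "$findings"
}

# Constructed sample files mirroring the gist as published: preflight must
# report exactly three findings on them.
preflight_selftest() {
  local dir count
  dir=$(mktemp -d)
  printf '%s\n' 'services:' '  opensearch:' '    environment:' \
    '      - DISABLE_SECURITY_PLUGIN=true' '    ports:' '      - "9200:9200"' > "$dir/docker-compose.yml"
  printf '%s\n' '[default]' 'passwordSecret=MySecretPassword123!' '[ubuntu]' \
    'elasticsearch=http://IPOFYOURUBUNTUHOST:9200' 'interface=YOURINTERFACENAME' > "$dir/config.ini"
  count=$(preflight "$dir/docker-compose.yml" "$dir/config.ini" | wc -l | tr -d ' ')
  rm -rf "$dir"
  [ "$count" -eq 3 ]
}

# The gist's sequence, with the fixed sleep replaced by readiness checks.
setup_stack() {
  : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}"
  preflight "$COMPOSE_YML" "$ARKIME_CONFIG"
  sudo docker compose up -d opensearch
  wait_for 60 curl -sf http://127.0.0.1:9200/_cluster/health
  echo INIT | sudo docker run --rm -i --network "$ARKIME_NET" \
    -v ./etc:/opt/arkime/etc ghcr.io/arkime/arkime/arkime:v5-latest \
    /opt/arkime/db/db.pl http://opensearch:9200 init
  sudo docker compose down
  sudo docker compose up -d
  wait_for 60 curl -sf http://127.0.0.1:9200/_cluster/health
  # The viewer answers 401 until a user exists; any HTTP reply means it is up, so no -f here.
  wait_for 60 curl -s -o /dev/null http://127.0.0.1:8005/
  sudo docker exec arkime-viewer /opt/arkime/bin/arkime_add_user.sh admin "Admin User" "$ADMIN_PASSWORD" --admin
}

case "${1:-}" in
  setup)     setup_stack ;;
  preflight) preflight "$COMPOSE_YML" "$ARKIME_CONFIG" ;;
  selftest)  preflight_selftest ;;
esac
```

Run `sh setup.sh preflight` before `sh setup.sh setup`. Publishing OpenSearch as "127.0.0.1:9200:9200" does not break the stack: the viewer reaches it over the compose network as opensearch:9200, and the capture container runs with network_mode host, so its [ubuntu] section can point at http://127.0.0.1:9200 instead of the host's LAN address.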

Results

NAME             IMAGE                                    COMMAND                  SERVICE          CREATED          STATUS          PORTS
arkime-capture   ghcr.io/arkime/arkime/arkime:v5-latest   "/opt/arkime/bin/doc…"   arkime-capture   21 minutes ago   Up 21 minutes   
arkime-viewer    ghcr.io/arkime/arkime/arkime:v5-latest   "/opt/arkime/bin/doc…"   arkime-viewer    21 minutes ago   Up 19 minutes   0.0.0.0:8005->8005/tcp, [::]:8005->8005/tcp
opensearch       opensearchproject/opensearch:2.11.0      "./opensearch-docker…"   opensearch       21 minutes ago   Up 21 minutes   9300/tcp, 9600/tcp, 0.0.0.0:9200->9200/tcp, [::]:9200->9200/tcp, 9650/tcp

docker-compose.yml

services:
  opensearch:
    image: opensearchproject/opensearch:2.11.0
    container_name: opensearch
    environment:
      - discovery.type=single-node
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - bootstrap.memory_lock=true
      - DISABLE_SECURITY_PLUGIN=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    networks:
      - arkime-net
    ports:
      - "9200:9200"
  arkime-viewer:
    image: ghcr.io/arkime/arkime/arkime:v5-latest
    container_name: arkime-viewer
    depends_on:
      - opensearch
    volumes:
      - ./etc:/opt/arkime/etc
      - ./raw:/opt/arkime/raw
    networks:
      - arkime-net
    ports:
      - "8005:8005"
    command: /opt/arkime/bin/docker.sh viewer
  arkime-capture:
    image: ghcr.io/arkime/arkime/arkime:v5-latest
    container_name: arkime-capture
    depends_on:
      - opensearch
    volumes:
      - ./etc:/opt/arkime/etc
      - ./raw:/opt/arkime/raw
    # Capture needs the host's interfaces, so it runs outside arkime-net
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: on-failure
    command: /opt/arkime/bin/docker.sh capture --update-geo
    environment:
      - ARKIME_INTERFACE=YOURINTERFACENAME
volumes:
  opensearch-data:
networks:
  arkime-net:

etc/config.ini

[default]
# OpenSearch/Elasticsearch configuration
elasticsearch=http://opensearch:9200
# File storage
pcapDir=/opt/arkime/raw
# Authentication mode
authMode=digest
# Enable cron queries (required for one node)
cronQueries=true
# Network interface for capture
interface=enp2s0
# Web interface settings
passwordSecret=MySecretPassword123!
# Viewer settings
viewPort=8005
viewHost=::
# Basic security
expireCheckInterval=60
maxFileSizeG=4

[ubuntu]
# OpenSearch/Elasticsearch configuration for capture (host network mode)
elasticsearch=http://IPOFYOURUBUNTUHOST:9200
# Network interface for capture
interface=YOURINTERFACENAME