Arkime 5

Cont3xt Bulk Search, Improved Session Detail Display, Unified Configs, Unified Auth, JA4 Support, Additional Multiviewer Support, Offline PCAP Retrieval Improvements, Bug Fixes, and More

✨ Download Arkime 5 now! ✨

We are pleased to announce the release of Arkime 5! This open-source network analysis and packet capture tool just got even better. Our latest release offers new features, enhancements and bug fixes to speed up your incident response and empower your security and network teams to investigate and mitigate threats.

This release introduces a highly anticipated feature: Cont3xt Bulk Search! Now, you have the power to simultaneously enrich multiple indicators with just a single query, streamlining data analysis process like never before. We've revamped our user interface to help you navigate through and analyze the wealth of information more intuitively.

The session details section has been redesigned to minimize unused space. On large screens, the layout displays a dual-column structure, enabling you to access a greater amount of information without the need for scrolling.

After coming to our senses, all applications now utilize a unified configuration subsystem. This enhancement enables support for multiple configuration file formats (ini, json, yaml) and facilitates retrieval from both disk and network sources. The Arkime authorization model has been standardized across all applications and finally includes basic and form authorization.

JA4 support has been added and is visible as new session fields for viewing and searching. For those wanting JA4+ support, it can be added through an easy-to-install plugin.

To enhance the user experience, multiviewer dropdowns have been added to the Files, History, and Stats tabs, allowing users to perform searches against multiple viewers on these pages.

In this release, we have also introduced the ability to ingest offline PCAP directly from various network sources, such as S3 and HTTP(S).

In the spirit of continuous improvement, we have addressed numerous bugs and introduced several minor features. For a detailed overview, please refer to the release notes. Thank you for your continued support!

Learn how to upgrade to Arkime 5 now!

Breaking Changes

You must be on v4.3.2 or later to upgrade to v5.x
A db.pl upgrade is required when upgrading
Restart wiseService before capture when upgrading
s3Compression/simpleCompression now defaults to zstd
s3WriteGzip removed, use s3Compression=gzip for old behavior
s3GapPacketPos defaults to TRUE
enablePacketDedup defaults to TRUE
authMode defaults to digest instead of anonymous
Removed old v1 APIs
The Parliament password has been removed. You must create a parliament.ini file or [parliament] section in your arkime config.ini before upgrading. See Parliament and how do I upgrade to 5. You can configure common auth via the Parliament settings UI before upgrading or manually in the config file.
WISE/tagger must now use http.request.FIELD/http.response.FIELD when referencing header defined with headers-http-request/headers-http-response
Centos 7 build no longers supports pfring
simpleCompressionBlockSize defaults to 64000
simpleGzipBlockSize defaults to 32000
right-click changed to value-actions in config

View a detailed list of all the changes and download it now!

Cont3xt Bulk Search

Cont3xt was integrated into the Arkime ecosystem with the release of version 4.0. For detailed information, please refer the Cont3xt documentation. In version 5, we have introduced a bulk search feature, enabling you to enrich multiple indicators simultaneously. The user interface has undergone a full rewrite, incorporating multiple columns to minimize empty space and present all data on a single, streamlined page. As part of our user-centric enhancements, we now offer a severity emoji map, facilitating the quick identification of crucial indicators.

JA4 Support

Arkime now features JA4 support, with JA4 values accessible through the http.ja4 field, allowing for convenient viewing and searching. For enhanced JA4+ support, a downloadable plugin is required. To learn more and install the plugin, refer to the provided resource to learn more.

Improved Session Detail Display

The session detail section has undergone a comprehensive redesign, strategically enhancing the presentation of information within the confines of screen dimensions and minimizing superfluous space :) On large screens, the layout adopts a dual-column structure, facilitating an expanded view of information without the need of scrolling. To optimize space, field labels and values display on the same line, with extensive values wrapped, and lengthy field labels truncated with an ellipsis.

Moreover, the session detail section now boasts heightened customizability. Users possess the flexibility to adjust label widths, thereby allocating more screen real estate to accommodate long values or field labels. Notably, each section and subsection within the session detail is collapsible, with user preferences persistently stored. This ensures customization while traversing through sessions during the analytical processes.

Additional Multiviewer Support

Multiviewer support has been incorporated into the Files, History, and Stats tabs. Within a Multiviewer interface on these pages, a dropdown menu has been introduced, presenting all associated viewers for selection. By default, all viewers are pre-selected, allowing users the flexibility to conduct searches across all viewers or specifically choose viewers for searches on these pages. This enhancement provides a more customizable and efficient user experience when using Multiviewers.

Unified Authorization

Every application within the Arkime ecosystem now adheres to a unified authorization model, centralized into a new common module that each application imports and utilizes.

A noteworthy change is the removal of anonymous mode as the default authorization, which has been replaced by digest. Furthermore, a range of new authorization modes can be configured, including basic, form, basic+form, basic+oidc, headerOnly, header+digest (equivalent to header), and header+basic. Detailed information on these modes can be found in the Settings Documentation.

It's important to note that Parliament has deprecated the previous JWT authorization model, replacing it with Arkime common authorization. This change was alluded to in Arkime 4.0, encouraging users to configure common authorization within the Parliament Settings page. In Arkime version 5, this configuration is now mandatory. Users can implement common authentication through the Parliament Settings Page prior to upgrading to version 5 or manually in the configuration file. For details, please refer to the Parliament documentation and the upgrade guide for version 5.

Unified Configurations

Every application within the Arkime ecosystem now seamlessly employs a unified configuration subsystem. This enables the straightforward addition of new file formats, such as json and yaml. Arkime further supports the retrieval of configuration files from various sources, including local files, http(s), and OpenSearch/Elasticsearch. Notably, the introduction of json and yaml file formats enhances the native format of lists, eliminating the need for comma-separated strings. For details on all configuration settings, we invite you to explore the Settings Documentation.

Offline PCAP Retrieval Improvements

Arkime has advanced its capabilities to directly import PCAP files from S3 or http(s) URLs, eliminating the need for prior file downloads. Capture now accommodates URLs on the command line, providing specifications on how to retrieve the files. For in-depth information, explore the detailed resource on how to leverage this functionality.

Bug Fixes and More

Arkime 5 includes an extensive array of improvements, comprising numerous bug fixes, minor feature additions, and upgraded dependencies.

Notable minor features encompass integrations for Arkime, Elasticsearch/OpenSearch, CSV, JSON, and Redis within Cont3xt. Simplification and enhanced user experience was introduced by allowing Parliament and Arkime to share the same notifiers. Additional enhancements involve the introduction of configurable links in the Parliament navbar to WISE and Cont3xt. Ownership transfer functionalities have been extended to Arkime and Cont3xt resources, encompassing views, shortcuts, periodic queries, and link groups. Furthermore, edit roles have been incorporated for Arkime resources, specifically targeting views, shortcuts, and periodic queries.

Among the bug fixes, notable resolutions include the enforcement of user time limits on unique endpoints, the flexibility to add Arkime DB fields in any order within the same group, and the replacement of unappealing JSON errors in the Arkime navbar with a more generic "Error loading health" message. These collective improvements contribute to a more refined and robust Arkime experience.