Arkime 6
Arkime Tab, Internationalization, Sankey, Parliament, Users, Session Spanning, Bug Fixes, and More
✨ Download Arkime 6 now! ✨
Arkime 6: Faster. Smarter. Ready for your network.
We are pleased to announce the release of Arkime 6!
This open-source network analysis and packet capture tool just got even better.
This release delivers significant performance gains, modern code architecture, and powerful new features to accelerate your incident response and threat investigation.
Highlights of Arkime 6:
Performance, Performance, Performance:
We've focused heavily on improving the performance of both the capture and viewer applications.
The three most noticeable improvements:
- Faster PCAP Downloads - We've addressed a top user request by overhauling PCAP downloads. Our tests show speeds at least 5x faster than Arkime 5.
- Faster hunts - Hunts should now run at least 2x faster than with Arkime 5.
- Enhanced Capture Capacity - Environments monitoring high-traffic networks will benefit from multi-threaded compression with OpenSearch/Elasticsearch, improved algorithms, and the elimination of several false sharing patterns.
Code Modernization:
Much of Arkime's codebase is over 10 years old.
In Arkime 6, we've modernized large portions of the application—making it easier to maintain, more secure, and more welcoming to new contributors.
One of the largest tasks behind the scenes was upgrading all of the UI from Vue 2 to Vue 3.
Arkime 6 also requires Node.js 22.
Python:
Capture can now use Python for its scripting engine!
Now you can write protocol decoders, classifiers, and parsers in Python instead of C!
No more wrestling with C code—build custom parsers in Python and contribute back to the community.
Extensive Parsing:
Arkime 6 introduces over 30 new protocol parsers and classifiers, along with improvements to many existing ones.
Claude Opus has made it easier than ever to add new parsers and classifiers, so we expect this number to grow rapidly as the community continues to contribute.
New ways to install and use Arkime:
- Alkeme — A brand new terminal UI (TUI) for Arkime, giving you a powerful interactive experience right from your terminal.
- Homebrew TAP — macOS and Linux users can now install Arkime with brew install arkime/arkime/arkime.
- FreeBSD packages — Initial FreeBSD builds are now available, with netmap and bpf capture support.
Smaller but notable features:
- capture:
  - Point geoLite2Country to a City database to get region and city fields in addition to country
  - When in AFPacket mode we add the first VLAN back to the packet when saving to disk
  - Much improved SCTP support
  - The saveUnknownPackets setting now saves corrupt and unknown packets as first-class Arkime sessions, replacing the need for the unkEthernet/unkIpProtocol plugins
- viewer:
  - Expanded search expression editor for those complex expressions
  - Expression autocomplete supported in more places
  - New 15 and 30 minute query time ranges
  - Hunts allow updating of fields while running
  - Better node tracking: see which OpenSearch/Elasticsearch host disappeared, not just the node ID
  - Periodic Queries and Hunts can now notify on multiple notifiers
  - Improved efficiency for IP OR array queries
- docker:
  - We've moved to Debian 13 for our base image
  - Container now includes geoipupdate for easy GeoIP database updates
  - docker.sh supports --wait-for-db to wait for OpenSearch/Elasticsearch to be ready
  - docker.sh supports --ilm and --ism options for index lifecycle management
  - Streamlined experience for new users getting started with docker-compose
- cont3xt:
  - UI Refresh
  - Several new integrations: ThreatFox, Zetalytics, Domain Tools, crt.sh, Greynoise
  - Keyword/regex highlighting in integration and overview cards
- parliament:
  - Refresh of the UI
  - Monitors low OpenSearch/Elasticsearch disk space and notifies when low
Learn how to upgrade to Arkime 6 now!
Breaking Changes
- Node.js 22 is now required (>= 22.15.0)
- You must be on v5.2.0 or later to upgrade to v6.x
- A db.pl upgrade is required
- Arkime capture plugins must end with .so, .lua, or .py now
- The luaFiles setting now defaults to EMPTY
- If the Lua plugin is enabled, any file ending in .lua in the parsers directories will be automatically loaded
- Capture now defaults to the --scheme method for reading offline pcaps, use --libpcap for previous behaviour
- Ubuntu 20.04 is no longer supported
- db.pl now requires a leading http:// or https:// in OpenSearch/Elasticsearch URLs
- WISE now requires webBasePath to be set if you use a non-default base path — set it in Arkime 5 before upgrading
- Cont3xt ThreatFox integration now requires an API key (free at https://auth.abuse.ch/)
- AFPacket mode now restores the first VLAN tag when saving packets. This may affect BPF filters—use tpacketv3OldVlan=true to disable.
- Digest/Form users who haven't changed their password since Dec 2019 will not be able to log in. A userAdmin can reset their passwords.
- The setting dnsOutputAnswers now defaults to TRUE
- When talking to remote viewers, only viewUrl is used now — webBasePath is no longer used
- Viewer now expires PCAPs even if pcapDir is not set, defaulting to /opt/arkime/raw. Previously, PCAPs were not expired when pcapDir was unset.
- Fixed: IPv4 sessions with identical src and dst IP addresses may have had an incorrect community_id. Old sessions will retain the incorrect value.
- The geoLite2Country setting now looks for a City database file first by default
- The parseSMTP and parseSMB settings have been removed, use disableParsers instead
- The unkEthernet and unkIpProtocol plugins have been removed; the saveUnknownPackets setting now saves unknown/corrupt packets as real Arkime sessions
- The new authJwsAlgorithm setting defaults to RS256
- arkime_packet_log now treats logEveryXPackets as a minimum rather than an exact interval, and only prints TCP info
- Users now inherit the 7 extra permissions from their Roles unless explicitly overridden
- The disablePython setting now defaults to true
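A pre-upgrade check for the config-level items in the list above, added here as an example and not an Arkime tool. It assumes an INI-style config.ini whose node sections inherit from [default] and a ';'-separated plugins key; the audit function and the sample config are constructed for illustration.

```python
import configparser

# From the Arkime 6 breaking-changes list: removed setting -> replacement.
REMOVED_KEYS = {"parseSMTP": "disableParsers", "parseSMB": "disableParsers"}
REMOVED_PLUGINS = {"unkEthernet", "unkIpProtocol"}  # use saveUnknownPackets
PLUGIN_EXTS = (".so", ".lua", ".py")
# Behaviour that changes silently when the key is absent from [default].
CHANGED_WHEN_UNSET = {
    "luaFiles": "now defaults to empty",
    "dnsOutputAnswers": "now defaults to true",
    "disablePython": "now defaults to true",
    "pcapDir": "viewer now expires PCAPs from /opt/arkime/raw",
}

def audit(config_text):
    """Return (level, section, message) findings for one config.ini text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep camelCase keys exactly as written
    cp.read_string(config_text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        for key, repl in REMOVED_KEYS.items():
            if key in opts:
                findings.append(("error", section, f"{key} removed, use {repl}"))
        # Assumption: capture plugins are listed in a ';'-separated "plugins" key.
        for plugin in filter(None, map(str.strip, opts.get("plugins", "").split(";"))):
            if not plugin.endswith(PLUGIN_EXTS):
                findings.append(("error", section, f"plugin {plugin} needs .so/.lua/.py"))
            if plugin.rsplit(".", 1)[0] in REMOVED_PLUGINS:
                findings.append(("error", section, f"plugin {plugin} removed"))
    base = cp["default"] if cp.has_section("default") else {}
    for key, note in CHANGED_WHEN_UNSET.items():
        if key not in base:
            findings.append(("review", "default", f"{key} unset: {note}"))
    return findings

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
[default]
plugins=unkEthernet.so;tagger;wise.so
parseSMTP=false
dnsOutputAnswers=false

[sensor1]
parseSMB=true
"""

if __name__ == "__main__":
    for level, section, message in audit(SAMPLE):
        print(f"{level:6} [{section}] {message}")
```

The "review" findings are not errors: they mark settings where an absent key means the Arkime 6 default takes effect after the upgrade.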
View a detailed list of all the changes and download it now!