Arkime 6

Arkime Tab, Internationalization, Sankey, Parliament, Users, Session Spanning, Bug Fixes, and More

✨ Download Arkime 6 RC3 now! ✨

This is a Release Candidate: stable enough for testing, but not yet recommended for production. Your feedback helps us ship a solid final release!

Arkime 6: Faster. Smarter. Ready for your network. We are pleased to announce the release of Arkime 6 RC 2! This open-source network analysis and packet capture tool just got even better. This release delivers significant performance gains, modern code architecture, and powerful new features to accelerate your incident response and threat investigation.

Highlights of Arkime 6:

Performance, Performance, Performance: We've focused heavily on improving the performance of both the capture and viewer applications. The three most noticeable improvements:

• Faster PCAP downloads - A top complaint from users was PCAP download speed, and we've addressed it head-on. In our tests we show at least 5x faster downloads compared to Arkime 5.
• Faster hunts - Hunts should now run at least 2x faster than with Arkime 5.
• Capture speed - Folks who are monitoring busy networks with lots of sessions per second will see an increased capacity as we now support multi-threaded compression with OpenSearch/Elasticsearch, improved memory allocation algorithms, and removed several false sharing usage patterns.

Code Modernization: Much of Arkime's codebase is over 10 years old. In Arkime 6, we've modernized large portions of the application—making it easier to maintain, more secure, and more welcoming to new contributors. One of the largest tasks behind the scenes was upgrading all of the UI from Vue 2 to Vue 3. Arkime 6 also requires Node.js 22, keeping the platform on the latest LTS release.

Python: Capture can now use Python for its scripting engine! Now you can write protocol decoders, classifiers, and parsers in Python instead of C! No more wrestling with C code—build custom parsers in Python and contribute back to the community.

Parsing: More than 30 new protocol parsers and classifiers have been added to capture, and we improved several of the existing ones. Opus has made it easier than ever to add new parsers and classifiers, so we expect this number to grow rapidly in future releases as the community contributes new ones.

Smaller but notable features:

• capture:
  • Point geoLite2Country to a City database to get region and city fields in addition to country
  • When in AFPacket mode we add the first vlan back to the packet when saving to disk
  • Initial FreeBSD support with official builds, including netmap and bpf capture methods
  • Much improved SCTP support
  • The saveUnknownPackets setting now saves corrupt and unknown packets as first-class Arkime sessions, replacing the need for the unkEthernet/unkIpProtocol plugins
• viewer:
  • Expanded search expression editor for those complex expressions
  • Better node tracking: see which OpenSearch/Elasticsearch host disappeared, not just the node ID
  • Periodic Queries and Hunts can now notify on multiple notifiers
  • IP OR array queries should be more efficient now
• docker:
  • We've moved to Debian 13 for our base image
  • Improvements for new users getting started with docker-compose
• cont3xt:
  • UI Refresh
  • Several new integrations: ThreatFox, Zetalytics, Domain Tools, crt.sh, Greynoise
  • Keyword/regex highlighting in integration and overview cards
• parliament:
  • Refresh of the UI
  • Monitors low OpenSearch/Elasticsearch disk space and notifies when low

Learn how to upgrade to Arkime 6 now!

Breaking Changes

• Node.js 22 is now required (>= 22.15.0)
• You must be on v5.2.0 or later to upgrade to v6.x
• A db.pl upgrade is required
• Arkime capture plugins must end with .so, .lua, or .py now
• The luaFiles setting now defaults to EMPTY
• If the Lua plugin is enabled, any file ending in .lua in the parsers directories will be automatically loaded
• Capture now defaults to the --scheme method for reading offline pcaps, use --libpcap for previous behaviour
• Ubuntu 20.04 is no longer supported
• db.pl requires leading http/https for OpenSearch/Elasticsearch URLs
• WISE now requires webBasePath be set when using one, please set in Arkime 5 before upgrading to Arkime 6
• Cont3xt ThreatFox integration requires api key (free on site https://auth.abuse.ch/)
• AFPacket mode now restores the first VLAN tag when saving packets. This may affect BPF filters—use tpacketv3OldVlan=true to disable.
• Digest/Form Users that haven't changed their password since Dec 2019 will not be able to login, userAdmin can reset their passwords
• The setting dnsOutputAnswers now defaults to TRUE
• When talking to remote viewers, only the viewUrl is used, and not webBasePath
• Viewer now always expires PCAPs (using /opt/arkime/raw if pcapDir is unset) — previously it would not expire if pcapDir was missing
• IPv4 sessions with the same src/dst IP could have had an incorrect community_id, this has been fixed but old sessions will be incorrect
• geoLite2Country setting now looks for City file first by default
• The parseSMTP and parseSMB settings have been removed, use disableParsers instead
• The unkEthernet and unkIpProtocol plugins have been removed; the saveUnknownPackets setting now saves unknown/corrupt packets as real Arkime sessions
• New authJwsAlgorithm setting, defaults to RS256
• arkime_packet_log no longer prints exactly logEveryXPackets, instead that is just the minimum; it also only prints TCP info now.

View a detailed list of all the changes and download it now!