Arkime 4.0


Cont3xt, Role Permissions, Hide Graph/Map, Speed Up Initial Load, Wildcard Shortcuts, bug fixes, and more

We are excited to share that Arkime 4.0 is now available! This release includes an entirely new web intelligence investigation application (yay Cont3xt!), a new permissions model with roles, speedier queries by hiding or disabling the graph and map, new AND arrays with ][ syntax vs. OR arrays with [], speedier initial load time by combining multiple calls from the UI into one, shortcut wildcard support, huge afpacket CPU improvements, bug fixes, and much, much more. View a list of all the changes here.

Learn how to upgrade to Arkime 4 now!


Breaking Changes

  • You must be on v3.3.0+ to upgrade to Arkime 4
  • Elasticsearch before 7.10 is not supported
  • Now uses roles for permission checking - userAdmin role required to edit users.
    addUser.js - new --roles option, --admin creates superAdmin user
  • In header auth mode, userAuthIps allows only localhost by default
  • Non-standard pcap files now use the .arkime extension
  • WISE multiES prefix now default to arkime_
  • WISE threatstream source require a manually created md5 index
  • new defaults maxFileSizeG=12, compressES=true
  • pcap compression is turned on by default, disable with simpleCompression=none
  • right-click changed to value-actions in config


Cont3xt centralizes and simplifies gathering contextual intelligence in support of technical investigations. It enriches indicators using commercial and OSINT sources through a structured, consistent, and thorough approach. Learn more here!


Arkime now uses a role permission model to check for user access to resources. Each user can be assigned a list of roles. You can create/update/delete roles on the Arkime or Cont3xt Users page. View default Arkime roles here.

Arkime Shortcuts, Notifiers, Periodic Queries, Views, and Hunts can now be shared via Arkime roles or with specific users.


Fetching the data to compute the graph and map takes much longer than a general Arkime query for sessions. By hiding both the graph and the map, you can speed up session searches. This is particularly useful when issuing queries for long periods of time. You can manually hide the graph and map, and each cluster can be configured with a maximum number of days to auto-disable the graph and map (which can be overridden by user request).


Initially loading the Arkime web application requires a lot of data. To improve the speed of the initial load time many queries have been combined into one, here. Also, some resources are now lazy loaded by waiting for the user to request their presence before loading (for example, the graph and map libraries).


You can now issue queries for many shortcuts simultaneously by using a wildcard like this: ip.src == $TEST_*.


View a list of all the changes here.