
Building a Scalable Network Traffic Capture System with Moloch (Arkime)

This guide walks through the design, installation, configuration, performance tuning, and daily operation of a large‑scale network packet capture and analysis platform using Moloch, Elasticsearch, and pfring on a high‑performance Linux server.

Tongcheng Travel Technology Center

The article begins with a scenario where a colleague needs to analyze network packets from a business backend, leading to the decision to build a traffic back‑trace system using Moloch (now Arkime).

Architecture Overview – The system consists of three core components: Capture (writes PCAP files to local disk and indexes per-session metadata into Elasticsearch), Elasticsearch (the search and analytics engine that holds the session index), and Viewer (the web UI that queries Elasticsearch and serves PCAP on demand). Traffic is fed to the capture interface from a switch’s mirror (SPAN) port.

Hardware Requirements – Example hardware: Dell PowerEdge R720 with Intel Xeon E5‑2650, 100 GB RAM, 8 TB disk. It is recommended to separate Capture and Elasticsearch nodes when resources allow.

Moloch Installation

rpm -ivh moloch-nightly.x86_64.rpm

pfring Installation (optional high‑performance capture)

cd /etc/yum.repos.d/
wget http://packages.ntop.org/centos-stable/ntop.repo -O ntop.repo
wget http://packages.ntop.org/centos-stable/epel-7.repo -O epel.repo
yum erase zeromq3
yum clean all
yum update
yum install pfring

Elasticsearch Installation & Tuning

rpm -ivh elasticsearch-5.6.2.rpm
# Edit the JVM heap settings (the RPM installs them at /etc/elasticsearch/jvm.options);
# keep Xms and Xmx equal so the heap never has to grow at runtime
vim jvm.options
-Xms32g
-Xmx32g
# Disable the disk-watermark shard allocation checks and bind to the capture network
# (/etc/elasticsearch/elasticsearch.yml)
vim elasticsearch.yml
cluster.routing.allocation.disk.threshold_enabled: false
network.host: 10.10.7.7

After installing, verify the node with:

curl http://10.10.7.7:9200

Configuration Optimization

# Configure Moloch interfaces and Elasticsearch URL
/data/moloch-nightly/bin/Configure
Found interfaces: bond0;em1;em2;em3;em4;lo
Select interface: em4
Elasticsearch server URL [http://localhost:9200] http://10.10.7.7:9200
Password:

Set the free‑space floor in config.ini; capture deletes the oldest PCAP files once free disk space drops below this value (default 5 %):

freeSpaceG = 5%

Schedule daily index expiration:

#!/bin/sh
# /data/moloch-nightly/db/daily.sh – expire daily session indices older than RETAINNUMDAYS
ESHOSTPORT=10.100.10.7:9200
RETAINNUMDAYS=1
/data/moloch-nightly/db/db.pl $ESHOSTPORT expire daily $RETAINNUMDAYS
# crontab entry: run at 04:01 every day and append output to the log
01 04 * * * /data/moloch-nightly/db/daily.sh >> /var/log/moloch/daily.log 2>&1
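A cron job that deletes indices has no operator watching it, so the useful failure mode to handle is the one where a typo leaves a variable empty and db.pl receives nothing for the host or the day count. The script below is an added example, not the article's daily.sh: it uses the same db.pl path and host:port the guide shows, aborts on unset variables with set -eu, validates the retention count as a positive integer, and assembles the command once so it can be logged and checked before it runs. The environment overrides (ESHOSTPORT, RETAINNUMDAYS, DBPL) and the --run switch are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the article's script): a defensive version of the daily
# index-expiry job.  set -e aborts on any failing command, set -u aborts on
# an unset variable instead of passing an empty argument to db.pl.
set -eu

# Defaults taken from the guide; overridable from the environment (assumed convention)
ESHOSTPORT="${ESHOSTPORT:-10.100.10.7:9200}"
RETAINNUMDAYS="${RETAINNUMDAYS:-1}"
DBPL="${DBPL:-/data/moloch-nightly/db/db.pl}"

# is_positive_int STRING -> 0 if STRING is one or more digits, 1 otherwise
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_expire_cmd HOSTPORT DAYS -> prints the db.pl command line on stdout,
# or writes the reason to stderr and returns 1 when an argument is unusable.
build_expire_cmd() {
    host="$1"
    days="$2"
    [ -n "$host" ] || { echo "refusing to run: empty Elasticsearch host:port" >&2; return 1; }
    is_positive_int "$days" || { echo "refusing to run: retention days not an integer: '$days'" >&2; return 1; }
    [ "$days" -ge 1 ] || { echo "refusing to run: retention days must be >= 1" >&2; return 1; }
    printf '%s %s expire daily %s\n' "$DBPL" "$host" "$days"
}

# run_expire: build the command, log it with a timestamp, then execute it.
# Word-splitting of $cmd is intentional: the arguments contain no spaces.
run_expire() {
    cmd=$(build_expire_cmd "$ESHOSTPORT" "$RETAINNUMDAYS")
    echo "$(date '+%F %T') running: $cmd"
    $cmd
}

# Only touch Elasticsearch when explicitly asked, so the file can be sourced
# (for example by a test) without side effects.  Cron line would become:
#   01 04 * * * /data/moloch-nightly/db/daily.sh --run >> /var/log/moloch/daily.log 2>&1
if [ "${1:-}" = "--run" ]; then
    run_expire
fi
```

The validation deliberately happens before anything is logged or executed; an expire job that silently runs with a wrong day count is worse than one that exits non-zero and shows up in the cron log.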

Network Card and High‑Performance Settings

# NIC ring buffers on the capture interface (shell commands)
ethtool -G eth0 rx 4096 tx 4096
# Disable checksum and segmentation offloads so capture sees frames as they were on the wire
ethtool -K eth0 rx off tx off gs off tso off gso off
# config.ini settings: basic magic detection, pfring reader, simple writer,
# larger write size and packet queue, more packet threads
magicMode=basic
pcapReadMethod=pfring
pcapWriteMethod=simple
pcapWriteSize=2560000
packetThreads=5
maxPacketsInQueue=200000

Monitor traffic with dstat -n and verify capture rates.
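Offload settings are easy to get wrong and easy to lose (a driver reload or a NIC bonding change can turn them back on), and when TSO/GSO/GRO or checksum offload is active the capture thread records segments and checksums the wire never carried. The function below is an added example, not part of the article: it parses the output of ethtool -k for the interface and lists every offload from the guide's "off" set that still reports on, adding GRO and LRO since those also coalesce packets before capture. The sample ethtool output is constructed for the example; the feature names are the ones ethtool -k prints.

```shell
#!/bin/sh
# Added example (not from the original article): audit a capture NIC's
# offload state against the features the guide disables with `ethtool -K`.

# Features expected to be off on a capture interface.  rx/tx checksumming,
# TSO and GSO are the guide's list; GRO and LRO are added because they merge
# received packets before any capture library sees them.
OFFLOADS_EXPECTED_OFF="rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# offloads_still_on ETHTOOL_K_OUTPUT
#   Prints, one per line in input order, each expected-off feature whose
#   top-level line reports "on".  Returns 1 if any were found, 0 otherwise.
#   Lines look like "tcp-segmentation-offload: on" or
#   "large-receive-offload: off [fixed]"; sub-features are indented but
#   carry different names, so they never collide with the top-level set.
offloads_still_on() {
    printf '%s\n' "$1" | awk -v want="$OFFLOADS_EXPECTED_OFF" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        {
            name = $1
            sub(/:$/, "", name)
            if ((name in wanted) && $2 == "on") { print name; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# audit_iface IFACE: run the check against the live interface (requires ethtool)
audit_iface() {
    offloads_still_on "$(ethtool -k "$1")"
}

# Constructed sample of `ethtool -k em4` output for the example: two of the
# expected-off features (TSO and GRO) are still enabled.
SAMPLE_ETHTOOL_K='Features for em4:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ipv4: off
scatter-gather: on
        tx-scatter-gather: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'
```

Run audit_iface em4 from the capture host's cron or a config-management check and alert on a non-zero exit; the printed names tell the operator exactly which ethtool -K argument to reapply.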

Using the Viewer

Access the web UI at http://10.10.7.7:8005 with the admin credentials created during setup. The interface allows searching by IP, protocol, time range, and exporting PCAP files (e.g., 200 MB per second in the author’s environment).

Conclusion

Moloch provides a robust solution for large‑scale packet capture, indexing, and analysis, enabling deep inspection of TCP retransmissions, MySQL slow queries, HTTP response times, and other network‑level metrics that can drive business insights.
