PCAP Download - Malcolm + Hedgehog

[Kymki]

Describe the bug Issue when trying to download pcap with arkime via web-page as described here; https://github.com/cisagov/Malcolm/blob/main/docs/arkime.md#ArkimePCAPExport

To Reproduce Steps to reproduce the behavior:

1. Go to 'https://malcolm.test/arkime/session'
2. Click on down arrow on the right of the screen
3. Click on 'export pcap'
4. Download of the pcap does not start

Expected behavior Expecting a download of the relative pcap.

Screenshots and/or Logs log.txt

Malcolm Version:

• Malcolm Version [ v24.04.0]
• Hedgehog Version [v24.04.0]

Malcolm installed via

• [ISO] provided on virtual machine

Hedgehog installed via

• [ISO] provided on virtual machine

Additional context Issue present with Hedgehog configured as a sensor to send data to Malcolm Server. Same network segment and no firewall between. Tried to download pcap on Malcolm server directly, with no success. It seems that the sensor does not handle the request by the arkime viewer to provide the pcap. Tried to download very small pcap with the same result.

[mmguero]

When you're trying to do the PCAP download, are you sure that what you're viewing is an Arkime session (and not a row for a Zeek log, suricata alert, etc.). Click the eyeball button to the right of the search bar and select Arkime Sessions there (see the screenshot for the menu I'm talking about)

If that doesn't work, you can check a few more things:

• The output of ./scripts/logs -s arkime when you try to do the PCAP export, to see what errors are happening
• In the hedgehog configuration, do you have the ACL set correctly to allow the IP address of the Malcolm server?
• Ports 8005/tcp and 8006/tcp need to be routeable to the hedgehog from the Malcolm server.

[Kymki]

Closed. It was a routing problem due to the fact that I put sensors over a VPN; Malcolm server does not talk directly with them but I managed to solve the issue tuning my iptables inside the VPN concentrator. Thanks.