Open jagonza1ez opened 1 week ago
Hi @jagonza1ez,
I never tried to capture the network traffic from within the Arkime container. Currently my only use case for Arkime is to put already captured .pcap files into it. Therefore, I added the phrase "This feature is not tested yet!" to the README.
Nevertheless, the Arkime `capture` process should be started if you set the env variable `CAPTURE=on` and `ARKIME_INTERFACE` to your network device name, e.g. `eth0`.
To access your host's network device from inside the container it should be possible to forward it with the `--device` parameter (https://docs.docker.com/reference/cli/docker/container/run/#device). Also the `--privileged` flag could be needed here.
Maybe you can try to run the Arkime container with the following parameter:
```sh
docker run \
  -e OS_HOST=opensearch \
  -e OS_PORT=9200 \
  -e CAPTURE=on \
  -e ARKIME_INTERFACE=capturenet0 \
  -v <config_volume>:/data/config \
  -v <pcap_volume>:/data/pcap \
  -v <log_volume>:/data/logs \
  --device=/dev/eth0:/dev/capturenet0 \
  --privileged \
  mammo0/docker-arkime:<tag>
```
Please tell me if this works. Then I can update my README. Thank you.
Hi,
I'm using the Arkime container, and I have a question about its capabilities. Does the Arkime container support real-time packet capture, or is it limited to ingesting pre-saved pcap files as described in the README?
Thank you!