Arkime

Source: Imre kasutab arvutit

Introduction

TODO

How it works

TODO

Installation

Download from https://arkime.com/

# apt-get install /

Elasticsearch indices

The listing below is fetched over plain HTTP from localhost:9200 without any credentials; that only works because Elasticsearch on this host listens on the loopback interface with no authentication enabled, so port 9200 must stay unreachable from anything but the Arkime host itself. Every index shows rep 0 (no replica shards) and is green, i.e. this is a single-node cluster: if its disk is lost, the date-stamped session indices (arkime_sessions3-220319 here) are gone with it.

root@arkime:~# curl -X GET 'http://localhost:9200/_cat/indices?v'
health status index                   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   arkime_lookups_v30      FGw_xJPoTs-jvz4DjxS1Pg   1   0          0            0       208b           208b
green  open   arkime_sequence_v30     f8tUoA-fRrCZymYIgdf38g   1   0          1            2     46.1kb         46.1kb
green  open   arkime_queries_v30      okT70OfMRtyPITC2PWp9Ww   1   0          0            0       208b           208b
green  open   arkime_users_v30        8HnSt20gSb2NxXFeIA-XIA   1   0          1            0     57.1kb         57.1kb
green  open   arkime_dstats_v30       RJA3vHVrQriP8En6FncXHw   2   0         58            0       42kb           42kb
green  open   arkime_files_v30        U5bv7llBTtSFu57hvX-L-w   2   0          4            0     26.8kb         26.8kb
green  open   arkime_fields_v30       MJw-MM1lQHGX2gpDdMsi4A   1   0        351           33    157.9kb        157.9kb
green  open   arkime_sessions3-220319 sBg0H5c3S4qkX4MPHUgprA   1   0       1174            0      4.3mb          4.3mb
green  open   arkime_stats_v30        RYO8pUy2SbWzO-Kb1rzRJg   1   0          1           65    314.5kb        314.5kb
green  open   arkime_history_v1-22w11 njg8liv8R3yfZV_vyFo8Mw   1   0         33            0    100.7kb        100.7kb
green  open   arkime_hunts_v30        1JMhkbhLTMaIrHY_Zt6sgQ   1   0          0            0       208b           208b
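The same `_cat/indices?v` text can be turned into a small health check. The script below is an added example, not part of the page or of Arkime; it assumes the column order of the listing above (health status index uuid pri rep docs.count docs.deleted store.size pri.store.size), Arkime's `arkime_*` index names and, for the live mode, the unauthenticated `http://localhost:9200` endpoint used on this page. The sample rows are constructed: two are taken from the listing (uuid shortened), the third is invented to show a degraded index.

```sh
#!/bin/sh
# Added example, not part of the page or of Arkime: turn the text that
# GET /_cat/indices?v prints into a small health check.  Assumptions: the
# column order of the listing above (health status index uuid pri rep
# docs.count docs.deleted store.size pri.store.size), Arkime's arkime_*
# index names, and an Elasticsearch reachable without credentials on
# http://localhost:9200 as on this page.
set -eu

ES_URL=${ES_URL:-http://localhost:9200}

# Constructed sample input: the first two rows are copied from the page
# (uuid shortened), the third is invented to show a degraded index
# (yellow = a replica shard is unassigned).
SAMPLE='health status index                   uuid pri rep docs.count docs.deleted store.size pri.store.size
green  open   arkime_sessions3-220319 sBg0H5c3 1 0 1174 0 4.3mb 4.3mb
green  open   arkime_files_v30        U5bv7llB 2 0 4 0 26.8kb 26.8kb
yellow open   arkime_sessions3-220320 c0n5truc 1 1 20 0 100kb 100kb'

# Indices whose health is not green (the header row is skipped).
unhealthy_indices() { awk 'NR > 1 && $1 != "green" { print $3 }'; }

# Indices with no replica shards: normal on a single node, but on a
# cluster it means one lost node loses those sessions for good.
no_replica_indices() { awk 'NR > 1 && $6 == 0 { print $3 }'; }

# Total number of session documents over all arkime_sessions3-* indices,
# i.e. how many sessions the viewer can currently search.
session_docs() {
  awk 'NR > 1 && $3 ~ /^arkime_sessions3-/ { n += $7 } END { print n + 0 }'
}

# Reads a listing on stdin, prints a summary and returns 1 when anything
# is not green, so the script can be run from cron and alert on failure.
check_indices() {
  input=$(cat)
  bad=$(printf '%s\n' "$input" | unhealthy_indices)
  printf 'session documents: %s\n' "$(printf '%s\n' "$input" | session_docs)"
  printf 'indices without replicas: %s\n' \
    "$(printf '%s\n' "$input" | no_replica_indices | tr '\n' ' ')"
  if [ -n "$bad" ]; then
    printf 'NOT GREEN: %s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# LIVE=1 queries the real cluster; otherwise the constructed sample is used.
if [ "${LIVE:-0}" = 1 ]; then
  curl -sf "$ES_URL/_cat/indices?v" | check_indices
else
  printf '%s\n' "$SAMPLE" | check_indices || true
fi
```

Run it as `LIVE=1 ./check-indices.sh` on the Arkime host; without `LIVE` it only exercises the constructed sample, where the invented yellow index makes the check fail.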

Misc

Managing the mirror on the Proxmox host

Creating two mirrors

Everything that enters or leaves enp4s0 (select-src-port and select-dst-port are both the physical port, so both directions are mirrored) is copied to tap100i1, the tap device of net1 of VM 100, and everything on enp2s0 to tap103i1, net1 of VM 103. The whole setup is one ovs-vsctl transaction, so either all of it is applied or none of it.

# cat br-arkime.sh
ovs-vsctl -- set Bridge vmbr0 mirrors=@m100,@m103 \
  -- --id=@enp4s0 get Port enp4s0 \
  -- --id=@enp2s0 get Port enp2s0 \
  -- --id=@tap100i1 get Port tap100i1 \
  -- --id=@tap103i1 get Port tap103i1 \
  -- --id=@m100 create Mirror name=arkime \
  select-dst-port=@enp4s0 select-src-port=@enp4s0 \
  output-port=@tap100i1 \
  -- --id=@m103 create Mirror name=arkimetk \
  select-dst-port=@enp2s0 select-src-port=@enp2s0 \
  output-port=@tap103i1

Creating a single mirror

The same with one physical port (enp7s0) and one sensor (tap141i1, net1 of VM 141):

# cat br-arkime.sh 
ovs-vsctl -- set Bridge vmbr0 mirrors=@m141 \
  -- --id=@enp7s0 get Port enp7s0 \
  -- --id=@tap141i1 get Port tap141i1 \
  -- --id=@m141 create Mirror name=arkime \
  select-dst-port=@enp7s0 select-src-port=@enp7s0 \
  output-port=@tap141i1

Removing all mirrors

# ovs-vsctl clear bridge vmbr0 mirrors
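Instead of hand-editing br-arkime.sh for every sensor, the transaction can be generated from a list of (mirror name, physical port, VM ID, NIC index) specs. The script below is an added example, not the page's own script; it assumes the Proxmox convention that guest NIC netN of VM VMID is the tap device tapVMIDiN (the tap100i1 and tap141i1 names above follow that pattern) and otherwise uses the ovs-vsctl syntax shown on the page. It also handles the case the two-mirror script does not need: two sensors fed from the same physical port, where the Port record must be looked up only once because ovs-vsctl refuses to define the same --id symbol twice in one transaction.

```sh
#!/bin/sh
# Added example, not the page's own script: generate the ovs-vsctl
# transaction for any number of mirrors on the Proxmox OVS bridge.
# Assumed here: Proxmox names the tap device of guest NIC netN of VM <VMID>
# "tap<VMID>iN"; the ovs-vsctl syntax is the one used on the page.
set -eu

BRIDGE=${BRIDGE:-vmbr0}

# tap_name VMID NETIDX -> tap<VMID>i<NETIDX>
tap_name() { printf 'tap%si%s\n' "$1" "$2"; }

# mirror_cmd SPEC...   with SPEC = NAME:PHYS_PORT:VMID:NETIDX
# Prints one ovs-vsctl command that creates every mirror in a single
# transaction, so the bridge never carries a half-applied set.  Each
# physical port is fetched once even when several mirrors select it.
mirror_cmd() {
  ids=''; ports=''; mirrors=''; seen=' '
  for spec in "$@"; do
    name=${spec%%:*};  rest=${spec#*:}
    phys=${rest%%:*};  rest=${rest#*:}
    vmid=${rest%%:*};  netidx=${rest#*:}
    tap=$(tap_name "$vmid" "$netidx")
    id="m${vmid}i${netidx}"                  # symbol unique per guest NIC
    ids="$ids${ids:+,}@$id"
    case "$seen" in
      *" $phys "*) ;;                        # Port record already fetched
      *) ports="$ports -- --id=@$phys get Port $phys"; seen="$seen$phys " ;;
    esac
    ports="$ports -- --id=@$tap get Port $tap"
    mirrors="$mirrors -- --id=@$id create Mirror name=$name select-dst-port=@$phys select-src-port=@$phys output-port=@$tap"
  done
  printf 'ovs-vsctl -- set Bridge %s mirrors=%s%s%s\n' "$BRIDGE" "$ids" "$ports" "$mirrors"
}

# Usage: ./mirrors.sh print|apply SPEC...   or   ./mirrors.sh clear|show
case "${1:-}" in
  print) shift; mirror_cmd "$@" ;;                     # dry run, just print
  apply) shift; eval "$(mirror_cmd "$@")" ;;           # run as root on the host
  clear) ovs-vsctl clear bridge "$BRIDGE" mirrors ;;   # the page's cleanup command
  show)  ovs-vsctl list Mirror ;;                      # verify what is active
esac
```

`./mirrors.sh print arkime:enp4s0:100:1 arkimetk:enp2s0:103:1` reproduces the two-mirror script above (with the symbols named @m100i1 and @m103i1 instead of @m100 and @m103), and `./mirrors.sh show` after `apply` confirms which Mirror rows the bridge actually carries.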

Using the mirror in the Proxmox guest

To receive the mirrored traffic inside the virtual machine:

  • add a further network interface with the E1000 driver (it becomes the netN device whose tap the mirror's output-port names, e.g. tap141i1 is net1 of VM 141)
  • bring it up without assigning an address and enlarge its ring buffers:
root@arkime:~# cat start-arkime.sh 
# capture interface: link up only, no IP address is configured on it
ifconfig enp6s19 up
# larger RX/TX descriptor rings so traffic bursts are not dropped before capture
ethtool -G enp6s19 rx 2048 tx 2048

The mirrored traffic should now be visible with:

root@arkime:~# tcpdump -nei enp6s19

Useful further reading

  • TODO