Logo

A powerful, easily deployable network traffic analysis tool suite

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

Supported Protocols

Malcolm uses Zeek and Arkime to analyze network traffic. These tools provide varying degrees of visibility into traffic transmitted over the following network protocols:

Traffic Wiki Organization/Specification Arkime Zeek
Internet layer 🔗 🔗
Border Gateway Protocol (BGP) 🔗 🔗  
Building Automation and Control (BACnet) 🔗 🔗  
Bristol Standard Asynchronous Protocol (BSAP) 🔗 🔗🔗  
Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) 🔗 🔗  
Dynamic Host Configuration Protocol (DHCP) 🔗 🔗
Distributed Network Protocol 3 (DNP3) 🔗 🔗  
Domain Name System (DNS) 🔗 🔗
EtherCAT 🔗 🔗  
EtherNet/IP / Common Industrial Protocol (CIP) 🔗 🔗 🔗  
FTP (File Transfer Protocol) 🔗 🔗  
GENISYS   🔗🔗  
GE SRTP 🔗 🔗  
Google Quick UDP Internet Connections (gQUIC) 🔗 🔗
HART IP 🔗 🔗🔗🔗  
Hypertext Transfer Protocol (HTTP) 🔗 🔗
IPsec 🔗 🔗  
Internet Relay Chat (IRC) 🔗 🔗
Lightweight Directory Access Protocol (LDAP) 🔗 🔗
Kerberos 🔗 🔗
Modbus 🔗 🔗  
MQ Telemetry Transport (MQTT) 🔗 🔗  
MySQL 🔗 🔗
NT Lan Manager (NTLM) 🔗 🔗  
Network Time Protocol (NTP) 🔗 🔗  
Oracle 🔗 🔗  
Open Platform Communications Unified Architecture (OPC UA) Binary 🔗 🔗  
Open Shortest Path First (OSPF) 🔗 🔗🔗🔗  
OpenVPN 🔗 🔗🔗  
PostgreSQL 🔗 🔗  
Process Field Net (PROFINET) 🔗 🔗  
PROFINET IO CM (Input/Output Context Manager) 🔗 🔗🔗  
Remote Authentication Dial-In User Service (RADIUS) 🔗 🔗
Remote Desktop Protocol (RDP) 🔗 🔗  
Remote Framebuffer (RFB) 🔗 🔗  
S7comm / Connection Oriented Transport Protocol (COTP) 🔗 🔗 🔗 🔗  
Secure Shell (SSH) 🔗 🔗
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) 🔗 🔗
Session Initiation Protocol (SIP) 🔗 🔗  
Server Message Block (SMB) / Common Internet File System (CIFS) 🔗 🔗
Simple Mail Transfer Protocol (SMTP) 🔗 🔗
Simple Network Management Protocol (SNMP) 🔗 🔗
SOCKS 🔗 🔗
STUN (Session Traversal Utilities for NAT) 🔗 🔗
Synchrophasor 🔗🔗 🔗  
Syslog 🔗 🔗
Tabular Data Stream (TDS) 🔗 🔗 🔗
Telnet / remote shell (rsh) / remote login (rlogin) 🔗🔗 🔗🔗
TFTP (Trivial File Transfer Protocol) 🔗 🔗  
WireGuard 🔗 🔗🔗  
various tunnel protocols (e.g., GTP, GRE, Teredo, AYIYA, IP-in-IP, etc.) 🔗  

Additionally, Zeek is able to detect and, where possible, log the type, vendor and version of various other software protocols.

As part of its network traffic analysis, Zeek can extract and analyze files transferred across the protocols it understands. In addition to generating logs for transferred files, deeper analysis is done into the following file types:

See automatic file extraction and scanning for additional features related to file scanning.

See Zeek log integration for more information on how Malcolm integrates Arkime sessions and Zeek logs for analysis.