A powerful, easily deployable network traffic analysis tool suite
Malcolm serves a web browser-based upload form for uploading PCAP files and Zeek logs at https://localhost/upload/ if you are connecting locally.
Additionally, there is a writable
files directory on an SFTP server served on port 8022 (e.g.,
sftp://USERNAME@localhost:8022/files/ if you are connecting locally).
The types of files supported are:
Files uploaded via these methods are monitored and moved automatically to other directories for processing to begin, generally within one minute of completion of the upload.
In addition to be processed for uploading, Malcolm events will be tagged according to the components of the filenames of the PCAP files or Zeek log archives files from which the events were parsed. For example, records created from a PCAP file named
ACME_Scada_VLAN10.pcap would be tagged with
VLAN10. Tags are extracted from filenames by splitting on the characters
- (dash), and
_ (underscore). These tags are viewable and searchable (via the
tags field) in Arkime and OpenSearch Dashboards. This behavior can be changed by modifying the
AUTO_TAG environment variable in
Tags may also be specified manually with the browser-based upload form.
The Analyze with Zeek and Analyze with Suricata checkboxes may be used when uploading PCAP files to cause them to be analyzed by Zeek and Suricata, respectively. This is functionally equivalent to the
SURICATA_AUTO_ANALYZE_PCAP_FILES environment variables described above, only on a per-upload basis. Zeek can also automatically carve out files from file transfers; see Automatic file extraction and scanning for more details.