
Moloch is a large scale, open source, full packet capturing, indexing, and database system.

Moloch is not meant to replace Intrusion Detection Systems (IDS). Moloch augments your current security infrastructure by storing and indexing network traffic in standard PCAP format, while also providing fast indexed access. Moloch is built with an intuitive UI/UX which reduces the analysis time of suspected incidents.
Security

The owl takes security seriously! Access to Moloch is protected by HTTPS with digest passwords or by a web server proxy that provides authentication. All PCAPs are stored on the installed Moloch sensors and are only accessed through the Moloch interface or API.

Scalability

Moloch is designed to be deployed across multiple clustered systems, providing the ability to scale to handle multiple gigabits/sec of traffic. PCAP retention is based on available sensor disk space, while metadata retention is based on the scale of the Elasticsearch cluster. Both retention sizes can be increased at any time, as they are under your complete control.

Interface

An intuitive web interface is provided for PCAP browsing, searching, analysis, and PCAP carving for exporting. Moloch stores and exports all packets in standard PCAP format, allowing you to use your favorite PCAP ingesting tools, such as Wireshark, during your analysis workflow.

APIs

APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly.


We have a demo instance of Moloch running for you to explore and upload sample capture files to interact with. Wet your beak and give Moloch a try!

  Username and password are both "moloch".
  Warning: Anyone can see anything you upload.

Sessions

On the Sessions tab you can view indexed sessions for the selected time period.

  The search bar allows for powerful search queries to narrow down the data. Click the owl for available fields.

  Get more information about any session and view the session's packet data by clicking the green "+" button.

  Click any of the links in the session information to apply search criteria.

  Click and drag an area in the timeline to filter sessions by time.

  You can export search results as PCAP or CSV by clicking the "Actions" drop down menu on the top right.

  Tip: right click for more options.

SPI View

The SPI View tab allows you to view unique values with session counts for each of the captured fields. Change your search query or selected time period to limit results.

  Click any row to expand its contents.

  Click any of the links in the expanded section to apply search criteria. Right click for more options!

  Tip: Right click to change which fields are automatically loaded.

SPI Graph

The SPI Graph tab shows a temporal view for the top unique values of any field.

  Click and drag an area in the timeline to filter statistics by time.

  Make a selection from the SPI Graph drop down to view the unique values for different fields.


Connections

On the Connections tab you can view a network graph of your search results.

  Click and drag a node to lock it into place in the graph.

  Click on a node to view more information or hide it.

  Make a selection from the Src and Dst drop downs to visualize your data based upon different captured field relationships.


Stats

On the Stats tab you can view statistics about each Moloch capture node and Elasticsearch node.

  Click on a table header to sort the table.

  Enter text into the node filter input box to search the results.

Moloch Estimators

Use these estimators as a starting point for deciding on the number of machines needed for capture and ES nodes.

Shared input for both estimators: average gigabits per second.

Capture Machines (more info in the FAQ)

Calculating the number of machines needed for capturing is relatively simple. It is based on the average traffic rate, the number of days of retention, and how much space is available on each machine. If more than one machine is required, we highly recommend getting a network packet broker (NPB) to load balance the traffic across the cluster. We suggest RAID 5 or RAID 6 for capture disks.

Inputs: PCAP retention days, disk size, disks per machine.

Total space required is shown for each disk layout:

  RAID 0: all disks for data

  RAID 5: one disk extra

  RAID 5 + hot spare or RAID 6: two disks extra
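As an added example (not part of the Moloch site or project code), the capture-machine estimate described above carried out in Python: it converts the average traffic rate and PCAP retention into total bytes, subtracts the disks each RAID layout reserves, and rounds up to whole machines. It assumes the rate is in decimal gigabits per second and disk sizes are in decimal terabytes, and it maps RAID 6 to the same two-disk overhead as RAID 5 plus hot spare, as the estimator's labels group them; the function and constant names are my own.

```python
import math

# Disks per machine that hold parity or a spare rather than PCAP data,
# following the three layouts the estimator lists (RAID 6 assumed to cost
# two disks, matching the "RAID 5 + hot spare or RAID 6" grouping).
RAID_OVERHEAD_DISKS = {
    "RAID 0": 0,                # all disks for data
    "RAID 5": 1,                # one disk extra
    "RAID 5 + hot spare": 2,    # two disks extra
    "RAID 6": 2,                # two disks extra
}

SECONDS_PER_DAY = 86_400
BITS_PER_BYTE = 8
BYTES_PER_TB = 10**12  # assumption: disk sizes are decimal terabytes


def pcap_bytes_for_retention(avg_gbps, retention_days):
    """Bytes of PCAP written over the retention window at the average rate."""
    bytes_per_second = avg_gbps * 1e9 / BITS_PER_BYTE
    return bytes_per_second * SECONDS_PER_DAY * retention_days


def usable_bytes_per_machine(disk_size_tb, disks_per_machine, raid):
    """Capacity left for PCAP after the RAID layout reserves its extra disks."""
    data_disks = disks_per_machine - RAID_OVERHEAD_DISKS[raid]
    if data_disks <= 0:
        raise ValueError(f"{raid} needs more than {disks_per_machine} disks per machine")
    return data_disks * disk_size_tb * BYTES_PER_TB


def capture_machines_needed(avg_gbps, retention_days, disk_size_tb, disks_per_machine, raid):
    """Whole capture machines required; a partial machine still has to be bought."""
    total = pcap_bytes_for_retention(avg_gbps, retention_days)
    return math.ceil(total / usable_bytes_per_machine(disk_size_tb, disks_per_machine, raid))


def estimate_capture_cluster(avg_gbps, retention_days, disk_size_tb, disks_per_machine):
    """Machine count for every layout, plus the total space the estimator reports."""
    return {
        "total_space_tb": pcap_bytes_for_retention(avg_gbps, retention_days) / BYTES_PER_TB,
        "machines": {
            raid: capture_machines_needed(avg_gbps, retention_days, disk_size_tb, disks_per_machine, raid)
            for raid in RAID_OVERHEAD_DISKS
        },
    }


if __name__ == "__main__":
    # Constructed example: 1 Gbps average, 30 days of PCAP, 12 x 8 TB disks per machine.
    result = estimate_capture_cluster(1.0, 30, 8, 12)
    print(f"total PCAP over retention: {result['total_space_tb']:.0f} TB")
    for raid, count in result["machines"].items():
        note = " (more than one: load balance with an NPB)" if count > 1 else ""
        print(f"{raid:>20}: {count} machine(s){note}")
```

The RAID 6 row is the one to plan around when the text's advice to use RAID 5 or RAID 6 is followed: at 1 Gbps and 30 days the constructed inputs give 324 TB of PCAP, four machines under RAID 0 or RAID 5, and five under RAID 6, since losing two disks per machine tips the rounding.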
Elasticsearch Machines (more info in the FAQ)

Calculating the number of machines needed for Elasticsearch is a fine art. It heavily depends on the type of traffic that Moloch will be seeing, plus of course the traffic rate and number of days of retention. These node counts and host counts are just estimates. Each node requires 64GB - 128GB of memory: 32GB for ES, and 32-96GB for OS disk cache. For large machines, plan on running multiple nodes per host. We also include the minimum number of hosts recommended based on a 50G per shard maximum that some guides suggest.

Many scaling guides will recommend you do NOT use RAID 5, assuming you will use Elasticsearch replication. However, by default Moloch does NOT enable replication, so it is strongly recommended that you DO use RAID 5 or RAID 6. If you decide to use Elasticsearch replication you will need twice the number of machines below, but in theory you don't need RAID 5.

Inputs: ES retention days, disk size, disks per machine, nodes per machine.

Total space required is shown for each disk layout:

  RAID 0: all disks for data

  RAID 5: one disk extra

  RAID 5 + hot spare or RAID 6: two disks extra

Estimates are given for two traffic profiles, each with the minimum host count using a 50GB shard max:

  Average traffic mix

  High DNS/HTTP traffic

Downloads Changelog

We have started offering official rpm and deb builds of Moloch for CentOS and Ubuntu 64-bit machines.

  BEFORE upgrading from ES 2 to ES 5, read the "How do I upgrade to ES 5" FAQ entry.

  After installing package please read /data/moloch/README.txt for post install instructions.

Please open a Github Issue for any suggestions or problems.



Help

Find help by reading the FAQs at Github or ask a question in the Moloch Google Group.

FAQ

We maintain a FAQ on our Wiki at GitHub.

Questions

Join the moloch-fpc Google Group.

Slack

Join our Slack server to discuss Moloch.