
Moloch is a large scale, open source, full packet capturing, indexing, and database system.

Moloch augments your current security infrastructure by storing and indexing network traffic in standard PCAP format, while also providing fast indexed access. Moloch is not meant to replace Intrusion Detection Systems (IDS); instead, it provides more visibility. Moloch is built with an intuitive UI/UX that reduces the analysis time of suspected incidents.

The owl takes security seriously! Access to Moloch is protected by HTTPS with digest passwords, or by an authenticating web server proxy placed in front of it. All PCAPs are stored on the installed Moloch sensors and are only accessed through the Moloch interface or API. Moloch supports encrypting the PCAP files at rest.

Moloch is designed to be deployed across multiple clustered systems, providing the ability to scale to handle multiple gigabits/sec of traffic. PCAP retention is based on available sensor disk space, while metadata retention is based on the scale of the Elasticsearch cluster. Both retention sizes can be increased at any time, as they are under your complete control.

An intuitive web interface is provided for PCAP browsing, searching, analysis, and PCAP carving for exporting. Moloch stores and exports all packets in standard PCAP format, allowing you to use your favorite PCAP ingesting tools, such as Wireshark, during your analysis workflow.

APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly.

Moloch Demo View

We have a demo instance of Moloch running for you to explore and upload sample capture files to interact with. Wet your beak and give Moloch a try!

Username and password are both "moloch".

Warning: Anyone can see anything you upload.


On the Sessions tab you can view indexed sessions for the selected time period.

  The search bar allows for powerful search queries to narrow down the data. Click the owl for available fields.

  Get more information about any session and view the session's packet data by clicking the green "+" button.

  Click any of the links in the session information to apply search criteria.

  Click and drag an area in the timeline to filter sessions by time.

  You can export search results as PCAP or CSV by clicking the "Actions" drop down menu on the top right.

Tip: right click for more options.

SPI View

The SPI View tab allows you to view unique values with session counts for each of the captured fields. Change your search query or selected time period to limit results.

  Click any row to expand its contents.

  Click any of the links in the expanded section to apply search criteria. Right click for more options!

Tip: Right click to change which fields are automatically loaded.

SPI Graph

The SPI Graph tab shows a temporal view for the top unique values of any field.

  Click and drag an area in the timeline to filter statistics by time.

  Make a selection from the SPI Graph drop down to view the unique values for different fields.


On the Connections tab you can view a network graph of your search results.

  Click and drag a node to lock it into place in the graph.

  Click on a node to view more information or hide it.

  Make a selection from the Src and Dst drop downs to visualize your data based upon different captured field relationships.


On the Stats tab you can view statistics about each Moloch capture node and Elasticsearch node.

  Click on a table header to sort the table.

  Enter text into the node filter input box to search the results.

Moloch Estimators

Use these estimators as a starting point for deciding on the number of machines needed for capture and ES nodes.

Average gigabits per second

Capture Machines (more info in FAQ)

Calculating the number of machines needed for capturing is relatively simple. It is based on the average traffic rate, the number of days of retention, how much space is available on each machine, and the average amount of traffic each machine can handle. If more than one machine is required, we highly recommend getting a network packet broker (NPB) to load balance the traffic across the cluster. We suggest RAID 5 or RAID 6 for capture disks.

Moloch makes it possible not to save encrypted packets, other than the session negotiation. If you plan on using this feature, select the percentage of TLS/QUIC traffic on the network. Most networks will see 10-40% TLS traffic, resulting in huge disk space savings.

PCAP Retention (Days)
Disk Size
Disks per machine
TLS Percentage
Avg per machine
Space Required:
  All disks for data
  One disk extra
  Two disks extra (RAID 6 or RAID 5 + Hot Spare)

Elasticsearch Machines (more info in FAQ)

Calculating the number of machines needed for Elasticsearch is a fine art. It heavily depends on the type of traffic that Moloch will be seeing, plus of course the traffic rate and number of days of retention. Each node requires 64GB - 128GB of memory: 30GB for ES, and 34-96GB for OS disk cache. For large machines, plan on running multiple nodes per host. You may want to read more recommendations from Elastic's Reference and Blog.

Many scaling guides will recommend you do NOT use RAID 5, assuming you will use Elasticsearch replication. However, by default Moloch does NOT enable replication, so it is strongly recommended that you DO use RAID 5 or RAID 6. If you decide to use Elasticsearch replication you will need more machines, but in theory you don't need RAID 5.

The calculated host counts are just estimates.

ES Retention (Days)
Disk Size
Disks per machine
Nodes per machine
Total Space Required:
  All disks for data
  One disk extra
  Two disks extra (RAID 6 or RAID 5 + Hot Spare)
Traffic mix:
  Average traffic mix
  High DNS/HTTP traffic
  Pathological traffic mix
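The capture and Elasticsearch estimators above take the same kind of inputs (retention days, disk size, disks per machine and a redundancy option; for ES also nodes per machine and a traffic mix). As an added example, not the page's own calculator code, the Python below sketches the arithmetic behind both: capture hosts are the larger of the rate-bound count (traffic divided by what one machine handles) and the space-bound count (PCAP volume over the retention period divided by usable disk per machine). It assumes the PCAP saving equals the TLS/QUIC percentage, and the metadata-to-PCAP ratios per traffic mix are constructed placeholders, since the page gives no figures for them; calibrate them against a real index before trusting the ES numbers.

```python
import math

# Unit constants (decimal units, as link rates and disk vendors quote them)
BITS_PER_GBIT = 1_000_000_000
BYTES_PER_TB = 1_000_000_000_000
SECONDS_PER_DAY = 86_400

# Disks set aside for redundancy under the estimator's three "Space Required" options.
SPARE_DISKS = {
    "all disks for data": 0,
    "one disk extra": 1,       # e.g. RAID 5 parity
    "two disks extra": 2,      # RAID 6, or RAID 5 + hot spare
}

# Metadata-to-PCAP ratio per traffic mix. CONSTRUCTED placeholders, not Moloch
# figures: measure your own cluster's index size per day and replace them.
ASSUMED_METADATA_RATIO = {
    "average traffic mix": 0.01,
    "high dns/http traffic": 0.02,
    "pathological traffic mix": 0.05,
}

# Per-node memory from the page: 30GB for ES plus 34-96GB of OS disk cache.
MIN_MEMORY_GB_PER_NODE = 64
MAX_MEMORY_GB_PER_NODE = 128


def usable_bytes_per_machine(disk_tb, disks_per_machine, option):
    """Data capacity of one machine after the chosen redundancy option."""
    usable_disks = disks_per_machine - SPARE_DISKS[option]
    if usable_disks < 1:
        raise ValueError("not enough disks for the selected redundancy option")
    return usable_disks * disk_tb * BYTES_PER_TB


def raw_bytes_per_day(avg_gbps):
    """Bytes crossing the tap per day at the average rate."""
    return avg_gbps * BITS_PER_GBIT / 8 * SECONDS_PER_DAY


def pcap_bytes_per_day(avg_gbps, tls_percent=0.0):
    """PCAP written per day when encrypted payload is not saved.
    Assumption: the saving equals the TLS/QUIC share; the handshake packets
    that are still kept are small enough to ignore for sizing."""
    if not 0 <= tls_percent <= 100:
        raise ValueError("tls_percent must be between 0 and 100")
    return raw_bytes_per_day(avg_gbps) * (1 - tls_percent / 100)


def capture_machines(avg_gbps, retention_days, disk_tb, disks_per_machine,
                     gbps_per_machine, tls_percent=0.0, option="two disks extra"):
    """Capture hosts needed: the larger of the rate-bound and space-bound counts."""
    by_rate = math.ceil(avg_gbps / gbps_per_machine)
    needed = pcap_bytes_per_day(avg_gbps, tls_percent) * retention_days
    per_machine = usable_bytes_per_machine(disk_tb, disks_per_machine, option)
    by_space = math.ceil(needed / per_machine)
    return max(by_rate, by_space)


def elasticsearch_plan(avg_gbps, retention_days, disk_tb, disks_per_machine,
                       nodes_per_machine, mix="average traffic mix",
                       option="two disks extra"):
    """Rough ES host/node count and memory range per host; the metadata
    volume relies on the placeholder ratios above."""
    needed = raw_bytes_per_day(avg_gbps) * ASSUMED_METADATA_RATIO[mix] * retention_days
    per_machine = usable_bytes_per_machine(disk_tb, disks_per_machine, option)
    machines = math.ceil(needed / per_machine)
    return {
        "machines": machines,
        "nodes": machines * nodes_per_machine,
        "memory_gb_per_machine": (nodes_per_machine * MIN_MEMORY_GB_PER_NODE,
                                  nodes_per_machine * MAX_MEMORY_GB_PER_NODE),
    }


if __name__ == "__main__":
    # Constructed sample: 4 Gbps average, 30 days of PCAP, 12 x 8TB disks per
    # capture box that handles 2 Gbps, 30% of the traffic being TLS/QUIC.
    print("capture machines:",
          capture_machines(4, 30, 8, 12, gbps_per_machine=2, tls_percent=30))
    print("elasticsearch:", elasticsearch_plan(4, 30, 4, 4, nodes_per_machine=1))
```

Note that the ES function returns a per-host memory range rather than a single number because the page itself gives 64GB-128GB per node; with several nodes per host that range scales linearly.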


BEFORE upgrading from ES 5 to ES 6 read the How do I upgrade to ES 6 FAQ entry.

BEFORE upgrading to Moloch 1.5 you must be on Moloch 1.0 or 1.1 and have finished any reindexing.

BEFORE upgrading to Moloch 1.0 or 1.1 read the How do I upgrade to Moloch 1.0 FAQ entry. Upgrading to 1.0 takes some time and work, and requires ES 5.x.

BEFORE upgrading from ES 2 to ES 5 read the How do I upgrade to ES 5 FAQ entry.



Find help by reading the FAQs at Github or ask a question in the Moloch Google Group.


We maintain a FAQ on our Wiki at GitHub.


Join the moloch-fpc Google Group.


Join our Slack server to discuss Moloch.