Moloch Estimators

Use these estimators as a starting point for deciding on the number of machines needed for capture and ES nodes.

Average gigabits per second

Capture Machines More info in FAQ

Calculating the number of machines needed for capturing is relatively simple. It is based on the average traffic rate, the number of days of retention, how much space is available on each machine, and the avg amount of traffic each machine can handle. If more then one machine is required, we highly recommend getting a NPB to load balance the traffic across the cluster. We suggest RAID 5 or RAID 6 for capture disks.

Moloch makes it possible to not save encrypted packets, other then the session negotiation. If you plan on using this feature select the percentage of TLS/QUIC traffic on the network. Most networks will see 10-40% of TLS traffic, resulting in huge disk space savings.


PCAP RetentionDays
Disk Size
Disks per machine
TLS Percentage
Avg per machine
Space Required All disks for data
RAID 0
One disk extra
RAID 5
Two disks extra
RAID 6 or RAID 5 + Hot Spare
Elasticsearch Machines More info in FAQ

Calculating the number of machines needed for Elasticsearch is a fine art. It heavily depends on the type of traffic that Moloch will be seeing plus of course the traffic rate and number of days of retention. Each node requires 64GB - 128GB of memory: 30GB for ES, and 34-96GB for OS disk cache. For large machines plan on running multiple nodes per host. You may want to read more recomendations from Elastic's Reference and Blog.

Many scaling guides will recommend you do NOT use RAID 5, assuming you will use Elasticsearch replication. However by default Moloch does NOT enable replication, so it is strongly recommended that you DO use RAID 5 or RAID 6. If you decide to use Elasticsearch replication you will need more machines, but don't need RAID 5 in theory.

The calculated host counts are just estimates.


ES Retention Days
Disk Size
Disks per machine
Nodes per machine
Replication
  Total Space Required All disks for data
RAID 0
One disk extra
RAID 5
Two disks extra
RAID 6 or RAID 5 + Hot Spare
Average traffic mix
High DNS/HTTP traffic
Pathological traffic mix
Moloch Logo