Installation Instructions | 5.x -> 6.x Upgrade Instructions | FAQ | CHANGELOG | JA4+ Install | Docker Install

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

Support Arkime's ongoing development! Become a GitHub Sponsor!

:sparkles: What's new :sparkles:

Known Bugs

• an empty bpf= in the config file drops all traffic, comment it out please

BREAKING

• [#3138] settings parseSMTP & parseSMB removed, use disableParsers instead
• [#3138] plugins must end with a supported extension, e.g. .so, .lua, .py
• [#3138] setting luaFiles now defaults to no files
• [#3212] with capture --scheme is now the default, use --libpcap for previous behaviour
• [#3281] Remove Ubuntu 20.04 builds
• [#3293] db.pl now requires a leading http:// or https:// in OpenSearch/Elasticsearch URLs
• [#3306] WISE now requires webBasePath to be set if you use a non-default base path — set it in Arkime 5 before upgrading
• [#3422] Cont3xt ThreatFox integration now requires an API key (free at https://auth.abuse.ch/)
• [#3427] Capture now adds the first VLAN tag back to packets when saving to disk. This may affect existing BPF filters — set tpacketv3OldVlan=true to disable.
• [#3468] Digest/Form users who haven't changed their password since Dec 2019 will not be able to log in. A userAdmin can reset their passwords.
• [#3473] dnsOutputAnswers defaults to TRUE now
• [#3488] When talking to remote viewers, only viewUrl is used now — webBasePath is no longer used
• [#3492] Viewer now expires PCAPs even if pcapDir is not set, defaulting to /opt/arkime/raw. Previously, PCAPs were not expired when pcapDir was unset.
• [#3552] Users now inherit the 7 extra permissions from their Roles unless explicitly overridden
• [#3583] Fixed: IPv4 sessions with identical src and dst IP addresses may have had an incorrect community_id. Old sessions will retain the incorrect value.
• [#3591] The geoLite2Country setting now looks for a City database file first by default
• [#3601] The unkEthernet/unkIpProtocol plugins are removed. The saveUnknownPackets setting now saves unknown/corrupt packets as real Arkime sessions.

Release

• Node 22.22.0
• [#3342] Container based on Debian 13 now
• Container includes geoipupdate
• docker.sh supports --ilm and --ism options
• [#3502] FreeBSD builds
• [#3518] easybutton defaults to --nothirdparty now
• [#3718] Build for Ubuntu 26.04
• [#3726] docker.sh supports --wait-for-db option

All

• Migrated to Vue3!! (misc PRs)
• Remove Webpack tech debt (misc PRs)
• [#3286] support oidc end_session endpoint and token if logoutUrl not set, new logoutUrlMethod setting
• [#3306] eslint upgraded to v9
• [#3364] eslint vue files and enforce recommended rules
• [#3468] remove support for old password storage
• [#3476] new authJwsAlgorithm setting, defaults to RS256
• [#3552] Users and Roles now inherit for the 7 extra settings if not specificly set.
• [#3747] New /api/appversion API

Capture

• [#3138] lua plugin now autoloads *.lua scripts in parsers directory if lua plugin is used
• [#3208] vlan id is now stored in order seen
• [#3268] New python support, *.py scripts in parsers directory auto loaded use disablePython=true to disable
• [#3357] Basic SCTP support
• [#3375] For WISE/Rules fields that are lower/upper case, capture updates string
• [#3427] Add first vlan back to packet in AFPacket mode
• [#3460] DNS compress pointer chaining max increased to 10
• [#3461] New DHCP Session linking
• [#3473] dnsOutputAnswers defults to TRUE now
• [#3479] Per thread compression to ES should help with busy capture
• [#3481] ArkimePacket free list, should help with memory fragmentation on busy capture
• [#3494] Update field friendlyNames in db if they don't match capture
• [#3501] Added reader-bpf
• [#3517] Netmap FreeBSD support
• [#3547] Fix erspan vlan truncating at 7 bits instead of 12 bits
• [#3566] fix the sessions length being off by 1ms sometimes
• [#3583] Fix community_id for v4 sessions with same src/dst port sorting
• [#3591] geoLite2Country setting now looks for City file first by default
• [#3618] Fix S3 scheme prefix handling
• [#3618] Fix S3 scheme not process over 1000 S3 items
• [#3620] Simple DNS RRSIG/DS/NSEC parsing
• [#3622] Added disableIp4Defrag setting
• [#3623] Initial ES-IS protocol support
• [#3624] saveUnknownPackets supports common strings
• [#3630] tds7 protocol support
• [#3637] Initial bacnet protocol support
• [#3638] NTP protocol improvements
• [#3640] Initial isakmp protocol support
• [#3642] Initial tftp protocol support
• [#3643] Improved rdp parser
• [#3644] Improved snmp parser
• [#3645] Improved mqtt parser
• [#3651] Added basic sip parser
• [#3652] Added basic stun parser
• [#3653], [#3666] Improve krb5 parser
• [#3654] Added turn support to stun parser
• [#3655] Handle different quic salts for draft23, draft29, v2
• [#3655] More ssdp keywords
• [#3656] Parse udp facebook quic
• [#3657] Added classifiers for: plex-gdm, samsung-smartview, whatsapp, ubiquiti-ubnt, xid
• [#3659] Added classifier for nbds and parser for nbns
• [#3660] Added basic ptp parser
• [#3661] Added isakmp cert decoding
• [#3663] Added dcerpc parsing
• [#3668] Added basic dnp3 parsing
• [#3670] Added basic wireguard classifier
• [#3672] Added some telcom protocols: m3ua, sccp, tcap, camel, diameter
• [#3676] Added basic imap parser
• [#3677] Align structures and remove unimportant atomic counts to help when using large number of packetThreads
• [#3678] Added classifier: gearman, esio; parser: pana
• [#3681] Added synchrophasor parser
• [#3682] Added s7comm parser
• [#3686] Added websocket detection
• [#3687] Added c122 parser
• [#3699] writer-s3 always uses 0xffff for snapLen now
• [#3699] writer-s3 fix gzip memory leak
• [#3702] support redis:// for config
• [#3706] Don't close stdin after using "-" for filename
• [#3706] Cert UTCTime/GneralizedTime offset parsing fixes
• [#3706] Fix rules _dropBySession not working consistently
• [#3709] Fix scheme mode only queueing up to two files for later
• [#3710] Fix SCTP chunk alignment, add maxSctpOutOfOrderPackets setting and check
• [#3711] Fix SCTP databytes
• [#3711] Fix SCTP protoid should be 32 bits
• [#3724] fix ja4plus plugin to match rust implementation for edge cases
• [#3731] fix crash on quit when freeing http zstrm data structures
• [#3731] fix dedup increase message having incorrect values
• [#3731] performance improvements with dedup and arkime_memcasestr
• [#3739] disablePython defaults to true now

Capture/Viewer

• [#3197] new sessionsStarted and sessionsPresent in files tab
• [#3210] new vlan.dot1q and vlan.dot1ad expressions
• [#3308] City and Region from MMDB
• [#3434] SCTP protoId
• [#3463] Added dhcp.classId
• [#3464] Added id for dhcpv6
• [#3465] Added dhcp.requestIp
• [#3566] New packetRange field to support spanning timeline display
• [#3601] Save corrupt and unknown sessions as real Arkime sessions based on saveUnknownPackets ## Contrib
• [#3637] increased max tzsp-forwarder packet to 64000
• [#3674] added new netflow2arkime.pl script

ESProxy

• [#3750] - fix httpsAgent race condition with client certificates

Viewer

• [#3326] BIG search expression
• [#3343] Basic internationalization support (most translations contributed by Cursor using Claude 4 Sonnet)
• [#3341] Check files index mapping on start
• [#3366] Sankey diagram on SPI Graph page
• [#3374] Allow multiviewer to change password if usersElasticsearch is set
• [#3376] multiviewer logs history for only clusters selected
• [#3399] Now track ES node ids in dstats so on Shards tab we can show which node is missing for node_left. ES should do this for us!
• [#3423] Periodic Queries and Hunts can now notify on multiple notifiers
• [#3439] multiviewer config now supports defaultCluster setting
• [#3474] support 15 and 30 minute query time ranges
• [#3488] only use viewUrl for remote URL
• [#3492],#3536 default pcapDir to /opt/arkime/raw
• [#3495] Speed improvements for add/removing tags and exporting CSV
• [#3497] Process pcap files in blocks for speed improvements
• [#3498] Optimize pcap ressembly memory usage for speed improvements
• [#3522] Can set max scrolls and display current scrolls
• [#3528] IP OR array queries should be more efficient now
• [#3567] Hunts allow updating of fields while running
• [#3728] support expression autocomplete more places
• [#3742] ArkimeTables support i18n
• [#3743] Consistent expression parser error messages

Parliament

• [#3395] Low disk space monitoring for capture and ES hosts
• [#3395] Navbar ES status indicator cycles through clusters with issues w/highlighting
• [#3395] Clickable issue table rows navigate to node stats
• [#3395] Issue filters persist in URL parameters
• [#3395] Toggle to show/hide all issues
• [#3395] Display ES version in cluster tooltips

Cont3xt

• [#3405] Keyword/regex highlighting in integration and overview cards via ?highlight= parameter or via Search bar mode selector to switch between query search and highlight pattern modes
• [#3422] ThreatFox integration
• [#3421] Zetalytics integration
• [#3406] Domain Tools Whois Integration
• [#3410] crt.sh integration
• [#3407] Greynoise malicious tidbit

Multies

• [#3430] Handle when ES cluster returns 503 better

WISE

• [#3435] New wise urlapi source

db.pl

• [#3581] New db.pl show-nodes command
• [#3600] The init/wipe/upgrade commands warn if using different settings
• [#3603] Support repairing bad mapping with stats index

:arrow_down: Download Info :arrow_down:

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for Centos 8 or RHEL 8 not RHEL 9. A libssl version error means that most likely the wrong download was used for your Linux distribution and version, please double check. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2026. The EL 8 builds will stop in April 2026, please upgrade.