Installation Instructions | 5.x -> 6.x Upgrade Instructions | FAQ | CHANGELOG | JA4+ Install | Docker Install

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

Support Arkime's ongoing development! Become a GitHub Sponsor!

:sparkles: What's new 6.3.1 :sparkles:

Capture

• [#3940] Fix ISAKMP parser on UDP/4500 (NAT-T) misparsed ESP packets without the non-ESP marker

Viewer

• [#3942] Fix hiding packets when we shouldn't

:sparkles: What's new 6.3.0 :sparkles:

BREAKING

• [#3911] ArkimeParserBuf_t.buf is now a heap-allocated pointer (uint8_t *buf[2]). You must use pb->bufSize[which] instead of sizeof(pb->buf[which])

All

• [#3920] Log more information on role failures

Capture

• [#3910] Corrupt UDP packets could have invalid byte counts
• [#3910] TCP DNS packets might not be parsed correctly depending on segmentation
• [#3911], [#3913] TCP sequence wrapping tests and improvements
• [#3912] Fix IKEv2 encryption/hash parsing
• [#3913] Fix WISE plugin skipping fields after array-typed fields
• [#3913] Fix S3 listing deadlock when bucket/prefix is empty
• [#3914] Fix ASN.1 OID decoding of first arc per X.690
• [#3916] Improved NTP and IS-IS parsing
• [#3917] Improved LUA ip handling
• [#3917] Add DHCPv6 relay parsing
• [#3917] Improved SMB parsing of share/filename
• [#3917] Improved SNMP GetBulkRequest parsing
• [#3917] Extract VNI from GENEVE tunnels
• [#3918] scheme http no longer requires a port (defaults to 80/443)
• [#3918] fix SNMP sessions showing up as LDAP too
• [#3919] Remove ftp protocol if we are sure smtp
• [#3923] Packets with more than 8 VLANs marked as corrupt
• [#3923] UDP packets enforce length correctly
• [#3924], [#3930] Remove trailing slash from wiseURL
• [#3927] Cap IMAP/SMTP/HTTP Header buffer lengths
• [#3932] Skip byte-based UDP classifiers on UDP/53 to avoid DNS false-matches
• [#3933] Reassemble TLS ClientHello across multiple QUIC Initial packets
• [#3935] Validate QUIC packet lengths

Cont3xt

• [#3928] Threatstream: ignore per-user host override unless user/key also per-user
• [#3928] csvjson: add 60s timeout and 1GB content/body limits on remote feed loads

Viewer

• [#3898] show error msg in spiview when All selected but not allowed
• [#3906] add copy button to History Elasticsearch Query section
• [#3908] fix download entire pcap missing filename
• [#3921] Fix Cap Restart graph markers, Session Detail labels slider width, Field Actions dropdown, Stats Shrink Index, and shortcut ($) autocomplete in search expression
• [#3928] Cap /api/sessions/summary length parameter at 1000
• [#3931] Remove last manualQuery option which wasn't implemented
• [#3934] Fix not handling sessions correctly with no PCAP

:arrow_down: Download Info :arrow_down:

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for Centos 8 or RHEL 8 not RHEL 9. A libssl version error means that most likely the wrong download was used for your Linux distribution and version, please double check. The moloch builds have the old filesystem layouts, we will stop providing the moloch builds in 2026. The EL 8 builds will stop in May 2026, please upgrade.