Installation Instructions | 5.x -> 6.x Upgrade Instructions | FAQ | CHANGELOG | JA4+ Install | Docker Install
A db.pl upgrade is required when upgrading from Arkime 5 or earlier
Support Arkime's ongoing development! Become a GitHub Sponsor!
:sparkles: What's new :sparkles:
Breaking
- [#3967] All header* auth modes (header, header-jwt, headerOnly, header+digest, header+basic) now default userAuthIps to localhost-only when not explicitly configured
- [#3982] docker.sh: TLS verification is now enforced by default for Elasticsearch/OpenSearch connections, use `--insecure` to skip verification
- [#3983] multies now defaults `multiESHost` to `127.0.0.1` instead of binding to all interfaces.
Release
- [#3941] Move to using curl instead of wget everywhere and now depend on curl package
- [#3975] Node 22.22.3
All
- [#3951] Fix UTF-8 mojibake in user names auto-created via header auth (e.g. behind Caddy/oauth2-proxy)
Capture
- [#3954] Add trimEthernetPadding option to strip Ethernet padding/FCS so saved pcap and byte counts match the on-wire IP length
- [#3957] Save new sessions midway even when not writing packets
- [#3958] Add stateDir config option (default /tmp) for capture state files (drophash, stoppedsessions)
- [#3958] State files now opened with O_NOFOLLOW to prevent symlink attacks
- [#3958] PCAP files now opened with O_NOFOLLOW to prevent symlink attacks
- [#3962] Improved websocket parser; adds websocket.* fields and websocketTextSampleCnt config option
- [#3963] Improved mDNS parsing: handle aggregated queries, unsolicited responses, and flags
- DNS TXT records now capture multiple items
- [#3965] Add diameter.resultCode field (AVP 268) for 4G/5G core auth/error tracking
- [#3965] Add dnp3.funcName and s7comm.funcName decoded ICS function-code names
- [#3965] Add mqtt.connackCode for CONNACK return/reason codes
- [#3965] Add snmp.engineId and snmp.secLevel SNMPv3 fields
- [#3966] Add enip parser
- [#3969] Include up to 12 bytes of UDP payload in the packet dedup hash so RTP and other UDP traffic with identical headers is no longer over-deduplicated
- [#3970] Added full OpenVPN classifier/parser
- [#3972] Improved STUN/TURN parser: extract XOR-PEER-ADDRESS, more methods, and stun.attributes field
- [#3973] Improved OSPF parser: per-(src,dst) sessions and ospf.msgType/routerId/areaId fields, tag weak auth
- [#3977] Improved RADIUS parser: extract radius.msgType, radius.nasIp, and radius.nasPort
- [#3978] New FTP parser: detect multi-line 220- banners and add ftp.banner, ftp.command, ftp.filename, ftp.responseCode fields; tag ftp:password when PASS is seen
- [#3985] Add shared NTLMSSP decoder with ntlm.* fields, wired into SMB, HTTP, LDAP, DCE-RPC, SMTP, IMAP, POP3, and TDS parsers
- [#3985] Add new POP3 parser that captures USER name and NTLM auth blobs
- [#3988] Fix command-socket `--notify` without `--flush` crashing capture
- [#3988] Fix crash when using rules with bpfs and different DLTs without using `--flush`
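The two #3958 entries above open state and pcap files with `O_NOFOLLOW`. The following is an added example, not Arkime's own code, showing what that flag changes: a scratch directory (constructed, under `/tmp`) gets a file `victim` and a symlink `drophash` pointing at it, and the link is opened once with `O_NOFOLLOW` and once without. The function names and paths are assumptions for the demonstration.

```c
/* Added example, not Arkime's own code: shows what O_NOFOLLOW buys when a
 * capture process opens state or pcap files under a shared directory such
 * as /tmp. A symlink planted at the expected path would otherwise redirect
 * the write to whatever the link points at. All paths are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened open: refuse to follow a symlink in the final path component.
 * On a symlink, open() fails with ELOOP instead of writing the target. */
int open_state_file_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
}

/* Pre-hardening open for comparison: silently follows the symlink. */
int open_state_file_follow(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Builds a scratch directory holding "victim" and a symlink
 * "drophash" -> victim, then opens the link both ways.
 * Returns 1 when O_NOFOLLOW refuses the link with ELOOP while the plain
 * open follows it, 0 otherwise. Removes the scratch files before returning. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";   /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 0;

    char victim[512], linkpath[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/drophash", dir);

    int result = 0;
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd >= 0) close(vfd);

    if (vfd >= 0 && symlink(victim, linkpath) == 0) {
        int nofollow_fd = open_state_file_nofollow(linkpath);
        int nofollow_errno = errno;               /* only meaningful on -1 */
        int follow_fd = open_state_file_follow(linkpath);

        if (nofollow_fd == -1 && nofollow_errno == ELOOP && follow_fd >= 0)
            result = 1;

        if (nofollow_fd >= 0) close(nofollow_fd);
        if (follow_fd >= 0) close(follow_fd);
        unlink(linkpath);
    }
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("O_NOFOLLOW refused planted symlink: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

`O_NOFOLLOW` only guards the final path component; a symlinked parent directory is still followed. That is why the new `stateDir` option pairs well with it: pointing state files at a directory owned by the capture user, rather than the default `/tmp`, removes the shared-directory exposure that the flag alone does not cover.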
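For the #3969 dedup change above, here is an added example, not Arkime's own code, of why hashing the first 12 bytes of UDP payload matters for RTP. Two consecutive RTP packets of one voice stream are constructed with identical IP/UDP headers and differ only in the RTP sequence number; a header-only hash treats them as duplicates, while a hash that also covers 12 payload bytes (exactly one fixed RTP header) tells them apart. The hash function (FNV-1a) and the set of header fields are assumptions for the demonstration, not Arkime's actual dedup key.

```c
/* Added example, not Arkime's own code: illustrates folding the first
 * 12 bytes of UDP payload into the packet dedup hash. FNV-1a and the
 * chosen header fields are assumptions; the RTP packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEDUP_PAYLOAD_BYTES 12   /* covers one fixed-size RTP header */

/* Constructed subset of IPv4/UDP header fields used for dedup. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port, ip_id, udp_len;
    const uint8_t *payload;
    size_t payload_len;
} udp_pkt_t;

/* 64-bit FNV-1a, continued from a running hash value. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t len) {
    const uint8_t *p = (const uint8_t *)data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Header-only hash: the pre-change behaviour. */
uint64_t dedup_hash_headers(const udp_pkt_t *p) {
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a(h, &p->src_ip, sizeof p->src_ip);
    h = fnv1a(h, &p->dst_ip, sizeof p->dst_ip);
    h = fnv1a(h, &p->src_port, sizeof p->src_port);
    h = fnv1a(h, &p->dst_port, sizeof p->dst_port);
    h = fnv1a(h, &p->ip_id, sizeof p->ip_id);
    h = fnv1a(h, &p->udp_len, sizeof p->udp_len);
    return h;
}

/* Post-change hash: headers plus up to 12 bytes of payload. */
uint64_t dedup_hash_with_payload(const udp_pkt_t *p) {
    size_t n = p->payload_len < DEDUP_PAYLOAD_BYTES ? p->payload_len
                                                    : DEDUP_PAYLOAD_BYTES;
    return fnv1a(dedup_hash_headers(p), p->payload, n);
}

/* Fill a 12-byte RTP header (V=2, PT=0, SSRC 0xdeadbeef) with the given
 * sequence number; every other field, including IP/UDP headers, is fixed. */
static void make_rtp(udp_pkt_t *p, uint8_t buf[12], uint16_t seq) {
    memset(buf, 0, 12);
    buf[0] = 0x80;                 /* version 2, no padding/extension/CSRC */
    buf[1] = 0x00;                 /* payload type 0 (PCMU) */
    buf[2] = (uint8_t)(seq >> 8);  /* sequence number, big endian */
    buf[3] = (uint8_t)(seq & 0xff);
    buf[8] = 0xde; buf[9] = 0xad; buf[10] = 0xbe; buf[11] = 0xef;
    p->src_ip = 0x0a000001; p->dst_ip = 0x0a000002;  /* 10.0.0.1 -> 10.0.0.2 */
    p->src_port = 5004; p->dst_port = 5004;
    p->ip_id = 0;                  /* many stacks send UDP with IP ID 0 */
    p->udp_len = 8 + 12;
    p->payload = buf; p->payload_len = 12;
}

/* 1 if two consecutive RTP packets collide under the header-only hash. */
int rtp_collides_headers_only(void) {
    uint8_t a[12], b[12]; udp_pkt_t pa, pb;
    make_rtp(&pa, a, 1); make_rtp(&pb, b, 2);
    return dedup_hash_headers(&pa) == dedup_hash_headers(&pb);
}

/* 1 if the same two packets are told apart once payload is hashed. */
int rtp_distinct_with_payload(void) {
    uint8_t a[12], b[12]; udp_pkt_t pa, pb;
    make_rtp(&pa, a, 1); make_rtp(&pb, b, 2);
    return dedup_hash_with_payload(&pa) != dedup_hash_with_payload(&pb);
}
```

The collision is not a quirk of the toy hash: for a voice stream the IP/UDP headers genuinely do not change from packet to packet, and the only moving parts (RTP sequence number and timestamp) sit inside the first 12 payload bytes, so a header-only key silently drops most of the stream as "duplicates".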
Multies
- [#3983] Support optional HTTP Basic auth via the new `multiESBasicAuth` setting
WISE
- [#3968] Improve JSON Array Parsing: shortcut paths now expand arrays at any intermediate position, not just the final value
:arrow_down: Download Info :arrow_down:
We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means the wrong download was used for your Linux distribution and version, so please double check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026.