Moloch v2.0 released: open source, large scale, full packet capturing, indexing, and database system

Moloch is an open source, large scale, full packet capturing, indexing, and database system. Moloch augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access. An intuitive and simple web interface is provided for PCAP browsing, searching, and exporting. Moloch exposes APIs which allow PCAP data and JSON formatted session data to be downloaded and consumed directly. Moloch stores and exports all packets in standard PCAP format, allowing you to also use your favourite PCAP ingesting tools, such as Wireshark, during your analysis workflow.

Access to Moloch is protected by using HTTPS with digest passwords or by using an authenticating web server proxy in front of it. All PCAPs are stored on the sensors and are only accessed using the Moloch interface or API. Moloch is not meant to replace an IDS but instead to work alongside it, storing and indexing all the network traffic in standard PCAP format and providing fast access. Moloch is built to be deployed across many systems and can scale to handle tens of gigabits/sec of traffic. PCAP retention is based on available sensor disk space. Metadata retention is based on the Elasticsearch cluster scale. Both can be increased at any time and are under your complete control.

Sessions Tab

SPI View Tab


Here are some sample deployments of Moloch for different network architectures. Most folks will probably run a hybrid of the following since no one solution fits all. Capturing can be scaled horizontally by adding more capture machines, vertically by adding more CPUs/disk, or both. We usually recommend scaling horizontally unless physically space-constrained, and using a network packet broker in front of multiple machines. However, it is possible to use big machines with lots of CPU/disk and run moloch-capture with more threads.


  • A box represents a physical machine.
  • It is possible to run multiple capture processes per machine or to have a single capture process listening on multiple interfaces – (FAQ Answer)
  • “Big Data” style boxes are recommended for capture – (FAQ Answer)
  • Run multiple Elasticsearch processes per machine, since each ES node should be configured to use at most 30G – (FAQ Answer)
  • Except for single host deployments, it is recommended that all operator access flows through a single Apache/viewer combination, which provides better authentication, logging, and a single choke point – (FAQ Answer)


  • All ES instances should have iptables rules for ports 9200-920N and 9300-930N, where N is the number of ES instances per machine, that only allow the other Elasticsearch, capture and viewer machines to connect
  • All viewer hosts, except the apache/viewer box, should have iptables rules for port 8005 that only allow other viewer machines to connect. The viewer must listen on an OS network interface rather than localhost if using multiple machines
  • The shared viewer instance can listen on localhost since only apache talks to it
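The iptables guidance above, as an added example that is not part of the Moloch project or this post: a small POSIX sh script that generates the ACCEPT/DROP rule set for an ES host and for a non-shared viewer host from a list of allowed peer addresses. The port ranges 9200-920N and 9300-930N are taken literally from the notes (9200 through 9200+N), and the viewer port 8005 is from the notes; the peer addresses, function names and the APPLY switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Moloch project code): build the iptables rules the
# deployment notes call for. Assumptions: N ES instances per machine listen on
# 9200-920N (HTTP) and 9300-930N (transport); viewers listen on 8005.
# Peer addresses below are constructed placeholders.

# Emit one ACCEPT rule per allowed peer for a TCP port range, then a DROP
# for everyone else on that range. Output is one iptables command per line;
# iptables -A appends, so the ACCEPTs are evaluated before the DROP.
allow_range_from_peers() {
  first="$1" last="$2"; shift 2
  for peer in "$@"; do
    printf 'iptables -A INPUT -p tcp -s %s --dport %s:%s -j ACCEPT\n' \
      "$peer" "$first" "$last"
  done
  printf 'iptables -A INPUT -p tcp --dport %s:%s -j DROP\n' "$first" "$last"
}

# ES host: lock down both port ranges to the other ES, capture and viewer machines.
moloch_es_rules() {
  n="$1"; shift
  allow_range_from_peers 9200 $((9200 + n)) "$@"
  allow_range_from_peers 9300 $((9300 + n)) "$@"
}

# Non-shared viewer host: port 8005 reachable only from the other viewer machines.
moloch_viewer_rules() {
  allow_range_from_peers 8005 8005 "$@"
}

# Print the rules by default; run them when APPLY=1 (needs root).
emit_or_apply() {
  if [ "${APPLY:-0}" = 1 ]; then
    while IFS= read -r rule; do sh -c "$rule"; done
  else
    cat
  fi
}

# Constructed sample deployment: two ES instances per machine, peers listed inline.
ES_PEERS="10.0.0.11 10.0.0.12 10.0.0.21 10.0.0.31"   # other ES, capture, apache/viewer
VIEWER_PEERS="10.0.0.31"                              # the apache/viewer box
moloch_es_rules 2 $ES_PEERS | emit_or_apply
moloch_viewer_rules $VIEWER_PEERS | emit_or_apply
```

Run it without APPLY to review the generated rules first; the trailing DROP per range is what turns the allow-list into a real restriction, and on a host whose INPUT chain already defaults to DROP it is harmless but redundant.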

Single Host

Multiple Hosts Monitoring Multiple Network Segments

Multiple Hosts Monitoring High Traffic Networks


  • Using a Network Packet Broker (NPB) allows traffic to be load balanced and recombined. This is especially useful in HA or asymmetric routing cases.
  • By using an NPB, other security devices can see the same traffic Moloch sees.
  • When running multiple moloch-captures on the same host, make sure the IO doesn’t overwhelm the disk and other subsystems.
  • Use a TAP with high traffic networks, since many mirror ports drop traffic under heavy load.
  • Operators use an apache-fronted viewer and don’t hit the other viewers directly. Apache provides the authentication.
  • Lock down ES and the Moloch viewer with iptables.

Multiple Clusters


  • It is possible for several clusters to share a single ES cluster by using the prefix= ini configuration.
  • Operators use apache-fronted viewers and don’t hit the other viewers directly. Apache provides the authentication and can use virtual paths to route to different clusters.
  • NPBs are recommended for high traffic networks.

Changelog v2.0

– NOTICE: This version requires ES 6.7.x (6.8.2+/7.3+ recommended) or later
– NOTICE: upgrade is required, see
– release – cyberchef 8.30.0, node 10.16.2, yara 3.10.0
– release – include sample headers parsing and turn them on by default
– release – easybutton supports osx
– all – Fix some elasticsearch deprecation warnings
– all – elasticsearch 7 support
– db – backup command now saves meta data so restore can do a rollback (thanks codesniffer)
– db – improve optimize to deal with connection closed better
– parliament – Can configure multiple of each type of notifier
– viewer – Can display pcap retention in Capture Stats tab
– viewer – Added uploadFileSizeLimit
– viewer – Can interact with users in multiES if usersElasticsearch is set
– viewer – Can just delete SPI
– viewer – Added shortcuts feature
– viewer – add bytes as a graphing choice
– viewer – support ip == ipv4 and ip == ipv6 expressions
– viewer – pivot dropdown option in spiview (issue #1135)
– viewer – optional millisecond display
– viewer – Support view parameter for unique/multiunique
– viewer – Support ES client auth and insecure better (thanks Scott)
– viewer – Lots of stats summing, avg, sorting fixes
– capture – Initial ipv6 gtp support
– capture – no longer send packet lengths to ES by default (enablePacketLen)
– capture – add truncated-pcap tag to sessions where all pcap isn’t written
– capture – fixed ja3s mishandling of 10/11 extension types (thanks Norwegian Healthcare CERT)
– capture – fixed ja3 mishandling of 11 extension types (thanks Norwegian Healthcare CERT)
– capture – Added startsWith,contains,endsWith rule expression modifier
– capture – honor the caTrustFile directive (thanks Matt)
– capture – fix data bytes calculations for icmp/udp (thanks Brian)
– capture – initial vxlan support
– capture – Myricom/AFPacket improvements (thanks Scott)
– capture – updates to classifiers: telnet, mpls
– suricata – support timezones and slashes in signatures better
– suricata – support huge alert lines
– wise – support arrays for json elements

Download && Tutorial

Copyright 2012-2017 AOL Inc

Anastasis Vasileiadis


SC ProDefence SRL - Cyber Security Services