🛰️ Network detection (NIDS/NDR)

Arkime

Full packet capture, indexed and searchable like a SIEM.

Difficulty: Advanced · Setup time: Half a day · Cost: Free (Apache 2.0 license)

Why use it

Arkime captures every packet on the wire and indexes the metadata in OpenSearch so you can pivot from any session to its raw PCAP in seconds. It's how you actually answer "what did that attacker do" rather than "they touched something".

What you get

  • Lossless packet capture at line rate
  • Searchable session metadata (src/dst, ports, bytes, JA3)
  • One-click PCAP export per session
  • Tagging and hunt workflows
  • Integration with Suricata alerts as overlay

System requirements

CPU: 8 cores recommended
RAM: 16 GB+
Disk: 1 TB+ (NVMe strongly recommended)
OS: Linux
Docker: Yes

Installation

Use the official ISO or run on a dedicated Linux box. Install OpenSearch, then Arkime's capture and viewer. Configure your SPAN interface in /opt/arkime/etc/config.ini. Run db.pl http://localhost:9200 init once, then start the capture and viewer services.

Suggested configuration

Size the disk for at least 7 days of full PCAP at your peak traffic — homelabs typically need 500 GB to 2 TB. Use BPF filters to drop video and streaming traffic if you're tight on space. Enable rules-based tagging so that Suricata alerts highlight the relevant sessions.
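Putting the installation steps and the sizing advice above into one place, here is an added example of a homelab /opt/arkime/etc/config.ini fragment (it is not from the Arkime project or this page). The key names are Arkime config.ini settings; every value, the interface name, the file paths and the 203.0.113.0/24 CDN placeholder are assumptions for a small deployment.

```ini
# Added example, not Arkime's shipped config: a homelab config.ini
# fragment that follows the install and sizing advice above.
# All values are assumptions; adjust them to your own box.
[default]
# OpenSearch the capture process indexes into and the viewer reads from
# (the same URL you passed to db.pl ... init)
elasticsearch=http://localhost:9200

# SPAN / mirror port the capture process listens on (assumed name)
interface=eth1

# Where full PCAP is written (assumed path); 12 GB files rotate often
# enough that a single session's file is easy to export and copy
pcapDir=/opt/arkime/raw
maxFileSizeG=12

# Retention is driven by free space: when the pcapDir filesystem falls
# below this, the oldest PCAP files are deleted first.
# Sizing check (constructed figures): ~10 Mbps average is ~1.25 MB/s,
# ~108 GB/day, ~756 GB for 7 days, so a 2 TB disk leaves burst headroom.
freeSpaceG=5%

# Drop bulk streaming before it reaches disk. 203.0.113.0/24 is an
# RFC 5737 placeholder: replace it with the CDN ranges your own sessions
# show, and test the expression with tcpdump before relying on it.
bpf=not (net 203.0.113.0/24 and (tcp port 443 or udp port 443))

# Suricata EVE overlay: alerts matching a session are attached to it
# (plugin name and EVE path are assumptions; check your Suricata output)
plugins=suricata.so
suricataAlertFile=/var/log/suricata/eve.json

# Rules file for tagging sessions, e.g. to flag alerted sessions for hunts
# (assumed path; the rules themselves live in that YAML file)
rulesFiles=/opt/arkime/etc/rules.yaml
```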

Integration ideas

  • Overlay Suricata EVE alerts on Arkime sessions
  • Pivot from a SIEM alert to the matching PCAP
  • Feed file extractions into VirusTotal lookups

Alternatives

  • Stenographer — Lower-overhead PCAP writer, no UI.
  • tcpdump + manual workflow — Free and simple, no search.

Cyentrix verdict

The "I want to see exactly what happened" tool. Heavy on disk and ops, but worth every byte after your first real incident.