Arkime

v6.4.0 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 14d Network Security
✓ No known CVEs patched

Topics

big-data c javascript network-monitoring nsm packet-capture pcap security

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Breaking changes to header auth defaults and Docker TLS; Capture adds parsers (ENIP, OpenVPN, RADIUS, FTP, STUN/TURN, OSPF, MQTT, SNMPv3) plus stateDir config; Multies gains HTTP Basic auth; WISE improves JSON array parsing.

Changes in this release

Breaking Medium

All header auth modes default userAuthIps to localhost-only when not explicitly configured.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Breaking Medium

docker.sh enforces TLS verification for Elasticsearch/OpenSearch connections by default.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Breaking Medium

multies defaults multiESHost to 127.0.0.1 instead of binding to all interfaces.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added trimEthernetPadding option to strip Ethernet padding/FCS from saved PCAPs.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Improved websocket parser adds websocket.* fields and websocketTextSampleCnt config option.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Improved mDNS parsing handles aggregated queries, unsolicited responses, and flags.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added diameter.resultCode field (AVP 268) for 4G/5G core auth/error tracking.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added dnp3.funcName and s7comm.funcName decoded ICS function-code names.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added mqtt.connackCode for CONNACK return/reason codes.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added snmp.engineId and snmp.secLevel SNMPv3 fields.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added enip parser.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added full OpenVPN classifier/parser.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Improved STUN/TURN parser extracts XOR-PEER-ADDRESS, more methods, and stun.attributes field.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Improved OSPF parser with per-(src,dst) sessions and ospf.msgType/routerId/areaId fields, tags weak auth.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Improved RADIUS parser extracts radius.msgType, radius.nasIp, and radius.nasPort.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

New FTP parser detects multi-line 220- banners and adds ftp.banner, ftp.command, ftp.filename, ftp.responseCode fields; tags ftp:password when PASS is seen.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Added shared NTLMSSP decoder with ntlm.* fields, wired into multiple parsers.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Improve JSON Array Parsing: shortcut paths now expand arrays at any intermediate position.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

State files opened with O_NOFOLLOW to prevent symlink attacks.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

PCAP files now opened with O_NOFOLLOW to prevent symlink attacks.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

DNS TXT records now capture multiple items.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Include up to 12 bytes of UDP payload in packet dedup hash for RTP and similar traffic.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

New POP3 parser captures USER name and NTLM auth blobs.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

multies supports optional HTTP Basic auth via multiESBasicAuth setting.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Low

System now depends on curl package; wget replaced with curl everywhere.

Source: granite4.1:30b@2026-05-20-audit

Confidence: high

Feature Low

Added stateDir config option (default /tmp) for capture state files.

Source: granite4.1:30b@2026-05-20-audit

Confidence: high

Feature Low

Capture still saves new sessions midway even when not writing packets.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

Added shared NTLMSSP decoder with ntlm.* fields, integrated into SMB, HTTP, LDAP, DCE-RPC, SMTP, IMAP, POP3, and TDS parsers.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Bugfix Medium

Fix command-socket `--notify` without `--flush` crashing capture.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fix crash when using rules with bpfs and different DLTs without `--flush`.

Source: granite4.1:30b@2026-05-20-audit

Confidence: high

Bugfix Low

Fix UTF-8 mojibake in user names auto-created via header auth.

Source: granite4.1:30b@2026-05-20-audit

Confidence: high

Other Low

Node.js upgraded to version 22.22.3.

Source: granite4.1:30b@2026-05-20-audit

Confidence: high

Full changelog

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

Support Arkime's ongoing development! Become a GitHub Sponsor!

What's new

Breaking

  • #3967 All header* auth modes (header, header-jwt, headerOnly, header+digest, header+basic) now default userAuthIps to localhost-only when not explicitly configured
  • #3982 docker.sh: TLS verification is now enforced by default for Elasticsearch/OpenSearch connections, use --insecure to skip verification
  • #3983 multies now defaults multiESHost to 127.0.0.1 instead of binding to all interfaces.

Release

  • #3941 Move to using curl instead of wget everywhere and now depend on curl package
  • #3975 Node 22.22.3

All

  • #3951 Fix UTF-8 mojibake in user names auto-created via header auth (e.g. behind Caddy/oauth2-proxy)

Capture

  • #3954 Add trimEthernetPadding option to strip Ethernet padding/FCS so saved pcap and byte counts match the on-wire IP length
  • #3957 Even when not writing packets still save new sessions midway
  • #3958 Add stateDir config option (default /tmp) for capture state files (drophash, stoppedsessions)
  • #3958 State files now opened with O_NOFOLLOW to prevent symlink attacks
  • #3958 PCAP files now opened with O_NOFOLLOW to prevent symlink attacks
  • #3962 Improved websocket parser; adds websocket.* fields and websocketTextSampleCnt config option
  • #3963 Improved mDNS parsing: handle aggregated queries, unsolicited responses, and flags
  • DNS TXT records now capture multiple items
  • #3965 Add diameter.resultCode field (AVP 268) for 4G/5G core auth/error tracking
  • #3965 Add dnp3.funcName and s7comm.funcName decoded ICS function-code names
  • #3965 Add mqtt.connackCode for CONNACK return/reason codes
  • #3965 Add snmp.engineId and snmp.secLevel SNMPv3 fields
  • #3966 Add enip parser
  • #3969 Include up to 12 bytes of UDP payload in the packet dedup hash so RTP and other UDP traffic with identical headers is no longer over-deduplicated
  • #3970 Added full OpenVPN classifier/parser
  • #3972 Improved STUN/TURN parser: extract XOR-PEER-ADDRESS, more methods, and stun.attributes field
  • #3973 Improved OSPF parser: per-(src,dst) sessions and ospf.msgType/routerId/areaId fields, tag weak auth
  • #3977 Improved RADIUS parser: extract radius.msgType, radius.nasIp, and radius.nasPort
  • #3978 New FTP parser: detect multi-line 220- banners and add ftp.banner, ftp.command, ftp.filename, ftp.responseCode fields; tag ftp:password when PASS is seen
  • #3985 Add shared NTLMSSP decoder with ntlm.* fields, wired into SMB, HTTP, LDAP, DCE-RPC, SMTP, IMAP, POP3, and TDS parsers
  • #3985 Add new POP3 parser that captures USER name and NTLM auth blobs
  • #3988 Fix command-socket --notify without --flush crashing capture
  • #3988 Fix crash when using rules with bpfs and different DLTs without using --flush

Multies

  • #3983 Support optional HTTP Basic auth via the new multiESBasicAuth setting

WISE

  • #3968 Improve JSON Array Parsing: shortcut paths now expand arrays at any intermediate position, not just the final value

Download Info

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means the wrong download was used for your Linux distribution and version; please double-check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026.

Breaking Changes

  • header* auth modes now default userAuthIps to localhost-only when not explicitly configured
  • docker.sh enforces TLS verification for Elasticsearch/OpenSearch by default; use `--insecure` to skip
  • `multiESHost` in multies defaults to `127.0.0.1` instead of binding to all interfaces

About Arkime

Arkime is an open source, large scale, full packet capturing, indexing, and database system.
