A db.pl upgrade is required when upgrading from Arkime 5 or earlier
Support Arkime's ongoing development! Become a GitHub Sponsor!
:sparkles: What's new :sparkles:
Known Bugs
- With offline pcaps, if you have a bpf filter in your config file, even an empty one, you must use --libpcap with capture
BREAKING
- #3138 settings parseSMTP & parseSMB removed, use disableParsers instead
- #3138 plugins must end with a supported extension, e.g. .so, .lua, .py
- #3138 setting luaFiles now defaults to no files
- #3212 with capture --scheme is now the default, use --libpcap for previous behaviour
- #3281 Remove Ubuntu 20.04 builds
- #3293 db.pl now requires a leading http:// or https:// in OpenSearch/Elasticsearch URLs
- #3306 WISE now requires webBasePath to be set if you use a non-default base path — set it in Arkime 5 before upgrading
- #3422 Cont3xt ThreatFox integration now requires an API key (free at https://auth.abuse.ch/)
- #3427 Capture now adds the first VLAN tag back to packets when saving to disk. This may affect existing BPF filters — set tpacketv3OldVlan=true to disable.
- #3468 Digest/Form users who haven't changed their password since Dec 2019 will not be able to log in. A userAdmin can reset their passwords.
- #3473 dnsOutputAnswers defaults to TRUE now
- #3488 When talking to remote viewers, only viewUrl is used now — webBasePath is no longer used
- #3492 Viewer now expires PCAPs even if pcapDir is not set, defaulting to /opt/arkime/raw. Previously, PCAPs were not expired when pcapDir was unset.
- #3552 Users now inherit the 7 extra permissions from their Roles unless explicitly overridden
- #3583 Fixed: IPv4 sessions with identical src and dst IP addresses may have had an incorrect community_id. Old sessions will retain the incorrect value.
- #3591 The geoLite2Country setting now looks for a City database file first by default
- #3601 The unkEthernet/unkIpProtocol plugins are removed. The saveUnknownPackets setting now saves unknown/corrupt packets as real Arkime sessions.
Release
- Node 22.22.0
- #3342 Container based on Debian 13 now
- Container includes geoipupdate
- docker.sh supports --ilm and --ism options
- #3502 FreeBSD builds
- #3518 easybutton defaults to --nothirdparty now
- #3718 Build for Ubuntu 26.04
- #3726 docker.sh supports --wait-for-db option
All
- Migrated to Vue3!! (misc PRs)
- Remove Webpack tech debt (misc PRs)
- #3286 support oidc end_session endpoint and token if logoutUrl not set, new logoutUrlMethod setting
- #3306 eslint upgraded to v9
- #3364 eslint vue files and enforce recommended rules
- #3468 remove support for old password storage
- #3476 new authJwsAlgorithm setting, defaults to RS256
- #3552 Users and Roles now inherit the 7 extra settings if not specifically set.
- #3747 New /api/appversion API
Capture
- #3138 lua plugin now autoloads *.lua scripts in parsers directory if lua plugin is used
- #3208 vlan id is now stored in order seen
- #3268 New python support, *.py scripts in parsers directory auto loaded, use disablePython=true to disable
- #3357 Basic SCTP support
- #3375 For WISE/Rules fields that are lower/upper case, capture updates string
- #3427 Add first vlan back to packet in AFPacket mode
- #3460 DNS compress pointer chaining max increased to 10
- #3461 New DHCP Session linking
- #3473 dnsOutputAnswers defaults to TRUE now
- #3479 Per thread compression to ES should help with busy capture
- #3481 ArkimePacket free list, should help with memory fragmentation on busy capture
- #3494 Update field friendlyNames in db if they don't match capture
- #3501 Added reader-bpf
- #3517 Netmap FreeBSD support
- #3547 Fix erspan vlan truncating at 7 bits instead of 12 bits
- #3566 fix the sessions length being off by 1ms sometimes
- #3583 Fix community_id for v4 sessions with same src/dst port sorting
- #3591 geoLite2Country setting now looks for City file first by default
- #3618 Fix S3 scheme prefix handling
- #3618 Fix S3 scheme not processing more than 1000 S3 items
- #3620 Simple DNS RRSIG/DS/NSEC parsing
- #3622 Added disableIp4Defrag setting
- #3623 Initial ES-IS protocol support
- #3624 saveUnknownPackets supports common strings
- #3630 tds7 protocol support
- #3637 Initial bacnet protocol support
- #3638 NTP protocol improvements
- #3640 Initial isakmp protocol support
- #3642 Initial tftp protocol support
- #3643 Improved rdp parser
- #3644 Improved snmp parser
- #3645 Improved mqtt parser
- #3651 Added basic sip parser
- #3652 Added basic stun parser
- #3653, #3666 Improve krb5 parser
- #3654 Added turn support to stun parser
- #3655 Handle different quic salts for draft23, draft29, v2
- #3655 More ssdp keywords
- #3656 Parse udp facebook quic
- #3657 Added classifiers for: plex-gdm, samsung-smartview, whatsapp, ubiquiti-ubnt, xid
- #3659 Added classifier for nbds and parser for nbns
- #3660 Added basic ptp parser
- #3661 Added isakmp cert decoding
- #3663 Added dcerpc parsing
- #3668 Added basic dnp3 parsing
- #3670 Added basic wireguard classifier
- #3672 Added some telecom protocols: m3ua, sccp, tcap, camel, diameter
- #3676 Added basic imap parser
- #3677 Align structures and remove unimportant atomic counts to help when using large number of packetThreads
- #3678 Added classifier: gearman, esio; parser: pana
- #3681 Added synchrophasor parser
- #3682 Added s7comm parser
- #3686 Added websocket detection
- #3687 Added c122 parser
- #3699 writer-s3 always uses 0xffff for snapLen now
- #3699 writer-s3 fix gzip memory leak
- #3702 support redis:// for config
- #3706 Don't close stdin after using "-" for filename
- #3706 Cert UTCTime/GeneralizedTime offset parsing fixes
- #3706 Fix rules _dropBySession not working consistently
- #3709 Fix scheme mode only queueing up to two files for later
- #3710 Fix SCTP chunk alignment, add maxSctpOutOfOrderPackets setting and check
- #3711 Fix SCTP databytes
- #3711 Fix SCTP protoid should be 32 bits
- #3724 fix ja4plus plugin to match rust implementation for edge cases
- #3731 fix crash on quit when freeing http zstrm data structures
- #3731 fix dedup increase message having incorrect values
- #3731 performance improvements with dedup and arkime_memcasestr
- #3739 disablePython defaults to true now
Capture/Viewer
- #3197 new sessionsStarted and sessionsPresent in files tab
- #3210 new vlan.dot1q and vlan.dot1ad expressions
- #3308 City and Region from MMDB
- #3434 SCTP protoId
- #3463 Added dhcp.classId
- #3464 Added id for dhcpv6
- #3465 Added dhcp.requestIp
- #3566 New packetRange field to support spanning timeline display
- #3601 Save corrupt and unknown sessions as real Arkime sessions based on saveUnknownPackets
Contrib
- #3637 increased max tzsp-forwarder packet to 64000
- #3674 added new netflow2arkime.pl script
ESProxy
- #3750 fix httpsAgent race condition with client certificates
Viewer
- #3326 BIG search expression
- #3343 Basic internationalization support (most translations contributed by Cursor using Claude 4 Sonnet)
- #3341 Check files index mapping on start
- #3366 Sankey diagram on SPI Graph page
- #3374 Allow multiviewer to change password if usersElasticsearch is set
- #3376 multiviewer logs history for only clusters selected
- #3399 Now track ES node ids in dstats so on Shards tab we can show which node is missing for node_left. ES should do this for us!
- #3423 Periodic Queries and Hunts can now notify on multiple notifiers
- #3439 multiviewer config now supports defaultCluster setting
- #3474 support 15 and 30 minute query time ranges
- #3488 only use viewUrl for remote URL
- #3492,#3536 default pcapDir to /opt/arkime/raw
- #3495 Speed improvements for adding/removing tags and exporting CSV
- #3497 Process pcap files in blocks for speed improvements
- #3498 Optimize pcap reassembly memory usage for speed improvements
- #3522 Can set max scrolls and display current scrolls
- #3528 IP OR array queries should be more efficient now
- #3567 Hunts allow updating of fields while running
- #3728 support expression autocomplete more places
- #3742 ArkimeTables support i18n
- #3743 Consistent expression parser error messages
Parliament
- #3395 Low disk space monitoring for capture and ES hosts
- #3395 Navbar ES status indicator cycles through clusters with issues w/highlighting
- #3395 Clickable issue table rows navigate to node stats
- #3395 Issue filters persist in URL parameters
- #3395 Toggle to show/hide all issues
- #3395 Display ES version in cluster tooltips
Cont3xt
- #3405 Keyword/regex highlighting in integration and overview cards via ?highlight= parameter or via Search bar mode selector to switch between query search and highlight pattern modes
- #3422 ThreatFox integration
- #3421 Zetalytics integration
- #3406 Domain Tools Whois Integration
- #3410 crt.sh integration
- #3407 Greynoise malicious tidbit
Multies
- #3430 Handle when ES cluster returns 503 better
WISE
- #3435 New wise urlapi source
db.pl
- #3581 New db.pl show-nodes command
- #3600 The init/wipe/upgrade commands warn if using different settings
- #3603 Support repairing bad mapping with stats index
:arrow_down: Download Info :arrow_down:
We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means that the wrong download was used for your Linux distribution and version; please double-check. The moloch builds have the old filesystem layouts, and we will stop providing the moloch builds in 2026. The EL 8 builds will stop in April 2026; please upgrade.