Release history

Arkime releases

Arkime is an open source, large scale, full packet capturing, indexing, and database system.

All releases

Review required
v6.4.0 Breaking risk
Auth RBAC Breaking upgrade

Header auth, Docker TLS, Capture parsers, Multies basic auth, WISE

v6.3.1 Breaking risk
⚠ Upgrade required
  • A db.pl upgrade is required when upgrading from Arkime 5 or earlier
  • Refer to the [5.x -> 6.x Upgrade Instructions](https://arkime.com/faq#how_do_i_upgrade_to_arkime_6) for detailed steps
Breaking changes
  • ArkimeParserBuf_t.buf is now a heap‑allocated pointer (uint8_t *buf[2]); use pb->bufSize[which] instead of sizeof(pb->buf[which])
Full changelog

Installation Instructions | 5.x -> 6.x Upgrade Instructions | FAQ | CHANGELOG | JA4+ Install | Docker Install

Support Arkime's ongoing development! Become a GitHub Sponsor!

:sparkles: What's new 6.3.1 :sparkles:

Capture

  • #3940 Fix ISAKMP parser on UDP/4500 (NAT-T) misparsing ESP packets without the non-ESP marker

Viewer

  • #3942 Fix hiding packets when we shouldn't

:sparkles: What's new 6.3.0 :sparkles:

BREAKING

  • #3911 ArkimeParserBuf_t.buf is now a heap-allocated pointer (uint8_t *buf[2]). You must use pb->bufSize[which] instead of sizeof(pb->buf[which])

All

  • #3920 Log more information on role failures

Capture

  • #3910 Corrupt UDP packets could have invalid byte counts
  • #3910 TCP DNS packets might not be parsed correctly depending on segmentation
  • #3911, #3913 TCP sequence wrapping tests and improvements
  • #3912 Fix IKEv2 encryption/hash parsing
  • #3913 Fix WISE plugin skipping fields after array-typed fields
  • #3913 Fix S3 listing deadlock when bucket/prefix is empty
  • #3914 Fix ASN.1 OID decoding of first arc per X.690
  • #3916 Improved NTP and IS-IS parsing
  • #3917 Improved LUA ip handling
  • #3917 Add DHCPv6 relay parsing
  • #3917 Improved SMB parsing of share/filename
  • #3917 Improved SNMP GetBulkRequest parsing
  • #3917 Extract VNI from GENEVE tunnels
  • #3918 scheme http no longer requires a port (defaults to 80/443)
  • #3918 fix SNMP sessions showing up as LDAP too
  • #3919 Remove ftp protocol if we are sure smtp
  • #3923 Packets with more than 8 VLANs marked as corrupt
  • #3923 UDP packets enforce length correctly
  • #3924, #3930 Remove trailing slash from wiseURL
  • #3927 Cap IMAP/SMTP/HTTP Header buffer lengths
  • #3932 Skip byte-based UDP classifiers on UDP/53 to avoid DNS false-matches
  • #3933 Reassemble TLS ClientHello across multiple QUIC Initial packets
  • #3935 Validate QUIC packet lengths

Cont3xt

  • #3928 Threatstream: ignore per-user host override unless user/key also per-user
  • #3928 csvjson: add 60s timeout and 1GB content/body limits on remote feed loads

Viewer

  • #3898 show error msg in spiview when All selected but not allowed
  • #3906 add copy button to History Elasticsearch Query section
  • #3908 fix download entire pcap missing filename
  • #3921 Fix Cap Restart graph markers, Session Detail labels slider width, Field Actions dropdown, Stats Shrink Index, and shortcut ($) autocomplete in search expression
  • #3928 Cap /api/sessions/summary length parameter at 1000
  • #3931 Remove last manualQuery option which wasn't implemented
  • #3934 Fix not handling sessions correctly with no PCAP

:arrow_down: Download Info :arrow_down:

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means the wrong download was used for your Linux distribution and version; please double check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026. The EL 8 builds will stop in May 2026; please upgrade.

v6.3.0 Breaking risk
Breaking changes
  • db.pl upgrade required for migrations from Arkime 5 or earlier
Full changelog

:sparkles: What's new :sparkles:

BREAKING

  • #3911 ArkimeParserBuf_t.buf is now a heap-allocated pointer (uint8_t *buf[2]). You must use pb->bufSize[which] instead of sizeof(pb->buf[which])

All

  • #3920 Log more information on role failures

Capture

  • #3910 Corrupt UDP packets could have invalid byte counts
  • #3910 TCP DNS packets might not be parsed correctly depending on segmentation
  • #3911, #3913 TCP sequence wrapping tests and improvements
  • #3912 Fix IKEv2 encryption/hash parsing
  • #3913 Fix WISE plugin skipping fields after array-typed fields
  • #3913 Fix S3 listing deadlock when bucket/prefix is empty
  • #3914 Fix ASN.1 OID decoding of first arc per X.690
  • #3916 Improved NTP and IS-IS parsing
  • #3917 Improved LUA ip handling
  • #3917 Add DHCPv6 relay parsing
  • #3917 Improved SMB parsing of share/filename
  • #3917 Improved SNMP GetBulkRequest parsing
  • #3917 Extract VNI from GENEVE tunnels
  • #3918 scheme http no longer requires a port (defaults to 80/443)
  • #3918 fix SNMP sessions showing up as LDAP too
  • #3919 Remove ftp protocol if we are sure smtp
  • #3923 Packets with more than 8 VLANs marked as corrupt
  • #3923 UDP packets enforce length correctly
  • #3924, #3930 Remove trailing slash from wiseURL
  • #3927 Cap IMAP/SMTP/HTTP Header buffer lengths
  • #3932 Skip byte-based UDP classifiers on UDP/53 to avoid DNS false-matches
  • #3933 Reassemble TLS ClientHello across multiple QUIC Initial packets
  • #3935 Validate QUIC packet lengths

Cont3xt

  • #3928 Threatstream: ignore per-user host override unless user/key also per-user
  • #3928 csvjson: add 60s timeout and 1GB content/body limits on remote feed loads

Viewer

  • #3898 show error msg in spiview when All selected but not allowed
  • #3906 add copy button to History Elasticsearch Query section
  • #3908 fix download entire pcap missing filename
  • #3921 Fix Cap Restart graph markers, Session Detail labels slider width, Field Actions dropdown, Stats Shrink Index, and shortcut ($) autocomplete in search expression
  • #3928 Cap /api/sessions/summary length parameter at 1000
  • #3931 Remove last manualQuery option which wasn't implemented
  • #3934 Fix not handling sessions correctly with no PCAP


v6.2.0 Breaking risk
Breaking changes
  • user-auto-create and user-role-mappings now limit loop and exception JavaScript for security
  • Command sockets now chmod(0660), removing Other access
  • db.pl upgrade required when upgrading from Arkime 5 or earlier
Notable features
  • TOTP support for wise config instead of code-based authentication
  • Syslog and SNMP notifiers
  • JWT decoding support for header auth mode
Full changelog

:sparkles: What's new :sparkles:

BREAKING

  • #3874 The user-auto-create and user-role-mappings sections now limit what
    loop and exception JavaScript can be used, for security.
  • #3881 Command sockets are now chmod(0660), which removes Other access.

Release

  • #3864 CyberChef 10.23.0
  • #3870 docker.sh supports generic --db with help examples

All

  • #3831 New TOTP support for wise config instead of code - requires db.pl upgrade
  • #3865 Add syslog notifier
  • #3866 Add snmp notifier
  • #3888 Can now use - for password with addUser.js to get prompted

Capture

  • #3871 Packets with more than 10 ip/ethernet headers are now marked as corrupt
  • #3896 Improve MQTT parsing and tests

Capture/Viewer

  • #3833 New simpleDEKEncoding setting which controls how the DEK is encrypted
  • #3857 Fix scheme pcapNG not handling large files (thanks @wegman12)

db.pl

  • #3860 Add --compression option

Viewer

  • #3842 Add internationalized aria-labels
  • #3863 Add per-cluster serverSecret in S2S auth for multicluster pcap retrieval
  • #3878 Add JWT decoding support for header auth mode
  • #3877 Add ESIndices codec column
  • #3891 Improve tcp reassembly display when packets are retransmitted

:arrow_down: Download Info :arrow_down:

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means the wrong download was used for your Linux distribution and version; please double check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026. The EL 8 builds will stop in April 2026; please upgrade.

v6.1.1 Breaking risk
Breaking changes
  • User-auto-create and user-role-mappings now limit JavaScript usage for security.
Security fixes
  • Restricted JavaScript expressions in user-auto-create and user-role-mappings to prevent malicious scripts.
  • Fixed crash when parsing malformed packets to mitigate denial-of-service risk.
Notable features
  • Capture now supports ECE, CWR, and AE TCP flags.
  • ADB (Android Debug Bridge) parser added for network capture.
  • Command socket add-file/dir supports notify on complete and a new file-status command.
v6.1.0 Breaking risk
Breaking changes
  • Redis user databases ignored
  • Dedup packets include VLAN/VNI by default
  • uploadFileSizeLimit defaults to 2G
Notable features
  • sqlite support for user and cont3xt/parliament databases
  • VLAN/VNI deduplication support
  • AWS SigV4 signing for managed OpenSearch
v6.0.0 Breaking risk
Breaking changes
  • SMTP/SMB parser settings removed
  • Plugins must have supported extension
  • Scheme is default for capture
Notable features
  • Vue3 migration
  • OIDC end_session support
  • Python plugin auto-loading
