mammo0
Real Time Capture Question
Hi,
I'm using the Arkime container, and I have a question about its capabilities. Does the Arkime container support real-time packet capture, or is it limited to ingesting pre-saved pcap files as described in the README?
Thank you!
Hi @jagonza1ez,
I never tried to capture the network traffic from within the Arkime container. Currently my only use case for Arkime is to put already captured .pcap files into it. Therefore, I added the phrase This feature is not tested yet! to the README.
Nevertheless the Arkime capture process should be started if you set the env variable CAPTURE=on and ARKIME_INTERFACE to your network device name, e.g. eth0.
To access your host's network device from inside the container it should be possible to forward it with the --device parameter (https://docs.docker.com/reference/cli/docker/container/run/#device). Also the --privileged flag could be needed here.
Maybe you can try to run the Arkime container with the following parameter:
docker run \
-e OS_HOST=opensearch \
-e OS_PORT=9200 \
-e CAPTURE=on \
-e ARKIME_INTERFACE=capturenet0 \
-v <config_volume>:/data/config \
-v <pcap_volume>:/data/pcap \
-v <log_volume>:/data/logs \
--device=/dev/eth0:/dev/capturenet0 \
--privileged \
mammo0/docker-arkime:<tag>
Please tell me, if this works. Then I can update my README. Thank you.
