Arkime exporting 0 byte PCAP

[riley611]

Good afternoon, I am attempting to export PCAP from Arkime. I have attempted different variations of the export, all resulting with a 0 byte PCAP file. Thanks for any advice or insight.

[mmguero]

Here's a couple of things you can try:

• Try applying the Arkime Sessions view before doing the export operation, does that change things? Of the three data sources in Malcolm (Zeek logs, Suricata alerts, and Arkime sessions), only Arkime Sessions have PCAP backing.
  
• You could look at the output of ./scripts/logs -s arkime while you try the export. Are there any errors observed there?

[riley611]

no it does not, thank you! I just updated. I wonder what else might be missing from control_vars.conf that may be preventing the suricata/zeek logs from populating malcolm dashboard.

[mmguero]

so are you getting PCAP correctly now?

[riley611]

I restarted hedgehog, and still only export 0 byte pcap files from arkime

[mmguero]

It could be one of a few things happening here:

1. Malcolm is unable to contact the Hedgehog on port 8005/tcp, because either it's being blocked by the hedgehog's software firewall (which is what MALCOLM_REQUEST_ACL should have taken care of) or some other firewall or something else you have in between. There are a few things we could do to check this:

   • on Hedgehog, as root, run ufw status, you should see a rule for port 8005/tcp for your Malcolm's IP address
   • on Malcolm run portping #.#.#.# 8005 where #.#.#.# is the Hedgehog IP address, it should report OPEN

2. Hedgehog by default is using zstd compression on PCAPs, and if you're requesting payloads that are very recent it might not have them flushed to disk yet. You could try exporting a PCAP from a bit older time frame (like an hour ago or something) and see if that does anything different?

3. Let's try it making sure you are trying to only export PCAP for arkime sessions, apply the Arkime Sessions view like this before the export:
   

Beyond that, could you watch the output of ./scripts/logs -s arkime on Malcolm while you try to export the PCAP, and/or the output of the arkime viewer log in /opt/sensor/sensor_ctl/log/ at the same time?

[riley611]

I think you're on to something with #2, I did have some luck there. It worked one time when I went back 3 days, and then it stopped working. I think I may rerun the configure-capture.py and disable zstd. I've completely disabled both UFWs, and my 8005 is still blocked, playing with our network firewall but not seeing any log traffic that would be blocking it.

[riley611]

It can also take a while, I'm finding, got a few more files --took almost 10 minutes to get a .5mb PCAP

[mmguero]

If you're getting PCAP at all then you're no longer blocked on 8005/tcp from malcolm to the hedgehog, as that's the only port it goes over. I've never seen anything take nearly that long for that small of a PCAP file.