Moloch Packet Analytics

Project Name: Moloch Packet Analytics
Description: Moloch Packet Analytics includes understanding MOLOCH and Elasticsearch to a great extent. Packet Forensics and Analytics will help you to understand MOLOCH for Packet Analytics & Elasticsearch for forensics indexing for packet. Both will perform this activity in Real Time so as to resolve many issues like DOS attack, DDOS Attack, Insider Threats, Access Intelligence, Bandwidth Issue and many more..

Author: Rohit D Sadgune

Summary of Content

MOLOCH Concept
Architecture of MOLOCH
Installation of MOLOCH & Elasticsearch

MOLOCH Concept

MOLOCH Introduction:

MOLOCH is an open source having a huge scale of IPv4 packet Analytics view. MOLOCH can index PCAP file for further packet forensics analysis and give a analytical view to end user. On behalf of the packet forensics index we can easily search, which reduces the time & increases the efficiency in security operation center or forensics investigation.

The MOLCH is build to capture every packet which is getting transmitted over the network and it integrates the elasticsearch for indexing purpose. Finally data can be exported in PCAP/CSV format for further analysis.

Specific Details about MOLOCH:

This is not an IDS.
No support for IPv6 till date.

Components of MOLOCH:

Capture

A C language application that sniffs the network interface, parses the traffic, and creates the Session Profile Information (SPI data) and writes it to disk

DB (Elasticsearch)

Elasticsearch is used for forensics indexing i.e storing and searching through the SPI data generated by the capture component.
Powered by Apache Lucene (http://lucene.apache.org)
Requests over HTTP(s)
Results returned in JSON
Network traffic doesn’t fit the mould for relational DBs. (So no SQL is used)
Data can automatically be shared between various platforms.