Kuburitswa kweiyo sisitimu yekutora, kuchengetedza uye indexing network packet Arkime 3.1 yakagadziridzwa, ichipa maturusi ekutarisa nekuona kuyerera kwetraffic uye kutsvaga ruzivo rwune chekuita netiweki chiitiko. Iyo purojekiti yakatanga kugadzirwa neAOL nechinangwa chekugadzira yakavhurika uye inogona kuendesa kutsiva yekutengeserana network packet processing mapuratifomu, inokwanisa kukwira kugadzirisa traffic nekumhanya kwemakumi emagigabits pasekondi. The traffic capture component code yakanyorwa muC, uye iyo interface inoshandiswa muNode.js/JavaScript. Iyo kodhi kodhi inogoverwa pasi peiyo Apache 2.0 rezinesi. Inotsigira basa paLinux uye FreeBSD. Yakagadzirirwa-yakagadzirwa mapakeji akagadzirirwa Arch, CentOS uye Ubuntu.
Arkime inosanganisira maturusi ekutora uye indexing traffic mune yekuzvarwa PCAP fomati, uye zvakare inopa maturusi ekukurumidza kuwana kune indexed data. Iko kushandiswa kweiyo PCAP fomati inorerutsa zvakanyanya kubatanidzwa nearipo anoongorora traffic seWireshark. Huwandu hwe data yakachengetwa inongogumira chete nehukuru hweiyo iripo disk array. Session metadata inorongedzerwa muchikwata chakavakirwa painjini yeElasticsearch.
Kuti uongorore ruzivo rwakaunganidzirwa, webhu interface inopihwa iyo inobvumidza iwe kufamba, kutsvaga uye kutumira masampula. Iyo yewebhu interface inopa akati wandei ekuona modhi - kubva kune akajairwa manhamba, mamepu ekubatanidza uye anoona magirafu ane data pamusoro pekuchinja kwetiweki chiitiko kune zvishandiso zvekudzidza zvidzidzo zvega, kuongorora chiitiko mumamiriro ezvibvumirano zvakashandiswa uye kupatsanura data kubva kuPCAP dumps. An API inopihwa zvakare iyo inokutendera kuti utumire data nezve akatorwa mapaketi muPCAP fomati uye disassembled zvikamu muJSON fomati kune yechitatu-bato zvikumbiro.
Arkime ine zvikamu zvitatu zvakakosha:
- Iyo traffic yekutora system ndeye yakawanda-yakarukwa C application yekutarisa traffic, kunyora marasi muPCAP fomati kune diski, kufambisa mapaketi akabatwa uye kutumira metadata nezve masesheni (SPI, Stateful packet inspection) uye mapuroteni kuElasticsearch cluster. Zvinogoneka kuchengeta mafaira ePCAP mune encrypted fomu.
- A web interface yakavakirwa paNode.js papuratifomu, iyo inomhanya pane yega yega traffic traffic server uye inogadzirisa zvikumbiro zvine chekuita nekuwana indexed data uye kuendesa PCAP mafaera kuburikidza neAPI.
- Metadata chengetedzo yakavakirwa paElasticsearch.
Mukuburitswa kutsva:
- Yakawedzerwa rutsigiro rweIETF QUIC, GENEVE, VXLAN-GPE mapuroteni.
- Yakawedzerwa rutsigiro rwemhando yeQ-in-Q (Double VLAN), iyo inokutendera kuti uvhare maVLAN tag mumatagi echipiri-chikamu kuti uwedzere huwandu hweVLAN kusvika mamirioni gumi nematanhatu.
- Yakawedzera rutsigiro rwe "float" yemunda mhando.
- Iyo yekurekodha module muAmazon Elastic Compute Cloud yakashandurwa kuti ishandise IMDSv2 (Instance Metadata Service) protocol.
- Iyo kodhi yakagadziridzwa kuti iwedzere UDP tunnel.
- Yakawedzerwa rutsigiro rwe elasticsearchAPIKey uye elasticsearchBasicAuth.
Source: opennet.ru