1. Environment for installing moloch
[root@clusternode0x86 moloch]# uname -r
3.10.0-514.el7.x86_64
The ES side is a three-node Elasticsearch 6 cluster
[clusteruser@clusternode0x71 ~]$ ./opt/elasticsearch/bin/elasticsearch -V
Version: 6.0.0, Build: 8f0685b/2017-11-10T18:41:22.859Z, JVM: 1.8.0_151
[clusteruser@clusternode0x71 config]$ cat elasticsearch.yml
cluster.name: test_elastic
node.name: clusternode0x71
bootstrap.system_call_filter: false
node.master: true
node.data: false
network.host: 192.168.104.71
http.port: 9200
transport.tcp.port: 9300
#transport.tcp.compress: true
discovery.zen.ping.unicast.hosts: ["192.168.104.71","192.168.104.72","192.168.104.73"]
#discovery.zen.minimum_master_nodes: 1
#discovery.zen.ping_timeout: 3s
#gateway.expected_data_nodes: 2
#gateway.recover_after_time: 5m
#gateway.recover_after_data_nodes: 2
#node.max_local_storage_nodes: 1
#action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*
#xpack.security.enabled: false
http.cors.enabled: true
http.cors.allow-origin: "*"
#end my config info
Node 71 is the (only) master-eligible node; 72 and 73 are data nodes. Note that none of the nodes enables authentication and the master node binds a LAN address with http.cors.allow-origin set to "*", so anyone who can reach 192.168.104.71:9200 can read and delete the moloch indices, including from a browser on another origin.
[clusteruser@clusternode0x72 config]$ cat elasticsearch.yml
#add my config info
cluster.name: test_elastic
node.name: clusternode0x72
node.master: false
node.data: true
bootstrap.system_call_filter: false
network.host: 192.168.104.72
http.port: 9200
transport.tcp.port: 9300
#transport.tcp.compress: true
discovery.zen.ping.unicast.hosts: ["192.168.104.71","192.168.104.72","192.168.104.73"]
#discovery.zen.minimum_master_nodes: 1
#discovery.zen.ping_timeout: 3s
#gateway.expected_data_nodes: 2
#gateway.recover_after_time: 5m
#gateway.recover_after_data_nodes: 2
#node.max_local_storage_nodes: 1
#end my config info
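The two findings from the cluster configuration above (unauthenticated REST API on a LAN address, wildcard CORS) and the single master-eligible node can be checked mechanically before the cluster goes live. The script below is an added example, not part of the original notes or of the Elasticsearch distribution; it assumes only POSIX sh, awk and mktemp, and the two sample yml files it writes are constructed to mirror nodes 71 and 72.

```shell
#!/bin/sh
# Added example: audit elasticsearch.yml files for the exposure issues
# visible in the cluster config above. Not from the original notes.

# Print the effective (uncommented) value of a key, empty if absent.
# Commented-out keys such as "#xpack.security.enabled: false" do not count.
es_cfg_get() {
    # $1 = yml file, $2 = key
    awk -v key="$2" '$1 == key ":" { sub(/^[^:]*:[ \t]*/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Print one finding per line for a single node config; prints nothing when clean.
es_config_findings() {
    f="$1"
    host=$(es_cfg_get "$f" network.host)
    sec=$(es_cfg_get "$f" xpack.security.enabled)
    cors=$(es_cfg_get "$f" http.cors.enabled)
    origin=$(es_cfg_get "$f" http.cors.allow-origin)
    case "$host" in
        ""|127.0.0.1|localhost|_local_) ;;   # loopback only: not reachable from the LAN
        *) [ "$sec" = true ] || echo "REST API bound to $host without authentication (xpack.security.enabled is not true)" ;;
    esac
    if [ "$cors" = true ] && [ "$origin" = "*" ]; then
        echo "CORS allowed for any origin: a web page opened on a LAN host can query the cluster cross-site"
    fi
}

# Count master-eligible nodes across the per-node configs given as arguments.
# node.master defaults to true in ES 6 when the key is absent.
es_master_eligible_count() {
    n=0
    for f in "$@"; do
        m=$(es_cfg_get "$f" node.master)
        [ "$m" = false ] || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample configs mirroring nodes 71 and 72 above.
tmp=$(mktemp -d "${TMPDIR:-/tmp}/escfg.XXXXXX")
cat > "$tmp/node71.yml" <<'EOF'
cluster.name: test_elastic
node.name: clusternode0x71
node.master: true
node.data: false
network.host: 192.168.104.71
http.port: 9200
#xpack.security.enabled: false
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
cat > "$tmp/node72.yml" <<'EOF'
cluster.name: test_elastic
node.name: clusternode0x72
node.master: false
node.data: true
network.host: 192.168.104.72
EOF

es_config_findings "$tmp/node71.yml"
es_config_findings "$tmp/node72.yml"
echo "master-eligible nodes: $(es_master_eligible_count "$tmp"/node7?.yml) (1 means the cluster dies with node 71)"
```

Run it against the real /opt/elasticsearch/config/elasticsearch.yml of each node; a single master-eligible node is a single point of failure, and the two exposure findings are what to fix (bind to a management network or front ES with an authenticating proxy, and drop the wildcard origin) before moloch data that contains full packet metadata is loaded.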
2. Install moloch
Install the build and runtime dependencies
yum install wget curl pcre pcre-devel pkgconfig flex bison gcc-c++ zlib-devel e2fsprogs-devel openssl-devel file-devel make gettext libuuid-devel perl-JSON bzip2-libs bzip2-devel perl-libwww-perl libpng-devel xz libffi-devel
yum install libyaml-devel
Download moloch-1.6.1-1.x86_64.rpm from the official site and install it
# rpm -ivh moloch-1.6.1-1.x86_64.rpm
3. Since the main use here is reading pcap files rather than live capture, edit the configuration file
[root@clusternode0x86 etc]# pwd
/data/moloch/etc
In config.ini, add readTruncatedPackets=true to the [default] section so that packets cut short by a capture snaplen are indexed instead of being rejected
4. Wipe existing data (when reloading)
/data/moloch/db/db.pl 192.168.104.71:9200 wipe
or run moloch_clear.sh
wipe drops the session indices but keeps the users index, so it is the right command for reloading a pcap; use it instead of init (step 6) once users exist.
5. Read the pcap file; moloch writes the resulting sessions into ES automatically (--host sets the node name recorded with the sessions)
moloch-capture -r /data/moloch/raw/infile.pcap --host clusternode0x86
6. ES initialization: ~/db/db.pl http://es:9200 init (the script is db.pl, not dp.pl). Run this once, before the first pcap is read in step 5: init deletes all moloch indices, including users, so running it after step 5 throws away the sessions that were just loaded.
7. Start the services (molochviewer serves the web UI; molochcapture.service is only needed for live capture on an interface, not for reading pcap files with -r)
systemctl start molochcapture.service
systemctl start molochviewer.service
8. Add a user
In the ~/bin directory run ./moloch_add_user.sh admin admin admin --admin to create the admin user and set its password. The three positional arguments are user id, display name and password; do not actually use "admin" as the password, since the viewer is reachable by anyone on the LAN.
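Steps 3 through 8 above, as one script in the order that actually works (init before the pcap is read, so the loaded sessions survive). This is an added example, not part of the original notes or of the moloch project: it assumes a moloch install under /data/moloch with db.pl in db/ and moloch-capture and moloch_add_user.sh in bin/, an ES endpoint passed via ES_URL, and a pcap path, user id and password passed as arguments. The INI editing is done with a small idempotent helper instead of a hand edit, and a weak password for the admin user is refused before it reaches moloch_add_user.sh; the sample config.ini written at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example: scripted version of the pcap import procedure. Not from the
# original notes; paths below are assumptions about a /data/moloch install.
MOLOCH_HOME=${MOLOCH_HOME:-/data/moloch}
ES_URL=${ES_URL:-http://192.168.104.71:9200}

# Set key=value inside [section] of an INI file, idempotently: an existing
# assignment is replaced in place, otherwise the key is appended at the end of
# the section (which is created if missing). Duplicates are removed.
ini_set() {
    # $1 = file, $2 = section, $3 = key, $4 = value
    awk -v sec="$2" -v key="$3" -v val="$4" '
        function emit() { if (insec && !done) { print key "=" val; done = 1 } }
        /^\[/ { emit(); insec = ($0 == "[" sec "]") }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { if (!done) { print key "=" val; done = 1 }; next }
        { print }
        END { emit(); if (!done) { print "[" sec "]"; print key "=" val } }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Refuse passwords equal to the user id or shorter than 12 characters; the
# viewer is reachable from the LAN, so "admin/admin" is not acceptable.
password_ok() {
    # $1 = user id, $2 = password
    [ "$1" != "$2" ] && [ "${#2}" -ge 12 ]
}

# Steps 3-8 in working order. db.pl init is interactive and asks for
# confirmation; it wipes every moloch index, which is why it runs first.
moloch_import() {
    pcap=$1; user=$2; pass=$3
    password_ok "$user" "$pass" || { echo "refusing weak password for $user" >&2; return 1; }
    ini_set "$MOLOCH_HOME/etc/config.ini" default readTruncatedPackets true   # step 3
    "$MOLOCH_HOME/db/db.pl" "$ES_URL" init                                    # step 6, once
    "$MOLOCH_HOME/bin/moloch-capture" -r "$pcap" --host "$(hostname)"          # step 5
    systemctl start molochviewer.service                                      # step 7 (viewer only; no live capture)
    "$MOLOCH_HOME/bin/moloch_add_user.sh" "$user" "$user" "$pass" --admin      # step 8
}

# Demo of the INI helper on a constructed config.ini (no moloch needed).
demo=$(mktemp -d "${TMPDIR:-/tmp}/molochcfg.XXXXXX")
printf '[default]\nelasticsearch=127.0.0.1:9200\n\n[node1]\ninterface=eth0\n' > "$demo/config.ini"
ini_set "$demo/config.ini" default readTruncatedPackets true
ini_set "$demo/config.ini" default readTruncatedPackets true   # second call changes nothing
cat "$demo/config.ini"

# Real run only when invoked as: ./import.sh /data/moloch/raw/infile.pcap admin 'long passphrase'
if [ "$#" -eq 3 ]; then
    moloch_import "$@"
fi
```

For later reloads replace the init line with `db.pl "$ES_URL" wipe`, which keeps the users index, and skip the moloch_add_user.sh call.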