
Arkime

This Integration is part of the Arkime Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Arkime (formerly Moloch) is a large-scale, open source, indexed packet capture and search tool. This integration was developed and tested with version 3.4.1 (API v3) of Arkime. For older versions, see the Moloch pack (deprecated).

Configure Arkime on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Arkime.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL | True |
    | Username | True |
    | Password | True |
    | Use system proxy settings | False |
    | Trust any certificate (not secure) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

arkime-connection-list#


Gets a list of nodes and links and returns them to the client.

Base Command#

arkime-connection-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| source_field | The source database field name. | Optional |
| destination_field | The destination database field name. | Optional |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma-separated list of db field names to sort on. Data is sorted in the order of the list supplied. Each name can optionally be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma-separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session's time. Default is "last". Options include: 'first' - First Packet: the timestamp of the first packet received for the session. 'last' - Last Packet: the timestamp of the last packet received for the session. 'both' - Bounded: both the first and last packet timestamps for the session must be inside the time window. 'either' - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window. 'database' - Database: the timestamp the session was written to the database. This can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be observed; otherwise it is displayed if it overlaps. Overrides the bounding parameter, setting bounding to 'both'. | Optional |
| baseline_date | The baseline date range to compare connections against. Default is 0, disabled. Options include: 1x - 1 times query range. 2x - 2 times query range. 4x - 4 times query range. 6x - 6 times query range. 8x - 8 times query range. 10x - 10 times query range. 1 - 1 hour. 6 - 6 hours. 24 - 1 day. 48 - 2 days. 72 - 3 days. 168 - 1 week. 336 - 2 weeks. 720 - 1 month. 1440 - 2 months. 4380 - 6 months. 8760 - 1 year. | Optional |
| baseline_view | Which connections to display when a baseline date range is applied. Default is all. Options include: 'all' - All Nodes: all nodes are visible. 'actual' - Actual Nodes: nodes present in the "current" timeframe query results are visible. 'actualold' - Baseline Nodes: nodes present in the "baseline" timeframe query results are visible. 'new' - New Nodes Only: nodes present in the "current" but NOT the "baseline" timeframe are visible. 'old' - Baseline Nodes Only: nodes present in the "baseline" but NOT the "current" timeframe are visible. | Optional |
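The date, start_time, stop_time, order and fields arguments above are shared by every session and connection command on this page, and they carry two rules that are easy to get wrong in a playbook: date (hours, -1 for everything) takes precedence over the start_time/stop_time pair, and each name in order may carry an :asc or :desc suffix. The following helper, added here as an example and not part of the Arkime pack's own code, validates an argument set under those rules before it is handed to a command. The function names, the returned dict layout and the rejection of unknown sort directions are this example's own choices; the default field list is quoted from the table.

```python
"""Validate and normalise the shared query arguments of the Arkime commands.

Added example (not the Arkime pack's code). It models the documented rules:
`date` (hours, -1 = all data) wins over `start_time`/`stop_time` (seconds since
the Unix epoch), and `order` is a comma-separated list of db field names each
optionally suffixed with :asc or :desc.
"""
from typing import Dict, List, Optional, Tuple

# Default `fields` list, quoted from the command's input table.
DEFAULT_FIELDS = [
    "ipProtocol", "rootId", "totDataBytes", "srcDataBytes", "dstDataBytes",
    "firstPacket", "lastPacket", "srcIp", "srcPort", "dstIp", "dstPort",
    "totPackets", "srcPackets", "dstPackets", "totBytes", "srcBytes",
    "dstBytes", "node", "http.uri", "srcGEO", "dstGEO", "email.subject",
    "email.src", "email.dst", "email.filename", "dns.host", "cert",
    "irc.channel", "http.xffGEO",
]


def parse_order(order: str) -> List[Tuple[str, str]]:
    """Turn 'srcIp:desc,totBytes' into [('srcIp', 'desc'), ('totBytes', 'asc')].

    A missing suffix means ascending. Anything other than asc/desc is rejected
    here instead of being passed through to the server as an opaque string.
    """
    parsed = []
    for item in order.split(","):
        item = item.strip()
        if not item:
            continue
        field, _, direction = item.partition(":")
        direction = direction.strip().lower() or "asc"
        if not field:
            raise ValueError("empty field name in order spec")
        if direction not in ("asc", "desc"):
            raise ValueError(f"bad sort direction {direction!r} for field {field!r}")
        parsed.append((field, direction))
    return parsed


def build_time_window(date: Optional[int] = None,
                      start_time: Optional[int] = None,
                      stop_time: Optional[int] = None) -> Dict[str, int]:
    """Apply the precedence rule: `date` wins; otherwise both bounds are needed."""
    if date is not None:
        if date != -1 and date <= 0:
            raise ValueError("date must be -1 (all data) or a positive number of hours")
        return {"date": date}
    if start_time is None or stop_time is None:
        # The documented default is one hour of data; say so explicitly rather
        # than sending a half-specified window.
        return {"date": 1}
    if stop_time <= start_time:
        raise ValueError("stop_time must be after start_time")
    return {"start_time": start_time, "stop_time": stop_time}


def build_query(date: Optional[int] = None, start_time: Optional[int] = None,
                stop_time: Optional[int] = None, expression: Optional[str] = None,
                order: Optional[str] = None, fields: Optional[str] = None) -> Dict[str, object]:
    """Assemble a validated argument dict for a session/connection command."""
    params: Dict[str, object] = dict(build_time_window(date, start_time, stop_time))
    if expression:
        params["expression"] = expression
    if order:
        # Re-serialise with explicit directions so the request is unambiguous.
        params["order"] = ",".join(f"{f}:{d}" for f, d in parse_order(order))
    if fields:
        params["fields"] = ",".join(f.strip() for f in fields.split(",") if f.strip())
    else:
        params["fields"] = ",".join(DEFAULT_FIELDS)
    return params


if __name__ == "__main__":
    # Same window as the command example for arkime-connection-list.
    print(build_query(start_time=1648817940, stop_time=1649595540,
                      order="srcIp:desc,totBytes", fields="srcIp, dstIp, totBytes"))
```

The returned dict uses the argument names from this page; a playbook would spread it into the command call as-is.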

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.Connection.nodes.id | String | The source IP. |
| Arkime.Connection.nodes.cnt | Number | Number of appearances. |
| Arkime.Connection.nodes.sessions | Number | Number of sessions. |
| Arkime.Connection.nodes.inresult | Number | The inresult. |
| Arkime.Connection.nodes.type | Number | Connection type. |
| Arkime.Connection.nodes.network.bytes | Number | The bytes. |
| Arkime.Connection.nodes.totDataBytes | Number | The totDataBytes. |
| Arkime.Connection.nodes.network.packets | Number | The packets. |
| Arkime.Connection.nodes.node | String | The node. |
| Arkime.Connection.nodes.pos | Number | The pos. |
| Arkime.Connection.links.value | Number | The value. |
| Arkime.Connection.links.source | Number | The source. |
| Arkime.Connection.links.target | Number | The target. |
| Arkime.Connection.links.network.bytes | Number | The bytes. |
| Arkime.Connection.links.totDataBytes | Number | The totDataBytes. |
| Arkime.Connection.links.network.packets | Number | The packets. |
| Arkime.Connection.links.node | String | The node. |
| Arkime.Connection.recordsFiltered | Number | The number of history items returned in this result. |

Command example#

!arkime-connection-list baseline_date=720 start_time=1648817940 stop_time=1649595540

Context Example#

{
  "Arkime": {
    "Connection": {
      "links": [
        {
          "network.bytes": 96415,
          "network.packets": 806,
          "node": [
            "localhost"
          ],
          "source": 0,
          "target": 1,
          "totDataBytes": 0,
          "value": 2
        }
      ],
      "nodes": [
        {
          "cnt": 1,
          "id": "1.1.1.1",
          "inresult": 1,
          "network.bytes": 96415,
          "network.packets": 806,
          "node": [
            "localhost"
          ],
          "pos": 0,
          "sessions": 2,
          "totDataBytes": 0,
          "type": 1
        }
      ],
      "recordsFiltered": 3527811
    }
  }
}
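In the Arkime.Connection output the links do not name their endpoints: source and target are positions into the nodes array (the pos field), so a playbook that wants "who talked to whom" has to resolve those indices first. The helper below is an added example, not code from the Arkime pack. The first node and the link are copied from the context example above; the second node (id 10.0.0.5) is constructed so that the link has both endpoints, and the resolved edge shape and the top_talkers ranking are this example's own design.

```python
"""Resolve the node/link graph in Arkime.Connection context into readable edges.

Added example (not the Arkime pack's code). Links reference nodes by index,
so an out-of-range index is treated as a malformed result rather than skipped.
"""
from typing import Dict, List, Tuple

# Constructed sample shaped like the Arkime.Connection context output. The first
# node and the link are copied from the page's context example; the second node
# (10.0.0.5, type 2) is made up so the link's target index resolves.
SAMPLE_CONNECTION: Dict = {
    "nodes": [
        {"id": "1.1.1.1", "cnt": 1, "sessions": 2, "inresult": 1, "type": 1,
         "network.bytes": 96415, "network.packets": 806, "totDataBytes": 0,
         "node": ["localhost"], "pos": 0},
        {"id": "10.0.0.5", "cnt": 1, "sessions": 2, "inresult": 1, "type": 2,
         "network.bytes": 96415, "network.packets": 806, "totDataBytes": 0,
         "node": ["localhost"], "pos": 1},
    ],
    "links": [
        {"source": 0, "target": 1, "value": 2, "network.bytes": 96415,
         "network.packets": 806, "totDataBytes": 0, "node": ["localhost"]},
    ],
    "recordsFiltered": 3527811,
}


def resolve_links(connection: Dict) -> List[Dict]:
    """Replace each link's source/target index with the node id it points at."""
    nodes = connection.get("nodes", [])
    edges = []
    for link in connection.get("links", []):
        src, dst = link["source"], link["target"]
        if not (0 <= src < len(nodes) and 0 <= dst < len(nodes)):
            raise ValueError(f"link references a node index outside nodes list: {link}")
        edges.append({
            "source": nodes[src]["id"],
            "target": nodes[dst]["id"],
            "value": link["value"],
            "bytes": link.get("network.bytes", 0),
            "packets": link.get("network.packets", 0),
            "node": link.get("node", []),
        })
    return edges


def top_talkers(connection: Dict, n: int = 5) -> List[Tuple[str, int]]:
    """Rank endpoints by bytes over every link they appear in, either side."""
    totals: Dict[str, int] = {}
    for edge in resolve_links(connection):
        for endpoint in (edge["source"], edge["target"]):
            totals[endpoint] = totals.get(endpoint, 0) + edge["bytes"]
    # Sort by bytes descending, then by id so the order is deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for edge in resolve_links(SAMPLE_CONNECTION):
        print(f'{edge["source"]} -> {edge["target"]}: {edge["bytes"]} bytes, value={edge["value"]}')
    print(top_talkers(SAMPLE_CONNECTION))
```

Feed the function the Arkime.Connection object from context; recordsFiltered is left alone because it counts matched records, not graph edges.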

Human Readable Output#

Connection Results:#

| Source IP | Count | Sessions | Node |
| --- | --- | --- | --- |
| 1.1.1.1 | 1 | 2 | localhost |

arkime-connection-csv-get#


Gets a list of nodes and links in csv format and returns them to the client.

Base Command#

arkime-connection-csv-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| source_field | The source database field name. | Optional |
| destination_field | The destination database field name. | Optional |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma-separated list of db field names to sort on. Data is sorted in the order of the list supplied. Each name can optionally be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma-separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session's time. Options include: 'first' - First Packet: the timestamp of the first packet received for the session. 'last' - Last Packet: the timestamp of the last packet received for the session. 'both' - Bounded: both the first and last packet timestamps for the session must be inside the time window. 'either' - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window. 'database' - Database: the timestamp the session was written to the database. This can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be observed; otherwise it is displayed if it overlaps. Overrides the bounding parameter, setting bounding to 'both'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.Connection.InfoFile.Name | String | The file name. |
| Arkime.Connection.InfoFile.EntryID | String | The ID for locating the file in the War Room. |
| Arkime.Connection.InfoFile.Size | Number | The size of the file (in bytes). |
| Arkime.Connection.InfoFile.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
| Arkime.Connection.InfoFile.Extension | String | The file extension. |
| Arkime.Connection.InfoFile.Info | String | Basic information about the file. |

Command example#

!arkime-connection-csv-get start_time=1648817940 stop_time=1649595540

Context Example#

{
  "InfoFile": {
    "EntryID": "2681@4060e8c8-61bb-4131-8a47-32a7d97a9726",
    "Extension": "csv",
    "Info": "text/csv; charset=utf-8",
    "Name": "connections_list.csv",
    "Size": 1892,
    "Type": "ASCII text, with CRLF line terminators"
  }
}

Human Readable Output#

arkime-session-pcap-get#


Retrieve the raw session data in pcap format.

Base Command#

arkime-session-pcap-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The list of ids to return. | Required |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.PcapFile.data.node | String | The node. |
| Arkime.PcapFile.data.num | Number | The number. |
| Arkime.PcapFile.data.name | String | The name. |
| Arkime.PcapFile.data.first | Number | The first. |
| Arkime.PcapFile.data.fileSize | Number | The file size. |
| Arkime.PcapFile.data.packetSize | Number | The packet size. |

Command example#

!arkime-session-pcap-get ids=220516-QHSdz21pJ_xCtJGoL8mbmyNv

Context Example#

{
  "InfoFile": {
    "EntryID": "2697@4060e8c8-61bb-4131-8a47-32a7d97a9726",
    "Extension": "pcap",
    "Info": "application/vnd.tcpdump.pcap",
    "Name": "raw_session_data.pcap",
    "Size": 0,
    "Type": "empty"
  }
}

Human Readable Output#

arkime-session-csv-get#


Gets a list of sessions and returns them as CSV to the client.

Base Command#

arkime-session-csv-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma-separated list of db field names to sort on. Data is sorted in the order of the list supplied. Each name can optionally be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma-separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session's time. Default is "last". Options include: 'first' - First Packet: the timestamp of the first packet received for the session. 'last' - Last Packet: the timestamp of the last packet received for the session. 'both' - Bounded: both the first and last packet timestamps for the session must be inside the time window. 'either' - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window. 'database' - Database: the timestamp the session was written to the database. This can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be observed; otherwise it is displayed if it overlaps. Overrides the bounding parameter, setting bounding to 'both'. | Optional |
| limit | The number of items to return. Defaults to 100; the maximum is 2,000,000. | Optional |
| offset | The entry to start at. Defaults to 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.Session.InfoFile.Name | String | The file name. |
| Arkime.Session.InfoFile.EntryID | String | The ID for locating the file in the War Room. |
| Arkime.Session.InfoFile.Size | Number | The size of the file (in bytes). |
| Arkime.Session.InfoFile.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
| Arkime.Session.InfoFile.Extension | String | The file extension. |
| Arkime.Session.InfoFile.Info | String | Basic information about the file. |

Command example#

!arkime-session-csv-get start_time=1650190238 stop_time=1650363038 limit=2

Context Example#

{
  "InfoFile": {
    "EntryID": "2693@4060e8c8-61bb-4131-8a47-32a7d97a9726",
    "Extension": "csv",
    "Info": "text/csv; charset=utf-8",
    "Name": "sessions_list.csv",
    "Size": 333,
    "Type": "CSV text"
  }
}

Human Readable Output#

arkime-session-list#


Gets a list of sessions and returns them to the client.

Base Command#

arkime-session-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma-separated list of db field names to sort on. Data is sorted in the order of the list supplied. Each name can optionally be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma-separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session's time. Default is "last". Options include: 'first' - First Packet: the timestamp of the first packet received for the session. 'last' - Last Packet: the timestamp of the last packet received for the session. 'both' - Bounded: both the first and last packet timestamps for the session must be inside the time window. 'either' - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window. 'database' - Database: the timestamp the session was written to the database. This can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be observed; otherwise it is displayed if it overlaps. Overrides the bounding parameter, setting bounding to 'both'. | Optional |
| limit | The number of items to return. Defaults to 100; the maximum is 2,000,000. | Optional |
| page_number | The page at which to start. The default is 0. | Optional |
| page_size | Page size. Minimum page size is 1, maximum is 100. | Optional |
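The bounding and strictly options above decide which sessions fall inside a window, and the same options appear on the connection, unique-field and CSV commands on this page. Two details matter when reproducing that decision in a playbook or checking a result: start_time and stop_time are seconds, while the firstPacket and lastPacket values in the Arkime.Session context are milliseconds, and the 'database' option depends on a write timestamp that the session output does not carry. The code below is an added example, not the Arkime pack's code; it encodes the five documented modes and runs them against the session from this command's context example (firstPacket 1649921199252, lastPacket 1650190531644) with the window from the command example (start_time=1650190238, stop_time=1650363038). The db_written_ms parameter is this example's own name for the database write time.

```python
"""Evaluate Arkime's `bounding` / `strictly` window options locally.

Added example (not the Arkime pack's code). Sessions carry packet times in
milliseconds while the command arguments are seconds, so the window is scaled
before comparison.
"""
from typing import Dict, Optional

# Session copied from the arkime-session-list context example on the page.
SAMPLE_SESSION: Dict = {
    "id": "3@220417-Yg7OpiE4Pi1PFaRqu8lztuA6",
    "firstPacket": 1649921199252,   # 2022-04-14 07:26:39 UTC, milliseconds
    "lastPacket": 1650190531644,    # 2022-04-17 10:15:31 UTC, milliseconds
}


def in_window(ts_ms: int, start_ms: int, stop_ms: int) -> bool:
    return start_ms <= ts_ms <= stop_ms


def session_matches(session: Dict, start_time: int, stop_time: int,
                    bounding: str = "last", strictly: bool = False,
                    db_written_ms: Optional[int] = None) -> bool:
    """Return True if the session is selected under the given bounding mode.

    start_time/stop_time are seconds since the Unix epoch, as in the command
    arguments; `strictly` overrides bounding and forces 'both', as documented.
    """
    if stop_time <= start_time:
        raise ValueError("stop_time must be after start_time")
    start_ms, stop_ms = start_time * 1000, stop_time * 1000
    first, last = session["firstPacket"], session["lastPacket"]
    if strictly:
        bounding = "both"
    if bounding == "first":
        return in_window(first, start_ms, stop_ms)
    if bounding == "last":
        return in_window(last, start_ms, stop_ms)
    if bounding == "both":
        return in_window(first, start_ms, stop_ms) and in_window(last, start_ms, stop_ms)
    if bounding == "either":
        # Overlap: started before the window ends and ended after it starts.
        return first <= stop_ms and last >= start_ms
    if bounding == "database":
        if db_written_ms is None:
            raise ValueError("bounding='database' needs the session's database write time")
        return in_window(db_written_ms, start_ms, stop_ms)
    raise ValueError(f"unknown bounding {bounding!r}")


def evaluate_all(session: Dict, start_time: int, stop_time: int) -> Dict[str, bool]:
    """Apply the four modes that need only packet timestamps."""
    return {mode: session_matches(session, start_time, stop_time, mode)
            for mode in ("first", "last", "both", "either")}


if __name__ == "__main__":
    # Window from the command example: start_time=1650190238 stop_time=1650363038
    print(evaluate_all(SAMPLE_SESSION, 1650190238, 1650363038))
```

For the page's own example the session started three days before the window opened and ended inside it, so it is selected under the default 'last' and under 'either', but not under 'first', 'both' or strictly; that is why a long-lived session can appear in one query and vanish when strictly is switched on.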

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.Session.data.firstPacket | Date | The first packet. |
| Arkime.Session.data.rootId | String | The root Id. |
| Arkime.Session.data.totDataBytes | Number | The totDataBytes. |
| Arkime.Session.data.ipProtocol | Number | The IP protocol. |
| Arkime.Session.data.node | String | The node. |
| Arkime.Session.data.lastPacket | Date | The last packet. |
| Arkime.Session.data.source.packets | Number | The source packets. |
| Arkime.Session.data.source.port | Number | The source port. |
| Arkime.Session.data.source.ip | String | The source IP. |
| Arkime.Session.data.source.bytes | Number | The source bytes. |
| Arkime.Session.data.destination.port | Number | The destination port. |
| Arkime.Session.data.destination.ip | String | The destination IP. |
| Arkime.Session.data.destination.packets | Number | The destination packets. |
| Arkime.Session.data.destination.bytes | Number | The destination bytes. |
| Arkime.Session.data.client.bytes | Number | The client bytes. |
| Arkime.Session.data.server.bytes | Number | The server bytes. |
| Arkime.Session.data.network.packets | Number | The network packets. |
| Arkime.Session.data.network.bytes | Number | The network bytes. |
| Arkime.Session.data.id | String | The data id. |
| Arkime.Session.graph.xmin | Date | The graph xmin. |
| Arkime.Session.graph.xmax | Date | The graph xmax. |
| Arkime.Session.graph.interval | Number | The graph interval. |
| Arkime.Session.graph.sessionsTotal | Number | The graph sessions total. |
| Arkime.Session.graph.network.packetsTotal | Number | The network packets total. |
| Arkime.Session.graph.network.bytesTotal | Number | The network bytes total. |
| Arkime.Session.graph.totDataBytesTotal | Number | The totDataBytesTotal. |
| Arkime.Session.recordsTotal | Number | The total number of history results stored. |
| Arkime.Session.recordsFiltered | Number | The number of history items returned in this result. |

Command example#

!arkime-session-list start_time=1650190238 stop_time=1650363038 limit=2

Context Example#

{
  "Arkime": {
    "Session": {
      "data": [
        {
          "client": {
            "bytes": 0
          },
          "destination": {
            "as": {},
            "bytes": 985952,
            "geo": {},
            "ip": "1.1.1.1",
            "packets": 5110,
            "port": 41096
          },
          "firstPacket": 1649921199252,
          "id": "3@220417-Yg7OpiE4Pi1PFaRqu8lztuA6",
          "ipProtocol": 6,
          "lastPacket": 1650190531644,
          "network": {
            "bytes": 1701336,
            "packets": 10000
          },
          "node": "localhost",
          "rootId": "220414-Yg445Ur1tpRKTKBpr8lhv37w",
          "server": {
            "bytes": 0
          },
          "source": {
            "as": {},
            "bytes": 715384,
            "geo": {},
            "ip": "1.1.1.1",
            "packets": 4890,
            "port": 22
          },
          "totDataBytes": 0
        }
      ],
      "graph": {
        "interval": 60,
        "network.bytesTotal": 0,
        "network.packetsTotal": 0,
        "sessionsTotal": 0,
        "totDataBytesTotal": 0,
        "xmax": 1650363038000,
        "xmin": 1650190238000
      },
      "map": {},
      "recordsFiltered": 516305,
      "recordsTotal": 31698069
    }
  }
}

Human Readable Output#

Showing 2 results, limit=2

Session List Result:#

| ID | IP Protocol | Start Time | Stop Time | Source IP | Source Port | Destination IP | Destination Port | Node |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3@220417-Yg7OpiE4Pi1PFaRqu8lztuA6 | 6 | 2022-04-14 07:26:39 | 2022-04-17 10:15:31 | 1.1.1.1 | 22 | 1.1.1.1 | 41096 | localhost |
| 3@220417-Yg5Kx3oHIahAPJJVD8QwphkQ | 6 | 2022-04-14 07:26:39 | 2022-04-17 10:16:19 | 1.1.1.1 | 22 | 1.1.1.1 | 41096 | localhost |

arkime-unique-field-list#


Gets a list of unique field values (with or without counts) and sends them to the client.

Base Command#

arkime-unique-field-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| counts | Whether to return counts with the list of unique field values. Defaults to 0. 0 = no counts, 1 = counts. | Optional |
| expression_field_names | Comma-separated list of expression field names to return. | Required |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma-separated list of db field names to sort on. Data is sorted in the order of the list supplied. Each name can optionally be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma-separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session's time. Options include: 'first' - First Packet: the timestamp of the first packet received for the session. 'last' - Last Packet: the timestamp of the last packet received for the session. 'both' - Bounded: both the first and last packet timestamps for the session must be inside the time window. 'either' - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window. 'database' - Database: the timestamp the session was written to the database. This can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be observed; otherwise it is displayed if it overlaps. Overrides the bounding parameter, setting bounding to 'both'. | Optional |
| limit | The number of items to return. Defaults to 100; the maximum is 2,000,000. | Optional |
| page_number | The page at which to start. The default is 0. | Optional |
| page_size | Page size. Minimum page size is 1, maximum is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.UniqueField.Field | String | The field. |
| Arkime.UniqueField.Count | Boolean | The count. |

Command example#

!arkime-unique-field-list expression_field_names=dns.ASN counts=0 limit=2

Context Example#

{
  "Arkime": {
    "UniqueField": [
      {
        "Field": "AS8075 MICROSOFT-CORP-MSN-AS-BLOCK"
      },
      {
        "Field": "AS15169 GOOGLE"
      }
    ]
  }
}

Human Readable Output#

Showing 2 results, limit=2

Unique Field Results:#

| Field | Count |
| --- | --- |
| AS8075 MICROSOFT-CORP-MSN-AS-BLOCK | |
| AS15169 GOOGLE | |

Command example#

!arkime-unique-field-list expression_field_names=dns.ASN counts=1 limit=2

Context Example#

{
  "Arkime": {
    "UniqueField": [
      {
        "Count": " 241",
        "Field": "AS8075 MICROSOFT-CORP-MSN-AS-BLOCK"
      },
      {
        "Count": " 183",
        "Field": "AS15169 GOOGLE"
      }
    ]
  }
}

Human Readable Output#

Showing 2 results, limit=2

Unique Field Results:#

| Field | Count |
| --- | --- |
| AS8075 MICROSOFT-CORP-MSN-AS-BLOCK | 241 |
| AS15169 GOOGLE | 183 |
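The two context examples above show how Arkime.UniqueField arrives in practice: with counts=0 there is no Count key at all, and with counts=1 Count is a string with a leading space (" 241"), so a playbook that compares or sums it without converting will misbehave. The helper below is an added example, not part of the Arkime pack; it normalises both shapes, merges repeated Field values (the arkime-multi-unique-field-list example further down returns the same field twice) by summing their counts, and ranks the result. The sample inputs are copied from the page's context examples; normalise, ranked and parse_count are this example's own names.

```python
"""Normalise Arkime.UniqueField context entries into usable counts.

Added example (not the Arkime pack's code). Handles the absent `Count` key
(counts=0), the whitespace-padded string count (counts=1) and repeated fields.
"""
from typing import Dict, List, Optional, Tuple

# Copied from the page's counts=1 context example.
SAMPLE_WITH_COUNTS: List[Dict] = [
    {"Count": " 241", "Field": "AS8075 MICROSOFT-CORP-MSN-AS-BLOCK"},
    {"Count": " 183", "Field": "AS15169 GOOGLE"},
]
# Copied from the page's counts=0 context example.
SAMPLE_WITHOUT_COUNTS: List[Dict] = [
    {"Field": "AS8075 MICROSOFT-CORP-MSN-AS-BLOCK"},
    {"Field": "AS15169 GOOGLE"},
]
# Copied from the arkime-multi-unique-field-list context example on the page.
SAMPLE_DUPLICATES: List[Dict] = [
    {"Count": " 10153", "Field": "1.1.1.1"},
    {"Count": " 1957", "Field": "1.1.1.1"},
]


def parse_count(raw) -> Optional[int]:
    """Accept ' 241', '241' or 241; return None when no count was requested."""
    if raw is None:
        return None
    if isinstance(raw, bool):
        raise ValueError("Count is a number, not a flag")
    if isinstance(raw, int):
        return raw
    text = str(raw).strip()
    if not text:
        return None
    if not text.isdigit():
        raise ValueError(f"non-numeric count {raw!r}")
    return int(text)


def normalise(entries: List[Dict]) -> Dict[str, Optional[int]]:
    """Map each field value to its count (None when counts were not requested).

    A field that appears more than once has its counts summed; if no entry for
    it carried a count the value stays None rather than becoming 0.
    """
    out: Dict[str, Optional[int]] = {}
    for entry in entries:
        field = str(entry["Field"]).strip()
        count = parse_count(entry.get("Count"))
        if field not in out:
            out[field] = count
        elif count is not None:
            out[field] = (out[field] or 0) + count
    return out


def ranked(entries: List[Dict]) -> List[Tuple[str, int]]:
    """Fields with counts, highest first; ties broken by field name."""
    counted = [(f, c) for f, c in normalise(entries).items() if c is not None]
    return sorted(counted, key=lambda fc: (-fc[1], fc[0]))


if __name__ == "__main__":
    print(normalise(SAMPLE_WITH_COUNTS))
    print(normalise(SAMPLE_WITHOUT_COUNTS))
    print(ranked(SAMPLE_DUPLICATES))
```

Whether summing duplicates is right depends on what the query asked for; for the page's multi-unique-field example the two rows are the same destination IP under two values of the database field, so the sum is the per-IP total.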

arkime-multi-unique-field-list#


Gets an intersection of unique field values (with or without counts) and sends them to the client.

Base Command#

arkime-multi-unique-field-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| counts | Whether to return counts with the list of unique field values. Defaults to 0. 0 = no counts, 1 = counts. | Optional |
| expression_field_names | Comma-separated list of expression field names to return. | Required |
| database_field | The database field to return unique data for. Either exp or field is required; field is given priority if both are present. | Optional |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma-separated list of db field names to sort on. Data is sorted in the order of the list supplied. Each name can optionally be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma-separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session's time. Options include: 'first' - First Packet: the timestamp of the first packet received for the session. 'last' - Last Packet: the timestamp of the last packet received for the session. 'both' - Bounded: both the first and last packet timestamps for the session must be inside the time window. 'either' - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window. 'database' - Database: the timestamp the session was written to the database. This can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be observed; otherwise it is displayed if it overlaps. Overrides the bounding parameter, setting bounding to 'both'. | Optional |
| limit | The number of items to return. Defaults to 100; the maximum is 2,000,000. | Optional |
| page_number | The page at which to start. The default is 0. | Optional |
| page_size | Page size. Minimum page size is 1, maximum is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.UniqueField.Field | String | The field. |
| Arkime.UniqueField.Count | Boolean | The count. |

Command example#

!arkime-multi-unique-field-list expression_field_names=destination.ip counts=1 database_field=dns.ASN limit=2

Context Example#

{
  "Arkime": {
    "UniqueField": [
      {
        "Count": " 10153",
        "Field": "1.1.1.1"
      },
      {
        "Count": " 1957",
        "Field": "1.1.1.1"
      }
    ]
  }
}

Human Readable Output#

Showing 2 results, limit=2

Unique Field Results:#

| Field | Count |
| --- | --- |
| 1.1.1.1 | 10153 |
| 1.1.1.1 | 1957 |

Command example#

!arkime-multi-unique-field-list expression_field_names=destination.ip counts=0 database_field=dns.ASN limit=2

Context Example#

{
  "Arkime": {
    "UniqueField": [
      {
        "Field": "1.1.1.1"
      },
      {
        "Field": "1.1.1.1"
      }
    ]
  }
}

Human Readable Output#

Showing 2 results, limit=2

Unique Field Results:#

| Field | Count |
| --- | --- |
| 1.1.1.1 | |
| 1.1.1.1 | |

arkime-field-list#


Gets available database field objects pertaining to sessions.

Base Command#

arkime-field-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| array_response | Whether to return an array of fields; otherwise returns a map. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.Field.friendlyName | String | The friendly name. |
| Arkime.Field.type | String | The type. |
| Arkime.Field.group | String | The group. |
| Arkime.Field.help | String | The help. |
| Arkime.Field.dbField | String | The dbField. |

Command example#

!arkime-field-list

Context Example#

{
  "Arkime": {
    "Field": [
      {
        "dbField": "asnall",
        "dbField2": "asnall",
        "exp": "asn",
        "friendlyName": "All ASN fields",
        "group": "general",
        "help": "Search all ASN fields",
        "regex": "(^asn\\.(?:(?!\\.cnt$).)*$|\\.asn$)",
        "type": "termfield"
      }
    ]
  }
}

Human Readable Output#

Fields Results:#

| Friendly Name | Type | Group | Help | DB Field |
| --- | --- | --- | --- | --- |
| All ASN fields | termfield | general | Search all ASN fields | asnall |
| ASN | termfield | dns | GeoIP ASN string calculated from the IP from DNS result | dns.ASN |
| ASN | termfield | dns | GeoIP ASN string calculated from the IPs for mailservers | dns.mailserverASN |
| ASN | termfield | dns | GeoIP ASN string calculated from the IPs for nameservers | dns.nameserverASN |
| Dst ASN | termfield | general | GeoIP ASN string calculated from the destination IP | destination.as.full |
| ASN | termfield | email | GeoIP ASN string calculated from the Email IP address | email.ASN |
| ASN | termfield | socks | GeoIP ASN string calculated from the SOCKS destination IP | socks.ASN |
| Src ASN | termfield | general | GeoIP ASN string calculated from the source IP | source.as.full |
| XFF ASN | termfield | http | GeoIP ASN string calculated from the X-Forwarded-For Header | http.xffASN |
| Asset | lotermfield | general | Asset name | asset |
| Asset Cnt | integer | general | Unique number of Asset name | assetCnt |
| Type | uptermfield | bgp | BGP Type field | bgp.type |
| Bytes | integer | general | Total number of raw bytes sent AND received in a session | network.bytes |
| Dst Bytes | integer | general | Total number of raw bytes sent by destination in a session | destination.bytes |
| Src Bytes | integer | general | Total number of raw bytes sent by source in a session | source.bytes |
| Alt Name | lotermfield | cert | Certificate alternative names | cert.alt |
| Alt Name Cnt | integer | cert | Unique number of Certificate alternative names | cert.altCnt |
| Cert Cnt | integer | cert | Count of certificates | certCnt |
| Curve | termfield | cert | Curve Algorithm | cert.curve |
| Hash | lotermfield | cert | SHA1 hash of entire certificate | cert.hash |
| Issuer CN | lotermfield | cert | Issuer's common name | cert.issuerCN |
| Issuer ON | termfield | cert | Issuer's organization name | cert.issuerON |
| Not After | date | cert | Certificate is not valid after this date | cert.notAfter |
| Not Before | date | cert | Certificate is not valid before this date | cert.notBefore |
| Public Algorithm | termfield | cert | Public Key Algorithm | cert.publicAlgorithm |
| Days remaining | integer | cert | Certificate is still valid for this many days | cert.remainingDays |
| Serial Number | lotermfield | cert | Serial Number | cert.serial |
| Subject CN | lotermfield | cert | Subject's common name | cert.subjectCN |
| Subject ON | termfield | cert | Subject's organization name | cert.subjectON |
| Days Valid For | integer | cert | Certificate is valid for this many days total | cert.validDays |
| Community Id | termfield | general | Community id flow hash | network.community_id |
| All country fields | uptermfield | general | Search all country fields | geoall |
| GEO | uptermfield | dns | GeoIP country string calculated from the IP from DNS result | dns.GEO |
| GEO | uptermfield | dns | GeoIP country string calculated from the IPs for mailservers | dns.mailserverGEO |
| GEO | uptermfield | dns | GeoIP country string calculated from the IPs for nameservers | dns.nameserverGEO |
| Dst Country | uptermfield | general | Destination Country | destination.geo.country_iso_code |
| GEO | uptermfield | email | GeoIP country string calculated from the Email IP address | email.GEO |
| GEO | uptermfield | socks | GeoIP country string calculated from the SOCKS destination IP | socks.GEO |
| Src Country | uptermfield | general | Source Country | source.geo.country_iso_code |
| XFF GEO | uptermfield | http | GeoIP country string calculated from the X-Forwarded-For Header | http.xffGEO |
| Data bytes | integer | general | Total number of data bytes sent AND received in a session | totDataBytes |
| Dst data bytes | integer | general | Total number of data bytes sent by destination in a session | server.bytes |
| Src data bytes | integer | general | Total number of data bytes sent by source in a session | client.bytes |
| Dst ASN Number | integer | general | GeoIP ASN Number calculated from the destination IP | destination.as.number |
| Dst ASN Name | termfield | general | GeoIP ASN Name calculated from the destination IP | destination.as.organization.name |
| Host | lotermfield | dhcp | DHCP Host | dhcp.host |
| Host Cnt | integer | dhcp | Unique number of DHCP Host | dhcp.hostCnt |
| Hostname Tokens | lotextfield | dhcp | DHCP Hostname Tokens | dhcp.hostTokens |
| Transaction id | lotermfield | dhcp | DHCP Transaction Id | dhcp.id |
| Transaction id Cnt | integer | dhcp | Unique number of DHCP Transaction Id | dhcp.idCnt |
| Client MAC | lotermfield | dhcp | Client ethernet MAC | dhcp.mac |
| Client MAC Cnt | integer | dhcp | Unique number of Client ethernet MAC | dhcp.macCnt |
| Client OUI | termfield | dhcp | Client ethernet OUI | dhcp.oui |
| Client OUI Cnt | integer | dhcp | Unique number of Client ethernet OUI | dhcp.ouiCnt |
| Type | uptermfield | dhcp | DHCP Type | dhcp.type |
| Type Cnt | integer | dhcp | Unique number of DHCP Type | dhcp.typeCnt |
| Op Code | uptermfield | dns | DNS lookup op code | dns.opcode |
| Op Code Cnt | integer | dns | Unique number of DNS lookup op code | dns.opcodeCnt |
| Puny | lotermfield | dns | DNS lookup punycode | dns.puny |
| Puny Cnt | integer | dns | Unique number of DNS lookup punycode | dns.punyCnt |
| Query Class | uptermfield | dns | DNS lookup query class | dns.qc |
| Query Class Cnt | integer | dns | Unique number of DNS lookup query class | dns.qcCnt |
| Query Type | uptermfield | dns | DNS lookup query type | dns.qt |
| Query Type Cnt | integer | dns | Unique number of DNS lookup query type | dns.qtCnt |
| Status Code | uptermfield | dns | DNS lookup return code | dns.status |
| Status Code Cnt | integer | dns | Unique number of DNS lookup return code | dns.statusCnt |
| Dst DSCP | integer | general | Destination non zero differentiated services class selector set for session | dstDscp |
| Dst DSCP Cnt | integer | general | Unique number of Destination non zero differentiated services class selector set for session | dstDscpCnt |
| Src DSCP | integer | general | Source non zero differentiated services class selector set for session | srcDscp |
| Src DSCP Cnt | integer | general | Unique number of Source non zero differentiated services class selector set for session | srcDscpCnt |
| email.authorization | termfield | email | Email header authorization | email.header-authorization |
| Body Magic | termfield | email | The content type of body determined by libfile/magic | email.bodyMagic |
| Body Magic Cnt | integer | email | Unique number of The content type of body determined by libfile/magic | email.bodyMagicCnt |
| Content-Type | termfield | email | Email content-type header | email.contentType |
| Content-Type Cnt | integer | email | Unique number of Email content-type header | email.contentTypeCnt |
| Receiver | lotermfield | email | Email to address | email.dst |
| Receiver Cnt | integer | email | Unique number of Email to address | email.dstCnt |
| Attach Content-Type | termfield | email | Email attachment content types | email.fileContentType |
| Attach Content-Type Cnt | integer | email | Unique number of Email attachment content types | email.fileContentTypeCnt |
| Filenames | termfield | email | Email attachment filenames | email.filename |
| Filenames Cnt | integer | email | Unique number of Email attachment filenames | email.filenameCnt |
| Header | lotermfield | email | Email has the header set | email.header |
| Header Cnt | integer | email | Unique number of Email has the header set | email.headerCnt |
| Header Value | termfield | email | Email has the header value | email.headerValue |
| Header Value Cnt | integer | email | Unique number of Email has the header value | email.headerValueCnt |
| Attach MD5s | termfield | email | Email attachment MD5s | email.md5 |
| Attach MD5s Cnt | integer | email | Unique number of Email attachment MD5s | email.md5Cnt |
| Id | termfield | email | Email Message-Id header | email.id |
| Id Cnt | integer | email | Unique number of Email Message-Id header | email.idCnt |
| Mime-Version | termfield | email | Email Mime-Header header | email.mimeVersion |
| Mime-Version Cnt | integer | email | Unique number of Email Mime-Header header | email.mimeVersionCnt |
| SMTP Hello | lotermfield | email | SMTP HELO/EHLO | email.smtpHello |
| SMTP Hello Cnt | integer | email | Unique number of SMTP HELO/EHLO | email.smtpHelloCnt |
| Sender | lotermfield | email | Email from address | email.src |
| Sender Cnt | integer | email | Unique number of Email from address | email.srcCnt |
| Subject | termfield | email | Email subject header | email.subject |
| Subject Cnt | integer | email | Unique number of Email subject header | email.subjectCnt |
| X-Mailer Header | termfield | email | Email X-Mailer header | email.useragent |
| X-Mailer Header Cnt | integer | email | Unique number of Email X-Mailer header | email.useragentCnt |
| email.x-priority | integer | email | Email header x-priority | email.header-x-priority |
| Filename | fileand | general | Arkime offline pcap filename | fileand |
| GRE IP | ip | general | GRE ip addresses for session | greIp |
| GRE IP ASN | termfield | general | GeoIP ASN string calculated from the GRE ip addresses for session | greASN |
| GRE IP Cnt | integer | general | Unique number of GRE ip addresses for session | greIpCnt |
| GRE IP GEO | uptermfield | general | GeoIP country string calculated from the GRE ip addresses for session | greGEO |
| GRE IP RIR | uptermfield | general | Regional Internet Registry string calculated from GRE ip addresses for session | greRIR |
All Host fieldslotermfieldgeneralSearch all Host fieldshostall
HostlotermfielddnsDNS lookup hostnamedns.host
All HostlotermfielddnsShorthand for host.dns or host.dns.nameserverdnshostall
Host CntintegerdnsUnique number of DNS lookup hostnamedns.hostCnt
MX HostlotermfielddnsHostnames for Mail Exchange Serverdns.mailserverHost
MX Host CntintegerdnsUnique number of Hostnames for Mail Exchange Serverdns.mailserverHostCnt
NS HostlotermfielddnsHostnames for Name Serverdns.nameserverHost
NS Host CntintegerdnsUnique number of Hostnames for Name Serverdns.nameserverHostCnt
Hostname TokenslotextfielddnsDNS lookup hostname tokensdns.hostTokens
HostnamelotermfieldemailEmail hostnamesemail.host
Hostname CntintegeremailUnique number of Email hostnamesemail.hostCnt
Hostname TokenslotextfieldemailEmail Hostname Tokensemail.hostTokens
HostnamelotermfieldhttpHTTP host header fieldhttp.host
Hostname CntintegerhttpUnique number of HTTP host header fieldhttp.hostCnt
Hostname TokenslotextfieldhttpHTTP host Tokens header fieldhttp.hostTokens
HostnamelotermfieldquicQUIC host header fieldquic.host
Hostname CntintegerquicUnique number of QUIC host header fieldquic.hostCnt
Hostname TokenslotextfieldquicQUIC host tokens header fieldquic.hostTokens
HostnametermfieldsmbSMB Host namesmb.host
Hostname CntintegersmbUnique number of SMB Host namesmb.hostCnt
HostlotermfieldsocksSOCKS destination hostsocks.host
Hostname TokenslotextfieldsocksSOCKS Hostname Tokenssocks.hostTokens
http.authorizationtermfieldhttpRequest header authorizationhttp.request-authorization
http.authorization CntintegerhttpUnique number of Request header authorizationhttp.request-authorizationCnt
Auth TypelotermfieldhttpHTTP Auth Typehttp.authType
Auth Type CntintegerhttpUnique number of HTTP Auth Typehttp.authTypeCnt
Body MagictermfieldhttpThe content type of body determined by libfile/magichttp.bodyMagic
Body Magic CntintegerhttpUnique number of The content type of body determined by libfile/magichttp.bodyMagicCnt
http.content-typetermfieldhttpResponse header content-typehttp.response-content-type
http.content-type CntintegerhttpUnique number of Request header content-typehttp.request-content-typeCnt
Cookie KeystermfieldhttpThe keys to cookies sent up in requestshttp.cookieKey
Cookie Keys CntintegerhttpUnique number of The keys to cookies sent up in requestshttp.cookieKeyCnt
Cookie ValuestermfieldhttpThe values to cookies sent up in requestshttp.cookieValue
Cookie Values CntintegerhttpUnique number of The values to cookies sent up in requestshttp.cookieValueCnt
Has Src or Dst HeaderlotermfieldhttpShorthand for http.hasheader.src or http.hasheader.dsthhall
Has Dst HeaderlotermfieldhttpResponse has header presenthttp.responseHeader
Has Dst Header CntintegerhttpUnique number of Response has header presenthttp.responseHeaderCnt
Response Header ValueslotermfieldhttpContains response header valueshttp.responseHeaderValue
Response Header Values CntintegerhttpUnique number of Contains response header valueshttp.responseHeaderValueCnt
Has Src HeaderlotermfieldhttpRequest has header presenthttp.requestHeader
Has Src Header CntintegerhttpUnique number of Request has header presenthttp.requestHeaderCnt
Request Header ValueslotermfieldhttpContains request header valueshttp.requestHeaderValue
Request Header Values CntintegerhttpUnique number of Contains request header valueshttp.requestHeaderValueCnt
Has Value in Src or Dst HeaderlotermfieldhttpShorthand for http.hasheader.src.value or http.hasheader.dst.valuehhvalueall
http.locationtermfieldhttpResponse header locationhttp.response-location
Body MD5lotermfieldhttpMD5 of http body responsehttp.md5
Body MD5 CntintegerhttpUnique number of MD5 of http body responsehttp.md5Cnt
Request MethodtermfieldhttpHTTP Request Methodhttp.method
Request Method CntintegerhttpUnique number of HTTP Request Methodhttp.methodCnt
http.origintermfieldhttpRequest header originhttp.request-origin
http.referertermfieldhttpRequest header refererhttp.request-referer
http.referer CntintegerhttpUnique number of Request header refererhttp.request-refererCnt
Request BodytermfieldhttpHTTP Request Bodyhttp.requestBody
http.servertermfieldhttpResponse header serverhttp.response-server
Status CodeintegerhttpResponse HTTP numeric status codehttp.statuscode
Status Code CntintegerhttpUnique number of Response HTTP numeric status codehttp.statuscodeCnt
URItermfieldhttpURIs for requesthttp.uri
URI CntintegerhttpUnique number of URIs for requesthttp.uriCnt
QS KeystermfieldhttpKeys from query string of URIhttp.key
QS Keys CntintegerhttpUnique number of Keys from query string of URIhttp.keyCnt
URI PathtermfieldhttpPath portion of URIhttp.path
URI Path CntintegerhttpUnique number of Path portion of URIhttp.pathCnt
URI TokenslotextfieldhttpURIs Tokens for requesthttp.uriTokens
QS ValuestermfieldhttpValues from query string of URIhttp.value
QS Values CntintegerhttpUnique number of Values from query string of URIhttp.valueCnt
UsertermfieldhttpHTTP Auth Userhttp.user
UseragenttermfieldhttpUser-Agent Headerhttp.useragent
Useragent CntintegerhttpUnique number of User-Agent Headerhttp.useragentCnt
Useragent TokenslotextfieldhttpUser-Agent Header Tokenshttp.useragentTokens
User CntintegerhttpUnique number of HTTP Auth Userhttp.userCnt
VersiontermfieldhttpHTTP version numberhttpversion
Dst VersiontermfieldhttpResponse HTTP version numberhttp.serverVersion
Dst Version CntintegerhttpUnique number of Response HTTP version numberhttp.serverVersionCnt
Src VersiontermfieldhttpRequest HTTP version numberhttp.clientVersion
Src Version CntintegerhttpUnique number of Request HTTP version numberhttp.clientVersionCnt
Hunt IDtermfieldgeneralThe ID of the packet search job that matched this sessionhuntId
Hunt NametermfieldgeneralThe name of the packet search job that matched this sessionhuntName
ICMP CodeintegergeneralICMP code field valuesicmp.code
ICMP TypeintegergeneralICMP type field valuesicmp.type
Arkime IDtermfieldgeneralArkime ID for the session_id
Initial RTTintegergeneralInitial round trip time, difference between SYN and ACK timestamp divided by 2 in msinitRTT
All IP fieldsipgeneralSearch all ip fieldsipall
IPipdnsIP from DNS resultdns.ip
IPipdnsShorthand for ip.dns or ip.dns.nameserverdnsipall
IP CntintegerdnsUnique number of IP from DNS resultdns.ipCnt
IPipdnsIPs for mailserversdns.mailserverIp
IP CntintegerdnsUnique number of IPs for mailserversdns.mailserverIpCnt
IPipdnsIPs for nameserversdns.nameserverIp
IP CntintegerdnsUnique number of IPs for nameserversdns.nameserverIpCnt
Dst IPipgeneralDestination IPdestination.ip
IPipemailEmail IP addressemail.ip
IP CntintegeremailUnique number of Email IP addressemail.ipCnt
IP ProtocollotermfieldgeneralIP protocol number or friendly nameipProtocol
IPipsocksSOCKS destination IPsocks.ip
Src IPipgeneralSource IPsource.ip
XFF IPiphttpX-Forwarded-For Headerhttp.xffIp
XFF IP CntintegerhttpUnique number of X-Forwarded-For Headerhttp.xffIpCnt
ChanneltermfieldircChannels joinedirc.channel
Channel CntintegerircUnique number of Channels joinedirc.channelCnt
NicknametermfieldircNicknames setirc.nick
Nickname CntintegerircUnique number of Nicknames setirc.nickCnt
isis.msgTypelotermfieldisisISIS Msg Type fieldisis.msgType
cnametermfieldkrb5Kerberos 5 cnamekrb5.cname
cname Cntintegerkrb5Unique number of Kerberos 5 cnamekrb5.cnameCnt
Realmtermfieldkrb5Kerberos 5 Realmkrb5.realm
Realm Cntintegerkrb5Unique number of Kerberos 5 Realmkrb5.realmCnt
snametermfieldkrb5Kerberos 5 snamekrb5.sname
sname Cntintegerkrb5Unique number of Kerberos 5 snamekrb5.snameCnt
Auth TypetermfieldldapThe auth type of ldap bindldap.authtype
Auth Type CntintegerldapUnique number of The auth type of ldap bindldap.authtypeCnt
Bind NametermfieldldapThe bind name of ldap bindldap.bindname
Bind Name CntintegerldapUnique number of The bind name of ldap bindldap.bindnameCnt
Src or Dst MAClotermfieldgeneralShorthand for mac.src or mac.dstmacall
Dst MAClotermfieldgeneralDestination ethernet mac addresses set for sessiondestination.mac
Dst MAC CntintegergeneralUnique number of Destination ethernet mac addresses set for sessiondestination.mac-cnt
Src MAClotermfieldgeneralSource ethernet mac addresses set for sessionsource.mac
Src MAC CntintegergeneralUnique number of Source ethernet mac addresses set for sessionsource.mac-cnt
Modbus Exception CodeintegermodbusModbus Exception Codesmodbus.exccode
Modbus Exception Code CntintegermodbusUnique number of Modbus Exception Codesmodbus.exccodeCnt
Modbus Function CodeintegermodbusModbus Function Codesmodbus.funccode
Modbus Function Code CntintegermodbusUnique number of Modbus Function Codesmodbus.funccodeCnt
Modbus Protocol IDintegermodbusModbus Protocol ID (should always be 0)modbus.protocolid
Modbus Transaction IDsintegermodbusModbus Transaction IDsmodbus.transactionid
Modbus Transaction IDs CntintegermodbusUnique number of Modbus Transaction IDsmodbus.transactionidCnt
Modbus Unit IDintegermodbusModbus Unit IDmodbus.unitid
UserlotermfieldmysqlMysql user namemysql.user
VersiontermfieldmysqlMysql server version stringmysql.version
Arkime NodetermfieldgeneralArkime node name the session was recorded onnode
HostlotermfieldoracleOracle Hostoracle.host
Hostname TokenslotextfieldoracleOracle Hostname Tokensoracle.hostTokens
ServicelotermfieldoracleOracle Serviceoracle.service
UserlotermfieldoracleOracle Useroracle.user
Dst OUItermfieldgeneralDestination ethernet oui set for sessiondstOui
Dst OUI CntintegergeneralUnique number of Destination ethernet oui set for sessiondstOuiCnt
Src OUItermfieldgeneralSource ethernet oui set for sessionsrcOui
Src OUI CntintegergeneralUnique number of Source ethernet oui set for sessionsrcOuiCnt
PacketsintegergeneralTotal number of packets sent AND received in a sessionnetwork.packets
Dst PacketsintegergeneralTotal number of packets sent by destination in a sessiondestination.packets
Src PacketsintegergeneralTotal number of packets sent by source in a sessionsource.packets
Payload Dst HexlotermfieldgeneralFirst 8 bytes of destination payload in hexdstPayload8
Payload Dst UTF8termfieldgeneralFirst 8 bytes of destination payload in utf8dstPayload8
Payload HexlotermfieldgeneralFirst 8 bytes of payload in hexfballhex
Payload Src HexlotermfieldgeneralFirst 8 bytes of source payload in hexsrcPayload8
Payload Src UTF8termfieldgeneralFirst 8 bytes of source payload in utf8srcPayload8
Payload UTF8lotermfieldgeneralFirst 8 bytes of payload in hexfballutf8
All port fieldsintegergeneralSearch all port fieldsportall
Dst PortintegergeneralSource Portdestination.port
PortintegersocksSOCKS destination portsocks.port
Src PortintegergeneralSource Portsource.port
ApplicationtermfieldpostgresqlPostgresql applicationpostgresql.app
DatabasetermfieldpostgresqlPostgresql databasepostgresql.db
UsertermfieldpostgresqlPostgresql user namepostgresql.user
ProtocolstermfieldgeneralProtocols set for sessionprotocol
Protocols CntintegergeneralUnique number of Protocols set for sessionprotocolCnt
User-AgenttermfieldquicUser-Agentquic.useragent
User-Agent CntintegerquicUnique number of User-Agentquic.useragentCnt
VersiontermfieldquicQUIC Versionquic.version
Version CntintegerquicUnique number of QUIC Versionquic.versionCnt
Endpoint IPipradiusRadius endpoint ip addresses for sessionradius.endpointIp
Endpoint IP ASNtermfieldradiusGeoIP ASN string calculated from the Radius endpoint ip addresses for sessionradius.endpointASN
Endpoint IP CntintegerradiusUnique number of Radius endpoint ip addresses for sessionradius.endpointIpCnt
Endpoint IP GEOuptermfieldradiusGeoIP country string calculated from the Radius endpoint ip addresses for sessionradius.endpointGEO
Endpoint IP RIRuptermfieldradiusRegional Internet Registry string calculated from Radius endpoint ip addresses for sessionradius.endpointRIR
Framed IPipradiusRadius framed ip addresses for sessionradius.framedIp
Framed IP ASNtermfieldradiusGeoIP ASN string calculated from the Radius framed ip addresses for sessionradius.framedASN
Framed IP CntintegerradiusUnique number of Radius framed ip addresses for sessionradius.framedIpCnt
Framed IP GEOuptermfieldradiusGeoIP country string calculated from the Radius framed ip addresses for sessionradius.framedGEO
Framed IP RIRuptermfieldradiusRegional Internet Registry string calculated from Radius framed ip addresses for sessionradius.framedRIR
MAClotermfieldradiusRadius Macradius.mac
MAC CntintegerradiusUnique number of Radius Macradius.macCnt
UsertermfieldradiusRADIUS userradius.user
All rir fieldsuptermfieldgeneralSearch all rir fieldsrirall
RIRuptermfielddnsRegional Internet Registry string calculated from IP from DNS resultdns.RIR
RIRuptermfielddnsRegional Internet Registry string calculated from IPs for mailserversdns.mailserverRIR
RIRuptermfielddnsRegional Internet Registry string calculated from IPs for nameserversdns.nameserverRIR
Dst RIRuptermfieldgeneralDestination RIRdstRIR
RIRuptermfieldemailRegional Internet Registry string calculated from Email IP addressemail.RIR
RIRuptermfieldsocksRegional Internet Registry string calculated from SOCKS destination IPsocks.RIR
Src RIRuptermfieldgeneralSource RIRsrcRIR
XFF RIRuptermfieldhttpRegional Internet Registry string calculated from X-Forwarded-For Headerhttp.xffRIR
Arkime Root IDtermfieldgeneralArkime ID of the first session in a multi session streamrootId
Scrubbed BylotermfieldgeneralSPI data was scrubbed byscrubby
Session LengthintegergeneralSession Length in milliseconds so farlength
Session SegmentsintegergeneralNumber of segments in session so farsegmentCnt
DomaintermfieldsmbSMB domainsmb.domain
Domain CntintegersmbUnique number of SMB domainsmb.domainCnt
FilenametermfieldsmbSMB files opened, created, deletedsmb.filename
Filename CntintegersmbUnique number of SMB files opened, created, deletedsmb.filenameCnt
OStermfieldsmbSMB OS informationsmb.os
OS CntintegersmbUnique number of SMB OS informationsmb.osCnt
SharetermfieldsmbSMB shares connected tosmb.share
Share CntintegersmbUnique number of SMB shares connected tosmb.shareCnt
UsertermfieldsmbSMB Usersmb.user
User CntintegersmbUnique number of SMB Usersmb.userCnt
VersiontermfieldsmbSMB Version informationsmb.version
Version CntintegersmbUnique number of SMB Version informationsmb.versionCnt
CommunitytermfieldsnmpSNMP Communitysnmp.community
Community CntintegersnmpUnique number of SNMP Communitysnmp.communityCnt
Error CodeintegersnmpSNMP Error Codesnmp.error
Error Code CntintegersnmpUnique number of SNMP Error Codesnmp.errorCnt
TypetermfieldsnmpSNMP Typesnmp.type
Type CntintegersnmpUnique number of SNMP Typesnmp.typeCnt
VariabletermfieldsnmpSNMP Variablesnmp.variable
Variable CntintegersnmpUnique number of SNMP Variablesnmp.variableCnt
VersionintegersnmpSNMP Versionsnmp.version
Version CntintegersnmpUnique number of SNMP Versionsnmp.versionCnt
UsertermfieldsocksSOCKS authenticated usersocks.user
Src ASN NumberintegergeneralGeoIP ASN Number calculated from the source IPsource.as.number
Src ASN NametermfieldgeneralGeoIP ASN Name calculated from the source IPsource.as.organization.name
Arkime Source NodetermfieldgeneralSource Arkime node name the session was recorded on when using send to clustersrcNode
HASSHlotermfieldsshSSH HASSH fieldssh.hassh
HASSH CntintegersshUnique number of SSH HASSH fieldssh.hasshCnt
HASSH ServerlotermfieldsshSSH HASSH Server fieldssh.hasshServer
HASSH Server CntintegersshUnique number of SSH HASSH Server fieldssh.hasshServerCnt
KeytermfieldsshSSH Keyssh.key
Key CntintegersshUnique number of SSH Keyssh.keyCnt
VersionlotermfieldsshSSH Software Versionssh.version
Version CntintegersshUnique number of SSH Software Versionssh.versionCnt
Start TimesecondsgeneralSession Start TimefirstPacket
Stop TimesecondsgeneralSession Stop TimelastPacket
TagstermfieldgeneralTags set for sessiontags
Tags CntintegergeneralUnique number of Tags set for sessiontagsCnt
TCP Flag ACKintegergeneralCount of packets with only the ACK flag settcpflags.ack
TCP Flag FINintegergeneralCount of packets with FIN flag settcpflags.fin
TCP Flag PSHintegergeneralCount of packets with PSH flag settcpflags.psh
TCP Flag RSTintegergeneralCount of packets with RST flag settcpflags.rst
TCP Flag SYNintegergeneralCount of packets with SYN and no ACK flag settcpflags.syn
TCP Flag SYN-ACKintegergeneralCount of packets with SYN and ACK flag settcpflags.syn-ack
TCP Flag URGintegergeneralCount of packets with URG flag settcpflags.urg
CipheruptermfieldtlsSSL/TLS cipher fieldtls.cipher
Cipher CntintegertlsUnique number of SSL/TLS cipher fieldtls.cipherCnt
JA3lotermfieldtlsSSL/TLS JA3 fieldtls.ja3
JA3 CntintegertlsUnique number of SSL/TLS JA3 fieldtls.ja3Cnt
JA3SlotermfieldtlsSSL/TLS JA3S fieldtls.ja3s
JA3S CntintegertlsUnique number of SSL/TLS JA3S fieldtls.ja3sCnt
Src or Dst Session IdlotermfieldgeneralShorthand for tls.sessionid.src or tls.sessionid.dsttlsidall
Dst Session IdlotermfieldtlsSSL/TLS Dst Session Idtls.dstSessionId
Src Session IdlotermfieldtlsSSL/TLS Src Session Idtls.srcSessionId
VersiontermfieldtlsSSL/TLS version fieldtls.version
Version CntintegertlsUnique number of SSL/TLS version fieldtls.versionCnt
UserlotermfieldgeneralExternal user set for sessionuser
User CntintegergeneralUnique number of External user set for sessionuserCnt
View NameviewandgeneralArkime view nameviewand
VLanintegergeneralvlan valuenetwork.vlan.id
VLan CntintegergeneralUnique number of vlan valuenetwork.vlan.id-cnt

arkime-spigraph-get#


Gets a list of values for a field with counts and graph data and returns them to the client.

Base Command#

arkime-spigraph-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| field | The database field to get data for. Defaults to “node”. | Required |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| fields | Comma separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session’s time. Defaults to “last”. Options include: ‘first’ - First Packet: the timestamp of the first packet received for the session; ‘last’ - Last Packet: the timestamp of the last packet received for the session; ‘both’ - Bounded: both the first and last packet timestamps for the session must be inside the time window; ‘either’ - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window; ‘database’ - Database: the timestamp the session was written to the database, which can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be returned; otherwise a session that overlaps the range is included. Overrides the bounding parameter, setting bounding to ‘both’. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.SpiGraph.items.name | String | The item name. |
| Arkime.SpiGraph.items.count | Number | The item count. |
| Arkime.SpiGraph.items.graph.xmin | Date | The graph xmin. |
| Arkime.SpiGraph.items.graph.xmax | Date | The graph xmax. |
| Arkime.SpiGraph.items.graph.interval | Number | The graph interval. |
| Arkime.SpiGraph.items.graph.sessionsTotal | Number | The sessions total. |
| Arkime.SpiGraph.items.graph.network.packetsTotal | Number | The network packets total. |
| Arkime.SpiGraph.items.graph.network.bytesTotal | Date | The network bytesTotal. |
| Arkime.SpiGraph.items.graph.totDataBytesTotal | Date | The graph totDataBytesTotal. |
| Arkime.SpiGraph.graph.xmin | Date | The graph xmin. |
| Arkime.SpiGraph.graph.xmax | Date | The graph xmax. |
| Arkime.SpiGraph.graph.interval | Number | The graph interval. |
| Arkime.SpiGraph.graph.sessionsTotal | Number | The graph sessionsTotal. |
| Arkime.SpiGraph.graph.network.packetsTotal | Number | The network packetsTotal. |
| Arkime.SpiGraph.graph.network.bytesTotal | Date | The network bytesTotal. |
| Arkime.SpiGraph.graph.totDataBytesTotal | Date | The graph totDataBytesTotal. |
| Arkime.SpiGraph.recordsTotal | Number | The total number of records stored. |
| Arkime.SpiGraph.recordsFiltered | Number | The number of records returned in this result. |

Command example#

!arkime-spigraph-get field=220516-QHSdz21pJ_xCtJGoL8mbmyNv

Context Example#

{
"InfoFile": {
"EntryID": "2701@4060e8c8-61bb-4131-8a47-32a7d97a9726",
"Extension": "json",
"Info": "application/json",
"Name": "spi_graph.json",
"Size": 512,
"Type": "ASCII text, with very long lines (512), with no line terminators"
}
}

Human Readable Output#

arkime-spiview-get#


Gets a list of field values with counts and returns them to the client.

Base Command#

arkime-spiview-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| spi | Comma separated list of db fields to return. Optionally can be followed by :{count} to specify the number of values returned for the field (defaults to 100). | Required |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| fields | Comma separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session’s time. Options include: ‘first’ - First Packet: the timestamp of the first packet received for the session; ‘last’ - Last Packet: the timestamp of the last packet received for the session; ‘both’ - Bounded: both the first and last packet timestamps for the session must be inside the time window; ‘either’ - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window; ‘database’ - Database: the timestamp the session was written to the database, which can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be returned; otherwise a session that overlaps the range is included. Overrides the bounding parameter, setting bounding to ‘both’. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.SpiView.spi.destination.ip.doc_count_error_upper_bound | Number | Destination ip - doc_count_error_upper_bound. |
| Arkime.SpiView.spi.destination.ip.sum_other_doc_count | Number | Destination ip - sum_other_doc_count. |
| Arkime.SpiView.spi.destination.ip.buckets.key | String | Destination ip - buckets key. |
| Arkime.SpiView.spi.destination.ip.buckets.doc_count | Number | Destination ip - buckets doc_count. |
| Arkime.SpiView.error | Unknown | The SpiView error. |
| Arkime.SpiView.recordsTotal | Number | The total number of records stored. |
| Arkime.SpiView.recordsFiltered | Number | The number of records returned in this result. |

Command example#

!arkime-spiview-get spi=220516-QHSdz21pJ_xCtJGoL8mbmyNv

Context Example#

{
"InfoFile": {
"EntryID": "2705@4060e8c8-61bb-4131-8a47-32a7d97a9726",
"Extension": "json",
"Info": "application/json",
"Name": "spi_view.json",
"Size": 188,
"Type": "ASCII text, with no line terminators"
}
}

Human Readable Output#

arkime-session-tag-add#


Add tag(s) to individual session(s) by id or by query.

Base Command#

arkime-session-tag-add

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tags | Comma separated list of tags to add to session(s). | Required |
| session_ids | Comma separated list of sessions to add tag(s) to. | Optional |
| segments | Whether to add tags to linked session segments. Default is no. Options include: no - don’t add tags to linked segments; all - add tags to all linked segments; time - add tags to segments occurring in the same time period. | Optional |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma separated list of db field names to sort on. Data is sorted in order of the list supplied. Optionally can be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session’s time. Options include: ‘first’ - First Packet: the timestamp of the first packet received for the session; ‘last’ - Last Packet: the timestamp of the last packet received for the session; ‘both’ - Bounded: both the first and last packet timestamps for the session must be inside the time window; ‘either’ - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window; ‘database’ - Database: the timestamp the session was written to the database, which can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be tagged; otherwise a session that overlaps the range is included. Overrides the bounding parameter, setting bounding to ‘both’. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.AddSessionTags.success | Boolean | Success status. |
| Arkime.AddSessionTags.text | String | Text from the response. |

Command example#

!arkime-session-tag-add tags=test ids=220425-L2AXYh6W4UJOSqilt0i3iDIL segments=time

Context Example#

{
"Arkime": {
"Tag": {
"success": true,
"text": "Tags added successfully"
}
}
}

Human Readable Output#

Session Tag Results:#

| Success | Text |
| --- | --- |
| true | Tags added successfully |

arkime-session-tag-remove#


Removes tag(s) from individual session(s) by id or by query.

Base Command#

arkime-session-tag-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tags | Comma separated list of tags to remove from session(s). | Required |
| session_ids | Comma separated list of sessions to remove tag(s) from. | Optional |
| segments | Whether to remove tags from linked session segments. Default is no. Options include: no - don’t remove tags from linked segments; all - remove tags from all linked segments; time - remove tags from segments occurring in the same time period. | Optional |
| date | The number of hours of data to return (-1 means all data). Defaults to 1. | Optional |
| expression | The search expression string. | Optional |
| start_time | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. | Optional |
| stop_time | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. | Optional |
| view | The view name to apply before the expression. | Optional |
| order | Comma separated list of db field names to sort on. Data is sorted in order of the list supplied. Optionally can be followed by :asc or :desc for ascending or descending sorting. | Optional |
| fields | Comma separated list of db field names to return. Default is ipProtocol, rootId, totDataBytes, srcDataBytes, dstDataBytes, firstPacket, lastPacket, srcIp, srcPort, dstIp, dstPort, totPackets, srcPackets, dstPackets, totBytes, srcBytes, dstBytes, node, http.uri, srcGEO, dstGEO, email.subject, email.src, email.dst, email.filename, dns.host, cert, irc.channel, http.xffGEO. | Optional |
| bounding | Query sessions based on different aspects of a session’s time. Options include: ‘first’ - First Packet: the timestamp of the first packet received for the session; ‘last’ - Last Packet: the timestamp of the last packet received for the session; ‘both’ - Bounded: both the first and last packet timestamps for the session must be inside the time window; ‘either’ - Session Overlaps: the timestamp of the first packet must be before the end of the time window AND the timestamp of the last packet must be after the start of the time window; ‘database’ - Database: the timestamp the session was written to the database, which can be up to several minutes AFTER the last packet was received. | Optional |
| strictly | When set, the entire session must be inside the date range to be affected; otherwise a session that overlaps the range is included. Overrides the bounding parameter, setting bounding to ‘both’. | Optional |
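The bounding and strictly arguments carry the same selection rule in arkime-spigraph-get, arkime-spiview-get, arkime-session-tag-add and arkime-session-tag-remove, and the date/start_time/stop_time arguments define the window it is applied to. The following is an added example, not code from the Arkime pack or the Arkime project: it applies that rule to constructed session records so the effect of each mode on one window is visible. The Session dataclass, its field names and the sample timestamps are assumptions made for the illustration.

```python
"""Added example (not from the Arkime pack or the Arkime project): the session
selection rule behind the bounding / strictly arguments, applied to constructed
session records so the effect of each mode on one time window is visible."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BOUNDING_MODES = ("first", "last", "both", "either", "database")


@dataclass(frozen=True)
class Session:
    """A session as seen by the selection rule (constructed; names are assumptions)."""
    session_id: str
    first_packet: int  # firstPacket: epoch seconds of the first packet
    last_packet: int   # lastPacket: epoch seconds of the last packet
    db_written: int    # when the session was written to the database; may lag last_packet by minutes


def window_from_args(now: int, date: Optional[float] = None,
                     start_time: Optional[int] = None,
                     stop_time: Optional[int] = None) -> Tuple[int, int]:
    """Resolve the time window the way the command arguments describe it:
    `date` is hours of data ending now (-1 means all data); start_time/stop_time
    (epoch seconds) apply only when `date` is not set."""
    if date is not None:
        if date == -1:
            return (0, now)
        return (now - int(date * 3600), now)
    if start_time is None or stop_time is None:
        raise ValueError("need either date or both start_time and stop_time")
    return (start_time, stop_time)


def in_window(session: Session, start: int, stop: int,
              bounding: str = "last", strictly: bool = False) -> bool:
    """Apply one bounding mode to one session. `strictly` overrides bounding to 'both'."""
    if strictly:
        bounding = "both"
    if bounding not in BOUNDING_MODES:
        raise ValueError(f"unknown bounding mode: {bounding!r}")
    first, last = session.first_packet, session.last_packet
    if bounding == "first":      # first packet timestamp lies inside the window
        return start <= first <= stop
    if bounding == "last":       # last packet timestamp lies inside the window
        return start <= last <= stop
    if bounding == "both":       # the whole session lies inside the window
        return start <= first and last <= stop
    if bounding == "either":     # the session overlaps the window at all
        return first <= stop and last >= start
    # "database": the write time, not the packet times, must fall inside the window
    return start <= session.db_written <= stop


def select_sessions(sessions: Iterable[Session], start: int, stop: int,
                    bounding: str = "last", strictly: bool = False) -> List[str]:
    """Session ids the query would return for this window and mode, in input order."""
    return [s.session_id for s in sessions
            if in_window(s, start, stop, bounding, strictly)]


# Constructed sample: a window of [1000, 2000] and sessions placed around it.
SESSIONS = [
    Session("A", 1100, 1200, 1300),  # entirely inside the window
    Session("B", 900, 1500, 1600),   # starts before the window, ends inside it
    Session("C", 1500, 2500, 2600),  # starts inside, ends after the window
    Session("D", 500, 2500, 2600),   # spans the whole window
    Session("E", 2100, 2200, 2300),  # entirely after the window
    Session("F", 1900, 1950, 2130),  # inside, but written to the database after the window closed
]

if __name__ == "__main__":
    start, stop = window_from_args(now=2000, start_time=1000, stop_time=2000)
    for mode in BOUNDING_MODES:
        print(f"bounding={mode:<8} -> {select_sessions(SESSIONS, start, stop, mode)}")
    print(f"strictly=True       -> {select_sessions(SESSIONS, start, stop, 'either', strictly=True)}")
```

Session F is the case the ‘database’ description warns about: its packets lie inside the window, yet a database-bounded query misses it because it was indexed after the window closed.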

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.AddSessionTags.success | Boolean | Success status. |
| Arkime.AddSessionTags.text | String | Text from the response. |

Command example#

!arkime-session-tag-remove tags=test ids=220425-L2AXYh6W4UJOSqilt0i3iDIL segments=time

Context Example#

{
"Arkime": {
"Tag": {
"success": true,
"text": "Tags removed successfully"
}
}
}

Human Readable Output#

Session Tag Results:#

| Success | Text |
| --- | --- |
| true | Tags removed successfully |

arkime-pcap-file-list#


Gets a list of PCAP files that Arkime knows about.

Base Command#

arkime-pcap-file-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The number of items to return. Defaults to 100, max is 10,000. | Optional |
| page_number | The page at which to start. The default is 0. | Optional |
| page_size | Page size. Minimum page size is 1, maximum is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Arkime.File.recordsTotal | Number | The total number of PCAP files Arkime knows about. |
| Arkime.File.recordsFiltered | Number | The number of files returned in this result. |
| Arkime.File.data.node | String | The node the file was captured on. |
| Arkime.File.data.packetPosEncoding | String | The file packetPosEncoding. |
| Arkime.File.data.num | Number | The file number. |
| Arkime.File.data.name | String | The file name. |
| Arkime.File.data.locked | Number | The file locked flag. |
| Arkime.File.data.first | Number | The file first timestamp. |
| Arkime.File.data.compression | Number | The file compression. |
| Arkime.File.data.packetsSize | Number | The file packets size. |
| Arkime.File.data.filesize | Number | The file size. |
| Arkime.File.data.packets | Number | The file packet count. |

Command example#

!arkime-pcap-file-list limit=2

Context Example#

{
"Arkime": {
"PcapFile": {
"data": [
{
"compression": 0,
"filesize": 1073744628,
"first": 1655844995,
"locked": 0,
"name": "/opt/arkime/raw/localhost-220621-00000384.pcap",
"node": "localhost",
"num": 384,
"packetPosEncoding": "gap0",
"packets": 5069126,
"packetsSize": 1073744628
},
{
"compression": 0,
"first": 1655854856,
"locked": 0,
"name": "/opt/arkime/raw/localhost-220621-00000385.pcap",
"node": "localhost",
"num": 385,
"packetPosEncoding": "gap0"
}
],
"recordsFiltered": 39,
"recordsTotal": 39
}
}
}

Human Readable Output#

Showing 2 results, limit=2

Files List Result:#

| Node | Name | Number | First | File Size | Packet Size |
| --- | --- | --- | --- | --- | --- |
| localhost | /opt/arkime/raw/localhost-220621-00000384.pcap | 384 | 1970-01-20 03:57:24 | 1073744628 | 1073744628 |
| localhost | /opt/arkime/raw/localhost-220621-00000385.pcap | 385 | 1970-01-20 03:57:34 | | |