Web interface specification
- Author : Tomáš Mokoš
Viewer is a feature of Moloch that makes processing of captured data easier with the use of web browser GUI. Viewer offers access to numerous services, most notably :
- Sessions
- SPI View
- SPI Graph
- Connections
- Upload
- Files
- Users
- Stats
Sessions
Main tab illustrated below contains:
- Search field – here you can enter different search filtering rules. Being similar to Wireshark, it enables, for example, to search results containing source/destination IP address (ip.dst== X.X.X.X && ip.src== X.X.X.X), port(port.dst 80 || port.src 80), web URL (http.uri == www.foo.com), time of delivery, etc.
- Country map – results are cross referenced with GeoIP database and the number of occurrences from a given country is displayed on a map using shades of the color purple.
- Occurrence frequency chart – this bar chart represents traffic in a given time period. the y-axis can be set to represent number of sessions, packets or bytes of data.
- Record window – displays individual connections and their parameters, including times of beginning and end of session, source and destination IP addresses, source and destination port, packet count and session size in bytes. After unpacking, the session can be exported to a PCAP file, where you can add your own tag and see detailed information about the nature and origin of the packet. A DNS request is Illustrated below
SPI View
SPI (Session Profile Information) View is used to take a deeper look at connection metrics. Instead of writing queries manually, queries can be expanded by clicking on the respective actions in SPI view, which adds the requested item to a query by using AND or AND NOT operators. This tab also provides a quick view of occurrence frequency of all items requested the user. Furthermore, SPI view also offers a quick summary of monitored IP addresses in a given time period, HTTP response codes, IRC NICKs/channels, etc.
SPI Graph
SPI Graph provides user with visualization of any given item contained in SPI View. This tab is very useful for displaying activity for a type of SPI, as well as in-depth analysis. Illustration below displays the demand for HTTP with http.method view selected. Displayed bar charts represent the amount of sessions/packets/databytes captured. To the right of each chart, after clicking View Map button, a map containing origins of the sessions is displayed. Methods GET, POST, HEAD OPTIONS and CONNECT are also displayed below. Maximum number of charts displayed can be set by the Max Elements field, with the default value being 20 and the maximum value being 500. Charts can also be sorted by number of sessions or by name. Moloch also offers a refresh rate setting from 5 to 60 seconds.
Connections
Connections tab provides user with a tree graph rooted in a source or destination node of user’s own selection. Illustration below displays relations between source IP address and destination IP address and port, with 500 sessions displayed using the query size setting. Minimum query size is 100 and maximum size is 100000. Furthermore, minimum number of connections can be set to values from 1(like in the case below) to 5. Node dist defines the distance of nodes in pixels. Any node in the graph can be moved after clicking the Unlock button. Source nodes are marked in violet and destination nodes are marked in yellow. By clicking a node, information about the node is displayed: Type (source/destination), Links (number of connected nodes), number of sessions, bytes, databytes and packets. Nodes can also be hidden by clicking Hide Node. This tab is appropriate for users who prefer node data analysis over visualization.
Upload
This tab is used to import PCAP files selected by clicking on Search button and clicking upload. Tags (separated by commas) can be appended to the imported packets, however, this option must be enabled in data/moloch/etc/config.ini. The Upload option is in experimental state and can be enabled by the following command
/data/moloch/bin/moloch-capture --copy -n {NODE} -r {TMPFILE}
NODE is the node name, TMPFILE is the file to be imported, CONFIG is the configuration file and TAGS are the tags to be appended.
Files
Files tab displays the table of archived PCAP files. Details include: file number, node, file name, whether the file is locked, upload date and file size. File size (in GB) is defined in data/moloch/etc/config.ini using the maxFileSizeG parameter. If a file is locked, Moloch cannot delete it and it must be deleted manually.
Users
Users tab defines access rights to individual users. It allows to add/remove user accounts and to edit their passwords.
Stats
Stats tab provides visual representation and table display of metrics for each node. Other display options can also be used:
| Packets/Sec | Sessions/Sec | Active TCP Sessions | Total Dropped/Sec | Free Space (MB) |
|---|---|---|---|---|
| Free Space (%) | Fragments Queue | Active UDP Sessions | Input Dropped/Sec | Bytes/Sec |
| Memory | Active Fragments | Active ICMP Sessions | Active Sessions | Bits/Sec |
| ES Queue | Overload Dropped/Sec | Disk Queue | CPU | Memory (%) |
| Waiting Queue | Fragments Dropped/Sec | Closing Queue | Packet Queue | ES Dropped/Sec |
Statistics for each node display: current time on the node, number of sessions, remaining free storage, CPU usage, RAM usage, number of packets in queue, number of packets per second, number of bytes per second, number of lost packets per second, number of packets dropped due to congestion and number of packets dropped by Elasticsearch per second. Charts depicting visualization of these stats can be displayed by clicking the plus(+) icon. Elasticsearch statistics contain number of files saved under unique ID, HDD size, Heap size, OS usage, CPU usage, bytes read per second, bytes written per second and number of searches per second.
- CRZP Komplexný systém pre detekciu útokov a archiváciu dát – Moloch
- Report Projekt 1-2 – Marek Brodec