provide alternate configuration for Arkime capture to listen on the interface directly rather than post-processing PCAPs

[mmguero]

When Malcolm captures live traffic by monitoring local network interfaces the Zeek and Suricata containers capture directly from the interface, but Arkime doesn't: instead, the pcap-capture container uses netsniff-ng or tcpdump to create a PCAP file which is then periodically rolled over and processed by capture in the arkime container.

The reason it's done that way is due to the requirement that network_mode: host is set for the ability to capture on an interface: with Zeek and Suricata we are just writing log files into directories that are then watched and picked up by other containers without direct signalling between them. However, Arkime can't do that because it needs to communicate with the opensearch container to write the metadata directly. That container is not network_mode: host, so it can't communicate with it. In other words, there's not a way for a container to be both network_mode: host and communicate with the internal OpenSearch container (at least not that I'm aware of).

However, we now have a few different configurations that might not be constrained like that:

• "dockerized hedgehog" ("capture-only" Malcolm configuration (aka "dockerized Hedgehog") #254)
• kubernetes (?)

I'd like to look at creating a container that allows arkime capture to be run live and would write directly to the URL specified by the OPENSEARCH_PRIMARY environment variable. I'm thinking it would be very similar to how we have a suricata and suricata-live, zeek and zeek-live container: we have an arkime container that does the Viewer process and processes uploaded files, and then an arkime-live container that is only going to be used in the few scenarios listed above.

[mmguero]

Here are the scenarios where live arkime capture is required:

• when MALCOLM_PROFILE=malcolm (see "capture-only" Malcolm configuration (aka "dockerized Hedgehog") #254)
  • not required per-se, but required as in it's the only configuration for Arkime capture: i.e., rotated PCAP mode for Arkime won't work in this scenario

Here are the scenarios where live arkime capture is not allowed:

• when OPENSEARCH_PRIMARY=opensearch-local (i.e., standalone Malcolm)

Here are the scenarios where live arkime capture is allowed:

• when OPENSEARCH_PRIMARY=opensearch-remote or OPENSEARCH_PRIMARY=elasticsearc-remote