Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Arkime viewer not rolling pcaps #484

Closed
1 of 6 tasks
coffeecoffeecoffeecoffeecoffee opened this issue Jun 5, 2024 · 2 comments
Closed
1 of 6 tasks

Arkime viewer not rolling pcaps #484

coffeecoffeecoffeecoffeecoffee opened this issue Jun 5, 2024 · 2 comments
Assignees
@mmguero
Labels
arkime Relating to Malcolm's use of Arkime bug Something isn't working capture Relating to pcap-capture container regression It worked at one point...
Milestone
v24.06.0

Comments

@coffeecoffeecoffeecoffeecoffee
Copy link

Describe the bug

We are running a full Malcolm setup with docker compose using the malcolm profile that monitors a local network interface with netsniff-ng. As per the docs for a low resources environment, SURICATA_LIVE_CAPTURE / ZEEK_LIVE_CAPTURE are set to false and SURICATA_ROTATED_PCAP / ZEEK_ROTATED_PCAP are set to true.

Pcaps are filling up the drive they are on, even with MANAGE_PCAP_FILES set to True. Everything shows False under Locked in the arkime files tab.

Expected behavior

The arkime container should delete pcaps once the disk usage has surpassed the designated amount of free space.

Malcolm Version:

  • v24.04.0

How are you running Malcolm?

Additional context

Upon further investigation, I found an old issue and this commit that referenced the same problem. In the arkime container, the pcapDir was set to /data/pcap/arkime-live by the docker entrypoint. After changing the pcapDir back to processed in the config.ini and restarting the viewer process, it correctly removed pcaps to make space.

I'm assuming the issue lies here, but I'm not very familiar with Malcolm. We are not using arkime live capture so I wonder if that replacement should only be applied when that is the case?
@coffeecoffeecoffeecoffeecoffee coffeecoffeecoffeecoffeecoffee added the bug Something isn't working label Jun 5, 2024
@mmguero mmguero self-assigned this Jun 6, 2024
@mmguero mmguero added capture Relating to pcap-capture container arkime Relating to Malcolm's use of Arkime labels Jun 6, 2024
@mmguero mmguero added this to the v24.06.0 milestone Jun 6, 2024
@mmguero
Copy link
Collaborator

mmguero commented Jun 6, 2024

I thought that the line you referenced in your last comment actually doesn't make any difference when arkime-live isn't doing the capture (which it isn't in your case). It should just be these two variables that come into play. But I'll look closer at it tomorrow and see if I can reproduce the issue; it may be that viewer is basing what it does on that directory you linked for its free space calculations, in which case it should be an easy fix. Thanks for bringing it to my attention.

mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jun 11, 2024
@mmguero
fix idaholab#484, Arkime viewer not rolling PCAPs
1f36ef0
@mmguero
Copy link
Collaborator

mmguero commented Jun 11, 2024

Thanks, you're exactly right. I've adjusted the entrypoint to only change that location in the case where it's actually doing live capture.

@mmguero mmguero closed this as completed Jun 11, 2024
@mmguero mmguero added the regression It worked at one point... label Jun 11, 2024
This was referenced Jun 26, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
arkime Relating to Malcolm's use of Arkime bug Something isn't working capture Relating to pcap-capture container regression It worked at one point...
Projects
Malcolm
Status: Released
Milestone
v24.06.0
Development

No branches or pull requests
2 participants
@mmguero @coffeecoffeecoffeecoffeecoffee