Moloch is a great network forensics tool created by the network team at AOL (https://molo.ch/). It captures network traffic, stores it as pcap files, parses it, and indexes the session metadata into an Elasticsearch instance. That index is then exposed through a web interface.

The system captures all data sent to the monitoring interface and then allows the user to query it as a search engine.

Installation is very simple on CentOS or Ubuntu (https://molo.ch/#downloads). The only prerequisite for an all-in-one portable deployment is a basic OS install with Java (needed to run Elasticsearch). We use Oracle Java 9 on Ubuntu LTS (16.04 at the time of writing) from the webupd8team PPA (https://launchpad.net/~webupd8team/+archive/ubuntu/java). The installation instructions are here.

At DFIR VN we use Moloch to assist with network forensics as an indexed repository of all network traffic during incident response. The system is set to capture traffic on the main internet connection of a compromised network. Storage requirements vary with the average network speed. In Vietnam this is very variable depending on the available service (fiber or leased line). At an upper constant traffic average of 25 Mbps (quite normal when both directions are combined and the daytime/nighttime mix is taken into account) the capture requirement is 250 GB per day. Our portable systems carry between 2 and 4 TB of available disk storage, which is suitable for 1 or 2 week engagements.
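The sizing reasoning above, carried through as a small calculator (an added example, not code from the Moloch project or the original post); it assumes uncompressed pcap is the only consumer of disk, decimal units (1 GB = 1e9 bytes), and adds a constructed `reserve_fraction` parameter to set aside space for the OS and the Elasticsearch index:

```python
"""Capture-storage sizing helper for a portable full-packet-capture box.

Added example; assumptions (not from the original post): pcap is stored
uncompressed, it is the only storage consumer, and 1 GB = 1e9 bytes.
"""

SECONDS_PER_DAY = 24 * 60 * 60


def average_mbps(day_mbps: float, night_mbps: float, day_hours: float = 12.0) -> float:
    """Weight a daytime and a nighttime average (both directions combined)
    into a single 24-hour average in Mbps."""
    if not 0.0 <= day_hours <= 24.0:
        raise ValueError("day_hours must be between 0 and 24")
    return (day_mbps * day_hours + night_mbps * (24.0 - day_hours)) / 24.0


def daily_capture_gb(avg_mbps: float) -> float:
    """Bytes a continuous capture writes per day at avg_mbps, in decimal GB."""
    bytes_per_second = avg_mbps * 1_000_000 / 8
    return bytes_per_second * SECONDS_PER_DAY / 1e9


def retention_days(disk_tb: float, avg_mbps: float, reserve_fraction: float = 0.0) -> float:
    """Days of pcap a disk of disk_tb (decimal TB) can hold once a fraction of it
    is reserved for the OS and the Elasticsearch index (constructed parameter)."""
    if not 0.0 <= reserve_fraction < 1.0:
        raise ValueError("reserve_fraction must be in [0, 1)")
    usable_gb = disk_tb * 1000 * (1.0 - reserve_fraction)
    return usable_gb / daily_capture_gb(avg_mbps)


if __name__ == "__main__":
    # Constructed profile: a busier daytime and quieter nighttime averaging 25 Mbps.
    rate = average_mbps(day_mbps=40, night_mbps=10)
    print(f"24h average: {rate:.1f} Mbps -> {daily_capture_gb(rate):.0f} GB/day")
    for tb in (2, 4):
        print(f"{tb} TB disk: {retention_days(tb, rate, reserve_fraction=0.1):.1f} days of pcap")
```

At 25 Mbps the arithmetic gives about 270 GB per day, so 2 to 4 TB of disk holds roughly one to two weeks of traffic, in line with the engagement lengths quoted above.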
