🧠Humans of Cyber | Andy Wick.
Open source packet capture and indexing platform that lets analysts search historical network traffic and reconstruct sessions for threat hunting and investigations.
Modern threat investigations often require deep visibility into network traffic. Security teams frequently need the ability to search historical packet data and reconstruct how an attacker moved through an environment. One open source project designed for this purpose is Arkime, created by Andy Wick.
Wick first developed the project in 2012 while working at AOL to address a common challenge in large networks. Packet capture systems could store traffic, but searching through that data quickly during an investigation was difficult. The goal was to build a platform that could capture packets continuously while allowing analysts to search network sessions in near real time.
Technically, Arkime is a large-scale packet capture and indexing system. Network sensors record full packet data while extracting metadata about each session. This metadata is indexed and made searchable through distributed databases. Early versions relied on Elasticsearch; modern deployments fully support OpenSearch, which is commonly used today as the indexing and query backend.
The architecture separates packet capture from analysis components. Capture nodes record traffic and store packet data locally, while the viewer interface allows investigators to search session metadata across distributed sensors. Analysts can query sessions using attributes such as IP addresses, protocols, ports, domain names, or time ranges. When a relevant session is found, the full packet capture can be reconstructed for deeper analysis.
The project was originally released under the name Moloch, but it was renamed Arkime in 2021. The name references Archimedes, the observant owl from the Merlin stories, which also inspired the project’s mascot. Around the same time, the codebase moved to its own dedicated GitHub organization (arkime/arkime), helping the project evolve as an independent open source community effort.
Today Arkime is widely used by security operations teams, network defenders, and incident responders who need long-term visibility into network activity. The ability to search historical packet captures allows investigators to revisit traffic when new indicators of compromise appear, making it a valuable capability during threat hunting and forensic analysis.
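As an added illustration of the session search described above (not code from Arkime or from this post), the script below turns a list of indicators of compromise into an Arkime search expression and sends it to a viewer's sessions API. The field names (`ip`, `host`), the `||` operator and the `/api/sessions` query parameters are assumed from Arkime's search language and viewer API, and the IoC list is constructed.

```python
"""Build an Arkime session-search expression from IoCs and query a viewer.
Added illustration, not Arkime project code; field names, operators and the
/api/sessions parameters are assumptions based on Arkime's documented
search language and viewer API."""
import ipaddress
import json
import urllib.parse
import urllib.request

# Constructed IoC list: the kind of indicators a threat report might publish.
IOCS = ["203.0.113.10", "198.51.100.7", "bad-updates.example", "cdn.example.net"]


def build_expression(iocs):
    """Return an Arkime expression matching any session touching an IoC.
    IPs (or CIDR ranges) use the `ip` field, which matches either side of a
    session; everything else is treated as a hostname and matched against
    `host`, which covers DNS, HTTP, TLS SNI and similar hostname fields."""
    ips, hosts = [], []
    for ioc in iocs:
        ioc = ioc.strip()
        if not ioc:
            continue
        try:
            ipaddress.ip_network(ioc, strict=False)  # single IP or CIDR
            ips.append(f"ip == {ioc}")
        except ValueError:
            # Refuse values that could break out of the quoted string.
            if '"' in ioc or " " in ioc:
                raise ValueError(f"refusing to embed suspicious IoC: {ioc!r}")
            hosts.append(f'host == "{ioc.lower()}"')
    clauses = ips + hosts
    if not clauses:
        raise ValueError("no usable indicators")
    return " || ".join(clauses)


def search_sessions(viewer_url, expression, start, stop, auth_header, limit=100):
    """Fetch sessions matching `expression` between two epoch timestamps and
    return the decoded JSON. Assumes /api/sessions with expression, startTime,
    stopTime and length parameters; auth_header is whatever the deployment
    expects (assumption: an Authorization header value)."""
    query = urllib.parse.urlencode({"expression": expression, "startTime": start,
                                    "stopTime": stop, "length": limit})
    req = urllib.request.Request(f"{viewer_url.rstrip('/')}/api/sessions?{query}",
                                 headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(build_expression(IOCS))
```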
Copyright © 2026 911Cyber. All Rights Reserved.