Arkime
Large-scale full packet capture, indexing, and search (SPIE) with a web UI—successor to the Moloch lineage for NSM teams.
Why it is included
Widely deployed open stack for retaining and hunting PCAP without proprietary NDR appliances.
Best for
SOCs needing session reconstruction, PCAP export, and analyst search at ISP/enterprise volume.
Strengths
- PCAP lifecycle
- Scalable capture
- Strong community
Limitations
- Storage and Elasticsearch (ES) operations are the main cost; privacy/legal data-retention policies are required
Good alternatives
Zeek logs only · Commercial NDR · Stenographer
Related tools
Security & Privacy
Zeek
Network security monitor producing rich logs (conn, DNS, HTTP, SSL, files) for analytics—not a classic IDS signature engine.
Suricata
High-performance IDS/IPS and network security monitoring with multi-threading, TLS inspection options, and Lua scripting.
Security Onion
Linux distribution and platform bundling Zeek, Suricata, Elastic stack, and analyst UIs for NSM and log hunting.
Snort
Classic packet-sniffing IDS/IPS with rule language and community rule feeds; Snort 3 improves scaling.
RITA
Real Intelligence Threat Analytics: ingest Zeek logs to score beaconing, long connections, blacklisted DNS, and lateral patterns.
Wireshark
Network protocol analyzer for deep packet inspection and forensic debugging.
