Why does live-captured PCAP have to be periodically rolled for analysis by Arkime?

[mmguero]

@alleniverson33 asked in idaholab#537:

Why is there no configuration in Malcolm to enable real-time capture of Arkime on demand? I want Arkime to capture traffic in real-time. Is there any good recommendation method?

[mmguero]

When monitoring traffic on a local network interface, the reason that Arkime can't capture "on demand" in a Malcolm standalone installation is due to its necessity to communicate with the internal OpenSearch instance and at the same time listen on the physical interface provided to it in "host" network mode. I'm not aware of a way to configure it to be able to do both of those things using Docker.

However, there are a few options for running live Arkime capture:

• Malcolm's network sensor OS Hedgehog Linux runs Arkime capture to capture live traffic and forwards the traffic metadata to Malcolm in real-time.
• A separate capture-only instance of Malcolm in the hedgehog run profile can forward to another Malcolm instance's OpenSearch database
• Running Malcolm with a remote OpenSearch or Elasticsearch instance rather than its internally-managed one will give you the option to run Arkime capture live.

I'm not aware of any other way to run Arkime's capture tool live in a Malcolm standalone installation due to the constraint I listed in the first paragraph.