Arkime vs Dshell
GitHub Stats
About Arkime
Arkime (formerly Moloch) is an open-source, large-scale, full packet capturing, indexing, and database system. It stores and indexes network traffic in standard PCAP format, providing fast, indexed access to historical network sessions through a powerful web interface. Arkime's viewer lets analysts search, filter, and drill into network sessions by IP, port, protocol, country, ASN, header content, and dozens of other fields. It integrates with Elasticsearch for session metadata storage and supports PCAP export for deeper analysis in Wireshark or Zeek. Arkime is designed to scale to multi-gigabit capture rates across distributed sensors, making it suitable for enterprise and ISP-scale deployments. Its SPIGraph feature provides visual timeline analysis, and the Hunt feature allows searching through full packet payloads. Arkime is commonly deployed alongside Zeek and Suricata for a complete network security monitoring stack.
About Dshell
Dshell is a network forensic analysis framework developed by the US Army Research Laboratory. It provides a Python-based infrastructure for rapidly developing custom network packet decoders and analyzers. Dshell processes pcap files through a plugin chain, enabling analysts to extract specific protocols, identify suspicious traffic patterns, and reconstruct network sessions. Included plugins handle DNS, HTTP, SMTP, NetFlow, and other protocols. Its chainable decoder architecture allows complex analysis workflows to be built from simple reusable components.
Platform Support
Tags
Shared
Arkime only
Dshell only