No pcap data found; pcaps downloaded from viewer are empty


Jon Hart

Dec 7, 2016, 4:33:01 PM
to Moloch Full Packet Capture
I've got moloch 0.16.1 installed on Ubuntu 16.04 using ES 2.3.2. I've successfully captured traffic with moloch as well as fed it pcaps directly with moloch-capture. When I utilize the viewer, for every packet/session, I see "No pcap data found", and trying to download the pcap results in an empty file.

I feel like I've missed an obvious configuration step or am missing something obvious.  I've tried tweaking viewHost/viewURL but none seem to make a difference.

Any help would be appreciated!

Andy

Dec 7, 2016, 8:53:46 PM
to Moloch Full Packet Capture
What's in the viewer.log?
Sounds like a permission issue where the viewer process can't read the files.

Jon Hart

Dec 7, 2016, 9:15:30 PM
to Moloch Full Packet Capture

WARNING - Only have SPI data, PCAP file no longer available

Andy

Dec 7, 2016, 9:25:40 PM
to Moloch Full Packet Capture
Which means it's being expired.

Jon Hart

Dec 8, 2016, 12:23:16 PM
to Moloch Full Packet Capture
Odd.  This is a brand new system with plenty of space.  Newly captured traffic or traffic freshly read from pcaps shouldn't be expiring, right?