Hedgehog pcap-monitor 401 error and PCAP forwarding

[jakestre]

Hello! We are setting up a hedgehog sensor and have it mostly set up. Currently, when we start hedgehog on the sensor it loads the containers fine, but when it gets to pcap-monitor-1 it gives out an error every second that says pcap-monitor-1 | 2026-02-11 14:40:42 CRITICAL: pcap_watcher.py: 2 connection error: AuthenticationException(401, 'Unauthorized'). I am seeing zeek and suricata logs from the sensor so I am not sure what this error is preventing it from doing.

Second, we would like to have hedgehog as a capture device only and forward pcap files to malcolm for analysis. That does not seem to be what is occurring as only zeek and suricata logs are being sent. I am wondering if the above error is the cause of that or if we manually need to copy pcaps over to ingest them into Malcolm.

Current configuration on hedgehog is:

Enable Arkime/Zeek/Suricata Analysis: no
Capture live network traffic (with tcpdump): yes
Analyze live traffic with zeek/suricata: yes
Primary Document Store: Opensearch-remote
Primary Opensearch/Elastisearch URL: https://<our-malcolm-ip>:9200

I created a user for the sensor within Malcolm's UI and entered that as the credentials for remoteos in auth_setup.

Let me know if you need any more info on the config

so the 2 questions I have are:

1. Is the 401 error I am seeing effecting information from getting to Malcolm?
2. Is there a way for hedgehog to forward pcap files within the config or does that need to be done manually? Is there anything that needs to change to get hedgehog to the point where it is only capturing and forwarding pcaps?

[mmguero]

A couple of things to help you understand what's going on here:

There's nothing on hedgehog that "forwards pcap files to malcolm for analysis." Full PCAP remains at the point of capture, on the hedgehog sensor. What gets forwarded to Malcolm is metadata from one ore more of the three tools that are examining network traffic:

• Zeek
• Suricata
• Arkime capture

However, Arkime capture is unique in that in addition to the summaries of network sessions it sends to Malcolm, it stores the PCAP locally and sends information to Malcolm about where to find each session in that PCAP file. When the user goes to the Arkime viewer's Session page on Malcolm and expands an arkime session record, Malcolm reaches back over the wire at that moment and requests just that session.

So, normally, on a Hedgehog, using netsniff-ng or tcpdump doesn't really buy you anything: you probably want to use arkime capture so it can capture the PCAP and send information about it to Malcolm.

Zeek/Suricata logs are forwarded from the Hedgehog to Malcolm's logstash instance, and they use TLS certificates for authentication.

Arkime (which is what's storing the full PCAP on the sensor) connects directly to opensearch, which means it needs credentials. Run auth_setup on the hedgehog, and select Store username/password for OpenSearch/Elasticsearch instance, then provide it with credentials for a local account you've created on Malcolm for that purpose. That will let the hedgehog communicate with Malcolm's opensearch instance when it needs to.

So, how I'd set things up for live capture on your Hedgehog: under Capture Live Network Traffic

...
└── 72. Capture Live Network Traffic (current: Yes)
    ├── 73. Capture Live Traffic with Arkime (current: Yes)
    ├── 74. Analyze Live Traffic with Suricata (current: Yes)
    ├── 75. Analyze Live Traffic with Zeek (current: Yes)
...
    ├── 77. Capture Live Traffic with netsniff-ng (current: No)
    ├── 78. Capture Live Traffic with tcpdump (current: No)
    ├── 79. Gather Traffic Capture Statistics (current: Yes)
    └── 80. Optimize Interface Settings for Capture (current: Yes)
...

I hope that makes sense!

[jakestre]

~/.Malcolm/.opensearch.primary.curlrc does have the correct username and password for the account. The grep on malcolm returned NGINX_AUTH_MODE=basic.

[mmguero]

Hmm... that is perplexing. How about OPENSEARCH_URL in ./config/opensearch.env, does that look right?

On the sensor, if you run this from the command line in the Malcolm directory what do you get:

$ curl -ksSL --config ./.opensearch.primary.curlrc "$(grep ^OPENSEARCH_URL= config/opensearch.env | cut -d '=' -f2)"
{
  "name" : "opensearch",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "Lf_ECstATEiJqPRLOY12Dg",
  "version" : {
    "distribution" : "opensearch",
    "number" : "3.4.0",
    "build_type" : "tar",
    "build_hash" : "00336141f90b2456d7aa35e9052fd6baf7147423",
    "build_date" : "2025-12-15T21:40:44.005079862Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.2",
    "minimum_wire_compatibility_version" : "2.19.0",
    "minimum_index_compatibility_version" : "2.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

[jakestre]

I get the unauthorized error when running what you sent. I also remembered I had manually opened the ports on Malcolm so I switched that around and did it through the configure.sh script like I was supposed to. Im wondering if something isn't messed up on this hedgehog image because I just set up a different sensor on a malcolm test environment, this time using Ubuntu and cloning from github with the hedgehog profile and that is working how you described originally.

I am going to rebuild this hedgehog machine and utilize the git clone instead that has worked great in test.

[mmguero]

Okay. If you're getting the unauthorized error running that, then the username/password in .opensearch.primary.curlrc does not match a username/password on the Malcolm side. On the Malcolm side you could look at your ./nginx/htpasswd file in Malcolm just to see if you see the username there (the password will be encrypted). Either way, perhaps go to the https://malcolmip/auth page and re-set that cred.

[jakestre]

I will do that. Thanks for your help!