流量分析利器arkime的学习之路（二）---API接口

前文回忆

《流量分析利器arkime的学习之路（一）---安装部署》

概述

注意点

Arkime对所有API调用都使用摘要身份验证，因此请确保在库或curl命令中启用摘要身份验证。学习如何进行API调用的最简单方法是打开浏览器的javascript控制台，观察Arkime UI正在进行的调用，它使用所有相同的API。

注意：许多API端点都需要一个数据库字段名称，这与您在搜索表达式中使用的名称不同。查看数据库字段名称的最简单方法是单击Arkime中的猫头鹰标志->单击左侧的字段标签->单击显示数据库字段。

参数地址中带有冒号的参数名称，就是可以修改替换的参数。

关键词及核心功能

SPI（Session Profile Information）会话配置文件信息。

SPI View用于深入分析分析人员希望进一步调查的会话的特定指标。允许分析师快速查看用户感兴趣的每个项目的数量。例如，如果分析师想要查看当前时间窗口内记录的所有基本授权标题，分析师可以打开http抽屉并单击以启用http.authorization字段。然后，分析师可以更新他们的搜索查询，以包括已观察到的特定授权字符串，或者使用通配符来查看特定类型的授权标题（基本*、不记名*等）的全部内容。此外，SPI视图允许分析师快速查看时间窗口内观察到的IP地址、http响应代码、IRC缺口/通道等更多信息。

SPI Graph允许用户通过一段时间内的条形图可视化SPI视图页面中的任何项目。该页面对于每种SPI类型的活动概览以及深入分析非常有用

Connections允许用户基于他们选择的源节点和目的节点查看树形图。使用这种方法可以直观地确定关系。

Hunt 允许用户在会话包搜索文本

Files 罗列出已经存储的pcap文件

详细信息可以点击Arkime的猫头鹰标志获取所有部分详细介绍。

在文档中标注的复杂数据类型，在文档最后都有介绍。

重点可能要关注

的数据为

查看类

连接关系显示主机访问关系
会话显示主机之间的协议

主动类

Hunt 主动获取相关报文

所有API

连接关系

查询

构建弹性搜索连接查询。获取节点和链接的列表并将其返回给客户端。

地址

POST/GET - /api/connections

参数

参数	类型	默认值	描述
See_List	SessionsQuery		This API supports a common set of parameters documented in the SessionsQuery section
srcField	string	"ip.src"	The source database field name
dstField	string	"ip.dst:port"	The destination database field name
baselineDate	number	0	The baseline date range to compare connections against. Default is 0, disabled. Options include: 1x - 1 times query range. 2x - 2 times query range. 4x - 4 times query range. 6x - 6 times query range. 8x - 8 times query range. 10x - 10 times query range. 1 - 1 hour. 6 - 6 hours. 24 - 1 day. 48 - 2 days. 72 - 3 days. 168 - 1 week. 336 - 2 weeks. 720 - 1 month. 1440 - 2 months. 4380 - 6 months. 8760 - 1 year.
baselineVis	string	"all"	Which connections to display when a baseline date range is applied. Default is all. Options include: ‘all’ - All Nodes: all nodes are visible. ‘actual’ - Actual Nodes: nodes present in the “current” timeframe query results are visible. ‘actualold’ - Baseline Nodes: nodes present in the “baseline” timeframe query results are visible. ‘new’ - New Nodes Only: nodes present in the “current” but NOT the “baseline” timeframe are visible. ‘old’ - Baseline Nodes Only: nodes present in the “baseline” but NOT the “current” timeframe are visible.

名称	类型	描述
links	array	The list of links
nodes	array	The list of nodes

查询（CSV格式）

构建弹性搜索连接查询。获取csv格式的节点和链接列表，并将它们返回给客户端。（ES）

地址

POST/GET - /api/connections/csv 或者 /api/connections.csv

参数:

参数	类型	默认值	描述
See_List	SessionsQuery		This API supports a common set of parameters documented in the SessionsQuery section
srcField	string	"ip.src"	The source database field name
dstField	string	"ip.dst:port"	The destination database field name

返回值

名称	类型	描述
csv	csv	The csv with the connections requested

定时任务

检索

检索用户可以查看的定期查询。

地址

GET - /api/crons

返回值

名称	类型	描述
queries	Array.<ArkimeQuery>	A list of query objects.

新建

创建新的定期查询。

地址

POST - /api/cron

返回值

名称	类型	描述
success	boolean	Whether the create operation was successful.
text	string	The success/error message to (optionally) display to the user.
query	ArkimeQuery	The new query

更新

更新定期查询。

地址

POST - /api/cron/:key

返回值

名称	类型	描述
success	boolean	Whether the update operation was successful.
text	string	The success/error message to (optionally) display to the user.
query	ArkimeQuery	The updated query object

删除

删除定期查询。

地址

DELETE - /api/cron/:key

返回值

名称	类型	描述
success	boolean	Whether the delete operation was successful.
text	string	The success/error message to (optionally) display to the user.

历史记录

检索

检索历史记录或用户客户端对API的请求的列表。

地址

GET - /api/histories

参数:

参数	类型	默认值	描述
date	number	1	The number of hours of data to return (-1 means all data). Defaults to 1.
startTime	number		If the date parameter is not set, this is the start time of data to return. Format is seconds since Unix EPOC.
stopTime	number		If the date parameter is not set, this is the stop time of data to return. Format is seconds since Unix EPOC.
searchTerm	string		The search text to filter the history list by.
length	number	100	The number of items to return. Defaults to 1,000.
start	number	0	The entry to start at. Defaults to 0.
sortField	string	"timestamp"	The field to sort the results by.
desc	string	true	Whether to sort the results descending or ascending. Default is descending.
userId	string		The ID of a user to request history results for. Admin can retrieve all users. Normal users can only retrieve their own.

返回值

名称	类型	描述
data	Array.<History>	The list of history results.
recordsTotal	number	The total number of history results stored.
recordsFiltered	number	The number of history items returned in this result.

删除

删除历史记录条目（仅限管理员）。

地址

DELETE - /api/history/:id

参数:

参数	类型	描述
index	string	The OpenSearch/Elasticsearch index that the history item was stored in.

返回值

名称	类型	描述
success	boolean	Whether the delete history operation was successful.
text	string	The success/error message to (optionally) display to the user.

捕获

新建

创建新的狩猎。

地址

POST - /api/hunt

参数:

参数	类型	描述
See_List	SessionsQuery	This API supports a common set of parameters documented in the SessionsQuery section
totalSessions	number	The number of sessions to search.
name	string	The name of the hunt (not unique).
size	number	The number of packets to search within each session.
src	boolean	Whether to search the source packets. Must search src or dst or both.
dst	boolean	Whether to search the destination packets. Must search src or dst or both.
type	string	Whether to search raw or reassembled packets.
search	string	The search text to search for within packets.
searchType	string	What type of search the text is. Options include: ascii - search for case insensitive ascii text. asciicase - search for case sensitive ascii text. hex - search for hex text. regex - search for text using safe regex. hexregex - search for text using safe hex regex.
notifier	string	The optional notifier name to fire when there is an error, or there are matches (every 10 minutes), or when the hunt is complete.
users	string	The comma separated list of users to be added to the hunt so they can view the results.

返回值

名称	类型	描述
success	boolean	Whether the creation of the hunt was successful.
hunt	Hunt	The newly created hunt object.
invalidUsers	array	The list of users that could not be added to the hunt because they were invalid or nonexitent.

检索

检索狩猎列表。

地址

GET - /api/hunts

参数:

参数	类型	默认值	描述
searchTerm	string		The search text to search hunt results for.
length	number	10000	The number of items to return. Defaults to 10000.
start	number	0	The entry to start at. Defaults to 0
sortField	string	"created"	The field to sort the hunt results by. Defaults to “created”.
desc	string	false	Whether to sort the results in descending order. Default is ascending.
history	string	false	Whether to return only finished hunts. Default is to return queued, paused, and running hunts.

返回值

名称	类型	描述
runningJob	Hunt	If there is a hunt running, returns the currently running hunt object.
data	Array.<Hunt>	The list of hunts (either finished or queued/paused/running).
recordsTotal	number	The total number of hunts Arkime has.
recordsFiltered	number	The number of hunts returned in this result.

删除

删除一个狩猎

地址

DELETE - /api/hunt/:id

返回值

名称	类型	描述
success	boolean	Whether the delete hunt operation was successful.
text	string	The success/error message to (optionally) display to the user.

取消

取消狩猎。完成狩猎并将其放入狩猎历史。

地址

PUT - /api/hunt/:id/cancel

返回值

名称	类型	描述
success	boolean	Whether the cancel hunt operation was successful.
text	string	The success/error message to (optionally) display to the user.

暂停

暂停狩猎。

地址

PUT - /api/hunt/:id/pause

返回值

名称	类型	描述
success	boolean	Whether the pause hunt operation was successful.
text	string	The success/error message to (optionally) display to the user.

开启

进行狩猎。

地址

PUT - /api/hunt/:id/play

返回值

名称	类型	描述
success	boolean	Whether the play hunt operation was successful.
text	string	The success/error message to (optionally) display to the user.

删除匹配

从匹配的会话中删除搜索ID和名称。

地址

PUT - /api/hunt/:id/removefromsessions

返回值

名称	类型	描述
success	boolean	Whether the operation was successful.
text	string	The success/error message to (optionally) display to the user.

更新

更新搜索-只能更新描述和角色

地址

PUT - /api/hunt/:id

参数:

参数	类型	描述
hunt	Hunt	The new hunt data

返回值

名称	类型	描述
success	boolean	Whether the operation was successful.
text	string	The success/error message to (optionally) display to the user.

检索用户

将用户添加到搜寻。

地址

POST - /api/hunt/:id/users

参数:

参数	类型	描述
users	string	Comma separated list of user ids to add to the hunt.

返回值

名称	类型	描述
success	boolean	Whether the add users operation was successful.
users	array	The list of users that were added to the hunt.
invalidUsers	array	The list of users that could not be added to the hunt because they were invalid or nonexitent.

删除用户

从搜索中删除用户。

地址

DELETE - /api/hunt/:id/user/:user

返回值

名称	类型	描述
success	boolean	Whether the remove users operation was successful.
users	array	The list of users who have access to the hunt.
invalidUsers	array	The list of users that could not be removed from the hunt because they were invalid or nonexitent.

字段

获取与会话相关的可用数据库字段对象。

地址

GET - /api/fields

参数:

参数	类型	默认值	描述
array	boolean	false	Whether to return an array of fields, otherwise returns a map

返回值

名称	类型	描述
	array/map	The map or list of database fields

PCAP文件

列表

地址

GET - /api/files

获取Arkime知道的PCAP文件列表。

参数:

参数	类型	默认值	描述
length	number	100	The number of items to return. Defaults to 500, Max is 10,000
start	number	0	The entry to start at. Defaults to 0

返回值

名称	类型	描述
data	Array	The list of files
recordsTotal	number	The total number of files Arkime knows about
recordsFiltered	number	The number of files returned in this result