Malcolm is a powerful, easily deployable, containerized network traffic analysis suite that processes full packet capture artifacts (PCAP files), Zeek logs, and Suricata alerts for comprehensive network security monitoring.
Malcolm is used by network security professionals and SOC teams to monitor, analyze, and investigate network traffic and security incidents through full packet captures and alert logs. It provides intuitive visualization and session analysis tools to quickly identify suspicious activity and support incident response efforts.
Malcolm requires a container runtime environment (e.g., Docker) for deployment and is best suited for Linux servers, but it can also be run on macOS for incident response. Users should ensure the deployment's network configuration is secure so that its encrypted communications remain protected. Familiarity with Zeek, Suricata, and network traffic analysis concepts will make the suite more effective to use.
Clone the repository from GitHub
Run the provided setup scripts to deploy Malcolm containers
Use the runtime management scripts to start and stop the Malcolm cluster
Access the browser-based interface to upload PCAP files or configure live forwarding
Refer to the Malcolm documentation for detailed deployment and usage guidance
./malcolm-ctl start
Starts the Malcolm container cluster and all associated services
./malcolm-ctl stop
Stops the Malcolm container cluster and all associated services
./malcolm-ctl status
Displays the current status of the Malcolm containers and services
Upload PCAP files via the browser interface
Allows users to manually upload network traffic captures for analysis
Configure lightweight forwarders to send live traffic
Enables passive capture and forwarding of live network data to Malcolm