Releases: arkime/arkime

last-commit7

07 May 14:38
f311cc7

Pre-release

🚫 This is NOT the release you are looking for. Move along. We are in the very early stages of Arkime 7 development, so use last-commit6 if you want something that actually works. Curious what's potentially coming? Try the 7 demo. 🚫

Latest Commit 6

24 Oct 15:25
2961845

Pre-release

Hi! After every commit to the main branch of Arkime 6 we build and store the results here. The builds are based on Arkime 6, so if upgrading from Arkime 5, make sure you've followed the upgrading to 6 instructions. If you don't want to run the pre-release version, check out our stable release.

We need your help! Please support Arkime by becoming a GitHub Sponsor!

Installation Instructions | 5.x -> 6.x Upgrade Instructions | FAQ | CHANGELOG | JA4+ Install | Docker Install

Sanitize builds are used for detecting memory leaks and other issues, see Sanitizer Info

v6.4.0

20 May 15:03
7471436

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

Support Arkime's ongoing development! Become a GitHub Sponsor!

✨ What's new ✨

Breaking

  • #3967 All header* auth modes (header, header-jwt, headerOnly, header+digest, header+basic) now default userAuthIps to localhost-only when not explicitly configured
  • #3982 docker.sh: TLS verification is now enforced by default for Elasticsearch/OpenSearch connections, use --insecure to skip verification
  • #3983 multies now defaults multiESHost to 127.0.0.1 instead of binding to all interfaces.

Release

  • #3941 Move to using curl instead of wget everywhere and now depend on curl package
  • #3975 Node 22.22.3

All

  • #3951 Fix UTF-8 mojibake in user names auto-created via header auth (e.g. behind Caddy/oauth2-proxy)

Capture

  • #3954 Add trimEthernetPadding option to strip Ethernet padding/FCS so saved pcap and byte counts match the on-wire IP length
  • #3957 Even when not writing packets still save new sessions midway
  • #3958 Add stateDir config option (default /tmp) for capture state files (drophash, stoppedsessions)
  • #3958 State files now opened with O_NOFOLLOW to prevent symlink attacks
  • #3958 PCAP files now opened with O_NOFOLLOW to prevent symlink attacks
  • #3962 Improved websocket parser; adds websocket.* fields and websocketTextSampleCnt config option
  • #3963 Improved mDNS parsing: handle aggregated queries, unsolicited responses, and flags
  • DNS TXT records now capture multiple items
  • #3965 Add diameter.resultCode field (AVP 268) for 4G/5G core auth/error tracking
  • #3965 Add dnp3.funcName and s7comm.funcName decoded ICS function-code names
  • #3965 Add mqtt.connackCode for CONNACK return/reason codes
  • #3965 Add snmp.engineId and snmp.secLevel SNMPv3 fields
  • #3966 Add enip parser
  • #3969 Include up to 12 bytes of UDP payload in the packet dedup hash so RTP and other UDP traffic with identical headers is no longer over-deduplicated
  • #3970 Added full OpenVPN classifier/parser
  • #3972 Improved STUN/TURN parser: extract XOR-PEER-ADDRESS, more methods, and stun.attributes field
  • #3973 Improved OSPF parser: per-(src,dst) sessions and ospf.msgType/routerId/areaId fields, tag weak auth
  • #3977 Improved RADIUS parser: extract radius.msgType, radius.nasIp, and radius.nasPort
  • #3978 New FTP parser: detect multi-line 220- banners and add ftp.banner, ftp.command, ftp.filename, ftp.responseCode fields; tag ftp:password when PASS is seen
  • #3985 Add shared NTLMSSP decoder with ntlm.* fields, wired into SMB, HTTP, LDAP, DCE-RPC, SMTP, IMAP, POP3, and TDS parsers
  • #3985 Add new POP3 parser that captures USER name and NTLM auth blobs
  • #3988 Fix command-socket --notify without --flush crashing capture
  • #3988 Fix crash when using rules with bpfs and different DLTs without using --flush

Multies

  • #3983 Support optional HTTP Basic auth via the new multiESBasicAuth setting

WISE

  • #3968 Improve JSON Array Parsing: shortcut paths now expand arrays at any intermediate position, not just the final value

⬇️ Download Info ⬇️

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means that the wrong download was used for your Linux distribution and version; please double check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026.

v6.3.1

04 May 22:57
0663f9c

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

✨ What's new 6.3.1 ✨

Capture

  • #3940 Fix ISAKMP parser on UDP/4500 (NAT-T) misparsed ESP packets without the non-ESP marker

Viewer

  • #3942 Fix hiding packets when we shouldn't

✨ What's new 6.3.0 ✨

BREAKING

  • #3911 ArkimeParserBuf_t.buf is now a heap-allocated pointer (uint8_t *buf[2]). You must use pb->bufSize[which] instead of sizeof(pb->buf[which])

All

  • #3920 Log more information on role failures

Capture

  • #3910 Corrupt UDP packets could have invalid byte counts
  • #3910 TCP DNS packets might not be parsed correctly depending on segmentation
  • #3911, #3913 TCP sequence wrapping tests and improvements
  • #3912 Fix IKEv2 encryption/hash parsing
  • #3913 Fix WISE plugin skipping fields after array-typed fields
  • #3913 Fix S3 listing deadlock when bucket/prefix is empty
  • #3914 Fix ASN.1 OID decoding of first arc per X.690
  • #3916 Improved NTP and IS-IS parsing
  • #3917 Improved LUA ip handling
  • #3917 Add DHCPv6 relay parsing
  • #3917 Improved SMB parsing of share/filename
  • #3917 Improved SNMP GetBulkRequest parsing
  • #3917 Extract VNI from GENEVE tunnels
  • #3918 scheme http no longer requires a port (defaults to 80/443)
  • #3918 fix SNMP sessions showing up as LDAP too
  • #3919 Remove ftp protocol if we are sure smtp
  • #3923 Packets with more than 8 VLANs marked as corrupt
  • #3923 UDP packets enforce length correctly
  • #3924, #3930 Remove trailing slash from wiseURL
  • #3927 Cap IMAP/SMTP/HTTP Header buffer lengths
  • #3932 Skip byte-based UDP classifiers on UDP/53 to avoid DNS false-matches
  • #3933 Reassemble TLS ClientHello across multiple QUIC Initial packets
  • #3935 Validate QUIC packet lengths

Cont3xt

  • #3928 Threatstream: ignore per-user host override unless user/key also per-user
  • #3928 csvjson: add 60s timeout and 1GB content/body limits on remote feed loads

Viewer

  • #3898 show error msg in spiview when All selected but not allowed
  • #3906 add copy button to History Elasticsearch Query section
  • #3908 fix download entire pcap missing filename
  • #3921 Fix Cap Restart graph markers, Session Detail labels slider width, Field Actions dropdown, Stats Shrink Index, and shortcut ($) autocomplete in search expression
  • #3928 Cap /api/sessions/summary length parameter at 1000
  • #3931 Remove last manualQuery option which wasn't implemented
  • #3934 Fix not handling sessions correctly with no PCAP

⬇️ Download Info ⬇️

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means that the wrong download was used for your Linux distribution and version; please double check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026. The EL 8 builds will stop in May 2026, please upgrade.

v6.3.0

04 May 16:12
348f1c3

Pre-release

This build is broken; use 6.3.1 instead.

✨ What's new ✨

BREAKING

  • #3911 ArkimeParserBuf_t.buf is now a heap-allocated pointer (uint8_t *buf[2]). You must use pb->bufSize[which] instead of sizeof(pb->buf[which])

All

  • #3920 Log more information on role failures

Capture

  • #3910 Corrupt UDP packets could have invalid byte counts
  • #3910 TCP DNS packets might not be parsed correctly depending on segmentation
  • #3911, #3913 TCP sequence wrapping tests and improvements
  • #3912 Fix IKEv2 encryption/hash parsing
  • #3913 Fix WISE plugin skipping fields after array-typed fields
  • #3913 Fix S3 listing deadlock when bucket/prefix is empty
  • #3914 Fix ASN.1 OID decoding of first arc per X.690
  • #3916 Improved NTP and IS-IS parsing
  • #3917 Improved LUA ip handling
  • #3917 Add DHCPv6 relay parsing
  • #3917 Improved SMB parsing of share/filename
  • #3917 Improved SNMP GetBulkRequest parsing
  • #3917 Extract VNI from GENEVE tunnels
  • #3918 scheme http no longer requires a port (defaults to 80/443)
  • #3918 fix SNMP sessions showing up as LDAP too
  • #3919 Remove ftp protocol if we are sure smtp
  • #3923 Packets with more than 8 VLANs marked as corrupt
  • #3923 UDP packets enforce length correctly
  • #3924, #3930 Remove trailing slash from wiseURL
  • #3927 Cap IMAP/SMTP/HTTP Header buffer lengths
  • #3932 Skip byte-based UDP classifiers on UDP/53 to avoid DNS false-matches
  • #3933 Reassemble TLS ClientHello across multiple QUIC Initial packets
  • #3935 Validate QUIC packet lengths

Cont3xt

  • #3928 Threatstream: ignore per-user host override unless user/key also per-user
  • #3928 csvjson: add 60s timeout and 1GB content/body limits on remote feed loads

Viewer

  • #3898 show error msg in spiview when All selected but not allowed
  • #3906 add copy button to History Elasticsearch Query section
  • #3908 fix download entire pcap missing filename
  • #3921 Fix Cap Restart graph markers, Session Detail labels slider width, Field Actions dropdown, Stats Shrink Index, and shortcut ($) autocomplete in search expression
  • #3928 Cap /api/sessions/summary length parameter at 1000
  • #3931 Remove last manualQuery option which wasn't implemented
  • #3934 Fix not handling sessions correctly with no PCAP

v6.2.0

20 Apr 14:45

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

✨ What's new ✨

BREAKING

  • #3874 The user-auto-create and user-role-mappings sections now limit what loop and exception JavaScript can be used, for security.
  • #3881 Command sockets are now chmod(0660), which removes Other access.

Release

  • #3864 CyberChef 10.23.0
  • #3870 docker.sh supports generic --db with help examples

All

  • #3831 New TOTP support for wise config instead of code - requires db.pl upgrade
  • #3865 Add syslog notifier
  • #3866 Add snmp notifier
  • #3888 Can now use - for password with addUser.js to get prompted

Capture

  • #3871 Packets with more than 10 ip/ethernet headers are now marked as corrupt
  • #3896 Improve MQTT parsing and tests

Capture/Viewer

  • #3833 New simpleDEKEncoding setting which controls how the DEK is encrypted
  • #3857 Fix scheme pcapNG not handling large files (thanks @wegman12)

db.pl

  • #3860 Add --compression option

Viewer

  • #3842 Add internationalized aria-labels
  • #3863 Add per-cluster serverSecret in S2S auth for multicluster pcap retrieval
  • #3878 Add JWT decoding support for header auth mode
  • #3877 Add ESIndices codec column
  • #3891 Improve tcp reassembly display when packets are retransmitted

⬇️ Download Info ⬇️

We offer downloads for different Linux distributions and versions because of library differences. For example, use the el8 download for CentOS 8 or RHEL 8, not RHEL 9. A libssl version error most likely means that the wrong download was used for your Linux distribution and version; please double check. The moloch builds have the old filesystem layouts; we will stop providing the moloch builds in 2026. The EL 8 builds will stop in April 2026, please upgrade.

v6.1.1

06 Apr 12:40
7ff282f

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

✨ What's new ✨

BREAKING

  • #3812 The user-auto-create and user-role-mappings sections now limit what JavaScript can be used, for security.

All

  • #3812 Validate JavaScript expression in user-auto-create and user-role-mappings
  • #3835 Fix reverse proxy being unhappy with no params after a ? in urls

Capture

  • #3813 Add ECE, CWR, and AE TCP flag support
  • #3818 Improve scheduling http requests with libcurl (thanks @swannman)
  • #3829 Add ADB (Android Debug Bridge) parser (thanks @h0wdee)
  • #3836 Fix bacnet false positives on dns ports
  • #3843 Improve JSON encoding of UTF8 strings
  • #3841 command socket add-file/dir now supports notify on complete (--notify) and new file-status command (thanks @wegman12)
  • #3847 Fix crash when parsing malformed packets
  • #3855 Fix --copy not working in command socket mode (thanks @wegman12)

Multies

  • #3830 Show cluster when using multies

Viewer

  • #3826 Handle ip frag pcap display better

v6.1.0

18 Mar 13:27
f995ccf

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

✨ What's new ✨

BREAKING

  • #3782 Previous redis user databases will be ignored
  • #3786 Dedup packets now include VLAN/VNI by default, set dedupVlanVni=false to disable
  • #3792 The setting uploadFileSizeLimit now defaults to 2G instead of unlimited
  • #3792 Link group urls in cont3xt must start with http(s):// now
  • #3794 Previously the bpf filter setting was reversed for scheme, pcapoverip, and tzsp readers
  • #3802 Cluster urls in parliament must start with http or / now

All

  • #3782 sqlite support added for user database and cont3xt/parliament databases
  • #3782 many fixes for lmdb and redis database implementation
  • #3782 now regression test sqlite/lmdb/redis databases during builds
  • #3804 New user-auto-create section to replace userAutoCreateTmpl setting
  • #3805 Add pt-BR i18n strings

Capture

  • #3786, #3797 add VLAN/VNI deduplication support (thanks @waynieack)
  • #3790 fix VLAN parsing for Type III ERSPAN (thanks @waynieack)
  • #3794 Fixed bpf filter setting reversed for scheme, pcapoverip, and tzsp readers
  • #3803 Fix tcap parsing loop

ES Proxy

  • #3789 Add AWS SigV4 signing support for managed OpenSearch (thanks @Kurlee)

Parliament

  • #3788 Fix abort when parliament file not set

Viewer

  • #3781 Most server errors are now localized
  • #3785 views/shareables/shortcuts can now live in sqlite instead of ES
  • #3796 Fix value-actions not working (thanks @waynieack)
  • #3807 Only show "Only Data Nodes" on EsNodes Stats tab

v6.0.1

09 Mar 15:37
9f7c982

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

✨ What's new ✨

Known Bugs

  • With offline pcaps, if you have a bpf filter in your config file, even an empty one, you must use --libpcap with capture

All

  • #3768 https://[::1] automatically sets insecure now

Capture

  • #3760 Fix scheme mode not ignoring empty bpf setting
  • #3762 Fix auto loading of .lua parsers not always working
  • #3774 Fix GRE Enhanced v1 (PPTP) header parsing and added proper PPP framing support
  • #3774 Add simple OpenVPN classifier
  • #3774 Add simple Omron-FINS classifier
  • #3774 Add ENIP parser
  • #3774 Don't be so strict with BACnet parsing
  • #3778 add simple rdpudp classifier
  • #3778 add simple gtp control classifier

Cont3xt

  • #3756 Fix overview raw editing not working well

Viewer

  • #3766 Fix ips starting with :: being treated as ports

v6.0.0

02 Mar 14:15
442a44e

A db.pl upgrade is required when upgrading from Arkime 5 or earlier

✨ What's new ✨

Known Bugs

  • With offline pcaps, if you have a bpf filter in your config file, even an empty one, you must use --libpcap with capture

BREAKING

  • #3138 settings parseSMTP & parseSMB removed, use disableParsers instead
  • #3138 plugins must end with a supported extension, e.g. .so, .lua, .py
  • #3138 setting luaFiles now defaults to no files
  • #3212 with capture --scheme is now the default, use --libpcap for previous behaviour
  • #3281 Remove Ubuntu 20.04 builds
  • #3293 db.pl now requires a leading http:// or https:// in OpenSearch/Elasticsearch URLs
  • #3306 WISE now requires webBasePath to be set if you use a non-default base path — set it in Arkime 5 before upgrading
  • #3422 Cont3xt ThreatFox integration now requires an API key (free at https://auth.abuse.ch/)
  • #3427 Capture now adds the first VLAN tag back to packets when saving to disk. This may affect existing BPF filters — set tpacketv3OldVlan=true to disable.
  • #3468 Digest/Form users who haven't changed their password since Dec 2019 will not be able to log in. A userAdmin can reset their passwords.
  • #3473 dnsOutputAnswers defaults to TRUE now
  • #3488 When talking to remote viewers, only viewUrl is used now — webBasePath is no longer used
  • #3492 Viewer now expires PCAPs even if pcapDir is not set, defaulting to /opt/arkime/raw. Previously, PCAPs were not expired when pcapDir was unset.
  • #3552 Users now inherit the 7 extra permissions from their Roles unless explicitly overridden
  • #3583 Fixed: IPv4 sessions with identical src and dst IP addresses may have had an incorrect community_id. Old sessions will retain the incorrect value.
  • #3591 The geoLite2Country setting now looks for a City database file first by default
  • #3601 The unkEthernet/unkIpProtocol plugins are removed. The saveUnknownPackets setting now saves unknown/corrupt packets as real Arkime sessions.

Release

  • Node 22.22.0
  • #3342 Container based on Debian 13 now
  • Container includes geoipupdate
  • docker.sh supports --ilm and --ism options
  • #3502 FreeBSD builds
  • #3518 easybutton defaults to --nothirdparty now
  • #3718 Build for Ubuntu 26.04
  • #3726 docker.sh supports --wait-for-db option

All

  • Migrated to Vue3!! (misc PRs)
  • Remove Webpack tech debt (misc PRs)
  • #3286 support oidc end_session endpoint and token if logoutUrl not set, new logoutUrlMethod setting
  • #3306 eslint upgraded to v9
  • #3364 eslint vue files and enforce recommended rules
  • #3468 remove support for old password storage
  • #3476 new authJwsAlgorithm setting, defaults to RS256
  • #3552 Users and Roles now inherit the 7 extra settings if not specifically set.
  • #3747 New /api/appversion API

Capture

  • #3138 lua plugin now autoloads *.lua scripts in parsers directory if lua plugin is used
  • #3208 vlan id is now stored in order seen
  • #3268 New Python support, *.py scripts in parsers directory auto loaded; use disablePython=true to disable
  • #3357 Basic SCTP support
  • #3375 For WISE/Rules fields that are lower/upper case, capture updates string
  • #3427 Add first vlan back to packet in AFPacket mode
  • #3460 DNS compress pointer chaining max increased to 10
  • #3461 New DHCP Session linking
  • #3473 dnsOutputAnswers defaults to TRUE now
  • #3479 Per thread compression to ES should help with busy capture
  • #3481 ArkimePacket free list, should help with memory fragmentation on busy capture
  • #3494 Update field friendlyNames in db if they don't match capture
  • #3501 Added reader-bpf
  • #3517 Netmap FreeBSD support
  • #3547 Fix erspan vlan truncating at 7 bits instead of 12 bits
  • #3566 fix the sessions length being off by 1ms sometimes
  • #3583 Fix community_id for v4 sessions with same src/dst port sorting
  • #3591 geoLite2Country setting now looks for City file first by default
  • #3618 Fix S3 scheme prefix handling
  • #3618 Fix S3 scheme not processing more than 1000 S3 items
  • #3620 Simple DNS RRSIG/DS/NSEC parsing
  • #3622 Added disableIp4Defrag setting
  • #3623 Initial ES-IS protocol support
  • #3624 saveUnknownPackets supports common strings
  • #3630 tds7 protocol support
  • #3637 Initial bacnet protocol support
  • #3638 NTP protocol improvements
  • #3640 Initial isakmp protocol support
  • #3642 Initial tftp protocol support
  • #3643 Improved rdp parser
  • #3644 Improved snmp parser
  • #3645 Improved mqtt parser
  • #3651 Added basic sip parser
  • #3652 Added basic stun parser
  • #3653, #3666 Improve krb5 parser
  • #3654 Added turn support to stun parser
  • #3655 Handle different quic salts for draft23, draft29, v2
  • #3655 More ssdp keywords
  • #3656 Parse udp facebook quic
  • #3657 Added classifiers for: plex-gdm, samsung-smartview, whatsapp, ubiquiti-ubnt, xid
  • #3659 Added classifier for nbds and parser for nbns
  • #3660 Added basic ptp parser
  • #3661 Added isakmp cert decoding
  • #3663 Added dcerpc parsing
  • #3668 Added basic dnp3 parsing
  • #3670 Added basic wireguard classifier
  • #3672 Added some telecom protocols: m3ua, sccp, tcap, camel, diameter
  • #3676 Added basic imap parser
  • #3677 Align structures and remove unimportant atomic counts to help when using large number of packetThreads
  • #3678 Added classifier: gearman, esio; parser: pana
  • #3681 Added synchrophasor parser
  • #3682 Added s7comm parser
  • #3686 Added websocket detection
  • #3687 Added c122 parser
  • #3699 writer-s3 always uses 0xffff for snapLen now
  • #3699 writer-s3 fix gzip memory leak
  • #3702 support redis:// for config
  • #3706 Don't close stdin after using "-" for filename
  • #3706 Cert UTCTime/GeneralizedTime offset parsing fixes
  • #3706 Fix rules _dropBySession not working consistently
  • #3709 Fix scheme mode only queueing up to two files for later
  • #3710 Fix SCTP chunk alignment, add maxSctpOutOfOrderPackets setting and check
  • #3711 Fix SCTP databytes
  • #3711 Fix SCTP protoid should be 32 bits
  • #3724 fix ja4plus plugin to match rust implementation for edge cases
  • #3731 fix crash on quit when freeing http zstrm data structures
  • #3731 fix dedup increase message having incorrect values
  • #3731 performance improvements with dedup and arkime_memcasestr
  • #3739 disablePython defaults to true now

Capture/Viewer

  • #3197 new sessionsStarted and sessionsPresent in files tab
  • #3210 new vlan.dot1q and vlan.dot1ad expressions
  • #3308 City and Region from MMDB
  • #3434 SCTP protoId
  • #3463 Added dhcp.classId
  • #3464 Added id for dhcpv6
  • #3465 Added dhcp.requestIp
  • #3566 New packetRange field to support spanning timeline display
  • #3601 Save corrupt and unknown sessions as real Arkime sessions based on saveUnknownPackets

Contrib

  • #3637 increased max tzsp-forwarder packet to 64000
  • #3674 added new netflow2arkime.pl script

ESProxy

  • #3750 - fix httpsAgent race condition with client certificates

Viewer

  • #3326 BIG search expression
  • #3343 Basic internationalization support (most translations contributed by Cursor using Claude 4 Sonnet)
  • #3341 Check files index mapping on start
  • #3366 Sankey diagram on SPI Graph page
  • #3374 Allow multiviewer to change password if usersElasticsearch is set
  • #3376 multiviewer logs history for only clusters selected
  • #3399 Now track ES node ids in dstats so on Shards tab we can show which node is missing for node_left. ES should do this for us!
  • #3423 Periodic Queries and Hunts can now notify on multiple notifiers
  • #3439 multiviewer config now supports defaultCluster setting
  • #3474 support 15 and 30 minute query time ranges
  • #3488 only use viewUrl for remote URL
  • #3492,#3536 default pcapDir to /opt/arkime/raw
  • #3495 Speed improvements for add/removing tags and exporting CSV
  • #3497 Process pcap files in blocks for speed improvements
  • #3498 Optimize pcap reassembly memory usage for speed improvements
  • #3522 Can set max scrolls and display current scrolls
  • #3528 IP OR array queries should be more efficient now
  • #3567 Hunts allow updating of fields while running
  • #3728 support expression autocomplete more places
  • #3742 ArkimeTables support i18n
  • #3743 Consistent expression parser error messages

Parliament

  • #3395 Low disk space monitoring for capture and ES hosts
  • #3395 Navbar ES status indicator cycles through clusters with issues w/highlighting
  • #3395 Clickable issue table rows navigate to node stats
  • #3395 Issue filters persist in URL parameters
  • #3395 Toggle to show/hide all issues
  • #3395 Display ES version in cluster tooltips

Cont3xt

  • #3405 Keyword/regex highlighting in integration and overview cards via ?highlight= parameter or via Search bar mode selector to switch between query search and highlight pattern modes
  • #3422 ThreatFox integration
  • #3421 Zetalytics integration
  • #3406 Domain Tools Whois Integration
  • #3410 crt.sh integration
  • #3407 Greynoise malicious tidbit

Multies

  • #3430 Handle when ES cluster returns 503 better

WISE

  • #3435 New wise urlapi source

db.pl

  • #3581 New db.pl show-nodes command
  • #3600 The init/wipe/upgrade commands warn if using different settings
  • #3603 Support repairing bad map...