experimenting with github pages

docs/README.md

@@ -15,60 +15,60 @@ For smaller networks, use at home by network security enthusiasts, or in the fie
 ## <a name="TableOfContents"></a>Table of Contents
 
 * [Quick start](quickstart.md#QuickStart)
-    * [Getting Malcolm](quickstart.md#GetMalcolm)
-    * [User interface](quickstart.md#UserInterfaceURLs)
+    - [Getting Malcolm](quickstart.md#GetMalcolm)
+    - [User interface](quickstart.md#UserInterfaceURLs)
 * [Components](components.md#Components)
 * [Supported Protocols](protocols.md#Protocols)
 * [Development](development.md#Development)
-    * [Building from source](development.md#Build)
-    * [Pre-Packaged installation files](development.md#Packager)
+    - [Building from source](development.md#Build)
+    - [Pre-Packaged installation files](development.md#Packager)
 * [Configuration](malcolm-preparation.md#Configuration)
-    * [Recommended system requirements](system-requirements.md#SystemRequirements)
-    * [Malcolm Configuration](malcolm-config.md#ConfigAndTuning)
-        * [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml)
-    * [Platform-specific Configuration](host-config.md#HostSystemConfig)
-        * [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux)
-        * [macOS host system configuration](host-config-macos.md#HostSystemConfigMac)
-        * [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows)
+    - [Recommended system requirements](system-requirements.md#SystemRequirements)
+    - [Malcolm Configuration](malcolm-config.md#ConfigAndTuning)
+        + [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml)
+    - [Configure authentication](authsetup.md#AuthSetup)
+        + [Local account management](authsetup.md#AuthBasicAccountManagement)
+        + [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP)
+            * [LDAP connection security](authsetup.md#AuthLDAPSecurity)
+        + [TLS certificates](authsetup.md#TLSCerts)
+    - [Platform-specific Configuration](host-config.md#HostSystemConfig)
+        + [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux)
+        + [macOS host system configuration](host-config-macos.md#HostSystemConfigMac)
+        + [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows)
 * [Running Malcolm](running.md#Running)
-    * [OpenSearch instances](opensearch-instances.md#OpenSearchInstance)
-        * [Authentication and authorization for remote OpenSearch clusters](opensearch-instances.md#OpenSearchAuth)
-    * [Configure authentication](authsetup.md#AuthSetup)
-        * [Local account management](authsetup.md#AuthBasicAccountManagement)
-        * [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP)
-            - [LDAP connection security](authsetup.md#AuthLDAPSecurity)
-    * [TLS certificates](authsetup.md#TLSCerts)
-    * [Starting Malcolm](running.md#Starting)
-    * [Stopping and restarting Malcolm](running.md#StopAndRestart)
-    * [Clearing Malcolm's data](running.md#Wipe)
-    * [Temporary read-only interface](running.md#ReadOnlyUI)
+    - [OpenSearch instances](opensearch-instances.md#OpenSearchInstance)
+        + [Authentication and authorization for remote OpenSearch clusters](opensearch-instances.md#OpenSearchAuth)
+    - [Starting Malcolm](running.md#Starting)
+    - [Stopping and restarting Malcolm](running.md#StopAndRestart)
+    - [Clearing Malcolm's data](running.md#Wipe)
+    - [Temporary read-only interface](running.md#ReadOnlyUI)
 * [Capture file and log archive upload](upload.md#Upload)
     - [Tagging](upload.md#Tagging)
     - [Processing uploaded PCAPs with Zeek and Suricata](upload.md#UploadPCAPProcessors)
 * [Live analysis](live-analysis.md#LiveAnalysis)
-    * [Using a network sensor appliance](live-analysis.md#Hedgehog)
-    * [Monitoring local network interfaces](live-analysis.md#LocalPCAP)
-    * [Manually forwarding logs from an external source](live-analysis.md#ExternalForward)
+    - [Using a network sensor appliance](live-analysis.md#Hedgehog)
+    - [Monitoring local network interfaces](live-analysis.md#LocalPCAP)
+    - [Manually forwarding logs from an external source](live-analysis.md#ExternalForward)
 * [Arkime](arkime.md#Arkime)
-    * [Zeek log integration](arkime.md#ArkimeZeek)
-        - [Correlating Zeek logs and Arkime sessions](arkime.md#ZeekArkimeFlowCorrelation)
-    * [Help](arkime.md#ArkimeHelp)
-    * [Sessions](arkime.md#ArkimeSessions)
-        * [PCAP Export](arkime.md#ArkimePCAPExport)
-    * [SPIView](arkime.md#ArkimeSPIView)
-    * [SPIGraph](arkime.md#ArkimeSPIGraph)
-    * [Connections](arkime.md#ArkimeConnections)
-    * [Hunt](arkime.md#ArkimeHunt)
-    * [Statistics](arkime.md#ArkimeStats)
-    * [Settings](arkime.md#ArkimeSettings)
+    - [Zeek log integration](arkime.md#ArkimeZeek)
+        + [Correlating Zeek logs and Arkime sessions](arkime.md#ZeekArkimeFlowCorrelation)
+    - [Help](arkime.md#ArkimeHelp)
+    - [Sessions](arkime.md#ArkimeSessions)
+        + [PCAP Export](arkime.md#ArkimePCAPExport)
+    - [SPIView](arkime.md#ArkimeSPIView)
+    - [SPIGraph](arkime.md#ArkimeSPIGraph)
+    - [Connections](arkime.md#ArkimeConnections)
+    - [Hunt](arkime.md#ArkimeHunt)
+    - [Statistics](arkime.md#ArkimeStats)
+    - [Settings](arkime.md#ArkimeSettings)
 * [OpenSearch Dashboards](dashboards.md#Dashboards)
-    * [Discover](dashboards.md#Discover)
-        - [Screenshots](dashboards.md#DiscoverGallery)
-    * [Visualizations and dashboards](dashboards.md#DashboardsVisualizations)
-        - [Prebuilt visualizations and dashboards](dashboards.md#PrebuiltVisualizations)
-            - [Screenshots](dashboards.md#PrebuiltVisualizationsGallery)
-        - [Building your own visualizations and dashboards](dashboards.md#BuildDashboard)
-            + [Screenshots](dashboards.md#NewVisualizationsGallery)
+    - [Discover](dashboards.md#Discover)
+        + [Screenshots](dashboards.md#DiscoverGallery)
+    - [Visualizations and dashboards](dashboards.md#DashboardsVisualizations)
+        + [Prebuilt visualizations and dashboards](dashboards.md#PrebuiltVisualizations)
+            * [Screenshots](dashboards.md#PrebuiltVisualizationsGallery)
+        + [Building your own visualizations and dashboards](dashboards.md#BuildDashboard)
+            * [Screenshots](dashboards.md#NewVisualizationsGallery)
 * [Search Queries in Arkime and OpenSearch](queries-cheat-sheet.md#SearchCheatSheet)
 * Other Malcolm features
     - [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction)
@@ -93,12 +93,12 @@ For smaller networks, use at home by network security enthusiasts, or in the fie
         + [Examples](api-examples.md#APIExamples)
 * [Ingesting Third-party Logs](third-party-logs.md#ThirdPartyLogs)
 * [Malcolm installer ISO](malcolm-iso.md#ISO)
-    * [Installation](malcolm-iso.md#ISOInstallation)
-    * [Generating the ISO](malcolm-iso.md#ISOBuild)
-    * [Setup](malcolm-iso.md#ISOSetup)
-    * [Time synchronization](time-sync.md#ConfigTime)
+    - [Installation](malcolm-iso.md#ISOInstallation)
+    - [Generating the ISO](malcolm-iso.md#ISOBuild)
+    - [Setup](malcolm-iso.md#ISOSetup)
+    - [Time synchronization](time-sync.md#ConfigTime)
 * [Hardening](hardening.md#Hardening)
-    * [Compliance Exceptions](hardening.md#ComplianceExceptions)
+    - [Compliance Exceptions](hardening.md#ComplianceExceptions)
 * [Installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample)
 * [Upgrading Malcolm](malcolm-upgrade.md#UpgradePlan)
 * [Modifying or Contributing to Malcolm](contributing-guide.md#Contributing)

docs/arkime.md

@@ -1,5 +1,18 @@
 ## <a name="Arkime"></a>Arkime
 
+* [Arkime](#Arkime)
+    - [Zeek log integration](#ArkimeZeek)
+        + [Correlating Zeek logs and Arkime sessions](#ZeekArkimeFlowCorrelation)
+    - [Help](#ArkimeHelp)
+    - [Sessions](#ArkimeSessions)
+        + [PCAP Export](#ArkimePCAPExport)
+    - [SPIView](#ArkimeSPIView)
+    - [SPIGraph](#ArkimeSPIGraph)
+    - [Connections](#ArkimeConnections)
+    - [Hunt](#ArkimeHunt)
+    - [Statistics](#ArkimeStats)
+    - [Settings](#ArkimeSettings)
+
 The Arkime interface will be accessible over HTTPS on port 443 at the docker hosts IP address (e.g., [https://localhost](https://localhost) if you are connecting locally).
 
 ### <a name="ArkimeZeek"></a>Zeek log integration
@@ -38,7 +51,7 @@ Click the icon of the owl 🦉 in the upper-left hand corner of to access the Ar
 
 ### <a name="ArkimeSessions"></a>Sessions
 
-The **Sessions** view provides low-level details of the sessions being investigated, whether they be Arkime sessions created from PCAP files or [Zeek logs mapped](arkime.md#ArkimeZeek) to the Arkime session database schema.
+The **Sessions** view provides low-level details of the sessions being investigated, whether they be Arkime sessions created from PCAP files or [Zeek logs mapped](#ArkimeZeek) to the Arkime session database schema.
 
 ![Arkime's Sessions view](./images/screenshots/arkime_sessions.png)
 
@@ -61,7 +74,7 @@ The sessions table is displayed below the filter controls. This table contains t
 
 To the left of the column headers are two buttons. The **Toggle visible columns** button, indicated by a grid **⊞** icon, allows toggling which columns are displayed in the sessions table. The **Save or load custom column configuration** button, indicated by a columns **◫** icon, allows saving the current displayed columns or loading previously-saved configurations. This is useful for customizing which columns are displayed when investigating different types of traffic. Column headers can also be clicked to sort the results in the table, and column widths may be adjusted by dragging the separators between column headers.
 
-Details for individual sessions/logs can be expanded by clicking the plus **➕** icon on the left of each row. Each row may contain multiple sections and controls, depending on whether the row represents a Arkime session or a [Zeek log](arkime.md#ArkimeZeek). Clicking the field names and values in the details sections allows additional filters to be specified or summary lists of unique values to be exported.
+Details for individual sessions/logs can be expanded by clicking the plus **➕** icon on the left of each row. Each row may contain multiple sections and controls, depending on whether the row represents a Arkime session or a [Zeek log](#ArkimeZeek). Clicking the field names and values in the details sections allows additional filters to be specified or summary lists of unique values to be exported.
 
 When viewing Arkime session details (ie., a session generated from a PCAP file), an additional packets section will be visible underneath the metadata sections. When the details of a session of this type are expanded, Arkime will read the packet(s) comprising the session for display here. Various controls can be used to adjust how the packet is displayed (enabling **natural** decoding and enabling **Show Images & Files** may produce visually pleasing results), and other options (including PCAP download, carving images and files, applying decoding filters, and examining payloads in [CyberChef](https://github.com/gchq/CyberChef)) are available.
 
@@ -79,7 +92,7 @@ Arkime's **SPI** (**S**ession **P**rofile **I**nformation) **View** provides a q
 
 ![Arkime's SPIView](./images/screenshots/arkime_spiview.png)
 
-Click the the plus **➕** icon to the right of a category to expand it. The values for specific fields are displayed by clicking the field description in the field list underneath the category name. The list of field names can be filtered by typing part of the field name in the *Search for fields to display in this category* text input. The **Load All** and **Unload All** buttons can be used to toggle display of all of the fields belonging to that category. Once displayed, a field's name or one of its values may be clicked to provide further actions for filtering or displaying that field or its values. Of particular interest may be the **Open [fieldname] SPI Graph** option when clicking on a field's name. This will open a new tab with the SPI Graph ([see below](arkime.md#ArkimeSPIGraph)) populated with the field's top values.
+Click the the plus **➕** icon to the right of a category to expand it. The values for specific fields are displayed by clicking the field description in the field list underneath the category name. The list of field names can be filtered by typing part of the field name in the *Search for fields to display in this category* text input. The **Load All** and **Unload All** buttons can be used to toggle display of all of the fields belonging to that category. Once displayed, a field's name or one of its values may be clicked to provide further actions for filtering or displaying that field or its values. Of particular interest may be the **Open [fieldname] SPI Graph** option when clicking on a field's name. This will open a new tab with the SPI Graph ([see below](#ArkimeSPIGraph)) populated with the field's top values.
 
 Note that because the SPIView page can potentially run many queries, SPIView limits the search domain to seven days (in other words, seven indices, as each index represents one day's worth of data). When using SPIView, you will have best results if you limit your search time frame to less than or equal to seven days. This limit can be adjusted by editing the `spiDataMaxIndices` setting in [config.ini](./etc/arkime/config.ini) and rebuilding the `malcolmnetsec/arkime` docker container.
 
@@ -116,7 +129,7 @@ See also Arkime's usage documentation for more information on the [Connections g
 
 ### <a name="ArkimeHunt"></a>Hunt
 
-Arkime's **Hunt** feature allows an analyst to search within the packets themselves (including payload data) rather than simply searching the session metadata. The search string may be specified using ASCII (with or without case sensitivity), hex codes, or regular expressions. Once a hunt job is complete, matching sessions can be viewed in the [Sessions](arkime.md#ArkimeSessions)  view.
+Arkime's **Hunt** feature allows an analyst to search within the packets themselves (including payload data) rather than simply searching the session metadata. The search string may be specified using ASCII (with or without case sensitivity), hex codes, or regular expressions. Once a hunt job is complete, matching sessions can be viewed in the [Sessions](#ArkimeSessions)  view.
 
 Clicking the **Create a packet search job** on the Hunt page will allow you to specify the following parameters for a new hunt job:
 
@@ -134,7 +147,7 @@ Once a hunt job is submitted, it will be assigned a unique hunt ID (a long uniqu
 
 ![Hunt completed](./images/screenshots/arkime_hunt_finished.png)
 
-Once the hunt job is complete (and a minute or so has passed, as the `huntId` must be added to the matching session records in the database), click the folder **📂** icon on the right side of the hunt job row to open a new [Sessions](arkime.md#ArkimeSessions) tab with the search bar prepopulated to filter to sessions with packets matching the search criteria.
+Once the hunt job is complete (and a minute or so has passed, as the `huntId` must be added to the matching session records in the database), click the folder **📂** icon on the right side of the hunt job row to open a new [Sessions](#ArkimeSessions) tab with the search bar prepopulated to filter to sessions with packets matching the search criteria.
 
 ![Hunt result sessions](./images/screenshots/arkime_hunt_sessions.png)