by jzer0cool 2247 days ago
I read the instructions but was not clear. Is this just a pcap viewer or something more? The way I read it, it appears to be a running daemon which listens on all ports, saves the pcap file, and then exposes APIs for accessing such data.

If you had an application http server running, is traffic sent to Moloch first, and forwarded to the http server like a proxy?

1 comment

When running something like this on a large scale to capture all traffic going across a network, you'd typically use a "network packet broker" (cf. Google) that sends a copy of all traffic to the machine(s) running this software.

Your hypothetical application server would not even be aware that this was taking place.