NetBox has the concept of sites. Malcolm doesn't handle multiple sites very well (at all, really), it just lets the user provide a NETBOX_DEFAULT_SITE value that is checked against tags for upload and used for live capture.

We should allow multiple sites, which means we need to provide a way to associate captured data with a particular site. This includes:

• uploaded pcap: the upload interface should allow the user to specify a site name to associate with files uploaded in a batch of PCAP files
• hedgehog linux: when setting up capture hedgehog should allow the user to specify a site name
• malcolm live capture: when capturing from local network interfaces we should allow Malcolm to specify a site (this might be the NETBOX_DEFAULT_SITE variable above)

This needs to come through for all uploaded data and captured with Zeek and Suricata. We could look at arkime as well although I'm not sure where it would be specified for arkime data. The value is stored today in source.device.site and source.segment.site and destination.device.site and destination.segment.site.

Site will be definable in upload window, queried from NetBox's list of extant sites:

As far as I can tell this is all working correctly now. I'll continue to test and reopen if I find anything. Also there may be improvements we can do in the future for this, but for now I think it seems good.