LinuxCommandLibrary

zeek

Network security monitoring and analysis framework

TLDR

Analyze a pcap file

$ zeek -r [capture.pcap]
Analyze pcap with specific script
$ zeek -r [capture.pcap] [script.zeek]
Capture live traffic on interface
$ sudo zeek -i [eth0]
Run with local site policy
$ zeek -r [capture.pcap] local
Print version and exit
$ zeek --version

SYNOPSIS

zeek [options] [file...]

DESCRIPTION

Zeek (formerly Bro) is a powerful network analysis framework focused on security monitoring. Unlike packet sniffers that show raw traffic, Zeek interprets network activity and generates high-level logs about connections, protocols, and detected threats.
Zeek processes network traffic (live or from pcap files) and produces structured logs: conn.log for connections, http.log for HTTP traffic, dns.log for DNS queries, ssl.log for TLS connections, and many more.
The tool uses a custom scripting language for defining analysis logic. Scripts can detect intrusions, extract files from traffic, identify protocols, and generate custom logs. The local.zeek policy loads site-specific configurations.
Output logs are tab-separated by default, easily parsed by tools like zeek-cut or imported into SIEM systems.
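The following is an added example, not code from the zeek project or from this page: a small parser for the tab-separated log layout described above (the #separator, #fields, #types, #empty_field and #unset_field header lines), followed by two triage queries over the typed records. The conn.log it reads is constructed by hand with a shortened field list, and the addresses are documentation ranges; zeek's own field order and header lines are reproduced as it writes them by default.

```python
"""Parse zeek's tab-separated log format (a conn.log here) and run two
triage queries over it. Added example; the log is constructed by hand."""
from collections import defaultdict
from typing import Any

# Constructed sample conn.log in zeek's default layout; the #fields list is
# shortened to the columns the queries below use.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2024-01-01-00-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\n"
    "1704067200.100000\tCa1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t12.5\t1024\t4096\tSF\n"
    "1704067201.200000\tCa2\t10.0.0.5\t51235\t192.0.2.10\t443\ttcp\t-\t-\t-\t-\tS0\n"
    "1704067202.300000\tCa3\t10.0.0.7\t40000\t198.51.100.7\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
    "1704067203.400000\tCa4\t10.0.0.9\t40001\t198.51.100.7\t4444\ttcp\t-\t3600.0\t900000\t50\tSF\n"
    "#close\t2024-01-01-01-00-00\n"
)

# Zeek scalar types mapped to Python conversions; anything else stays a string.
CONVERTERS = {
    "time": float, "interval": float, "double": float,
    "count": int, "int": int, "port": int,
    "bool": lambda v: v == "T",
}


def convert(val: str, typ: str, set_sep: str, empty: str, unset: str) -> Any:
    """Turn one column into a typed value, honouring the unset/empty markers."""
    if val == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        if val == empty:
            return []
        inner = typ[typ.index("[") + 1:-1]
        return [convert(v, inner, set_sep, empty, unset) for v in val.split(set_sep)]
    if val == empty:
        return ""
    return CONVERTERS.get(typ, str)(val)


def parse_zeek_log(text: str) -> tuple[list[str], list[dict[str, Any]]]:
    """Return (field names, records) for one zeek ASCII log."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: list[str] = []
    types: list[str] = []
    records: list[dict[str, Any]] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            # The separator line is written before the separator is known,
            # so it is space-delimited and escapes the separator itself.
            if raw.startswith("#separator "):
                sep = raw[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no records
        cols = raw.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {raw!r}")
        records.append({n: convert(v, t, set_sep, empty, unset)
                        for n, t, v in zip(fields, types, cols)})
    return fields, records


def cut(records: list[dict[str, Any]], names: list[str]) -> list[tuple]:
    """Select columns by name, the way zeek-cut does on the command line."""
    return [tuple(r[n] for n in names) for r in records]


def long_connections(records: list[dict[str, Any]], min_seconds: float) -> list[str]:
    """UIDs of connections that lasted at least min_seconds (unset durations skipped)."""
    return [r["uid"] for r in records
            if r["duration"] is not None and r["duration"] >= min_seconds]


def bytes_by_responder(records: list[dict[str, Any]]) -> dict[str, int]:
    """Bytes sent by originators to each responder host; a crude exfil signal."""
    totals: dict[str, int] = defaultdict(int)
    for r in records:
        if r["orig_bytes"] is not None:
            totals[r["id.resp_h"]] += r["orig_bytes"]
    return dict(totals)


if __name__ == "__main__":
    _, recs = parse_zeek_log(SAMPLE_CONN_LOG)
    print(cut(recs, ["uid", "id.orig_h", "id.resp_h", "id.resp_p"]))
    print("long:", long_connections(recs, 600.0))
    print("bytes:", bytes_by_responder(recs))
```

To run it against real output, replace SAMPLE_CONN_LOG with the contents of a conn.log produced by zeek -r; the header lines carry the field names and types, so the same parser handles dns.log, http.log or ssl.log without changes.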

PARAMETERS

-r file
Read packets from pcap file
-i interface
Capture from network interface
-C
Ignore checksum errors
-e code
Execute Zeek script code
-f filter
Apply BPF filter
-U status
Write status to file
-w file
Write raw packets to file
--test
Syntax check scripts without execution
--parse-only
Parse scripts and exit

CAVEATS

Zeek requires significant CPU and memory for high-traffic networks. Tune workers and analysis depth accordingly.
The scripting language has a learning curve. Start with built-in scripts before writing custom analyzers.
Live capture requires root or appropriate capabilities. Pcap file analysis runs as a normal user.
Log rotation and management should be configured for production deployments.

SEE ALSO

tcpdump(1), wireshark(1), tshark(1), suricata(8)

> TERMINAL_GEAR

Curated for the Linux community