zeek

Passive network traffic analyser.

TLDR

Analyze live traffic from a network interface

$ sudo zeek --iface [interface]

Analyze live traffic from a network interface and load custom scripts

$ sudo zeek --iface [interface] [script1] [script2]

Analyze live traffic from a network interface, without loading any scripts

$ sudo zeek --bare-mode --iface [interface]

Analyze live traffic from a network interface, applying a tcpdump filter

$ sudo zeek --filter [path/to/filter] --iface [interface]

Analyze live traffic from a network interface using a watchdog timer

$ sudo zeek --watchdog --iface [interface]

Analyze traffic from a pcap file

$ zeek --readfile [path/to/file.trace]

Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting.

Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.

OPTIONS

<file>: policy file, or read stdin
-a, --parse-only: exit immediately after parsing scripts
-b, --bare-mode: don't load scripts from the base/ directory
-d, --debug-policy: activate policy file debugging
-e, --exec <zeek code>: augment loaded policies by given code
-f, --filter <filter>: tcpdump filter
-h, --help|-?: command line help
-i, --iface <interface>: read from given interface
-p, --prefix <prefix>: add given prefix to policy file resolution
-r, --readfile <readfile>: read from given tcpdump file
-s, --rulefile <rulefile>: read rules from given file
-t, --tracefile <tracefile>: activate execution tracing
-w, --writefile <writefile>: write to given tcpdump file
-v, --version: print version and exit
-x, --print-state <file.bst>: print contents of state file
-C, --no-checksums: ignore checksums
-F, --force-dns: force DNS
-I, --print-id <ID name>: print out given ID
-N, --print-plugins: print available plugins and exit (-NN for verbose)
-P, --prime-dns: prime DNS
-Q, --time: print execution time summary to stderr
-R, --replay <events.bst>: replay events
-S, --debug-rules: enable rule debugging
-T, --re-level <level>: set 'RE_level' for rules
-U, --status-file <file>: Record process status in file
-W, --watchdog: activate watchdog timer
-X, --zeekygen <cfgfile>: generate documentation based on config file
--pseudo-realtime[=<speedup>]: enable pseudo-realtime for performance evaluation (default 1)
--load-seeds <file>: load seeds from given file
--save-seeds <file>: save seeds to given file
The following option is available only when Zeek is built with the --enable-debug configure option:
-B, --debug <dbgstreams>: Enable debugging output for selected streams ('-B help' for help)
The following options are available only when Zeek is built with gperftools support (use the --enable-perftools and --enable-perftools-debug configure options):
-m, --mem-leaks: show leaks
-M, --mem-profile: record heap

ENVIRONMENT

ZEEKPATH: file search path
ZEEK_PLUGIN_PATH: plugin search path
ZEEK_PLUGIN_ACTIVATE: plugins to always activate
ZEEK_PREFIXES: prefix list
ZEEK_DNS_FAKE: disable DNS lookups
ZEEK_SEED_FILE: file to load seeds from
ZEEK_LOG_SUFFIX: ASCII log file extension
ZEEK_PROFILER_FILE: Output file for script execution statistics
ZEEK_DISABLE_ZEEKYGEN: Disable Zeekygen (Broxygen) documentation support

AUTHOR

zeek was written by The Zeek Project <info@zeek.org>.