zeek

Analyze a pcap file

$ zeek -r [capture.pcap]

$ zeek -r [capture.pcap] [script.zeek]

$ sudo zeek -i [eth0]

$ zeek -r [capture.pcap] local

$ zeek --version

zeek [options] [file...]

Zeek (formerly Bro) is a powerful network analysis framework focused on security monitoring. Unlike packet sniffers that show raw traffic, Zeek interprets network activity and generates high-level logs about connections, protocols, and detected threats.
Zeek processes network traffic (live or from pcap files) and produces structured logs: conn.log for connections, http.log for HTTP traffic, dns.log for DNS queries, ssl.log for TLS connections, and many more.
The tool uses a custom scripting language for defining analysis logic. Scripts can detect intrusions, extract files from traffic, identify protocols, and generate custom logs. The local.zeek policy loads site-specific configurations.
Output logs are tab-separated by default, easily parsed by tools like zeek-cut or imported into SIEM systems.

-r file

Read packets from pcap file

Capture from network interface

Ignore checksum errors

Execute Zeek script code

Apply BPF filter

Write status to file

Write raw packets to file

Syntax check scripts without execution

Parse scripts and exit

Zeek requires significant CPU and memory for high-traffic networks. Tune workers and analysis depth accordingly.
The scripting language has a learning curve. Start with built-in scripts before writing custom analyzers.
Live capture requires root or appropriate capabilities. Pcap file analysis runs as a normal user.
Log rotation and management should be configured for production deployments.

tcpdump(1), wireshark(1), tshark(1), suricata(8)