LinuxCommandLibrary

zeek

Network traffic analysis and security monitoring

TLDR

Analyze live traffic from a network interface

$ sudo zeek --iface [interface]

Analyze live traffic from a network interface and load custom scripts
$ sudo zeek --iface [interface] [script1 script2 ...]

Analyze live traffic from a network interface, without loading any scripts
$ sudo zeek --bare-mode --iface [interface]

Analyze live traffic from a network interface, applying a tcpdump (BPF) filter expression (the argument is the expression itself, not a file)
$ sudo zeek --filter '[tcpdump filter expression]' --iface [interface]

Analyze live traffic from a network interface using a watchdog timer
$ sudo zeek --watchdog --iface [interface]

Analyze traffic from a PCAP file (logs are written to the current working directory)
$ zeek --readfile [path/to/file.trace]

SYNOPSIS

zeek [options] [script ...]
Common usage:
zeek -r [path/to/file.pcap] [script ...]
zeek -i [interface] [script ...]

PARAMETERS

-r, --readfile <file>
    Reads network traffic from the specified PCAP file instead of a live interface.

-i, --iface <interface>
    Reads network traffic live from the specified network interface (only one interface may be given).

-f, --filter <filter>
    Applies a tcpdump (BPF) filter expression to the captured traffic before analysis.

-C, --no-checksums
    Ignores IP/TCP/UDP/ICMP checksums. Needed for captures taken on a host with checksum offloading, where packets otherwise look corrupt and are excluded from analysis.

-b, --bare-mode
    Prevents Zeek from loading the default scripts from the base/ directory; only scripts named on the command line are loaded.

-e, --exec <zeek code>
    Augments the loaded scripts with the given Zeek code, e.g. a redef of a logging option.

-p, --prefix <prefix>
    Adds the given prefix to Zeek script file resolution.

-s, --rulefile <file>
    Reads signature rules from the given file.

-w, --writefile <file>
    Writes the captured packets to the given tcpdump file.

-N, --print-plugins
    Prints the available plugins and exits (-NN for verbose output).

-U, --status-file <file>
    Records the process status in the given file.

-W, --watchdog
    Activates the watchdog timer, which aborts Zeek if it stalls while processing packets.

-v, --version
    Prints the Zeek version information and exits.

-h, --help
    Displays the command-line help message and exits.

DESCRIPTION

Zeek, formerly known as Bro, is an open-source, powerful network analysis framework designed for deep packet inspection and comprehensive security monitoring. Unlike traditional Intrusion Detection Systems (IDS), Zeek doesn't merely flag malicious activity; it produces a comprehensive, high-fidelity archive of network traffic for forensics, historical analysis, and threat hunting. It achieves this by dissecting network protocols, extracting application-layer content, and generating detailed, semantically-rich logs (e.g., connection logs, HTTP logs, DNS logs, file transfers, SSL certificates). Zeek's policy script language allows security analysts to define custom detection logic, perform advanced protocol analysis, and implement site-specific security policies. It is widely used in enterprise, government, and research environments for incident response, threat intelligence, and network performance monitoring.

CAVEATS

Zeek can be resource-intensive (CPU, RAM, disk I/O), especially on high-volume links; production deployments usually run a cluster of worker processes rather than a single zeek invocation. Live capture requires privileges to open the interface (root, or CAP_NET_RAW granted to the binary), which is why the live examples above use sudo. Logs are written to the current working directory, so run Zeek from a dedicated directory. It requires significant configuration, understanding of its scripting language, and proper log management for optimal utilization. It is a passive detection and logging system, not a preventative or blocking tool: it observes traffic and never drops or modifies packets.

RICH LOGGING

Zeek automatically generates a comprehensive set of structured logs (e.g., conn.log, http.log, dns.log, ssl.log, files.log, x509.log), written to the working directory of the zeek process. By default they are tab-separated values (TSV): each file starts with a header block (#separator, #set_separator, #empty_field, #unset_field, #path, #fields, #types) that declares the column names and their Zeek types, so a consumer can type the values rather than guess, and an unset field appears as "-". JSON output (one object per line) can be selected with redef LogAscii::use_json = T; and is usually the easier format to ship to a Security Information and Event Management (SIEM) system, data lake, or analytical platform for further processing and correlation.
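The following is an added example, not code from the Zeek project: a small Python parser for the TSV format described above, driven by a constructed conn.log sample, with a detection that flags a source whose TCP connections to one host failed on several distinct ports (a crude port-scan heuristic) and a helper that emits the records as JSON lines for SIEM ingestion. The sample records, the uid values and the threshold of three ports are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Parse Zeek ASCII (TSV) logs and run a small detection over conn.log.

Added example, not part of Zeek. The conn.log sample below is constructed
for illustration; the parser follows the header lines Zeek's ASCII writer
emits (#separator, #set_separator, #empty_field, #unset_field, #fields,
#types). Standard library only.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample conn.log. 10.0.0.5 touches four ports on 10.0.0.9 and
# every attempt fails (REJ = reset by responder, S0 = SYN with no reply);
# 10.0.0.7 completes one TLS connection (SF) and has one failed attempt.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring
1700000000.1\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\t-\t-\tREJ
1700000000.2\tCabc2\t10.0.0.5\t51001\t10.0.0.9\t23\ttcp\t-\t-\tS0
1700000000.3\tCabc3\t10.0.0.5\t51002\t10.0.0.9\t445\ttcp\t-\t-\tREJ
1700000000.4\tCabc4\t10.0.0.5\t51003\t10.0.0.9\t3389\ttcp\t-\t-\tS0
1700000001.0\tCdef5\t10.0.0.7\t52000\t10.0.0.9\t443\ttcp\tssl\t1.25\tSF
1700000001.5\tCdef6\t10.0.0.7\t52001\t10.0.0.9\t80\ttcp\t-\t-\tREJ
#close\t2023-11-14-22-13-21
"""


def _convert(raw: str, typ: str, unset: str, empty: str) -> object:
    """Map a raw TSV cell to a Python value using the #types declaration."""
    if raw == unset:
        return None
    if raw == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, addr, enum and everything else stay as text


def parse_zeek_tsv(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per record, honouring the header block of a Zeek TSV log."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Zeek writes the separator as an escape sequence such as \x09.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #set_separator, #path, #open, #close are not needed here
        cells = line.split(sep)
        yield {name: _convert(raw, typ, unset, empty)
               for name, typ, raw in zip(fields, types, cells)}


def find_port_scanners(records: Iterable[Dict[str, object]],
                       min_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Return {(orig, resp): ports} for sources whose TCP attempts to one host
    failed (S0, REJ or RSTOS0) on at least min_ports distinct ports."""
    failed: Dict[Tuple[str, str], set] = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in ("S0", "REJ", "RSTOS0"):
            failed[(r["id.orig_h"], r["id.resp_h"])].add(r["id.resp_p"])
    return {pair: sorted(ports) for pair, ports in failed.items()
            if len(ports) >= min_ports}


def to_json_lines(records: Iterable[Dict[str, object]]) -> List[str]:
    """One JSON object per line, the shape most SIEM collectors ingest."""
    return [json.dumps(r, sort_keys=True) for r in records]


if __name__ == "__main__":
    recs = list(parse_zeek_tsv(SAMPLE_CONN_LOG))
    print(to_json_lines(recs)[0])
    for (orig, resp), ports in find_port_scanners(recs).items():
        print(f"possible scan: {orig} -> {resp} failed on ports {ports}")
```

The same parser works on any Zeek TSV log because the column names and types come from the header rather than being hard-coded; only the detection function is conn.log specific.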

POWERFUL SCRIPTING LANGUAGE

At the core of Zeek's flexibility is its custom, event-driven scripting language. This language enables users to define sophisticated detection logic, implement custom protocol analysis, maintain stateful information across connections, and react dynamically to network events. This capability allows for highly tailored security policies and deep insight into network behavior that generic signature-based systems cannot provide.

HISTORY

Originally developed by Vern Paxson at Lawrence Berkeley National Laboratory (LBNL) in 1995 and open-sourced in 1996, the project was initially known as Bro. It quickly became a foundational tool in network security research and operations. In 2018, the project was officially renamed from Bro to Zeek to better reflect its expansive capabilities beyond simple monitoring and to adopt a more broadly appealing identity. It is now maintained and evolved by the Zeek Project, a community-driven open-source initiative.

SEE ALSO

tcpdump(1), wireshark(1), snort(8), suricata(8)
