zeek - Man Page

• Analyze live traffic from a network interface: sudo zeek --iface interface
• Analyze live traffic from a network interface and load custom scripts: sudo zeek --iface interface script1 script2
• Analyze live traffic from a network interface, without loading any scripts: sudo zeek --bare-mode --iface interface
• Analyze live traffic from a network interface, applying a tcpdump filter: sudo zeek --filter path/to/filter --iface interface
• Analyze live traffic from a network interface using a watchdog timer: sudo zeek --watchdog --iface interface
• Analyze traffic from a PCAP file: zeek --readfile path/to/file.trace

tldr.sh

zeek [options] [file ...]

Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting.

Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.

You must have the necessary permissions to access to the files or interfaces specified.

<file>

policy file, or read stdin

-a, --parse-only

exit immediately after parsing scripts

-b, --bare-mode

don't load scripts from the base/ directory

-d, --debug-policy

activate policy file debugging

-e, --exec <zeek code>

augment loaded policies by given code

-f, --filter <filter>

tcpdump filter

-h, --help|-?

command line help

-i, --iface <interface>

read from given interface

-p, --prefix <prefix>

add given prefix to policy file resolution

-r, --readfile <readfile>

read from given tcpdump file

-s, --rulefile <rulefile>

read rules from given file

-t, --tracefile <tracefile>

activate execution tracing

-w, --writefile <writefile>

write to given tcpdump file

-v, --version

print version and exit

-x, --print-state <file.bst>

print contents of state file

-C, --no-checksums

When this option is set, Zeek ignores invalid packet checksums and does process the packets. Furthermore, if this option is set Zeek also processes IP packets with a zero total length field, which is typically caused by TCP (TCP Segment Offloading) on the NIC.

-F, --force-dns

force DNS

-I, --print-id <ID name>

print out given ID

-N, --print-plugins

print available plugins and exit (-NN for verbose)

-P, --prime-dns

prime DNS

-Q, --time

print execution time summary to stderr

-R, --replay <events.bst>

replay events

-S, --debug-rules

enable rule debugging

-T, --re-level <level>

set 'RE_level' for rules

-U, --status-file <file>

Record process status in file

-W, --watchdog

activate watchdog timer

-X, --zeekygen <cfgfile>

generate documentation based on config file

--pseudo-realtime[=<speedup>]

enable pseudo-realtime for performance evaluation (default 1)

--load-seeds <file>

load seeds from given file

--save-seeds <file>

save seeds to given file

The following option is available only when Zeek is built with the --enable-debug configure option:

-B, --debug <dbgstreams>

Enable debugging output for selected streams ('-B help' for help)

The following options are available only when Zeek is built with gperftools support (use the --enable-perftools and --enable-perftools-debug configure options):

-m, --mem-leaks

show leaks

-M, --mem-profile

record heap

ZEEKPATH

file search path

ZEEK_PLUGIN_PATH

plugin search path

ZEEK_PLUGIN_ACTIVATE

plugins to always activate

ZEEK_PREFIXES

prefix list

ZEEK_DNS_FAKE

disable DNS lookups

ZEEK_SEED_FILE

file to load seeds from

ZEEK_LOG_SUFFIX

ASCII log file extension

ZEEK_PROFILER_FILE

Output file for script execution statistics

ZEEK_DISABLE_ZEEKYGEN

Disable Zeekygen (Broxygen) documentation support

Output is written in multiple files depending on configuration. The default location is the current directory.

The output written by Zeek can be formatted in multiple ways using the logging framework.

The default are files in human-readable (ASCII) format. The data is organized into columns (tab-delimited). The data can be processed using, e.g., the zeek-cut tool.

Read a capture file and generate the default logs:
   # zeek -r test-capture.pcap

When running on live traffic, Zeek is usually started by running zeekctl. To configure Zeek with an initial configuration, install, and restart:
   # zeekctl deploy

Note: the zeekctl configuration may need to be updated before first use. Especially the network interface used should be the correct one.

zeekctl(8) zeek-cut(1)

zeek was written by The Zeek Project <info@zeek.org>.