zeek(8)                 System Administration Utilities                zeek(8)




NAME

       zeek - passive network traffic analyzer


SYNOPSIS

       zeek  [options] [file ...]


DESCRIPTION

       Zeek  is  primarily  a  security monitor that inspects all traffic on a
       link in depth for signs of suspicious activity. More generally, however,
       Zeek supports a wide range of traffic analysis tasks even outside of the
       security domain, including performance measurements  and  helping  with
       troubleshooting.

       Zeek  comes  with  built-in  functionality  for a range of analysis and
       detection tasks, including detecting malware by interfacing to external
       registries,  reporting vulnerable versions of software seen on the net-
       work, identifying popular web applications, detecting  SSH  brute-forc-
       ing, validating SSL certificate chains, among others.

       You must have the necessary permissions to access the files  or  inter-
       faces specified.


OPTIONS

       <file>
              policy file, or read stdin

       -a, --parse-only
              exit immediately after parsing scripts

       -b, --bare-mode
              don't load scripts from the base/ directory

       -d, --debug-policy
              activate policy file debugging

       -e, --exec <zeek code>
              augment loaded policies by given code

       -f, --filter <filter>
              tcpdump filter

       -h, --help|-?
              command line help

       -i, --iface <interface>
              read from given interface

       -p, --prefix <prefix>
              add given prefix to policy file resolution

       -r, --readfile <readfile>
              read from given tcpdump file

       -s, --rulefile <rulefile>
              read rules from given file

       -t, --tracefile <tracefile>
              activate execution tracing

       -w, --writefile <writefile>
              write to given tcpdump file

       -v, --version
              print version and exit

       -x, --print-state <file.bst>
              print contents of state file

       -C, --no-checksums
              ignore checksums

       -F, --force-dns
              force DNS

       -I, --print-id <ID name>
              print out given ID

       -N, --print-plugins
              print available plugins and exit (-NN for verbose)

       -P, --prime-dns
              prime DNS

       -Q, --time
              print execution time summary to stderr

       -R, --replay <events.bst>
              replay events

       -S, --debug-rules
              enable rule debugging

       -T, --re-level <level>
              set 'RE_level' for rules

       -U, --status-file <file>
              record process status in file

       -W, --watchdog
              activate watchdog timer

       -X, --zeekygen <cfgfile>
              generate documentation based on config file

       --pseudo-realtime[=<speedup>]
              enable pseudo-realtime for performance evaluation (default 1)

       --load-seeds <file>
              load seeds from given file

       --save-seeds <file>
              save seeds to given file

       The following option is available only when  Zeek  is  built  with  the
       --enable-debug configure option:

       -B, --debug <dbgstreams>
              Enable debugging output for  selected  streams  ('-B  help'  for
              help)

       The  following  options  are  available  only  when  Zeek is built with
       gperftools     support     (use     the     --enable-perftools      and
       --enable-perftools-debug configure options):

       -m, --mem-leaks
              show leaks

       -M, --mem-profile
              record heap


ENVIRONMENT

       ZEEKPATH
              file search path

       ZEEK_PLUGIN_PATH
              plugin search path

       ZEEK_PLUGIN_ACTIVATE
              plugins to always activate

       ZEEK_PREFIXES
              prefix list

       ZEEK_DNS_FAKE
              disable DNS lookups

       ZEEK_SEED_FILE
              file to load seeds from

       ZEEK_LOG_SUFFIX
              ASCII log file extension

       ZEEK_PROFILER_FILE
              Output file for script execution statistics

       ZEEK_DISABLE_ZEEKYGEN
              Disable Zeekygen (Broxygen) documentation support


OUTPUT FORMAT

       Output  is  written  in  multiple files depending on configuration. The
       default location is the current directory.

       The output written by Zeek can be formatted in multiple ways using  the
       logging framework.

       The default is a set of files in human-readable (ASCII) format. The data
       is organized into tab-delimited columns and can be processed with, e.g.,
       the zeek-cut tool.
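       As an added example (not part of this man page or of the Zeek distribution), a
       small Python reader for the tab-delimited ASCII logs described above, plus a
       cut() helper that selects columns the way zeek-cut does. The conn.log it parses
       is constructed; the #separator, #fields, #types, #empty_field and #unset_field
       header lines follow the layout written by Zeek's ASCII logger.

```python
# Constructed sample of a Zeek ASCII conn.log (values invented). "#separator" names
# the delimiter as an escape sequence; every later header line and record uses it.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tstring\n"
    "1629128297.123456\tCAbc123\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t0.512\t1024\tSF\n"
    "1629128298.000000\tCDef456\t10.0.0.7\t40001\t10.0.0.1\t22\ttcp\t-\t-\t0\tS0\n"
    "1629128299.500000\tCGhi789\t10.0.0.9\t5353\t224.0.0.251\t5353\tudp\t(empty)\t-\t80\tS0\n"
    "#close\t2021-08-16-11-38-20\n"
)

def _convert(value, ztype, meta):
    """Map one column to a Python value: unset ('-') -> None, empty -> '' or []."""
    if value == meta["unset_field"]:
        return None
    if ztype.startswith(("set[", "vector[")):  # multi-valued columns use set_separator
        return [] if value == meta["empty_field"] else value.split(meta["set_separator"])
    if value == meta["empty_field"]:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    return value  # addr, subnet, enum, string and bool stay as text

def parse_zeek_log(text):
    """Return (field names, list of typed records) for one Zeek ASCII log."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields, types, records = [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):  # value is an escape such as \x09
            meta["separator"] = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):  # remaining headers are "#key<separator>value"
            key, _, val = line[1:].partition(meta["separator"])
            if key == "fields":
                fields = val.split(meta["separator"])
            elif key == "types":
                types = val.split(meta["separator"])
            elif key in meta:
                meta[key] = val  # #set_separator, #empty_field, #unset_field
        elif line:  # a record: one column per #fields entry, in order
            cols = line.split(meta["separator"])
            if len(cols) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
            records.append({f: _convert(v, t, meta) for f, v, t in zip(fields, cols, types)})
    return fields, records

def cut(records, *names):
    """Select columns by name, the way `zeek-cut ts id.orig_h ...` does."""
    return [tuple(r[n] for n in names) for r in records]
```

       A record whose column count does not match the #fields header raises
       ValueError rather than being silently misaligned.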




EXAMPLES

       Read a capture file and generate the default logs:
           # zeek -r test-capture.pcap

       When running on live traffic, Zeek is usually started through  zeekctl.
       To apply an initial configuration, install it, and restart Zeek:
           # zeekctl deploy

       Note: the zeekctl configuration may need to be updated  before  first
       use. In particular, the network interface to monitor must be set  cor-
       rectly.


SEE ALSO

       zeekctl(8) zeek-cut(1)


AUTHOR

       zeek was written by The Zeek Project <info@zeek.org>.



zeek                             November 2014                         zeek(8)

zeek 4.1.0 - Generated Mon Aug 16 11:38:17 CDT 2021