ZEEK(8) System Administration Utilities ZEEK(8)

NAME
    zeek - passive network traffic analyzer

SYNOPSIS
    zeek [options] [file ...]

DESCRIPTION
    Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurement and troubleshooting.

    Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, and validating SSL certificate chains, among others.

    You must have the necessary permissions to access the files or interfaces specified.

OPTIONS
    <file>
        policy file, or read stdin
    exit immediately after parsing scripts
    don't load scripts from the base/ directory
    activate policy file debugging
    augment loaded policies by given code
    tcpdump filter
    command line help
    read from given interface
    add given prefix to policy file resolution
    read from given tcpdump file
    read rules from given file
    activate execution tracing
    write to given tcpdump file
    print version and exit
    print contents of state file
    ignore invalid packet checksums: when this option is set, Zeek ignores invalid packet checksums and still processes those packets. It also processes IP packets with a zero total-length field, which is typically caused by TSO (TCP Segmentation Offload) on the NIC.
    force DNS
    print out given ID
    print available plugins and exit (-NN for verbose)
    prime DNS
    print execution time summary to stderr
    replay events
    enable rule debugging
    set 'RE_level' for rules
    record process status in file
    activate watchdog timer
    generate documentation based on config file
    enable pseudo-realtime for performance evaluation (default 1)
    load seeds from given file
    save seeds to given file
    enable debugging output for selected streams ('-B help' for help)
    show leaks
    record heap

ENVIRONMENT
    file search path
    plugin search path
    plugins to always activate
    prefix list
    disable DNS lookups
    file to load seeds from
    ASCII log file extension
    output file for script execution statistics
    disable Zeekygen (Broxygen) documentation support

OUTPUT
    Output is written to multiple files depending on configuration. The default location is the current directory.

    The output written by Zeek can be formatted in multiple ways using the logging framework.

    The default is a set of human-readable (ASCII) files. The data is organized into tab-delimited columns and can be processed with tools such as zeek-cut.
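To show what a reader of those tab-delimited ASCII logs has to handle, here is an added example (not code from the Zeek project) that parses the header directives Zeek writes at the top of every ASCII log (#separator, #set_separator, #empty_field, #unset_field, #fields, #types) and converts each row according to the declared types, distinguishing unset fields from empty sets the way zeek-cut does not. The conn.log excerpt embedded in it is constructed for the example; the UIDs, addresses and timestamps are made up, and the cut() and bytes_per_origin() helpers are illustrative names, not Zeek tooling.

```python
"""Reader for Zeek's default tab-delimited ASCII logs (added example, not Zeek code).

Every Zeek ASCII log starts with '#'-prefixed header directives that describe
how the rows are encoded (#separator, #set_separator, #empty_field,
#unset_field, #fields, #types). Honouring them is what distinguishes a correct
reader from a naive split-on-tab, which mishandles unset values and sets.
"""
from typing import Any, Dict, Iterable, Iterator, List

# Constructed sample resembling a trimmed conn.log (addresses are RFC 5737 test ranges).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tset[string]
1425000000.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.7\t443\ttcp\tssl\t12.5\t1024\t8192\tSF\t-
1425000001.000000\tCGh3F92CdW7rQz1v7\t192.0.2.11\t53444\t198.51.100.53\t53\tudp\tdns\t-\t-\t-\tS0\t(empty)
#close\t2015-02-27-00-00-10
"""


def _unescape(value: str) -> str:
    """Header values like '\\x09' are written escaped; turn them into real characters."""
    return value.encode("ascii").decode("unicode_escape")


def _convert_scalar(value: str, ztype: str) -> Any:
    """Map a Zeek scalar type name to a Python value."""
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum and friends stay as text


def _convert(value: str, ztype: str, hdr: Dict[str, str]) -> Any:
    """Apply unset/empty markers first, then sets/vectors, then scalars."""
    if value == hdr["unset_field"]:
        return None
    is_container = ztype.startswith(("set[", "vector["))
    if value == hdr["empty_field"]:
        return [] if is_container else ""
    if is_container:
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert_scalar(v, inner) for v in value.split(hdr["set_separator"])]
    return _convert_scalar(value, ztype)


def parse_zeek_log(lines: Iterable[str]) -> Iterator[Dict[str, Any]]:
    """Yield one dict per data row, keyed by the names from the #fields line."""
    hdr = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields: List[str] = []
    types: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is the only one delimited by a space, not the separator itself.
                hdr["separator"] = _unescape(line.split(" ", 1)[1])
                continue
            key, _, val = line[1:].partition(hdr["separator"])
            if key == "fields":
                fields = val.split(hdr["separator"])
            elif key == "types":
                types = val.split(hdr["separator"])
            elif key in hdr:
                hdr[key] = val
            continue  # #path, #open, #close carry no row data
        if not fields or len(fields) != len(types):
            raise ValueError("data row seen before a consistent #fields/#types header")
        cols = line.split(hdr["separator"])
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        yield {n: _convert(v, t, hdr) for n, v, t in zip(fields, cols, types)}


def cut(records: Iterable[Dict[str, Any]], *names: str) -> List[Dict[str, Any]]:
    """Keep only the named columns, in the spirit of zeek-cut (illustrative helper)."""
    return [{n: r.get(n) for n in names} for r in records]


def bytes_per_origin(records: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Sum orig_bytes per originating host; unset (None) counts as zero."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r["id.orig_h"]] = totals.get(r["id.orig_h"], 0) + (r["orig_bytes"] or 0)
    return totals


if __name__ == "__main__":
    rows = list(parse_zeek_log(SAMPLE_CONN_LOG.splitlines(keepends=True)))
    for row in cut(rows, "ts", "id.orig_h", "id.resp_p", "service", "duration"):
        print(row)
    print(bytes_per_origin(rows))
```

The point of reading #unset_field and #empty_field from the header rather than hard-coding "-" and "(empty)" is that both are configurable in the logging framework; a reader that assumes the defaults silently turns an unset duration into the string "-" and an empty set into a one-element list, which skews any statistics computed downstream.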

EXAMPLES
    Read a capture file and generate the default logs:

        # zeek -r test-capture.pcap

    When running on live traffic, Zeek is usually started by running zeekctl. To configure Zeek with an initial configuration, install it, and restart:

        # zeekctl deploy

    Note: the zeekctl configuration may need to be updated before first use. In particular, make sure the configured network interface is the correct one.

SEE ALSO
    zeekctl(8), zeek-cut(1)

AUTHOR
    zeek was written by The Zeek Project <info@zeek.org>.

November 2014 zeek
