How to use the command zeek (with examples)

How to use the command zeek (with examples)

Zeek is a passive network traffic analyzer that allows users to analyze live network traffic from a network interface or from a pcap file. The command provides various options to customize the analysis process, such as loading custom scripts, applying filters, and enabling a watchdog timer.

Use case 1: Analyze live traffic from a network interface

Code:

sudo zeek --iface interface

Motivation: This use case is useful when you want to monitor network traffic in real-time, directly from a network interface. It provides insights into the network activity occurring on the specified interface, allowing you to detect and analyze potential security issues or anomalous behavior.

Explanation:

  • sudo: This command is executed with administrative privileges.
  • zeek: Invokes the zeek command.
  • --iface: Specifies the network interface from which to capture live traffic. Replace interface with the actual name of the interface.

Example Output: The command will start capturing and analyzing live network traffic from the specified interface, displaying analyzed data such as IP addresses, ports, protocols, and any other relevant information in real-time as packets are captured.

Use case 2: Analyze live traffic from a network interface and load custom scripts

Code:

sudo zeek --iface interface script1 script2

Motivation: By loading custom scripts, you can extend the functionality of Zeek and perform additional analysis on the live network traffic. This allows you to implement custom algorithms, add specific event handlers, or define new log formats to extract insights tailored to your needs.

Explanation:

  • sudo: This command is executed with administrative privileges.
  • zeek: Invokes the zeek command.
  • --iface: Specifies the network interface from which to capture live traffic. Replace interface with the actual name of the interface.
  • script1, script2: Specifies the custom scripts to load. Replace these with the actual scripts you want to use.

Example Output: The command will start capturing and analyzing live network traffic from the specified interface, applying the custom scripts specified. Any additional processing or logging defined in the custom scripts will be executed, and their respective output will be displayed.

Use case 3: Analyze live traffic from a network interface, without loading any scripts

Code:

sudo zeek --bare-mode --iface interface

Motivation: This use case is suitable when you want to perform a lightweight analysis of live network traffic without loading any additional scripts. It allows you to focus solely on the basic information captured by Zeek, such as IP addresses, MAC addresses, and protocols, without any additional processing or customizations.

Explanation:

  • sudo: This command is executed with administrative privileges.
  • zeek: Invokes the zeek command.
  • --bare-mode: Enables bare mode, which restricts the analysis to basic packet inspection without any additional processing.
  • --iface: Specifies the network interface from which to capture live traffic. Replace interface with the actual name of the interface.

Example Output: The command will start capturing and analyzing live network traffic from the specified interface in bare mode. It will only display basic packet information, such as source and destination IP addresses, MAC addresses, and protocols, without any additional processing or customizations.

Use case 4: Analyze live traffic from a network interface, applying a tcpdump filter

Code:

sudo zeek --filter path/to/filter --iface interface

Motivation: Applying a tcpdump filter allows you to focus the analysis on specific network traffic of interest. This is useful when you want to capture and analyze specific types of network traffic, such as packets from a particular IP address or port, to gain insights into specific network activities or troubleshoot connectivity issues.

Explanation:

  • sudo: This command is executed with administrative privileges.
  • zeek: Invokes the zeek command.
  • --filter: Specifies the path to a tcpdump filter file. Replace path/to/filter with the actual path to the filter file.
  • --iface: Specifies the network interface from which to capture live traffic. Replace interface with the actual name of the interface.

Example Output: The command will start capturing and analyzing live network traffic from the specified interface, but only packets matching the tcpdump filter specified in the filter file will be considered for analysis. Only the filtered packets will be displayed in the analysis output.

Use case 5: Analyze live traffic from a network interface using a watchdog timer

Code:

sudo zeek --watchdog --iface interface

Motivation: The watchdog timer feature helps ensure the continuous operation of Zeek by periodically checking for any hang or crash conditions. This allows you to run Zeek in a production environment with added reliability, as it automatically restarts if any issues are detected, preventing potential disruptions or loss of network traffic analysis.

Explanation:

  • sudo: This command is executed with administrative privileges.
  • zeek: Invokes the zeek command.
  • --watchdog: Enables the watchdog timer feature, which monitors and ensures the continuous operation of Zeek.
  • --iface: Specifies the network interface from which to capture live traffic. Replace interface with the actual name of the interface.

Example Output: The command will start capturing and analyzing live network traffic from the specified interface, while the watchdog timer continuously monitors the Zeek process. If any hang or crash conditions are detected, the watchdog timer will automatically restart the Zeek process, ensuring uninterrupted network traffic analysis.

Use case 6: Analyze traffic from a pcap file

Code:

zeek --readfile path/to/file.trace

Motivation: Analyzing traffic from a pcap file allows you to investigate historical network traffic and perform offline analysis. This is useful when you need to analyze network activity that occurred in the past or when you want to replay captured network traffic for forensic purposes.

Explanation:

  • zeek: Invokes the zeek command.
  • --readfile: Specifies the path to the pcap file to be analyzed. Replace path/to/file.trace with the actual path to the pcap file.

Example Output: The command will analyze the network traffic contained in the specified pcap file. It will process the packets in the file and display the analysis output, including relevant information such as IP addresses, ports, protocols, and any other details captured by Zeek during packet processing.

Conclusion:

Zeek is a powerful command-line utility for passive network traffic analysis. It provides rich functionality and flexibility to capture, analyze, and extract insights from live network traffic or pcap files. By understanding the various use cases and options available, you can leverage Zeek to monitor and analyze network traffic for security, performance, and troubleshooting purposes.

Related Posts

Managing Kubernetes Contexts with `kubectx` (with examples)

Managing Kubernetes Contexts with `kubectx` (with examples)

Introduction When working with multiple Kubernetes clusters or contexts, it’s important to have an easy way to switch between them.

Read More
warpd Command Examples (with examples)

warpd Command Examples (with examples)

1: Run warpd in normal mode warpd --normal Motivation: Running warpd in normal mode allows for the keyboard-driven manipulation of the pointer.

Read More
How to use the command systemd-dissect (with examples)

How to use the command systemd-dissect (with examples)

Systemd-dissect is a command that allows users to introspect and interact with file system OS disk images, specifically Discoverable Disk Images (DDIs).

Read More