How to use the command zeek (with examples)
Zeek is a passive network traffic analyzer. It reads packets either live from a network interface or from a pcap file, reassembles them into connections and application-layer sessions, and writes what it sees as tab-separated log files (conn.log, dns.log, http.log, ssl.log, weird.log and more) in the current working directory. The command line lets you load additional scripts, restrict the capture with a BPF (tcpdump-style) filter, start in bare mode without the default scripts, and arm a watchdog timer.
Use case 1: Analyze live traffic from a network interface
Code:
sudo zeek --iface interface
Motivation: Capturing directly from an interface is how Zeek runs as a network security monitor. Every connection crossing the interface is summarized in conn.log, and protocol-specific logs record DNS queries, HTTP requests, TLS handshakes and similar activity, giving you the raw material for detecting and investigating suspicious behavior as it happens.
Explanation:
sudo: Runs Zeek with root privileges. Opening an interface for packet capture requires root (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities on the zeek binary); reading a pcap file does not.
zeek: Invokes the Zeek binary.
--iface (short form -i): Specifies the network interface to capture from; only one interface may be given. Replace interface with the actual interface name, for example eth0.
Example Output: Zeek prints a short startup message, then captures from the interface until it is stopped (for example with Ctrl-C). The analysis is not printed to the terminal; it is written as tab-separated log files in the current working directory: conn.log with one line per connection (endpoints, ports, protocol, bytes, connection state), protocol logs such as dns.log, http.log and ssl.log, and weird.log for protocol anomalies. Run it from a directory where the logs should land.
Use case 2: Analyze live traffic from a network interface and load custom scripts
Code:
sudo zeek --iface interface script1 script2
Motivation: Zeek's default behavior is itself implemented in scripts, and loading your own extends it. A script can add event handlers for protocol events, raise notices, define new log streams, or tune the existing ones, so the logs carry exactly the information your environment needs.
Explanation:
sudo: Runs Zeek with the privileges needed to open the interface.
zeek: Invokes the Zeek binary.
--iface (short form -i): Specifies the network interface to capture from. Replace interface with the actual interface name.
script1, script2: Zeek scripts to load, given as positional arguments. Each is either a path to a .zeek file or a script name resolved through ZEEKPATH, such as local (the site policy) or policy/tuning/json-logs. They are loaded after the base scripts, so they add to the default logs rather than replacing them.
Example Output: Zeek captures as in use case 1 and additionally runs the event handlers in the given scripts. Notices they raise appear in notice.log, and any log streams they create are written alongside the default logs in the current directory. A syntax error in a script stops Zeek at startup with the file and line reported.
Use case 3: Analyze live traffic from a network interface, without loading any scripts
Code:
sudo zeek --bare-mode --iface interface
Motivation: Bare mode starts Zeek without the scripts under share/zeek/base, which are what register the default protocol logging, the notice framework and the standard logs. It is the right mode for testing a script in isolation, for reproducing a problem with a minimal configuration, or for a deliberately stripped-down deployment that only @loads what it needs. It is not a lighter form of packet summary: with nothing loaded, Zeek produces almost no output at all.
Explanation:
sudo: Runs Zeek with the privileges needed to open the interface.
zeek: Invokes the Zeek binary.
--bare-mode (short form -b): Loads only Zeek's core definitions and skips the base/ scripts. Anything else must be loaded explicitly, either with @load inside a script or as a positional argument on the command line.
--iface (short form -i): Specifies the network interface to capture from. Replace interface with the actual interface name.
Example Output: Zeek starts and captures from the interface, but no conn.log, dns.log or other default logs are written, because the scripts that define them are not loaded. Only logs produced by scripts you load yourself appear; to get conn.log back in bare mode you would @load base/protocols/conn explicitly.
Use case 4: Analyze live traffic from a network interface, applying a tcpdump filter
Code:
sudo zeek --filter 'filter_expression' --iface interface
Motivation: A capture filter restricts which packets reach Zeek at all, so the analysis and the resulting logs cover only the traffic you care about, for example one host, one port or one protocol. This reduces load on a busy link and keeps the logs focused when you are investigating a specific host or troubleshooting connectivity.
Explanation:
sudo: Runs Zeek with the privileges needed to open the interface.
zeek: Invokes the Zeek binary.
--filter (short form -f): A tcpdump/BPF filter expression given directly on the command line (not the path to a file), for example 'port 53' or 'host 10.0.0.5'. Zeek installs it as its capture filter in place of the default one. Quote the expression so the shell passes it as a single argument.
--iface (short form -i): Specifies the network interface to capture from. Replace interface with the actual interface name.
Example Output: Zeek captures from the interface, but only packets matching the filter are processed, so conn.log and the protocol logs contain only the matching traffic. Because the filter is applied per packet, keep it symmetric enough to admit both directions of a connection (for example 'port 443' rather than 'dst port 443'); otherwise Zeek sees half-connections and reports them with odd connection states.
Use case 5: Analyze live traffic from a network interface using a watchdog timer
Code:
sudo zeek --watchdog --iface interface
Motivation: In a long-running deployment a Zeek process that has stalled (stuck in a pathological packet or an endless script loop) is worse than one that has died, because it silently stops producing logs while still looking alive. The watchdog turns a stall into a clean failure that an external supervisor can detect and act on.
Explanation:
sudo: Runs Zeek with the privileges needed to open the interface.
zeek: Invokes the Zeek binary.
--watchdog (short form -W): Arms Zeek's internal watchdog timer. If the process stops making progress on the packet stream for longer than the script-level watchdog_interval (10 seconds by default, changeable with redef), the watchdog reports the expiry and terminates the process.
--iface (short form -i): Specifies the network interface to capture from. Replace interface with the actual interface name.
Example Output: Zeek captures and logs as in use case 1. If it ever stalls for longer than watchdog_interval, it writes a watchdog-expired message to stderr and exits rather than hanging. Zeek does not restart itself; restarting is the job of a supervisor such as ZeekControl's cron job or a systemd unit with a restart policy, which is why the watchdog is normally combined with one of those.
Use case 6: Analyze traffic from a pcap file
Code:
zeek --readfile path/to/file.trace
Motivation: Reading a pcap lets you analyze traffic after the fact: a capture taken during an incident, a sample from a malware sandbox, or a file shared by another team. The same scripts and logs apply as for live capture, so offline analysis is also the easiest way to develop and test scripts before deploying them on a live sensor.
Explanation:
zeek: Invokes the Zeek binary. No sudo is needed, since reading a file does not require capture privileges.
--readfile (short form -r): Specifies the pcap file to analyze. Replace path/to/file.trace with the actual path; any libpcap-readable capture works regardless of its extension.
Example Output: Zeek processes the whole file as fast as it can and then exits, writing conn.log, dns.log, http.log and the other logs into the current directory with timestamps taken from the capture, not from the wall clock. If the capture was taken on a host with checksum offloading, many packets will carry bad checksums and Zeek will drop them without analysis; add --no-checksums (short form -C) so they are processed.
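The following is an added example, not code from the page above or from the Zeek project. It ties together use cases 2, 4 and 6: it builds the zeek command line for offline analysis of a pcap (scripts as positional arguments, --filter as a BPF expression, --no-checksums for offloaded captures), runs it in a fresh directory because Zeek writes its logs to the current working directory, and then parses the resulting conn.log using Zeek's own header lines. It relies only on the documented options; the sample log SAMPLE_CONN_LOG is constructed with a subset of the real conn.log fields, and the port-scan heuristic is illustrative.

```python
"""Run Zeek offline against a pcap and summarise the conn.log it writes.

Added example, not from the Zeek project. Assumes only the documented zeek
options; SAMPLE_CONN_LOG below is constructed, not a real capture.
"""
import os
import subprocess
import sys
import tempfile
from collections import defaultdict


def zeek_argv(pcap, scripts=(), bpf_filter=None, ignore_checksums=True):
    """Build the zeek command line for offline analysis of a pcap."""
    argv = ["zeek", "--readfile", pcap]
    if ignore_checksums:
        # Captures from a host with checksum offloading carry bad checksums;
        # without -C Zeek discards those packets instead of analysing them.
        argv.append("--no-checksums")
    if bpf_filter:
        argv += ["--filter", bpf_filter]   # a BPF expression, not a file path
    argv += list(scripts)                  # positional args are scripts to load
    return argv


def run_zeek(pcap, scripts=(), bpf_filter=None):
    """Run zeek in a fresh directory (it writes its *.log files to the cwd)."""
    workdir = tempfile.mkdtemp(prefix="zeek-")
    subprocess.run(zeek_argv(os.path.abspath(pcap), scripts, bpf_filter),
                   cwd=workdir, check=True)
    return workdir


def parse_zeek_log(text):
    """Parse Zeek's TSV log format into a list of dicts.

    The '#' header declares the separator (as an escape such as \\x09), the
    unset ('-') and empty markers, and the field names. Unset -> None, empty -> ''.
    """
    sep, unset, empty, fields, rows = "\t", "-", "(empty)", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#empty_field"):
            empty = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):        # #set_separator, #path, #types, #open, #close
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append({name: None if v == unset else ("" if v == empty else v)
                         for name, v in zip(fields, line.split(sep))})
    return rows


def summarize_conn(rows):
    """Per originator host: connection count and bytes sent (unset counts skipped)."""
    out = defaultdict(lambda: {"conns": 0, "bytes_out": 0})
    for r in rows:
        out[r["id.orig_h"]]["conns"] += 1
        if r["orig_bytes"] is not None:
            out[r["id.orig_h"]]["bytes_out"] += int(r["orig_bytes"])
    return dict(out)


def possible_scanners(rows, min_ports=3):
    """Hosts with failed attempts (conn_state S0 or REJ) to >= min_ports distinct
    responder ports: a simple, illustrative port-scan heuristic."""
    ports = defaultdict(set)
    for r in rows:
        if r["conn_state"] in ("S0", "REJ"):
            ports[r["id.orig_h"]].add(r["id.resp_p"])
    return sorted(h for h, p in ports.items() if len(p) >= min_ports)


# Constructed sample in Zeek's real header layout (subset of conn.log fields).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.000000\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp\thttp\t0.5\t450\t1200\tSF
1700000001.000000\tCabc2\t10.0.0.5\t51001\t10.0.0.9\t443\ttcp\tssl\t1.2\t900\t5000\tSF
1700000002.000000\tCabc3\t10.0.0.7\t40000\t10.0.0.9\t22\ttcp\t-\t-\t-\t-\tS0
1700000002.100000\tCabc4\t10.0.0.7\t40001\t10.0.0.9\t23\ttcp\t-\t-\t-\t-\tREJ
1700000002.200000\tCabc5\t10.0.0.7\t40002\t10.0.0.9\t3389\ttcp\t-\t-\t-\t-\tS0
#close\t2023-11-14-22-13-22
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real run: zeek must be installed
        workdir = run_zeek(sys.argv[1], scripts=sys.argv[2:])
        with open(os.path.join(workdir, "conn.log")) as f:
            conns = parse_zeek_log(f.read())
    else:                                      # offline demo on the constructed log
        conns = parse_zeek_log(SAMPLE_CONN_LOG)
    for host, s in summarize_conn(conns).items():
        print(f"{host}: {s['conns']} connections, {s['bytes_out']} bytes sent")
    print("possible scanners:", possible_scanners(conns))
```

Run it with no arguments to see the parser and heuristics work on the constructed log; run it as python3 script.py capture.pcap local to analyze a real capture with Zeek installed. The parser is driven entirely by the #separator, #unset_field, #empty_field and #fields header lines, so it works unchanged on any Zeek log and on the full conn.log field list, not just the subset in the sample.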
Conclusion:
Zeek is a powerful command-line tool for passive network traffic analysis. Whether it reads from a live interface or a pcap file, it turns raw packets into structured, per-connection and per-protocol logs, and its scripting layer, capture filters, bare mode and watchdog let you shape both what is analyzed and how the process behaves in production. Knowing these options lets you use Zeek for security monitoring, incident investigation and troubleshooting alike.