
Linux command

zeek command


After copying a command, replace the file names, directories, or parameters as needed.

Common examples

Analyze a pcap file

zeek -r [capture.pcap]

Analyze pcap with specific script

zeek -r [capture.pcap] [script.zeek]

Capture live traffic on interface

sudo zeek -i [eth0]

Run with local site policy

zeek -r [capture.pcap] local

Print version and exit

zeek --version

Description

Zeek (formerly Bro) is a powerful network analysis framework focused on security monitoring. Unlike packet sniffers that show raw traffic, Zeek interprets network activity and generates high-level logs about connections, protocols, and detected threats. Zeek processes network traffic (live or from pcap files) and produces structured logs: conn.log for connections, http.log for HTTP traffic, dns.log for DNS queries, ssl.log for TLS connections, and many more. The tool uses a custom scripting language for defining analysis logic. Scripts can detect intrusions, extract files from traffic, identify protocols, and generate custom logs. The local.zeek policy loads site-specific configurations. Output logs are tab-separated by default, easily parsed by tools like zeek-cut or imported into SIEM systems.

Options

-r _file_
Read packets from a pcap file.
-i _interface_
Capture from a network interface.
-C
Ignore checksum errors.
-e _code_
Execute Zeek script code.
-f _filter_
Apply a BPF filter.
-N
List all available plug-ins and exit.
-w _file_
Write raw packets to a file.
-b, --bare-mode
Don't load scripts from the base/ directory.
--parse-only
Parse scripts and exit.
--version
Print version and exit.

FAQ

What is the zeek command used for?

Zeek (formerly Bro) is a network analysis framework focused on security monitoring: it interprets traffic (live or from pcap files) and writes structured, tab-separated logs such as conn.log, http.log, dns.log and ssl.log, with analysis logic defined in its own scripting language. See the description section above for details.

How do I run a basic zeek example?

Run `zeek -r [capture.pcap]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does -r _file_ do in zeek?

Reads packets from the given pcap file instead of capturing from a live interface.