FreeBSD Manual Pages

ZEEK(8)			System Administration Utilities		       ZEEK(8)

NAME
       zeek - passive network traffic analyzer

SYNOPSIS
       zeek  [options] [file ...]

DESCRIPTION
       Zeek is primarily a security monitor that inspects all traffic on a
       link in depth for signs of suspicious activity. More generally, however,
       Zeek supports a wide range of traffic analysis tasks even outside of the
       security domain, including performance measurements and helping with
       trouble-shooting.

       Zeek comes with built-in functionality for a range of analysis and
       detection tasks, including detecting malware by interfacing to external
       registries, reporting vulnerable versions of software seen on the
       network, identifying popular web applications, detecting SSH
       brute-forcing, validating SSL certificate chains, among others.

       You must have the necessary permissions to access the files or
       interfaces specified.

OPTIONS
       <file> policy file, or read stdin

       -a, --parse-only
	      exit immediately after parsing scripts

       -b, --bare-mode
              don't load scripts from the base/ directory

       -d, --debug-policy
	      activate policy file debugging

       -e, --exec <zeek code>
	      augment loaded policies by given code

       -f, --filter <filter>
	      tcpdump filter

       -h, --help|-?
	      command line help

       -i, --iface <interface>
              read from given interface

       -p, --prefix <prefix>
              add given prefix to policy file resolution

       -r, --readfile <readfile>
	      read from	given tcpdump file

       -s, --rulefile <rulefile>
	      read rules from given file

       -t, --tracefile <tracefile>
	      activate execution tracing

       -w, --writefile <writefile>
	      write to given tcpdump file

       -v, --version
              print version and exit

       -x, --print-state <file.bst>
              print contents of state file

       -C, --no-checksums
              When this option is set, Zeek ignores invalid packet checksums
              and processes the packets anyway. Furthermore, if this option is
              set, Zeek also processes IP packets with a zero total length
              field, which is typically caused by TCP segmentation offloading
              (TSO) on the NIC.

       -F, --force-dns
	      force DNS

       -I, --print-id <ID name>
              print out given ID

       -N, --print-plugins
              print available plugins and exit (-NN for verbose)

       -P, --prime-dns
	      prime DNS

       -Q, --time
	      print execution time summary to stderr

       -R, --replay <events.bst>
	      replay events

       -S, --debug-rules
	      enable rule debugging

       -T, --re-level <level>
	      set 'RE_level' for rules

       -U, --status-file <file>
	      Record process status in file

       -W, --watchdog
              activate watchdog timer

       -X, --zeekygen <cfgfile>
	      generate documentation based on config file

       --pseudo-realtime[=<speedup>]
              enable pseudo-realtime for performance evaluation (default 1)

       --load-seeds <file>
	      load seeds from given file

       --save-seeds <file>
	      save seeds to given file

       The following option is available only when Zeek is built with the
       --enable-debug configure option:

       -B, --debug <dbgstreams>
              Enable debugging output for selected streams ('-B help' for
              help)

       The following options are available only when Zeek is built with
       gperftools support (use the --enable-perftools and
       --enable-perftools-debug configure options):

       -m, --mem-leaks
	      show leaks

       -M, --mem-profile
	      record heap

ENVIRONMENT
       ZEEKPATH
	      file search path

       ZEEK_PLUGIN_PATH
	      plugin search path

       ZEEK_PLUGIN_ACTIVATE
              plugins to always activate

       ZEEK_PREFIXES
	      prefix list

       ZEEK_DNS_FAKE
	      disable DNS lookups

       ZEEK_SEED_FILE
	      file to load seeds from

       ZEEK_LOG_SUFFIX
              ASCII log file extension

       ZEEK_PROFILER_FILE
	      Output file for script execution statistics

       ZEEK_DISABLE_ZEEKYGEN
              Disable Zeekygen (Broxygen) documentation support

OUTPUT FORMAT
       Output is written to multiple files depending on configuration. The
       default location is the current directory.

       The output written by Zeek can be formatted in multiple ways using the
       logging framework.

       The default is files in human-readable (ASCII) format. The data is
       organized into tab-delimited columns and can be processed using, e.g.,
       the zeek-cut tool.
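
       As an added example that is not part of this man page or of the Zeek
       project: a small Python reader for the tab-delimited ASCII logs
       described above, which projects columns the way zeek-cut does. The
       conn.log content is constructed; the header directives it uses
       (#separator, #fields, #unset_field, #close) are the ones Zeek's ASCII
       log writer emits.

```python
# Added example, not part of the zeek(8) man page or the Zeek project: a reader
# for Zeek's default tab-delimited ASCII logs that projects columns like zeek-cut.
from collections import Counter
from typing import Dict, List, Optional
Record = Dict[str, Optional[str]]

# Constructed sample conn.log: header directives as Zeek writes them, 3 records.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval",
    "1415000000.100000\tCx1sample\t10.0.0.5\t51000\t192.0.2.10\t22\ttcp\tssh\t0.250",
    "1415000000.200000\tCx2sample\t10.0.0.5\t51001\t192.0.2.10\t22\ttcp\tssh\t-",
    "1415000001.300000\tCx3sample\t10.0.0.7\t53212\t192.0.2.53\t53\tudp\tdns\t0.010",
    "#close\t2014-11-03-12-00-00",
])

def parse_zeek_log(text: str) -> List[Record]:
    """One dict per record keyed by #fields; separator and unset marker come
    from the log's own header so non-default settings are honoured too."""
    sep, unset, fields = "\t", "-", []
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Zeek writes the separator escaped (e.g. \x09) after a single space.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            directive, _, value = line.partition(sep)
            if directive == "#fields":
                fields = value.split(sep)
            elif directive == "#unset_field":
                unset = value
        else:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"{len(values)} columns but {len(fields)} fields")
            # Unset columns ('-') become None so they are not mistaken for data.
            records.append({f: None if v == unset else v for f, v in zip(fields, values)})
    return records

def zeek_cut(records: List[Record], *columns: str) -> List[List[Optional[str]]]:
    """Project records onto the named columns, like `zeek-cut ts id.orig_h`."""
    return [[r[c] for c in columns] for r in records]

def count_by(records: List[Record], column: str) -> Counter:
    """Count records per distinct value of a column, e.g. connections per host."""
    return Counter(r[column] for r in records)
```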

EXAMPLES
       Read a capture file and generate the default logs:
           # zeek -r test-capture.pcap

       When running on live traffic, Zeek is usually started by running
       zeekctl. To configure Zeek with an initial configuration, install, and
       restart:
           # zeekctl deploy

       Note: the zeekctl configuration may need to be updated before first
       use. In particular, the network interface used should be the correct one.

SEE ALSO
       zeekctl(8), zeek-cut(1)

AUTHOR
       zeek was written by The Zeek Project <info@zeek.org>.

zeek				 November 2014			       ZEEK(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=zeek&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>