FreeBSD Manual Pages
ZEEK(8)                 System Administration Utilities                ZEEK(8)

NAME
       zeek - passive network traffic analyzer

SYNOPSIS
       zeek [options] [file ...]

DESCRIPTION
       Zeek is primarily a security monitor that inspects all traffic on a
       link in depth for signs of suspicious activity. More generally,
       however, Zeek supports a wide range of traffic analysis tasks even
       outside of the security domain, including performance measurements
       and helping with trouble-shooting.

       Zeek comes with built-in functionality for a range of analysis and
       detection tasks, including detecting malware by interfacing to
       external registries, reporting vulnerable versions of software seen
       on the network, identifying popular web applications, detecting SSH
       brute-forcing, validating SSL certificate chains, among others.

       You must have the necessary permissions to access the files or
       interfaces specified.

OPTIONS
       <file>
              policy file, or read stdin

       -a, --parse-only
              exit immediately after parsing scripts

       -b, --bare-mode
              don't load scripts from the base/ directory

       -d, --debug-policy
              activate policy file debugging

       -e, --exec <zeek code>
              augment loaded policies by given code

       -f, --filter <filter>
              tcpdump filter

       -h, --help|-?
              command line help

       -i, --iface <interface>
              read from given interface

       -p, --prefix <prefix>
              add given prefix to policy file resolution

       -r, --readfile <readfile>
              read from given tcpdump file

       -s, --rulefile <rulefile>
              read rules from given file

       -t, --tracefile <tracefile>
              activate execution tracing

       -w, --writefile <writefile>
              write to given tcpdump file

       -v, --version
              print version and exit

       -x, --print-state <file.bst>
              print contents of state file

       -C, --no-checksums
              When this option is set, Zeek ignores invalid packet
              checksums and does process the packets. Furthermore, if this
              option is set Zeek also processes IP packets with a zero
              total length field, which is typically caused by TSO (TCP
              Segment Offloading) on the NIC.
       -F, --force-dns
              force DNS

       -I, --print-id <ID name>
              print out given ID

       -N, --print-plugins
              print available plugins and exit (-NN for verbose)

       -P, --prime-dns
              prime DNS

       -Q, --time
              print execution time summary to stderr

       -R, --replay <events.bst>
              replay events

       -S, --debug-rules
              enable rule debugging

       -T, --re-level <level>
              set 'RE_level' for rules

       -U, --status-file <file>
              Record process status in file

       -W, --watchdog
              activate watchdog timer

       -X, --zeekygen <cfgfile>
              generate documentation based on config file

       --pseudo-realtime[=<speedup>]
              enable pseudo-realtime for performance evaluation (default 1)

       --load-seeds <file>
              load seeds from given file

       --save-seeds <file>
              save seeds to given file

       The following option is available only when Zeek is built with the
       --enable-debug configure option:

       -B, --debug <dbgstreams>
              Enable debugging output for selected streams ('-B help' for
              help)

       The following options are available only when Zeek is built with
       gperftools support (use the --enable-perftools and
       --enable-perftools-debug configure options):

       -m, --mem-leaks
              show leaks

       -M, --mem-profile
              record heap

ENVIRONMENT
       ZEEKPATH
              file search path

       ZEEK_PLUGIN_PATH
              plugin search path

       ZEEK_PLUGIN_ACTIVATE
              plugins to always activate

       ZEEK_PREFIXES
              prefix list

       ZEEK_DNS_FAKE
              disable DNS lookups

       ZEEK_SEED_FILE
              file to load seeds from

       ZEEK_LOG_SUFFIX
              ASCII log file extension

       ZEEK_PROFILER_FILE
              Output file for script execution statistics

       ZEEK_DISABLE_ZEEKYGEN
              Disable Zeekygen (Broxygen) documentation support

OUTPUT FORMAT
       Output is written in multiple files depending on configuration. The
       default location is the current directory.

       The output written by Zeek can be formatted in multiple ways using
       the logging framework. The default are files in human-readable
       (ASCII) format. The data is organized into columns (tab-delimited).
       The data can be processed using, e.g., the zeek-cut tool.
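Because the default logs are tab-delimited ASCII with a self-describing header, they can be consumed directly without zeek-cut. The parser below is an added example and is not part of this manual page or of the Zeek distribution. The conn.log fragment it reads is constructed (made-up timestamps, UIDs and addresses), and the code assumes the header lines Zeek's ASCII writer emits by default (#separator, #set_separator, #empty_field, #unset_field, #path, #fields, #types). It types each column from the #types line, honours the unset and empty markers declared in the header, selects columns by name the way zeek-cut does, and ends with a tally of SSH connections per origin host, the kind of per-host summary an SSH brute-forcing check starts from.

```python
"""Parse Zeek's tab-delimited ASCII log format (added example, not Zeek's code)."""
from __future__ import annotations

from collections import Counter

# Constructed conn.log fragment in Zeek's default ASCII layout. Every value
# (timestamps, UIDs, addresses, byte counts) is invented for this example.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2024-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\thistory\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tstring\tset[string]",
    "1704067200.000000\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t22\ttcp\tssh"
    "\t0.512\t1024\t2048\tSF\tShAdDaFf\t-",
    "1704067201.000000\tCabc2\t10.0.0.5\t51235\t192.0.2.10\t22\ttcp\tssh"
    "\t0.498\t1100\t2000\tSF\tShAdDaFf\tCxyz1,Cxyz2",
    "1704067202.000000\tCabc3\t10.0.0.5\t51236\t192.0.2.10\t22\ttcp\t-"
    "\t-\t-\t-\tS0\tS\t-",
    "1704067203.000000\tCabc4\t10.0.0.7\t40000\t192.0.2.20\t80\ttcp\thttp"
    "\t1.25\t300\t5000\tSF\tShADadFf\t(empty)",
    "#close\t2024-01-01-00-00-05",
])


def _unescape(sep: str) -> str:
    # The "#separator" line writes the separator as a \xHH escape; decode it.
    return bytes(sep, "ascii").decode("unicode_escape")


def _convert(val: str, typ: str, set_sep: str, empty: str, unset: str):
    """Turn one column string into a Python value according to its Zeek type."""
    if val == unset:
        return None                      # field was never set for this record
    if typ.startswith(("set[", "vector[")):
        inner = typ[typ.index("[") + 1:-1]
        if val == empty:
            return []                    # container present but has no members
        return [_convert(v, inner, set_sep, empty, unset) for v in val.split(set_sep)]
    if val == empty:
        return ""
    if typ in ("time", "interval", "double"):
        return float(val)
    if typ in ("count", "int", "port"):
        return int(val)
    if typ == "bool":
        return val == "T"
    return val                           # string, addr, enum, subnet: keep text


def parse_zeek_log(text: str):
    """Return (header metadata, list of typed records) for an ASCII Zeek log."""
    meta: dict[str, str] = {}
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: list[str] = []
    types: list[str] = []
    records: list[dict] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            sep = _unescape(raw[len("#separator "):])
            meta["separator"] = sep
            continue
        if raw.startswith("#"):          # remaining header lines: "#key<sep>value"
            key, _, value = raw[1:].partition(sep)
            meta[key] = value
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue
        cols = raw.split(sep)
        if len(cols) != len(fields):    # refuse malformed rows instead of misaligning columns
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {raw!r}")
        records.append({n: _convert(v, t, set_sep, empty, unset)
                        for n, v, t in zip(fields, cols, types)})
    return meta, records


def cut(records: list[dict], names: list[str]) -> list[list]:
    """Select named columns from parsed records, as zeek-cut does on the raw file."""
    return [[rec[n] for n in names] for rec in records]


def ssh_attempts_by_origin(records: list[dict]) -> Counter:
    """Count connections whose service was identified as ssh, per origin host."""
    tally: Counter = Counter()
    for rec in records:
        if rec["service"] == "ssh":      # None (unset service) never matches
            tally[rec["id.orig_h"]] += 1
    return tally


if __name__ == "__main__":
    meta, recs = parse_zeek_log(SAMPLE_CONN_LOG)
    print(meta["path"], len(recs), "records")
    for row in cut(recs, ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "service"]):
        print(*row, sep="\t")
    print(dict(ssh_attempts_by_origin(recs)))
```

Reading the markers from the header rather than hard-coding `-` and `(empty)` matters because a deployment can change them in the logging framework, and a parser that assumes the defaults would silently turn an unset field into the literal string "-".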
EXAMPLES
       Read a capture file and generate the default logs:

              # zeek -r test-capture.pcap

       When running on live traffic, Zeek is usually started by running
       zeekctl. To configure Zeek with an initial configuration, install,
       and restart:

              # zeekctl deploy

       Note: the zeekctl configuration may need to be updated before first
       use. Especially the network interface used should be the correct
       one.

SEE ALSO
       zeekctl(8) zeek-cut(1)

AUTHOR
       zeek was written by The Zeek Project <info@zeek.org>.

zeek                            November 2014                          ZEEK(8)
<https://man.freebsd.org/cgi/man.cgi?query=zeek&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>