# Zeek — Powerful Network Analysis Framework for Security Monitoring

> A passive network traffic analyzer that turns raw packets into structured logs, enabling security monitoring, forensics, and protocol analysis at scale.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

# Zeek — Powerful Network Analysis Framework for Security Monitoring

## Quick Use

```bash
# Install on Ubuntu/Debian
sudo apt install zeek

# Analyze a pcap file
zeek -r capture.pcap

# Monitor a live interface
sudo zeek -i eth0 local

# View generated logs
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service
```

## Introduction

Zeek (formerly Bro) is a passive network traffic analyzer that produces detailed, structured logs of network activity. Unlike signature-based IDS tools, Zeek focuses on understanding what is happening on a network by parsing protocols and generating rich event data for security analysts.

## What Zeek Does

- Parses 30+ network protocols (HTTP, DNS, TLS, SMB, SSH, etc.) into structured logs
- Generates connection summaries, extracts files from traffic, and builds certificate inventories
- Provides a domain-specific scripting language for custom analysis logic
- Produces JSON or TSV logs consumable by SIEMs and log platforms
- Detects anomalies through protocol analysis rather than signature matching

## Architecture Overview

Zeek runs as a cluster of worker processes supervised by a manager node. Each worker receives raw packets from a network tap or mirror port via a packet capture library (libpcap or AF_PACKET). Workers parse protocol state machines and emit events, which Zeek scripts process to generate log entries and raise notices.
## Self-Hosting & Configuration

- Install from binary packages for major Linux distributions or build from source
- Configure monitored interfaces and cluster topology in `node.cfg`
- Customize analysis by writing or loading Zeek scripts (`.zeek` files)
- Use `zeekctl` to deploy, start, stop, and manage cluster nodes
- Forward logs to Elasticsearch, Splunk, or any SIEM via JSON output or Kafka

## Key Features

- Protocol-level visibility into HTTP headers, DNS queries, TLS certificates, and more
- Automatic file extraction from network traffic (binaries, documents, images)
- Extensible scripting language for writing custom detectors and log enrichment
- Cluster mode for monitoring multi-gigabit network links
- Community-maintained package ecosystem via the Zeek Package Manager

## Comparison with Similar Tools

- **Suricata** — Signature-based IDS/IPS; Zeek focuses on protocol analysis and logging
- **Wireshark** — Interactive packet inspector; Zeek is designed for continuous automated monitoring
- **Snort** — Classic signature-based IDS; less protocol parsing depth than Zeek
- **Arkime (Moloch)** — Full packet capture and search; complements Zeek logs with raw pcap storage
- **NetworkMiner** — Forensic analysis tool; GUI-based, not designed for continuous operation

## FAQ

**Q: Is Zeek an IDS?**
A: Zeek is a network analysis framework, not a traditional signature-based IDS. It excels at protocol parsing and log generation, which analysts use for detection and investigation.

**Q: Can Zeek handle high-speed links?**
A: Yes. In cluster mode, Zeek distributes traffic across workers and can monitor 10 Gbps+ links with appropriate hardware.

**Q: What happened to Bro?**
A: Zeek was renamed from Bro in 2018. The software and community are the same; only the name changed.

**Q: Can I write custom detections?**
A: Yes. Zeek includes a full scripting language for writing custom protocol analyzers, detectors, and log generators.
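Zeek's native TSV logs carry their own schema in `#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields` and `#types` header lines, which is what lets `zeek-cut` and SIEM shippers read them. As an added example (not part of this page or the Zeek project), the Python below parses a constructed `conn.log` excerpt into typed records, reproduces the column projection that `zeek-cut` performs in the Quick Use block, and flags completed connections Zeek left without a `service` label; the sample rows, the reduced column set and the helper names are assumptions.

```python
from collections import Counter

# Constructed conn.log excerpt (not real traffic). The header directives are the
# ones Zeek writes; the column subset and the row values are made up for the demo.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tset[string]\n"
    "1700000000.1\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\tssl\t1.25\t1200\t-\n"
    "1700000001.2\tCabc2\t10.0.0.5\t51001\t192.0.2.53\t53\tudp\tdns\t0.01\t60\t-\n"
    "1700000002.3\tCabc3\t10.0.0.7\t51002\t192.0.2.10\t443\ttcp\tssl\t-\t-\t-\n"
    "1700000003.4\tCabc4\t10.0.0.7\t51003\t192.0.2.99\t4444\ttcp\t-\t30.0\t900\tCtun1,Ctun2\n"
    "#close\t2023-11-14-22-13-23\n"
)

def _convert(raw, typ, set_sep, empty, unset):
    """Turn one TSV cell into a Python value according to its Zeek type."""
    if raw == unset:                      # '-' means the field was never set
        return None
    if typ.startswith(("set[", "vector[")):  # containers are joined by set_separator
        inner = typ[typ.index("[") + 1:-1]
        return [] if raw == empty else [_convert(v, inner, set_sep, empty, unset) for v in raw.split(set_sep)]
    if raw == empty:                      # '(empty)' is a present but empty string
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return raw == "T" if typ == "bool" else raw  # string, addr, enum stay text

def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into typed dicts, honouring its header directives."""
    sep, set_sep, empty, unset, fields, types, records = "\t", ",", "(empty)", "-", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):  # space-delimited, since sep is not yet known
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):          # remaining directives use the separator
            key, _, value = line[1:].partition(sep)
            if key == "set_separator": set_sep = value
            elif key == "empty_field": empty = value
            elif key == "unset_field": unset = value
            elif key == "fields": fields = value.split(sep)
            elif key == "types": types = value.split(sep)
        elif line:
            cells = line.split(sep)
            records.append({n: _convert(c, t, set_sep, empty, unset) for n, t, c in zip(fields, types, cells)})
    return records

def zeek_cut(records, *names):
    """Project records onto the named columns, like `zeek-cut`."""
    return [tuple(r.get(n) for n in names) for r in records]

def unclassified_long_connections(records, min_seconds=10.0):
    """Triage helper: long completed connections Zeek could not attach a service to."""
    return [r["uid"] for r in records
            if r["service"] is None and r["duration"] is not None and r["duration"] >= min_seconds]
```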
## Sources

- https://github.com/zeek/zeek
- https://docs.zeek.org

---

Source: https://tokrepo.com/en/workflows/zeek-powerful-network-analysis-framework-security-monitoring-aba19366
Author: AI Open Source