CONVERSION

PCAP TO ZEEK LOGS

Zeek reads a PCAP file and analyzes the raw network traffic to produce structured, high-level logs that describe what actually occurred on the network. Instead of simply displaying packets, Zeek interprets protocols, sessions, and behaviors, extracting meaningful metadata such as connection details, DNS queries, HTTP requests, and potential command-and-control activity. This process effectively transforms packet-level data into Zeek logs that are easier for analysts to search, correlate, and investigate. By converting raw traffic into actionable security context, Zeek enables efficient threat hunting, incident response, and behavior-based analysis without requiring manual packet inspection.

root@dco:~$ zeek readpcap pcaps/AsyncRAT.pcap zeek_logs/asyncrat
 Starting the Zeek docker container
 Zeek logs will be saved to /home/ubuntu/zeek_logs/asyncrat
 
root@dco:~$ cd /home/ubuntu/zeek_logs/asyncrat/ && ls
 capture_loss.log  dns.log    http.log         known_services.log  notice.log  packet_filter.log  software.log  stats.log  x509.log
 conn.log          files.log  known_hosts.log  loaded_scripts.log  ocsp.log    reporter.log       ssl.log       weird.log
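Once the PCAP has been converted, the logs listed above are plain tab-separated text in Zeek's standard format: a `#separator` line, `#fields` and `#types` headers naming each column, `-` for unset values and `(empty)` for empty ones, followed by one record per line. The script below is an added example (not part of this page or of Zeek's own tooling) showing how an analyst can parse a `conn.log` produced this way and summarise it per responder, including the spacing between connections to the same host and port, which is a common first check when hunting for command-and-control beaconing. The sample log is constructed and abridged to a subset of the real `conn.log` columns; the IP addresses are documentation ranges, not observed indicators.

```python
"""Parse Zeek TSV logs and summarise conn.log per responder (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed, abridged conn.log: real Zeek headers, but only a subset of the
# columns the real log carries. Three connections to 203.0.113.10:4444 exactly
# 60 s apart (one of them unanswered, state S0) and one TLS session elsewhere.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.000000\tCabc1\t10.0.0.5\t49152\t203.0.113.10\t4444\ttcp\t-\t60.0\t1200\t3400\tSF
1700000060.000000\tCabc2\t10.0.0.5\t49153\t203.0.113.10\t4444\ttcp\t-\t60.0\t1100\t3300\tSF
1700000120.000000\tCabc3\t10.0.0.5\t49154\t203.0.113.10\t4444\ttcp\t-\t-\t-\t-\tS0
1700000005.000000\tCabc4\t10.0.0.5\t49155\t198.51.100.7\t443\ttcp\tssl\t2.5\t800\t9000\tSF
#close\t2023-11-14-22-16-00
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per record, keyed by the names from the #fields header.
    Unset fields become None, empty fields become ""; other values stay strings."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # Zeek writes the separator escaped, e.g. "\x09" for a tab.
                sep = raw[len("#separator "):].encode().decode("unicode_escape")
            else:
                key, _, value = raw[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
            continue
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch in line: {raw!r}")
        rec: Dict[str, Optional[str]] = {}
        for name, val in zip(fields, values):
            rec[name] = None if val == unset else ("" if val == empty else val)
        records.append(rec)
    return records


def summarize_conn(records: List[Dict[str, Optional[str]]]) -> Dict[str, dict]:
    """Aggregate per responder ip:port/proto: connection count, bytes each way,
    unanswered/rejected attempts, and the gaps between successive start times."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "orig_bytes": 0, "resp_bytes": 0, "failed": 0, "ts": []}
    )
    for r in records:
        key = f"{r['id.resp_h']}:{r['id.resp_p']}/{r['proto']}"
        a = acc[key]
        a["count"] += 1
        a["orig_bytes"] += int(r["orig_bytes"] or 0)  # None (unset) counts as 0
        a["resp_bytes"] += int(r["resp_bytes"] or 0)
        a["ts"].append(float(r["ts"]))
        if r["conn_state"] in ("S0", "REJ", "RSTOS0"):  # no reply / rejected / reset
            a["failed"] += 1
    summary: Dict[str, dict] = {}
    for key, a in acc.items():
        ts = sorted(a["ts"])
        summary[key] = {
            "count": a["count"],
            "orig_bytes": a["orig_bytes"],
            "resp_bytes": a["resp_bytes"],
            "failed": a["failed"],
            "gaps": [later - earlier for earlier, later in zip(ts, ts[1:])],
        }
    return summary


def periodic_destinations(summary: Dict[str, dict], min_count: int = 3,
                          tolerance: float = 0.1) -> List[str]:
    """Responders contacted at least min_count times where every gap lies within
    tolerance (fraction of the mean gap) of the mean: a beaconing candidate for review."""
    hits = []
    for key, s in summary.items():
        gaps = s["gaps"]
        if s["count"] < min_count or not gaps:
            continue
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)  # swap in open("conn.log").read() for a real log
    summary = summarize_conn(recs)
    for dst, s in summary.items():
        print(dst, s)
    print("periodic:", periodic_destinations(summary))
```

To run it against the logs produced above, read `zeek_logs/asyncrat/conn.log` into `parse_zeek_tsv` instead of the sample; the parser is generic, so the same function also reads `dns.log`, `http.log` or any other TSV log in that directory. Regular gaps alone are not proof of malware (monitoring agents and update checks beacon too), so treat the output as a list of destinations to cross-reference with `ssl.log`, `x509.log` and `notice.log`.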
