MODES

VERSION CHECK

#check zeek version
root@dco:~$ zeek -v
 * the -v is for version information.

ZEEK: SERVICE MODE

this mode enables zeek to listen on live network traffic. the created logs will be located in the default log path /opt/zeek/logs

#run zeek as a service
root@dco:~$ sudo su
 * "ZeekControl" module requires superuser permissions to use
    - ZeekControl is a module.
root@dco:~$ zeekctl
 Welcome to ZeekControl 2.X.0

[ZeekControl] > status
 Name         Type       Host          Status    Pid    Started
 zeek         standalone localhost     stopped

[ZeekControl] > start
 starting zeek ...

[ZeekControl] > status
 Name         Type       Host          Status    Pid    Started
 zeek         standalone localhost     running   2541   13 Mar 18:25:08

[ZeekControl] > stop
 stopping zeek ...

[ZeekControl] > status
 Name         Type       Host          Status    Pid    Started
 zeek         standalone localhost     stopped

ZEEK: PCAP MODE

this mode sets Zeek to read pcap files. once the pcaps are processed, Zeek automatically creates log files according to the traffic and the created logs will be stored in the working directory

root@dco:~$ zeek -C -r sample.pcap 
 * the -r sets zeek to read/process a pcap file.
 * the -C ignores checksum errors.

root@dco:~$ ls -l
 -rw-r--r-- 1 ubuntu ubuntu  11366 Mar 13 20:45 conn.log
 -rw-r--r-- 1 ubuntu ubuntu    763 Mar 13 20:45 dhcp.log
 -rw-r--r-- 1 ubuntu ubuntu   2918 Mar 13 20:45 dns.log
 -rw-r--r-- 1 ubuntu ubuntu    254 Mar 13 20:45 packet_filter.log 
 
 * Investigating the generated logs will require command-line tools (cat, cut, grep sort, and uniq) and additional tools (zeek-cut)

PreviousZEEK NextLOGS

Last updated 11 months ago