#check zeek version
root@dco:~$ zeek -v
* -v prints the Zeek version information.
ZEEK: SERVICE MODE
This mode runs Zeek as a service that listens on live network traffic. The logs it creates are written to the default log path /opt/zeek/logs.
#run zeek as a service
root@dco:~$ sudo su
* The ZeekControl module (invoked as zeekctl) requires superuser permissions.
root@dco:~$ zeekctl
Welcome to ZeekControl 2.X.0
[ZeekControl] > status
Name Type Host Status Pid Started
zeek standalone localhost stopped
[ZeekControl] > start
starting zeek ...
[ZeekControl] > status
Name Type Host Status Pid Started
zeek standalone localhost running 2541 13 Mar 18:25:08
[ZeekControl] > stop
stopping zeek ...
[ZeekControl] > status
Name Type Host Status Pid Started
zeek standalone localhost stopped
ZEEK: PCAP MODE
This mode sets Zeek to read pcap files. Once a pcap is processed, Zeek automatically creates log files according to the traffic it contains; these logs are stored in the current working directory.
root@dco:~$ zeek -C -r sample.pcap
* -r sets Zeek to read/process a pcap file instead of a live interface.
* -C tells Zeek to ignore checksum errors (common in captures taken on hosts with checksum offloading).
root@dco:~$ ls -l
-rw-r--r-- 1 ubuntu ubuntu 11366 Mar 13 20:45 conn.log
-rw-r--r-- 1 ubuntu ubuntu 763 Mar 13 20:45 dhcp.log
-rw-r--r-- 1 ubuntu ubuntu 2918 Mar 13 20:45 dns.log
-rw-r--r-- 1 ubuntu ubuntu 254 Mar 13 20:45 packet_filter.log
* Investigating the generated logs requires standard command-line tools (cat, cut, grep, sort, and uniq) and additional tools (zeek-cut).