Using Zeek in Packet Analysis

3 min read

The Zeek Logs analysis tool in CloudShark utilizing the fast and powerful logging capabilities of Zeek.

Zeek provides a great new way to interface with your captures and speed analysis. Here is a quick overview of Zeek, how it works, and how you can use it to discover and resolve network and security problems more efficiently.


What is Zeek?

Zeek (formerly Bro) is a passive network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link for signs of suspicious activity, but can also be used to illuminate many different kinds of network behavior. It is a trusted tool used by today’s network and security experts.

As an open-source project, Zeek is maintained by the leadership team at and has a vibrant community expanding its capabilities through a scripting language optimized for network analysis.

Other Intrusion Detection (IDS) or Intrusion Prevention (IPS) systems create alerts based on specific rules called signatures. In contrast, Zeek sits quietly on a sensor and unobtrusively observes and turns raw network traffic into comprehensive “transaction logs”.


What are transaction logs?

Zeek transaction logs are collated, organized records of network activity. Logs include every connection seen on the network, as well as application-layer information such as HTTP sessions, DNS requests and responses, TLS sessions, and more. Other logs are further categorized based on the particular data fields or other content.

Transaction logs are a different way of looking at network data. Logs help organizations understand how their network is being used, supporting security, performance, audit, and capacity missions.


How is Zeek used?

Zeek is typically deployed on passive network sensors. It generates logs as traffic passes through, but the full packet data is not recorded. Often, logs are sent to a SIEM and forever disconnected from the packets. The analysis ends there.

In high-bandwidth environments, Zeek must be configured so it is fast enough to keep up with live traffic.

Running Zeek on the CLI with pre-recorded traffic unlocks additional capabilities in the tool. More intensive scripts, deeper scans, and additional reporting can be performed without worrying about impacting network performance. And, since it runs on a PCAP, the raw network data is there when you need it.

These extremely detailed logs extend beyond what a sensor may be capable of in real-time and give the network analyst a new approach when dissecting and investigating traffic.


Evolving PCAP analysis

CloudShark has always been about more than just web-based pcap analysis. CloudShark helps you analyze network issues faster through cataloging, collaboration, and adding context to packets, helping to drill down to the information you need to solve problems.

Adding Zeek to CloudShark’s easy to use web-interface is another exciting step in our continuous evolution of packet analysis. .

Interested in how CloudShark can help? Request a demo to learn more.

Want articles like this delivered right to your inbox?

Sign up for our Newsletter

No spam, just good networking