Zeek: The Network Traffic Analyzer That Actually Remembers What Happened
If you've ever tried to make sense of raw network traffic, you know it's a mess. Packets come in, packets go out, and unless you're running a deep packet inspector (DPI) that keeps track of the whole conversation, you're basically looking at noise. Most tools either give you too little context (just headers) or drown you in raw bytes.
Zeek (formerly Bro) sits somewhere in the sweet spot. It's not a simple packet sniffer, and it's not a full-blown intrusion detection system out of the box (though you can extend it that way). It's a network traffic analysis framework that peels back the layers of protocols, understands application-level state, and gives you high-level logs of what actually happened.
What It Does
At its core, Zeek listens to network traffic (live or from a pcap file) and produces structured logs. It understands protocols like HTTP, DNS, FTP, SMTP, SSH, SSL/TLS, and many more. But unlike a basic packet analysis tool that just tells you "there was an HTTP request," Zeek keeps track of connections, sessions, and application-layer state across time.
For example, when you capture an HTTP request, Zeek doesn't just log "got a packet." It logs:
- The full request URI
- The response status code
- The MIME types of replies
- The user agent
- The duration of the connection
- And yes, the raw payload if you want it
Same for DNS: it logs queries, responses, TTLs, and even unusual patterns like high query rates.
On top of all that, Zeek ships with a policy scripting language called Zeek scripts (which is essentially Bro's original scripting language, evolved). You can write custom logic to react to events, filter noise, or trigger alerts. It's not as magical as "just drop in a YARA rule," but it gives you incredible control.
Why It's Cool
1. It remembers context. Most packet analyzers treat each packet like an isolated snowflake. Zeek maintains a state machine for every protocol. That means it can detect things like a non-standard handshake in TLS, or a stolen session cookie, or a slowloris attack that looks benign in isolation.
2. The logs are structured, not raw.
Zeek outputs tab-separated values (TSV) by default, with named fields. You can pipe them into anything: Elasticsearch, Splunk, a custom Python script, or even just grep. This makes it incredibly DevOps-friendly. You don't need to decode hex dumps to understand what happened.
3. It's extensible via scripts.
The Zeek scripting language is event-driven. You write something like:
event http_request(c: connection, method: string, uri: string, ...)
...and then decide what to do with that data. Want to flag any request to a URL containing "admin"? Three lines of script. Want to log every SSH login attempt with the fingerprinte? A few more lines.
4. It handles scale. Zeek is used in production at major ISPs and universities. It's written in C++ for performance, and you can run it across multiple cores or even across a cluster. It's not a toy.
5. Passive, not inline. You don't need to reconfigure your network to use Zeek. It sits on a SPAN port or tcpdump interface and just listens. No latency added, no risk of breaking your production traffic.
How to Try It
The easiest way to get started is via Docker or your package manager:
Docker:
docker run --rm -it --name zeek -v $(pwd)/logs:/usr/local/zeek/logs zeek/zeek zeek -i eth0
Replace eth0 with your network interface. Logs will appear in your logs directory.
Homebrew (macOS):
brew install zeek
Debian/Ubuntu:
sudo apt-get update && sudo apt-get install zeek
Test with a pcap file: If you don't have live traffic, grab a pcap (like from Wireshark's sample captures) and run:
zeek -r sample.pcap
You'll get a bunch of .log files in the current directory. Check conn.log for connection summaries, http.log for HTTP details, dns.log for DNS queries, etc.
Want to write your first script? Create a file called my-script.zeek with:
event http_request(c: connection, method: string, uri: string) {
print fmt("Someone requested %s via %s", uri, method);
}
Then run zeek -r sample.pcap my-script.zeek and watch stdout.
Final Thoughts
Zeek is one of those tools that feels boringly practical until you need it, and then it's a lifesaver. It's not flashy. It's not trying to be an AI-powered threat hunter. It just gives you clean, structured, stateful logs of what your network is doing at a protocol-aware level.
If you're building a security monitoring pipeline, or even just troubleshooting weird network issues, Zeek is the backbone. It's the friend who takes detailed notes while everyone else is panicking. The learning curve is a bit steeper than Wireshark's "click and see," but once you grok the logs and scripting, you'll wonder how you lived without it.
Give it a spin on a pcap today. You might be surprised how much context you've been missing.
Found this useful? Follow @githubprojects for more dev-friendly tools and projects.