Zeek for pcap files

I have only used built-in scripts, commands or tools in the REMnux virtual machine in my previous blogs. So, this time I am going to download the Zeek tool in REMnux and use it to analyze .pcap files.

Zeek is a tool for examining .pcap files; it is free to use and open-source software. It is built to investigate network traffic, mainly to spot anomalies for cybersecurity purposes. Zeek interprets the traffic and produces compact, structured logs, extracted file content, and fully customizable output.

.pcap is the short form of packet capture. A .pcap file contains the packet data captured from a network, and this data is used for network analysis, monitoring network traffic and checking network status. These files cannot be opened with ordinary applications and need special tools to open and analyze their contents.

Some of the applications are Tcpdump and more.

Similarly, online tools are available too, like PacketTotal and more.

Introductions are over now; let’s get into the installation of Zeek in REMnux. I will give a step-by-step procedure to install the tool.

Step 1: Go to https://zeek.org/ and select Downloads under Get Zeek.

Step 2: REMnux is Linux based, so select Linux Binaries.

Step 3: Scroll down the page and select the download link for the latest feature release (highlighted in the image).

Step 4: Select the operating system Ubuntu, and choose "Add repository and install manually".

Step 5: The REMnux I have installed is based on Ubuntu 20.04, so I chose that version. Copy the four lines and paste them into the REMnux terminal. For those who are not sure of their version: when REMnux boots, the Ubuntu version is displayed on the screen.

Step 6: After pasting the command lines, press Enter and let the commands run their course. You will be asked whether to continue; choose yes. The software will then install on the system, which takes some time depending on the network speed.

Step 8: Select OK at the following prompt, and the installation will be finished.

The installed tool will be in the /opt folder. Now let’s change the directory and check the Zeek tool.

cd /opt/zeek/bin/

These are all the options that are available in the zeek tool.

Now let’s see how to use zeek to open a .pcap file. If you don’t have a .pcap file to analyze, one can be downloaded from many available sources.

It is better to create a separate directory, because zeek will create many logs; that way it is easy to view the logs produced from the .pcap file without confusing them with existing files. After creating the new directory, we need to specify the location of zeek as mentioned above, and the location of the .pcap file that zeek should read.

I have created a directory named trial in the tmp folder, and the .pcap file I used for this analysis is in Downloads.

/opt/zeek/bin/zeek -r ~/Downloads/fuzz-2006-06-26-2594.pcap

Executing the command above will produce the required logs, such as conn.log, dns.log, packet_filter.log, etc.

Using the less command, we can read the log files in detail.

less -S conn.log

Similarly, all logs can be inspected. If the data is too large and only a selected field needs to be viewed, we can use the zeek-cut tool. For example, to view only the uid field in conn.log, the following command is used.

cat conn.log | /opt/zeek/bin/zeek-cut uid

If needed, we can also take a single uid and find where it appears in all the other logs. We use the grep command for this purpose.

grep CIoYZM2osApk8BUVVl *.log
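To show what zeek-cut does with the #fields header and how the uid pivot ties the logs together, here is an added example that is not part of the original post or of Zeek itself: a small awk work-alike of zeek-cut and the grep pivot, run against constructed sample conn.log and dns.log files written to an assumed scratch directory, so it runs without Zeek installed.

```shell
#!/bin/sh
# Added example (not Zeek's code): select Zeek log columns by field name and
# pivot on a uid across logs, using only sh, awk and grep.

WORK="${TMPDIR:-/tmp}/zeek-trial-example"   # assumed scratch directory
mkdir -p "$WORK"

# Constructed conn.log and dns.log in Zeek's tab-separated format (field lists abbreviated).
printf '#separator \\x09\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n' > "$WORK/conn.log"
printf '1151337600.000000\tCAbc123example01\t10.0.0.5\t51234\t192.0.2.10\t53\tudp\tdns\n' >> "$WORK/conn.log"
printf '1151337601.500000\tCDef456example02\t10.0.0.5\t51235\t192.0.2.20\t80\ttcp\thttp\n' >> "$WORK/conn.log"
printf '#close\t2006-06-26-00-00-02\n' >> "$WORK/conn.log"
printf '#separator \\x09\n#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\n' > "$WORK/dns.log"
printf '1151337600.000000\tCAbc123example01\t10.0.0.5\t192.0.2.10\texample.test\tA\n' >> "$WORK/dns.log"

# zeek_cut FIELD...  reads a Zeek log on stdin and prints only the named fields.
# Names are resolved through the #fields header rather than fixed column numbers,
# so the selection survives a change of field order between Zeek versions.
zeek_cut() {
    awk -v want="$*" '
        BEGIN { FS = "\t"; OFS = "\t"; n = split(want, names, " ") }
        /^#fields/ {
            for (i = 2; i <= NF; i++) col[$i] = i - 1        # name -> data column
            for (i = 1; i <= n; i++) if (!(names[i] in col)) {
                print "zeek_cut: unknown field " names[i] > "/dev/stderr"; exit 2 }
            next }
        /^#/ { next }                                          # skip other header/footer lines
        { line = ""
          for (i = 1; i <= n; i++) line = line (i > 1 ? OFS : "") $(col[names[i]])
          print line }'
}

# uid_logs DIR UID  lists, space-separated, the log files in DIR that mention a
# connection uid: the same pivot as "grep <uid> *.log" above.
uid_logs() {
    ( cd "$1" && grep -l -- "$2" *.log 2>/dev/null | tr '\n' ' ' | sed 's/ $//' )
}

zeek_cut uid id.resp_h service < "$WORK/conn.log"
uid_logs "$WORK" CAbc123example01    # prints: conn.log dns.log
```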

These are the simple techniques in zeek that make it very easy to get at the network traffic. Another important point is that the log files obtained from zeek can be fed into a SIEM tool for further correlation, comparison and analysis of our data. We are converting the network traffic packets into logs and using them for a different purpose. By analyzing these log files, any unusual activity or threat can be identified, and actions can be taken to neutralize the threat.