Zeek Auxiliary Programs
jsiwek Merge remote-tracking branch 'origin/topic/dnthayer/gh-313'
* origin/topic/dnthayer/gh-313:
  Rename directories from bro to zeek
Latest commit e0689c1 Jun 12, 2019
Name | Latest commit message | Commit time
adtrace Tweaks for OpenBSD support. Jan 6, 2012
cmake @ 58e4eeb Merge remote-tracking branch 'origin/topic/dnthayer/gh-313' Jun 12, 2019
devel-tools Rename all BRO-prefixed environment variables May 22, 2019
plugin-support Use zkg.meta file in plugin skeleton Jun 12, 2019
testing Rename all BRO-prefixed environment variables May 22, 2019
zeek-cut Rename all BRO-prefixed environment variables May 22, 2019
.gitignore Merge with Subversion repository as of r7098. Nov 27, 2010
.gitmodules Update submodules to use Dec 6, 2018
.travis.yml More Bro to Zeek renaming May 20, 2019
.update-changes.cfg update-changes now looks for a 'release' tag to idenfify the stable Oct 18, 2011
CHANGES Merge remote-tracking branch 'origin/topic/dnthayer/gh-313' Jun 12, 2019
CMakeLists.txt More Bro to Zeek renaming May 20, 2019
COPYING Updating copyright notice. Oct 8, 2013
Makefile Improve `make dist` Aug 31, 2018
README Merge remote-tracking branch 'origin/topic/dnthayer/gh-313' Jun 12, 2019
README.rst Add README.rst -> README symlink. Jan 11, 2016
VERSION Merge remote-tracking branch 'origin/topic/dnthayer/gh-313' Jun 12, 2019
btest Updating CHANGES and VERSION. Jul 5, 2012 Revert "Use #ifdef for Linux-specific code" Nov 5, 2012
configure Updating CHANGES and VERSION. Jul 5, 2012


Zeek Auxiliary Programs


Handy auxiliary programs related to the use of the Zeek Network Security Monitor.


Installation is simple and standard:

make install


adtrace

The "adtrace" utility is used to compute the network addresses that compose the internal and external nets that Zeek is monitoring. It simply reads a pcap (tcpdump) file and writes out the src MAC, dst MAC, src IP and dst IP for each packet seen in the file.
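As an added illustration of what adtrace consumes and emits, not code from the zeek-aux repository: a standard-library Python reader for the libpcap file format that prints the same four columns (src MAC, dst MAC, src IP, dst IP) per Ethernet/IPv4 frame. The sample capture is constructed in memory with the build_frame and build_pcap helpers; the truncated-record check, the empty IP columns for non-IPv4 frames and the unique_ips summary are this example's own choices, not documented adtrace behaviour.

```python
"""Per-packet MAC/IP listing from a pcap file, in the spirit of adtrace.

Added example, not code from zeek-aux. Reads the libpcap file format with the
standard library only; Ethernet (link type 1) frames carrying IPv4 are decoded,
anything else is reported with empty IP columns (an assumption of this example).
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
LINKTYPE_ETHERNET = 1


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, dst_mac, src_ip=None, dst_ip=None):
    """Construct a minimal Ethernet II frame (test data only). With IPs, a 20-byte
    IPv4 header follows (no payload, checksum left zero); without, an ARP
    ethertype and 28 zero bytes stand in for a non-IP frame."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if src_ip is None:
        return eth + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes(int(o) for o in src_ip.split(".")),
                       bytes(int(o) for o in dst_ip.split(".")))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


def build_pcap(frames, first_ts=1560340800):
    """Wrap frames in a little-endian, microsecond-resolution pcap file (constructed)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def adtrace(pcap_bytes):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for every packet record."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # byte-swapped: written on a big-endian host
    else:
        raise ValueError(f"not a pcap file (magic {magic:#x})")
    linktype = struct.unpack_from(endian + "IHHiIII", pcap_bytes, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")

    rows, offset = [], 24     # 24 = size of the global header
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        pkt = pcap_bytes[offset:offset + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record at end of file")
        offset += incl_len
        if len(pkt) < 14:
            continue          # runt frame: no complete Ethernet header
        dst_mac, src_mac = _mac(pkt[0:6]), _mac(pkt[6:12])
        ethertype = struct.unpack_from("!H", pkt, 12)[0]
        src_ip = dst_ip = ""
        # Decode IPv4 only when the ethertype says so and the header is really present.
        if ethertype == ETHERTYPE_IPV4 and len(pkt) >= 34 and pkt[14] >> 4 == 4:
            src_ip, dst_ip = _ip(pkt[26:30]), _ip(pkt[30:34])
        rows.append((src_mac, dst_mac, src_ip, dst_ip))
    return rows


def unique_ips(rows):
    """Distinct IPv4 addresses seen: the raw material for sorting out local vs remote nets."""
    return sorted({ip for row in rows for ip in row[2:] if ip})


# Constructed sample capture: two IPv4 packets (one each way) and one ARP frame.
SAMPLE_PCAP = build_pcap([
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.10", "198.51.100.5"),
    build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "198.51.100.5", "192.0.2.10"),
    build_frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
])

if __name__ == "__main__":
    for row in adtrace(SAMPLE_PCAP):
        print("\t".join(row))
```

Replacing SAMPLE_PCAP with the bytes of a real capture file (open(path, "rb").read()) is all that is needed to run it over a trace; VLAN-tagged (802.1Q) frames and IPv6 fall through to the empty-IP case, which is the first thing to extend if your traces carry them.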


zeek-cut

The "zeek-cut" utility reads ASCII Zeek logs on standard input and writes them to standard output with only the specified columns (the column names can be found in each log file in the "#fields" header line). If no column names are specified, "zeek-cut" simply outputs all columns.

There are several command-line options available to modify the output (run "zeek-cut -h" to see a list of all options). There are options to convert timestamps into human-readable format, and options to specify whether or not to include the format header lines in the output (by default, they're not included).

For example, the following command will output the three specified columns from conn.log with the timestamps from the "ts" column being converted to human-readable format:

cat conn.log | zeek-cut -d ts id.orig_h id.orig_p

The specified order of the column names determines the output order of the columns (i.e., "zeek-cut" can reorder the columns).

The "zeek-cut" utility can read the concatenation of one or more uncompressed ASCII log files (however, JSON format is not supported) produced by Zeek version 2.0 or newer, as long as each log file contains format header lines (these are the lines at the beginning of the file starting with "#"). In fact, "zeek-cut" can process the concatenation of multiple ASCII log files that have different column layouts.

To read a compressed log file, a tool such as "zcat" must be used to uncompress the file. For example, "zeek-cut" can read a group of compressed conn.log files with a command like this:

zcat conn.*.log.gz | zeek-cut
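The behaviour described above (column selection and reordering driven by the "#fields" line, "-d" timestamp conversion, header lines dropped unless asked for, and concatenated logs with different column layouts), as an added Python example; it is not the zeek-cut program itself. The sample log text is constructed. Three details are this example's assumptions rather than documented zeek-cut behaviour: a requested column absent from a given log comes out as that log's "#unset_field" marker, converted timestamps are rendered in UTC as YYYY-MM-DDTHH:MM:SS+0000, and an unknown column's "#types" entry defaults to "string" when headers are kept.

```python
"""Column selection over Zeek ASCII logs, in the manner of zeek-cut (added example,
not the zeek-aux code). Assumptions are marked in the comments."""
from datetime import datetime, timezone

# Constructed sample: two conn.log fragments with different column layouts,
# concatenated the way "cat conn.log older-conn.log | zeek-cut" would feed them.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    "1560340800.000000\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t54321\t198.51.100.5\t443\ttcp\n"
    "1560340801.500000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t40000\t198.51.100.7\t53\tudp\n"
    "#close\t2019-06-12-12-00-02\n"
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tid.orig_h\tproto\tuid\n"
    "#types\ttime\taddr\tenum\tstring\n"
    "1560340900.250000\t192.0.2.12\ticmp\tCmAbCdEfGhIjKlMnO\n"
)


def decode_separator(line):
    """'#separator \\x09' -> '\\t'. The escape is spelled out in the file because
    the separator is not known until this line has been read."""
    return line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")


def format_ts(value):
    """Epoch seconds (with fraction) -> human-readable UTC timestamp (assumed format)."""
    ts = datetime.fromtimestamp(float(value), tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S%z")


def zeek_cut(text, columns=(), human_ts=False, keep_headers=False):
    """Return the selected columns of each data line in `text`, one string per line.

    Columns come out in the requested order; with no columns every column is
    emitted; every '#fields' line resets the layout, so concatenated logs with
    different layouts work; header lines are dropped unless keep_headers is set,
    in which case '#fields'/'#types' are trimmed to the selected columns.
    """
    out = []
    sep, unset = "\t", "-"
    fields, types = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = decode_separator(line)
            elif line.startswith("#unset_field" + sep):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            elif line.startswith("#types" + sep):
                types = line.split(sep)[1:]
            if keep_headers:
                wanted = list(columns) or fields
                if line.startswith("#fields" + sep):
                    line = "#fields" + sep + sep.join(wanted)
                elif line.startswith("#types" + sep):
                    by_name = dict(zip(fields, types))
                    # Assumption: an unknown column is typed "string".
                    line = "#types" + sep + sep.join(by_name.get(c, "string") for c in wanted)
                out.append(line)
            continue
        if not fields:
            raise ValueError("data line seen before any #fields header")
        row = dict(zip(fields, line.split(sep)))
        selected = []
        for name in list(columns) or fields:
            value = row.get(name, unset)   # assumption: missing column -> unset marker
            if human_ts and name == "ts" and value != unset:
                value = format_ts(value)
            selected.append(value)
        out.append(sep.join(selected))
    return out


if __name__ == "__main__":
    # Equivalent of: cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
    for line in zeek_cut(SAMPLE_LOG, ["ts", "id.orig_h", "id.orig_p"], human_ts=True):
        print(line)
```

Feeding it a real file is `zeek_cut(open("conn.log").read(), [...])`; note that the second log fragment in the sample lacks id.orig_p, so that column is emitted as the unset marker rather than silently shifting the remaining columns, which is the failure mode a naive `cut -f` over concatenated logs would produce.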


devel-tools

A set of scripts commonly used for Zeek development. Note that none of these scripts are installed by "make install".

Extracts a connection from a trace file based on its UID as found in Zeek's conn.log.
Generates a list of Mozilla SSL root certificates in a format readable by Zeek.
A script to maintain the CHANGES and VERSION files.
Shows commits to the fastpath branch not yet merged into master.
Runs a number of Zeek benchmarks on a trace file.


rst

The "rst" utility can be invoked by a Zeek script to terminate an established TCP connection by forging RST tear-down packets.
