Usage

# read from stored pcap
zeek -r <pcap_file_location>

# output to json
zeek -r <pcap_file_location> LogAscii::use_json=T

# read output
cat <filename>
cat <filename> | zeek-cut
zeek-cut < <filename>

# show only specific fields
zeek-cut id.orig_h < conn.log
zeek-cut id.orig_h id.orig_p < conn.log

# count the results
zeek-cut id.orig_h < conn.log | sort | uniq -c | sort -n

# find the responder IP receiving the most traffic (sorted by orig_bytes, largest last)
zeek-cut orig_bytes id.resp_h < conn.log | sort -n

Scripting

For example, a script can detect brute-force login attempts.

# usage
zeek -C -r <pcap_file_location> <script_file_location>
