Anthropic-Cybersecurity-Skills/skills/performing-network-traffic-analysis-with-zeek/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


API Reference — Performing Network Traffic Analysis with Zeek

Libraries Used

  • pathlib: Read Zeek TSV log files
  • subprocess: Execute Zeek on PCAP files
  • collections.Counter: Traffic pattern aggregation

CLI Interface

python agent.py conn --log conn.log
python agent.py dns --log dns.log
python agent.py http --log http.log
python agent.py notice --log notice.log
python agent.py run --pcap capture.pcap [--output-dir /tmp/zeek_output]

Core Functions

parse_zeek_log(log_file) — Generic Zeek TSV parser

Parses #fields header and data rows. Returns headers and record list.

analyze_conn_log(conn_log) — Connection analysis

Statistics: protocols, services, top IPs/ports, total bytes, long connections (>1hr).

analyze_dns_log(dns_log) — DNS query analysis

Detects: long queries (>50 chars), TXT queries, NXDOMAIN responses. Flags potential DNS tunneling indicators.
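The parser and the DNS checks described above, as an added example that is not the skill's own agent.py: a Zeek TSV reader that honours the #separator, #unset_field and #empty_field header lines, followed by the long-query (>50 chars), TXT and NXDOMAIN checks run over a constructed dns.log sample (all hostnames and addresses are made up).

```python
from collections import Counter
# Constructed sample dns.log in Zeek's ASCII TSV format (hypothetical data).
LONG_QUERY = "a" * 60 + ".tunnel-example.test"
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name",
    "#types\ttime\taddr\tstring\tstring\tstring",
    "1710000000.1\t10.0.0.5\texample.com\tA\tNOERROR",
    "1710000001.2\t10.0.0.5\t" + LONG_QUERY + "\tTXT\tNOERROR",
    "1710000002.3\t10.0.0.7\tnx.example.com\tA\tNXDOMAIN",
    "1710000003.4\t10.0.0.7\t-\tTXT\t-",
    "#close\t2026-03-11-00-22-12",
])

def parse_zeek_log(text):
    """Parse Zeek TSV text, honouring #separator, #unset_field and #empty_field.
    Returns (headers, records); records are dicts, unset fields become None."""
    sep, unset, empty, headers, records = "\t", "-", "(empty)", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field" + sep):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#empty_field" + sep):
            empty = line.split(sep, 1)[1]
        elif line.startswith("#fields" + sep):
            headers = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # #types, #path, #open, #close and similar metadata
        else:
            vals = line.split(sep)
            records.append({h: None if v == unset else "" if v == empty else v
                            for h, v in zip(headers, vals)})
    return headers, records

def analyze_dns_log(text, long_query_len=50):
    """Apply the checks listed above: queries longer than long_query_len,
    TXT queries and NXDOMAIN responses, plus a qtype breakdown."""
    _, records = parse_zeek_log(text)
    out = {"total": len(records), "long_queries": [], "txt_queries": [],
           "nxdomain": [], "qtypes": Counter()}
    for r in records:
        q = r.get("query") or ""          # unset query -> ""
        out["qtypes"][r.get("qtype_name") or "unset"] += 1
        if len(q) > long_query_len:
            out["long_queries"].append(q)
        if r.get("qtype_name") == "TXT":
            out["txt_queries"].append(q)
        if r.get("rcode_name") == "NXDOMAIN":
            out["nxdomain"].append(q)
    return out
```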

analyze_http_log(http_log) — Web traffic analysis

Tracks: methods, status codes, top hosts, user agents. Flags suspicious UAs: curl, wget, python, powershell, certutil, bitsadmin.

analyze_notice_log(notice_log) — Security alert review

Parses Zeek notice.log for detected security events.

run_zeek_on_pcap(pcap_file, output_dir) — Generate Zeek logs from PCAP

Executes Zeek against PCAP to produce conn.log, dns.log, http.log, etc.

Zeek Log Fields

| Log | Key Fields |
|---|---|
| conn.log | id.orig_h, id.resp_h, id.resp_p, proto, service, duration, orig_bytes |
| dns.log | query, qtype_name, rcode_name |
| http.log | method, host, uri, status_code, user_agent |
| notice.log | note, msg, src, dst |

Dependencies

System: zeek (for PCAP processing). No Python packages required.