A Zeek user spent years maintaining a careful system of named test PCAPs, tracking which scripts belonged to which tests and building a testing workflow from scratch. Then they discovered btest, Zeek’s built-in testing framework that automatically creates baselines—no more manual tracking!

This pattern repeats constantly. Zeek has been around for over 30 years, and some of its capabilities have gotten lost in the shuffle. You won’t always find them in the docs, but someone in the community knows they exist.

The most common way people discover these capabilities? Accidentally. Sometimes you stumble into a conversation and you realize you’ve been working around a problem Zeek already solved.

Here are some that surface when practitioners compare notes.

The built-in script debugger

You’ve added 15 print statements to a script trying to figure out why a variable isn’t getting set. You’re reloading Zeek, checking output, adding more print statements, and repeating. But there’s a better way.

Zeek has a built-in debugger. Launch it with zeek -d to step through script execution interactively, inspect variables, and set breakpoints. It’s been there for years and works well—try it next time you’re troubleshooting detection logic that won’t fire.

The input framework goes further than you think

Most people who know about the input framework associate it with reading in indicator lists or configuration data. Zeek gives you many different formats to read data from: standard TSV, JSONL, or even SQLite.

Since Zeek writes its logs as TSV by default, those logs are themselves valid input framework data! Logs are usually far smaller than the PCAP they were derived from, so you get a similar view of historic activity at a fraction of the storage. Combine this with Input::add_event and you can replay a log through your script logic, mimicking Zeek’s processing without the PCAP.
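As an added example (not code from the original post), here is a script that replays an uncompressed TSV conn.log through Input::add_event and applies a simple “many unanswered ports per source host” check over the replayed records. The record type, the hypothetical conn_log_path, and the threshold are assumptions; the script relies on the ASCII reader matching record fields against the log’s #fields header by name, including the nested id.* columns.

```zeek
# Replay a historic conn.log through the input framework instead of
# re-processing the PCAP. Added example; assumes a TSV conn.log written by
# Zeek's default ASCII writer (with its #fields / #types header lines).

module ReplayConn;

export {
    ## Hypothetical path to the log being replayed (assumption, change it).
    const conn_log_path = "/path/to/conn.log" &redef;
    ## Distinct unanswered destination ports before a host is reported.
    const scan_threshold = 20 &redef;
}

# Only the columns this check needs. The ASCII reader matches them by name
# against the #fields header, so every other conn.log column is ignored.
type Line: record {
    ts:         time;
    id:         conn_id;          # id.orig_h, id.orig_p, id.resp_h, id.resp_p
    conn_state: string;
    resp_bytes: count &optional;  # "-" in the log leaves this unset
};

# Per originator: destination ports that never got a reply (conn_state S0).
global s0_ports: table[addr] of set[port];

# One event per log line, instead of one per packet from a PCAP.
event conn_line(desc: Input::EventDescription, tpe: Input::Event, r: Line)
    {
    if ( r$conn_state != "S0" )
        return;
    if ( r$id$orig_h !in s0_ports )
        s0_ports[r$id$orig_h] = set();
    add s0_ports[r$id$orig_h][r$id$resp_p];
    }

event zeek_init()
    {
    Input::add_event([$source=conn_log_path, $name="conn_replay",
                      $fields=Line, $ev=conn_line, $want_record=T]);
    }

# The reader signals when the whole file has been delivered; report then.
event Input::end_of_data(name: string, source: string)
    {
    if ( name != "conn_replay" )
        return;
    for ( h in s0_ports )
        if ( |s0_ports[h]| >= scan_threshold )
            print fmt("%s reached %d distinct ports with no response",
                      h, |s0_ports[h]|);
    Input::remove(name);
    }
```

Only what the log recorded is available on replay: connection summaries drive this check fine, but protocol- or payload-level events that a PCAP would generate will not fire from a conn.log.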

btest: Zeek’s built-in testing framework

This is the feature that sparked the opening story. One practitioner built an entire manual testing system before discovering btest already existed.

btest runs Zeek scripts against PCAPs and compares output to expected results—the orchestration happens automatically. If you’re developing detection logic or custom scripts and want to make sure changes don’t break existing functionality, btest gives you regression testing without building infrastructure from scratch.

It’s part of the Zeek distribution, yet many miss it entirely.

Other built-in functions worth knowing

Base64 decoding is built in. The log_stream_policy hook gives you control over what gets logged and when. Bloom filters are there when you need them for scaling. String manipulation functions handle encoding conversions most people assume require external tools.

Some of this falls into a broader pattern: practitioners spending months or years building workarounds for things Zeek already handles. The capabilities are there but sometimes they are hidden.

How to find what you’re missing

Here’s how to stay on top of what Zeek can do:

  • Browse the package manager. Scan package descriptions even if you’re not installing anything—you’ll find tools solving problems you didn’t know were solvable in Zeek.
  • Watch pull requests on the main Zeek repository. Just skimming PR titles and descriptions will help you catch new capabilities as they land.
  • Head to the Advanced Topics section of the docs for capabilities that don’t fit in the main documentation.
  • Ask questions in community spaces. Hidden features surface most reliably through conversation. Someone will mention a capability in passing, and you’ll realize you’ve been doing something the hard way.

If you discover you’ve been working around a problem Zeek already solves, mention it. That’s how others learn too.


Thank you to the community members who contributed to March’s Topic of the Month conversation, “I didn’t know Zeek could do that!”: Sebastian, Ashish, Kevin, Aaron, Dop, Chris C., Jakob, Yacin, Seth, Carlos, CPU, Trong, Mohan, Chris H., Pedro, Liam, Christian, and Evan.

This month we’re talking about: How do you keep Zeek running? We want to hear what you do to keep your Zeek deployment healthy. Join the conversation today in our Slack workspace.

Author

  • Michelle Pathe is the Zeek Community Liaison at Corelight. She has over 7 years of experience managing technical communities and has worked with thousands of cybersecurity, software engineering, and data science professionals.
