Welcome to the Zeek Newsletter
In this Issue:
TL;DR: Zeek 8.1 enters final stretch with mid-December fork and ZeroMQ as the new default cluster backend, WebSocket bindings demoed for multiple languages, and CERN workshop spots still available!
Don’t Miss This – Reminders for the Community
- Zeek Workshop (Geneva, Mar. 25-26): Join us for a free, two-day workshop at CERN. Registration and Call for Presentations can be found on our website. Limited spots available.
- Topic of the Month: December’s theme is “Zeek & Other Tools”. Join the discussion in #topic-of-the-month on Slack and read the November recap on our blog.
- New Blog Post: Developing Zeek Scripts with Style
Zeek Tip of the Month
To process compressed pcaps, decompress them with zcat or xzcat and pipe the output to zeek -r -, which reads the pcap from stdin.
$ zcat http.pcap.gz | zeek -r -
$ xzcat http.pcap.xz | zeek -r -
Share your tricks, shortcuts, or techniques with us using this form.
Community Call Recap
Highlights from this month’s call:
- Zeek 8.1 development: Final stretch before mid-December fork. Starting with Zeek 8.1, Zeekctl-managed clusters will use the ZeroMQ cluster backend by default.
- WebSocket bindings demo: Benjamin showcased zeek-websocket-rs, a new Rust-based project that provides language bindings for Rust, Python, C++, and Node.js and simplifies interacting with Zeek’s WebSocket API.
Missed it? Watch the recording on our YouTube Channel.
The next call is January 7 at 10am Pacific Time. Use this Zoom link to join. There’s no registration required, just drop in and join the conversation. See you there!
Development Updates
Zeek 8.1 is entering its final stretch, with plans to fork mid-December 2025. The team aims to release it before the holidays as a “developer release” to allow community testing over the break, with finalization coming in the new year. This is a significant release featuring the highly anticipated switch to ZeroMQ as the default messaging backend—a major architectural change for the project. While the team expects some users may encounter unexpected behavior, easy rollback options to Broker will be available for those who prefer to wait.
The large Zeek Package Manager (zkg) update originally planned for 8.1 has been moved to the 8.2 cycle to allow more development time. However, other experimental work is progressing, including new WebSocket bindings to replace Broker-based ones and a prototypical XDP shunter.
Homebrew now installs Node’s shared library. This makes it possible to build Zeek’s JavaScript support on macOS. We have identified and fixed a couple of issues specific to how Node runs on macOS, and are in the process of backporting them to the LTS release branch. JavaScript support is enabled automatically if Node is detected, and can be disabled by configuring with --disable-javascript.
Version 8.0.4 remains available for users on the 8.0 release train, containing bug fixes with no critical issues. The team expects to share 8.1 release candidate updates at January’s Community Call, with the full release anticipated by February’s call.
As always, follow development progress on GitHub to stay current with the latest changes.
Zeek Packages
Anyone in the community can write add-on functionality for Zeek via packages.
- Browse Zeek packages: https://packages.zeek.org
- Head to our zkg package manager documentation to get started on your own
- Questions? Check out #package-sharing to get help
Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
Get Involved
- Share ideas or content: news@zeek.org or #security-news on Slack.
- Stay connected: Discourse • YouTube • Mastodon • Bluesky • LinkedIn
- Check out Leadership Team meeting notes for insider updates.
- Looking for Zeek jobs? See openings on LinkedIn.
Thanks for being part of the community. We’ll see you next time!
