Zeek Newsletter - Issue 60 - February 2026

Welcome to the Zeek Newsletter.

In this Issue:

TL;DR: Zeek 8.2 development is underway with strong ZeroMQ performance improvements. CERN workshop registration is full but waitlist spots are available, and the Leadership Team is drafting an AI contribution policy.


Community News & Reminders


💡 Zeek Techniques

This month we have a tip from Benjamin:

To figure out which parts of a PCAP trigger a certain behavior one can use pcap-minimizer.

It works similarly to git bisect run: give it a script which signals whether a PCAP triggers some behavior, and it will automatically figure out which parts of the PCAP are needed for that and output a minimized version.

This does not depend on Zeek at all, but can be useful when developing or debugging scripts or analyzers.
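The bisect-style reduction described in the tip, sketched as an added example; it is not pcap-minimizer's own code or algorithm. The names `read_records`, `minimize` and `triggers` are hypothetical, the capture is constructed inline, and the in-process predicate stands in for a script that would write each candidate PCAP to disk and run the analyzer on it.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def read_records(data):
    """Split a classic little-endian pcap into (global header, list of raw records)."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off, records = GLOBAL_HDR.size, []
    while off < len(data):
        end = off + REC_HDR.size + REC_HDR.unpack_from(data, off)[2]
        if end > len(data):
            raise ValueError("truncated record")
        records.append(data[off:end])
        off = end
    return data[:GLOBAL_HDR.size], records

def minimize(records, triggers):
    """Drop ever-smaller chunks of packets for as long as triggers() stays True."""
    if not triggers(records):
        raise ValueError("the full capture does not trigger the behavior")
    chunk = max(len(records) // 2, 1)
    while True:
        i, removed = 0, False
        while i < len(records):
            candidate = records[:i] + records[i + chunk:]
            if candidate and triggers(candidate):
                records, removed = candidate, True  # still triggers: keep it smaller
            else:
                i += chunk                          # this chunk is needed: move on
        if chunk == 1 and not removed:
            return records                          # no single packet can be dropped
        chunk = max(chunk // 2, 1)

def triggers(records):
    """Constructed stand-in for 'run the analyzer and check its output'."""
    p = [r[REC_HDR.size:] for r in records]
    users = [i for i, x in enumerate(p) if x.startswith(b"USER")]
    passes = [i for i, x in enumerate(p) if x.startswith(b"PASS")]
    return bool(users and passes and users[0] < passes[-1])

# Constructed sample capture: opaque payloads under LINKTYPE_USER0 (147), not real frames.
SAMPLE = [b"SYN", b"USER bob", b"noise1", b"noise2", b"PASS x", b"noise3", b"QUIT", b"FIN"]
pcap = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
for n, p in enumerate(SAMPLE):
    pcap += REC_HDR.pack(n, 0, len(p), len(p)) + p
header, records = read_records(pcap)
minimal = minimize(records, triggers)
```

Writing `header + b"".join(minimal)` to a file gives the minimized capture; here it holds only the two packets the predicate depends on.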

Share your tricks, shortcuts, or techniques with us using this form.


Community Call Recap

Highlights from this month’s call:

  • AI contribution policy in development: The Leadership Team is drafting a policy requiring contributors to fully understand and be able to discuss their code submissions

  • New training facilitators: Taylor Schutt and David Han from CENIC will deliver Zeek-Lite training at the upcoming NSF Regional Summit

  • Fall workshop planning: We’re exploring North America workshop options for fall 2026. Stay tuned!

Missed it? Watch the recording on our YouTube Channel.

📅 The next call is April 1 at 10am Pacific Time. Use this Zoom link to join. There’s no registration required, just drop in and join the conversation. See you there!


Development Updates

Zeek 8.2 development is underway, representing the final checkpoint on the road to version 9.0. The team continues working on iterations to fully transition away from Broker, and they’re actively seeking community feedback on the latest version with ZeroMQ as the default backend. Early performance indicators show significant improvements in the ZeroMQ environment, though the team is particularly interested in edge cases where issues might arise.

A new development board tracking 8.2 work has been created on GitHub, providing transparency into the team’s current focus areas.

Arne published a blog post demonstrating how to monitor traffic in AWS by leveraging Zeek’s pluggable packet sources. The solution turns Zeek into a UDP server, eliminating the need for clunky workarounds to capture tapped traffic. Instead, traffic (whether Geneve or VXLAN) comes directly to Zeek, with the post providing guidance on logging to Kafka and implementing modern cloud monitoring workflows.

The team is also soliciting community input through GitHub Discussions on technical topics, including a hairy question about embedding binary content in JSON. Anyone working extensively with JSON data ingestion is encouraged to share their perspectives, as the team explores implementation options for 8.2.

As always, follow development progress on GitHub to stay current with the latest changes.


Zeek Packages

Anyone in the community can write add-on functionality for Zeek via packages.

Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

Updates:


Get Involved

Thanks for being part of the community. We’ll see you next time!