FakeNet-NG vs Zeek
GitHub Stats
About FakeNet-NG
FakeNet-NG is a dynamic network analysis tool designed for malware analysis on Windows and Linux. It intercepts and redirects all network traffic to local listeners that simulate real internet services (HTTP, HTTPS, DNS, SMTP, FTP, IRC, and custom protocols). This allows analysts to observe malware network behavior without allowing actual internet connectivity, capturing C2 communications, download URLs, exfiltration attempts, and protocol patterns. FakeNet-NG supports SSL interception, custom response scripts, and integration with other analysis tools. It operates at the network driver level, catching traffic from all processes simultaneously.
About Zeek
Zeek (formerly Bro) is a powerful network analysis framework that sits on a network tap, link, or live interface and generates detailed logs describing network activity. Unlike traditional IDS systems that match signatures, Zeek performs deep protocol analysis to produce structured logs for every connection, DNS query, HTTP request, SSL certificate, file transfer, and dozens of other protocol events. These logs are the foundation for network security monitoring - they tell you not just that something happened, but exactly what happened at the application layer. Zeek's scripting language allows custom analysis, from detecting specific attack patterns to extracting files from network traffic. It's widely deployed in academic networks, enterprises, and government agencies, and its logs are commonly fed into SIEM platforms for correlation and alerting. Zeek also includes a signature framework for traditional pattern matching and a file analysis framework for extracting and inspecting transferred files.
Platform Support
Tags
FakeNet-NG only
Zeek only