Version: v4.16

User Guides

The user guides walk you through hands-on examples that illustrate how to use Tenzir.


Throughout our guides, we use publicly available datasets so that you can follow along.


The M57 Patents Scenario contains large amounts of diverse network traffic. We enriched the PCAP from Nov 18, 2009, by adding malicious traffic from . We adjusted all packet timestamps to 2021. Thereafter, we ran Zeek v5.2.0 and Suricata 6.0.10 to obtain structured logs.

The dataset includes the following files:

For the following examples we assume that you have imported the demo data into your node with the following two pipelines. The first imports the Suricata EVE JSON logs, dropping the periodic suricata.stats events; the second imports the Zeek TSV logs:

read suricata --no-infer
| where #schema != "suricata.stats"
| import

read zeek-tsv
| import

Note that the demo node already comes with this demo data pre-populated for you.