darkstat(1)                      User Manuals                      darkstat(1)

NAME
       darkstat - network traffic analyzer

SYNOPSIS
       darkstat [ -i if ] [ -p port ] [ -b ip ] [ -d path ] [ -l ip/mask ]
                [ -f ip ] [ -v ] [ -n ] [ -h ] [ -V ] [ -P ] [ -e expr ]
                [ --spy if ]

DESCRIPTION
       darkstat is a network traffic analyzer. It's basically a packet
       sniffer which runs as a background process on a cable/DSL router
       sort of machine and tallies up all sorts of useless but interesting
       statistics. All settings are passed on the command line.

OPTIONS
       -i if
              Listen on the network interface specified by if, rather than
              the default interface that libpcap returns.

       -p port
              Serve statistics on the specified port instead of the default
              666.

       -b ip
              Bind the web interface to the specified local IP, instead of
              all interfaces.

       -d path
              Store database files in path instead of the current working
              directory.

       -l ip/mask
              When running a 2.4.x Linux kernel with NAT, packets are
              mangled before libpcap catches them. To get proper accounting
              of transfer statistics, you have to describe your local
              network address space. For example, if all the local machines
              have an IP of 192.168.0.x, your ip/mask should be
              192.168.0.0/255.255.255.0.

       -f ip
              Force the local IP to the given value. This is mainly for
              multihomed servers.

       -v     Enable verbose mode. You will see lines of text about packets
              being processed and some verbose information about what the
              DNS and WWW threads are doing.

       -n     Turns off DNS resolution. You can turn it back on using the
              web interface.

       -h     Displays the help/usage statement.

       -V     Displays the version information.

       -P     Prevents darkstat from putting the interface into promiscuous
              mode. (Default behaviour is to go promiscuous if possible.)

       -e expr
              Passes the specified packet filter expression to libpcap.
              Refer to the libpcap and tcpdump documentation for the
              syntax.

       --spy if
              Capture packets on the specified interface (hint: the local
              one), look for HTTP requests and log them to
              darkstat.spylog.YYMMDD.

WHY?
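The -l option describes the local address space so that a packet can be classified as local or remote and its bytes attributed to the right side of the transfer. The following is an added example (not darkstat's own code) of that classification in Python, using the same dotted ip/mask form the option takes. The packet records are constructed sample data, and the rule that only traffic crossing the local/remote boundary counts as transfer is an assumption made for the example, not a statement of darkstat's exact accounting rules.

```python
import ipaddress
from collections import defaultdict

# Constructed sample packets as (src_ip, dst_ip, size_in_bytes); not real captures.
PACKETS = [
    ("192.168.0.5", "10.0.0.1", 1500),     # local host sending out
    ("10.0.0.1", "192.168.0.5", 64000),    # remote host replying
    ("192.168.0.7", "192.168.0.5", 500),   # local-to-local, not a WAN transfer
    ("10.0.0.2", "10.0.0.3", 900),         # remote-to-remote, not ours
]


def parse_local_net(spec):
    """Parse an '-l ip/mask' value in darkstat's dotted form,
    e.g. '192.168.0.0/255.255.255.0'. ipaddress accepts a dotted netmask
    directly; a malformed spec raises ValueError."""
    return ipaddress.ip_network(spec, strict=False)


def is_local(ip, net):
    """True if ip falls inside the configured local network."""
    return ipaddress.ip_address(ip) in net


def tally(packets, net):
    """Return {local_ip: {"in": bytes, "out": bytes}} for traffic that
    crosses the local/remote boundary (assumed accounting rule)."""
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, size in packets:
        src_local, dst_local = is_local(src, net), is_local(dst, net)
        if src_local and not dst_local:
            stats[src]["out"] += size
        elif dst_local and not src_local:
            stats[dst]["in"] += size
        # local<->local and remote<->remote packets are ignored here
    return dict(stats)


if __name__ == "__main__":
    net = parse_local_net("192.168.0.0/255.255.255.0")
    for host, counts in tally(PACKETS, net).items():
        print(f"{host}: in={counts['in']} out={counts['out']}")
```

Getting the mask wrong silently misattributes traffic (a local host looks remote, or vice versa), which is why the example validates the spec up front via ipaddress rather than string-splitting it.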
       I have a cable router at home and I like having some statistics
       about the data that's going through it. I'm a big fan of ntop and
       I've been using it for a long time. darkstat is an effort to create
       a smaller (in terms of memory footprint) and more stable ntop.

WHY YOU SHOULD BE USING NTOP
       ntop is the original swiss-army-knife of network statistics. It's
       tried and proven. http://www.ntop.org/

       darkstat works for me on Linux and FreeBSD. I've seen it compile on
       OpenBSD (thanks Galahad!) and Solaris (thanks trnepal!) machines
       through shell accounts I was provided. Daniel Bogan got it working
       on Mac OS X.

WHY YOU SHOULDN'T BE USING NTOP
       If you're having issues with ntop's memory footprint or stability
       then you might want to give darkstat a try. The code is a lot
       simpler and shorter so it's a lot easier to implement any sort of
       custom monitoring you need. darkstat doesn't bother with multicast
       and non-IP protocols like ARP (if you need accounting for those, use
       ntop) but it does accounting per local port (which ntop doesn't).

SPYLOG FORMAT
       The format of the --spy logs is:

              YYYY-MM-DD hh:mm:ss src_ip method http://host/url

       Where method is GET, HEAD, or POST.

SEE ALSO
       pcap(3)
       http://freshmeat.net/projects/darkstat/
       http://purl.org/net/darkstat

AUTHOR
       Emil Mikulic and others (see AUTHORS).
       e-mail: emikulic@optushome.com.au
       www: http://purl.org/net/overload

darkstat                        August 11, 2002                    darkstat(1)
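A spylog is only useful if something reads it back. The following is an added example (not part of darkstat) of a Python parser for the --spy log format described above: it validates each line against the documented layout, rejects anything that is not one of the three documented methods, skips malformed lines instead of aborting, and summarises which HTTP hosts each local source address contacted, which is the review a router operator would do over a darkstat.spylog.YYMMDD file. The log lines are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# One spylog line: YYYY-MM-DD hh:mm:ss src_ip method http://host/url
SPYLOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>GET|HEAD|POST) "
    r"(?P<url>http://\S+)$"
)

# Constructed sample lines, not real darkstat output. One line is
# deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
2002-08-11 10:15:01 192.168.0.5 GET http://www.ntop.org/
2002-08-11 10:15:02 192.168.0.5 GET http://www.ntop.org/images/logo.png
2002-08-11 10:16:30 192.168.0.7 POST http://purl.org/net/darkstat
this line is garbage and must be skipped
2002-08-11 10:17:00 192.168.0.7 HEAD http://freshmeat.net/projects/darkstat/
"""


def parse_line(line):
    """Return a record dict for a well-formed spylog line, else None."""
    m = SPYLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    # host is everything between "http://" and the first "/" of the path
    host = m["url"][len("http://"):].split("/", 1)[0]
    return {"ts": ts, "src": m["src"], "method": m["method"],
            "host": host, "url": m["url"]}


def parse_spylog(text):
    """Parse a whole log; return (records, number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def hosts_per_source(records):
    """Map each local src_ip to a Counter of HTTP hosts it requested."""
    summary = {}
    for r in records:
        summary.setdefault(r["src"], Counter())[r["host"]] += 1
    return summary


if __name__ == "__main__":
    recs, bad = parse_spylog(SAMPLE_LOG)
    print(f"{len(recs)} requests parsed, {bad} line(s) skipped")
    for src, hosts in hosts_per_source(recs).items():
        print(src, dict(hosts))
```

Counting skipped lines rather than silently dropping them matters: a burst of unparseable lines is itself a signal that the log was truncated or tampered with and the summary is incomplete.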