Full-featured traffic analyzers for Linux systems such as ntop and vnstat are widely available, but sometimes you just want a simple program that gives you fast, basic information about the amount of traffic going in and out of the hosts on your network. Darkstat, a packet sniffer that runs as a background process, fills that role. It gathers statistics about network usage and displays them over HTTP.
I tested the latest version (darkstat-3.0.707.tar.bz2) on CentOS 5 and Fedora 7 systems. You can untar this file with tar-xvjf darkstat-3.0.707.tar.bz2, then install it with the usual ./configure; make; make install. To invoke darkstat, enter:
darkstat –i eth0
The program will start checking packets on the selected interface in the background, and return you to the shell. These lines appear after you run the program:
darkstat 3.0.707 (built with libpcap 2.4) darkstat (19646): starting up darkstat (19646): daemonizing to run in the background! darkstat (19647): I am the main process darkstat (19647): DNS child has PID 19648 darkstat (19646): parent waiting darkstat (19647): caplen is 54 darkstat (19648): set uid/gid to 99/99 darkstat (19647): capturing in promiscuous mode darkstat (19647): listening on 0.0.0.0:667 darkstat (19647): loaded 129 protos darkstat (19647): loaded 4594 tcp and 4549 udp servs, from total 9158 darkstat (19647): chrooted into: /var/empty darkstat (19647): set uid/gid to 99/99 darkstat (19647): local_ip update(eth0) = 192.168.0.5 darkstat (19647): entering main loop darkstat (19646): parent done reading, calling waitpid darkstat (19646): waitpid ret 0, status is 3
You can see from the third line that darkstat runs as a service and becomes a daemon automatically. Its PID is indicated on the fourth line; you can kill or terminate the program with kill -9 19647 or killall darkstat.
You must use a browser (http://server:667) to display the data gathered by darkstat, which it make available through its own embedded Web server. The ninth line, listening on 0.0.0.0:667, indicates that 667 is the port to which the browser should connect. You can change it to another port with the -p option.
The –l switch defines a local network with the syntax network/netmask, for which all traffic entering or leaving this network will be graphed. The –f option allows you to filter the packet:
In this example we're filtering network packets for SSH, which runs on port 22, so you can determine which machines are using this protocol. The filter syntax is based on tcpdump; you can refer to its documentation for more information.
Darkstat is simple, so don't expect anything fancy. The graphs page displays four pretty but not very useful chart graphs and some other basic information. Hovering the mouse over a bar reveals a tooltip that shows how many bytes in and out the bar represents. The hosts page shows, for each host on the network, its IP and MAC addresses and the number of packets in and out. Clicking on the IP address reveals more information about the specific host, such as which ports are open and which protocols are being used. You can sort the In, Out, and Total columns only in descending order.
Unfortunately, the information darkstat displays in the browser doesn't reload automatically, so you must reload the page in order to refresh the content. However, darkstat does its job, is easy to read, and displays basic traffic information from a LAN. Sometimes, this is all you need.
Article written By Sergio Gonzalez Duran, he is a Linux administrator, systems developer, and network security counselor who also teaches Linux courses and publishes the Spanish-oriented Linux and open source Web site linuxtotal.com.mx.