NAME
darkstat v3 - network statistics gatherer
SYNOPSIS
darkstat -i interface [ -D ] [ -n ] [ -r ] [ -p port ]
[ -b bindaddr ] [ -f filter ] [ -l network/netmask ]
DESCRIPTION
darkstat is a packet sniffer which runs
as a background process on a cable/DSL router, gathers all sorts of
traffic statistics, and serves them over HTTP.
All settings are passed on the commandline.
OPTIONS
- -i interface
- Listen on the specified network interface. This is the only
mandatory argument.
- -D
- Debugging mode: do not detach from the controlling terminal,
stay in the foreground instead.
- -n
- Do not use promiscuous mode to capture. Note that an interface
may already be in promiscuous mode. If this is a problem, use an
appropriate bpf(4) filter.
- -r
- Do not reverse resolve IPs to host names.
- -p port
- The embedded webserver should bind to the specified port. The
default is 667.
- -b bindaddr
- The embedded webserver should bind to the specified address.
The default is to listen on all interfaces.
- -f filter
- Passes the specified packet filter expression to libpcap. The
filter syntax is beyond the scope of this manual page; please
refer to the tcpdump(1) documentation.
- -l network/netmask
- Define a "local network" according to the network and netmask
addresses. All traffic entering or leaving this network will be
graphed, as opposed to the default behaviour of only graphing
traffic to and from the local host. See the usage example
below.
USAGE EXAMPLES
To gather statistics on the fxp0 interface:
- darkstat -i fxp0
We want to account for traffic on the Internet-facing interface,
but only serve web pages to our private local network where we have
the IP address 192.168.0.1:
- darkstat -i fxp0 -b 192.168.0.1
We want to serve web pages on the standard HTTP port:
- darkstat -i fxp0 -p 80
We are on Optus (cable) and don't want to account for the
constant ARP traffic we are receiving:
- darkstat -i fxp0 -f "not arp"
We only want to account for SSH traffic:
- darkstat -i fxp0 -f "port 22"
(For a full reference on filter syntax, refer to the tcpdump(1)
manpage)
We have a network consisting of a gateway server (192.168.1.1)
and a few workstations (192.168.1.2, 192.168.1.3, etc.) and we want
to graph all traffic entering and leaving the local network, not
just the gateway server (which is running darkstat):
- darkstat -i fxp0 -l 192.168.1.0/255.255.255.0
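The embedded web server listens on all interfaces unless -b is given, so running darkstat on an Internet-facing interface can expose the statistics pages to that network. The following check is an added example, not part of darkstat or this manual page: it parses an argument list using the option letters from the SYNOPSIS; the function name darkstat_audit and its exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example: audit a darkstat v3 argument list for web-server exposure.
# Option letters come from the SYNOPSIS; the function name and exit codes
# are hypothetical conventions of this example.
# Exit status: 0 = bound to one address, 1 = listening on all interfaces,
#              2 = invalid arguments (unknown option or missing -i).
darkstat_audit() (
    iface="" port=667 bind="" promisc=yes   # 667 is the documented default
    OPTIND=1
    while getopts "i:Dnrp:b:f:l:" opt; do
        case "$opt" in
            i) iface=$OPTARG ;;
            n) promisc=no ;;
            p) port=$OPTARG ;;
            b) bind=$OPTARG ;;
            D|r|f|l) ;;                # no effect on web-server exposure
            *) echo "error: invalid option or missing argument"; exit 2 ;;
        esac
    done
    if [ -z "$iface" ]; then
        echo "error: -i interface is mandatory"
        exit 2
    fi
    echo "capture: $iface (promiscuous mode requested: $promisc)"
    # No -b, or the wildcard address, means every interface serves the stats.
    case "$bind" in
        ""|0.0.0.0)
            echo "WARN: web server reachable on all interfaces, port $port"
            exit 1 ;;
        *)
            echo "ok: web server bound to $bind, port $port"
            exit 0 ;;
    esac
)

# Constructed sample invocations, taken from the usage examples above.
darkstat_audit -i fxp0 -p 80 || true
darkstat_audit -i fxp0 -b 192.168.0.1
```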
TROUBLESHOOTING
If you are using PPPoE (for example, on
ADSL), and sniffing on an ethernet interface, you might see
warnings about PPPoE packets:
- ether: unknown protocol (8864)
In order to get usable statistics, you need to sniff on the
tunnel interface that your PPPoE software provides. For example:
- darkstat -i tun0
Or, on OpenBSD or NetBSD, sniff on the pppoe interface:
- darkstat -i pppoe0
FREQUENTLY ASKED QUESTIONS
How many bytes does each bar on the graph represent?
Hover your mouse cursor over a bar and you should get a tooltip
saying exactly how many bytes in and out the bar represents.
Why aren't there labels / tics / a scale on the graphs?
Because implementing them is hard. And doing so correctly, and in
a way that works across all browsers, looks pretty much impossible.
I might attempt it some day. In the meantime, patches would be
gladly accepted.
Why are the graphs blank? All the bars are zero.
The graphs only show traffic in/out of the local host, which is
determined by getting the IP address of the interface you're
sniffing on.
If you want to account for all traffic entering or leaving a
network, you can use the -l commandline argument.
SEE ALSO
tcpdump(1)
AUTHOR
Emil Mikulic, and others (see AUTHORS and THANKS).
WEBSITE
http://dmr.ath.cx/net/darkstat/