December 6, 2007

Linux traffic analysis, quick and simple

Author: Sergio Gonzalez Duran

Full-featured traffic analyzers for Linux systems such as ntop and vnstat are widely available, but sometimes you just want a simple program that gives you fast, basic information about the amount of traffic going in and out of the hosts on your network. Darkstat, a packet sniffer that runs as a background process, fills that role. It gathers statistics about network usage and displays them over HTTP.

I tested the latest version (darkstat-3.0.707.tar.bz2) on CentOS 5 and Fedora 7 systems. You can untar this file with tar-xvjf darkstat-3.0.707.tar.bz2, then install it with the usual ./configure; make; make install. To invoke darkstat, enter:

darkstat ââ¬âi eth0

The program will start checking packets on the selected interface in the background, and return you to the shell. These lines appear after you run the program:

darkstat 3.0.707 (built with libpcap 2.4)
darkstat (19646): starting up
darkstat (19646): daemonizing to run in the background!
darkstat (19647): I am the main process
darkstat (19647): DNS child has PID 19648
darkstat (19646): parent waiting
darkstat (19647): caplen is 54
darkstat (19648): set uid/gid to 99/99
darkstat (19647): capturing in promiscuous mode
darkstat (19647): listening on
darkstat (19647): loaded 129 protos
darkstat (19647): loaded 4594 tcp and 4549 udp servs, from total 9158
darkstat (19647): chrooted into: /var/empty
darkstat (19647): set uid/gid to 99/99
darkstat (19647): local_ip update(eth0) =
darkstat (19647): entering main loop
darkstat (19646): parent done reading, calling waitpid
darkstat (19646): waitpid ret 0, status is 3

You can see from the third line that darkstat runs as a service and becomes a daemon automatically. Its PID is indicated on the fourth line; you can kill or terminate the program with kill -9 19647 or killall darkstat.

You must use a browser (http://server:667) to display the data gathered by darkstat, which it make available through its own embedded Web server. The ninth line, listening on, indicates that 667 is the port to which the browser should connect. You can change it to another port with the -p option.

The ââ¬âl switch defines a local network with the syntax network/netmask, for which all traffic entering or leaving this network will be graphed. The ââ¬âf option allows you to filter the packet:

darkstat ââ¬âi eth0 ââ¬âl ââ¬âf "port 22"

In this example we're filtering network packets for SSH, which runs on port 22, so you can determine which machines are using this protocol. The filter syntax is based on tcpdump; you can refer to its documentation for more information.

Darkstat is simple, so don't expect anything fancy. The graphs page displays four pretty but not very useful chart graphs and some other basic information. Hovering the mouse over a bar reveals a tooltip that shows how many bytes in and out the bar represents. The hosts page shows, for each host on the network, its IP and MAC addresses and the number of packets in and out. Clicking on the IP address reveals more information about the specific host, such as which ports are open and which protocols are being used. You can sort the In, Out, and Total columns only in descending order.

Unfortunately, the information darkstat displays in the browser doesn't reload automatically, so you must reload the page in order to refresh the content. However, darkstat does its job, is easy to read, and displays basic traffic information from a LAN. Sometimes, this is all you need.


  • Networking
  • System Administration