man darkstat (Commands) - network traffic analyzer

NAME

darkstat - network traffic analyzer

SYNOPSIS

darkstat [ -i if ] [ -p port ] [ -b ip ] [ -d path ] [ -l ip/mask ] [ -f ip ] [ -v ] [ -n ] [ -h ] [ -V ] [ -P ] [ -e expr ] [ --spy if ] [ --detach ]

DESCRIPTION

darkstat is a network traffic analyzer. It's basically a packet sniffer which runs as a background process on a cable/DSL router sort of machine and tallies up all sorts of useless but interesting statistics.

All settings are passed on the command line.

OPTIONS

-i if
Listen on the network interface specified by if, rather than the default interface that libpcap returns.
-p port
Serve statistics on the specified port instead of the default 666.
-b ip
Bind the web interface to the specified local IP, instead of all interfaces.
-d path
Store database files in path instead of the current working directory.
-l ip/mask
When running a 2.4.x Linux kernel with NAT, packets are mangled before libpcap catches them. To get proper accounting of transfer statistics, you have to describe your local network address space. For example, if all the local machines have an IP of 192.168.0.x, your ip/mask should be 192.168.0.0/255.255.255.0.
-f ip
Force the local IP to the given value. This is mainly for multihomed servers.
-v
Enable verbose mode. You will see lines of text about packets being processed and some verbose information about what the DNS and WWW threads are doing.
-n
Turns off DNS resolution. You can turn it back on using the web interface.
-h
Displays the help/usage statement.
-V
Displays the version information.
-P
Prevents darkstat from putting the interface into promiscuous mode. (Default behaviour is to go promiscuous if possible.)
-e expr
Passes the specified packet filter expression to libpcap. Refer to the libpcap and tcpdump documentation for the syntax.
--spy if
Capture packets on the specified interface (hint: the local one), look for HTTP requests, and log them to darkstat.spylog.YYMMDD.
--detach
Detach from the controlling TTY and run in the background like a daemon.

WHY?

I have a cable router at home and I like having some statistics about the data that's going through it. I'm a fan of ntop and I've been using it for a long time. darkstat is an effort to create a smaller (in terms of memory footprint) and stabler ntop.

SPYLOG FORMAT

The format of the --spy logs is:

YYYY-MM-DD hh:mm:ss src_ip method http://host/url

Where method is GET, HEAD, or POST.
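
A parser for this log format, as an added example that is not part of the darkstat distribution: it validates each field, rejects lines that do not match the documented layout, and tallies requests per source and host. The sample lines and function names are constructed for illustration; the host and URL come from the client's request, so the parser treats them as untrusted input.

```python
import ipaddress
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

METHODS = {"GET", "HEAD", "POST"}  # the methods the man page lists

# Constructed sample lines (not real captures); the last three are malformed.
SAMPLE = """\
2004-03-01 09:15:02 192.168.0.12 GET http://www.example.com/index.html
2004-03-01 09:15:03 192.168.0.12 GET http://www.example.com/img/logo.png
2004-03-01 09:16:40 192.168.0.30 POST http://mail.example.org/login?next=/inbox
2004-03-01 09:17:11 192.168.0.30 HEAD http://www.example.com/
2004-03-01 09:17:12 192.168.0.30 DELETE http://www.example.com/x
2004-03-01 09:18:00 not-an-ip GET http://www.example.com/
truncated line
"""

def parse_line(line):
    """Return (timestamp, src_ip, method, host, path) or None if malformed."""
    parts = line.rstrip("\n").split(" ", 4)  # URL is last; keep it whole
    if len(parts) != 5:
        return None
    date, time, src, method, url = parts
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        src_ip = ipaddress.ip_address(src)
        u = urlsplit(url)
    except ValueError:
        return None
    if method not in METHODS or u.scheme != "http" or not u.hostname:
        return None
    return ts, str(src_ip), method, u.hostname, u.path or "/"

def summarize(text):
    """Tally requests per (source, host) and count rejected lines."""
    pairs, rejected = Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        pairs[(rec[1], rec[3])] += 1
    return pairs, rejected

if __name__ == "__main__":
    pairs, rejected = summarize(SAMPLE)
    for (src, host), n in pairs.most_common():
        print(f"{src:15} {host:25} {n}")
    print(f"rejected lines: {rejected}")
```
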

SEE ALSO

pcap(3)

http://freshmeat.net/projects/darkstat/

http://purl.org/net/darkstat

AUTHOR

Emil Mikulic and others (see AUTHORS).

e-mail: emikulic@optushome.com.au

www: http://purl.org/net/overload