man darkstat (Commands) - network traffic analyzer
NAME
darkstat - network traffic analyzer
SYNOPSIS
darkstat [ -i if ] [ -p port ] [ -b ip ] [ -d path ] [ -l ip/mask ] [ -f ip ] [ -v ] [ -n ] [ -h ] [ -V ] [ -P ] [ -e expr ] [ --spy if ] [ --detach ]
DESCRIPTION
darkstat is a network traffic analyzer. It's basically a packet sniffer which runs as a background process on a cable/DSL router sort of machine and tallies up all sorts of useless but interesting statistics.
All settings are passed on the command line.
OPTIONS
- -i if
- Listen on the network interface specified by if, rather than the default interface that libpcap returns.
- -p port
- Serve statistics on the specified port instead of the default 666.
- -b ip
- Bind the web interface to the specified local IP, instead of all interfaces.
- -d path
- Store database files in path instead of the current working directory.
- -l ip/mask
- When running a 2.4.x Linux kernel with NAT, packets are mangled before libpcap catches them. To get proper accounting of transfer statistics, you have to describe your local network address space. For example, if all the local machines have an IP of 192.168.0.x, your ip/mask should be 192.168.0.0/255.255.255.0.
- -f ip
- Force the local IP to the given value. This is mainly for multihomed servers.
- -v
- Enable verbose mode. You will see lines of text about packets being processed and some verbose information about what the DNS and WWW threads are doing.
- -n
- Turns off DNS resolution. You can turn it back on using the web interface.
- -h
- Displays the help/usage statement.
- -V
- Displays the version information.
- -P
- Prevents darkstat from putting the interface into promiscuous mode. (Default behaviour is to go promiscuous if possible.)
- -e expr
- Passes the specified packet filter expression to libpcap. Refer to the libpcap and tcpdump documentation for the syntax.
- --spy if
- Capture packets on the specified interface (hint: the local one), look for HTTP requests, and log them to darkstat.spylog.YYMMDD.
- --detach
- Detach from the controlling TTY and run in the background like a daemon.
WHY?
I have a cable router at home and I like having some statistics about the data that's going through it. I'm a fan of ntop and I've been using it for a long time. darkstat is an effort to create a smaller (in terms of memory footprint) and stabler ntop.
SPYLOG FORMAT
The format of the --spy logs is:
YYYY-MM-DD hh:mm:ss src_ip method http://host/url
Where method is GET, HEAD, or POST.
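A strict parser for the --spy log format above, as an added example that is not part of darkstat or its documentation. It assumes one record per line with single-space separators; the URL field comes from captured traffic, so lines that do not match the documented layout are counted as rejected rather than guessed at. The sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Field layout from SPYLOG FORMAT: date, time, src_ip, method, URL.
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (GET|HEAD|POST) (http://\S+)")

def parse_spylog_line(line):
    """Return (timestamp, src_ip, method, host, url), or None if malformed."""
    m = LINE_RE.fullmatch(line.rstrip("\n"))
    if m is None:
        return None
    stamp, src, method, url = m.groups()
    try:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")  # rejects month 13 etc.
        src_ip = ipaddress.ip_address(src)                    # rejects non-addresses
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return (when, str(src_ip), method, host, url) if host else None

def summarise(lines):
    """Count requests per (src_ip, host) and count the lines that were rejected."""
    hits, rejected = Counter(), 0
    for line in lines:
        rec = parse_spylog_line(line)
        if rec is None:
            rejected += 1
        else:
            hits[(rec[1], rec[3])] += 1
    return hits, rejected

# Constructed sample lines (not real captures); the last two are malformed.
SAMPLE = [
    "2004-03-01 09:15:02 192.168.0.12 GET http://example.com/index.html",
    "2004-03-01 09:15:03 192.168.0.12 GET http://example.com/logo.png",
    "2004-03-01 09:16:40 192.168.0.27 POST http://example.org/login",
    "2004-03-01 09:17:00 192.168.0.27 PUT http://example.org/upload",  # undocumented method
    "2004-13-01 09:17:05 192.168.0.27 GET http://example.org/",        # invalid month
]

if __name__ == "__main__":
    hits, rejected = summarise(SAMPLE)
    for (src, host), n in sorted(hits.items()):
        print(f"{src} -> {host}: {n}")
    print(f"rejected lines: {rejected}")
```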
SEE ALSO
AUTHOR
Emil Mikulic and others (see AUTHORS).
e-mail: emikulic@optushome.com.au
www: http://purl.org/net/overload