Darkstat - Network Traffic Analyzer or Network Monitor

What is Darkstat?

darkstat is a network statistics gatherer.

Effectively, it's a packet sniffer which runs as a background process on a
cable/DSL router, gathers all sorts of useless but interesting statistics,
and serves them over HTTP.

Darkstat Features

Traffic graphs.

Tracks traffic per host.

Tracks traffic per TCP and UDP port for each host.

Embedded web-server with deflate compression.

Asynchronous reverse DNS resolution using a child process.

Small. Portable. Single-threaded. Efficient.

Download Darkstat

Installing Darkstat in Debian

# apt-get install darkstat

Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded.
Need to get 59.7kB of archives.
After unpacking 426kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
Install these packages without verification [y/N]? y
Get: 1 stable/main darkstat 2.6-7 [59.7kB]
Fetched 59.7kB in 0s (264kB/s)
Preconfiguring packages ...
Selecting previously deselected package darkstat.
(Reading database ... 41155 files and directories currently installed.)
Unpacking darkstat (from .../darkstat_2.6-7_i386.deb) ...
Setting up darkstat (2.6-7) ...

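This will finish the installation. Note that in the output above APT warned that the package could not be authenticated and the prompt was answered with y, so the package was installed without signature verification. Once the installation has finished, you need to edit the file located at /etc/darkstat/init.cfg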

# Turn this to yes when you have configured the options below.




Now start darkstat using the following command:

# /etc/init.d/darkstat start

This will start the darkstat process.

If you want to run darkstat from the command line


darkstat v2.6 using libpcap v2.4 (i386-pc-linux-gnu)
Firing up threads...
Sniffing on device eth0, local IP is
DNS: Thread is awake.
GRAPH: Starting at 38 secs, 42 mins, 8 hrs, 30 days.
Can't load db from darkstat.db, starting from scratch.
ACCT: Capturing traffic...
Point your browser at http://localhost:666/ to see the stats.

Now you can access your network monitor at http://youripaddress:666
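Because the statistics are served over HTTP on port 666, it is worth checking which addresses that port is bound to. The following is an added example, not part of the original article or of darkstat: a POSIX shell check that reads `ss -ltn` output and reports whether the listener on port 666 is loopback-only or reachable from other hosts. The function names are hypothetical and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): report which addresses the
# darkstat web server is listening on, from `ss -ltn` output.
DARKSTAT_PORT=666   # port shown in the startup output on this page

# Reads `ss -ltn` lines on stdin; prints "<scope> <local address>" for each
# listener on $DARKSTAT_PORT, where scope is wildcard, loopback or specific.
classify_listeners() {
    awk -v port="$DARKSTAT_PORT" '
        $1 == "LISTEN" {
            la = $4                          # Local Address:Port column
            if (!match(la, /:[0-9]+$/)) next # port follows the last colon
            addr = substr(la, 1, RSTART - 1)
            if (substr(la, RSTART + 1) != port) next
            sub(/%.*$/, "", addr)            # strip zone suffix such as %eth0
            gsub(/^\[|\]$/, "", addr)        # strip IPv6 brackets
            if (addr == "*" || addr == "0.0.0.0" || addr == "::")
                scope = "wildcard"
            else if (addr ~ /^127\./ || addr == "::1")
                scope = "loopback"
            else
                scope = "specific"
            print scope, la
        }'
}

# Succeeds (exit 0) when any listener on the port is reachable from off-host.
reachable_off_host() {
    classify_listeners | grep -qv '^loopback '
}

# Constructed sample of `ss -ltn` output, for illustration only.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:666         0.0.0.0:*
LISTEN  0       5       127.0.0.1:6660      0.0.0.0:*
EOF
}

sample_ss_output | classify_listeners
if sample_ss_output | reachable_off_host; then
    echo "port $DARKSTAT_PORT is reachable from other hosts"
fi
```

On a live host, pipe the real output in instead of the sample: `ss -ltn | classify_listeners`.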

For more options and details on how to use darkstat, check the darkstat man page.

Darkstat Screenshots

Here are some of the screenshots for darkstat v2.6.

Main Screen

Hosts Screen

On the Hosts screen you can see all the machines that take part in the communication. These can be sorted by the traffic they caused or by their IP address.

Ports Screen

On the Ports screen you can see the port numbers used by server and client applications. You can immediately recognize the port numbers used by the following daemons: 666 (darkstat), 80 (http).

Protocols Screen

The Protocols screen shows the protocols used for the transmission (ICMP, TCP, IGP and UDP) that were involved in the communication.

Graphs Screen

The Graphs screen shows a summary of the collected time periods as graphs.