darkstat(1)                      User Manuals                      darkstat(1)

NAME
       darkstat - network traffic analyzer

SYNOPSIS
       darkstat [ -i if ] [ -p port ] [ -b ip ] [ -d path ] [ -l ip/mask ]
       [ -f ip ] [ -v ] [ -n ] [ -h ] [ -V ] [ -P ] [ -e expr ] [ --spy if ]
       [ --detach ]

DESCRIPTION
       darkstat is a network traffic analyzer. It's basically a packet
       sniffer which runs as a background process on a cable/DSL router sort
       of machine and tallies up all sorts of useless but interesting
       statistics.

       All settings are passed on the command line.

OPTIONS
       -i if  Listen on the network interface specified by if, rather than
              the default interface that libpcap returns.

       -p port
              Serve statistics on the specified port instead of the default
              666.

       -b ip  Bind the web interface to the specified local IP, instead of
              all interfaces.

       -d path
              Store database files in path instead of the current working
              directory.

       -l ip/mask
              When running a 2.4.x Linux kernel with NAT, packets are mangled
              before libpcap catches them. To get proper accounting of
              transfer statistics, you have to describe your local network
              address space. For example, if all the local machines have an
              IP of 192.168.0.x, your ip/mask should be
              192.168.0.0/255.255.255.0.

       -f ip  Force the local IP to the given value. This is mainly for
              multihomed servers.

       -v     Enable verbose mode. You will see lines of text about packets
              being processed and some verbose information about what the DNS
              and WWW threads are doing.

       -n     Turns off DNS resolution. You can turn it back on using the web
              interface.

       -h     Displays the help/usage statement.

       -V     Displays the version information.

       -P     Prevents darkstat from putting the interface into promiscuous
              mode. (Default behaviour is to go promiscuous if possible.)

       -e expr
              Passes the specified packet filter expression to libpcap. Refer
              to the libpcap and tcpdump documentation for the syntax.

       --spy if
              Capture packets on specified interface (hint: the local one)
              and look for HTTP requests and log them to
              darkstat.spylog.YYMMDD.

       --detach
              Detach from the controlling TTY and run in the background like
              a daemon.

WHY?
       I have a cable router at home and I like having some statistics about
       the data that's going through it. I'm a fan of ntop and I've been
       using it for a long time. darkstat is an effort to create a smaller
       (in terms of memory footprint) and stabler ntop.

SPYLOG FORMAT
       The format of the --spy logs is:

              YYYY-MM-DD hh:mm:ss src_ip method http://host/url

       Where method is GET, HEAD, or POST.

SEE ALSO
       pcap(3)
       http://freshmeat.net/projects/darkstat/
       http://purl.org/net/darkstat

AUTHOR
       Emil Mikulic and others (see AUTHORS).
       e-mail: emikulic@optushome.com.au
       www: http://purl.org/net/overload

darkstat                            Jan 2003                       darkstat(1)
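
EXAMPLE (added here; not part of the original manual page or darkstat's own code)
       A parser for the record format given under SPYLOG FORMAT. It validates
       every field, reports malformed lines, and tallies requests per source
       IP and host. The function names and the sample lines are assumptions
       constructed for this example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# One record per line: "YYYY-MM-DD hh:mm:ss src_ip method http://host/url"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (GET|HEAD|POST) (http://\S*)$")

def parse_spylog_line(line):
    """Return a dict for a well-formed record, or None if the line is malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    stamp, src, method, url = m.groups()
    try:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")  # rejects e.g. month 13
        src_ip = ipaddress.ip_address(src)                    # rejects e.g. octet 999
        host = urlsplit(url).hostname                         # rejects bad bracketed hosts
    except ValueError:
        return None
    if not host:
        return None
    return {"time": when, "src_ip": str(src_ip), "method": method, "host": host, "url": url}

def summarize(lines):
    """Count requests per (src_ip, host); return the counts and bad line numbers."""
    counts, rejected = Counter(), []
    for n, line in enumerate(lines, 1):
        rec = parse_spylog_line(line)
        if rec:
            counts[(rec["src_ip"], rec["host"])] += 1
        elif line.strip():  # blank lines are skipped, anything else is reported
            rejected.append(n)
    return counts, rejected

# Constructed sample lines (not real traffic); lines 4 and 5 are deliberately invalid.
SAMPLE = """\
2003-01-14 09:15:02 192.168.0.12 GET http://www.example.com/index.html
2003-01-14 09:15:03 192.168.0.12 GET http://www.example.com/logo.png
2003-01-14 09:16:40 192.168.0.27 POST http://mail.example.org/login
2003-01-14 09:17:00 192.168.0.999 GET http://www.example.com/
2003-01-14 09:17:05 192.168.0.27 PUT http://mail.example.org/upload
""".splitlines()

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE)
    print(counts.most_common(), "malformed lines:", rejected)
```

       The host and URL fields come from the client's request, so they are
       untrusted input and should not be passed unescaped to a shell or
       rendered as HTML.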