This is a read-only archive. Find the latest Linux articles, documentation, and answers at the new Linux.com!

Linux.com

Feature: Networking

Linux traffic analysis, quick and simple

By Sergio Gonzalez Duran on December 06, 2007 (9:00:00 AM)

Share    Print    Comments   

Full-featured traffic analyzers for Linux systems such as ntop and vnstat are widely available, but sometimes you just want a simple program that gives you fast, basic information about the amount of traffic going in and out of the hosts on your network. Darkstat, a packet sniffer that runs as a background process, fills that role. It gathers statistics about network usage and displays them over HTTP.

I tested the latest version (darkstat-3.0.707.tar.bz2) on CentOS 5 and Fedora 7 systems. You can untar this file with tar-xvjf darkstat-3.0.707.tar.bz2, then install it with the usual ./configure; make; make install. To invoke darkstat, enter:

darkstat –i eth0

The program will start checking packets on the selected interface in the background, and return you to the shell. These lines appear after you run the program:

darkstat 3.0.707 (built with libpcap 2.4)
darkstat (19646): starting up
darkstat (19646): daemonizing to run in the background!
darkstat (19647): I am the main process
darkstat (19647): DNS child has PID 19648
darkstat (19646): parent waiting
darkstat (19647): caplen is 54
darkstat (19648): set uid/gid to 99/99
darkstat (19647): capturing in promiscuous mode
darkstat (19647): listening on 0.0.0.0:667
darkstat (19647): loaded 129 protos
darkstat (19647): loaded 4594 tcp and 4549 udp servs, from total 9158
darkstat (19647): chrooted into: /var/empty
darkstat (19647): set uid/gid to 99/99
darkstat (19647): local_ip update(eth0) = 192.168.0.5
darkstat (19647): entering main loop
darkstat (19646): parent done reading, calling waitpid
darkstat (19646): waitpid ret 0, status is 3

You can see from the third line that darkstat runs as a service and becomes a daemon automatically. Its PID is indicated on the fourth line; you can kill or terminate the program with kill -9 19647 or killall darkstat.

You must use a browser (http://server:667) to display the data gathered by darkstat, which it make available through its own embedded Web server. The ninth line, listening on 0.0.0.0:667, indicates that 667 is the port to which the browser should connect. You can change it to another port with the -p option.

The –l switch defines a local network with the syntax network/netmask, for which all traffic entering or leaving this network will be graphed. The –f option allows you to filter the packet:

darkstat –i eth0 –l 192.168.0.0/255.255.255.0 –f "port 22"

In this example we're filtering network packets for SSH, which runs on port 22, so you can determine which machines are using this protocol. The filter syntax is based on tcpdump; you can refer to its documentation for more information.

Darkstat is simple, so don't expect anything fancy. The graphs page displays four pretty but not very useful chart graphs and some other basic information. Hovering the mouse over a bar reveals a tooltip that shows how many bytes in and out the bar represents. The hosts page shows, for each host on the network, its IP and MAC addresses and the number of packets in and out. Clicking on the IP address reveals more information about the specific host, such as which ports are open and which protocols are being used. You can sort the In, Out, and Total columns only in descending order.

Unfortunately, the information darkstat displays in the browser doesn't reload automatically, so you must reload the page in order to refresh the content. However, darkstat does its job, is easy to read, and displays basic traffic information from a LAN. Sometimes, this is all you need.

Sergio Gonzalez Duran is a Linux administrator, systems developer, and network security counselor who also teaches Linux courses and publishes the Spanish-oriented Linux and open source Web site linuxtotal.com.mx.

Share    Print    Comments   

Comments

on Linux traffic analysis, quick and simple

Note: Comments are owned by the poster. We are not responsible for their content.

Darkstat

Posted by: Anonymous [ip: 217.216.157.2] on December 06, 2007 05:33 PM
Darkstat is packaged for Debian Linux.

Just a simple apt-get install or aptitude install and ready to go.

#

Linux traffic analysis, quick and simple

Posted by: Anonymous [ip: 82.170.180.219] on December 07, 2007 07:43 AM
Thanks for this article. I have one nit to pick. You've advocated the use of "kill -9" to stop the darkstat process, and that's a very bad idea. Normally, just a simple "kill" will work. The "- 9" option to kill is for those special cases when a process is stuck, and won't die with a normal kill. A "kill -9" is rather ungraceful, and does not allow a process to clean up as it exits, and so should in general be avoided. It's like using a bulldozer for the task when a small hammer will do. It pains me everytime that I get a newbie engineer, and when asked to stop a process, immediately begins typing "kill -9 ...". I sigh, and know I've got to teach this guy a thing or two about Linux/Unix process management. Anand Buddhdev

#

Re: Linux traffic analysis, quick and simple

Posted by: Anonymous [ip: unknown] on December 07, 2007 04:41 PM
Good observation, it's a bad habit to use -9.

#

amorphic media

Posted by: Anonymous [ip: 66.122.165.197] on December 07, 2007 08:50 PM
I don't know if its to late? Isn't the FCC realocating RF? Two things- One: should open source try and wach over a portion of spectrume like the hams? or just suport hams for that perpose. Two: Should the FCC provide a generic channel of or for use by all spectrum users for amorphic load opptimezation. When IP trafic reaches a one directional threshold in a given geography say covered by a cell phone trasmiter, users with equipment would get a redirect swich. This cell cast could be payed for presumably cheaper than there cost of internet media. This idea would scale as a one directional cell use in several ajacent to proximate cells reach a threshold they could jump to a radio foot print to free up cells. And, then when a large enough area made a satalite feed efficient it would jump to satalite. This would be a designated portion of each spectrum to be used and payed for presumably at an overall reduced cost than would be described by a less flexable design. It would be dynamic and open meaning available according to a sites load and willingness to pay. It mite be managed by a consortium were every member buys in to help manage overall costs of operation compared to a less shared system.

#

Linux traffic analysis, quick and simple

Posted by: Anonymous [ip: 58.109.74.182] on December 08, 2007 03:08 PM
If you omit the -9, darkstat will shut down cleanly. This is important if you want the database to be saved and/or the daylog to be written out correctly.

#

vnStat

Posted by: Anonymous [ip: 77.99.72.140] on December 11, 2007 10:40 AM
Check out vnStat (http://humdi.net/vnstat/), mentioned briefly at the start of the article, if you haven't already.

#

Linux traffic analysis, quick and simple

Posted by: Anonymous [ip: 62.226.196.34] on March 09, 2008 10:54 PM
Nice tutorial that help me a lot. I will write <a href="http://wiki.mobbing-gegner.de/Linux/Netzwerk/Analyse">my notes</a> in my wiki

#

This story has been archived. Comments can no longer be posted.



 
Tableless layout Validate XHTML 1.0 Strict Validate CSS Powered by Xaraya