Packet Sniffer Darkstat

28 February 2024 17:07

Darkstat is a free cross-platform network tool for collecting and viewing statistics on the network usage of a local computer.

Introduction

When running a local network, it is sometimes useful to know what is happening in it as a whole, to get a complete picture:

  • An anomalous increase in traffic (large transfers in either direction, queries at a high rate)
  • The appearance of new, unauthorized PCs or foreign devices in the local network
  • Identification of malfunctions (for example, requests to a particular port or protocol that go unanswered)
  • The appearance of non-standard protocols or the opening of ports on local PCs (may be caused by malicious software)

Ideally all of this is done continuously: 24/7, 365 days a year.

Since specialized software and hardware is not available, and is not needed for amateur purposes, simpler solutions are used. One example is darkstat, a network traffic analyzer (sniffer).

Darkstat, unlike professional network tools such as Wireshark or tcpdump, does not capture network packets in full but inspects only the packet headers. Darkstat uses a system library written in C++ that runs in the Linux kernel. This is why darkstat is undemanding on PC resources (CPU load below 1%, RAM consumption no more than 1.7 MB).

The darkstat application consists of two parts:

  • A service that runs constantly in the background, capturing traffic and collecting the data in its database (DB).
  • A web interface at the address http://localhost:667

Darkstat features

  • Capture of local network traffic using the libpcap kernel library
  • Storage of abbreviated information (source and destination IP/MAC addresses, ports, protocol) in its own database (in the folder /var/lib/darkstat)
  • The following is available in the web interface:
    count of captured packets and the volume of traffic
    Graphs tab: graphs of received/transmitted packets per second, minute, hour and day, with the data rate indicated
    Hosts tab: detailed information on each IP address
  • Per-host packet counts by port: netbios-dgm, netbios-ns and bootps
  • Per-host packet counts by protocol (TCP, UDP, ICMP, IGMP, GRE)
  • IP addresses in the database are asynchronously resolved to names for convenient display on screen
  • Support for the IPv6 protocol; support for TCP, UDP, multicast and other protocols (NetBIOS, HIP, DNS, mDNS)

Installing Darkstat

The libpcap capture library is part of the Linux kernel and does not require installation.

Installation for various OS:

Ubuntu / Xubuntu / Linux Mint:

sudo apt install darkstat

Debian:

su -
apt install darkstat

Fedora:

sudo dnf install darkstat

CentOS:

sudo yum install darkstat

Configuring Darkstat

The configuration is in the file /etc/darkstat/init.cfg. It needs adjusting before the first start.
The significant lines of the configuration file are:

sudo nano /etc/darkstat/init.cfg
START_DARKSTAT=yes
INTERFACE="-i enp1s10"
DIR="/var/lib/darkstat"
DAYLOG="--daylog darkstat.log"

Where:
START_DARKSTAT - must be set to "yes"
-i enp1s10 - the name of the network interface (can be found with the command ip addr). If the INTERFACE parameter is omitted or set incorrectly, darkstat will not be able to listen for packets (it will not work).
"/var/lib/darkstat" - the working directory (default, should not be changed). The database and the start/stop log are stored there as well.
--daylog darkstat.log - the file name for recording program starts and stops (located in the working directory).
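An added sanity check for the parameters described above (example script, not part of the darkstat project). It assumes a POSIX shell and takes the list of known interfaces as an argument so it can run offline; on a live host you would pass "$(ls /sys/class/net)".

```shell
#!/bin/sh
# Check a darkstat init.cfg for the mistakes that stop the service from working.
# Usage: darkstat_cfg_check FILE "IFACE1 IFACE2 ..."

cfg_value() {
    # Print the value of KEY=... from the config file, with surrounding quotes removed
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

darkstat_cfg_check() {
    cfg="$1"; known_ifaces="$2"; rc=0

    # START_DARKSTAT must be exactly "yes" or the init script does nothing
    start=$(cfg_value "$cfg" START_DARKSTAT)
    if [ "$start" != "yes" ]; then
        echo "START_DARKSTAT must be yes (got '$start')" >&2; rc=1
    fi

    # INTERFACE carries "-i <iface>"; strip the flag and verify the interface exists
    iface=$(cfg_value "$cfg" INTERFACE | sed 's/^-i *//')
    if [ -z "$iface" ]; then
        echo "INTERFACE is empty; darkstat cannot capture without -i <iface>" >&2; rc=1
    else
        found=0
        for i in $known_ifaces; do
            if [ "$i" = "$iface" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then
            echo "interface '$iface' not found (check 'ip addr')" >&2; rc=1
        fi
    fi

    # DIR is expected to stay at the default working directory
    dir=$(cfg_value "$cfg" DIR)
    if [ "$dir" != "/var/lib/darkstat" ]; then
        echo "DIR should be /var/lib/darkstat (got '$dir')" >&2; rc=1
    fi
    return $rc
}
```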

Starting Darkstat

On Ubuntu / Debian and MX Linux with the systemd init system:

sudo systemctl start darkstat
sudo /lib/systemd/systemd-sysv-install enable darkstat
sudo systemctl status darkstat

On antiX, or on MX Linux when the SysV init system is used instead of systemd (see the MX Linux site):

sudo /etc/init.d/darkstat start
sudo chkconfig darkstat on
sudo /etc/init.d/darkstat status

Web interface

To open access to the statistics from other PCs on the network, the firewall ufw must be configured:

sudo ufw allow 667/tcp
sudo ufw reload

To block access from other PCs to darkstat's port 667 on this computer:

sudo ufw deny 667/tcp
sudo ufw reload

To view the web interface, open the following address. No username or password is required:

http://localhost:667
