Darkstat packet sniffer

28 February 2024 17:07

Darkstat is a free, cross-platform network tool for collecting and viewing statistics on local network usage.

Introduction

When running a local network, it is useful to know what is happening on it as a whole, so that you can see the full picture:

  • abnormal increases in traffic (large transmit or receive volumes, high request rates)
  • new, unauthorized PCs or other people's devices appearing on the local network
  • troubleshooting (for example, requests to a specific port or protocol that get no response)
  • non-standard protocols appearing, or ports opening on local PCs (which can be caused by malware).

Ideally this monitoring runs continuously: 24/7, all year round.

Specialized monitoring hardware and software is not available for home use and is not needed for it, so simpler tools are used instead. One of them is darkstat, a network traffic analyzer (sniffer).

Unlike full packet analyzers such as Wireshark or tcpdump, darkstat does not store whole packets; it reads only the packet headers and keeps per-host and per-port counters. Darkstat is written in C and captures traffic through the libpcap library (a user-space library that pulls packets from the kernel's capture interface; it does not itself run in the kernel). Because it keeps only counters, darkstat is light on PC resources: in the author's measurements, CPU load under 1% and RAM consumption no more than about 1.7 MB.

The darkstat application consists of two parts:

  • a service that runs constantly in the background, capturing packets and collecting the statistics into its database (DB)
  • a built-in web interface at http://localhost:667.

Darkstat features

  • capturing local network traffic via the libpcap library
  • recording summarized information (source and destination IP/MAC addresses, ports, protocol) in its database (in the /var/lib/darkstat folder)
  • the following views are available in the web interface:
  • counts of packets seen and captured, and traffic volume
  • the graphs tab: graphs of received/transmitted traffic per second, minute, hour and day, with the rate shown
  • the hosts tab: detailed information for each IP address
  • per-host packet counts by port (for example netbios-dgm, netbios-ns and bootps)
  • per-host packet counts by protocol (TCP, UDP, ICMP, IGMP, GRE)
  • IP addresses in the database are asynchronously resolved to host names for convenient display
  • IPv6 support, TCP/UDP, multicast and other protocols (NetBIOS, HIP, DNS, mDNS).

Installing Darkstat

The libpcap capture library is not part of the Linux kernel; it is an ordinary user-space library that the distribution's darkstat package pulls in as a dependency, so it does not need to be installed separately.

Installation for various OS:

Ubuntu/XUbuntu/Linux Mint

sudo apt install darkstat

Debian:
su -
apt install darkstat

Fedora:

sudo dnf install darkstat

CentOS:

sudo yum install darkstat

Setting up darkstat

The configuration is in the file /etc/darkstat/init.cfg. It must be edited before the first start.
Here are the significant lines in the configuration file:

sudo nano /etc/darkstat/init.cfg
START_DARKSTAT=yes
INTERFACE="-i enp1s10" 
DIR="/var/lib/darkstat" 
DAYLOG="--daylog darkstat.log"

where:
START_DARKSTAT - must be set to "yes", otherwise the init script refuses to start the service
-i enp1s10 - name of the network interface to capture on (find it with the command ip addr). If the INTERFACE parameter is missing or names a non-existent interface, darkstat cannot open the interface and will not run.
"/var/lib/darkstat" - working directory (the default; it should not be changed). The saved database and the daylog are stored here.
--daylog darkstat.log - file name (relative to the working directory) for the day log, in which darkstat records daily traffic totals; it is not a log of program starts and stops.

Launching Darkstat

On Ubuntu/Debian and MX Linux with the systemd init system:

sudo systemctl start darkstat
sudo systemctl enable darkstat
sudo systemctl status darkstat

On antiX, or on MX Linux when the SysV init system was chosen instead of systemd:

sudo /etc/init.d/darkstat start
sudo chkconfig darkstat on
sudo /etc/init.d/darkstat status

(On Debian-based systems that do not ship chkconfig, update-rc.d darkstat defaults enables the service at boot.)

Web interface

Keep in mind that the darkstat web interface has no authentication: anyone who can reach TCP port 667 sees the list of hosts on your network, their MAC addresses and which ports they talk to. By default the service listens on all addresses, so only open the port deliberately. To open access to the statistics from other PCs on the network with the "ufw" firewall:

sudo ufw allow 667/tcp
sudo ufw reload

To close access from other PCs again, remove that rule (ufw's default inbound policy already denies the port; adding a separate deny rule after an allow rule does not help, because the earlier allow rule matches first):

sudo ufw delete allow 667/tcp
sudo ufw reload

A safer setup for remote viewing is to bind the web interface to the loopback address (darkstat's -b option; Debian's init.cfg has a BINDIP variable for it) and reach it through an SSH port forward rather than exposing port 667 on the LAN.

To view the web interface, open the following address. No username or password is required:

http://localhost:667
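The following script is an added example, not code from the darkstat project or from the original article. It checks the two settings that most often go wrong above: that the INTERFACE value in /etc/darkstat/init.cfg names a real interface, and whether the web interface on port 667 ended up listening on all addresses or only on loopback. The variable names INTERFACE and BINDIP follow Debian's init.cfg, and the socket audit reads `ss -ltn` output; both are assumptions. Without DARKSTAT_AUDIT_LIVE=1 the script runs against constructed sample data so it can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the darkstat project or the original article:
# sanity-check the values from /etc/darkstat/init.cfg and audit where the
# darkstat web interface is listening. Assumes Debian's init.cfg variable
# names (INTERFACE, BINDIP) and `ss` from iproute2; both are assumptions.

# Pull the interface name out of an INTERFACE="-i enp1s10" style value.
iface_from_cfg() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-i[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Succeed if $1 is one of the newline-separated interface names in $2
# (on a live host: $(ls /sys/class/net)).
iface_exists() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Classify how TCP port $2 is bound, given `ss -ltn` output in $1.
# Prints one of: wildcard (reachable from the whole network), loopback,
# other (a specific non-loopback address), none (not listening).
audit_bind() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 {
            p = $4; sub(/.*:/, "", p)          # port after the last colon
            if (p != port) next
            a = $4; sub(/:[^:]*$/, "", a)      # address in front of it
            if (a == "127.0.0.1" || a == "[::1]") seen["loopback"] = 1
            else if (a == "0.0.0.0" || a == "*" || a == "[::]") seen["wildcard"] = 1
            else seen["other"] = 1
        }
        END {
            if ("wildcard" in seen) print "wildcard"
            else if ("other" in seen) print "other"
            else if ("loopback" in seen) print "loopback"
            else print "none"
        }'
}

# Constructed sample data (not captured from a real host).
IFACES_SAMPLE='lo
enp1s10
wlp2s0'
# Default init.cfg (no BINDIP): darkstat listens on every address.
SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:667        0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
# With BINDIP="-b 127.0.0.1": only reachable locally or via an SSH forward.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:667      0.0.0.0:*'

if [ "${DARKSTAT_AUDIT_LIVE:-0}" = 1 ]; then
    # Check the real host: needs /etc/darkstat/init.cfg and iproute2.
    . /etc/darkstat/init.cfg
    iface=$(iface_from_cfg "${INTERFACE:-}")
    if [ -n "$iface" ] && iface_exists "$iface" "$(ls /sys/class/net)"; then
        echo "INTERFACE ok: $iface"
    else
        echo "INTERFACE '${INTERFACE:-}' does not name an existing interface"
    fi
    echo "web interface bound: $(audit_bind "$(ss -ltn)" 667)"
else
    echo "sample INTERFACE  : $(iface_from_cfg '-i enp1s10')"
    echo "default config    : $(audit_bind "$SS_WILDCARD" 667)"
    echo "with -b 127.0.0.1 : $(audit_bind "$SS_LOOPBACK" 667)"
fi
```

Run it as DARKSTAT_AUDIT_LIVE=1 sh darkstat-audit.sh after starting the service; "wildcard" for port 667 means the unauthenticated statistics page is visible to every host that can reach the machine, which is the case the ufw rules above are meant to control.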
