darkstat(1)		   User Manuals		      darkstat(1)

NAME
       darkstat - network traffic analyzer

SYNOPSIS
       darkstat	 [ -i if ] [ -p port ] [ -b ip ] [ -d path ] [ -l
       ip/mask ] [ -f ip ] [ -v ] [ -n ] [ -h ] [ -V ] [ -P  ]	[
       -e  expr ] [ --spy  if ] [ --detach ]

DESCRIPTION
       darkstat	 is  a network traffic analyzer. It's basically a
       packet sniffer which runs as a  background  process  on	a
       cable/DSL  router sort of machine and tallies up all sorts
       of useless but interesting statistics.

       All settings are passed on the commandline.

   OPTIONS
       -i if  Listen on the network interface  specified  by  if,
	      rather  than  the	 default  interface  that libpcap
	      returns.

       -p port
	      Serve statistics on the specified port  instead  of
	      the default 666.

       -b ip  Bind  the	 web interface to the specified local IP,
	      instead of all interfaces.

       -d path
	      Store database files in path instead of the current
	      working directory.

       -l ip/mask
	      When running a 2.4.x Linux kernel with NAT, packets
	      are mangled before libpcap catches  them.	  To  get
	      proper  accounting of transfer statistics, you have
	      to describe your local network address space.

	      For example, if all the local machines have  an  IP
	      of    192.168.0.x,    your    ip/mask   should   be
	      192.168.0.0/255.255.255.0.

       -f ip  Force the local IP to the	 given	value.	 This  is
	      mainly for multihomed servers.

       -v     Enable  verbose  mode.  You  will see lines of text
	      about packets  begin  processed  and  some  verbose
	      information  about what the DNS and WWW threads are
	      doing.

       -n     Turns off DNS resolution.	 You can turn it back  on
	      using the web interface.

       -h     Displays the help/usage statement.

       -V     Displays the version information.

       -P     Prevents	darkstat  from putting the interface into
	      promiscuous mode.	  (Default  behaviour  is  to  go
	      promiscuous if possible)

       -e  expr
	      Passes  the  specified  packet filter expression to
	      libpcap.	Refer to the libpcap and tcpdump documen-
	      tation for the syntax.

       --spy if
	      Capture  packets	on specified interface (hint: the
	      local one) and look for HTTP requests and log  them
	      to darkstat.spylog.YYMMDD

       --detach
	      Detach  from  the	 controlling  TTY  and run in the
	      background like a daemon.

WHY?
       I have a cable router at	 home  and  I  like  having  some
       statistics about the data that's going through it.

       I'm  a fan of ntop and I've been using it for a long time.
       darkstat is an effort to create a  smaller  (in	terms  of
       memory footprint) and stabler ntop.

SPYLOG FORMAT
       The format of the --spy logs is:

       YYYY-MM-DD hh:mm:ss src_ip method http://host/url

       Where method is GET, HEAD, or POST.

SEE ALSO
       pcap(3)
       http://freshmeat.net/projects/darkstat/
       http://purl.org/net/darkstat

AUTHOR
       Emil Mikulic and others (see AUTHORS).
       e-mail: emikulic@optushome.com.au
       www: http://purl.org/net/overload

darkstat		     Jan 2003				2


