Networking

How to use darkstat to monitor Linux server network traffic

No admin wants surprises when it comes to network traffic. Here's how to use darkstat to know exactly what's hitting your Linux server.

dependencieshero.jpg
Image: Jack Wallen

If you administer a Linux server, you'll want tools at the ready to help keep that baby humming. Some of these tools, such as a network traffic monitor, should be considered necessities. Within the realm of traffic monitors, you can't go wrong with darkstat.

What darkstat does

Darkstat captures network traffic (thanks to the help of libpcap) and calculates usage statistics. Reports are then served up over a simple HTTP server as easy to read graphs or usage listings.

Installing darkstat

I'll demonstrate how to install darkstat on a Ubuntu server. There are two ways you can do this: using standard repositories or installing from source. Regardless of the manner in which you install, you will first need to install the libpcap dependency. Follow these steps.

  1. Open a terminal window.
  2. Issue the command sudo apt-get install libpcap-dev.
  3. Type your sudo password and hit Enter.
  4. Allow the installation to complete.

Now that you have that dependency out of the way, let's install darkstat. First we'll install using apt. Here's how.

  1. Open a terminal window.
  2. Issue the command sudo apt-get install darkstat.
  3. Type your sudo password and hit Enter.
  4. Allow the installation to complete.

If you don't want to install using apt, you can download the source (for the sake of simplicity, save the file in ~/Downloads), and follow these steps.

  1. Open a terminal window.
  2. Change into the ~/Downloads directory with the command cd ~/Downloads.
  3. Unpack the file with the command tar xjvf darkstat-XXX.tar.bz2 (XXX is the release number).
  4. Change into the newly created darkstat directory.
  5. Issue the command ./configure.
  6. Once the configure completes, issue the command make.
  7. Issue the command sudo make install.
  8. Type your sudo password and hit Enter.

Configuring darkstat

Within /etc you should find a new directory called darkstat. Open a terminal window, change into that directory, and then open the file init.conf. In that file you'll find new things to edit. First and foremost, you must change this line:

START_DARKSTAT=no

to

START_DARKSTAT=yes

Next, you'll need to edit the line:

INTERFACE="-i XXX

so that it uses the networking interface on the machine (XXX is the name of the interface, such as eth0).

After that, uncomment out (remove the leading # character) the following section:

DIR="/var/lib/darkstat"

PORT="-p 666"

BINDIP="-b 127.0.0.1"

LOCAL="-l 192.168.1.0/255.255.255.0"

You also need to change the LOCAL section (above) to reflect your networking address scheme. After you make those changes, save and close the file.

Starting and viewing darkstat

To start the darkstat service, we'll use the built-in service tool like so:

sudo service darkstat start

At this point the darkstat service will be running and collecting data. Now all you have to do is point a web browser to http://IP_OF_SERVER:666 (IP_OF_SERVER is the actual IP address of the server running darkstat) and start viewing your networking graphs.

When you log into the darkstat graphs, you'll see a static graph (Figure A). If you scroll down to the bottom of the page, you can click to enable auto reload so the graphs automatically update.

Figure A

Figure A
Image: Jack Wallen

The darkstat graphs auto reloading to show network traffic associated with the server.

If you click the hosts button (at the top of the page), you'll get a list of all hosts on the network that have attempted to reach the server (Figure B).

Figure B

Figure B
Image: Jack Wallen

A listing of hosts that have contacted the server.

Simple and effective

Darkstat does an outstanding job of keeping you in the know as to what network traffic is hitting your server; plus, you'd be hard-pressed to find a simpler network monitoring tool for a Linux server. Give it a try, and see if it doesn't make your Linux server admin job easier.

Also see

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

Editor's Picks