you got stats!
Q: What is darkstat?
A: darkstat is the excellent open-source network traffic analyzer by Emil Mikulic. It sniffs all the data passing through the machine's network interfaces and presents the results graphically in your web browser. Check out the screenshot.
Q: Why is this page here?
A: So that I can spread the word about how good darkstat is. It really is very good.
Trouble was, in the bad old days of Mac OS X, darkstat wouldn't compile without some fussing about, so I put together a package for Puma & Jaguar users, a standard Mac installer with a few extra bits and bobs thrown in (thrown with loving care and attention, I might add - screenshots at the foot of this page), the sort of things we mac users expect.
At the time of writing we brushed-alluminium types are up to Panther; a matured and slick OS with most all the nobs on, and screwed in too. Developers, source-builders and the like have never had it so good, darkstat also compiles with no fuss whatsoever.
I maintain this package because in reality, only a minority of Mac users have the developers tools installed, but that shouldn't, and doesn't stop folks using this superb network monitoring tool for their homes, networks and servers.
In short, this is a place where you can get an up-to-date point-and-click Mac OS X version, and a lot more besides; without all that "messing about in the terminal" stuff.
Q: Okay, where can I get this package?
A: Right here..
If you have any problems with this installer package, please do not bug Emil about it, bug me!
Q:What else do I get?
A: Aside from the binary itself and its accompanying man page, the installer will install a StartupItem (so you always, got stats), some neat control scripts, and an uninstaller too, things that you can click! Scroll down for pics.
Please do check out the darkstat website. There are even a couple of links on there back to here, if you're feeling a bit loopy..
;o)
cor
Feeling blue cuz you got no blue?
If you are compiling darkstat on some other platform, but want in on some of this blue action, it's easy enough to achieve. you have two options:
i. edit
www.c (which is in the /src directory of the source
package) altering the colour values therein to whatever your heart desires.it's all fairly obvious, apart from maybe the bars themselves..
#define _IN "\"#3333CC\""
#define _I_R 0x33
#define _I_G 0x33
#define _I_B 0xCC
#define _OUT "\"#6699FF\""
#define _O_R 0x66
#define _O_G 0x99
#define _O_B 0xFFremember to edit all the values. Or..
ii. download a ready-made blue version of the source file right here..
this screenshot is from
another machine on my LAN. (a peecee)You can monitor your mac's network activity even before aqua loads..
if you have darkstat installed, clicking on this graph will take you to your own stats!
Welcome to the comments facility!
I've got this running on BSD, how can I get blue colors like this one has?
heh, good timing! I only put out the links this morning!
I've updated this page now, with information about this, even a link to the source file.
You are not the first to ask!
;o)
(or
okay, the c source file is there now. oops!
note: I uploaded darkstat 2.6 again today, the uninstaller, while uninstalling fine, didn't remove the package.pkg from the receipts folder (all because of a Capital "D"!) so if you installed twice, the second install would think it was an "upgrade".
Mind you, once you install darkstat, you never want to uninstall it!
;o)
(or
hi! thanks for the nice port!
I'm just wondering why i see nothing logged under the "ports" subpage?
ahh, it was fun.
erm, which "ports" subpage is that? emil's darkstat page links here, as do VersionTracker and MacUpdate. if you think there's another place that should be linking to me, let me know, better still, let them know! heh.
HAHAHHA!
oh THAT ports page! is it totally blank? weird.
maybe something in the darkstat log.
Can Darkstat tell me the in/out of all the ip addresses attached to my local network? Or what is a good program for sniffing out problem machines on a network (i.e., the machine that is slowing down everyone else).
Thanks
My "PORTS" page is blank too. Too bad I cant't get it to monitor en1 ( airport), maybe there is a trick ;)
Nothing ovious in my log...
Tue Jun 1 08:26:40 CDT 2004 : starting service..
darkstat v2.6 using libpcap v2.4 (powerpc-apple-darwin7.2.0)
Firing up threads...
Sniffing on device en0, local IP is 192.168.0.100
DNS: Thread is awake.
WWW: Thread is awake and awaiting connections.
WWW: Compiled without NLS
DOH! it helps to RTFM ;)
sudo /usr/local/bin/sniff -i en1
Glad you got it worked out davehoo, that man page really is excellent, isn't it!
it might be an idea, if you're using another network interface, to edit that into the sniff command itself. You could do a similar thing with the startup item.
Also, if /usr/local/bin is in your PATH (likely), you can just type "sniff", by itself, in a terminal.
anonymous, darkstat can only gather statistics on the machine on which it runs; to get this sort of data you need to run a sniffer with "root" access. If you ran darkstat on them all for a time (if they are *nix machines) you could collate that data perhaps, though even the data from a different machine could provide clues. For instance, you may be receiving a barrage of traffic on port 139, and that might lead you to investigate the possibility of some sort of Samba local master battle, or whatever.
You'll probably want to get closer to the packets, though, using something that allows you to view the actual packet data. check the manpage for tcpdump, there are quite a few mac packet sniffers around that will do the same (many are just front-ends for tcpdump)
Get yourself a copy of nmap see.. http://www.macos.utah.edu/Documentation/maco sx/security/nmap.html NmapFE is a rather good front-end. Point it at a suspect machine and receive much data.
If you have a intel box lying around, a copy of Knoppix STD.. http://www.knoppix-std.org/ would provide all the tools you need, and more.
;o)
(or
With OS X 10.3.4 (panther) I get massive DNS PTR lookups for random ip's (creates about 14'000) pakets in 10 Minutes). I searched for a while and figured after removing /Library/StartUp/Darkstat this behaviosr stoped.
Does anyone now about that?
I'm not up to 10.3.4 yet, but that's some pretty unusual sh*t. I'd be keen to see any log output you have. Maybe apple needs to know something.
Is it darkstat doing the lookups?? that would be weird.
feed info to my usual email address; I'll look into it; or dump small stuff here, maybe someone else knows something.
;o)
(or
I left you an email yesterday with a tcpdump file containing some of theses lookups. I cant say that your code is causing that, but it desapeared after I removed darkstat form StartupItems...
I don't know any tool who can tell me what process is doing dns lookups, at least LittleSnitch can't.
Cheers and enyoj your weekend, netwho
hope y'all enjoyed yer weekend as much as I did! back to work now..
I got the dump, thanks (tcpdump? damn! I gotta read that manpage one day) still trying to decipher that. does tcpdump do human-readable output? /me scatches head. there's an -r option, right? maybe I could pipe that... (still recovering from the weekend here *ahem*)
While I'm certain it's not my code causing the problems (I wrote the installer and mac gui bits only for this port, and the blueness, of course), I'm fairly certain it's not Emil's code, either. More than likely the latest Apple update has nudged pthreads (which are notoriously shakey). Or something along those lines, anyway.
I've just blown my 256MB ram chip on me mac (I work this old iMac too hard, BOOM! so I'm running panther on 96MB just now - no fun! like getting the replacement on the warranty will be! *sigh*) so an OS upgrade isn't on the cards for me just now, to check this out more.
Darkstat 3 is all-new underneath, and doesn't use pthreads at all, emil's working hard on that right now, the link to his site is above. If you have the dev tools installed, try compiling from source (included in the distro), I'd be curious to see if that binary exhibited the same behaviour. We could put it up here, if not.
keep me posted!
;o)
(or
well - i was looking for a traffic monitoring utility and darkstat seems to do the job. is there anyway to reset the sum and zero the traffic data. thanks in advance!
if you remove the darkstat.daylog and darkstat.db files, that should put everything back to zero. turn off darkstat while you do this, of course.
look inside /Library/darkstat/
;o)
(or
ps.. seems like years since I was last here, something feels unfinished, heh. feel free to drop in again if need be, sometimes I need a prod.
Hi cor,
this is so very cool, thank you!
A
for OS X
is sexy
Thanks again,
Tom
a command line 1D10T in Germany
satisfactory
Hello,
Thanks for providing DarkStat. It works great on my PowerMac G5 1.8 GHz DP, but no dice on my PowerBook G4 1.5 GHz. This is odd, because they are basically copies of one another and the Mac OS 10.3 5 data is synchronized daily. When I attempt to open DarkStat via the two browser addresses or by clicking on the link on the web site, I get the dreaded “server cannot be found” error. Anyone have a clue what is happening here?
“Technological change is like an axe in the hands of a pathological criminal.” (Albert Einstein, 1941),
Dr. Z.
yo!
No plans for darkstat3 for OS X yet. coding time is zero just now, but hopefully sometime in the near future. I haven't spoken to Emil for a while, but I'll get the source soon and see how it's looking on OS X.
Dr, sounds weird. Maybe a firewall? Does this happen on a local browser (same machine) ? Is darkstat actually running? Feel free to mail me more data which I will probably deal with in the near future.
;o)
(or
Getting this error when installing darkstat via fink 0.22.2 (distribution 0.7.1):
Filehandle STDIN reopened as STDOUT only for output at /sw/lib/perl5/Debconf/FrontEnd/Dialog.pm line 139.
This is after replying NO to whether I want darkstat to startup automatically at boot.
Art, I don't know anything about the fink release. I recommend using my distribution.
;o)
(or
hello i have a problem of it
last night i still can login the main page but now i cant login to the main page to check the download the browser said u cant open the localhost
what happen of it ?
first thing to check alfons; is darkstat still running? run the "sniff" command from the terminal and see what happens.
What error do you get in your browser? "Connection Refused"? or what? Check the darkstat logs in /Library/darkstat, too. Maybe a clue there.
;o)
(or
My ports page is blank also. Everything else seems fine, and all of the other pages have meaningful content. Can't figure out what might be the problem (en0 is indeed the interface I'm using). Here's the log:
Thu Dec 30 18:50:22 PST 2004 : starting service..
darkstat v2.6 using libpcap v2.4 (powerpc-apple-darwin7.2.0)
Firing up threads...
Sniffing on device en0, local IP is 192.168.2.5
DNS: Thread is awake.
WWW: Thread is awake and awaiting connections.
WWW: Compiled without NLS
GRAPH: Starting at 22 secs, 50 mins, 18 hrs, 30 days.
Loaded /Library/darkstat/darkstat.db.
ACCT: Capturing traffic...
Point your browser at http://localhost:666/ to see the stats.
ports! don't talk to me about ports!
I've looked into this a couple of times, but everything works fine for me and most other folks, so it's not been pinned down yet. The only way I've managed to replicate this error is by removing
/etc/servicesfrom my system.
you do have that file, yeah?
;o)
(or
ps.. I noticed recently (for Monty Python fans) that next to the services file, I now have a new, empty file, dunno where it came from, maybe a security update, but it's mysteriously called.. services.ni
woohoo!!!! Didn't have the /etc/services file, and adding an empty one fixed the ports page, at least partially! It's only showing 2 ports (445 and 6881, and I'm currently running Azureus on 6881). Don't know what a "typical" ports page looks like, so not sure if it should be showing more than that.
What's in your services file?
I don't have the services.ni file, and did a search, but couldn't track down what it was for.
Thanks!
OK...I'll ask the obvious, embarrassing questions. I'm running darkstat on a OS X box connected to a Cisco switch that has dozens of other machines on it (actually, a fairly large subnet at our institution). The "hosts" page lists many hosts, but am I to understand that my OS X box, with darkstat, is able to see how much data is flowing in and out of each of those other hosts? Does "In" mean how much is flowing into that host and "Out" mean how much is flowing out of it? Is darkstat an appropriate tool for looking at data on a switched network?
Thanks!
first, apologies for the missing post, dunno what happened there, it was a bit crazy back at the start of the year, hosting troubles. Anyways, I'd even went as far as to put a copy of my own services file in the public archives. hopefully pg got that.
Okay, Tom, back to your switched network, working backwards, No, darkstat really isn't an appropriate tool for monitoring a network, just the local box. If the local box also happens to be the network gateway, then sure, totals for the network could be gathered effectively.
The difficulty, in a mixed network, is getting all the machines talking the same language. You're looking at is some kind of NMP setup on all the boxes, check out this page, and maybe this one, too. There are commercial solutions, but plenty excellent free ones, too. You'll probably want to do the actual monitoring on your OS X box, of course.
As for darkstat, yes, the IN and OUT a) only apply to data coming in and out of the local machine from whatever host, and b) work backwards from the way most folk first imagine!
;o)
(or
link fixed!
I had a bit of a security update yesterday and didn't put in the non-standard doo-dah path, anyway, it works now, thanks for the mails!
;o)
(or
Your site is a very nice source of info.
Hey i was just wondering since i dont know a dang thing about macs but...
im trying to hack the school macs and im wondering if this thing can by any
chance capture passwords & user names???
Nah, this doesn't capture the data passing through, just the amount of data.
Instead, try this, in your shell..;o)
(or
My log says 'Can't get own IP address on interface en0'.
My G5 is connected to my home network via wireless using an Airport Extreme Card so is on interface en1.....I believe.
Can I still run Darkstat?
Yikes! Musta missed this one!
Your answer is further up the comments, did you spot it? Simply edit the interface name in the config.
Darkstat 3 is on its way, by the way. I'll post more about this later. gotta run...
;o)
(or
Hello, good tópic. Thanks. Bye. Salute.
Here to see what the human interface is all about.
no comments in three years? wow… are you still with us? You deserve mad kudos for this .pkg of an incredibly useful tool.
Many thanks for this excellent release... compiling the 3.0.712 source just wasn't happening (too many previous installs from diff sources… I couldn't figure out which files came from which install
Sadly, my .db from the original FiOS install was deleted, but the last 60 days haven't been too bad…
Any word on upgrading to v3.x ? Many thanks again,
::nico
Your v2 package of darkstat under snow leopard gives me this in the logs..
Tue 15 Sep 2009 15:17:34 EST : starting service..
Unhandled transform (1) for ioctl group = 66 (B), number = 121, length = 12
I tried downloading and compiling latest darkstat 3 but it gives me this when I run your sniff script:
Tue 15 Sep 2009 15:16:33 EST : starting service..
error: illegal argument: "-d"
darkstat 3.0.711 (built with libpcap 2.4)
otherwise if I try the darkstat suggested way without your sniff I get this:
Last login: Tue Sep 15 15:17:34 on ttys001
macpro:~ wayne$ sudo darkstat -i eth0
489: error: pcap_open_live():
macpro:~ wayne$
so I'm a bit stuck!
Thanks,
Wayne
Still here! Although with no Mac, this area is basically for reference only.
The installer and stuff should still work fine, but I'd expect the binary itself is getting a bit long in the tooth. Sadly, I cannot create a v3 for mac.
I do have a nice darkstat installer for IPCop, though!
;o)
Cor
Hey! When I try to run the sniff-file, it opens up terminal (so far, so good) and wants me to type in a password. Now, what password could this be? And, much worse, when I type any key, nothing will appear on terminal. I just tried to press enter, but it would show: "Sorry, try again" (yes, indeed). But I can't type in anything! can you help me?
thanks