
darkstat

darkstat is a packet sniffer that runs as a background process and serves network traffic statistics to a web browser. It reports inbound and outbound IP traffic by machine, port, and protocol, along with graphical views of global traffic for the last minute, hour, day, and month.

Description

darkstat is a network traffic analyzer designed to monitor and visualize network activity efficiently. It operates as a lightweight packet sniffer, capturing data and presenting it through a web interface accessible via a browser. Key features include breakdowns of IP traffic by machines, ports, and protocols, as well as time-based graphical representations of global input and output traffic over various intervals such as the last minute, hourly, daily, and monthly.

Use cases for darkstat include real-time network monitoring, troubleshooting connectivity issues, and analyzing traffic patterns in environments where resource efficiency is critical. It is particularly suited for scenarios requiring a small memory footprint and high stability, making it a preferred alternative to heavier tools like ntop.

The tool integrates seamlessly into Kali Linux environments for cybersecurity tasks, such as reconnaissance and traffic inspection during penetration testing.

How It Works

darkstat uses libpcap (version 1.10.6 with 64-bit time_t and TPACKET_V3 support) to capture network packets on specified interfaces or from capture files. It processes the packets in the background, aggregating statistics on IP traffic by machines, ports, and protocols. These statistics are served via an embedded web server, typically on a configurable port and bind address, allowing browser-based access to real-time and historical graphical data including last-minute, hourly, daily, and monthly input/output charts.

Installation

sudo apt install darkstat

Flags

-i interface          Specify the network interface to monitor
-f filter             Apply a libpcap filter expression
-r capfile            Read packets from a capture file instead of live interface
-p port               Set the web server port
-b bindaddr           Bind the web server to a specific address
-l network/netmask    Specify the local network and netmask
--base path           Set the base path for the web interface
--local-only          Restrict web access to local connections only
--snaplen bytes       Set the snapshot length for packet capture

Examples

Monitor traffic on the eth0 interface and serve statistics via web browser
darkstat -i eth0
Capture on wlan0 and serve web stats on port 8080
darkstat -i wlan0 -p 8080
Filter for HTTP traffic only on eth0 (darkstat needs either an interface with -i or a capture file with -r)
darkstat -i eth0 -f 'tcp port 80'
Analyze packets from a previously saved capture file
darkstat -r capture.pcap
Capture on eth0, bind the web server to localhost, and set the local network to 192.168.1.0/24
darkstat -i eth0 -b 127.0.0.1 -l 192.168.1.0/24
Restrict access locally with a 1500-byte snapshot length on eth0
darkstat -i eth0 --local-only --snaplen 1500
Capture on all interfaces
darkstat -i any
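
Because the statistics page lists per-host traffic, it is worth checking which address the embedded web server actually ended up listening on after choosing -b and -p. The script below is an added example, not part of darkstat or of the original page: it reads `ss -H -ltnp` output and reports any darkstat listener bound to something other than loopback. The function names, the sample lines and their ports and PIDs are constructed, and it assumes the process shows up in ss as "darkstat".

```shell
#!/usr/bin/env bash
# Added example: audit where darkstat's embedded web server is listening.
# Assumption: input is `ss -H -ltnp` output and the process is named "darkstat".

# Constructed sample of `ss -H -ltnp` output so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("darkstat",pid=2101,fd=6))
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:* users:(("darkstat",pid=2177,fd=6))
LISTEN 0 128 [::1]:8082 [::]:* users:(("darkstat",pid=2190,fd=6))
LISTEN 0 128 192.168.1.10:8083 0.0.0.0:* users:(("darkstat",pid=2203,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'

# Print one "addr port pid" line per darkstat listener that is not loopback-only.
exposed_darkstat_listeners() {
  awk '
    $1 == "LISTEN" && /\(\("darkstat",/ {
      ep = $4                                       # local address:port column
      port = ep; sub(/^.*:/, "", port)              # text after the last colon
      addr = ep; sub(/:[^:]*$/, "", addr)           # text before the last colon
      sub(/%.*$/, "", addr)                         # drop interface scope (%lo, %eth0)
      gsub(/^\[|\]$/, "", addr)                     # drop IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1") next    # loopback: not reachable off-host
      pid = $0; sub(/^.*pid=/, "", pid); sub(/[^0-9].*$/, "", pid)
      print addr, port, pid
    }'
}

# Return non-zero and list the listeners if any darkstat socket is exposed.
audit_darkstat() {
  hits=$(exposed_darkstat_listeners)
  if [ -n "$hits" ]; then
    printf 'darkstat web interface reachable beyond loopback:\n%s\n' "$hits"
    return 1
  fi
  echo 'darkstat listeners are loopback-only (or darkstat is not listening)'
}

# Live use (root is needed for the process column):  sudo ss -H -ltnp | audit_darkstat
printf '%s\n' "$SAMPLE_SS" | audit_darkstat || true
```

On the constructed sample it flags the 0.0.0.0 and 192.168.1.10 listeners and ignores the two loopback ones and sshd.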
Updated 2026-04-16 (source: kali.org)