
Analyzing traffic in Linux with Darkstat



Синауридзе Александр
04.08.2008, 22:55
In Linux you sometimes need a program that reports how much traffic is passing through. There are many different analyzers, but I settled on Darkstat (http://dmr.ath.cx/net/darkstat/). It is a packet sniffer that runs in the background and collects network statistics "on the fly".

The installation was done on a web server running ASPLinux 12.

Download:


wget http://dmr.ath.cx/net/darkstat/darkstat-3.0.708.tar.bz2

Unpack:


tar xjf darkstat-3.0.708.tar.bz2

Then the usual:


./configure
make
make install

Here is what I got:

[[email protected] darkstat-3.0.708]# ./configure
checking for /var/empty... found it
checking for a BSD-compatible install... /usr/bin/install -c
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking if your C compiler wants a hit off the pipe... sure does
checking for deflate in -lz... no
------------------------------------------------------------

I can't link to zlib. You really can't have a modern
operating system without zlib.

If you are using a package-based operating system (like
something with RPMs), see if there is a zlib-devel package
that you can install, to provide the zlib headers and
libraries.

------------------------------------------------------------
configure: error: can't find usable zlib
[[email protected] darkstat-3.0.708]# yum install zlib-devel
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.i386 0:1.2.3-10.0.120asp set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version                 Repository   Size
=============================================================================
Installing:
zlib-devel i386 1.2.3-10.0.120asp asplinux 81 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 81 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): zlib-devel-1.2.3-1 100% |=========================| 81 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: zlib-devel ######################### [1/1]

Installed: zlib-devel.i386 0:1.2.3-10.0.120asp
Complete!
[[email protected] darkstat-3.0.708]# ./configure
checking for /var/empty... found it
checking for a BSD-compatible install... /usr/bin/install -c
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking if your C compiler wants a hit off the pipe... sure does
checking for deflate in -lz... yes
checking for gethostbyname in -lnsl... yes
checking for socket in -lsocket... no
checking for inet_aton in -lresolv... yes
checking for pcap_loop in -lpcap... no
------------------------------------------------------------

darkstat absolutely requires libpcap to be installed. If
it's installed into a prefix that isn't being picked up by
configure, for example /usr/local, re-run configure and add
--with-pcap=/usr/local

If you are using a package-based operating system (like
something with RPMs), see if there is a pcap-devel or
libpcap-devel package that you can install, to provide the
pcap headers and libraries.

Failing all of the above, go to http://www.tcpdump.org/ and
download the source distribution of libpcap and build it
yourself.

------------------------------------------------------------
configure: error: can't find usable libpcap
[[email protected] darkstat-3.0.708]# yum install libpcap-devel
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package libpcap-devel.i386 14:0.9.7-1.0.120asp set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version                 Repository   Size
=============================================================================
Installing:
libpcap-devel i386 14:0.9.7-1.0.120asp asplinux 27 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 27 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): libpcap-devel-0.9. 100% |=========================| 27 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: libpcap-devel ######################### [1/1]

Installed: libpcap-devel.i386 14:0.9.7-1.0.120asp
Complete!

That's it!
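As the transcript above shows, configure stops at the first missing library, so it had to be run three times: no zlib, no libpcap, then success. The script below is an added example (not part of the original post): it looks for the headers that the two -devel packages provide and prints the names of the packages still missing, so they can be installed in one go before ./configure. The header-to-package mapping is the one seen in the transcript; the include root defaults to /usr/include and can be overridden, which is an assumption made for testing rather than something darkstat or yum require.

```shell
#!/bin/sh
# Pre-flight dependency check for the darkstat source build (added example,
# not from the original post). Prints the yum packages whose header is not
# installed yet, so a single `yum install` replaces the configure/fail loop.

# header -> package table, taken from the two failures in the transcript
HEADER_PKG_TABLE='zlib.h zlib-devel
pcap.h libpcap-devel'

# header_present INCLUDE_ROOT HEADER
# true if HEADER is found under INCLUDE_ROOT; libpcap also installs its
# headers under a pcap/ subdirectory, so that location is accepted too.
header_present() {
    [ -f "$1/$2" ] && return 0
    [ "$2" = "pcap.h" ] && [ -f "$1/pcap/$2" ] && return 0
    return 1
}

# missing_devel_packages [INCLUDE_ROOT]
# INCLUDE_ROOT defaults to /usr/include (assumption: where the ASPLinux
# -devel packages put their headers). Output: space-separated package names,
# empty when everything needed by configure is already there.
missing_devel_packages() {
    root="${1:-/usr/include}"
    printf '%s\n' "$HEADER_PKG_TABLE" | while read -r header pkg; do
        if ! header_present "$root" "$header"; then
            printf '%s ' "$pkg"
        fi
    done | sed 's/ $//'
}

# Stand-alone usage: install what is missing, then build as the post does.
#   pkgs=$(missing_devel_packages)
#   [ -n "$pkgs" ] && yum install $pkgs
#   ./configure && make && make install
missing_devel_packages
```

The same check works for any other autoconf project whose configure aborts per missing library: extend the table with the header/package pairs from its error messages.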

To start Darkstat on interface eth0:


[[email protected] darkstat-3.0.708]# darkstat -i eth0
darkstat 3.0.708 (built with libpcap 2.4)
darkstat (04813): max 1000 hosts, cutting down to 500 when exceeded
darkstat (04813): max 200 ports per host, cutting down to 30 when exceeded
darkstat (04813): starting up
darkstat (04813): daemonizing to run in the background!
darkstat (04814): I am the main process
darkstat (04813): parent waiting
darkstat (04815): set uid/gid to 99/99
darkstat (04814): DNS child has PID 4815
darkstat (04814): caplen is 54
darkstat (04814): capturing in promiscuous mode
darkstat (04814): listening on 0.0.0.0:667
darkstat (04814): loaded 133 protos
darkstat (04814): loaded 4594 tcp and 4549 udp servs, from total 9158
darkstat (04814): chrooted into: /var/empty
darkstat (04814): set uid/gid to 99/99
darkstat (04814): local_ip update(eth0) = 192.168.0.34
darkstat (04814): entering main loop
darkstat (04813): parent done reading, calling waitpid
darkstat (04813): waitpid ret 0, status is 3


Darkstat starts inspecting packets in the background, and control returns to the command line.


darkstat (04813): daemonizing to run in the background!

This shows that Darkstat runs as a service and automatically becomes a daemon.


darkstat (04814): DNS child has PID 4815

This is the PID of the child process that does the DNS lookups.

This line gives the port to connect to. Note the address: 0.0.0.0 means the built-in web server accepts connections on every address the server has, not only the local one:


darkstat (04814): listening on 0.0.0.0:667

To view the data, open http://server:667 in a browser, and that's it! Since anyone who can reach that port sees the traffic statistics, on a public web server restrict access to it (with a firewall, or by binding darkstat to a local address) before leaving it running.
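The start-up messages above already contain everything worth confirming about how darkstat is running: where the web server listens, whether it chrooted, and whether it dropped root. The script below is an added example (not from the original post or the darkstat project): it builds a start command that binds the web interface to one address instead of 0.0.0.0, and audits a captured start-up log for those three points. It assumes that -b (bind address), -p (port) and -f (libpcap filter expression) are darkstat options; check `darkstat --help` on your version before relying on them. The sample log is constructed from the lines the post shows; the interface, address and filter are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): hardened darkstat start line
# plus an audit of its start-up messages.

# darkstat_cmd IFACE BIND_ADDR PORT [FILTER]
# Prints a command that limits the web UI to BIND_ADDR and, optionally, the
# captured traffic to a BPF expression. Assumes -b, -p and -f exist on your
# darkstat version (see the lead-in).
darkstat_cmd() {
    iface="$1"; bind="$2"; port="$3"; filter="${4:-}"
    cmd="darkstat -i $iface -b $bind -p $port"
    if [ -n "$filter" ]; then
        cmd="$cmd -f '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# audit_startup_log < logfile
# Reads "darkstat (PID): ..." lines and prints three findings:
#   LISTEN <addr:port> all-interfaces|specific-address
#   CHROOT yes|no
#   PRIVDROP yes|no   (a "set uid/gid" line with a non-zero uid)
audit_startup_log() {
    listen=""; chroot="no"; privdrop="no"
    while IFS= read -r line; do
        case "$line" in
            *"listening on "*)
                listen="${line##*listening on }"
                ;;
            *"chrooted into: "*)
                chroot="yes"
                ;;
            *"set uid/gid to "*)
                ids="${line##*set uid/gid to }"
                uid="${ids%%/*}"
                [ "$uid" != "0" ] && privdrop="yes"
                ;;
        esac
    done
    addr="${listen%%:*}"
    # 0.0.0.0 is what the post's run printed: reachable from every network
    if [ "$addr" = "0.0.0.0" ]; then
        verdict="all-interfaces"
    else
        verdict="specific-address"
    fi
    printf 'LISTEN %s %s\n' "$listen" "$verdict"
    printf 'CHROOT %s\n' "$chroot"
    printf 'PRIVDROP %s\n' "$privdrop"
}

# Constructed sample: the relevant lines from the post's own start-up output
SAMPLE_LOG='darkstat (04813): daemonizing to run in the background!
darkstat (04815): set uid/gid to 99/99
darkstat (04814): capturing in promiscuous mode
darkstat (04814): listening on 0.0.0.0:667
darkstat (04814): chrooted into: /var/empty
darkstat (04814): set uid/gid to 99/99'

# Stand-alone run: show the hardened command, then audit the sample log.
darkstat_cmd eth0 127.0.0.1 667 'not tcp port 667'
printf '%s\n' "$SAMPLE_LOG" | audit_startup_log
```

The filter excludes darkstat's own web port so that browsing the statistics page does not inflate them. The log also says "capturing in promiscuous mode": on a shared segment that includes other hosts' traffic, and darkstat has a --no-promisc option for capturing only this host's traffic (again, confirm with --help for your version).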