Measuring Network Traffic Using xDarkstat

Stefán Péter <stefan@iif.hu>

NIIFI


This paper introduces xDarkstat (extended Darkstat), an extended NTOP-like program. The main purpose of the original Darkstat program is to monitor the network interface of a specified host, gather traffic data passing through the interface, maintain internal traffic records, and build human-readable statistics based on the measurements. A packet capture library is used to provide a unified API for most network interfaces and operating systems. The statistics are conveniently available through the web.

xDarkstat is an improved version of the original program. Among many new features, it is capable of processing expired flows exported from a CISCO router, thus providing a useful tool for network managers to monitor their subnet. Currently NetFlow versions v1 and v5 are supported.

There are basically two ways of using the software: it can be configured as a continuous statistics provider, giving host and port top-lists as well as illustrative charts of traffic data. The second way of using xDarkstat is attack detection, especially for large networks. Whenever something suspicious happens in the network, the administrator can reset the counters and monitor which hosts or ports come under heavy traffic load within a short period of time.
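The two pieces the paper combines, decoding exported NetFlow v5 datagrams and turning them into resettable host and port top-lists, as an added example (not xDarkstat's own code). The record layout is the public NetFlow v5 format; the sample datagram, the `TopLists` class and all names in it are constructed for this illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
def parse_v5(packet):
    """Decode one exporter datagram into flow dicts; reject other versions and short datagrams."""
    version, count = V5_HEADER.unpack_from(packet)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "sport": r[9], "dport": r[10], "proto": r[13], "octets": r[6]})
    return flows

class TopLists:
    """Byte counters per host and per (proto, port); reset() is the 'zero the counters,
    then watch a short window' step the paper describes for attack detection."""
    def __init__(self):
        self.reset()
    def reset(self):
        self.hosts, self.ports = Counter(), Counter()
    def add(self, flows):
        for f in flows:
            for host in (f["src"], f["dst"]):            # host total = sent + received
                self.hosts[host] += f["octets"]
            for port in (f["sport"], f["dport"]):
                self.ports[(f["proto"], port)] += f["octets"]
    def top_hosts(self, n=15):
        return self.hosts.most_common(n)
    def top_ports(self, n=15):
        return self.ports.most_common(n)
def build_v5_packet(records):
    """Constructed exporter datagram for offline testing; records: (src, dst, sport, dport, proto, pkts, octets)."""
    hdr = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 0, 0,
                                   pkts, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
                    for s, d, sp, dp, proto, pkts, octets in records)
    return hdr + body

# Constructed sample (RFC 5737 documentation addresses), not real router output.
SAMPLE = build_v5_packet([("192.0.2.10", "198.51.100.5", 40000, 80, 6, 10, 15000),
                          ("198.51.100.5", "192.0.2.10", 80, 40000, 6, 8, 90000),
                          ("192.0.2.11", "198.51.100.5", 5000, 53, 17, 1, 120)])
```

Feeding `parse_v5(SAMPLE)` into `TopLists.add` and calling `top_hosts()` yields the sorted host list; a real deployment would read datagrams from the UDP socket the router exports to.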

xDarkstat has been tested on Solaris and Linux platforms. However, the system can easily be ported to other operating environments, provided that the environment supports POSIX threads.

Extensive experimentation and testing have been carried out on regional nodes of the Hungarian Academic Network. Figure 1 shows the top 15 hosts sorted by total traffic in the SZTAKI (Computer and Automation Research Institute) subnet.