Parsing a darkstat database with PHP

This is something I wrote for the sake of interest more than necessity, but I have found it quite useful for manipulating the data from a darkstat database since then. It’s not particularly elegant, in that it’s just a bunch of global functions, but it’s a decent start if you want to wrap it in a class.

You can get the code here.

4 comments

  1. Wow! I searched for this with zero hope and someone did it! Thank you! I plan to move these functions in a class. I’ll send you the improved code once I’m done with this.

  2. Hello!

    I’m using darkstat for an important school project, and I’m trying to use the darkstat.db file. Unfortunately, it’s unusable directly, so I searched for how to parse it correctly. I found your post and tried your PHP code, but unfortunately it doesn’t work. Your program finds the headers correctly, but dies with the ‘I don’t know this address family’ error. I tried to figure out why, but unsuccessfully. I wonder if your code may be obsolete.
    I guess the darkstat developers have changed the way darkstat writes its database.
    So I would like to ask you if you are aware of some improvements, or if you have improved your code yourself. If you have, may I ask you to update your post, or share your latest version?
    Thanks a lot in advance!

    1. Hi Tom,
      I managed to make this code work by modifying two lines. Here is the diff result, FYI:
      scotthsiao@ubuntu /tmp/darkstat $ diff ds_parser.php ../ds_parser_ori.php
      15,16d14
      <
      “\x04”, 6 => “\x06”);
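      Review bot: the added `$families` line is only partly visible here; the paste keeps the tail `“\x04”, 6 => “\x06”);` and drops the line before it, so the array's name and its first key cannot be confirmed from this hunk, and the string delimiters have become typographic quotes, which PHP does not parse. From the later 116,118c113,114 hunk, keys 4 and 6 are meant to map to the single raw bytes that `array_search` compares against; make sure the pasted copy uses plain ASCII quotes before running it.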
      35,36c33
      < $ip[] = bin2hex(fread($db, 2));
      $ip[] = bin2hex(fread($db, 8));
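      Review bot: the original side (`>` line) of this hunk is missing from the paste, so the change cannot be checked against what it replaced. As shown, the two reads pull 2 bytes and then 8 bytes and store each as a hex string, 10 bytes in total, which matches neither a 4-byte IPv4 nor a 16-byte IPv6 address; unless these lines sit inside a loop, confirm the lengths against the family byte read later, and consider `inet_ntop()` on the raw bytes instead of hand-assembling hex pieces.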
      85c82
      global $versions, $protocols;
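      Review bot: this hunk shows one side only, without a `<`/`>` marker, so it is not clear which version carries `global $versions, $protocols;`. If the new `$families` array is consulted inside the same function, as the 116,118c113,114 hunk does with `array_search`, it must also be listed in this `global` statement or passed as a parameter; otherwise `$families` is undefined in function scope and `array_search` receives `null`.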
      102c99

      113c110

      116,118c113,114
      < #$family = fread($db, 1); //marked by scott
      < $family = array_search(fread($db, 1), $families);
      $family = fread($db, 1);
      >
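      Review bot: `array_search(fread($db, 1), $families)` uses loose comparison and returns `false` for a byte that is not in the table; pass `true` as the third argument for a strict match and test `$family === false` explicitly before the family is used, so that a new or corrupt value still reaches the existing 'I don't know this address family' path with a useful message. The commented-out `#$family = fread($db, 1); //marked by scott` line should be deleted rather than carried in the diff.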
      159,161d154
      <
      < echo "Local IP: ".$tmp['addr'].",MAC: ".$tmp['mac'].", Hostname: ".$tmp['hostname']."\n";
      < echo "Inbound: ".$tmp['in'].",outbound: ".$tmp['out'].", Total: ".$tmp['total']."\n";
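      Review bot: these `echo` lines print from inside the parsing routine, so any caller that only wants the returned array (the `var_dump(parse_darkstat_db(...))` at the end) also gets text on stdout. Keep tracing out of the parser or gate it behind a debug flag; the same applies to the other `echo` hunks below.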
      169,170c162
      < echo "ip_count: ".$ip_count."\n";

      190,191d181
      < echo " proto_num: ".$ip_tmp['proto_num'].", proto_name: ".$ip_tmp['proto_name']."\n";
      < echo " Inbound: ".$ip_tmp['in'].", outbound: ".$ip_tmp['out'].", Total: ".$ip_tmp['total']."\n";
      201c191
      die(‘TCP proto header not found’);
      205d194
      < echo "tcp_count: ".$tcp_count."\n";
      225,227c214
      <
      < echo " port: ".$tcp_tmp['port'].", syn_count: ".$tcp_tmp['syn_count']."\n";

      240,241c227
      < $udp_count = reset(unpack('n', fread($db, 2)));
      $udp_count = reset(unpack(‘n’, fread($db, 2)));
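      Review bot: the two sides of this hunk differ only in quote characters: the second line (the original file's side) has typographic quotes around `n`, which PHP rejects as a parse error, so this hunk, like 201c191 and 274c257, repairs a copy-paste artefact rather than changing logic. Separately, `reset(unpack('n', ...))` passes a function result by reference, which PHP reports as a notice; assign first, e.g. `$v = unpack('n', fread($db, 2)); $udp_count = $v[1];`.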
      258,260c244
      <
      < echo " port: ".$udp_tmp['port']."\n";

      265d248
      < echo "\n";
      269c252

      274c257
      var_dump(parse_darkstat_db(‘darkstat.db’));
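As an added illustration of the family-byte fix discussed in the thread above (this is not the original ds_parser.php, nor darkstat's own code): the family tag is read as one raw byte and mapped back to 4 or 6 through the same kind of `$families` table, then the matching number of address bytes is read and formatted with `inet_ntop()`. It assumes the record layout is a single family byte followed by the raw 4- or 16-byte address, and the sample bytes are constructed in memory.

```php
<?php
// Added example, not the original ds_parser.php or darkstat's code. Assumed
// record layout: one family byte (0x04 or 0x06) then the raw address bytes.
$families = array(4 => "\x04", 6 => "\x06");

// Read the family byte and the address that follows it. Returns
// array('family' => 4|6, 'addr' => printable address); throws on an
// unknown family byte instead of calling die() inside the parser.
function read_address($db, array $families)
{
    $byte = fread($db, 1);
    if ($byte === false || strlen($byte) !== 1) {
        throw new RuntimeException('EOF before address family byte');
    }
    // Strict search so the raw byte "\x04" is matched, not the string "4".
    $family = array_search($byte, $families, true);
    if ($family === false) {
        throw new RuntimeException(sprintf(
            "I don't know this address family: 0x%02x at offset %d",
            ord($byte), ftell($db) - 1
        ));
    }
    $len = ($family === 4) ? 4 : 16;
    $raw = fread($db, $len);
    if (strlen($raw) !== $len) {
        throw new RuntimeException('Truncated address record');
    }
    return array('family' => $family, 'addr' => inet_ntop($raw));
}

// Constructed sample: an IPv4 record, an IPv6 record, then an unknown
// family byte (0x07) to show the failure path the comment above hit.
$sample = "\x04" . inet_pton('192.0.2.10')
        . "\x06" . inet_pton('2001:db8::1')
        . "\x07" . str_repeat("\0", 4);
$db = fopen('php://memory', 'r+');
fwrite($db, $sample);
rewind($db);

try {
    for ($i = 0; $i < 3; $i++) {
        $rec = read_address($db, $families);
        printf("family %d -> %s\n", $rec['family'], $rec['addr']);
    }
} catch (RuntimeException $e) {
    echo 'Stopped: ' . $e->getMessage() . "\n";
}
fclose($db);
```

The third record deliberately trips the unknown-family check, and the reported byte and file offset are what you would want when diagnosing a format change like the one in the comment above.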
