Bandwidthd or darkstat

Hello again!

A new problem has developed and I need to monitor someone’s activity on the network. I need to save the logs for a couple of weeks and have seen that it can be done a few ways, but I would prefer a USB drive, for which I do have a port on the back of the router. How would I set the log to be saved onto that drive?

What are the powers of your router? Any stats package will do, let's see if you can encrypt USB too…

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board

From the topic header, only darkstat is available (bandwidthd was removed two releases ago due to stagnant development, though you could conceivably pull it from a previous Release). See darkstat config here.

The two packages referenced, bandwidthd and darkstat, are two different animals. Darkstat shows the traffic in real time for different hosts within your network; it won’t show the traffic profile of the various hosts over time. Bandwidthd, conversely, shows the traffic profile of the various hosts over time.

You can set up your USB device with a mount point as `/mnt/data/`, create a darkstat directory, and configure the `/etc/config/darkstat` with `option daylog_file '/mnt/data/darkstat/darkstat_daylog.log'`

Without any reference on exactly what you want to track, you’re on your own to create a valid option network_filter stanza (refer to the tcpdump documentation.)

I am using a linksys wrt1900acs v2 but I will submit what I got from ssh tomorrow.

Alright, so here is the output I said I was going to post.

        "kernel": "6.6.104",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,wrt1900acs",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"

Now I normally use the UI if there is one but I don’t mind using command line if I have to. I noticed that darkstat was among the packages in the software list. Can I go ahead with that?

Sure. Works on my WRT1900ACS V2. See my post above for the wiki link for the package config. All you really need is to set the interface to monitor and it will produce stats.

You indicated here that you are looking just to follow traffic from a single entity. If you need help filtering just that traffic, give us a basic premise of what you want captured.

Yes, I am sorry for not being clear enough. I did install it and it looks good; I just have two questions.

  1. It is mentioned that I can bind the stats page to a single IP. Does this prevent anyone else from viewing it?
  2. Does this also display the main domain of the site that they are visiting?

  1. That depends. Unlikely without root access. If you have concerns with an entity on your network that has access to ssh or LuCI, it would be trivial.
  2. No. While darkstat runs in promiscuous mode, its underlying logic originally was to capture traffic stats in the wake of ISPs setting additional charges based on monthly bandwidth volume. It was never designed to capture flow-type traffic.

If this is the type of traffic you wish to capture, bandwidthd and darkstat won’t do that. As well, you should be aware that this can also have Security and Performance issues. Those two aside, there are also Legal and Compliance Concerns. In many jurisdictions capturing traffic that isn't intended for you can violate privacy laws or regulations.

Wireshark, tcpdump, and softflowd are likely candidates for capturing this type of traffic.

The OP will need a combination of those tools if "main domain" means the URL that the user actually entered into the browser.

Wireshark and tcpdump can record any (unencrypted) DNS request. Softflowd more so records SRC and DST IP, total traffic of the flow, protocol, etc. (i.e., Layer 3 metadata).

This part.

This is a good thread to check out: How to view layer 7 application running on Network - #4 by lleachii

The network I am monitoring is my home network. The person I am watching is no longer trustworthy and they are aware of this and still choose to act in this manner. I also installed tcpdump and I will also download and install Wireshark. What commands do I need to know in order to capture all their network traffic and look at it?

That just won't work without a significant amount of effort on your part. You haven't yet said what type of issues you are having, and have given no concept of exactly what you are looking to achieve.

Starting with tcpdump, here are a couple of tcpdump commands:

  1. This will capture all packets from your network interfaces, no resolve, capture 5000 packets, and write to `/var/tcpdump1.pcap`. Enter `tcpdump -i any -n -c 5000 -w /var/tcpdump1.pcap`.

  2. Then you can read back the captured traffic, or send it to wireshark, or softflowd. To read it, use `tcpdump -r /var/tcpdump1.pcap`.

Beyond that there is little advice I can offer without any clear context towards your goal.

As I said before, right now I am simply looking to monitor what this person is using my network to look at and I will “achieve” that by looking at their network traffic packets.

But, thank you very much for the help.