dkorunic/pktstat

pktstat

About

pktstat is a lightweight replacement for the ncurses-based pktstat. On Linux it uses AF_PACKET; on all other platforms it uses generic live PCAP capture. It requires no special or recent kernel features — AF_PACKET has been available since Linux v2.2 (1999) — and is fully compatible with other Unix platforms such as Darwin, where it falls back to generic PCAP.

At the end of execution, the program displays per-IP and per-protocol statistics (IPv4, IPv6, TCP, UDP, ICMPv4, and ICMPv6), sorted by per-connection bps, packet count, and (source-IP:port → destination-IP:port) tuples.

Note: pktstat with AF_PACKET handles up to several thousand packets per second without loss, but for higher traffic volumes consider the pktstat-bpf alternative. It is implemented as a Linux eBPF program, operates near wire-speed, and has no measurable impact on production systems.

Requirements

Capturing traffic typically requires root privileges. As an alternative, you can run pktstat as a regular user after granting it the necessary Linux capabilities:

$ setcap cap_net_raw,cap_net_admin=eip pktstat
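File capabilities set with =eip apply to every user who can execute the binary, so it is worth checking both the granted set and the file mode after running setcap. The script below is an added example, not part of the pktstat project: it parses getcap output in both the older ("path = caps+eip") and newer ("path caps=eip") libcap formats and flags extra capabilities or a world-executable binary. The function names and the pktcap group are hypothetical, and stat -c assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: audit the file capabilities granted to a pktstat binary.
# EXPECTED_CAPS is the set from the setcap command above, sorted by name.
EXPECTED_CAPS="cap_net_admin,cap_net_raw"

# caps_from_getcap LINE: print the sorted, comma-joined capability names
# found in one line of getcap output (empty output means no capabilities).
caps_from_getcap() {
    printf '%s\n' "$1" |
        awk '{print $NF}' |          # last field is "caps+flags" or "caps=flags"
        sed 's/[+=][eip]*$//' |      # drop the flag suffix (+eip or =eip)
        tr ',' '\n' | LC_ALL=C sort | paste -s -d, -
}

# audit_caps LINE MODE: LINE is getcap output, MODE is the octal file mode.
# Returns 0 if exactly the expected capabilities are set and the binary is
# not world-executable, 1 on a capability mismatch, 2 if any user can run it.
audit_caps() {
    caps=$(caps_from_getcap "$1")
    if [ "$caps" != "$EXPECTED_CAPS" ]; then
        echo "FAIL: capabilities are '${caps:-none}', expected '$EXPECTED_CAPS'"
        return 1
    fi
    mode=$2
    other=${mode#"${mode%?}"}        # last octal digit = permissions for "other"
    case $other in
        1|3|5|7)
            # Restrict with e.g.: chgrp pktcap pktstat && chmod 750 pktstat
            # (pktcap is a hypothetical dedicated group)
            echo "WARN: mode $mode lets any local user capture traffic"
            return 2 ;;
    esac
    echo "OK: $caps, mode $mode"
}

# audit_file PATH: run the audit against a real binary.
audit_file() {
    audit_caps "$(getcap "$1")" "$(stat -c %a "$1")"
}

# Audit the path given on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_file "$1"
fi
```
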

Usage

➜ ./pktstat --help
NAME
  pktstat

FLAGS
  -?, --help                display help
  -v, --add_vlan            if true, add VLAN header
  -j, --json                if true, output in JSON format
      --version             display program version
  -s, --snaplen INT         snaplen (if <= 0 uses 65535) (default: 0)
  -b, --bufsize INT         interface buffersize in MB (default: 8)
  -f, --filter STRING       BPF filter
  -i, --iface STRING        interface to read from (default: en0)
  -t, --timeout DURATION    timeout for packet capture (default: 10m0s)
  -l, --interval DURATION   interval between packet capture output (default: 0s)

By default, pktstat listens on all interfaces with no BPF filter applied. Use --iface to select a specific interface, and --filter to restrict captured traffic — for example, --filter "not port 22" to exclude SSH traffic.

--timeout stops the capture after the specified duration. You can also interrupt the program at any time with Ctrl-C, SIGTERM, or SIGINT.

--json outputs the traffic statistics as JSON instead of plain text.

--interval, when set to a value greater than zero and less than the timeout, causes the program to print statistics at that cadence until it exits.

About

Simple ethernet interface traffic monitor and reporting tool
