How to Read a Dstat Graph
A Dstat graph turns a stress test into a picture you can read — but only if you know what each line and marker means. This guide walks through the anatomy of a live Dstat chart, how to interpret its shape, and the breakdown that tells you whether a protection is actually working.
The anatomy of the chart
The horizontal axis is time and the vertical axis is request volume. Our live charts plot a rolling 60-second window: the newest second enters on the right and the oldest drops off on the left, so the line always shows the last minute of traffic rather than the whole test.
Each point is the request count the target received in that second. The headline figure above the chart is the peak — the highest point in the current window — which is the number most people quote when they describe how hard a target was hit.
Allowed, bypassed and blocked
For a protected target the chart is split into series. Allowed traffic passed the protection legitimately, bypassed traffic defeated the protection and still reached the origin, and blocked traffic was stopped at the edge. The bypass series is the one that matters: it is the real measure of how much hostile load actually got through.
On an unprotected endpoint there is only one line — every request reaches the origin — which is why unprotected Dstats tend to show much higher origin-facing numbers than protected ones under the same attack.
Reading the shape
A sharp spike followed by a flat line near zero usually means mitigation kicked in or the target dropped offline. A sustained plateau means the target is absorbing the load steadily. A staircase that keeps climbing means the load is still ramping and the target has not yet hit its ceiling.
Compare the incoming line against the bypass line: if incoming climbs while bypass stays flat, the protection is holding; if bypass climbs together with incoming, the protection is leaking.
Common misreadings
A high peak alone does not mean a target failed — what matters is whether it kept responding. Likewise, a low bypass number during a short test is not proof of strength; protections can behave differently as an attack adapts. Always read the rolling trend, not a single frame.
Related Live Dstat Examples (Layer 7)
- Request Count DstatFree live Request Count Dstat: a real-time Layer7 graph of raw HTTP requests per second hitting an unprotected endpoint. No registration, refreshes every few seconds.
- Cloudflare DstatFree live Cloudflare Dstat: real-time graph of requests behind Cloudflare, broken down into allowed 200s, bypassed and blocked — see what actually gets through.
Reading Dstat graphs — FAQ
What does a flat line at zero mean?
Either the protection has filtered virtually all traffic, or the target stopped responding. Cross-check whether the page or host is still reachable to tell the two apart.
What is the most important number on the chart?
For a protected target, the bypass rate — how many requests defeated the protection and reached the origin. For an unprotected target, peak requests per second.
Why does the line only show about a minute?
The live chart uses a rolling 60-second window so the most recent behaviour is always visible in full detail; it refreshes every few seconds.