How to Monitor Network Traffic in Linux
I recently covered three utilities you can use to monitor your system resources in Linux. One of those programs, iftop
gives you information about the network traffic of your machine. In this article I’ll show the in-depth usage of iftop, as well as another program called nethogs
that was recommended by a reader. With these two programs you’ll learn how to monitor network usage in Linux, in both Ubuntu and Fedora as well as many other distributions.
Note: You’ll need to be root to run most, if not all, of these commands.
I’ve used iftop
for a long time, because it’s a very powerful tool that gives you lots of details about your network connections. Here’s what you need to know about iftop
to get started:
- Basic Usage
- Filtering networks, hosts, and ports
- Controlling the interface and the online help
iftop
is easy to use if you just want to see your current network connections and how much bandwidth is being used by each remote host. Simply launch it from the command line, passing the -i
option with the interface you want to monitor, and optionally the -B
option to display values in bytes (the default is to display in bits). So for example, to monitor the wlan0 device in bytes, you would run:
There’s a lot of information displayed on the screen, but it is formatted intelligently and quickly becomes easy to digest. Here is what the basic screen is showing you, when you first launch iftop
:
As you can see, the display is packed full of useful information (click on the image above for a larger version). Don’t worry if it’s a little overwhelming at first; it won’t take long to get used to reading the display, and you’ll appreciate having all this information available so quickly.
Now let’s move on to some of the more powerful features that iftop
provides.
While it’s nice to see all the hosts your computer is talking to, it’s often the case that you’re only interested in a certain segment of the network. iftop
allows you to filter connections by network, host, and port, which gives you complete control over which connections are displayed.
iftop
accepts pcap-filter formatted filters on the commandline with the -f
flag. Below is a table of some of the filers you might want to use with iftop:
dst host host | src host host |
dst net net | src net net |
dst port port | src port port |
dst portrange start-end | src portrange start-end |
gateway gateway | |
ip proto protocol |
For example, to view only traffic going from your local machine to google.com over eth0, you could run:
Or to see only ssh traffic over wlan0:
Additionally, iftop
allows you to set arbitrary filters based upon regular expressions. It’s important to note that when you specify a filter with a regular expression, you are only filtering the on-screen output, whereas using a pcap filter (above) will filter what iftop actually listens to. As a result, the totals displayed at the bottom of the screen won’t be affected by regex filters. You can press the l
key to enter regular expression filters while iftop is running.
Once you’ve got the information you want on the screen, you’ll need to be able to move around and tweak the exact output. There are many options, and the easiest thing to do is just hit the h
or ?
key to see the on-screen help:
Notice that you can toggle things like hostname and port resolution, port display, and whether iftop sorts by destination or source. Showing connections by port is useful for monitoring throughput on programs that create many connections, while turning DNS resolution on might make it easier to read the display if you are watching things like web traffic.
Now I’ll show you how to use nethogs
, which is a great little program that was mentioned by one of TechThrob’s readers (thanks, dasen!). Whereas iftop
displays network usage by destination IP address and port number, nethogs
takes a process-oriented approach and shows you usage based on the program that is accessing the network.
nethogs
is much simpler than iftop and doesn’t have as many options. You can specify the interface to listen on when you launch it:
Which will give you a screen similar to the following, showing the processes that are sending or receiving traffic on that interface.
While it’s running, you can use the m
key to toggle between units (megabytes, kilobytes, and bytes) and to change whether you are viewing instantaneous throughput or the total throughput since nethogs was started.
Being so simple is the greatest advantage of nethogs, since it makes it much more user-friendly than iftop and lets you see in an instant what applications are using your network, and how much bandwidth they are using. If you think your network is being hammered and you want to know who to hold responsible, nethogs
is probably the command you want.
With great power comes great responsibility. If you have root on a machine that is routing a lot of traffic, tools like this will let you see what people are doing on the network; don’t be evil. Use these tools to monitor your own traffic, and to troubleshoot problems, but don’t spy on other people.