How to Monitor Network Traffic in Linux

I recently covered three utilities you can use to monitor your system resources in Linux. One of those programs, iftop gives you information about the network traffic of your machine. In this article I’ll show the in-depth usage of iftop, as well as another program called nethogs that was recommended by a reader. With these two programs you’ll learn how to monitor network usage in Linux, in both Ubuntu and Fedora as well as many other distributions.

Note: You’ll need to be root to run most, if not all, of these commands.

iftop

I’ve used iftop for a long time, because it’s a very powerful tool that gives you lots of details about your network connections. Here’s what you need to know about iftop to get started:

  1. Basic Usage
  2. iftop is easy to use if you just want to see your current network connections and how much bandwidth is being used by each remote host. Simply launch it from the command line, passing the -i option with the interface you want to monitor, and optionally the -B option to display values in bytes (the default is to display in bits). So for example, to monitor the wlan0 device in bytes, you would run:

    iftop -i wlan0 -B

    There’s a lot of information displayed on the screen, but it is formatted intelligently and quickly becomes easy to digest. Here is what the basic screen is showing you, when you first launch iftop:

    As you can see, the display is packed full of useful information (click on the image above for a larger version). Don’t worry if it’s a little overwhelming at first; it won’t take long to get used to reading the display, and you’ll appreciate having all this information available so quickly.

    Now let’s move on to some of the more powerful features that iftop provides.

  3. Filtering networks, hosts, and ports
  4. While it’s nice to see all the hosts your computer is talking to, it’s often the case that you’re only interested in a certain segment of the network. iftop allows you to filter connections by network, host, and port, which gives you complete control over which connections are displayed.

    iftop accepts pcap-filter formatted filters on the commandline with the -f flag. Below is a table of some of the filers you might want to use with iftop:

    dst host host src host host
    dst net net src net net
    dst port port src port port
    dst portrange start-end src portrange start-end
    gateway gateway
    ip proto protocol

    For example, to view only traffic going from your local machine to google.com over eth0, you could run:

    iftop -i eth0 -f “dst host google.com”

    Or to see only ssh traffic over wlan0:

    iftop -i wlan0 -f “dst port 22″

    Additionally, iftop allows you to set arbitrary filters based upon regular expressions. It’s important to note that when you specify a filter with a regular expression, you are only filtering the on-screen output, whereas using a pcap filter (above) will filter what iftop actually listens to. As a result, the totals displayed at the bottom of the screen won’t be affected by regex filters. You can press the l key to enter regular expression filters while iftop is running.

  5. Controlling the interface and the online help
  6. Once you’ve got the information you want on the screen, you’ll need to be able to move around and tweak the exact output. There are many options, and the easiest thing to do is just hit the h or ? key to see the on-screen help:

    Notice that you can toggle things like hostname and port resolution, port display, and whether iftop sorts by destination or source. Showing connections by port is useful for monitoring throughput on programs that create many connections, while turning DNS resolution on might make it easier to read the display if you are watching things like web traffic.

nethogs

Now I’ll show you how to use nethogs, which is a great little program that was mentioned by one of TechThrob’s readers (thanks, dasen!). Whereas iftop displays network usage by destination IP address and port number, nethogs takes a process-oriented approach and shows you usage based on the program that is accessing the network.

nethogs is much simpler than iftop and doesn’t have as many options. You can specify the interface to listen on when you launch it:

nethogs eth1

Which will give you a screen similar to the following, showing the processes that are sending or receiving traffic on that interface.

While it’s running, you can use the m key to toggle between units (megabytes, kilobytes, and bytes) and to change whether you are viewing instantaneous throughput or the total throughput since nethogs was started.

Being so simple is the greatest advantage of nethogs, since it makes it much more user-friendly than iftop and lets you see in an instant what applications are using your network, and how much bandwidth they are using. If you think your network is being hammered and you want to know who to hold responsible, nethogs is probably the command you want.

Don’t be evil

With great power comes great responsibility. If you have root on a machine that is routing a lot of traffic, tools like this will let you see what people are doing on the network; don’t be evil. Use these tools to monitor your own traffic, and to troubleshoot problems, but don’t spy on other people.

posted @ 2012-04-24 11:32  瑞尼书苑  阅读(1056)  评论(0编辑  收藏  举报