How to Monitor Network Traffic in Linux

I recently covered three utilities you can use to monitor your system resources in Linux. One of those programs,

iftop

gives you information about the network traffic of your machine. In this article I’ll show the in-depth usage of iftop, as well as another program called

nethogs

that was recommended by a reader. With these two programs you’ll learn how to monitor network usage in Linux, in both Ubuntu and Fedora as well as many other distributions.

Note: You’ll need to be root to run most, if not all, of these commands.

iftop I’ve used

iftop

for a long time, because it’s a very powerful tool that gives you lots of details about your network connections. Here’s what you need to know about

iftop

to get started:

Basic Usage

iftop

is easy to use if you just want to see your current network connections and how much bandwidth is being used by each remote host. Simply launch it from the command line, passing the

-i

option with the interface you want to monitor, and optionally the

-B

option to display values in bytes (the default is to display in bits). So for example, to monitor the wlan0 device in bytes, you would run:

iftop -i wlan0 -BThere’s a lot of information displayed on the screen, but it is formatted intelligently and quickly becomes easy to digest. Here is what the basic screen is showing you, when you first launch

iftop

:





As you can see, the display is packed full of useful information (click on the image above for a larger version). Don’t worry if it’s a little overwhelming at first; it won’t take long to get used to reading the display, and you’ll appreciate having all this information available so quickly.

Now let’s move on to some of the more powerful features that

iftop

provides.

Filtering networks, hosts, and ports
While it’s nice to see all the hosts your computer is talking to, it’s often the case that you’re only interested in a certain segment of the network.

iftop

allows you to filter connections by network, host, and port, which gives you complete control over which connections are displayed.

iftop

accepts pcap-filter formatted filters on the commandline with the

-f

flag. Below is a table of some of the filers you might want to use with iftop:

dst host host	src host host
dst net net	src net net
dst port port	src port port
dst portrange start-end	src portrange start-end
gateway gateway
ip proto protocol

For example, to view only traffic going from your local machine to google.com over eth0, you could run:

iftop -i eth0 -f “dst host google.com”Or to see only ssh traffic over wlan0:

iftop -i wlan0 -f “dst port 22″Additionally,

iftop

allows you to set arbitrary filters based upon regular expressions. It’s important to note that when you specify a filter with a regular expression, you are only filtering the on-screen output, whereas using a pcap filter (above) will filter what iftop actually listens to. As a result, the totals displayed at the bottom of the screen won’t be affected by regex filters. You can press the

l

key to enter regular expression filters while iftop is running.

Controlling the interface and the online help
Once you’ve got the information you want on the screen, you’ll need to be able to move around and tweak the exact output. There are many options, and the easiest thing to do is just hit the

h

or

?

key to see the on-screen help:





Notice that you can toggle things like hostname and port resolution, port display, and whether iftop sorts by destination or source. Showing connections by port is useful for monitoring throughput on programs that create many connections, while turning DNS resolution on might make it easier to read the display if you are watching things like web traffic.

nethogs Now I’ll show you how to use

nethogs

, which is a great little program that was mentioned by one of TechThrob’s readers (thanks, dasen!). Whereas

iftop

displays network usage by destination IP address and port number,

nethogs

takes a process-oriented approach and shows you usage based on the program that is accessing the network.

nethogs

is much simpler than iftop and doesn’t have as many options. You can specify the interface to listen on when you launch it:

nethogs eth1 Which will give you a screen similar to the following, showing the processes that are sending or receiving traffic on that interface.





While it’s running, you can use the

m

key to toggle between units (megabytes, kilobytes, and bytes) and to change whether you are viewing instantaneous throughput or the total throughput since nethogs was started.

Being so simple is the greatest advantage of nethogs, since it makes it much more user-friendly than iftop and lets you see in an instant what applications are using your network, and how much bandwidth they are using. If you think your network is being hammered and you want to know who to hold responsible,

nethogs

is probably the command you want.

Don’t be evil With great power comes great responsibility. If you have root on a machine that is routing a lot of traffic, tools like this will let you see what people are doing on the network; don’t be evil. Use these tools to monitor your own traffic, and to troubleshoot problems, but don’t spy on other people.