Analyzing network traffic with iftop



Traffic Watch

Sluggish network connections can be nerve-wracking. Checking live statistics about network traffic can help pinpoint the problem. Iftop is a command-line system monitoring tool that can help you identify bandwidth hogs and keep traffic moving.

Iftop (interface top) belongs in every Linux user's toolbox. Where top and htop show the current CPU load, iftop [1] shows network usage, broken down by connection. It is usually not part of a standard installation, however (see the "Installing iftop" box).

Installing iftop

Iftop is found in the repositories of all major Linux distributions, so usually it can be installed via the package manager. Prebuilt packages for further DEB-based [2] and RPM-based [3] distributions are also available online. The only prerequisites are two libraries: libpcap [4], which captures the packets from the interface, and the curses library (ncurses) [5], which draws the terminal display.

Alternatively, you can download the source code [1]. The current versions are 0.17 from February 2006 and 1.0pre2 from October 2011, both available as tarballs. After downloading the code, unpack the archive and compile the source [6] for your distribution and platform. Although the releases look a bit dusty at first glance, they work perfectly well in daily practice.

With iftop, you can find out what is eating up the bandwidth on a network interface. The program lists the connections between pairs of IP addresses and shows how much data is flowing over each of them, in both directions. Alternatively, iftop can narrow the view to particular kinds of traffic, for example, everything on the FTP or HTTP ports. This makes iftop especially good at answering why a line suddenly seems slow.

Getting Started

Start iftop in the terminal with the iftop command. Because the program opens the interface for raw packet capture through libpcap, it needs root privileges (specifically the CAP_NET_RAW capability), so you must be root or start it with sudo.

After startup, iftop's display appears in three parts: at the upper edge is the data rate scale, in the middle the list of active network connections, and at the bottom the data transfer statistics (Figure 1). Unless instructed otherwise (more on this later), iftop captures on the first non-loopback network interface it finds, which is usually eth0.

Figure 1: The iftop display shows the source without domain name but with port, and destination with domain name and protocol.

Each active network connection occupies two lines of five columns. The first line shows the data sent by the local host and the second line the data received. A small arrow shows the direction: => is the send direction and <= is the receive direction. The columns on the left show the two endpoints of the connection; the three columns on the right show the average data rate over the last 2, 10, and 40 seconds, respectively.

Behind each connection, a black bar highlights the line. The length of the bar corresponds to the connection's data rate measured against the scale at the top, so you can see at a glance which data stream is using the most bandwidth. If there are more active connections than fit on the screen, you can scroll through them with the vim keybindings: j scrolls down and k scrolls up.

At the bottom edge, iftop sums up the transmitted (TX), received (RX), and total (TOTAL) traffic. The first value on each line is the cumulative volume over the observed period, followed by the peak rate; the three columns on the right are the average rates over the previous 2, 10, and 40 seconds.
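The interactive display is fine for a quick look, but when you are chasing a bandwidth hog on a busy server it helps to capture the same 2/10/40-second rate columns non-interactively and rank the peers. The script below is an added example, not code from the article or from the iftop project: it runs iftop in text mode for a fixed number of seconds on a chosen interface, narrows the capture with a libpcap filter expression, and lists the remote peers ordered by the 10-second rate. The -t, -s, -n, -i and -f switches are iftop's own (text mode belongs to the 1.0pre releases, not 0.17); the sample output embedded in the script is constructed, and its exact column layout is an assumption to check against what your version prints.

```shell
#!/bin/sh
# Added example (not the article's or iftop's own code): one-shot, scriptable
# use of iftop.  Assumes iftop 1.0pre with -t (text mode), -s (capture N
# seconds, then quit), -n (no DNS lookups), -i (interface) and -f (filter).

# Run iftop once, non-interactively.  -n stops iftop from reverse-resolving
# every peer address (each lookup is a query to your resolver and slows the
# display).  Needs root, or CAP_NET_RAW/CAP_NET_ADMIN on the iftop binary.
run_iftop_once() {
    iface=$1; secs=$2; filter=$3
    iftop -t -n -s "$secs" -i "$iface" -f "$filter"
}

# Parse iftop -t output on stdin.  Each connection is two lines: the send
# line "<n> <local> => <2s> <10s> <40s> <cum>" followed by the receive line
# "<peer> <= <2s> <10s> <40s> <cum>".  Emits one line per connection,
# "<total_bps> <peer> <sent_bps> <recv_bps>" from the 10s column, largest first.
iftop_top_talkers() {
    awk '
    # Turn an iftop token such as 1.50Kb, 512b or 3.5MB into bits per second.
    # Assumes the 1024-based prefixes iftop prints; a trailing capital B
    # (bytes, as printed with -B or in the cumulative column) becomes bits.
    function bps(tok,   n, u) {
        n = tok; u = tok
        sub(/[A-Za-z]+$/, "", n); sub(/^[0-9.]+/, "", u)
        if (u ~ /^K/) n *= 1024
        else if (u ~ /^M/) n *= 1024 * 1024
        else if (u ~ /^G/) n *= 1024 * 1024 * 1024
        if (u ~ /B$/) n *= 8
        return n + 0
    }
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "=>") { sent = bps($(i + 2)); break }   # local host line
            if ($i == "<=") {                                 # peer line
                recv = bps($(i + 2))
                printf "%d %s %d %d\n", sent + recv, $(i - 1), sent, recv
                break
            }
        }
    }' | sort -rn
}

# Constructed sample of iftop -t output (not a real capture) so the parser
# can be exercised offline without privileges.
sample_iftop_text() {
cat <<'EOF'
interface: eth0
IP address is: 10.0.0.5
Listening on eth0
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 10.0.0.5                                 =>     1.25Kb     1.50Kb     1.10Kb       320B
     203.0.113.7                              <=     2.50Kb     3.00Kb     2.20Kb       640B
   2 10.0.0.5                                 =>     8.00Mb     6.00Mb     4.00Mb      3.5MB
     198.51.100.20                            <=       256b       512b       400b        1KB
   3 10.0.0.5                                 =>        80b        96b        60b        24B
     10.0.0.1                                 <=        80b        96b        60b        24B
--------------------------------------------------------------------------------------------
Total send rate:                                     8.00Mb     6.00Mb     4.00Mb
Total receive rate:                                  2.50Kb     3.00Kb     2.20Kb
EOF
}

demo_top_talkers() {
    sample_iftop_text | iftop_top_talkers
}

# Usage: ./iftop-talkers.sh eth0 10 'port 443'   (live capture, needs privileges)
# Without arguments the constructed sample is parsed instead.
if [ "$#" -ge 3 ]; then
    run_iftop_once "$1" "$2" "$3" | iftop_top_talkers | head -n 10
else
    demo_top_talkers
fi
```

Two practical notes. Running iftop as root means a privileged process is parsing every packet on the wire; on Linux you can instead grant only the capture capabilities to the binary (setcap cap_net_raw,cap_net_admin=eip on the iftop executable) and run it as an unprivileged user. And the -n flag, like the n key in the interactive view, keeps iftop from sending a reverse lookup for every peer address to your resolver while you investigate.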

Iftop doesn't have a lot of bells and whistles. To get an overview of the keyboard commands at runtime, simply press h (Figure 2). The remaining options are covered in the comprehensive man page; enter man iftop at the command line.

Figure 2: Pressing h brings up command help.

Customized View

You can toggle the data rate scale between linear and logarithmic mode with Shift+L; iftop briefly flashes the selected mode in the upper left corner. Pressing b toggles the bar graph display on and off. Pressing n toggles between displaying raw IP addresses and resolving them into hostnames via DNS.

Figure 3 shows a mixed display: some of the IP addresses could not be resolved into hostnames. You can also see the port numbers of the connections. Press p to toggle the port display; Shift+S limits this to the source ports and Shift+D to the destination ports only.

Figure 3: Compact display of the connections.

What applies to port numbers also applies to hostnames: press s to toggle the display of the source hosts and d to toggle the display of the destination hosts.

