iftop: Real-Time Network Bandwidth Monitor
Overview
iftop is a powerful command-line utility that displays real-time network bandwidth usage on an interface by host. It provides a dynamic view of network connections, showing which hosts are consuming the most bandwidth and in which direction the traffic is flowing. This tool is essential for network administrators, system administrators, and anyone who needs to monitor network activity in real-time.
Installation
Ubuntu/Debian Systems
```bash
sudo apt update
sudo apt install iftop
```
Red Hat/CentOS/Fedora Systems
```bash
# CentOS/RHEL 7/8
sudo yum install epel-release
sudo yum install iftop

# Fedora
sudo dnf install iftop
```
Arch Linux
```bash
sudo pacman -S iftop
```
macOS (using Homebrew)
```bash
brew install iftop
```
Compilation from Source
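```bash
# The tarball is served over plain HTTP; compare it against a checksum from a trusted source before building
wget http://www.ex-parrot.com/~pdw/iftop/download/iftop-1.0pre4.tar.gz
tar -xzf iftop-1.0pre4.tar.gz
cd iftop-1.0pre4
./configure
make
sudo make install
```
Basic Usage and Syntax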
Standard Syntax
```bash
iftop [options] [filter expression]
```
Basic Commands
#### Monitor Default Interface
```bash
sudo iftop
```
This starts iftop on the default network interface. Root privileges are required for packet capture.
#### Monitor Specific Interface
```bash
sudo iftop -i eth0
sudo iftop -i wlan0
sudo iftop -i enp0s3
```
#### Monitor Without DNS Resolution
```bash
sudo iftop -n
```
#### Monitor Specific Port
```bash
sudo iftop -f "port 80"
sudo iftop -f "port 443"
```
Command Line Options
| Option | Long Form | Description | Example |
|--------|-----------|-------------|---------|
| -h | --help | Display help message | iftop -h |
| -n | | Don't resolve hostnames | iftop -n |
| -N | | Don't resolve port names | iftop -N |
| -p | | Run in promiscuous mode | iftop -p |
| -P | | Display ports | iftop -P |
| -l | | Display and log network traffic | iftop -l |
| -b | | Don't display bandwidth bars | iftop -b |
| -B | | Display bandwidth in bytes/sec | iftop -B |
| -i | | Monitor specific interface | iftop -i eth0 |
| -f | | Use filter expression | iftop -f "port 80" |
| -F | | Read filter from file | iftop -F /path/to/filter |
| -G | | Display bytes in SI units | iftop -G |
| -c | | Read config from file | iftop -c /path/to/config |
| -t | | Text output mode | iftop -t |
| -s | | Print single measurement | iftop -t -s 10 |
Interactive Commands
Real-time Control Keys
| Key | Function | Description |
|-----|----------|-------------|
| h | Help | Display help screen |
| n | Toggle DNS | Toggle hostname resolution |
| s | Source sorting | Toggle sorting by source |
| d | Destination sorting | Toggle sorting by destination |
| t | Toggle display | Cycle through 2s/10s/40s averages |
| p | Pause display | Pause/unpause the display |
| j/k | Scroll | Scroll up/down through connections |
| f | Filter | Set filter expression |
| l | Screen | Toggle logarithmic scale |
| P | Ports | Toggle port display |
| b | Bars | Toggle bandwidth bars |
| B | Units | Toggle bytes/bits display |
| T | Totals | Toggle cumulative totals |
| o | Order | Cycle through sort orders |
| 1/2/3 | Columns | Sort by different columns |
| < | | Sort by source name |
| > | | Sort by destination name |
| q | Quit | Exit iftop |

Display Format and Understanding Output
Main Display Components
#### Connection List Format
```
Source Host          Destination Host     Bandwidth
192.168.1.100   =>   google.com           1.2Mb   800Kb   600Kb
                <=                        2.4Mb   1.6Mb   1.2Mb
```
#### Column Explanations
| Column Position | Time Period | Description |
|----------------|-------------|-------------|
| First | 2 seconds | Most recent 2-second average |
| Second | 10 seconds | 10-second average |
| Third | 40 seconds | 40-second average |
#### Bottom Statistics
```
TX:     cumul:  12.5MB   peak rate:  1.2Mb   rates:  800Kb   600Kb   400Kb
RX:             45.2MB               4.5Mb           2.1Mb   1.8Mb   1.5Mb
TOTAL:          57.7MB               5.7Mb           2.9Mb   2.4Mb   1.9Mb
```
Advanced Usage Examples
Network Interface Monitoring
#### Monitor Wireless Interface
```bash
sudo iftop -i wlan0 -P -n
```
This monitors the wireless interface showing ports without DNS resolution.
#### Monitor Multiple Aspects
```bash
sudo iftop -i eth0 -P -B -n
```
Monitor ethernet interface displaying ports, bandwidth in bytes, without DNS resolution.
Traffic Filtering
#### HTTP Traffic Only
```bash
sudo iftop -f "port 80 or port 443"
```
#### Specific Host Traffic
```bash
sudo iftop -f "host 192.168.1.100"
```
#### Network Range Monitoring
```bash
sudo iftop -f "net 192.168.1.0/24"
```
#### Exclude Specific Traffic
```bash
sudo iftop -f "not port 22"
```
Output Formatting
#### Text Mode for Logging
```bash
sudo iftop -t -s 30 > network_usage.log
```
#### Continuous Text Output
```bash
sudo iftop -t -L 100
```
Filter Expressions
Basic Filter Syntax
| Filter Type | Syntax | Example | Purpose |
|-------------|--------|---------|---------|
| Host | host [hostname/IP] | host google.com | Monitor specific host |
| Network | net [network/mask] | net 192.168.1.0/24 | Monitor network range |
| Port | port [number] | port 80 | Monitor specific port |
| Protocol | [protocol] | tcp, udp, icmp | Filter by protocol |
| Direction | src/dst | src host 192.168.1.1 | Source/destination specific |
Complex Filter Examples
#### Web Traffic (HTTP/HTTPS)
```bash
sudo iftop -f "port 80 or port 443"
```
#### Email Traffic
```bash
sudo iftop -f "port 25 or port 110 or port 143 or port 993 or port 995"
```
#### Internal Network Only
```bash
sudo iftop -f "net 192.168.0.0/16 or net 10.0.0.0/8 or net 172.16.0.0/12"
```
#### Exclude SSH and Local Traffic
```bash
sudo iftop -f "not port 22 and not host 127.0.0.1"
```
Configuration File
Default Configuration Locations
- /etc/iftoprc (system-wide)
- ~/.iftoprc (user-specific)

Sample Configuration File
```bash
# Interface to monitor
interface: eth0

# DNS resolution
dns-resolution: yes
port-resolution: yes

# Display options
show-bars: yes
promiscuous: no
port-display: off
link-local: no

# Sorting
sort: 2s
line-display: two-line
show-totals: yes

# Units
max-bandwidth: 100M
log-scale: no

# Filtering
net-filter: 192.168.1.0/24
```
Configuration Parameters
| Parameter | Values | Description | Example |
|-----------|--------|-------------|---------|
| interface | device name | Default interface | interface: eth0 |
| dns-resolution | yes/no | Resolve hostnames | dns-resolution: no |
| port-resolution | yes/no | Resolve port names | port-resolution: yes |
| filter-code | filter expression | Default filter | filter-code: port 80 |
| show-bars | yes/no | Display bandwidth bars | show-bars: yes |
| promiscuous | yes/no | Promiscuous mode | promiscuous: yes |
| port-display | on/off/source/destination | Port display mode | port-display: on |
| sort | 2s/10s/40s/source/destination | Default sort column | sort: 2s |
| line-display | one-line/two-line | Connection display format | line-display: two-line |
| show-totals | yes/no | Show total bandwidth | show-totals: yes |
| log-scale | yes/no | Logarithmic scale | log-scale: no |
| max-bandwidth | bandwidth | Scale maximum | max-bandwidth: 10M |
Practical Monitoring Scenarios
Bandwidth Monitoring
#### Identify Bandwidth Hogs
```bash
sudo iftop -i eth0 -P -B -o 2s
```
This command helps identify which connections are using the most bandwidth in the last 2 seconds.
#### Monitor Server Traffic
```bash
sudo iftop -i eth0 -f "not port 22" -P -n
```
Monitor all server traffic excluding SSH connections.
#### Web Server Monitoring
```bash
sudo iftop -f "port 80 or port 443" -P -B
```
Monitor only web traffic to see HTTP and HTTPS connections.
Network Troubleshooting
#### Detect Unusual Connections
```bash
sudo iftop -i eth0 -n -P -o destination
```
Sort by destination to identify unusual outbound connections.
#### Monitor Specific Service
```bash
sudo iftop -f "port 3306" -P -B
```
Monitor MySQL database connections.
#### Check for Port Scanning
```bash
sudo iftop -f "tcp[tcpflags] & (tcp-syn) != 0" -n -P
```
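Monitor packets with the TCP SYN flag set to detect potential port scanning. The filter also matches SYN-ACK replies, so look for a single source producing many short, low-bandwidth flows to different ports rather than for high rates.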
Output Analysis and Interpretation
Understanding Bandwidth Units
| Unit | Full Form | Bytes per Second |
|------|-----------|------------------|
| b | bits | 1/8 byte |
| B | Bytes | 1 byte |
| Kb | Kilobits | 125 bytes |
| KB | Kilobytes | 1,024 bytes |
| Mb | Megabits | 125,000 bytes |
| MB | Megabytes | 1,048,576 bytes |
| Gb | Gigabits | 125,000,000 bytes |
| GB | Gigabytes | 1,073,741,824 bytes |

Traffic Pattern Analysis
#### Normal Traffic Patterns
- Consistent low-level background traffic
- Periodic spikes during business hours
- Regular backup or sync operations
#### Suspicious Traffic Patterns
- Unusually high bandwidth usage
- Connections to unknown external hosts
- Traffic on unexpected ports
- Sustained high outbound traffic

Performance Metrics
#### Key Metrics to Monitor
| Metric | Normal Range | Concern Level | Action Required |
|--------|-------------|---------------|-----------------|
| Peak bandwidth usage | < 70% of capacity | > 90% | Investigate high usage |
| Connection count | Varies by service | Sudden spikes | Check for attacks |
| External connections | Expected services | Unknown hosts | Security review |
| Port usage | Standard services | Non-standard ports | Verify legitimacy |

Troubleshooting Common Issues
Permission Issues
```bash
# Error: Operation not permitted
sudo iftop

# Alternative: Add user to appropriate group
sudo usermod -a -G pcap username
```
Interface Detection Problems
```bash
# List available interfaces
ip link show
ifconfig -a

# Specify correct interface
sudo iftop -i enp0s3
```
High CPU Usage
```bash
# Reduce update frequency
sudo iftop -i eth0 -t -s 10

# Limit connections displayed
sudo iftop -L 50
```
Memory Issues
```bash
# Use text mode for lower memory usage
sudo iftop -t -i eth0

# Limit history
sudo iftop -i eth0 -s 5
```
Integration with Other Tools
Combining with Other Network Tools
#### iftop with tcpdump
```bash
# Capture packets while monitoring bandwidth
sudo tcpdump -i eth0 -w capture.pcap &
sudo iftop -i eth0
```
#### iftop with netstat
```bash
# Monitor connections and bandwidth simultaneously
sudo netstat -tuln > connections.txt &
sudo iftop -t -s 60 > bandwidth.txt
```
#### Automated Monitoring Script
```bash
#!/bin/bash
# monitor_network.sh
# Run as root (for example from root's crontab): the redirections to
# $LOGFILE are performed by this shell, not by sudo.
INTERFACE="eth0"
DURATION=300
LOGFILE="/var/log/network_monitor.log"

echo "Starting network monitoring at $(date)" >> "$LOGFILE"
sudo iftop -i "$INTERFACE" -t -s "$DURATION" >> "$LOGFILE" 2>&1
echo "Network monitoring completed at $(date)" >> "$LOGFILE"
```
Log Analysis
#### Parse iftop Text Output
```bash
# Extract top bandwidth users (field 4 is the 2-second rate; sort -h orders unit suffixes such as Kb and Mb)
sudo iftop -t -s 60 | grep "=>" | sort -k4,4 -hr | head -10

# Monitor specific time period
sudo iftop -t -s 3600 | tee hourly_bandwidth.log
```
Security Considerations
Network Security Monitoring
#### Detect Data Exfiltration
```bash
# Monitor large outbound transfers
sudo iftop -f "dst net not 192.168.0.0/16" -B -o 2s
```
#### Identify Suspicious Connections
```bash
# Monitor non-standard ports
sudo iftop -f "not port 80 and not port 443 and not port 22" -P -n
```
Privacy and Compliance
#### Considerations for Production Use
- Ensure compliance with privacy policies
- Limit access to authorized personnel
- Implement proper logging and audit trails
- Consider data retention policies

Best Practices
Monitoring Guidelines
#### Regular Monitoring Tasks
1. Establish baseline network usage patterns
2. Set up automated monitoring during peak hours
3. Create alerts for unusual traffic patterns
4. Document normal vs. abnormal traffic flows
5. Regular review of top bandwidth consumers
#### Performance Optimization
1. Use text mode for automated monitoring
2. Implement appropriate filters to reduce noise
3. Monitor during different time periods
4. Combine with other monitoring tools
5. Regular cleanup of log files
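
Text-mode output can feed the alerts these lists call for. The following is an added example, not part of the original page or of iftop itself: it parses one `iftop -t -n` report and prints the flows whose 40-second average send rate to a non-private peer exceeds a limit. The sample report is constructed, and `sample_report`, `flag_outbound` and the two-line `=>`/`<=` report layout it expects are assumptions of this example.

```bash
#!/bin/sh
# Added example: flag sustained outbound flows in `iftop -t -n` text output.

# Constructed sample report; addresses are private and documentation ranges.
sample_report() {
cat <<'EOF'
   # Host name (port/service if enabled)       last 2s   last 10s   last 40s cumulative
---------------------------------------------------------------------------------------
   1 192.168.1.100                       =>     7.50Mb      800Kb      600Kb     3.00MB
     203.0.113.7                         <=      240Kb      160Kb      120Kb      600KB
   2 192.168.1.23                        =>     9.50Mb     9.10Mb     8.70Mb     43.5MB
     198.51.100.42                       <=     12.0Kb     11.0Kb     10.5Kb     52.5KB
   3 192.168.1.100                       =>     5.80Mb     6.10Mb     6.00Mb     30.0MB
     192.168.1.5                         <=      800Kb     1.00Mb     1.20Mb     6.00MB
---------------------------------------------------------------------------------------
Total send rate:                               22.8Mb     16.0Mb     15.3Mb
EOF
}

# flag_outbound LIMIT_BITS_PER_SEC
# Reads a report on stdin and prints "source peer bits_per_sec" for each flow
# whose 40-second average send rate to a non-private peer exceeds the limit.
flag_outbound() {
  awk -v limit="$1" '
    # "8.70Mb" -> 8700000, using the page unit table (Kb = 1,000 bits)
    function bits(v,    n, u) {
      n = v + 0; u = v; gsub(/[0-9.]/, "", u)
      if (u ~ /^K/) n *= 1e3
      else if (u ~ /^M/) n *= 1e6
      else if (u ~ /^G/) n *= 1e9
      return n
    }
    # RFC 1918 and loopback IPv4 only; hostnames and IPv6 count as external
    function internal(ip) {
      return ip ~ /^(10|127)\./ || ip ~ /^192\.168\./ ||
             ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    # Sender line: index, host, "=>", 2s, 10s, 40s, cumulative
    $3 == "=>" { src = $2; rate = bits($6); next }
    # Peer line: host, "<=", 2s, 10s, 40s, cumulative
    $2 == "<=" && src != "" {
      if (!internal($1) && rate > limit)
        printf "%s %s %.0f\n", src, $1, rate
      src = ""
    }'
}

sample_report | flag_outbound 5000000   # prints: 192.168.1.23 198.51.100.42 8700000
```

The 2-second burst in flow 1 and the internal transfer in flow 3 are not reported, because only the 40-second column and non-private peers are considered. For live data, pipe `sudo iftop -t -n -s 40` into `flag_outbound` in place of `sample_report`.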
Documentation and Reporting
#### Creating Network Usage Reports
```bash
#!/bin/bash
# generate_network_report.sh
DATE=$(date +%Y%m%d)
REPORT_DIR="/var/log/network_reports"
INTERFACE="eth0"

mkdir -p "$REPORT_DIR"

# Generate hourly report
sudo iftop -i "$INTERFACE" -t -s 3600 > "$REPORT_DIR/network_usage_$DATE.log"

# Extract summary statistics
echo "Network Usage Summary for $DATE" > "$REPORT_DIR/summary_$DATE.txt"
echo "=================================" >> "$REPORT_DIR/summary_$DATE.txt"
tail -n 10 "$REPORT_DIR/network_usage_$DATE.log" >> "$REPORT_DIR/summary_$DATE.txt"
```
Limitations and Alternatives
iftop Limitations
| Limitation | Description | Workaround |
|------------|-------------|------------|
| Root privileges required | Needs packet capture permissions | Use sudo or appropriate groups |
| Single interface focus | Cannot monitor multiple interfaces simultaneously | Run multiple instances |
| No historical data | Real-time monitoring only | Use with logging solutions |
| Limited filtering options | Basic filter expressions | Combine with other tools |
| Performance impact | Can affect system performance | Use text mode for automation |

Alternative Tools
| Tool | Strengths | Use Case |
|------|-----------|----------|
| nethogs | Process-specific monitoring | Identify which processes use bandwidth |
| nload | Simple interface monitoring | Quick bandwidth overview |
| vnstat | Historical data collection | Long-term usage statistics |
| ntopng | Web-based interface | Enterprise monitoring |
| bandwhich | Modern Rust-based tool | Process and connection monitoring |

iftop remains an essential tool for real-time network monitoring, providing immediate insights into network usage patterns and helping administrators maintain optimal network performance. Its combination of real-time monitoring capabilities, flexible filtering options, and detailed connection information makes it invaluable for network troubleshooting, capacity planning, and security monitoring tasks.