This blog will be dedicated to Linux, Open Source and Technology news, affairs, how-tos and virtually EVERYTHING in these domains.

iftop: Display Bandwidth Usage of Interface

Posted by madhavkobal on 20/09/2009

iftop listens to network traffic on a named interface, or on the first interface it can find which looks like an external interface if none is specified, and displays a table of current bandwidth usage by pairs of hosts. iftop must be run with sufficient permissions to monitor all network traffic on the interface; see pcap(3) for more information, but on most systems this means that it must be run as root.

By default, iftop will look up the hostnames associated with addresses it finds in packets. This can cause substantial traffic of itself, and may result in a confusing display. You may wish to suppress display of DNS traffic by using filter code such as not port domain, or switch it off entirely, by using the -n option or by pressing R when the program is running.

By default, iftop counts all IP packets that pass through the filter, and the direction of the packet is determined according to the direction the packet is moving across the interface. Using the -F option it is possible to get iftop to show packets entering and leaving a given network. For example, iftop -F will analyse packets flowing in and out of the 10.* network.

Some other filter ideas:

not ether host ff:ff:ff:ff:ff:ff
Ignore ethernet broadcast packets.
port http and not host
Count web traffic only, unless it is being directed through a local web cache.
icmpHow much bandwith are users wasting trying to figure out why the network is slow?


Standard view, port display off, two lines per host pair

v0.12 screenshot

Host names hidden, source port shown, one line per host pair = network traffic by service


