DEV Community

Roberto Dip
Roberto Dip

Posted on • Originally published at monades.roperzh.com on

Weekly Command: inspecting network usage with iftop

iftop-overview

If you need a tool to inspect your network usage, without having to wire a proxy or install a more complex tool like Wireshark, iftop may be what are you looking for.

The basics

iftop | [-nNpblBP] [-i interface] [-f filter] [-F net/mask] [-G net6/mask6]
Enter fullscreen mode Exit fullscreen mode

When running, iftop uses the whole screen to display network usage. At the top there’s is a logarithmic scale which gives a visual indication of traffic, and at the bottom a summary with information of all packages captured.

By default, the program shows for each pair of hosts, the rate at which data has been sent and received over the preceding 2, 10 and 40-second intervals. The arrows (<= and =>) indicates the direction of data flow. For example:

foo.example.com => bar.example.com 1Kb 500b 100b
                 <= 2Mb 2Mb 2Mb
Enter fullscreen mode Exit fullscreen mode

If invoked without arguments, iftop displays information for the first interface it can find which looks like an external interface, most of the time you may want to provide a specific interface with the -i flag.

note: to find interfaces, you can use ifconfig in *nix systems, or networksetup -listallhardwareports in macOS.

The system needs special privileges to execute iftop, which in most cases implies running it as a root.

The program is very versatile, you can filter, sort, and even use it in text-mode if you don’t need the interactive interface.

Examples

Screen filters

l allows you to enter a POSIX extended regular expression that will be used to filter hostnames shown in the display.

It’s important to note that this happens at a much later stage than filter codes and does not affect what is actually captured, therefore, display filters DO NOT affect the totals at the bottom of the screen.

Filter codes

Screen filters are good to do a quick, visual filter, but if you only need to track packets transmitted under certain conditions, you can use a filter code to select the packets to count.

iftop uses pcap formatted filters as input, and you can provide them with the -f flag, or in the app by pressing f. As a general rule, I will always recommend using the flag to prevent unexpected behavior.

note: because only IP packets are ever counted, the specified code is evaluated as “(filter code) and ip ”.

Sorting

You can also use a set of pre-defined sort methods to order the data presented in the view by pressing one of these keys:

  • 1/2/3 - sort by 1st/2nd/3rd column (2, 10 and 40-second intervals)
  • < - sort by source name
  • > - sort by dest name
  • o - freeze current order

Text mode

You can enable text-mode with the -t flag, in text-mode the output is printed to STDOUT in intervals.

Latest comments (0)