IFTOP Guide: Display Network Interface Bandwidth Usage on Linux

by Ramesh Natarajan on December 29, 2008

This is a guest post written by SathiyaMoorthy.

Monitoring your network is an easy task with iftop. It shows a table of current bandwidth usage by hosts, with the pair of hosts responsible for the most traffic at the top of the list, which makes it easier to identify the hosts that cause network congestion.

Iftop output shows the data transfer rate, both for data sent and received, for the past 2 seconds, 10 seconds, and 40 seconds.

This article provides an overview of iftop, installation instructions, sample usage example and screenshots of iftop.

Overview of IFTOP

  • iftop (interface top) derives its name from the standard Unix top command. The top command displays real-time CPU usage; the iftop command displays real-time network bandwidth usage.
  • iftop displays the network usage of a specific interface on the host.
  • Using iftop you can identify which host is responsible for slowing down your network.
  • To find out which process is causing the problem, note the port number shown by iftop and use netstat -p to identify the process.
  • iftop monitors your network activity, and displays a table of current bandwidth.
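
The port-to-process lookup mentioned above, as an added example (not part of the original article). The function names proc_for_port and sample_netstat are hypothetical, the netstat text is constructed, and the extra netstat flags -t, -u and -n (TCP, UDP, numeric output) are an assumption beyond the -p the article names.

```shell
#!/bin/sh
# Added example: map a port noted in iftop to the owning process.
# Reads `netstat -tunp` style text on stdin; prints one line per matching socket.
proc_for_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            # The port is the text after the last ":" (also true for IPv6).
            n = split($4, l, ":"); m = split($5, r, ":")
            if (l[n] != port && r[m] != port) next
            # PID/Program name is the first "digits/" field from column 6 on;
            # UDP rows often have no State column, and netstat prints "-"
            # when the caller may not see the owner (not run as root).
            owner = "unknown"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) {
                    owner = $i
                    for (j = i + 1; j <= NF; j++) owner = owner " " $j
                    break
                }
            print $1, $4, "->", $5, owner
        }'
}

# Constructed sample output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.111:22        192.168.1.50:51514      ESTABLISHED -
tcp        0      0 192.168.1.111:45678     203.0.113.10:443        ESTABLISHED 2345/firefox
udp        0      0 192.168.1.111:68        192.168.1.1:67                      789/dhclient
tcp6       0      0 ::1:631                 ::1:40022               ESTABLISHED 456/cupsd
EOF
}

# Demo on the sample; on a live host: netstat -tunp | proc_for_port 443
sample_netstat | proc_for_port 443
```

An owner of "unknown" means netstat was not allowed to see the process; run it as root to get the PID and program name.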

Download iftop

Download the source code from the iftop website.

# cd /usr/src
# wget http://www.ex-parrot.com/~pdw/iftop/download/iftop-0.17.tar.gz

Install iftop

# cd /usr/src
# gzip -d iftop-0.17.tar.gz
# tar xvf iftop-0.17.tar
# cd iftop-0.17

# ./configure
# make
# make install


Note: If you get “can’t find pcap.h” or “ncurses mvchgat” error message, please see the troubleshooting section below on how to fix that issue.

If you prefer to install it from binaries, please visit the iftop website to download the binaries.

iftop Usage

The default iftop command displays the bandwidth usage of the first ethernet device.

# iftop


You can also specify a particular interface with the -i option as shown below.

# iftop -i eth0


While iftop is running, you can press any one of the following keys to display more output.

S - display source port
D - display destination port
n - show IP instead of host name
1/2/3 - sort by the specified column
< - sort by source name
> - sort by dest name
P - pause display (otherwise it is updated continuously to show the current status)
j/k - scroll display
? - for help


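If you execute iftop from a non-root account, you will get the following error message, because opening the interface for packet capture (pcap_open_live) is not permitted for that account.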

$ /usr/sbin/iftop -i eth0
interface: eth0
IP address is: 192.168.1.111
MAC address is: 00:44:ab:ab:10:11
pcap_open_live(eth0): socket: Operation not permitted

iftop configuration files

~/.iftoprc is the default configuration file for iftop. Each line of the file has the form name: value.

If you set port-display to on as shown below, iftop will display the ports by default.

# cat ~/.iftoprc
port-display: on

iftop Screenshots

[iftop Screenshot]
Fig: Screenshot of iftop


Troubleshooting iftop Issues

Issue 1: While installing iftop from source, executing ./configure gives the following pcap.h error message.

[root@localhost iftop-0.17]# ./configure
 checking gethostbyaddr_r usability... yes

checking where to find pcap.h... no idea
configure: error: can't find pcap.h
  You're not going to get very far without libpcap.

Solution 1: Make sure libpcap and libpcap-devel are installed. If not, install them as shown below.

# up2date -i libpcap libpcap-devel
Installing...
   1:libpcap          ######################### [100%]
   2:libpcap-devel  ######################### [100%]

# rpm -qa | grep libpcap
libpcap-devel-0.9.4-12.el5.0.1
libpcap-0.9.4-12.el5.0.1


Issue 2: While installing iftop from source, executing ./configure gives the following ncurses/mvchgat error message.

[root@localhost iftop-0.17]# ./configure
checking for a curses library containing mvchgat... none found
configure: error: Curses! Foiled again!
  (Can't find a curses library supporting mvchgat.)
  Consider installing ncurses.

Solution 2: Make sure ncurses and ncurses-devel are installed. If not, install them as shown below.

# up2date -i ncurses ncurses-devel
Installing...
   1:ncurses          ######################### [100%]
   1:ncurses-devel  ######################### [100%]

# rpm -qa | grep ncurses
ncurses-devel-5.5-24.20060715
ncurses-5.5-24.20060715


This article was written by SathiyaMoorthy, developer of EPQA. Sathiya got impressed by the 15 Examples To Master Linux Command Line History article on this blog and became a regular reader and contributor. The Geek Stuff welcomes your tips and guest articles.


{ 15 comments… read them below or add one }

1 Wombat December 29, 2008 at 1:53 pm

Hi, thanks for the post! I’ve installed it, but as you mentioned above, I have to be root.

Advise me how to use this tool without root correctly. Thanks

2 Ajith Edassery | DollarShower December 29, 2008 at 8:32 pm

Reminds me of my first software job (1995) where we had to write a little tool on a Sun SPARC (I guess) using TCL/TK to monitor network traffic, resource utilization on the hubs. After that I never touched Unix for almost 13 years.

(I get scared looking at the screen dump :lol: but I know that it’s a monster underneath that)

3 Ramesh January 2, 2009 at 8:34 pm

@Wombat,

iftop needs root access. Probably you can use sudo from your account to execute iftop.

@Ajith,

It’s time for you to get back to Linux. :-) Find an old laptop/PC and install Ubuntu on it to get started. For you it should be very easy as you’ve used Unix earlier.

4 Felix February 22, 2009 at 4:32 pm

Thank you for this introduction to iftop. Unfortunately, there are several options listed in the help screen for which I can’t find any description, and you don’t cover them either. Namely, f – edit filter code and l – set screen filter (in the end, I figured `l’ option).

Also, I’ve been trying to figure out if it’s possible to wrap the names of source hosts. Especially, when each connection takes two lines, it is unfortunate that long host names are truncated and the second line is wasted :)

d54C165C0.access.telenet. => win2008.lan 0b 105b 26b
<= 0b 244b 61b

Last, it would be nice to list iftoprc names – they are not too obvious.

5 ndr June 3, 2009 at 2:16 am

I am using Clarkconnect 4.3 enterprise edition and have a problem installing iftop. I cannot install/update ncurses and ncurses-devel. Any idea how to update/install this?

6 Ramesh Natarajan June 4, 2009 at 12:39 am

@Felix,
Yeah. Long host names can cause some display problems. Have you tried to maximize the PuTTY/SSH-client screen and see whether that made any difference?
 
Also, I’ll try to cover the missing information on the iftop that you’ve mentioned in a separate article or FAQ later. Thanks for pointing that out.
 
@Ndr,
What kind of issues are you facing while installing ncurses and ncurses-devel? Can you please post the error message you are getting?

7 ndr June 4, 2009 at 2:06 am

I just ran apt-get install ncurses-devel and it succeeded. But this morning I tried to run iftop and got an error message like ‘cannot load shared library cap..’. I tried other commands like ‘ping’ and ‘ll’, which gave the message unknown command, and when I tried to restart, my server gave the message kernel panic :(

If we get a kernel panic, what can we do? Just reinstall the system or what?
Thanks for your reply.

8 Marko March 29, 2010 at 10:51 pm

Hi,
Is there any possibility to use the output of iftop and somehow feed it to a webpage?

9 afrodeity June 22, 2010 at 3:14 pm

I started iftop and see a lot of weird ip addresses and urls doing things. What is going on? Where are these services going? Is there a way to find out what is going on?

10 Pachantoms February 28, 2012 at 10:20 pm

Hi,
How to run iftop command only once and come out of the process.

11 Carl April 14, 2012 at 1:38 pm

Ctrl-C will break you out of the process.

12 Ramón May 30, 2012 at 8:57 am

On what Linux?

13 Kamote October 1, 2012 at 1:36 am

Hi,

I tried this tool; apparently other VLANs were not able to view their bandwidth. Is there any chance to view or monitor all VLANs? All I got to monitor is the flat VLAN.

Thanks in advance,
Kamote

14 Nobody October 25, 2012 at 4:40 am

IFTOP isn’t just linux.. you should refer to it as a UNIX utility…

15 paranoid January 26, 2013 at 8:32 pm

afrodeity June 22, 2010 at 3:14 pm

I started iftop and see a lot of weird ip addresses and urls doing things. What is going on? Where are these services going? Is there a way to find out what is going on?

I think these are bots/worms trying to probe your connection. The actual WEIRD part is my iptables isn’t dropping them and is actually sending back a response. Going to hook up Wireshark on it tomorrow, to actually confirm what this actually is. Got me paranoid :P
=====
OK, my suspicion has been confirmed, it’s bots: we-in-f147.1e100.net, found one of these probing, which is a Google bot.

Found it here : http://support.google.com/bin/answer.py?hl=en&answer=174717.
The reason my iptables didn’t drop it is because they use malformed TCP packets which just get past my firewall (related packet), cheeky bastards.
I found 2 solutions to this: block their IP ranges or bring up an iron curtain only allowing port 80 (http) & 53 (dns) traffic.

Kinda confused about what the goal of this is (other than spying), but I’m sure my residential internet does NOT belong to Google’s network.
