iftop Command Linux: Monitor Network Traffic and Display Bandwidth Usage by Connection

The iftop command is a powerful network monitoring tool in Linux that displays real-time bandwidth usage by network connections. Similar to how the top command shows process activity, iftop provides a live view of network traffic flowing through your system’s network interfaces. This tool is essential for system administrators and network engineers who need to monitor network performance, identify bandwidth-heavy connections, and troubleshoot network issues.

What is iftop Command?

iftop stands for “Interface TOP” and is a command-line utility that displays bandwidth usage on an interface by host. It listens to network traffic on a specific interface and displays a table of current bandwidth usage by pairs of hosts. The tool provides real-time updates and can help identify which connections are consuming the most bandwidth.

Key Features of iftop

  • Real-time monitoring: Displays live network traffic statistics
  • Connection-based view: Shows traffic between specific host pairs
  • Multiple time scales: Displays 2s, 10s, and 40s averages
  • Port resolution: Can display service names instead of port numbers
  • Filtering capabilities: Supports traffic filtering using expressions
  • Interactive controls: Allows sorting and filtering during runtime

Installing iftop on Linux

Before using iftop, you need to install it on your system. The installation method varies depending on your Linux distribution:

Ubuntu/Debian

sudo apt update
sudo apt install iftop

CentOS/RHEL/Fedora

# For CentOS/RHEL 7/8
sudo yum install iftop

# For CentOS/RHEL 9 and Fedora
sudo dnf install iftop

Arch Linux

sudo pacman -S iftop

Basic iftop Command Syntax

The basic syntax for the iftop command is:

iftop [options] [-i interface] [-f filter]

Note: iftop requires root privileges to monitor network interfaces, so you’ll typically need to use sudo.

Understanding iftop Output

When you run iftop, it displays a screen with several sections:

Main Display

The main area shows active connections with the following columns:

  • Source → Destination: Shows the connection direction
  • 2s, 10s, 40s columns: Display bandwidth usage averages
  • TX (Transmit): Data being sent
  • RX (Receive): Data being received
  • TOTAL: Combined TX and RX traffic

Bottom Statistics

The bottom section displays cumulative statistics:

  • Peak: Maximum bandwidth observed
  • Rates: Current TX, RX, and TOTAL rates
  • Cumulative: Total data transferred since iftop started

Common iftop Command Examples

Example 1: Basic Network Monitoring

To start monitoring the default network interface:

sudo iftop

Sample Output:

                    12.5Kb  25.0Kb  37.5Kb  50.0Kb  62.5Kb
┌─────────────────────────────────────────────────────────
192.168.1.100                => 8.8.8.8                    1.20Kb  2.10Kb  1.85Kb
                              <=                           856b   1.45Kb  1.23Kb
192.168.1.100                => 142.250.191.78             2.45Kb  3.20Kb  2.80Kb
                              <=                           1.80Kb  2.90Kb  2.15Kb
server.local                 => 192.168.1.50               890b   1.10Kb   950b
                              <=                           1.20Kb  1.60Kb  1.35Kb
─────────────────────────────────────────────────────────
TX:             cum:   125KB   rates:   4.55Kb  6.40Kb  5.58Kb
RX:                    98.5KB           3.86Kb  5.95Kb  4.73Kb
TOTAL:                 224KB            8.41Kb 12.35Kb 10.31Kb

Example 2: Monitor Specific Interface

To monitor a specific network interface (e.g., eth0):

sudo iftop -i eth0

Example 3: Display Port Numbers

To show the port at each end of a connection, use -P. Ports are resolved to service names by default, so add -N to keep them numeric:

sudo iftop -P -N

Sample Output:

192.168.1.100:52847          => 8.8.8.8:53                 1.20Kb  2.10Kb  1.85Kb
                              <=                           856b   1.45Kb  1.23Kb
192.168.1.100:443            => 142.250.191.78:443         2.45Kb  3.20Kb  2.80Kb
                              <=                           1.80Kb  2.90Kb  2.15Kb

Example 4: Filter Traffic by Host

To monitor traffic to/from a specific host:

sudo iftop -f "host 8.8.8.8"

Example 5: Filter by Port

To monitor only HTTP traffic (port 80):

sudo iftop -f "port 80"

Example 6: Monitor Without DNS Resolution

To disable DNS lookups for faster display:

sudo iftop -n

Advanced iftop Options

Command Line Options

Option         Description
-i interface   Specify network interface to monitor
-P             Turn on port display (show ports as well as hosts)
-n             Don’t resolve hostnames
-N             Don’t resolve port numbers to service names
-p             Run in promiscuous mode
-b             Don’t display bar graphs of traffic
-B             Display bandwidth in bytes/sec instead of bits/sec
-a             Use bytes for bandwidth display
-F net/mask    Show traffic flowing in/out of the given IPv4 network
-c file        Read configuration from file

Filter Expressions

iftop supports Berkeley Packet Filter (BPF) expressions for filtering traffic:

# Monitor only TCP traffic
sudo iftop -f "tcp"

# Monitor specific subnet
sudo iftop -f "net 192.168.1.0/24"

# Monitor traffic to specific port range
sudo iftop -f "portrange 80-443"

# Exclude specific host
sudo iftop -f "not host 192.168.1.1"

# Monitor only outgoing traffic
sudo iftop -f "src host 192.168.1.100"

Interactive Controls

While iftop is running, you can use various keyboard shortcuts to control the display:

Key   Action
h     Show/hide help screen
n     Toggle DNS resolution
N     Toggle port (service name) resolution
p     Toggle port display
P     Pause the display
s     Toggle display of source host
d     Toggle display of destination host
S     Toggle display of source port
D     Toggle display of destination port
t     Cycle line display mode
f     Edit filter
l     Set screen filter
L     Toggle scale (linear/log)
b     Toggle bar display
j/k   Scroll down/up
q     Quit iftop

Practical Use Cases

1. Identifying Bandwidth-Heavy Applications

Use iftop to identify which applications or connections are consuming the most bandwidth:

sudo iftop -P -n

This command shows the ports of each connection and disables DNS resolution for faster identification of services. Add -N if you want the ports shown as numbers rather than service names.

2. Monitoring Server Network Activity

For web servers, monitor HTTP and HTTPS traffic:

sudo iftop -f "port 80 or port 443"

3. Detecting Unusual Network Activity

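Monitor for connections to external hosts that might indicate security issues. The filter tests source and destination separately, because a bare "not net 192.168.0.0/16" also drops every packet this host sends or receives from its own private address:

sudo iftop -f "not ((src net 192.168.0.0/16 or src net 10.0.0.0/8) and (dst net 192.168.0.0/16 or dst net 10.0.0.0/8))"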

4. Database Server Monitoring

Monitor database connections on a MySQL server:

sudo iftop -f "port 3306"

Configuration File

You can create a configuration file to set default options for iftop. Create ~/.iftoprc with your preferred settings:

# Sample .iftoprc configuration
dns-resolution: no
port-resolution: yes
show-bars: yes
promiscuous: no
port-display: on
link-local: no
hide-source: no
hide-destination: no
sort: 2s
line-display: two-line
show-totals: yes

Troubleshooting Common Issues

Permission Denied Error

If you encounter permission errors, ensure you’re running iftop with sudo:

# Wrong
iftop

# Correct
sudo iftop

Interface Not Found

If iftop can’t find your network interface, list available interfaces first:

# List network interfaces
ip link show

# Then specify the correct interface
sudo iftop -i enp0s3

No Traffic Displayed

If no traffic appears:

  • Verify you’re monitoring the correct interface
  • Check if there’s actual network traffic
  • Try running without filters first
  • Ensure the interface is active and has traffic

Alternatives to iftop

While iftop is excellent for connection-based monitoring, consider these alternatives for different use cases:

  • nload: Simple interface bandwidth monitoring
  • vnstat: Network statistics with historical data
  • nethogs: Process-based network monitoring
  • iptraf-ng: Comprehensive network monitoring suite
  • tcptrack: TCP connection monitoring

Best Practices

1. Regular Monitoring

Set up regular monitoring sessions to establish baseline network behavior:

# Monitor for 5 minutes and save output
sudo iftop -t -s 300 > network_baseline.txt

2. Use Appropriate Filters

Apply filters to focus on relevant traffic and reduce noise:

# Focus on external traffic only (drop flows where both ends are inside 192.168.0.0/16)
sudo iftop -f "not (src net 192.168.0.0/16 and dst net 192.168.0.0/16)"

3. Combine with Other Tools

Use iftop alongside other monitoring tools for comprehensive analysis:

# Run iftop in one terminal
sudo iftop

# Monitor processes in another terminal
sudo nethogs

4. Document Unusual Patterns

Keep records of unusual network patterns for security analysis and capacity planning.
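
One way to put the baseline file to use, as an added example that is not part of the original article: the script below compares a later text-mode capture against the baseline and lists hosts that appear only in the newer one, with their peak 40s rate. The function names iftop_hosts and new_hosts, the sample captures, and the K=1024 unit scaling are assumptions; check the column layout against the output of your own iftop version.

```shell
#!/bin/sh
# Added example: list hosts seen in a newer "iftop -t" capture but not in the
# baseline. Function names, sample data and the K=1024 scaling are assumptions.

# Print "host bits_per_sec" (peak 40s average) for every line with => or <=.
iftop_hosts() {
    awk '
    function bps(v,    n, u) {               # "2.00Kb" -> 2048
        n = v + 0; u = v; gsub(/[0-9.]/, "", u)
        if (u ~ /^K/) n *= 1024
        else if (u ~ /^M/) n *= 1048576
        else if (u ~ /^G/) n *= 1073741824
        if (u ~ /B$/) n *= 8                 # -B captures are in bytes/s
        return int(n)
    }
    {
        for (i = 2; i <= NF - 3; i++)
            if ($i == "=>" || $i == "<=") {
                h = $(i - 1); r = bps($(i + 3))   # third rate column = 40s
                if (!(h in peak) || r > peak[h]) peak[h] = r
            }
    }
    END { for (h in peak) print h, peak[h] }' "$1" | sort
}

# new_hosts BASELINE CURRENT [MIN_BPS]: hosts only in CURRENT, at or above MIN_BPS.
new_hosts() {
    known=$(iftop_hosts "$1" | cut -d' ' -f1)
    iftop_hosts "$2" | while read -r host rate; do
        [ "$rate" -ge "${3:-0}" ] || continue
        printf '%s\n' "$known" | grep -qxF -- "$host" || echo "$host $rate"
    done
}

# Constructed sample captures (not real traffic), in iftop text-mode layout.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/baseline.txt" <<'EOF'
   1 192.168.1.100     =>     1.20Kb     2.10Kb     2.00Kb     4.50KB
     8.8.8.8           <=       856b     1.45Kb     1.00Kb     3.10KB
EOF
cat > "$SAMPLE_DIR/current.txt" <<'EOF'
   1 192.168.1.100     =>     1.20Kb     2.10Kb     2.00Kb     4.50KB
     8.8.8.8           <=       856b     1.45Kb     1.00Kb     3.10KB
   2 192.168.1.100     =>     1.10Mb     1.40Mb     1.50Mb     7.20MB
     203.0.113.25      <=     10.0Kb     12.0Kb     11.0Kb     55.0KB
   3 192.168.1.100     =>       100b       200b       512b     1.00KB
     198.51.100.7      <=       100b       200b       256b     1.00KB
EOF
new_hosts "$SAMPLE_DIR/baseline.txt" "$SAMPLE_DIR/current.txt" 1000
```

Capture both files with -n and -N (for example sudo iftop -t -n -N -s 300) so that hosts are compared by address rather than by names that may resolve differently between runs.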

Security Considerations

When using iftop for network monitoring:

  • Privileged access: iftop requires root privileges, so ensure proper access controls
  • Data sensitivity: Network traffic data can be sensitive; protect logs appropriately
  • Promiscuous mode: Use promiscuous mode carefully as it can capture all network traffic
  • Compliance: Ensure monitoring activities comply with organizational policies and regulations

Conclusion

The iftop command is an invaluable tool for Linux system administrators and network engineers who need real-time visibility into network traffic patterns. Its ability to display bandwidth usage by connection makes it particularly useful for identifying performance bottlenecks, monitoring application behavior, and troubleshooting network issues.

By mastering iftop’s various options, filters, and interactive controls, you can effectively monitor network performance and make informed decisions about network optimization and security. Whether you’re managing a single server or a complex network infrastructure, iftop provides the real-time insights needed to maintain optimal network performance.

Remember to combine iftop with other monitoring tools and establish regular monitoring practices to get the most value from your network monitoring efforts. With its powerful filtering capabilities and real-time display, iftop remains one of the most essential tools in the Linux administrator’s toolkit.