Monades

Weekly Command: inspecting network usage with iftop

May 21st, 2018 weekly-command xnix

iftop-overview

If you need a tool to inspect your network usage, without having to wire a proxy or install a more complex tool like Wireshark, iftop may be what are you looking for.

The basics

iftop | [-nNpblBP] [-i interface] [-f filter] [-F net/mask] [-G net6/mask6]

When running, iftop uses the whole screen to display network usage. At the top there’s is a logarithmic scale which gives a visual indication of traffic, and at the bottom a summary with information of all packages captured.

By default, the program shows for each pair of hosts, the rate at which data has been sent and received over the preceding 2, 10 and 40-second intervals. The arrows (<= and =>) indicates the direction of data flow. For example:

foo.example.com  =>  bar.example.com      1Kb  500b   100b
                 <=                       2Mb  2Mb    2Mb

If invoked without arguments, iftop displays information for the first interface it can find which looks like an external interface, most of the time you may want to provide a specific interface with the -i flag.

note: to find interfaces, you can use ifconfig in *nix systems, or networksetup -listallhardwareports in macOS.

The system needs special privileges to execute iftop, which in most cases implies running it as a root.

The program is very versatile, you can filter, sort, and even use it in text-mode if you don’t need the interactive interface.

Examples

Screen filters

l allows you to enter a POSIX extended regular expression that will be used to filter hostnames shown in the display.

It’s important to note that this happens at a much later stage than filter codes and does not affect what is actually captured, therefore, display filters don’t affect the totals at the bottom of the screen.

Filter codes

Screen filters are good to do quick, visual filtering, but if you need to only track packets transmitted under certain conditions, you can use a filter code to select the packets to count.

iftop uses pcap formatted filters as input, and you can provide them with the -f flag, or in the app by pressing f. As a general rule, I’d recommend using the flag to prevent unexpected behavior.

note: because only IP packets are ever counted, the specified code is evaluated as “(filter code) and ip”.

Sorting

You can also use a set of pre-defined sort methods to order the data presented in the view by pressing one of these keys:

Text mode

You can enable text-mode with the -t flag, in text-mode the output is printed to STDOUT in intervals.



Subscribe

I try to post once a week interesting stuff about programming, *nix, and the web. If you’d like to be notified when a new post goes out, you can subscribe with the form below.


Roberto Dip