Midnight Bandwidth Troubleshooting: Why Nethogs and Iftop are Lifesavers
At 2 AM, my phone started vibrating incessantly. The Zabbix system was flashing red: Outbound traffic for the database cluster had spiked to 1Gbps, hitting the network card’s limit. Strangely, user traffic at that hour was almost zero.
Using top or htop at this point was useless. They only showed stable CPU/RAM while the network card was “screaming for help.” Commands like vnstat or nload only show total volume, but they can’t point a finger at who is sending the data.
Based on my experience managing a network for a 50-person office and a small datacenter, I’ve learned a lesson: You need tools that dive deep into individual Process IDs (PIDs) or IP connections. That’s where Nethogs and Iftop come in.
Quick Installation on Linux Distributions
These two tools are lightweight, totaling less than 2MB. You should pre-install them in your server templates for immediate use during an incident.
Ubuntu/Debian family:
sudo apt update && sudo apt install nethogs iftop -y
CentOS/RHEL/AlmaLinux family (requires the EPEL repo; on RHEL 8+ and AlmaLinux, dnf is the native tool and yum is kept as an alias):
sudo yum install epel-release -y
sudo yum install nethogs iftop -y
Nethogs – Hunting Down Bandwidth-Hungry Processes
What sets nethogs apart is that it groups traffic by Process rather than protocol. It answers the exact question: “Which script or user is hogging the network?”
Real-world Usage
Run the command with root privileges:
sudo nethogs
The interface will display several key columns:
- PID: The process identifier, so you can kill it immediately if necessary.
- USER: The account running the process (makes a compromised or misused account easy to spot).
- PROGRAM: The path to the executable (e.g., /usr/sbin/nginx).
- DEV: The interface the traffic is leaving on or arriving at.
- SENT/RECEIVED: Current upload/download rates, in KB/s by default.
In production environments, I often use additional parameters to monitor specific interfaces:
sudo nethogs eth0
Pro tip: Press the ‘m’ key while running to cycle the display from live KB/s to cumulative totals (KB, then B, then MB). In the cumulative views you see everything each process has moved since the tool was opened, which is extremely useful for catching intermittent background scripts that idle whenever you happen to look. ‘s’ and ‘r’ sort by the SENT and RECEIVED columns.
Iftop – Analyzing Traffic by IP and Port
If nethogs tells you what is running, iftop tells you where it’s going. Iftop lists the host pairs your server is exchanging traffic with, in both directions, with rates averaged over the last 2, 10 and 40 seconds.
sudo iftop -i eth0 -n -P
The -n flag disables DNS resolution (speeding up the display), and -P shows the ports.
Essential Shortcuts:
- n: Toggle DNS resolution. Keep it off to avoid the display stalling while it waits on reverse lookups.
- p: Toggle port display. Helps distinguish web traffic (443) from unusual ports.
- b: Toggle the bar graph; L switches the bar scale between linear and logarithmic.
- T: Toggle cumulative totals per connection, the iftop counterpart of nethogs’ cumulative view.
Workflow: When to Use Which Tool?
In actual operations, I always combine both in a 3-step scenario:
- Step 1: Open nethogs. Notice an rsync process consuming 50MB/s.
- Step 2: Open iftop. Discover the destination IP is a strange foreign server instead of the internal backup server.
- Step 3: Use lsof -p [PID] to see which file the process is reading, then block the IP or kill the process.
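The three steps above, as an added example that is not part of the original post: step 2 can be done from the same shell as step 1 by asking ss which remote peers the flagged PID holds, and the firewall rule for the block is composed but not executed until you have confirmed the peer. The ss output, PIDs, addresses and process names below are constructed sample data, and the column layout assumed is that of `ss -tnp` (peer address in column 5, process info last).

```sh
#!/bin/sh
# Added example, not code from the original post: map the PID that nethogs
# flagged to its remote peers with `ss -tnp`, then print the firewall rule
# that would cut the destination off. The PIDs, addresses and process names
# below are constructed sample data.

# Constructed `ss -tnp` output (on a real box, pipe `sudo ss -tnp` in instead).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:49230    203.0.113.7:873    users:(("rsync",pid=4321,fd=3))
ESTAB  0      0      10.0.0.5:22       10.0.0.9:51234     users:(("sshd",pid=1200,fd=4))
ESTAB  0      0      10.0.0.5:49231    203.0.113.7:873    users:(("rsync",pid=4321,fd=5))
ESTAB  0      0      10.0.0.5:41000    10.0.0.20:5432     users:(("postgres",pid=2200,fd=9))'

# peers_of_pid PID: read `ss -tnp` output on stdin and print the unique
# remote ip:port pairs that belong to PID. Matching "pid=PID," (with the
# trailing comma) keeps PID 432 from matching 4321. Column 5 is the peer.
peers_of_pid() {
    awk -v pid="$1" 'NR > 1 && index($0, "pid=" pid ",") { print $5 }' | sort -u
}

# block_rule IP: the iptables command that drops outbound traffic to IP.
# It is printed, not executed: confirm the peer first, then pipe it to sh.
block_rule() {
    printf 'iptables -I OUTPUT -d %s -j DROP\n' "$1"
}

# The workflow on a live server (kept as comments so the example runs offline):
#   sudo ss -tnp | peers_of_pid "$PID"     # step 2 without leaving the shell
#   sudo lsof -p "$PID"                    # step 3: what is it reading?
#   block_rule 203.0.113.7 | sudo sh       # drop the destination ...
#   sudo kill "$PID"                       # ... or stop the process outright

printf '%s\n' "$SAMPLE_SS" | peers_of_pid 4321   # prints 203.0.113.7:873
```

The rule is inserted at the top of OUTPUT so it wins over any existing ACCEPT; it is also not persistent, which is what you want during an incident: it disappears on reboot unless you deliberately save it.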
Real-world Office Scenario
Once, the office network suddenly slowed down, with pings hitting 500ms. I SSH’d into the Gateway, ran nethogs, and immediately saw a workstation pushing 10MB/s to Dropbox. It took only 20 seconds to identify the specific employee’s IP without digging through complex firewall logs.
Notes on Periodic Monitoring
If you want to save the history for later auditing, you can run nethogs in trace mode, which prints a fresh block of per-process rates on every refresh instead of redrawing the screen:
sudo nethogs -t > network_debug.log
Be careful: the log grows by one block per refresh (every second by default; the -d option raises the interval), so it gets large quickly. Only enable it when you are actively debugging a specific issue.
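Because each refresh is a separate snapshot, a process that only bursts every few minutes is easy to miss on a live screen but easy to find in the log once the snapshots are aggregated. The following is an added example, not code from the original post: it summarises a trace log per process, reporting peak rate, average rate and how many snapshots the process appeared in. It assumes the trace-mode line format program/pid/uid, a tab, sent, a tab, received, with rates in the default KB/s view; the sample log is constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from the original post: summarise a `nethogs -t`
# log so intermittent senders stand out. Assumes the trace-mode line format
#   program/pid/uid<TAB>sent<TAB>received
# with rates in KB/s (the default view), one block per "Refreshing:" header.
# The sample log below is constructed, not captured.

sample_log() {
    printf 'Refreshing:\n'
    printf '/usr/bin/rsync/4321/1000\t51200.0\t12.5\n'
    printf 'sshd: root@pts/0/1200/0\t0.2\t0.3\n'
    printf 'unknown TCP/0/0\t0\t0\n'
    printf '\nRefreshing:\n'
    printf '/usr/bin/rsync/4321/1000\t48000.0\t10.0\n'
    printf '/usr/bin/python3/5555/1001\t900.0\t1.0\n'
    printf 'sshd: root@pts/0/1200/0\t0.1\t0.2\n'
    printf 'unknown TCP/0/0\t0\t0\n'
    printf '\nRefreshing:\n'
    printf '/usr/bin/rsync/4321/1000\t52000.0\t11.0\n'
    printf 'sshd: root@pts/0/1200/0\t0.3\t0.1\n'
    printf 'unknown TCP/0/0\t0\t0\n'
}

# top_senders: read a trace-mode log on stdin and print, per process,
#   pid<TAB>program<TAB>peak_sent<TAB>avg_sent<TAB>samples
# sorted by peak sent rate. A high peak with few samples is exactly the
# intermittent background script a single live screen would miss.
# pid and uid are the last two "/"-separated fields, so program names that
# themselves contain "/" (sshd: root@pts/0) are handled correctly.
top_senders() {
    awk -F '\t' '
        NF == 3 {
            n = split($1, f, "/")
            pid = f[n - 1]; uid = f[n]
            name = substr($1, 1, length($1) - length("/" pid "/" uid))
            sent = $2 + 0
            if (!($1 in cnt) || sent > peak[$1]) peak[$1] = sent
            sum[$1] += sent; cnt[$1]++
            pids[$1] = pid; names[$1] = name
        }
        END {
            for (k in cnt)
                printf "%s\t%s\t%.1f\t%.1f\t%d\n",
                       pids[k], names[k], peak[k], sum[k] / cnt[k], cnt[k]
        }' | sort -t "$(printf '\t')" -k3,3nr
}

sample_log | top_senders
```

Against a real capture, run `top_senders < network_debug.log`. Lines attributed to "unknown TCP" or "unknown UDP" with PID 0 are traffic nethogs could not tie to a local process (forwarded or very short-lived connections); for those, iftop is the tool that names the endpoints.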
Mastering nethogs and iftop is like having a microscope for your network card. I hope these insights from the “front lines” help keep your systems running smoothly.

