The Iftop

This article is also posted on my blog, feel free to check the latest revision: The Iftop

I frequently use ifconfig and cat /proc/net/dev to examine network information. However, today, my cloud server crashed unexpectedly. I reached out to the cloud support for assistance. The engineer utilized iftop to analyze the situation. After the issue was resolved, I started to consider using this tool. Now, let's take a closer look at this powerful utility.

For more info about /proc you can check another blog Further Understanding of Proc.

The reason why I choose the iftop is simple, if the alicloud Inc. selects the iftop, which indicates the tool is somehow suitable for general analysis and common situtation. After all, those with experience knows better.

iftop must be run with sufficient permissions to monitor all network traffic on the interface, which is root for most os.

You can refer the official docs: iftop

The display

The top part is the bar graph of the bandwidth. You can adjust it by -m parameter.

The main part of the display lists, for each pair of hosts, the rate at which data has been sent and received over the preceding 2, 10 and 40 second intervals. The direction of data flow is indicated by arrows, <= (receive) and => (send).

At the bottom of the display, various totals are shown, including total traffic transferred (after filtering), peak traffic over the last 40s, and total transfer rates averaged over 2s, 10s and 40s.

                2.00Mb          4.00Mb          6.00Mb          8.00Mb    10.0Mb
└───────────────┴───────────────┴───────────────┴───────────────┴───────────────
foo.example.com  =>  bar.example.com      1Kb  500b   100b
                 <=                       2Mb    2Mb    2Mb

TX:             cum:   43.5MB   peak:   4.21Mb  rates:   4.15Mb  4.08Mb  4.00Mb
RX:                    1.46MB            192Kb            192Kb   162Kb   136Kb
TOTAL:                 45.0MB           4.38Mb           4.34Mb  4.24Mb  4.13Mb

The options

For more options you should check the official docs, here I will list some common usage:

1. iftop -nP: -n means Don't do hostname lookups. -P means Turn on port display.
2. iftop -B: -B means Display bandwidth rates in bytes/sec.
3. iftop -l: -l means IPv6 addresses(default not include).
4. iftop -m 10M specific the maximum of the bar graph.
5. iftop -i wlan0 -f "dst port 22": -i you can specific the network interface and -f you can specific some filters. Other filters such as dst host 10.10.8.8, src port 443, dst portrange 22-23 and gateway 10.10.8.1.

The operation when running iftop

You can just press h when running iftop to check every operation.