Inspecting network usage with iftop
May 20, 2018
If you need a tool to inspect your network usage without having to wire up a proxy or install a more complex tool like Wireshark, iftop may be what you are looking for.
iftop | [-nNpblBP] [-i interface] [-f filter] [-F net/mask] [-G net6/mask6]
iftop uses the whole screen to display network usage. At the top there is a logarithmic scale which gives a visual indication of traffic, and at the bottom a summary of all packets captured.
By default, the program shows, for each pair of hosts, the rate at which data has been sent and received over the preceding 2, 10 and 40-second intervals. The arrows (=> and <=) indicate the direction of data flow. For example:
foo.example.com  =>  bar.example.com   1Kb   500b  100b
                 <=                    2Mb   2Mb   2Mb
If invoked without arguments, iftop displays information for the first interface it can find which looks like an external interface. Most of the time you may want to provide a specific interface with the
note: to find interfaces, you can use ifconfig in *nix systems, or networksetup -listallhardwareports in macOS.
iftop needs special privileges to run, which in most cases means running it as root.
Pressing l allows you to enter a POSIX extended regular expression that will be used to filter the hostnames shown in the display.
It's important to note that this happens at a much later stage than filter codes and does not affect what is actually captured; therefore, display filters don't affect the totals at the bottom of the screen.
Screen filters are good for quick, visual filtering, but if you need to track only packets transmitted under certain conditions, you can use a filter code to select the packets to count.
iftop uses pcap-formatted filters as input, and you can provide them with the -f flag, or in the app by pressing f. As a general rule, I'd recommend using the flag to prevent unexpected behavior.
note: because only IP packets are ever counted, the specified code is evaluated as "(filter code) and ip".
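The following is an added example, not code from iftop or from the original post: a small Python model of the two filter stages described above, showing that a screen filter hides rows without changing the totals and that non-IP packets are never counted. The packet tuples are constructed sample data, the filter code is modelled as a Python predicate rather than a real pcap expression, Python's re module stands in for POSIX extended regular expressions, and matching the screen filter against either hostname of a pair is an assumption of this model.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (link type, source, destination, dest port, bytes)
PACKETS = [
    ("ip",  "foo.example.com", "bar.example.com", 443,  1200),
    ("ip",  "foo.example.com", "db.example.net",  5432, 800),
    ("ip",  "foo.example.com", "bar.example.com", 80,   300),
    ("arp", "foo.example.com", "broadcast",       0,    60),
    ("ip",  "baz.example.org", "foo.example.com", 443,  500),
]


def capture(packets, filter_code):
    """Stage 1: a packet is counted only if it matches '(filter code) and ip'."""
    return [p for p in packets if filter_code(p) and p[0] == "ip"]


def view(packets, filter_code, screen_regex=None):
    """Return (rows visible on screen, total bytes shown in the summary)."""
    per_pair = defaultdict(int)
    for _, src, dst, _, size in capture(packets, filter_code):
        per_pair[(src, dst)] += size

    # The summary is computed from everything that was counted in stage 1.
    total = sum(per_pair.values())

    # Stage 2: the screen filter only hides rows; nothing is un-counted.
    if screen_regex is None:
        return dict(per_pair), total
    rx = re.compile(screen_regex)
    rows = {pair: size for pair, size in per_pair.items()
            if rx.search(pair[0]) or rx.search(pair[1])}
    return rows, total


if __name__ == "__main__":
    everything = lambda p: True          # no filter code given
    https_only = lambda p: p[3] == 443   # stands in for a "port 443" filter code

    for label, args in [("no filters", (everything,)),
                        ("screen filter", (everything, r"bar\.example")),
                        ("filter code", (https_only,))]:
        rows, total = view(PACKETS, *args)
        print(f"{label}: rows={rows} total={total}")
```
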
You can also use a set of pre-defined sort methods to order the data presented in the view by pressing one of these keys:
1/2/3 - sort by 1st/2nd/3rd column (2, 10 and 40-second intervals)
< - sort by source name
> - sort by dest name
o - freeze current order
You can enable text mode with the -t flag. In text mode, the output is printed to STDOUT at intervals.