Inspecting network usage with iftop May 21st, 2018

If you need a tool to inspect your network usage, without having to wire a proxy or install a more complex tool like Wireshark, iftop may be what are you looking for.

iftop | [-nNpblBP] [-i interface] [-f filter] [-F net/mask] [-G net6/mask6]

When running, iftop uses the whole screen to display network usage. At the top there’s is a logarithmic scale which gives a visual indication of traffic, and at the bottom a summary with information of all packages captured.

By default, the program shows for each pair of hosts, the rate at which data has been sent and received over the preceding 2, 10 and 40-second intervals. The arrows ( <= and => ) indicates the direction of data flow. For example:

foo.example.com => bar.example.com 1Kb 500b 100b <= 2Mb 2Mb 2Mb

If invoked without arguments, iftop displays information for the first interface it can find which looks like an external interface, most of the time you may want to provide a specific interface with the -i flag.

note: to find interfaces, you can use ifconfig in *nix systems, or networksetup -listallhardwareports in macOS.

The system needs special privileges to execute iftop , which in most cases implies running it as a root.

The program is very versatile, you can filter, sort, and even use it in text-mode if you don’t need the interactive interface.

l allows you to enter a POSIX extended regular expression that will be used to filter hostnames shown in the display.

It’s important to note that this happens at a much later stage than filter codes and does not affect what is actually captured, therefore, display filters don’t affect the totals at the bottom of the screen.

Screen filters are good to do quick, visual filtering, but if you need to only track packets transmitted under certain conditions, you can use a filter code to select the packets to count.

iftop uses pcap formatted filters as input, and you can provide them with the -f flag, or in the app by pressing f . As a general rule, I’d recommend using the flag to prevent unexpected behavior.

note: because only IP packets are ever counted, the specified code is evaluated as “(filter code) and ip".

You can also use a set of pre-defined sort methods to order the data presented in the view by pressing one of these keys:

1/2/3 - sort by 1st/2nd/3rd column (2, 10 and 40-second intervals)

- sort by 1st/2nd/3rd column (2, 10 and 40-second intervals) < - sort by source name

- sort by source name > - sort by dest name

- sort by dest name o - freeze current order

You can enable text-mode with the -t flag, in text-mode the output is printed to STDOUT in intervals.