Nethogs

Nethogs is a command line utility for linux that displays the network bandwidth used by each application or process in realtime. It is useful in situations when a certain process uses up too much of the bandwidth and needs to be caught.

Project website

http://nethogs.sourceforge.net/

The website describes the tool as

NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process. NetHogs does not rely on a special kernel module to be loaded. If there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this. This makes it easy to indentify programs that have gone wild and are suddenly taking up your bandwidth.

Install Nethogs on Ubuntu/Debian/Mint

Debian and related distros like Ubuntu and Mint already have nethogs in their repositories so its a single step installation via the apt command.

sudo apt-get install nethogs

Install Nethogs on CentOS/Fedora

On Fedora nethogs is available in the fedora repository, so install it from yum directly.

$ sudo yum install nethogs

On CentOS the default repositories do not have nethogs, but can be installed from the epel repositories. So first enable epel repository and then use yum command like shown above.

Using Nethogs

Nethogs is quite simple to use. Just run nethogs with root privileges and it would show the bandwidth used by each process.

$ sudo nethogs

The output would be something like this

NetHogs version 0.7.0 PID USER PROGRAM DEV SENT RECEIVED 2367 enlighten/opt/google/chrome/chrome eth0 3.341 20.948 KB/sec 2196 enlighten/usr/lib/firefox-7.0.1/fire eth0 0.871 0.422 KB/sec 3723 enlighten/usr/bin/pidgin eth0 0.028 0.098 KB/sec 2206 enlighten/usr/bin/skype eth0 0.033 0.025 KB/sec 2380 enlighten/usr/lib/chromium-browser/c eth0 0.000 0.000 KB/sec 0 root unknown TCP 0.000 0.000 KB/sec TOTAL 4.274 21.493 KB/sec

It shows the PID, username, process, network interface being used, data sending speed and data receiving speed.

Other options

$ nethogs -h usage: nethogs [-V] [-b] [-d seconds] [-t] [-p] [device [device [device ...]]] -V : prints version. -d : delay for update refresh rate in seconds. default is 1. -t : tracemode. -b : bughunt mode - implies tracemode. -p : sniff in promiscious mode (not recommended). device : device(s) to monitor. default is eth0 When nethogs is running, press: q: quit m: switch between total and kb/s mode

Change the update delay

The frequency at which nethogs updates the data can be changed using the d switch. Lets say we want nethogs to update every 5 seconds, then issue the following command

$ sudo nethogs -d 5

Use specific device

Nethogs supports the option to specify the device to monitor on. For example

$ sudo nethogs eth0

If no device is specified, the nethogs monitors the default device on the system. To monitor multiple devices simply add the device names together.

$ sudo nethogs eth0 eth1

Tracemode

In trace mode it outputs the connections one by one. Check the following example.

$ sudo nethogs -t [sudo] password : Adding local address: 192.168.1.2 Ethernet link detected Waiting for first packet to arrive (see sourceforge.net bug 1019381) Refreshing: unknown TCP/0/0 0 0 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.771094 0.119922 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-64.131.72.23:80 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.781641 0.232617 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-64.131.72.23:80 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.781641 0.232617 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-64.131.72.23:80 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.781641 0.232617 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-64.131.72.23:80 Refreshing: /usr/bin/pidgin/3723/1000 0.0115234 0 /usr/lib/firefox-7.0.1/fire/2196/1000 0.0105469 0 unknown TCP/0/0 0 0 Unknown connection: 192.168.1.2:34684-64.131.72.23:80

Nethogs also supports promiscuous mode with the p flag.