
Linux.com

Feature: System Administration

Keeping tabs on your network traffic

By Shashank Sharma on December 01, 2008 (8:00:00 PM)


One of the first things I do upon installing a Linux distribution is put the Network Monitor applet on my GNOME panel. Watching the blue lights twinkle on and off makes me aware of network traffic. But if you want more details about what's happening on your network, such as which application is hogging bandwidth or what each network interface is up to, you can turn to specialty tools like NetHogs and IPTraf. While NetHogs is a unique tool altogether, IPTraf can be used on a server as well as by a home user.

NetHogs

Unlike most bandwidth monitoring tools, which display network usage per IP address or per protocol, NetHogs monitors the network and presents bandwidth usage per application. Thus you can see how much bandwidth the RSS aggregator, browser, software updater, and even IRC and IM clients are using.

NetHogs is available through the software repositories for most distributions, or you can download the compressed tarball and install from source. When it's installed, open a terminal, switch to the root user, and type nethogs. You should see each application name and its PID along with how much data it has sent and received, similar to the output of the top command. The information is updated in real time, so you don't have to relaunch nethogs every time you launch a new application.

By default the refresh rate is 1 second, but you can change it to anything you like with the -d command option. Also by default, the transfer rate is shown in KBps (kilobytes per second), but this too can be changed. While nethogs is running, press the m key to cycle through the available options for displaying the data transfer. The options are KBps, Bps, and MBps.

IPTraf

While NetHogs is a simple tool with a single function, there are many monitoring tools, graphical and command-line, with an exhaustive list of features. If you want to contrast its simplicity with a tool that offers statistics on your network usage for each network interface and is easy to use, consider IPTraf.

IPTraf is an ncurses-based utility with a feature list so extensive, it's nearly impossible to list all it does. Its About page lists the features and other useful information about it.

Like NetHogs, IPTraf is available through the software repositories of many distributions, and can be installed using yum or apt-get or via the source tarball. Also like NetHogs, IPTraf requires super-user privileges to observe your network.

When you run IPTraf without any command options, you'll be greeted with a menu-driven interface. You can navigate through the interface using the arrow keys to move up and down, and the Enter key to select an item from the menu. The menu entries are all self-explanatory; if you wish to view the IP traffic, select IP traffic monitor, then select your interface card from the list if you want to view the traffic for a single interface.

You can configure IPTraf from its Configure menu. If all the configurable options seem confusing, refer to the online IPTraf manual for a quick course on what each of these options means. Some of the options are Reverse DNS Lookup, which causes IPTraf to find out the names of the hosts with the IP addresses in the packets; logging; and promiscuous mode, which ensures that all traffic is captured. To change an option, scroll down to it using the down arrow key and press Enter. For instance, you can enable logging this way, and see the logging setting change from Off to On under the Current Settings heading on the right. After that, when you select IP traffic monitor and an interface, you will be asked to specify a file where the log will be stored. By default, logs are stored in the /var/log/iptraf directory. Each entry in the log file consists of (in this order):

Time stamp: month, day, time, year
Protocol: TCP, UDP, etc.
Interface: eth0, eth1, localhost, etc.
Packet size in bytes
Addresses: The for and from keywords denote whether the address is a destination or a source address. It can be either an IP or a MAC address.

When you run the IP traffic monitor, among the other details, IPTraf also informs you of the flag status for each TCP packet it intercepts. These flags can reveal details such as which side initiated the connection, and when the connection is closed or reset.
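
To show what the log fields and the TCP flag information described above are good for, here is an added example (not part of the original article or of IPTraf) that totals bytes per sending host and lists which side opened a connection. It assumes the fields appear in the order listed above, separated by "; ", with an optional trailing note that carries the flag; the sample lines are constructed, so compare the pattern against your own log before relying on it.

```python
import re
from collections import Counter

# Constructed sample, not real traffic. Assumed layout: the fields in the order
# the article lists, separated by "; ", with an optional trailing note.
SAMPLE_LOG = """\
Mon Dec  1 20:00:00 2008; ******** IP traffic monitor started ********
Mon Dec  1 20:00:01 2008; TCP; eth0; 60 bytes; from 192.0.2.10:40112 to 198.51.100.7:80; first packet (SYN)
Mon Dec  1 20:00:01 2008; TCP; eth0; 1500 bytes; from 198.51.100.7:80 to 192.0.2.10:40112
Mon Dec  1 20:00:02 2008; UDP; eth0; 76 bytes; from 192.0.2.10:5353 to 203.0.113.53:53
Mon Dec  1 20:00:03 2008; ARP; eth0; 42 bytes; from 00:16:3e:aa:bb:cc to ff:ff:ff:ff:ff:ff
"""

ENTRY = re.compile(
    r"^(?P<ts>[^;]+); (?P<proto>[^;]+); (?P<iface>[^;]+); (?P<size>\d+) bytes; "
    r"from (?P<src>\S+) to (?P<dst>[^;\s]+)(?:; (?P<note>.*))?$"
)
IP_PORT = re.compile(r"(\d+(?:\.\d+){3})(?::\d+)?")

def parse(text):
    """Return one dict per recognised entry; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records

def host_of(addr):
    """Strip the port from an IPv4 address; keep MAC addresses whole."""
    m = IP_PORT.fullmatch(addr)
    return m.group(1) if m else addr

def bytes_by_source(records):
    """Total bytes seen per sending host."""
    totals = Counter()
    for r in records:
        totals[host_of(r["src"])] += r["size"]
    return totals

def initiators(records):
    """(source, destination) of entries whose note marks a SYN."""
    return [(r["src"], r["dst"]) for r in records if "SYN" in (r["note"] or "")]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for host, total in bytes_by_source(recs).most_common():
        print(f"{host:20} {total:8d} bytes")
    print("opened by:", initiators(recs))
```

Lines that do not match the assumed layout, such as the start banner in the sample, are skipped rather than counted.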

In addition to serving as a simple IP traffic monitor, you can also use IPTraf to view a statistical breakdown of your network traffic sorted by packet size or according to the TCP/UDP port. This gives you a fair idea of the network traffic to and from your machine.

Conclusion

While many tools can inform you of the data transfer for each of your network interfaces, as well as break it down per protocol, they are not all easy to use. Because IPTraf is, it remains a popular tool even three years after its most recent version was released. As for NetHogs, its strength is one that other tools in this genre have chosen to ignore: By informing users of bandwidth usage per application, it provides a crucial missing piece in the network monitoring puzzle.

Shashank Sharma specializes in writing about free and open source software for new users and moderates the Linux.com forum boards. He is the coauthor of Beginning Fedora, published by Apress.


Comments

on Keeping tabs on your network traffic

Note: Comments are owned by the poster. We are not responsible for their content.

Keeping tabs on your network traffic

Posted by: Anonymous [ip: 213.39.196.230] on December 01, 2008 08:44 PM
Ooooh, nice. Thanks a lot for nethogs. I've been using iptraf for ages but being able to "split" by application is great.
I just wish there was an easy "firewall" for that too. Per application blocking (not for security, but for some kind of controlling and muting).

#

correction for nethogs

Posted by: stovicek on December 01, 2008 11:23 PM
You may have to specify which network interface you want nethogs to monitor. It defaults to eth0. My laptop is rarely connected by wire, so I need to specify wlan0 for the wifi.

root@laptop:~# nethogs
ioctl failed while establishing local IP
root@laptop:~# nethogs wlan0

#

Keeping tabs on your network traffic

Posted by: Anonymous [ip: 98.214.233.233] on December 02, 2008 03:13 AM
I've been looking for an application like nethogs for (literally) years (granted, I haven't looked that hard). But on a regular basis, I want to know what the crap is using my network.

Thanks for the heads up!

#

Keeping tabs on your network traffic

Posted by: Anonymous [ip: 195.47.79.78] on December 02, 2008 02:45 PM
I was looking for this for a very long time, too. Thanx! I still can't believe NetHogs is the only linux tool out there doing this.

#

Keeping tabs on your network traffic

Posted by: Anonymous [ip: 121.246.78.142] on December 03, 2008 05:59 AM
Very nice article, specially nethogs is amazing. For Debian, you can install it with: apt-get install nethogs

#

Re: Keeping tabs on your network traffic

Posted by: Anonymous [ip: 206.192.231.187] on December 05, 2008 05:00 AM
You can install it in ubuntu with sudo apt-get install nethogs

#

Keeping tabs on your network traffic

Posted by: Anonymous [ip: 67.91.179.126] on December 04, 2008 03:03 PM
Has anyone come across a tool that can tell you how much data you've moved through your router on a monthly basis? For instance, to see where you are in relationship to Comcast's new traffic limits...

#

Re: Keeping tabs on your network traffic

Posted by: Anonymous [ip: 58.96.43.220] on December 04, 2008 10:55 PM
Check if ur ISP has a program that updates the amount of data gone through ur router updated from their server. or u can just install a hardware firewall between ur router and ur LAN.

#

Re: Keeping tabs on your network traffic

Posted by: Anonymous [ip: 87.65.73.66] on December 05, 2008 05:23 PM
easiest solution:
put in an iptables rule
and clear it every month (crond)

iptables -I INPUT -s ! <local_network_portion>/<netmask in CIDR format> -j ACCEPT

now you'll have a rule and its counters

do
iptables -v -L INPUT
and look at the counter

PS: you need to add this rule beforehand if you filter on it,
and this is only for incoming traffic not coming from your local lan

then put

iptables -Z in (root's) crontab file
and let it run every ...
when your ISP clears its counters

#

Keeping tabs on your network traffic

Posted by: Michael Shigorin on December 06, 2008 07:39 PM
I've settled with iftop (http://ex-parrot.com/~pdw/iftop/) after looking for quite a few years (and shortly using ifstat before iirc). Gonna have a look at nethogs too, then.
[Modified by: Michael Shigorin on December 06, 2008 07:40 PM]

#
