Mastering iftop: Real-Time Bandwidth Usage Monitoring for Linux & macOS

In a world where network performance can make or break application reliability, having tools to monitor and analyze bandwidth usage is critical. While tools like top or htop excel at tracking system resources, they fall short when you need granular visibility into network traffic flows. Enter iftop—a powerful command-line utility that provides real-time, interactive monitoring of network bandwidth usage per connection.

Unlike aggregate tools such as vnstat, iftop focuses on individual network conversations (source-destination pairs), allowing you to quickly identify bandwidth hogs, diagnose unusual traffic patterns, and troubleshoot slow network links. Whether you’re a system administrator optimizing server performance, a developer debugging application network issues, or a power user monitoring home network activity, iftop is an indispensable addition to your toolkit.

This guide will take you from installing iftop to mastering its advanced features, including filtering, scripting, and troubleshooting common network problems. We’ll cover best practices, real-world examples, and everything you need to leverage iftop effectively.


Table of Contents

  1. Installation
    1. Debian/Ubuntu
    2. RHEL/CentOS/Fedora
    3. macOS
  2. Basic Usage: Getting Started
    1. Launching iftop
    2. Understanding the iftop Interface
  3. Key Features & Interactive Commands
    1. Interactive Navigation
    2. Packet Filtering with BPF Syntax
    3. Sorting Connections
  4. Advanced Usage
    1. Command-Line Flags for Customization
    2. Saving Output to File
    3. Scripting with iftop
  5. Common & Best Practices
  6. Troubleshooting Scenarios
    1. Identifying Bandwidth Hogs
    2. Investigating Unusual Outbound Traffic
    3. Diagnosing Port-Specific Congestion
  7. Conclusion

Installation

iftop is available for most Linux distributions and macOS. It requires root privileges to capture raw network packets, so you’ll need to use sudo for most commands.

Debian/Ubuntu

Install directly from official repositories:

sudo apt update
sudo apt install -y iftop

RHEL/CentOS/Fedora

iftop is part of the EPEL repository. First enable EPEL, then install:

# RHEL/CentOS 7
sudo yum install -y epel-release
sudo yum install -y iftop
 
# RHEL/CentOS 8+ / Fedora
# (Fedora ships iftop in its own repositories; skip the epel-release line there)
sudo dnf install -y epel-release
sudo dnf install -y iftop

macOS

Use Homebrew to install:

brew update
brew install iftop

Note: macOS may require additional permissions for iftop to access network interfaces.


Basic Usage: Getting Started

Launching iftop

Start monitoring traffic with root privileges:

sudo iftop

By default, iftop monitors the first active interface (e.g., eth0, wlan0). To specify a different interface:

sudo iftop -i wlan0

Understanding the iftop Interface

The interface is divided into three core sections:

1. Bandwidth Graph (Top)

A horizontal bar graph visualizing total bandwidth usage over 2, 10, and 40 seconds. It highlights sudden spikes or sustained high usage.

2. Connection List (Middle)

Displays active network conversations with real-time rates:

  • Source/Destination: Left/right columns show IPs/hostnames. Arrows (->, <-, <->) indicate traffic direction.
  • Bandwidth Rates: Three columns show average usage for each conversation over 2s, 10s, and 40s. Color-coded bars represent relative usage.

3. Summary Statistics (Bottom)

  • Cumulative: Total bytes transferred since launch.
  • Peak Rates: Highest bandwidth observed during the session.
  • Total Transfer: Sum of all incoming/outgoing traffic.

Key Features & Interactive Commands

Interactive Navigation

Press these keys while iftop is running to customize output:

Command   Description
q         Quit iftop
n         Toggle IP addresses (disable DNS resolution)
p         Toggle port number visibility
s         Sort connections by source address
d         Sort connections by destination address
r         Sort by current bandwidth rate (default)
f         Edit traffic filters (BPF syntax)
t         Switch to plain text mode (no ncurses)

Packet Filtering with BPF Syntax

Use Berkeley Packet Filter (BPF) syntax to narrow traffic to specific flows. Apply filters via the command line (-f) or interactively (f):

# Monitor traffic to a specific IP
sudo iftop -f "dst 192.168.1.100"
 
# Filter HTTPS traffic (port 443)
sudo iftop -f "dst port 443"
 
# Show only TCP traffic
sudo iftop -f "tcp"
 
# Exclude DNS queries (port 53)
sudo iftop -f "not port 53"

Sorting Connections

  • By Source: Press s to group traffic by source IP/hostname.
  • By Destination: Press d to focus on destination endpoints.
  • By Bandwidth: Press r to sort by current rate (default) or l to sort by total transfer.

Advanced Usage

Command-Line Flags for Customization

Flag           Description
-n             Disable DNS resolution (reduce overhead)
-P             Show port numbers by default
-m <limit>     Set bandwidth graph limit (e.g., -m 10M for 10 Mbps)
-s <seconds>   Run for a specified duration then exit
-t             Use plain text mode (ideal for SSH without X11)

Example: Monitor eth0 with IPs, ports, and a 10 Mbps graph limit:

sudo iftop -i eth0 -n -P -m 10M

Saving Output to File

Save text-mode output for post-analysis:

# Capture 60 seconds of traffic to a file
sudo iftop -t -s 60 -n -P > iftop_traffic_report.txt

Scripting with iftop

Integrate into automated monitoring scripts. Example: Alert on high bandwidth usage:

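#!/bin/bash
INTERFACE="eth0"
THRESHOLD_BPS=$((10 * 1024 * 1024))   # 10M threshold, in bits per second
ALERT_EMAIL="admin@example.com"       # placeholder: set to your alert mailbox

# Capture 10 seconds of traffic and extract the current (last 2s) send rate, e.g. "1.23Mb"
CURRENT_RATE=$(sudo iftop -t -s 10 -n -i "$INTERFACE" | grep "Total send rate:" | awk '{print $4}')

# Convert the human-readable rate to bits per second (K/M/G taken as powers of 1024)
RATE_BPS=$(awk -v r="$CURRENT_RATE" 'BEGIN { m = 1; if (r ~ /Kb$/) m = 1024; else if (r ~ /Mb$/) m = 1024 ^ 2; else if (r ~ /Gb$/) m = 1024 ^ 3; printf "%d", (r + 0) * m }')

# Compare numerically: a string comparison would rank "9M" above "10M"
if (( RATE_BPS > THRESHOLD_BPS )); then
  echo "High bandwidth alert: $CURRENT_RATE on $INTERFACE" | mail -s "Network Alert" "$ALERT_EMAIL"
fi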

Common & Best Practices

  1. Always Use Root: iftop needs raw packet access—run with sudo.
  2. Disable DNS for Busy Servers: Use -n to avoid overhead from DNS queries.
  3. Filter Strategically: Focus on specific IPs/ports to isolate issues quickly.
  4. Combine with Other Tools: Pair iftop with ss to identify processes behind high-traffic connections:
    sudo ss -tulpn | grep "<port-number>"
  5. Monitor Specific Interfaces: Servers often have multiple interfaces—specify -i to avoid missing critical traffic.
  6. Save Output for Post-Mortem: Capture sessions during incidents to review later.

Troubleshooting Scenarios

1. Identifying Bandwidth Hogs

Problem: Server latency spikes due to excessive bandwidth usage. Solution:

  1. Run sudo iftop -n -P to see IPs and ports.
  2. Identify the top traffic flow.
  3. Use sudo ss -tulpn to find the associated process.
  4. Verify if the process is legitimate (e.g., backup) or malicious.

2. Investigating Unusual Outbound Traffic

Problem: Unexpected outbound traffic from your server. Solution:

  1. Filter outbound traffic: sudo iftop -f "src host <your_ip>" -n to view outgoing connections.
  2. Look up suspicious IPs with whois <ip-address>.
  3. Block malicious IPs with iptables or your firewall.
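
A report saved as in "Saving Output to File" can be screened for the outbound flows this scenario describes. The script below is an added example, not code from the original guide: it parses a constructed `iftop -t -n -P` report, where each flow is a pair of lines marked => (sent) and <= (received), and lists flows whose 10-second send rate exceeds a limit and whose remote IP is not on an allowlist. The function names, sample addresses and 1024-based unit conversion are assumptions, and it expects IPv4 host:port columns with rates in bits (no -B).

```shell
#!/bin/sh
# Added example (not from the original article). Constructed sample of
# `iftop -t -n -P` output; all addresses are documentation-range placeholders.
sample_report() {
cat <<'EOF'
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 10.0.0.5:443                             =>     1.60Mb     1.50Mb     1.50Mb      375KB
     203.0.113.7:51234                        <=     24.0Kb     22.5Kb     22.5Kb     5.62KB
   2 10.0.0.5:48822                           =>     9.75Mb     9.50Mb     9.50Mb     2.37MB
     198.51.100.23:8443                       <=      112Kb      108Kb      108Kb     27.0KB
   3 10.0.0.5:22                              =>     3.20Kb     3.00Kb     3.00Kb       750B
     192.0.2.10:60522                         <=      960b       912b       912b       228B
--------------------------------------------------------------------------------------------
Total send rate:                                     11.4Mb     11.0Mb     11.0Mb
EOF
}

# outbound_over LIMIT_BPS "ALLOWED_IP ..." < report
# Prints "remote local bits_per_second" for every flow whose 10s send rate
# exceeds LIMIT_BPS and whose remote IP is not in the allowlist, busiest first.
outbound_over() {
  awk -v limit="$1" -v allow="$2" '
    # Convert "9.50Mb" / "108Kb" / "912b" to bits per second (K/M/G as powers of 1024).
    function to_bps(s,   n) {
      n = s + 0
      if (s ~ /Kb$/) n *= 1024
      else if (s ~ /Mb$/) n *= 1024 ^ 2
      else if (s ~ /Gb$/) n *= 1024 ^ 3
      return int(n)
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # First line of a pair: "<idx> <local host:port> => <2s> <10s> <40s> <cumulative>"
    $3 == "=>" { local = $2; sent = to_bps($5); next }
    # Second line: "<remote host:port> <= ..."; strip the port to get the IP.
    $2 == "<=" {
      ip = $1; sub(/:[0-9]+$/, "", ip)
      if (sent > limit && !(ip in ok)) print $1, local, sent
    }
  ' | sort -k3,3nr
}

# Example: flag flows above 1 Mbit/s that do not go to the known client 203.0.113.7
sample_report | outbound_over 1000000 "203.0.113.7"
```

On a live host, replace `sample_report` with the saved file, for example `outbound_over 1000000 "203.0.113.7" < iftop_traffic_report.txt`; the local port in each flagged line is the value to look up with ss.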

3. Diagnosing Port-Specific Congestion

Problem: Web server slowdown on port 443. Solution:

  1. Monitor HTTPS traffic: sudo iftop -f "dst port 443".
  2. Identify top clients consuming bandwidth.
  3. Implement rate limiting (e.g., Nginx limit_req module) for abusive clients.

Conclusion

iftop is a lightweight yet powerful tool for real-time network monitoring. Its focus on individual traffic flows makes it ideal for troubleshooting bandwidth issues, identifying anomalies, and optimizing network performance. By mastering its installation, filtering, and scripting capabilities, you’ll be able to resolve network problems faster and keep your systems running smoothly.

