A while back I purchased a Linux book bundle from Humble Bundle. Now that I’m studying for my Linux+, I found it a good time to begin browsing some of them to aid in my studies, as well as to find labs and projects I could do for some additional hands-on experience. The first book I’m looking at is Practical Linux Topics by Chris Binnie. This book describes several commands, techniques, and tips for managing Linux systems. The first of these topics is iftop.
iftop is a real-time Linux network bandwidth monitoring tool. It largely does what the netstat command does, but its advantage is the rich set of on-the-fly filters and options that can be changed while iftop is running. I would best describe it as fitting between the capabilities of netstat and Wireshark.
Once you’ve identified the interface you want to listen to, run the following command:
# iftop -i eth0
By default it displays source and destination addresses as FQDNs. Traffic is sorted by the display-order columns: three columns showing the average bandwidth over the last two, ten, and forty seconds, so the noisiest traffic is listed first. These averaging intervals can be configured.
Now that it’s open, there are several keyboard shortcuts that change the displayed information quickly. h displays the help menu, which lists all the shortcuts, but I will highlight the ones I use the most. t toggles between only sent traffic, only received traffic, and a combination of both. p displays the port alongside the IP/FQDN. P pauses the display.
Perhaps the strongest option is f, which sets a screen filter. As in Wireshark, keywords or phrases can be entered here to show only traffic matching a port, IP, service, etc. Beyond that, POSIX regular expressions can be used for more complex filters.
During my testing, I confirmed that iftop works in both runlevel 3 and 5. iftop can also be started in promiscuous mode with the following command:
# iftop -p -i eth0
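The interactive shortcuts above (port display, the filter, the 2s/10s/40s sort columns) all have command-line equivalents, which makes iftop usable from a script for a quick, repeatable snapshot of the noisiest flows. The wrapper below is an added example and is not code from the book or from the iftop project. It uses only flags documented in the iftop man page (-t, -s, -n, -N, -P, -B, -i, -o, -f); the interface name, filter expressions and the log path are constructed for illustration, and the -f filter is a pcap expression (the same syntax tcpdump uses), not the on-screen regex filter.

```shell
#!/bin/sh
# Added example (not from the book or the post): wrap iftop's non-interactive
# text mode so a snapshot of the busiest flows can be written to a log file.
# The interface, filters and log path below are assumed values for illustration.

# Build the iftop command line. Flags used (all from the iftop man page):
#   -t  text mode, no ncurses UI     -s N  collect for N seconds, then exit
#   -n  no hostname lookups          -N    no port-name lookups
#   -P  show ports                   -B    report in bytes rather than bits
#   -i  interface                    -f    pcap filter expression
#   -o  sort column: 2s, 10s or 40s  (defaults to the 10-second average here)
build_iftop_cmd() {
  iface="$1"; filter="$2"; seconds="$3"; order="${4:-10s}"
  printf 'iftop -t -n -N -P -B -i %s -s %s -o %s -f "%s"' \
    "$iface" "$seconds" "$order" "$filter"
}

# iftop has to open the interface in capture mode, so it is only run when it is
# installed and the script runs as root; otherwise the command is just shown.
can_run_iftop() {
  command -v iftop >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]
}

# snapshot IFACE FILTER [SECONDS] [LOGFILE]
snapshot() {
  iface="$1"; filter="$2"; seconds="${3:-10}"
  logfile="${4:-/tmp/iftop-snapshot.log}"   # assumed path
  cmd=$(build_iftop_cmd "$iface" "$filter" "$seconds")
  if can_run_iftop; then
    sh -c "$cmd" > "$logfile" 2>&1
    echo "wrote $logfile"
  else
    echo "would run: $cmd"
  fi
}

# Usage examples (constructed):
#   snapshot eth0 'not port 22' 10        # everything except SSH, 10-second window
#   snapshot eth0 'port 443' 5 /tmp/https.log
```

Excluding your own SSH session with a filter such as "not port 22" is usually the first thing to do when checking a remote box, since otherwise the management connection sits at the top of the list and hides the traffic you actually came to look at.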
Overall, I would say iftop is a very good tool for getting detailed network info quickly with the options to filter on the fly. I would highly recommend adding this to your system admin toolbox.
I plan on exploring more topics from Practical Linux Topics in the future. Other topics include Wget, PAM, SELinux, and more!
References:
Binnie, C. (2016). Practical Linux Topics. Berkeley, CA: Apress.