Find Network Traffic and Bandwidth usage per Process in Linux
As a system administrator, there are times when you need to check which process is consuming the most network bandwidth on a machine. This is not easy to do without a standard tool designed for exactly that purpose. In this article we will look at one such tool, but before that we will try to fetch the same details with other methods.
I request my readers to share any other command line techniques/tools that can be used to achieve this.
Most graphical desktop environments on Linux have GUI applets to fetch these details, but most of them only show the total network usage of the system (no per-process breakdown). In any case, a production server will usually not have a GUI tool available for this, so we will discuss only command line tools and techniques.
The first method is to use tools like iptraf or iftop to identify the ports carrying most of the traffic, and then find out what is running on that specific port. Although this is a somewhat tedious way to find the process sending traffic, I have used this method several times and it serves the purpose.
If you are new to iftop and iptraf, I recommend reading my article below, which explains both tools along with their use cases.
First install iptraf or iftop with either yum or apt-get, depending on your distribution. Then run the iptraf command to see the traffic usage with interface and port details.
The iptraf command gives output like the one shown below. It shows two things: the source address and its network port. Press Enter at the first welcome screen to see the available options. Once you select the "IP traffic monitor" option for all interfaces, you will see output like the following.
IPTraf
TCP Connections (Source Host:Port)        Packets     Bytes  Flags  Iface
192.168.190.129:22     >                      462     95456  -PA-   eth0
192.168.190.1:49946    >                      238     11688  --A-   eth0
TCP: 1 entries                                                     Active
By default it sorts the connections by usage. In my case I can easily tell which process is running on port 22 (which of course is ssh), but you can find the process on a given port with the netstat command below.
root@ubuntu2:~# netstat -tunp | grep 22
tcp        0     64 192.168.190.129:22      192.168.190.1:49946     ESTABLISHED 1104/sshd: ubuntu [
root@ubuntu2:~#
Alternatively, you can use the lsof command to find the process running on that port.
root@ubuntu2:~# lsof -i:22
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    671 root    3u  IPv4   8584      0t0  TCP *:ssh (LISTEN)
You can also use the iftop tool, in the same way we used iptraf, to find out the traffic sent per port and interface. This is shown below.
root@ubuntu2:~# iftop -P
                 12.5kb          25.0kb          37.5kb          50.0kb          62.5kb
--------------------------------------------------------------------------------
192.168.190.129:ssh    => 192.168.190.1:49946         928b   1.13kb   1.67kb
                       <=                             160b     160b     192b
192.168.190.129:56386  => 192.168.190.2:domain          0b       0b      30b
                       <=                               0b       0b      30b
192.168.190.129:51953  => 192.168.190.2:domain          0b       0b      29b
                       <=                               0b       0b      29b
192.168.190.129:53003  => 192.168.190.2:domain          0b       0b      29b
                       <=                               0b       0b      29b
--------------------------------------------------------------------------------
TX:    cum:   4.40kB   peak:   3.75kb   rates:   928b   1.13kb   1.76kb
RX:           698B             1.16kb            160b     160b     279b
TOTAL:        5.08kB           4.83kb           1.06kb   1.29kb   2.03kb
The -P option used in the above command turns on the port display in the iftop output, which we need in order to find the process running on that port. Now you can use either netstat or lsof to find the process.
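The port-to-process step above is what netstat -p and lsof -i do under the hood: read the socket inode for the port from /proc/net/tcp and find which /proc/<pid>/fd entry points at it. Here is that lookup written out as an added example (not code from this article), using a constructed /proc/net/tcp row modelled on the session above and a hypothetical inode-to-PID map supplied by the caller; matching on the decoded port, rather than grepping for "22", also avoids false hits on other columns.

```python
# Added example, not from the original article: the port-to-PID lookup that
# "netstat -p" and "lsof -i" perform, done directly against /proc.
# /proc/net/tcp stores local/remote addresses as little-endian hex IPv4:port
# and the socket inode; /proc/<pid>/fd/* symlinks read "socket:[inode]".
import os
import re
import socket
import struct

# Constructed sample of /proc/net/tcp: header plus one row for
# 192.168.190.129:22 <-> 192.168.190.1:49946 with socket inode 8584.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 81BEA8C0:0016 01BEA8C0:C31A 01 00000000:00000040 00:00000000 00000000     0        0 8584 1 0000000000000000 20 4 30 10 -1\n"
)

def decode_addr(hex_addr):
    """'81BEA8C0:0016' -> ('192.168.190.129', 22) (IPv4 entries only)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, remote_ip, remote_port, inode), ...]."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header line
        f = line.split()
        if len(f) >= 10:
            rows.append(decode_addr(f[1]) + decode_addr(f[2]) + (int(f[9]),))
    return rows

def inode_to_pids(proc="/proc"):
    """Map socket inode -> PIDs holding it; run as root to see every process."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                           # process exited or not permitted: skip it
            continue
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners

def pids_for_local_port(port, tcp_text, owners):
    """PIDs owning a TCP socket bound to local port, given /proc/net/tcp text and inode map."""
    pids = set()
    for _lip, lport, _rip, _rport, inode in parse_proc_net_tcp(tcp_text):
        if lport == port:
            pids |= owners.get(inode, set())
    return sorted(pids)
```

For a live lookup run as root, pass open("/proc/net/tcp").read() and inode_to_pids() as the last two arguments; /proc/net/tcp6 uses the same columns but 32-hex-digit addresses, which decode_addr does not handle.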
Apart from iftop and iptraf, you can also use a tool called jnettop. On Ubuntu you can install it with a simple apt-get install jnettop. Once it is installed, it shows details similar to those we got from iptraf and iftop. Its sample output is shown below.
run  0:00:41 device eth0       pkt[f]ilter: none    .    [c]ntfilter: on
[b]ps=bytes/s   [l]ocal aggr: none        [r]emote aggr: none
[q]uit [h]elp [s]orting [p]ackets [.] pause  - switch device
LOCAL <-> REMOTE                                    TXBPS    RXBPS  TOTALBPS
 (IP)                 PORT  PROTO  (IP)            PORT     TX       RX     TOTAL
192.168.190.129 <-> 192.168.190.1                   252b/s   60b/s    312b/s
 192.168.190.129      22    TCP    192.168.190.1   51394    11.4K    2.72K    14.1K
UNKNOWNv4 <-> UNKNOWNv4                              14b/s   20b/s     34b/s
 0.0.0.0              0     ARP    0.0.0.0         0        42b      60b      102b
--------------------------------------------------------------------------------
TOTAL                                               266b/s   80b/s    346b/s    11.7K    3.09K    14.8K
The jnettop command is best suited to monitoring traffic between a particular source and destination, but it also gives the port details we need to find the process using that port.
But there is a much better tool designed for exactly this purpose, called nethogs. It is very similar to the top command, but sorts processes by their network usage. It is very easy to install and use.
If you are on a RedHat/CentOS system, you first need to install the EPEL yum repository before installing nethogs. For Ubuntu users, it is a simple apt-get command away.
root@ubuntu2:~# apt-get install nethogs
The nethogs man page gives the following description of the tool.
NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most such tools do, it groups bandwidth by process - and does not rely on a special kernel module to be loaded. So if there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this, and if it's some kind of spinning process, kill it.
NetHogs command usage and examples
Once you have the tool installed, it is very easy to use. Simply typing nethogs will show you most of what you need. See the sample output below.