Find Network Traffic and Bandwidth usage per Process in Linux

Sarath Pillai's picture
Network Traffic Per Process in Linux

As system administrators, we sometimes need to find out which process is consuming the most network bandwidth on a machine. This is not easy to do without a tool designed for that purpose. In this article we will look at one such tool, but first we will try to get the same details using other methods.

 

I request my readers to share any other command line techniques/tools that can be used to achieve this.

 

Most Linux desktop environments have GUI applets that show these details, but most of them show only the total network usage of the system, not per-process details. In any case, a production server will not have a GUI tool for this, so we will discuss only command-line tools and techniques.

 

The first method is to use a tool like iptraf or iftop to identify the ports sending most of the traffic, and then find out what is running on each of those ports. Although this is a somewhat tedious way to find the process sending traffic, I have used it several times and it serves the purpose.

 

If you are new to iftop and iptraf, I recommend reading my article below, which explains both tools and their use cases.

 

Read: Iptraf and Iftop command usage and examples

First install iptraf or iftop with either YUM or apt-get, depending on your distribution. Then run the iptraf command to see traffic usage with interface and port details.

The iptraf command gives output like that shown below. It shows two things: the source address and its network port. Press Enter at the welcome screen to see the available options. Once you select the "IP traffic monitor" option with all interfaces, you will see output like the following.

 

 IPTraf
┌ TCP Connections (Source Host:Port) ────────── Packets ─── Bytes Flags  Iface ┐
│┌192.168.190.129:22                          >     462     95456 -PA-   eth0  │
│└192.168.190.1:49946                         >     238     11688 --A-   eth0  │
│                                                                              │
└ TCP:      1 entries ──────────────────────────────────────────────── Active ─┘

 

By default it sorts the connections by usage. In my case I can easily tell which process is running on port 22 (which of course is ssh), but you can find the process on any port with the netstat command below.

 

 

root@ubuntu2:~# netstat -tunp | grep 22
tcp        0     64 192.168.190.129:22      192.168.190.1:49946     ESTABLISHED 1104/sshd: ubuntu [
root@ubuntu2:~#

 

Alternatively, you can use the lsof command to find the process running on that port.

 

root@ubuntu2:~# lsof -i:22
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     671   root    3u  IPv4   8584      0t0  TCP *:ssh (LISTEN)
sshd     671   root    4u  IPv6   8595      0t0  TCP *:ssh (LISTEN)
sshd    1104   root    3u  IPv4   9170      0t0  TCP 192.168.190.129:ssh->192.168.190.1:49946 (ESTABLISHED)
sshd    1120 ubuntu    3u  IPv4   9170      0t0  TCP 192.168.190.129:ssh->192.168.190.1:49946 (ESTABLISHED)
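
The same port-to-PID lookup can be done straight from /proc, which is useful on a host where netstat and lsof are not installed. This is an added example, not code from the original article: it decodes /proc/net/tcp rows and matches each socket inode against the /proc/<pid>/fd symlinks. The sample table is constructed to mirror the SSH session above; the function names are illustrative, and the code assumes a little-endian host and IPv4 only.

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of the kernel's state codes
# Constructed sample in /proc/net/tcp format, mirroring the article's SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8584 1
   1: 81BEA8C0:0016 01BEA8C0:C31A 01 00000040:00000000 01:00000014 00000000     0        0 9170 2
"""

def decode_endpoint(hex_endpoint):
    """'81BEA8C0:0016' -> ('192.168.190.129', 22); assumes a little-endian host."""
    addr_hex, port_hex = hex_endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote endpoint, state, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                         "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def socket_inode_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs via /proc/<pid>/fd (root sees all users)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, fd closed mid-scan, or permission denied
        for target in targets:
            if target.startswith("socket:["):
                owners.setdefault(int(target[8:-1]), set()).add(int(pid))
    return owners

def processes_on_port(port, tcp_text, owners):
    """List (local, remote, state, [pids]) for sockets bound to a local port."""
    return [(r["local"], r["remote"], r["state"], sorted(owners.get(r["inode"], ())))
            for r in parse_proc_net_tcp(tcp_text) if r["local"][1] == port]

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # live data; the sample above is for offline use
        print(*processes_on_port(22, fh.read(), socket_inode_owners()), sep="\n")
```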

 

You can also use the iftop tool, much as we used iptraf, to find the traffic sent by ports and interfaces. This is shown below.

 

root@ubuntu2:~# iftop -P
                12.5kb          25.0kb          37.5kb          50.0kb    62.5kb
└───────────────┴───────────────┴───────────────┴───────────────┴───────────────
192.168.190.129:ssh        => 192.168.190.1:49946         928b   1.13kb  1.67kb
                           <=                             160b    160b    192b
192.168.190.129:56386      => 192.168.190.2:domain          0b      0b     30b
                           <=                               0b      0b     30b
192.168.190.129:51953      => 192.168.190.2:domain          0b      0b     29b
                           <=                               0b      0b     29b
192.168.190.129:53003      => 192.168.190.2:domain          0b      0b     29b
                           <=                               0b      0b     29b

────────────────────────────────────────────────────────────────────────────────
TX:             cum:   4.40kB   peak:   3.75kb  rates:    928b   1.13kb  1.76kb
RX:                     698B            1.16kb            160b    160b    279b
TOTAL:                 5.08kB           4.83kb           1.06kb  1.29kb  2.03kb

 

 

The -P option used in the above command turns on port display in the iftop output, which we need in order to find the process running on that port. You can then use either netstat or lsof to find the process.

 

Apart from iftop and iptraf, you can also use a tool called jnettop. You can install jnettop on Ubuntu with a simple apt-get install jnettop command. Once it is installed, it shows details similar to those we got from the iptraf and iftop commands. Its sample output is shown below.

 

run   0:00:41 device eth0       pkt[f]ilter: none
[c]ntfilter: on  [b]ps=bytes/s [l]ocal aggr: none      [r]emote aggr: none
[q]uit [h]elp [s]orting [p]ackets [.] pause [0]-[9] switch device
LOCAL <-> REMOTE                                                                                                                                  TXBPS   RXBPS TOTALBPS
 (IP)                                                          PORT  PROTO  (IP)                                                          PORT       TX      RX    TOTAL
192.168.190.129 <-> 192.168.190.1                                                                                                                252b/s   60b/s   312b/s
 192.168.190.129                                                 22    TCP  192.168.190.1                                                51394    11.4K   2.72K    14.1K

UNKNOWNv4 <-> UNKNOWNv4                                                                                                                           14b/s   20b/s    34b/s
 0.0.0.0                                                          0    ARP  0.0.0.0                                                          0      42b     60b     102b
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
TOTAL                                                                                                                                            266b/s   80b/s   346b/s
                                                                                                                                                  11.7K   3.09K    14.8K

 

The jnettop command is best suited to monitoring traffic between a particular source and destination, but it also gives the port details we need to find the process using that port.

 

But there is a much better tool designed just for this purpose, called nethogs. It is very similar to the top command, but sorts processes by network usage. It is very easy to install and use.

If you are on a RedHat/CentOS system, you first need to install the EPEL Yum repo in order to install nethogs. For Ubuntu users, it is a simple apt-get command away.

 

root@ubuntu2:~# apt-get install nethogs

 

The nethogs man page gives the following description of the tool.

 

DESCRIPTION
       NetHogs is a small 'net top' tool. Instead of breaking the traffic down
       per protocol or per subnet, like most such tools do,  it  groups  band‐
       width  by  process - and does not rely on a special kernel module to be
       loaded. So if there's suddenly a lot of network traffic, you  can  fire
       up  NetHogs  and immediately see which PID is causing this, and if it's
       some kind of spinning process, kill it.

 

 

NetHogs command usage and examples

 

Once you have the tool installed, it is very easy to use. Simply typing nethogs will show you almost everything you need. See the sample output below.

 

root@ubuntu2:~# nethogs
NetHogs version 0.8.0

  PID USER     PROGRAM                      DEV        SENT      RECEIVED
2214  root     /usr/lib/apt/methods/http    eth0       4.693     238.631 KB/sec
2051  ubuntu   sshd: ubuntu@pts/1           eth0       3.442       0.310 KB/sec
1120  ubuntu   sshd: ubuntu@pts/0           eth0       0.416       0.035 KB/sec
2213  root     /usr/lib/apt/methods/http    eth0       0.021       0.023 KB/sec
?     root     unknown TCP                             0.000       0.000 KB/sec

  TOTAL                                                8.572     239.000 KB/sec

 

Its output shows the details below. These are more than enough to serve our purpose of sorting processes by their network usage.

 

  • PID (Process ID)
  • User with which the process is running
  • Command or program
  • Network interface from which the traffic is going
  • Sent bytes
  • Received Bytes

 

As you can see in the above output, it is sorted from high to low by default.

 

As with the top command, you can also set the refresh rate at which the tool updates its stats on the screen. In nethogs this is done with the -d option, as shown below.

 

root@ubuntu2:~# nethogs -d 1

 


Now it will refresh every second. 

Like top, it also has several interactive commands. These can be used to sort the output in a different order, such as by sent or received, and to change the output units from kb to mb etc.

Typing m while the interactive console is running will switch between kb/s, kb, b, mb. Pressing r will sort the output by received traffic, and pressing s will sort it by sent traffic.

 

Please share any similar tools like nethogs, or any other interesting methods to find process network usage in Linux.


Comments

Very nice & helpful article. Thanks a lot.......

A must read article for Sys Admins


Thanks for your comment Ranjit.

-Sarath
