Real-Time Linux network traffic monitoring with Iftop

Iftop is one of the most popular command-line tools for monitoring network traffic in Linux. The iftop command can quickly show you which source is using the most bandwidth by listing its IP address or hostname at the top of the output.

In this tutorial we will learn how to use the iftop command to monitor network traffic on your Linux server. We will start by installing iftop on Ubuntu, CentOS 7 and Fedora, then we will learn the basic and advanced options of the monitoring tool.

Install iftop on Ubuntu/CentOS 7/Fedora

Let's start by installing the iftop command on Ubuntu, CentOS 7 and Fedora.

On Debian-based Linux systems (including Ubuntu), you can install iftop with the following command:

sudo apt-get update
sudo apt-get install iftop

To install iftop on CentOS 7, run:

yum -y install epel-release
yum -y install iftop

On Fedora, type:

dnf -y install iftop

Monitoring Network traffic with iftop

Important: the iftop command needs root permission to listen to network traffic on Linux, so you need to log in as the root user or use the sudo command.

Without any arguments, the iftop command listens to network traffic on the first interface it can find.

iftop

You can hit q to quit from the command output.

The most important argument is -i, which displays the results for a specific network interface. For example, the following command will display bandwidth usage on the eth1 interface.

iftop -i eth1

By default, the iftop command will attempt to resolve IP addresses into hostnames. To avoid this, use the -n option:

iftop -n -i eth1

Command Output

The main part of the command output lists, for each pair of hosts, the rate at which data has been sent and received over the preceding 2, 10 and 40 second intervals. The direction of data flow is indicated by arrows, <= (received) and => (sent).

At the very bottom of the display, you can see statistics for the transmitted data (TX) and received data (RX) along with totals for all connections.
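
The host-pair lines described above can also be read by a script. The following is an added example, not part of the original tutorial: it assumes an iftop build that has the -t (text output) and -s (print once after N seconds) options, which this tutorial does not cover, and it parses a constructed sample of that output to rank host pairs by their combined 10-second rate. The function names and the sample addresses are made up for the example.

```shell
#!/bin/sh
# Added example: rank host pairs by combined 10-second rate from iftop text output.
# Live use (assumes an iftop build that has the -t text mode and -s options):
#   sudo iftop -n -t -s 10 -i eth1 2>/dev/null | top_talkers

# Constructed sample in the layout printed by iftop -t (not a real capture).
sample_output() {
cat <<'EOF'
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 192.168.1.10                             =>     1.50Mb     1.00Mb      512Kb     1.25MB
     203.0.113.7                              <=     64.0Kb     24.0Kb     16.0Kb     30.0KB
   2 192.168.1.10                             =>     2.00Kb     1.00Kb       512b     1.25KB
     192.168.1.1                              <=     4.00Kb     3.00Kb     1.00Kb     3.75KB
--------------------------------------------------------------------------------------------
Total send rate:                                     1.50Mb     1.00Mb      512Kb
Total receive rate:                                  68.0Kb     27.0Kb     17.0Kb
EOF
}

# Reads iftop -t output on stdin and prints "host1 host2 bits_per_second",
# with the highest combined (sent + received) 10-second rate first.
top_talkers() {
    awk '
    # Convert a rate such as "512b", "24.0Kb" or "1.00Mb" to bits per second.
    # Assumption: each unit step is a factor of 1024.
    function bits(v,   n, u) {
        n = v + 0                      # numeric prefix
        u = v; gsub(/[0-9.]/, "", u)   # unit suffix
        if (u == "Kb") return n * 1024
        if (u == "Mb") return n * 1024 * 1024
        if (u == "Gb") return n * 1024 * 1024 * 1024
        return n
    }
    # "=>" line: index, first host, arrow, 2s, 10s, 40s, cumulative.
    $3 == "=>" { src = $2; sent = bits($5); next }
    # "<=" line: second host, arrow, 2s, 10s, 40s, cumulative.
    $2 == "<=" && src != "" {
        printf "%s %s %d\n", src, $1, sent + bits($4)
        src = ""
    }' | sort -k3,3nr
}

sample_output | top_talkers
```
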

Controlling output from the Keyboard

t: Toggle between display modes (sent and received traffic on separate lines, sent traffic only, received traffic only and total traffic).
Shift + p: Pause the current display.
n: Turn DNS resolution on and off.
p: Toggle port display on/off (both source and destination port).
Shift + s: Toggle source port display on/off.
Shift + d: Toggle destination port display on/off.
f: Apply a filter to the command output.

Filtering Linux iftop Output

You can also filter the output of the iftop command with filter codes. To apply filter codes we use the -f option, or press the "f" key while iftop is running.

Iftop filter codes use the packet filter syntax used by tcpdump.

Examples

The following command will only monitor packets whose source or destination is host 192.168.1.10:

iftop -i enp0s3 -f "host 192.168.1.10"

Monitor only packets destined for host 192.168.1.10:

iftop -i enp0s3 -f "dst host 192.168.1.10"

To apply a filter code while iftop is running, press the f key on the keyboard, type the expression and press Enter (it will take a few seconds for the new filter to be applied).

More iftop filter codes

Ignore all broadcast traffic:

not ether host ff:ff:ff:ff:ff:ff

Monitor HTTP traffic on port 80:

port 80

Monitor SMTP traffic on IP address 192.168.1.10:

port smtp and host 192.168.1.10

Monitor only traffic whose IPv4 address is within the given network and netmask:

net 192.168.1.0 mask 255.255.255.0

To learn more about filter codes, type:

man 7 pcap-filter

You can learn more about the iftop command by typing:

man iftop