Real-Time Network Monitoring with Iftop

Interactive Controls

Iftop becomes particularly powerful when you use its interactive controls to customize the display in real time. These keyboard commands allow you to adapt the view to your immediate troubleshooting needs without restarting the tool. Press a key and watch the display react. You can toggle the port number display (p), display or hide the source address (s) or destination address (d), or display total bandwidth (t). Type n to toggle hostname resolution, which is helpful for reducing DNS lookups. Type P to freeze the current view and pause the display. Enter a 1, 2, or 3 to sort columns 1, 2, or 3 of the bandwidth timescales. The l option lets you enter a BPF filter expression.

Iftop's controls allow you to quickly focus on the most relevant connections for your current troubleshooting needs. For example, when diagnosing a bandwidth saturation issue, you might start with the default view to identify the heaviest flows, then press S to group by source if a particular host seems responsible. From there, press p to show the ports in order to identify the services responsible. Enter j/k to scroll through all connections from the host.

Filtering Traffic with BPF Expressions

One of iftop's most powerful features is its ability to filter traffic using Berkeley Packet Filter (BPF) expressions. This packet filtering language allows you to focus on specific types of traffic while excluding irrelevant data from the display. BPF filters can be applied either at startup via command line or interactively while iftop is running.

Common Filtering Scenarios

Common filtering scenarios include viewing only HTTP traffic (port 80):

sudo iftop -f 'port 80'

monitoring traffic to/from a specific host:

sudo iftop -f 'host 192.168.1.100'

excluding SSH traffic (port 22) from the display:

sudo iftop -f 'not port 22'

monitoring traffic between specific subnets:

sudo iftop -f 'net 192.168.1.0/24 and net 10.0.0.0/8'

and viewing only UDP traffic (useful for VoIP or streaming analysis):

sudo iftop -f 'udp'

You can also apply these filters interactively by pressing l and entering the filter expression. This allows you to quickly change what you're monitoring based on what you see in the initial display. For example, you might start with a broad view to identify interesting traffic. If you notice heavy traffic on port 443, press l and enter port 443 to focus just on HTTPS traffic. Then press S to sort by source to see which hosts are generating this traffic.

The ability to dynamically apply these filters makes iftop exceptionally flexible for drilling down into network issues.
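
The filters above each use a single primitive or one "and"; the following shell helper is an added example, not code from the original article, showing how to combine a host or subnet, a set of ports to include, and ports to exclude into one expression. The function names build_filter, valid_port, and valid_addr are hypothetical, and the addresses and ports are the sample values used earlier in the text.

```shell
#!/bin/sh
# Added example: compose an iftop BPF filter from validated parts.
# build_filter, valid_port and valid_addr are hypothetical helper names.

# Succeeds only for a decimal port in 1..65535 (no leading zero, no keywords).
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Succeeds only for strings made solely of digits, dots and slashes.
valid_addr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
}

# build_filter ADDR "INCLUDE PORTS" "EXCLUDE PORTS"
build_filter() {
    addr=$1 include=$2 exclude=$3
    valid_addr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    case "$addr" in
        */*) filter="net $addr" ;;    # CIDR block
        *)   filter="host $addr" ;;   # single host
    esac

    alt=""
    for p in $include; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        alt="${alt:+$alt or }port $p"
    done
    # In BPF, "and" and "or" have equal precedence and group left to right,
    # so "host X and port 80 or port 443" would match ALL port 443 traffic.
    # Parentheses keep the alternation scoped to the host.
    if [ -n "$alt" ]; then filter="$filter and ($alt)"; fi

    for p in $exclude; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        filter="$filter and not port $p"
    done
    printf '%s\n' "$filter"
}

# Constructed sample: one host, web ports only, SSH hidden.
build_filter 192.168.1.100 "80 443" "22"
# Launch with: sudo iftop -f "$(build_filter 192.168.1.100 '80 443' 22)"
```

Rejecting anything that is not a plain address or port number keeps a stray keyword in a wrapper script's input from silently widening what the filter matches.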
