In today's interconnected world, network monitoring has become an essential skill. With the exponential growth of cloud computing, IoT devices, and remote work solutions, understanding network traffic patterns is more critical than ever before. Among the plethora of Linux monitoring tools available, iftop stands out as one of the most powerful and versatile command-line utilities for real-time network bandwidth monitoring. Unlike system monitoring tools like htop or atop that focus on CPU, memory, and process metrics, iftop provides unparalleled visibility into your network traffic patterns, helping you identify bandwidth hogs, troubleshoot performance issues, and optimize your network configuration.

Whether you're managing enterprise servers, optimizing application performance, or simply curious about network activity, mastering iftop will give you valuable insights into your system's network behavior.

Understanding iftop

iftop is a console-based network bandwidth monitoring tool that displays real-time bandwidth usage on individual network interfaces. What sets iftop apart from basic network monitors is its ability to provide a granular view of network activity at the connection level. Most administrators are familiar with tools that show overall bandwidth consumption, but iftop takes this several steps further by revealing exactly which hosts are communicating and how much bandwidth each connection is consuming.

Key advantages of iftop include:

• Connection-level visibility – Shows bandwidth usage per socket connection rather than just aggregate interface statistics
• Real-time monitoring – Updates the display continuously to reflect current network activity
• Protocol identification – Can distinguish between different types of network traffic
• Interactive interface – Allows sorting and filtering of connections while running
• Minimal resource usage – Lightweight compared to GUI-based monitoring tools
• Historical context – Provides short-term bandwidth usage trends through a multi-timeframe display

Under the hood, iftop uses the pcap library to capture packets moving through the network interface. As packets flow through the interface, iftop analyzes them to determine:

• Source and destination IP addresses
• Port numbers
• Protocols (TCP/UDP)
• Data transfer rates in both directions
• Total data transferred per connection

This approach lets iftop show bandwidth usage at the connection level, something that tools reading from /proc/net/dev (like nload) cannot provide. The tool maintains running averages of bandwidth usage across three different timescales (2, 10, and 40 seconds by default), giving you both immediate and trending views of your network activity.

Iftop is useful for answering questions like:

• Which external hosts is my server communicating with right now?
• What specific connections are consuming the most bandwidth at this moment?
• Is there any suspicious network activity I should investigate immediately?
• Which services or ports are generating the most traffic on my system?

See the box entitled "The Other Tools" for a look at how iftop compares with other monitoring utilities.

Installing iftop

One of iftop's advantages is its wide availability across different Linux distributions. The installation process is straightforward, though it might vary slightly depending on your package manager. For Debian or Ubuntu-based systems, enter

sudo apt update
sudo apt install iftop

For RHEL or CentOS:

sudo yum install epel-release -y
sudo yum install iftop -y

For Fedora:

sudo dnf install iftop -y

For Arch Linux:

sudo pacman -Syu iftop

For other distros, see your package manager's documentation.

You'll need root privileges to run iftop, because it needs access to network interfaces for packet capture:

sudo iftop

iftop offers several useful command-line options to customize its behavior right from startup. These options allow you to tailor the tool's operation to your specific monitoring needs without having to interact with the interface. For instance, use the -i option to specify which network interface to monitor (e.g., eth0, wlan0, ens3).

Use the -N option to specify port numbers or the -P option to show both port numbers and IP addresses. A lowercase -n tells iftop to disable hostmane resolution, which will speed up processesing by reducing DNS traffic. See the box entitled "More Options" for other useful command-line switches.

For example, to monitor interface eth0 without hostname resolution and showing port numbers:

sudo iftop -i eth0 -nP

Or to monitor only HTTP/HTTPS traffic on interface wlp3s0:

sudo iftop -i wlp3s0 -f 'port 80 or port 443'

Understanding the iftop Interface

When launched, iftop presents a clean, text-based interface divided into logical sections that work together to provide a comprehensive view of network activity (Figure 1).

Figure 1: Iftop's text-based interface offers a view of current connections and overall network activity.

The top section shows total bandwidth usage. The middle section lists active connections (source to destination) with bandwidth usage. The bottom section shows RX and TX. RX (Receive) represents incoming traffic, measures the amount of data your machine is receiving from other hosts (in bytes per second). TX (Transmit) represents outgoing traffic, measures the amount of data your machine is sending to other hosts (in bytes per second).

The connection list in the middle section is the most important part, showing for each connection:

• Source host (left side, with port if enabled)
• Destination host (right side, with port if enabled)
• Current bandwidth usage (middle bar, length represents utilization)
• 2-second average bandwidth rate (first numerical column)
• 10-second average bandwidth rate (second numerical column)
• 40-second average bandwidth rate (third numerical column)

By default, connections are sorted by their 40-second average bandwidth usage, with the heaviest connections at the top of the list. This default sorting helps immediately identify which connections are consuming the most bandwidth over a meaningful time frame.