Real-Time Network Monitoring with Iftop
Interactive Controls
Iftop becomes particularly powerful when you use its interactive controls to customize the display in real time. These keyboard commands let you adapt the view to your immediate troubleshooting needs without restarting the tool. Press a key and watch the display react. You can toggle the port number display (p), display or hide the source address (s) or destination address (d), or display total bandwidth (t). Type n to toggle hostname resolution, which is helpful for reducing DNS lookups. Type P to freeze the current view and pause the display. Enter a 1, 2, or 3 to sort columns 1, 2, or 3 of the bandwidth timescales. The l option lets you enter a BPF filter expression.
Iftop's controls allow you to quickly focus on the most relevant connections for your current troubleshooting needs. For example, when diagnosing a bandwidth saturation issue, you might start with the default view to identify the heaviest flows, then press S to group by source if a particular host seems responsible. From there, press p to show the ports in order to identify the services responsible. Enter j/k to scroll through all connections from the host.
Filtering Traffic with BPF Expressions
One of iftop's most powerful features is its ability to filter traffic using Berkeley Packet Filter (BPF) expressions. This packet filtering language allows you to focus on specific types of traffic while excluding irrelevant data from the display. BPF filters can be applied either at startup via command line or interactively while iftop is running.
Common Filtering Scenarios
Common filtering scenarios include viewing only HTTP traffic (port 80):
sudo iftop -f 'port 80'
monitoring traffic to/from a specific host:
sudo iftop -f 'host 192.168.1.100'
excluding SSH traffic (port 22) from the display:
sudo iftop -f 'not port 22'
monitoring traffic between specific subnets:
sudo iftop -f 'net 192.168.1.0/24 and net 10.0.0.0/8'
and viewing only UDP traffic (useful for VoIP or streaming analysis):
sudo iftop -f 'udp'
You can also apply these filters interactively by pressing l and entering the filter expression. This allows you to quickly change what you're monitoring based on what you see in the initial display. For example, you might start with a broad view to identify interesting traffic. If you notice heavy traffic on port 443, press l and enter port 443 to focus just on HTTPS traffic. Then press S to sort by source to see which hosts are generating this traffic.
The ability to dynamically apply these filters makes iftop exceptionally flexible for drilling down into network issues.
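The single-purpose filters above can be combined with and, or, not, and parentheses. As an added example (not from the article), the shell functions below build one expression from a list of hosts and excluded ports, rejecting anything that is not a plain IPv4 address, port number, or tcp/udp before it reaches iftop -f; the function names and sample addresses are constructed for illustration.

```shell
# Added example: compose and validate a BPF expression for iftop -f.
# Function names are hypothetical; sample addresses are constructed.

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_port N: succeeds only for an integer in 1-65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_filter "HOST ..." "EXCLUDED_PORT ..." [tcp|udp]
# Prints e.g.: (host A or host B) and not (port 22) and udp
build_filter() {
    hosts= ports= expr=
    for h in $1; do
        is_ipv4 "$h" || { echo "bad host: $h" >&2; return 1; }
        hosts="${hosts:+$hosts or }host $h"
    done
    for p in $2; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
        ports="${ports:+$ports or }port $p"
    done
    case ${3:-} in
        ''|tcp|udp) ;;
        *) echo "bad protocol: $3" >&2; return 1 ;;
    esac
    [ -n "$hosts" ] && expr="($hosts)"
    [ -n "$ports" ] && expr="${expr:+$expr and }not ($ports)"
    [ -n "${3:-}" ] && expr="${expr:+$expr and }$3"
    printf '%s\n' "$expr"
}

# Usage: quote the result so the shell does not interpret the parentheses.
#   sudo iftop -f "$(build_filter '192.168.1.100 10.0.0.5' '22' udp)"
```

Excluding port 22 this way keeps your own SSH session out of the display when you run iftop on a remote host.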