Getting Started With Linux – View Network Usage With iftop

15th March, 2016 by

This post is part of our Getting Started With Linux series, when we address everything from Distributions to Kernel Panic. To read more from this series click here

One of the more important tasks when managing a dedicated or virtual private server is to be aware of what it is doing and how it is performing. A poorly performing or overloaded server isn’t just a problem for you, it can mean frustration for your users, and potentially lost revenue from any ecommerce sites this may affect. In previous articles, I’ve covered how you can use top and htop to monitor your system processes, CPU usage and RAM usage. These tools don’t provide a lot of help when you have issues with network throughput though, which is where iftop comes in handy.

What is iftop?

iftop is a tool for checking the bandwidth usage on network interfaces. It provides a number of helpful views that allows you to easily see which connections are using the most bandwidth as well as which services are consuming the most bandwidth. iftop isn’t installed as part of the default package load in most distributions, so you’ll need to install it before you can use it.

For Debian/Ubuntu and related distributions:

apt-get update
apt-get install iftop

For Red Hat and CentOS the package is part of the Fedora Project’s extended repositories, so you will need to enable that repository on your system if you wish to use iftop. Information on this repository is available here,, and with the repository installed iftop is easily installed with the following command:

yum install iftop

Once installed, iftop can simply be started using its command:


A help menu is provided that is accessed using the “h” key whilst running which provides information on how to customize the view to meet your needs, such as toggling the display of source and destination hosts, and whether to perform reverse DNS lookups on the various IPs to show hostnames. Note that the rDNS lookups can cause a level of network traffic that, with a large number of active connections, can also make a sizable impact on the output from iftop. Similarly, there are options to toggle information about the source and destination ports, change the ordering and adjust the display of the bar graphs of usage.

iftop Limitations

One limitation of iftop is that it will only analyze traffic on a single port, and by default when launched it will only look at traffic on the first network port. So, if you have a server with multiple connected network ports you will need to specify the port in question using the -i flag as follows:

iftop -i eth0

Other helpful flags:

-B Display the bandwidth in bytes/sec rather than bits/sec

-F Only monitor traffic within a specific IPv4 subnet, the flag needs to be followed by the network and subnet mask in the format of “net/mask” the subnet mask can be in the CIDR format or the traditional dotted quad.

-G Only monitor traffic within a specific IPv6 subnet, it requires the additional argument similar to -F.

Further information on additional flags is available on the iftop man page.

I’ve installed iftop, what does all of this new information mean?

Now let’s look at what’s going on on-screen while iftop is running. Firstly, we have a scale along the top of the screen – this is the scale that the bar charts for the various connections shown underneath are drawn to.  Beneath that we have the various connections shown – at startup this is initially in two-line pairs that show the traffic sent in each direction between your host (on the left) and the remote host (on the right), arrows (<= and =>) between the hostnames indicate the direction of the traffic flow. At the end of each line are traffic counters which work in a similar fashion to the traditional load average counters we are used to. The first column is the last 10 seconds bandwidth average, the second column is the last 20 seconds bandwidth average and then the third column is the bandwidth average for the previous 40 seconds.

Finally, as we come to the bottom of the screen we have totals for transmitted traffic (TX), received traffic (RX) and the overall total. These are shown with cumulative totals since iftop has been running (cum), peak rates since iftop has been running (peak) and then you have the three column average rate breakdowns at the ends of the lines.

The ability to tweak the displayed content on the fly means that it’s very easy to manipulate iftop to provide you with a view to quickly identify where you are you seeing issues with connections to your server. I’d recommend firing it up and having a play with it to become familiar with its operation, as this will make it easy to see when it can be helpful to you.