When a client calls saying that “the Internet is slow” or that “the network isn’t working properly,” the explanation is often vague and unhelpful. In such cases, system administrators need tools that provide an immediate and clear view of what’s happening on the network. One of the most useful, lightweight, and straightforward options is iftop, a real-time traffic monitor that should be in every sysadmin’s toolbox.
What is iftop?
iftop is a command-line tool that displays real-time network traffic, much like top does for processes. Instead of showing which applications consume the most CPU or memory, iftop reveals which IP addresses are generating traffic, where the packets are going, and how much bandwidth each connection consumes.
Its operation is simple but powerful:
- Listens on the specified network interface (default: the primary one).
- Lists active connections, showing source and destination IPs.
- Measures inbound and outbound traffic in real time.
- Displays rolling averages over 2, 10, and 40-second intervals.
In short, iftop is like putting on X-ray glasses when the network starts to fail, and no one can give you more details.
Installing iftop on Linux
iftop is available in most GNU/Linux distributions from official repositories. On Debian or Ubuntu-based systems, install it with:
sudo apt update
sudo apt install iftop
On CentOS, RHEL, or Fedora, install it from EPEL:
sudo yum install epel-release
sudo yum install iftop
Run it with:
sudo iftop -i eth0
Where -i specifies the network interface to monitor.
Understanding iftop’s output
iftop’s interface is minimalist but clear. A typical output looks like this:
1.15Mb 1.19Mb 1.21Mb
192.168.1.10 => 8.8.8.8 250Kb 220Kb 230Kb
192.168.1.10 <= 8.8.8.8 200Kb 210Kb 190Kb
192.168.1.10 => 151.101.65.69 30Kb 20Kb 15Kb
- Source and destination IPs: show who is connecting to whom.
- => and <=: distinguish outbound and inbound traffic.
- Time windows: averages over 2, 10, and 40 seconds.
- Top bar: total bandwidth used on the interface.
This makes it easy to detect whether an internal process is saturating the network, if there’s an unexpected traffic spike to an unknown IP, or if suspicious connections are active.
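The check described above can be scripted. The following is an added example, not part of the original article or of iftop itself: it parses flow lines in the simplified layout shown above and reports outbound flows to destinations outside a known list whose 40-second average exceeds a threshold. The sample lines, the KNOWN list, the threshold, and the 1024-based unit multiplier are assumptions, and it expects numeric addresses without ports.

```python
import ipaddress
import re

# Constructed sample in the simplified layout shown above; not captured output.
SAMPLE = """\
                               1.15Mb   1.19Mb   1.21Mb
192.168.1.10 => 8.8.8.8         250Kb    220Kb    230Kb
192.168.1.10 <= 8.8.8.8         200Kb    210Kb    190Kb
192.168.1.10 => 151.101.65.69    30Kb     20Kb     15Kb
192.168.1.10 => 203.0.113.50    4.2Mb    3.9Mb    3.1Mb
192.168.1.10 => 192.168.1.20    9.0Mb    8.5Mb    8.0Mb
"""

# Hypothetical allowlist: the local subnet plus destinations already vetted.
KNOWN = ["192.168.1.0/24", "8.8.8.8/32", "151.101.0.0/16"]

FLOW = re.compile(r"^(\S+)\s+(=>|<=)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
RATE = re.compile(r"^(\d+(?:\.\d+)?)([KMG]?)([bB])$")
MULT = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}  # assumption: 1024-based

def to_bits(rate):
    """Convert a rate such as '250Kb' (bits) or '1.5MB' (bytes, -B) to bits/s."""
    m = RATE.match(rate)
    if not m:
        raise ValueError(f"unrecognised rate: {rate!r}")
    value = float(m.group(1)) * MULT[m.group(2)]
    return value * 8 if m.group(3) == "B" else value

def is_known(host, networks):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a resolved hostname cannot be matched against CIDRs
    return any(addr in ipaddress.ip_network(n) for n in networks)

def suspicious_outbound(text, networks, min_bps):
    """Return (destination, 40 s average in bits/s) for unknown outbound flows."""
    hits = []
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if not m or m.group(2) != "=>":
            continue  # totals line, inbound flow, or unrelated text
        dst, avg40 = m.group(3), to_bits(m.group(6))
        if not is_known(dst, networks) and avg40 >= min_bps:
            hits.append((dst, int(avg40)))
    return hits

if __name__ == "__main__":
    for dst, bps in suspicious_outbound(SAMPLE, KNOWN, 1_000_000):
        print(f"review outbound flow to {dst}: {bps} bit/s (40 s average)")
```

Using the 40-second column rather than the 2-second one keeps short bursts from triggering the check; internal transfers such as the 192.168.1.20 flow are ignored because they fall inside the known subnet.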
Useful options and parameters
While the basic command covers most use cases, several flags are worth knowing:
- -i <interface> → specify the network interface.
- -B → display bandwidth in bytes instead of bits.
- -P → show port numbers along with IP addresses.
- -N → resolve hostnames where possible.
- -F → filter traffic by subnet (e.g., -F 192.168.1.0/24).
Interactive keys within the interface:
- t → toggle view modes.
- s → sort by sent traffic.
- r → sort by received traffic.
- p → pause or resume live updates.
Practical use cases for sysadmins
- Web application slowdowns
If a client says their website is slow, iftop can confirm whether the network interface is saturated and which connections are hogging bandwidth.
- Suspicious traffic detection
Spotting large outbound flows to unknown IPs may indicate malware, data exfiltration, or a misconfigured process.
- Shared environments
In multi-tenant servers or coworking environments, iftop helps identify who is consuming the most bandwidth.
- Remote support
When clients can only say “the network is down,” a quick iftop run gives you a live traffic map for immediate insights.
iftop vs other tools
- iftop: lightweight, real-time, perfect for quick diagnostics.
- nload: shows simple traffic graphs but no IP detail.
- tcpdump: provides complete traffic traces, but requires deeper analysis.
- ntopng/Wireshark: feature-rich and detailed, but heavier and less suitable for quick troubleshooting.
iftop’s strength lies in its speed, simplicity, and minimal overhead, making it invaluable in production environments.
Conclusion
For system administrators, iftop is like a stethoscope for a doctor: it doesn’t solve the problem by itself, but it gives the clarity needed to make quick, informed decisions. Its ease of installation, minimal resource consumption, and immediate accuracy make it a must-have for diagnosing network issues when symptoms are vague.
The next time someone says “the network isn’t working,” chances are iftop will show you the answer faster than anything else.
Frequently Asked Questions
1. Does iftop store traffic logs?
No, iftop only displays live traffic. For historical data, use tools like ntopng or Wireshark.
2. Can iftop limit or throttle traffic?
No. iftop is for monitoring only. Traffic shaping requires tools like tc, iptables, or nftables.
3. Can I run iftop on a remote server?
Yes, but note that your SSH session will also appear in the output. Filters can help exclude it.
4. Is iftop available for Windows or macOS?
Not natively. It’s built for Linux/Unix, but it can be compiled on BSD systems and installed on macOS via Homebrew.