Nethogs monitors network bandwidth per process
Bean Counter
Nethogs knows which programs and users are monopolizing the system's network connection.
For more than 10 years, Arnout Engelen [1] has worked on his Nethogs [2] tool. Nethogs is a little-known utility that breaks down network bandwidth by process. A view of the network by process is particularly useful if you want to know which application is currently involved in a particularly intensive communication.
Nethogs, which is licensed under the GPL, relies on the virtual proc
filesystem for the analysis (relying on /proc/net/tcp
and /proc/net/tcp6
, among others). The code is written in C++. You will find the official source code at the project website [3]. Currently, Nethogs only shows you the TCP data flow; other protocols, such as ICMP or UDP, are not supported. Also, Nethogs analyzes the network usage for a single system and doesn't attempt to study all the traffic on the network.
Easily Installed
Nethogs has found its way by now into the official package repositories for more popular distributions. On the Ubuntu 14.04 64-bit version in our lab, I was able to install the package with the following commands:
$ sudo apt-get update $ sudo apt-get install libncurses5 libpcap0.8 $ sudo apt-get install nethogs
If you do decide to build Nethogs from the source code, make sure you resolve the Libpcap and Ncurses dependencies in advance – on Debian/Ubuntu, you'll need the packages libncurses5-dev
and libpcap0.8-dev
.
The program needs root privileges. You can launch Nethogs directly as root
or use sudo
on Ubuntu or Debian:
$ sudo nethogs
Once you launch Nethogs, you'll need to wait for a while before you start to see meaningful results onscreen. Before the tool can create its first analyses, you need a few network packets across the wire. Figure 1 shows how Nethogs broke down the bandwidth in our lab.
The data displays in six columns: the first column, labeled PID, contains a process ID of the displayed processors; the column labeled USER lists the corresponding users who launched the processes. The third column, PROGRAM, points to the executable file – in Figure 1, apt-get update
turns out to be hiding behind the program /usr/lib/apt/methods/http
. Because many programs in Linux use different tools or modules, you can't always automatically see the program you launched in this column.
The fourth column, labeled DEV points to the interface currently handling the data traffic. The second to last column, labeled SENT, shows the outgoing bandwidth, and the last column, RECEIVED, shows the incoming traffic in kilobytes per second. Pressing Ctrl+C, or alternatively q, quits the program again.
Options
When launched without additional parameters, Nethogs simply assumes meaningful defaults. For example, the program listens on the first interface (typically eth0
), and it refreshes the display every second. If you want to include another interface in the analysis, you can either pass in only this interface (Listing 1, line 1) or all interfaces (Listing 1, line 2).
Listing 1
Specifying an Interface
If you want to refresh the display more frequently, use the -d
option. If necessary, you can combine the -d
option with the interface selection (Listing 1, line 3). To discover more parameters, type:
sudo nethogs -h
The program, which is similar to the top
utility in some respects, lets you influence the display at run time. Pressing M toggles between units KB/s, KB, B, and MB. The MB option shows the data volume consumed by each process since the program was launched (Figure 2).
After pressing R and S, the program also gives you the option of sorting by incoming (r for "received") and outgoing (s for "sent") bandwidth. By the way, don't let the unknown TCP message in Figure 2 confuse you: in this case, Nethogs probably just didn't have enough data for the connection to identify the process uniquely.
Conclusions
Nethogs lets you break down the current bandwidth usage of active programs running on the system. A quick look at the bandwidth usage will tell you at a glance which processes are monopolizing the network connection.
Nethogs only detects TCP traffic, and it only analyzes what is happening on the local system; it is thus not at all useful for analyzing overall network traffic. However, Nethogs can be a useful tool for breaking down a system's network load.
Infos
- Arnout Engelen: http://arnout.engelen.eu
- Nethogs: http://nethogs.sourceforge.net
- Nethogs source code: http://sourceforge.net/projects/nethogs/files/nethogs/
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.