For more than 10 years, Arnout Engelen [1] has worked on his Nethogs [2] tool. Nethogs is a little-known utility that breaks down network bandwidth by process. A view of the network by process is particularly useful if you want to know which application is currently involved in a particularly intensive communication.

Nethogs, which is licensed under the GPL, relies on the virtual proc filesystem for the analysis (relying on /proc/net/tcp and /proc/net/tcp6, among others). The code is written in C++. You will find the official source code at the project website [3]. Currently, Nethogs only shows you the TCP data flow; other protocols, such as ICMP or UDP, are not supported. Also, Nethogs analyzes the network usage for a single system and doesn't attempt to study all the traffic on the network.

Easily Installed

Nethogs has found its way by now into the official package repositories for more popular distributions. On the Ubuntu 14.04 64-bit version in our lab, I was able to install the package with the following commands:

$ sudo apt-get update
$ sudo apt-get install libncurses5 libpcap0.8
$ sudo apt-get install nethogs

If you do decide to build Nethogs from the source code, make sure you resolve the Libpcap and Ncurses dependencies in advance – on Debian/Ubuntu, you'll need the packages libncurses5-dev and libpcap0.8-dev.

The program needs root privileges. You can launch Nethogs directly as root or use sudo on Ubuntu or Debian:

$ sudo nethogs

Once you launch Nethogs, you'll need to wait for a while before you start to see meaningful results onscreen. Before the tool can create its first analyses, you need a few network packets across the wire. Figure 1 shows how Nethogs broke down the bandwidth in our lab.

Figure 1: Nethogs shows that a Wget process and an Apt process are currently using some bandwidth.

The data displays in six columns: the first column, labeled PID, contains a process ID of the displayed processors; the column labeled USER lists the corresponding users who launched the processes. The third column, PROGRAM, points to the executable file – in Figure 1, apt-get update turns out to be hiding behind the program /usr/lib/apt/methods/http. Because many programs in Linux use different tools or modules, you can't always automatically see the program you launched in this column.

The fourth column, labeled DEV points to the interface currently handling the data traffic. The second to last column, labeled SENT, shows the outgoing bandwidth, and the last column, RECEIVED, shows the incoming traffic in kilobytes per second. Pressing Ctrl+C, or alternatively q, quits the program again.

Options

When launched without additional parameters, Nethogs simply assumes meaningful defaults. For example, the program listens on the first interface (typically eth0), and it refreshes the display every second. If you want to include another interface in the analysis, you can either pass in only this interface (Listing 1, line 1) or all interfaces (Listing 1, line 2).

If you want to refresh the display more frequently, use the -d option. If necessary, you can combine the -d option with the interface selection (Listing 1, line 3). To discover more parameters, type:

sudo nethogs -h

The program, which is similar to the top utility in some respects, lets you influence the display at run time. Pressing M toggles between units KB/s, KB, B, and MB. The MB option shows the data volume consumed by each process since the program was launched (Figure 2).

Figure 2: Pressing M changes the unit display in Nethogs.

After pressing R and S, the program also gives you the option of sorting by incoming (r for "received") and outgoing (s for "sent") bandwidth. By the way, don't let the unknown TCP message in Figure 2 confuse you: in this case, Nethogs probably just didn't have enough data for the connection to identify the process uniquely.

Conclusions

Nethogs lets you break down the current bandwidth usage of active programs running on the system. A quick look at the bandwidth usage will tell you at a glance which processes are monopolizing the network connection.

Nethogs only detects TCP traffic, and it only analyzes what is happening on the local system; it is thus not at all useful for analyzing overall network traffic. However, Nethogs can be a useful tool for breaking down a system's network load.