How to Read and Interpret iftop Output

iftop displays real-time network bandwidth usage per connection. Its output shows source/destination hosts, transfer rates, and cumulative totals in a dynamic, terminal-based interface. Key metrics include TX/RX speeds, connection pairs, and port numbers, helping diagnose traffic spikes or unauthorized activity.

Understanding the iftop Interface

  • Top bar: Live bandwidth graphs for TX (transmit), RX (receive), and total traffic (scaled to fit terminal width).
  • Middle section: List of active connections with:
    • Source/destination IPs/hostnames (resolved if DNS is enabled).
    • Port numbers (e.g., `:80` for HTTP, `:443` for HTTPS).
    • TX/RX rates (e.g., `1.2Mb`, `500Kb`) and cumulative totals (e.g., `50MB`).
  • Bottom bar: Aggregated total send/receive rates and peak bandwidth since launch.

Key Columns in iftop Output

| Column | Description | Example |
|---|---|---|
| Source/Destination | IP/hostname and port of the connection endpoints. Use `-n` to disable hostname resolution. | `192.168.1.5:12345 => 10.0.0.1:80` |
| TX (Send) | Outgoing traffic rate (e.g., uploads). Units auto-scale (b, Kb, Mb, Gb). | `5.0Mb` |
| RX (Receive) | Incoming traffic rate (e.g., downloads). | `200Kb` |
| Cumulative | Total data transferred since iftop started (e.g., `1.2GB`). | `500MB + 1.1GB` |
| Bar Graphs | Visual representation of TX/RX rates (length = relative bandwidth usage). | `=====================>` (longer = higher usage) |

Common iftop Commands and Flags

  • `iftop -i eth0`: Monitor a specific interface (replace `eth0` with your interface).
  • `iftop -n`: Disable hostname resolution (faster, shows IPs only).
  • `iftop -P`: Show ports in addition to hosts (default: hidden).
  • `iftop -B`: Display bandwidth in bytes (default: bits).
  • `iftop -f 'port 80'`: Filter traffic by port/protocol (e.g., HTTP).
  • `T` (while running): Toggle cumulative totals on/off.
  • `P`: Pause display (freeze updates).
  • `q`: Quit iftop.

Interpreting Traffic Patterns

Normal vs. Suspicious Activity

  • Normal:
    • Consistent low-bandwidth connections to known services (e.g., DNS on port `53`).
    • Bursts during updates/downloads (e.g., `apt`, `yum`).
    • Local LAN traffic (e.g., `192.168.x.x` or `10.x.x.x`).
  • Suspicious:
    • Unexpected high-bandwidth connections to unknown IPs/ports.
    • Persistent outbound traffic to a single foreign IP (potential data exfiltration).
    • Unusual ports (e.g., `4444`, `31337`) or protocols (e.g., raw TCP).
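As an added example (not code from the original article), the Python script below parses the text-mode output of `iftop -t -n -P` and applies the normal/suspicious rules above to each connection pair. The sample rows are constructed; the 1 Mb/s outbound threshold and the use of the RFC 1918 ranges as "local LAN" are assumptions.

```python
import ipaddress
import re

# Constructed sample of `iftop -t -n -P` rows (not a real capture): each connection is a
# '=>' row (local side, sent) followed by a '<=' row (remote side, received).
SAMPLE = """\
   1 192.168.1.5:51234    =>  1.20Kb  1.10Kb  1.00Kb  5.00KB
     10.0.0.2:53          <=  2.50Kb  2.40Kb  2.30Kb  9.00KB
   2 192.168.1.5:44120    =>  8.50Mb  8.40Mb  8.30Mb  2.10GB
     203.0.113.9:4444     <=  3.00Kb  2.90Kb  2.80Kb  12.0KB
   3 192.168.1.5:52010    =>  40.0Kb  38.0Kb  35.0Kb  1.50MB
     198.51.100.20:443    <=  4.00Mb  3.90Mb  3.80Mb  1.20GB
"""
ROW = re.compile(r"^\s*(?:\d+\s+)?(\S+):(\d+)\s+(=>|<=)\s+(\S+)")  # host:port arrow last2s
UNIT = {"b": 1.0, "Kb": 1e3, "Mb": 1e6, "Gb": 1e9}  # iftop rate suffixes, in bits/s
# Assumption: RFC 1918 ranges are the "local LAN traffic" the text treats as normal.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNUSUAL_PORTS = {4444, 31337}  # the ports the text calls out as unusual

def rate_bps(text):
    """Convert an iftop rate such as '8.50Mb' to bits per second."""
    m = re.fullmatch(r"([\d.]+)(b|Kb|Mb|Gb)", text)
    return float(m.group(1)) * UNIT[m.group(2)]

def parse_iftop(text):
    """Pair each '=>' (sent) row with the '<=' (received) row that follows it."""
    conns, pending = [], None
    for m in filter(None, map(ROW.match, text.splitlines())):
        host, port, arrow, last2s = m.groups()
        if arrow == "=>":
            pending = {"src": host, "src_port": int(port), "tx_bps": rate_bps(last2s)}
        elif pending is not None:
            pending.update(dst=host, dst_port=int(port), rx_bps=rate_bps(last2s))
            conns.append(pending)
            pending = None
    return conns

def flag_suspicious(conns, tx_threshold_bps=1e6):
    """Return (dst, dst_port, reasons) for connections matching the suspicious patterns."""
    flagged = []
    for c in conns:
        external = not any(ipaddress.ip_address(c["dst"]) in net for net in LAN_NETS)
        reasons = []
        if external and c["tx_bps"] >= tx_threshold_bps:  # assumed threshold
            reasons.append("sustained outbound traffic to a non-LAN host")
        if c["dst_port"] in UNUSUAL_PORTS:
            reasons.append(f"unusual port {c['dst_port']}")
        if reasons:
            flagged.append((c["dst"], c["dst_port"], reasons))
    return flagged
```

Run `iftop -t -n -P -s 10 -i eth0 | python3 -c '...'` style pipelines in the same way, since `-t` with `-s` prints one text snapshot and exits.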

Sorting and Prioritizing Connections

  1. Press `<` or `>` to sort by source/destination columns.
  2. Press `o` to toggle persistent connection display (shows idle connections).
  3. Use `-L [limit]` to cap the number of displayed connections (e.g., `-L 20`).
  4. Press `l` to enable/disable port display dynamically.

Comparing iftop to Alternative Tools

| Tool | Real-Time | Per-Connection Stats | Historical Data | Best For |
|---|---|---|---|---|
| iftop | ✅ Yes | ✅ Detailed (IP/port-level) | ❌ No (live only) | Monitoring active bandwidth per connection. |
| nload | ✅ Yes | ❌ No (interface-level only) | ❌ No | Quick interface-level traffic overview. |
| vnstat | ❌ No | ❌ No | ✅ Yes (daily/monthly logs) | Long-term traffic trends and summaries. |
| tcpdump | ✅ Yes | ✅ Packet-level | ✅ Yes (with `-w` flag) | Deep packet inspection and debugging. |

Troubleshooting Common Issues

No Traffic Displayed

  • Verify the correct interface with `ifconfig` or `ip a`.
  • Run as root (`sudo iftop`); non-root users may lack permissions.
  • Check for firewall rules blocking traffic.

High Bandwidth Usage by Unknown Process

  1. Note the IP:port from iftop.
  2. Use `lsof -i :[port]` to identify the process.
  3. Check `netstat -tulnp` for listening services.
  4. Terminate suspicious processes with `kill -9 [PID]`.