1IFTOP(8) System Manager's Manual IFTOP(8)
2
6 iftop - display bandwidth usage on an interface by host
7
10 iftop -h | [-nNpblBP] [-i interface] [-f filter code] [-F net/mask] [-G
11 net6/mask6]
12
15 iftop listens to network traffic on a named interface, or on the first
16 interface it can find which looks like an external interface if none is
17 specified, and displays a table of current bandwidth usage by pairs of
18 hosts. iftop must be run with sufficient permissions to monitor all
19 network traffic on the interface; see pcap(3) for more information, but
20 on most systems this means that it must be run as root.
21 By default, iftop will look up the hostnames associated with addresses
23 it finds in packets. This can cause substantial traffic of itself, and
24 may result in a confusing display. You may wish to suppress display of
25 DNS traffic by using filter code such as not port domain, or switch it
26 off entirely, by using the -n option or by pressing n when the program
27 is running.
28 By default, iftop counts all IP packets that pass through the filter,
30 and the direction of the packet is determined according to the direc‐
31 tion the packet is moving across the interface. Using the -F option it
32 is possible to get iftop to show packets entering and leaving a given
33 network. For example, iftop -F 10.0.0.0/255.0.0.0 will analyse packets
34 flowing in and out of the 10.* network.
35 Some other filter ideas:
37 not ether host ff:ff:ff:ff:ff:ff
39 Ignore ethernet broadcast packets.
40 port http and not host webcache.example.com
42 Count web traffic only, unless it is being directed through a
43 local web cache.
44 icmp How much bandwidth are users wasting trying to figure out why
46 the network is slow?
47
50 -h Print a summary of usage.
51 -n Don't do hostname lookups.
53 -N Do not resolve port number to service names
55 -p Run in promiscuous mode, so that traffic which does not pass
57 directly through the specified interface is also counted.
58 -P Turn on port display.
60 -l Display and count datagrams addressed to or from link-local IPv6
62 addresses. The default is not to display that address category.
63 -b Don't display bar graphs of traffic.
65 -B Display bandwidth rates in bytes/sec rather than bits/sec.
67 -i interface
69 Listen to packets on interface.
70 -f filter code
72 Use filter code to select the packets to count. Only IP packets
73 are ever counted, so the specified code is evaluated as (filter
74 code) and ip.
75 -F net/mask
77 Specifies an IPv4 network for traffic analysis. If specified,
78 iftop will only include packets flowing in to or out of the
79 given network, and packet direction is determined relative to
80 the network boundary, rather than to the interface. You may
81 specify mask as a dotted quad, such as /255.255.255.0, or as a
82 single number specifying the number of bits set in the netmask,
83 such as /24.
84 -G net6/mask6
86 Specifies an IPv6 network for traffic analysis. The value of
87 mask6 can be given as a prefix length or as a numerical address
88 string for more compound bitmasking.
89 -c config file
91 Specifies an alternate config file. If not specified, iftop
92 will use ~/.iftoprc if it exists. See below for a description
93 of config files
94
97 When running, iftop uses the whole screen to display network usage. At
98 the top of the display is a logarithmic scale for the bar graph which
99 gives a visual indication of traffic.
100 The main part of the display lists, for each pair of hosts, the rate at
102 which data has been sent and received over the preceding 2, 10 and 40
103 second intervals. The direction of data flow is indicated by arrows, <=
104 and =>. For instance,
105 foo.example.com => bar.example.com 1Kb 500b 100b
107 <= 2Mb 2Mb 2Mb
108 shows, on the first line, traffic from foo.example.com to bar.exam‐
110 ple.com; in the preceding 2 seconds, this averaged 1Kbit/s, around half
111 that amount over the preceding 10s, and a fifth of that over the whole
112 of the last 40s. During each of those intervals, the data sent in the
113 other direction was about 2Mbit/s. On the actual display, part of each
114 line is inverted to give a visual indication of the 10s average of
115 traffic. You might expect to see something like this where host foo is
116 making repeated HTTP requests to bar, which is sending data back which
117 saturates a 2Mbit/s link.
118 By default, the pairs of hosts responsible for the most traffic (10
120 second average) are displayed at the top of the list.
121 At the bottom of the display, various totals are shown, including peak
123 traffic over the last 40s, total traffic transferred (after filtering),
124 and total transfer rates averaged over 2s, 10s and 40s.
125
128 By pressing s or d while iftop is running, all traffic for each source
129 or destination will be aggregated together. This is most useful when
130 iftop is run in promiscuous mode, or is run on a gateway machine.
131
134 S or D toggle the display of source and destination ports respectively.
135 p will toggle port display on/off.
136
139 t cycles through the four line display modes; the default 2-line dis‐
140 play, with sent and received traffic on separate lines, and 3 1-line
141 displays, with sent, received, or total traffic shown.
142
145 By default, the display is ordered according to the 10s average (2nd
146 column). By pressing 1, 2 or 3 it is possible to sort by the 1st, 2nd
147 or 3rd column. By pressing < or > the display will be sorted by
148 source or destination hostname respectively.
149
152 l allows you to enter a POSIX extended regular expression that will be
153 used to filter hostnames shown in the display. This is a good way to
154 quickly limit what is shown on the display. Note that this happens at
155 a much later stage than filter code, and does not affect what is actu‐
156 ally captured. Display filters DO NOT affect the totals at the bottom
157 of the screen.
158
161 P will pause the current display.
162 o will freeze the current screen order. This has the side effect that
164 traffic between hosts not shown on the screen at the time will not be
165 shown at all, although it will be included in the totals at the bottom
166 of the screen.
167
170 j and k will scroll the display of hosts. This feature is most useful
171 when the display order is frozen (see above).
172
175 f allows you to edit the filter code whilst iftop running. This can
176 lead to some unexpected behaviour.
177
180 iftop can read its configuration from a config file. If the -c option
181 is not specified, iftop will attempt to read its configuration from
182 ~/.iftoprc, if it exists. Any command line options specified will
183 override settings in the config file.
184 The config file consists of one configuration directive per line. Each
186 directive is a name value pair, for example:
187 interface: eth0
189 sets the network interface. The following config directives are sup‐
191 ported:
192 interface: if
195 Sets the network interface to if.
196 dns-resolution: (yes|no)
198 Controls reverse lookup of IP addresses.
199 port-resolution: (yes|no)
201 Controls conversion of port numbers to service names.
202 filter-code: bpf
204 Sets the filter code to bpf.
205 show-bars: (yes|no)
207 Controls display of bar graphs.
208 promiscuous: (yes|no)
210 Puts the interface into promiscuous mode.
211 port-display: (off|source-only|destination-only|on)
213 Controls display of port numbers.
214 link-local: (yes|no)
216 Determines displaying of link-local IPv6 addresses.
217 hide-source: (yes|no)
219 Hides source host names.
220 hide-destination: (yes|no)
222 Hides destination host names.
223 use-bytes: (yes|no)
225 Use bytes for bandwidth display, rather than bits.
226 sort: (2s|10s|40s|source|destination)
228 Sets which column is used to sort the display.
229 line-display: (two-line|one-line-both|one-line-sent|one-line-received)
231 Controls the appearance of each item in the display.
232 show-totals: (yes|no)
234 Shows cumulative total for each item.
235 log-scale: (yes|no)
237 Use a logarithmic scale for bar graphs.
238 max-bandwidth: bw
240 Fixes the maximum for the bar graph scale to bw, e.g. "10M".
241 Note that the value has to always be in bits, regardless if the
242 option to display in bytes has been chosen.
243 net-filter: net/mask
245 Defines an IP network boundary for determining packet direction.
246 net-filter6: net6/mask6
248 Defines an IPv6 network boundary for determining packet direc‐
249 tion.
250 screen-filter: regexp
252 Sets a regular expression to filter screen output.
253
256 There are some circumstances in which iftop may not do what you expect.
257 In most cases what it is doing is logical, and we believe it is correct
258 behaviour, although I'm happy to hear reasoned arguments for alterna‐
259 tive behaviour.
260 Totals don't add up
262 There are several reasons why the totals may not appear to add up. The
264 most obvious is having a screen filter in effect, or screen ordering
265 frozen. In this case some captured information is not being shown to
266 you, but is included in the totals.
267 A more subtle explanation comes about when running in promiscuous mode
269 without specifying a -F option. In this case there is no easy way to
270 assign the direction of traffic between two third parties. For the
271 purposes of the main display this is done in an arbitrary fashion (by
272 ordering of IP addresses), but for the sake of totals all traffic
273 between other hosts is accounted as incoming, because that's what it is
274 from the point of view of your interface. The -F option allows you to
275 specify an arbitrary network boundary, and to show traffic flowing
276 across it.
277 Peak totals don't add up
279 Again, this is a feature. The peak sent and peak received didn't nec‐
281 essarily happen at the same time. The peak total is the maximum of
282 sent plus received in each captured time division.
283 Changing the filter code doesn't seem to work
285 Give it time. Changing the filter code affects what is captured from
287 the time that you entered it, but most of what is on the display is
288 based on some fraction of the last 40s window of capturing. After
289 changing the filter there may be entries on the display that are disal‐
290 lowed by the current filter for up to 40s. DISPLAY FILTERING has imme‐
291 diate effect and does not affect what is captured.
292
295 ~/.iftoprc
296 Configuration file for iftop.
297
300 tcpdump(8), pcap(3), driftnet(1).
301
304 Paul Warren <pdw@ex-parrot.com>
305
308 $Id: iftop.8,v 1.25 2005/12/25 11:50:21 pdw Exp $
309
312 This program is free software; you can redistribute it and/or modify it
313 under the terms of the GNU General Public License as published by the
314 Free Software Foundation; either version 2 of the License, or (at your
315 option) any later version.
316 This program is distributed in the hope that it will be useful, but
318 WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
319 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
320 Public License for more details.
321 You should have received a copy of the GNU General Public License along
323 with this program; if not, write to the Free Software Foundation, Inc.,
324 675 Mass Ave, Cambridge, MA 02139, USA.
325 IFTOP(8)