1IFTOP(8) System Manager's Manual IFTOP(8)
2
6 iftop - display bandwidth usage on an interface by host
7
10 iftop -h | [-nNpbBP] [-i interface] [-f filter code] [-F net/mask]
11
14 iftop listens to network traffic on a named interface, or on the first
15 interface it can find which looks like an external interface if none is
16 specified, and displays a table of current bandwidth usage by pairs of
17 hosts. iftop must be run with sufficient permissions to monitor all
18 network traffic on the interface; see pcap(3) for more information, but
19 on most systems this means that it must be run as root.
20 By default, iftop will look up the hostnames associated with addresses
22 it finds in packets. This can cause substantial traffic of itself, and
23 may result in a confusing display. You may wish to suppress display of
24 DNS traffic by using filter code such as not port domain, or switch it
25 off entirely, by using the -n option or by pressing R when the program
26 is running.
27 By default, iftop counts all IP packets that pass through the filter,
29 and the direction of the packet is determined according to the direc‐
30 tion the packet is moving across the interface. Using the -F option it
31 is possible to get iftop to show packets entering and leaving a given
32 network. For example, iftop -F 10.0.0.0/255.0.0.0 will analyse packets
33 flowing in and out of the 10.* network.
34 Some other filter ideas:
36 not ether host ff:ff:ff:ff:ff:ff
38 Ignore ethernet broadcast packets.
39 port http and not host webcache.example.com
41 Count web traffic only, unless it is being directed through a
42 local web cache.
43 icmp How much bandwidth are users wasting trying to figure out why
45 the network is slow?
46
49 -h Print a summary of usage.
50 -n Don't do hostname lookups.
52 -N Do not resolve port number to service names
54 -p Run in promiscuous mode, so that traffic which does not pass
56 directly through the specified interface is also counted.
57 -P Turn on port display.
59 -b Don't display bar graphs of traffic.
61 -B Display bandwidth rates in bytes/sec rather than bits/sec.
63 -i interface
65 Listen to packets on interface.
66 -f filter code
68 Use filter code to select the packets to count. Only IP packets
69 are ever counted, so the specified code is evaluated as (filter
70 code) and ip.
71 -F net/mask
73 Specifies a network for traffic analysis. If specified, iftop
74 will only include packets flowing in to or out of the given net‐
75 work, and packet direction is determined relative to the network
76 boundary, rather than to the interface. You may specify mask as
77 a dotted quad, such as /255.255.255.0, or as a single number
78 specifying the number of bits set in the netmask, such as /24.
79 -c config file
81 Specifies an alternate config file. If not specified, iftop
82 will use ~/.iftoprc if it exists. See below for a description
83 of config files
84
87 When running, iftop uses the whole screen to display network usage. At
88 the top of the display is a logarithmic scale for the bar graph which
89 gives a visual indication of traffic.
90 The main part of the display lists, for each pair of hosts, the rate at
92 which data has been sent and received over the preceding 2, 10 and 40
93 second intervals. The direction of data flow is indicated by arrows, <=
94 and =>. For instance,
95 foo.example.com => bar.example.com 1Kb 500b 100b
97 <= 2Mb 2Mb 2Mb
98 shows, on the first line, traffic from foo.example.com to bar.exam‐
100 ple.com; in the preceding 2 seconds, this averaged 1Kbit/s, around half
101 that amount over the preceding 10s, and a fifth of that over the whole
102 of the last 40s. During each of those intervals, the data sent in the
103 other direction was about 2Mbit/s. On the actual display, part of each
104 line is inverted to give a visual indication of the 10s average of
105 traffic. You might expect to see something like this where host foo is
106 making repeated HTTP requests to bar, which is sending data back which
107 saturates a 2Mbit/s link.
108 By default, the pairs of hosts responsible for the most traffic (10
110 second average) are displayed at the top of the list.
111 At the bottom of the display, various totals are shown, including peak
113 traffic over the last 40s, total traffic transferred (after filtering),
114 and total transfer rates averaged over 2s, 10s and 40s.
115
118 By pressing s or d while iftop is running, all traffic for each source
119 or destination will be aggregated together. This is most useful when
120 iftop is run in promiscuous mode, or is run on a gateway machine.
121
124 S or D toggle the display of source and destination ports respectively.
125 p will toggle port display on/off.
126
129 t cycles through the four line display modes; the default 2-line dis‐
130 play, with sent and received traffic on separate lines, and 3 1-line
131 displays, with sent, received, or total traffic shown.
132
135 By default, the display is ordered according to the 10s average (2nd
136 column). By pressing 1, 2 or 3 it is possible to sort by the 1st, 2nd
137 or 3rd column. By pressing < or > the display will be sorted by
138 source or destination hostname respectively.
139
142 l allows you to enter a POSIX extended regular expression that will be
143 used to filter hostnames shown in the display. This is a good way to
144 quickly limit what is shown on the display. Note that this happens at
145 a much later stage than filter code, and does not affect what is actu‐
146 ally captured. Display filters DO NOT affect the totals at the bottom
147 of the screen.
148
151 P will pause the current display.
152 o will freeze the current screen order. This has the side effect that
154 traffic between hosts not shown on the screen at the time will not be
155 shown at all, although it will be included in the totals at the bottom
156 of the screen.
157
160 j and k will scroll the display of hosts. This feature is most useful
161 when the display order is frozen (see above).
162
165 f allows you to edit the filter code whilst iftop running. This can
166 lead to some unexpected behaviour.
167
170 iftop can read its configuration from a config file. If the -c option
171 is not specified, iftop will attempt to read its configuration from
172 ~/.iftoprc, if it exists. Any command line options specified will
173 override settings in the config file.
174 The config file consists of one configuration directive per line. Each
176 directive is a name value pair, for example:
177 interface: eth0
179 sets the network interface. The following config directives are sup‐
181 ported:
182 interface: if
185 Sets the network interface to if.
186 dns-resolution: (yes|no)
188 Controls reverse lookup of IP addresses.
189 port-resolution: (yes|no)
191 Controls conversion of port numbers to service names.
192 filter-code: bpf
194 Sets the filter code to bpf.
195 show-bars: (yes|no)
197 Controls display of bar graphs.
198 promiscuous: (yes|no)
200 Puts the interface into promiscuous mode.
201 port-display: (off|source-only|destination-only|on)
203 Controls display of port numbers.
204 hide-source: (yes|no)
206 Hides source host names.
207 hide-destination: (yes|no)
209 Hides destination host names.
210 use-bytes: (yes|no)
212 Use bytes for bandwidth display, rather than bits.
213 sort: (2s|10s|40s|source|destination)
215 Sets which column is used to sort the display.
216 line-display: (two-line|one-line-both|one-line-sent|one-line-received)
218 Controls the appearance of each item in the display.
219 show-totals: (yes|no)
221 Shows cumulative total for each item.
222 log-scale: (yes|no)
224 Use a logarithmic scale for bar graphs.
225 max-bandwidth: bw
227 Fixes the maximum for the bar graph scale to bw, e.g. "10M"
228 net-filter: net/mask
230 Defines an IP network boundary for determining packet direction.
231 screen-filter: regexp
233 Sets a regular expression to filter screen output.
234
237 There are some circumstances in which iftop may not do what you expect.
238 In most cases what it is doing is logical, and we believe it is correct
239 behaviour, although I'm happy to hear reasoned arguments for alterna‐
240 tive behaviour.
241 Totals don't add up
243 There are several reasons why the totals may not appear to add up. The
245 most obvious is having a screen filter in effect, or screen ordering
246 frozen. In this case some captured information is not being shown to
247 you, but is included in the totals.
248 A more subtle explanation comes about when running in promiscuous mode
250 without specifying a -F option. In this case there is no easy way to
251 assign the direction of traffic between two third parties. For the
252 purposes of the main display this is done in an arbitrary fashion (by
253 ordering of IP addresses), but for the sake of totals all traffic
254 between other hosts is accounted as incoming, because that's what it is
255 from the point of view of your interface. The -F option allows you to
256 specify an arbitrary network boundary, and to show traffic flowing
257 across it.
258 Peak totals don't add up
260 Again, this is a feature. The peak sent and peak received didn't nec‐
262 essarily happen at the same time. The peak total is the maximum of
263 sent plus received in each captured time division.
264 Changing the filter code doesn't seem to work
266 Give it time. Changing the filter code affects what is captured from
268 the time that you entered it, but most of what is on the display is
269 based on some fraction of the last 40s window of capturing. After
270 changing the filter there may be entries on the display that are disal‐
271 lowed by the current filter for up to 40s. DISPLAY FILTERING has imme‐
272 diate effect and does not affect what is captured.
273
276 ~/.iftoprc
277 Configuration file for iftop.
278
281 tcpdump(8), pcap(3), driftnet(1).
282
285 Paul Warren <pdw@ex-parrot.com>
286
289 $Id: iftop.8,v 1.25 2005/12/25 11:50:21 pdw Exp $
290
293 This program is free software; you can redistribute it and/or modify it
294 under the terms of the GNU General Public License as published by the
295 Free Software Foundation; either version 2 of the License, or (at your
296 option) any later version.
297 This program is distributed in the hope that it will be useful, but
299 WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
300 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
301 Public License for more details.
302 You should have received a copy of the GNU General Public License along
304 with this program; if not, write to the Free Software Foundation, Inc.,
305 675 Mass Ave, Cambridge, MA 02139, USA.
306 IFTOP(8)