1IFTOP(8) System Manager's Manual IFTOP(8)
2
3
4
6 iftop - display bandwidth usage on an interface by host
7
8
10 iftop -h | [-nNpblP] [-u unit] [-i interface] [-f filter code] [-F
11 net/mask] [-G net6/mask6]
12
14 iftop listens to network traffic on a named interface, or on the first
15 interface it can find which looks like an external interface if none is
16 specified, and displays a table of current bandwidth usage by pairs of
17 hosts. iftop must be run with sufficient permissions to monitor all
18 network traffic on the interface; see pcap(3) for more information, but
19 on most systems this means that it must be run as root.
20
21 By default, iftop will look up the hostnames associated with addresses
22 it finds in packets. This can cause substantial traffic of itself, and
23 may result in a confusing display. You may wish to suppress display of
24 DNS traffic by using filter code such as not port domain, or switch it
25 off entirely, by using the -n option or by pressing r when the program
26 is running.
27
28 By default, iftop counts all IP packets that pass through the filter,
29 and the direction of the packet is determined according to the direc‐
30 tion the packet is moving across the interface. Using the -F option it
31 is possible to get iftop to show packets entering and leaving a given
32 network. For example, iftop -F 10.0.0.0/255.0.0.0 will analyse packets
33 flowing in and out of the 10.* network.
34
35 Some other filter ideas:
36
37 not ether host ff:ff:ff:ff:ff:ff
38 Ignore ethernet broadcast packets.
39
40 port http and not host webcache.example.com
41 Count web traffic only, unless it is being directed through a
42 local web cache.
43
44 icmp How much bandwidth are users wasting trying to figure out why
45 the network is slow?
46
47
49 -h Print a summary of usage.
50
51 -n Don't do hostname lookups.
52
53 -N Do not resolve port number to service names
54
55 -p Run in promiscuous mode, so that traffic which does not pass
56 directly through the specified interface is also counted.
57
58 -P Turn on port display.
59
60 -l Display and count datagrams addressed to or from link-local IPv6
61 addresses. The default is not to display that address category.
62
63 -b Don't display bar graphs of traffic.
64
65 -m limit
66 Set the upper limit for the bandwidth scale. Specified as a
67 number with a 'K', 'M' or 'G' suffix.
68
69 -u bits|bytes|packets
70 Display bandwidth rates in the given unit (per second).
71
72 -B Synonym for -u bits.
73
74 -i interface
75 Listen to packets on interface.
76
77 -f filter code
78 Use filter code to select the packets to count. Only IP packets
79 are ever counted, so the specified code is evaluated as (filter
80 code) and ip.
81
82 -F net/mask
83 Specifies an IPv4 network for traffic analysis. If specified,
84 iftop will only include packets flowing in to or out of the
85 given network, and packet direction is determined relative to
86 the network boundary, rather than to the interface. You may
87 specify mask as a dotted quad, such as /255.255.255.0, or as a
88 single number specifying the number of bits set in the netmask,
89 such as /24.
90
91 -G net6/mask6
92 Specifies an IPv6 network for traffic analysis. The value of
93 mask6 can be given as a prefix length or as a numerical address
94 string for more compound bitmasking.
95
96 -c config file
97 Specifies an alternate config file. If not specified, iftop
98 will use ~/.iftoprc if it exists. See below for a description
99 of config files
100
101 -t text output mode
102 Use text interface without ncurses and print the output to STD‐
103 OUT.
104
105
106
108 When running, iftop uses the whole screen to display network usage. At
109 the top of the display is a logarithmic scale for the bar graph which
110 gives a visual indication of traffic.
111
112 The main part of the display lists, for each pair of hosts, the rate at
113 which data has been sent and received over the preceding 2, 10 and 40
114 second intervals. The direction of data flow is indicated by arrows, <=
115 and =>. For instance,
116
117 foo.example.com => bar.example.com 1Kb 500b 100b
118 <= 2Mb 2Mb 2Mb
119
120 shows, on the first line, traffic from foo.example.com to bar.exam‐
121 ple.com; in the preceding 2 seconds, this averaged 1Kbit/s, around half
122 that amount over the preceding 10s, and a fifth of that over the whole
123 of the last 40s. During each of those intervals, the data sent in the
124 other direction was about 2Mbit/s. On the actual display, part of each
125 line is inverted to give a visual indication of the 10s average of
126 traffic. You might expect to see something like this where host foo is
127 making repeated HTTP requests to bar, which is sending data back which
128 saturates a 2Mbit/s link.
129
130 By default, the pairs of hosts responsible for the most traffic (10
131 second average) are displayed at the top of the list.
132
133 At the bottom of the display, various totals are shown, including peak
134 traffic over the last 40s, total traffic transferred (after filtering),
135 and total transfer rates averaged over 2s, 10s and 40s.
136
137
139 By pressing s or d while iftop is running, all traffic for each source
140 or destination will be aggregated together. This is most useful when
141 iftop is run in promiscuous mode, or is run on a gateway machine.
142
143
145 S or D toggle the display of source and destination ports respectively.
146 p will toggle port display on/off.
147
148
150 t cycles through the four line display modes; the default 2-line dis‐
151 play, with sent and received traffic on separate lines, and 3 1-line
152 displays, with sent, received, or total traffic shown.
153
154
156 By default, the display is ordered according to the 10s average (2nd
157 column). By pressing 1, 2 or 3 it is possible to sort by the 1st, 2nd
158 or 3rd column. By pressing < or > the display will be sorted by
159 source or destination hostname respectively.
160
161
163 l allows you to enter a POSIX extended regular expression that will be
164 used to filter hostnames shown in the display. This is a good way to
165 quickly limit what is shown on the display. Note that this happens at
166 a much later stage than filter code, and does not affect what is actu‐
167 ally captured. Display filters DO NOT affect the totals at the bottom
168 of the screen.
169
170
172 P will pause the current display.
173
174 o will freeze the current screen order. This has the side effect that
175 traffic between hosts not shown on the screen at the time will not be
176 shown at all, although it will be included in the totals at the bottom
177 of the screen.
178
179
181 j and k will scroll the display of hosts. This feature is most useful
182 when the display order is frozen (see above).
183
184
186 f allows you to edit the filter code whilst iftop running. This can
187 lead to some unexpected behaviour.
188
189
191 iftop can read its configuration from a config file. If the -c option
192 is not specified, iftop will attempt to read its configuration from
193 ~/.iftoprc, if it exists. Any command line options specified will
194 override settings in the config file.
195
196 The config file consists of one configuration directive per line. Each
197 directive is a name value pair, for example:
198
199 interface: eth0
200
201 sets the network interface. The following config directives are sup‐
202 ported:
203
204
205 interface: if
206 Sets the network interface to if.
207
208 dns-resolution: (yes|no)
209 Controls reverse lookup of IP addresses.
210
211 port-resolution: (yes|no)
212 Controls conversion of port numbers to service names.
213
214 filter-code: bpf
215 Sets the filter code to bpf.
216
217 show-bars: (yes|no)
218 Controls display of bar graphs.
219
220 promiscuous: (yes|no)
221 Puts the interface into promiscuous mode.
222
223 port-display: (off|source-only|destination-only|on)
224 Controls display of port numbers.
225
226 link-local: (yes|no)
227 Determines displaying of link-local IPv6 addresses.
228
229 hide-source: (yes|no)
230 Hides source host names.
231
232 hide-destination: (yes|no)
233 Hides destination host names.
234
235 bandwidth-unit: (bits|bytes|packets)
236 Use the specified unit for bandwidth display. The default is
237 bits.
238
239 use-bytes: (yes|no)
240 use-bytes: yes is a synonym of bandwidth-unit: packets.
241
242 sort: (2s|10s|40s|source|destination)
243 Sets which column is used to sort the display.
244
245 line-display: (two-line|one-line-both|one-line-sent|one-line-received)
246 Controls the appearance of each item in the display.
247
248 show-totals: (yes|no)
249 Shows cumulative total for each item.
250
251 log-scale: (yes|no)
252 Use a logarithmic scale for bar graphs.
253
254 max-bandwidth: bw
255 Fixes the maximum for the bar graph scale to bw, e.g. "10M".
256 Note that the value has to always be in bits, regardless if the
257 option to display in bytes has been chosen.
258
259 net-filter: net/mask
260 Defines an IP network boundary for determining packet direction.
261
262 net-filter6: net6/mask6
263 Defines an IPv6 network boundary for determining packet direc‐
264 tion.
265
266 screen-filter: regexp
267 Sets a regular expression to filter screen output.
268
269
271 There are some circumstances in which iftop may not do what you expect.
272 In most cases what it is doing is logical, and we believe it is correct
273 behaviour, although I'm happy to hear reasoned arguments for alterna‐
274 tive behaviour.
275
276 Totals don't add up
277
278 There are several reasons why the totals may not appear to add up. The
279 most obvious is having a screen filter in effect, or screen ordering
280 frozen. In this case some captured information is not being shown to
281 you, but is included in the totals.
282
283 A more subtle explanation comes about when running in promiscuous mode
284 without specifying a -F option. In this case there is no easy way to
285 assign the direction of traffic between two third parties. For the
286 purposes of the main display this is done in an arbitrary fashion (by
287 ordering of IP addresses), but for the sake of totals all traffic
288 between other hosts is accounted as incoming, because that's what it is
289 from the point of view of your interface. The -F option allows you to
290 specify an arbitrary network boundary, and to show traffic flowing
291 across it.
292
293 Peak totals don't add up
294
295 Again, this is a feature. The peak sent and peak received didn't nec‐
296 essarily happen at the same time. The peak total is the maximum of
297 sent plus received in each captured time division.
298
299 Changing the filter code doesn't seem to work
300
301 Give it time. Changing the filter code affects what is captured from
302 the time that you entered it, but most of what is on the display is
303 based on some fraction of the last 40s window of capturing. After
304 changing the filter there may be entries on the display that are disal‐
305 lowed by the current filter for up to 40s. DISPLAY FILTERING has imme‐
306 diate effect and does not affect what is captured.
307
308
310 ~/.iftoprc
311 Configuration file for iftop.
312
313
315 tcpdump(8), pcap(3), driftnet(1).
316
317
319 Paul Warren <pdw@ex-parrot.com>
320
321
323 $Id$
324
325
327 This program is free software; you can redistribute it and/or modify it
328 under the terms of the GNU General Public License as published by the
329 Free Software Foundation; either version 2 of the License, or (at your
330 option) any later version.
331
332 This program is distributed in the hope that it will be useful, but
333 WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
334 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
335 Public License for more details.
336
337 You should have received a copy of the GNU General Public License along
338 with this program; if not, write to the Free Software Foundation, Inc.,
339 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
340
341
342
343
344 IFTOP(8)