1. Library
  2. Computer Networks
  3. Tools and Commands
  4. Network Analysis

iftop: Real-Time Bandwidth Monitoring

Updated 8 hours ago

When your network feels slow, the first question is always: what's using the bandwidth? Aggregate statistics tell you how much data moved over the past hour. Logs tell you what happened yesterday. But iftop tells you what's happening right now—which connections are active, where data is flowing, and how fast.

Think of it as overhearing every conversation on your network at once. You see the quiet background chatter of DNS lookups, the steady hum of database connections, and suddenly—the one connection that's screaming, consuming everything.

What You're Looking At

iftop displays a continuously updating list of network connections. Each connection shows source and destination, with three bandwidth numbers: current rate, 10-second average, and 40-second average.

Those three columns tell a story. High current rate but low averages? A brief spike, probably nothing. High numbers across all three? Something's been moving serious data for a while. This distinction matters—it's the difference between a user loading a webpage and a backup job consuming your pipe.

Arrows show direction: => for outgoing, <= for incoming. The horizontal bars give you visual scale. At the bottom, cumulative totals for all traffic.

Running It

The simplest invocation:

sudo iftop

Monitor a specific interface:

sudo iftop -i eth0

By default, iftop resolves hostnames, which creates DNS traffic and can slow things down. On busy systems, skip it:

sudo iftop -n

Filter to specific traffic using tcpdump syntax:

sudo iftop -f "port 80 or port 443"
sudo iftop -f "host 192.168.1.100"
sudo iftop -f "net 10.0.0.0/24"

Interactive Controls

While running, single keystrokes change the display:

  • n — Toggle hostname resolution
  • N — Toggle port name resolution (show 443 instead of "https")
  • s / d — Toggle source/destination display
  • t — Cycle display modes (both directions, sent only, received only)
  • 1 / 2 / 3 — Sort by current, 10s average, or 40s average
  • b — Toggle bits vs bytes
  • P — Pause (freeze the display to examine it)
  • q — Quit

Bits, Not Bytes

iftop shows bits per second by default—Kb, Mb, Gb. Your file transfer shows megabytes per second. These are not the same number. Divide bits by 8 to get bytes.

Press b to switch to bytes if comparing to file transfer speeds.

What iftop Can't Tell You

iftop shows connections, not processes. You can see that something is hammering port 443, but not which application. For that, use nethogs.

iftop doesn't capture packets. You can see that a connection is moving 50 Mbps, but not what's in those packets. For that, use tcpdump or Wireshark.

iftop requires root because it puts the interface into promiscuous mode. On systems with multiple interfaces, specify which one—otherwise you might be watching the wrong conversation.

When It Matters

Someone complains the network is slow. You run iftop and immediately see one connection to an external IP pushing 800 Mbps. Mystery solved in seconds—no log diving, no historical analysis, just direct observation.

Or you're monitoring a server and notice unexpected traffic to an unfamiliar host on an unusual port. That's worth investigating. iftop gave you the clue; other tools help you follow it.

The tool shines in the moment of confusion—when you need to see what's happening, not what happened. It answers the question "what's using my bandwidth?" faster than anything else.

Frequently Asked Questions About iftop

Was this page helpful?

😔
🤨
😃