Byeo

Network Traffic Monitoring Tool (in English)

BKlee 2024. 2. 15. 00:12

Most Linux developers use the top command to monitor server status. Although this tool reports CPU and memory usage both per process and for the entire system, it is painful to get I/O-related information out of it. In Windows, we can easily find this kind of data with ctrl+alt+delete.

 

Thus, in this post I review several Linux network traffic monitoring tools after using them myself.

 

A Google search turns up many traffic monitoring tools that show various kinds of information. Note that I summarize their pros and cons after a brief experience rather than a deep dive. I hope the captures and notes in this post help you choose a suitable tool.

 

Except for one tool, I concentrated on CLI-based tools, because there are inevitably times when a GUI is not available.

 

Environment Setup

  • Simple: One NIC exists in a server. iperf3 (TCP 2-session, bidirectional), hping3 (UDP 1-session), and ping run.
    • iperf3 -c $ServerIP --bidir -t 2000
    • hping3 $ServerIP -2 -k -p 1122 --flood
    • ping $ServerIP
  • Complicated: To cover a more complicated environment, the server has 3 NICs. The table below shows whether each tool supports multiple NICs in the "by NIC" and "Multiple NICs on one screen" columns. There are no captures for the complicated setup.

OS

  • Ubuntu 22.04 instance on NHN Cloud.

0. Tools

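| Tool | bps | pps | by NIC | Multiple NICs on one screen | by process | by address | by protocol | graph visualization | History | Comments |
|---|---|---|---|---|---|---|---|---|---|---|
| 1. iftop | O | X | / | / | X | O | X | O | X | |
| 2. bmon | O | O | O | O | X | X | X | O | O | support by tc |
| 3. slurm | O | | / | / | X | X | X | O | O | |
| 4. tcptrack | O | X | / | / | X | O | / | X | X | |
| 5. nethogs | O | X | O | O | O | X | O | X | X | |
| 6. ifstat | O | X | O | O | X | X | X | X | X | |
| 7. nettop | O | X | X | O | O | O | O | X | X | |
| 8. nload | O | X | O | X | X | X | X | O | O | |
| 9. netstat | X | O | O | O | X | X | X | X | X | |
| 10. dstat | O | X | X | X | X | X | X | X | O | |
| 11. iptraf | O | O | O | O | X | O | O | X | X | |
| 12. speedometer | O | X | O | O | X | X | X | O | O | |
| 13. vnstat | O | O | O | O | X | X | X | X | O | daemon |
| 14. cbm | O | X | O | O | X | X | X | X | X | |
| 15. bandwhich | O | X | O | O | O | O | O | X | X | |
| 16. darkstat | O | X | O | O | X | O | X | O | O | daemon, GUI |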

 

bps, pps

bps: O if the tool provides bandwidth information.

pps: O if the tool provides packet-related information (△ if it shows only a cumulative packet count rather than pps).

 

By NIC

If you start the tool with multiple NICs, it reports information on a per-NIC basis: O

Even when started with multiple NICs, the tool aggregates the statistics across NICs: X

The tool cannot be run with multiple NICs: /

 

By Process, Address, Protocol

If the tool uses the element as a unit for aggregating statistics: O

        (e.g., the 'By process' column is marked O if the tool displays statistics for each process.)

Otherwise: X

 

Graph Visualization

If the tool visualizes the monitoring results, whether current or past: O

Otherwise: X

 

History

If the tool keeps a history of past statistics, as either text or a graph: O

Otherwise: X
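
The bps and pps columns above are rates, while the kernel's per-interface counters in /proc/net/dev are cumulative. The following is an added example (not from the original post or from any of the tools reviewed) that derives per-NIC bps and pps from two snapshots, including the bytes-to-bits conversion and a counter reset. The snapshot contents and the function names `rates` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Per-NIC bps/pps from two /proc/net/dev snapshots (the counters are cumulative).
# Columns after "iface:" are 8 Rx fields (bytes packets ...) then 8 Tx fields.

# rates T0_FILE T1_FILE SECONDS -> "iface rx_bps tx_bps rx_pps tx_pps" per NIC
rates() {
    awk -v dt="$3" '
        FNR <= 2 { next }                  # two header lines per snapshot
        { sub(/:/, " ") }                  # "eth1:900000" -> "eth1 900000"
        NR == FNR {                        # first snapshot: remember counters
            rxb[$1] = $2; rxp[$1] = $3; txb[$1] = $10; txp[$1] = $11; next
        }
        ($1 in rxb) {
            drxb = $2 - rxb[$1]; drxp = $3 - rxp[$1]
            dtxb = $10 - txb[$1]; dtxp = $11 - txp[$1]
            if (drxb < 0 || drxp < 0 || dtxb < 0 || dtxp < 0) {
                print $1, "counter-reset"  # link bounce or wrap: no valid rate
                next
            }
            # bytes -> bits (x8), then divide by the sampling interval
            printf "%s %.0f %.0f %.0f %.0f\n", $1,
                   drxb * 8 / dt, dtxb * 8 / dt, drxp / dt, dtxp / dt
        }
    ' "$1" "$2"
}

# Constructed sample snapshots, 2 seconds apart (not captured from the post).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/t0" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0: 5000000 4000 0 0 0 0 0 0 2000000 3000 0 0 0 0 0 0
  eth1:900000 700 0 0 0 0 0 0 100000 200 0 0 0 0 0 0
EOF
    cat > "$dir/t1" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0: 255000000 174000 0 0 0 0 0 0 127000000 87000 0 0 0 0 0 0
  eth1:1200 3 0 0 0 0 0 0 800 2 0 0 0 0 0 0
EOF
    rates "$dir/t0" "$dir/t1" 2
    rm -rf "$dir"
}

demo
```

On a live host, save `cat /proc/net/dev` to a file twice with a `sleep` in between and pass both files and the sleep duration to `rates`.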

 

1. iftop

 

Manual

https://linux.die.net/man/8/iftop

 

Installation

apt install iftop

 

Command

iftop -P

-P: display port number

 

Capture

 

 

Pros

  • It is simple.
  • It shows how much traffic is flowing for each address (IP:port).
  • It visualizes the traffic. The length of the white background behind the text indicates the amount, relative to the scale at the top.
  • It provides averages of 2 secs, 10 secs, and 40 secs on the right side of the screen.

 

Cons

  • It provides neither process-related nor protocol-related information.
  • It supports one interface at a time. Without the -i option, it displays the first NIC in the list.

 

2. bmon

Manual

https://linux.die.net/man/1/bmon

 

Installation

apt install bmon

 

Command

bmon

 

 

Capture

 

Pros

  • It shows bps and pps for each NIC on one screen.
  • It visualizes the statistics of a designated NIC.
  • It details tc (traffic control qdisc)-related information.

Cons

  • It is hard to get statistics per process or per five-tuple since the tool is NIC-based.
  • The rate is shown in bytes rather than bits (although we can convert by multiplying by 8).

 

3. slurm

Manual

https://github.com/mattthias/slurm

 

Installation

apt install slurm

 

Command

slurm -i eth0

 

Capture

 

Pros

  • It shows a NIC's bps and pps of both Tx and Rx.
  • It visualizes the status. Green is Rx and red is Tx.
  • It is simple.

Cons

  • It lacks both process and five-tuple information since it works per NIC.
  • The user can select only one NIC.
  • The 'Received' and 'Transmitted' amounts shown in the capture are counted from when the link came up, not from when the tool was launched.

 

4. tcptrack

Manual

https://linux.die.net/man/1/tcptrack

 

Installation

apt install tcptrack

 

Command

tcptrack -i eth0

 

Capture

Captured with the iperf3 bandwidth limited to 500 Mbps.

Pros

  • For a designated NIC, it shows the status of the current TCP connections.
  • It is simple.

Cons

  • It can only be used with TCP.
  • Only one NIC is supported at a time.
  • Bandwidth above 1 Gbps is shown as 'LUDICROUS', so the user cannot read it precisely. Thus, it is not useful for high-performance networking environments. (https://github.com/bchretien/tcptrack/issues/2)
  • No history is supported for traffic usage.

 

5. Nethogs

Manual

https://linux.die.net/man/8/nethogs

https://github.com/raboof/nethogs

 

Installation

apt install nethogs

 

Command

nethogs -C

 

Capture

 

Pros

  • The user can see the bandwidth usage by process.
  • Simple

Cons

  • I'm not sure of the reason, but the pid for UDP traffic is printed as unknown. (According to GitHub, the repository is actively maintained. I recommend users try a newer version.)
  • It is hard to find address-related information.
  • There is no bandwidth history.

6. ifstat

Manual

https://linux.die.net/man/8/nethogs

https://github.com/raboof/nethogs

 

Installation

apt install ifstat

 

Command

ifstat -t

 

Capture

Pros

  • Very simple.

Cons

  • There is not much information except for the bandwidth of each NIC. (Check whether it has the options you are looking for.)

 

7. nettop

Manual

https://github.com/Emanem/nettop

 

Installation

apt install libncurses5-dev libpcap-dev
git clone https://github.com/Emanem/nettop.git
cd nettop
make

 

Command

./nettop --tcp-udp-split

 

Capture

 

Pros

  • It shows the traffic by process.
  • It shows UDP bandwidth usage as well as TCP.
  • It also provides the destination address.
  • Simple (it looks like the top command).

Cons

  • I'm not sure why the pid of hping3 is shown as -1.
  • There is no bandwidth history.
  • If there are several NICs, it is tricky to figure out which NIC a process is using.

 

8. nload

Manual

https://linux.die.net/man/1/nload

 

Installation

apt install nload

 

Command

nload

 

Capture

 

Pros

  • It visualizes the bandwidth usage of both Tx and Rx so the user can recognize them easily.

Cons

  • There is neither process-related nor address-related information.
  • It monitors several NICs at a time, but only one NIC can be shown on the screen.

 

9. Netstat

Manual

https://linux.die.net/man/8/netstat

 

Installation: Not required. (default command)

 

Command

netstat -c -i

 

Capture

 

Pros

  • It shows the Rx and Tx packet counts of several NICs.

Cons

  • Honestly, it just summarizes the 'ifconfig' information every second.

 

10. dstat

Manual

https://linux.die.net/man/1/dstat

 

Installation

apt install dstat

 

Command

dstat

 

Capture

Pros

  • It neatly organizes the system resource status, including disk, CPU, and network usage.

Cons

  • It does not provide statistics per NIC or process.

 

11. iptraf

Manual

http://iptraf.seul.org/2.2/manual.html

https://man7.org/linux/man-pages/man8/iptraf.8.html

 

Installation

apt install iptraf

 

Command

iptraf

 

Capture

 

Pros

  • It provides brief statistics (IPv4, IPv6, etc.) by NIC on one screen.
  • The user can select a NIC to see detailed inbound and outbound packet and byte statistics by IPv4, IPv6, TCP, UDP, and ICMP.
  • It also shows statistics by TCP address.
  • Overall, it offers a wide range of functions.

Cons

  • No statistic history.

 

12. speedometer

Manual

https://linuxcommandlibrary.com/man/speedometer

 

Installation

apt install speedometer

 

Command

speedometer -r eth0 -t eth0

 

Capture

 

Pros

  • It provides Rx and Tx bandwidth by NIC.
  • It can include several NICs on one screen. (command option: -r eth0 -t eth0 -r eth1 -t eth1)
  • It illustrates a clear bandwidth usage graph. The blue and white bar graphs on the right side of the screen represent the short-period average and the long-period average, respectively.

Cons

  • It is hard to find process-related and address-related statistics.
  • It lacks pps information.

13. vnstat

Manual

https://linux.die.net/man/1/vnstat

 

Installation

apt install vnstat

 

Command

vnstat -l

# If you want to monitor several NICs simultaneously,
vnstat --add eth1
vnstat --add eth2

 

Screen

interactive

 

5-min stats

 

Pros

  • It shows the Tx and Rx statistics of a NIC.
  • It provides pps and Gbps.
  • It runs as a daemon. Thus, this is useful when users want to view hourly or daily statistics.

Cons

  • It is hard to find process-related or address-related information.
  • The traffic the daemon is collecting cannot be larger than 1 Gbps for each time range.

 

14. cbm

Manual

https://www.unix.com/man-page/debian/1/cbm/

 

Installation

apt install cbm

 

Command

cbm

 

Capture

 

Pros

  • It is simple.
  • It shows the bandwidth usage of Tx and Rx.

Cons

  • There isn't much information available.

 

15. Bandwhich

Manual

https://github.com/imsnif/bandwhich

 

Installation

curl -Lo bandwhich.tar.gz https://github.com/imsnif/bandwhich/releases/download/v0.22.2/bandwhich-v0.22.2-x86_64-unknown-linux-musl.tar.gz
tar -xvzf bandwhich.tar.gz

 

Command

./bandwhich

 

Capture

 

Pros

  • It provides a lot of information and statistics on one screen.
  • It shows at a glance the bandwidth usage by process and by address, which protocol is being used, and which NIC the traffic goes through.

Cons

  • No history
  • No stats by NIC.

 

 

16. darkstat (GUI)

Manual

https://unix4lyfe.org/darkstat/

 

Installation

apt install darkstat

 

Command

vi /etc/darkstat/init.cfg
# set START_DARKSTAT=yes in the file

systemctl restart darkstat

 

Capture

The default listen port is 667. Hence, access IP:667, where IP is the address of the server on which darkstat is running.

 

Pros

  • The user can view the stats easily through a web-based GUI.
  • It supports a long history.
  • Multiple NICs can be configured so that information is collected from them simultaneously.

Cons

  • No process-related information.

 

I have focused on and reviewed CLI-based network bandwidth monitoring tools although there are also numerous GUI-based tools. I introduced only one GUI-based tool (darkstat), but I will also try to summarize GUI-based tools if possible.
