Nethogs is a command line utility for linux that displays the network bandwidth used by each application or process in realtime. It is useful in situations when a certain process uses up too much of the bandwidth and needs to be caught.
The website describes the tool as
NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process. NetHogs does not rely on a special kernel module to be loaded. If there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this. This makes it easy to indentify programs that have gone wild and are suddenly taking up your bandwidth.
Install Nethogs on Ubuntu/Debian/Mint
Debian and related distros like Ubuntu and Mint already have nethogs in their repositories so its a single step installation via the apt command.
sudo apt-get install nethogs
Install Nethogs on CentOS/Fedora
On Fedora nethogs is available in the fedora repository, so install it from yum directly.
$ sudo yum install nethogs
On CentOS the default repositories do not have nethogs, but can be installed from the epel repositories. So first enable epel repository and then use yum command like shown above.
Nethogs is quite simple to use. Just run nethogs with root privileges and it would show the bandwidth used by each process.
The output would be something like this
NetHogs version 0.7.0 PID USER PROGRAM DEV SENT RECEIVED 2367 enlighten/opt/google/chrome/chrome eth0 3.341 20.948 KB/sec 2196 enlighten/usr/lib/firefox-7.0.1/fire eth0 0.871 0.422 KB/sec 3723 enlighten/usr/bin/pidgin eth0 0.028 0.098 KB/sec 2206 enlighten/usr/bin/skype eth0 0.033 0.025 KB/sec 2380 enlighten/usr/lib/chromium-browser/c eth0 0.000 0.000 KB/sec 0 root unknown TCP 0.000 0.000 KB/sec TOTAL 4.274 21.493 KB/sec
It shows the PID, username, process, network interface being used, data sending speed and data receiving speed.
$ nethogs -h usage: nethogs [-V] [-b] [-d seconds] [-t] [-p] [device [device [device ...]]] -V : prints version. -d : delay for update refresh rate in seconds. default is 1. -t : tracemode. -b : bughunt mode - implies tracemode. -p : sniff in promiscious mode (not recommended). device : device(s) to monitor. default is eth0 When nethogs is running, press: q: quit m: switch between total and kb/s mode
Change the update delay
The frequency at which nethogs updates the data can be changed using the d switch. Lets say we want nethogs to update every 5 seconds, then issue the following command
$ sudo nethogs -d 5
Use specific device
Nethogs supports the option to specify the device to monitor on. For example
$ sudo nethogs eth0
If no device is specified, the nethogs monitors the default device on the system. To monitor multiple devices simply add the device names together.
$ sudo nethogs eth0 eth1
In trace mode it outputs the connections one by one. Check the following example.
$ sudo nethogs -t [sudo] password : Adding local address: 192.168.1.2 Ethernet link detected Waiting for first packet to arrive (see sourceforge.net bug 1019381) Refreshing: unknown TCP/0/0 0 0 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.771094 0.119922 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-220.127.116.11:80 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.781641 0.232617 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-18.104.22.168:80 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.781641 0.232617 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-22.214.171.124:80 Refreshing: /usr/lib/firefox-7.0.1/fire/2196/1000 0.781641 0.232617 unknown TCP/0/0 0.0105469 0.0117188 Unknown connection: 192.168.1.2:34684-126.96.36.199:80 Refreshing: /usr/bin/pidgin/3723/1000 0.0115234 0 /usr/lib/firefox-7.0.1/fire/2196/1000 0.0105469 0 unknown TCP/0/0 0 0 Unknown connection: 192.168.1.2:34684-188.8.131.52:80
Nethogs also supports promiscuous mode with the p flag.