Monitoring Per Process Network Bandwidth Usage with NetHogs

Do you suspect that some process running on your box is using up a lot of network bandwidth? Would like to investigate and identify the culprit? If so, you need the nethogs utility.

3 min read

What is NetHogs?

NetHogs is a nice little utility (like a networking version of top) for keeping tabs on what network activity each process on your sytem is doing. If you want to quickly find out what processes are causing all the network activity on your box, this is the utility you're looking for.

Installation

To install nethogs, run the following command:

sudo apt-get install nethogs

Using NetHogs

To fire it up, you'll need root permissions, so run with sudo:

sudo nethogs

The sent and received columns show the amount of traffic being moved around per process. While the total sent and received bandwidth usage is shown at the bottom. The sort order can be changed using the interactive controls explained below.

Command line options

Notable command line options are "-d" to specify a refresh rate, and "-device" to monitor bandwith relating to a specific device or devices (the default is eth0). e.g. to set the refresh rate to every 5 seconds, start nethogs with:

sudo nethogs -d 5

To monitor the network bandwith for your eth2 interface only, use:

sudo nethogs -device eth2

To monitor bandwith for both eth0 and eth1 interfaces, use:

sudo nethogs -device eth0 eth1

Interactive Controls

To change the units displayed for the bandwidth hit m (These are the available units: KB/sec -> KB -> B-> MB). To sort by magnitude of sent traffic or received traffic, hit s or r respectively. You can quit in the same fashion as top by hitting q. For a full list of command line options and more info, see the man page.

Weird looking process name displayed by nethogs?

Usually there is a clear process name under the "Program" column which identifies which process is causing the network traffic usage. However, when there's a spawned thread causing the network usage, you may see something like:

..:45678-72.21.214.128:80

This basically tells us that a local thread is using port 45678 to communicate with a box having IP Address of 72.21.214.128 and remote port 80. Port 80 tells us that it is probably http traffic, so in this case the thread is talking to a website.

Thanks to Arnout Engelen for writing this useful little tool.

Thank you for reading this article. Please share if you liked it.