iftop Cheatsheet

Network IO.

Overview

iftop is the interactive bandwidth monitor that shows traffic per host pair in real time. Five primitive surfaces cover almost every bandwidth investigation: real-time bytes-per-pair, sortable view, port-level detail, BPF-style filters, and cumulative totals. Fluency on those five turns “the network is slow” into a specific flow within seconds.

• Real-time bandwidth per host pair. Live updates of bytes-per-second between source and destination. The first tool to reach for when the link looks saturated.
• Sortable view. Sort by source, destination, or rate to surface the noisy talker without scrolling.
• Port-level detail. Toggle port display for protocol attribution. Tells the difference between rogue SSH traffic and legitimate database replication.
• BPF filters plus cumulative totals. Same syntax as tcpdump for narrowing scope; running totals support session-level analysis.

The approach

Five commands and shortcuts carry most of the operational weight. Memorising them moves the team from staring at iftop’s default view to surgical traffic attribution.

• iftop -i eth0. Watch a specific interface. Cuts the noise from every other NIC on the host.
• P key. Toggle port display. Gets protocol-level attribution alongside host-pair view.
• S, D, T keys. Sort by source, destination, or running total. Surface the heavy talker fast.
• iftop -F 10.0.0.0/8 plus -n. Filter to a CIDR; skip DNS resolution to keep updates snappy when the resolver itself is part of the investigation.

Why this compounds

Each iftop session teaches the team a little more about how traffic actually moves through the network. Compounded across the year, bandwidth investigations finish in minutes and the team has a real mental model of east-west traffic.

• Faster network investigation. Fluent iftop finds the noisy flow before the alert escalates. MTTR drops on bandwidth incidents.
• Better network mental model. Each session teaches the team where bytes actually go. Capacity planning gets more accurate.
• Bandwidth attribution per application. Flows tie back to specific services and cost lines. Cloud bandwidth bills become explainable.
• Year-one investment, year-two habit. First year builds fluency under pressure. By year two, iftop is muscle memory.