iftop for Network Visibility
iftop shows top network talkers.
Usage
iftop is the per-host network top tool. Where iotop shows per-process disk I/O, iftop shows per-connection network bandwidth. It is the tool to reach for when the network is the suspect.
What basic usage looks like:
- iftop -i eth0 shows top talkers per interface: The -i flag specifies the network interface. The output is real-time bandwidth per connection (source-destination pair), sorted by usage.
- -P shows port numbers: The -P flag includes port information. The team can identify which services are involved by their ports, which makes the investigation more specific.
- Real-time updates: iftop updates continuously. As the team watches, spikes appear and the heavy talkers stay near the top.
- Bandwidth columns: There are multiple time-window columns (last 2s, 10s and 40s averages). Comparing them distinguishes recent from sustained traffic, and transient spikes from steady connections.
- Requires root: iftop needs raw socket access, so it typically requires sudo. That privilege is the operational constraint; on production servers the operator usually has it.
Basic usage is straightforward. The tool surfaces what is consuming bandwidth at this moment.
When
iftop is reached for when network usage is the question: cloud egress bills spike, latency increases unexpectedly, or bandwidth saturation is suspected.
- Network spikes: The cluster's network metrics show unexplained traffic. iftop on the affected nodes surfaces which connections are responsible, so the investigation is targeted.
- Suspect misbehaving service: A service is consuming more network than expected. iftop shows which destination it is talking to; the conversation reveals the cause.
- Quickly identify the culprit: iftop is faster than waiting for centralized monitoring data. The local view is immediate, so the investigation can begin at once.
- Egress cost investigation: Cloud egress bills spike unexpectedly. iftop on the egress nodes reveals which destinations are receiving traffic, so the cost can be attributed to specific flows.
- Network saturation: When the network seems saturated, iftop confirms which connections are responsible, and the team's response can address those specific connections.
The when is straightforward. iftop is the local tool to reach for in a network investigation.
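An added example, not part of the original article: a shell function that parses iftop's text-mode output (`-t`) and totals the 10-second average send rate per remote host, which is the attribution step in the egress investigation described above. The sample capture is constructed, and the parser assumes numeric output (`-n -N`), rates in bits (no `-B`) and 1024-based unit prefixes.

```shell
# Added example (not from the original page): per-destination egress summary
# from iftop text-mode output. Run iftop without -B so rates are in bits.

# Reads `iftop -t` output on stdin and prints "<remote-host> <bits/s>",
# using the 10-second average send rate, highest first.
top_egress() {
    awk '
    # Convert a rate such as "1.5Kb" to bits/s.
    # Assumption: K/M/G prefixes are multiples of 1024.
    function bits(v,    n, u) {
        n = v + 0                      # leading numeric part
        u = v; sub(/^[0-9.]+/, "", u)  # unit suffix
        if (u == "Kb") return n * 1024
        if (u == "Mb") return n * 1024 * 1024
        if (u == "Gb") return n * 1024 * 1024 * 1024
        return n
    }
    # "=>" row: local endpoint and its send rates; $5 is the 10s column.
    $3 == "=>" { sent = bits($5); have = 1; next }
    # "<=" row that follows: remote endpoint of the same connection.
    $2 == "<=" && have {
        host = $1
        sub(/:[0-9]+$/, "", host)      # drop the port added by -P (IPv4 form)
        total[host] += sent
        have = 0
    }
    END { for (h in total) printf "%s %.0f\n", h, total[h] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample laid out like `iftop -t -n -N -P` output; addresses are
# documentation ranges, not real captures.
sample_capture() {
    cat <<'EOF'
   # Host name (port/service if enabled)      last 2s   last 10s   last 40s cumulative
---------------------------------------------------------------------------------------
   1 10.0.0.5:44321                     =>        4Mb        2Mb        1Mb     2.50MB
     203.0.113.10:443                   <=       64Kb       32Kb       16Kb     40.0KB
   2 10.0.0.5:9100                      =>      256Kb      256Kb      256Kb      320KB
     192.0.2.20:40000                   <=        8Kb        8Kb        8Kb     10.0KB
   3 10.0.0.5:44400                     =>      1.5Kb      1.5Kb      1.5Kb     1.88KB
     203.0.113.10:443                   <=       512b       512b       512b       640B
   4 10.0.0.5:22                        =>       512b       512b       512b       640B
     198.51.100.7:51234                 <=       256b       256b       256b       320B
---------------------------------------------------------------------------------------
Total send rate:                                4.25Mb     2.25Mb     1.25Mb
EOF
}
# Live use (needs root): iftop -t -s 10 -n -N -P -i eth0 2>/dev/null | top_egress
```

Two connections to the same remote host are summed into one line, so a destination reached over many short-lived flows still ranks by its combined rate.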
Alternatives
iftop has alternatives. Each has its own strengths; the team uses what fits the situation.
- nethogs for per-process: nethogs attributes network usage to processes. Where iftop shows connection-level data, nethogs shows process-level data. For "which process is using the bandwidth", nethogs is direct.
- bandwhich as a modern alternative: bandwhich is a Rust-based tool with a richer UI. It shows process, connection, and remote address simultaneously. The output is more informative than iftop's; the tool is newer but mature.
- Pick by what is installed: After SSHing into a server, the engineer uses whichever tool is installed. Standard tooling installation may include all three; some servers have only the basics.
- Skill transfer: Knowing one tool prepares the engineer for the others. The patterns are similar; the syntax differs in details.
- Continuous monitoring: None of these is the right tool for continuous monitoring. node_exporter with network metrics handles that; iftop, nethogs and bandwhich are for ad-hoc investigation.
iftop for network cost is one of those Linux tooling skills that pays off in network investigation. Nova AI Ops integrates with cluster network telemetry, surfaces traffic patterns at scale, and complements local-tool investigation.