ZDNET’s main insights emphasize that Linux provides numerous effective methods for monitoring network activity, both for data entering and leaving your system. Maintaining regular oversight of network traffic is crucial for anyone who values performance, stability, or security. Among the many tools designed for this purpose, one command-line utility stands out for its balance of simplicity, clarity, and functionality: **iftop**.
The Linux operating system is renowned for its vast ecosystem of utilities that address practically every imaginable administrative task. Some of these tools come in polished graphical user interfaces, ideal for quick configuration, while others rely on the tried-and-true command line — a realm where speed, precision, and control reign supreme. When it comes to observing network connectivity in real time and analyzing bandwidth usage, the command-line approach is generally the most dependable. Yet, as is often the case in Linux, the sheer number of available commands and their occasionally intricate syntax can easily overwhelm even experienced users once they begin exploring the possibilities.
In my own search for an efficient, less cumbersome network monitoring solution, I quickly discovered that simplicity often triumphs over complexity. I had previously relied on **Wireshark**, an industry-standard graphical tool that offers granular inspection of packets, but over time it had grown unnecessarily heavy and awkward in daily use. The Flatpak distribution of Wireshark, in particular, introduced additional complications, making setup and maintenance more difficult than they needed to be. In contrast, the question arose: why rely on a complex program when a lean, purpose-built command can accomplish exactly what you need with minimal overhead?
That realization led me to **iftop**, a compact yet remarkably capable command-line utility. According to its manual page, the tool’s purpose is clear and concise: “display bandwidth usage on an interface by host.” Essentially, iftop listens to traffic that passes through a chosen network interface — or automatically selects the first available one if none is specified — and presents the information in a simple, dynamically updated table. This visual layout makes the distinction between incoming and outgoing data immediately obvious, transforming what could be dense and unreadable statistics into an understandable and organized summary.
An additional advantage of iftop’s design lies in its adaptability. The program offers a range of command options, but in most everyday scenarios, only one fundamental argument is truly necessary. This minimalist approach is ideal for users who want actionable information without being burdened by excessive configuration details.
### Installing iftop
To begin using iftop, very little preparation is required. The tool is part of the standard software repositories for nearly all major Linux distributions. Consequently, all you’ll need is your preferred Linux environment and a user account with **sudo** privileges to install packages. Start by launching your system’s default terminal — typically accessible from the desktop menu, application panel, or dock — and then run the installation command specific to your distribution.
For example, on Ubuntu-based systems, you can install it using:
```
sudo apt-get install iftop -y
```
On Fedora-based distributions:
```
sudo dnf install iftop -y
```
And for users of Arch-based systems:
```
sudo pacman -S iftop
```
Once installation is complete, iftop is immediately ready for use.
### Using iftop
Operating iftop is notably straightforward, but success begins with identifying the correct **network interface** to monitor. If you do not specify one, iftop defaults to the first detected interface — which may not always correspond to the active connection you wish to analyze. To determine the name of your active interface, execute the following command:
```
ip a
```
The output will list all network interfaces along with relevant parameters. A typical entry might appear as:
```
wlp15s0:
```
In this case, the interface name is `wlp15s0`, which you’ll substitute into the iftop command. To start monitoring traffic, use:
```
sudo iftop -i INTERFACE
```
For example:
```
sudo iftop -i wlp15s0
```
Immediately, iftop initiates its live display, showing a continuously refreshed table of network connections. Each line represents a communication pair, and directional arrows provide clarity: `<=` indicates **incoming** data, while `=>` signifies **outgoing** transmission. This notation makes it remarkably easy to differentiate how data flows into and out of your machine.
Typically, the first point of attention should be the inbound traffic. If you notice unfamiliar or suspicious hostnames or IP addresses, you can verify their legitimacy using a **Whois** lookup service. Any endpoint that looks questionable can subsequently be blocked using your system’s firewall rules, mitigating potential threats in real time.
Next, examining the outgoing connections can reveal whether installed applications are sending telemetry or other data to remote servers. For example, you might see a harmless address such as `24.224.186.35.bc.googleusercontent.com`, which represents legitimate activity. However, if your traffic includes destinations like `googlebot.com` or an obscure third-party domain, that could indicate that your computer is transmitting usage data — behavior worth investigating further.
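The interface lookup and the review of unfamiliar peers described above can be scripted. The following is an added example, not part of the original article: it assumes iftop's text-mode options (`-t`, `-s`, `-n`, `-N`), a hypothetical allowlist file named `known.txt`, and constructed sample input built from documentation addresses.

```shell
#!/bin/sh
# Added example (not from the article): find the interface behind the default
# route, then list remote peers in iftop text-mode output that are not on a
# known-good list. Live use, with known.txt as a hypothetical allowlist file:
#   iface=$(ip route show default | default_iface)
#   sudo iftop -i "$iface" -t -s 10 -n -N | remote_peers | unknown_peers known.txt

# Print the device named in the first "default ... dev IFACE" line on stdin.
default_iface() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Print each remote peer once. Text mode prints two lines per flow:
# "N local => rates" and then "remote <= rates"; only the second is kept.
remote_peers() {
    awk '$2 == "<=" { print $1 }' | sort -u
}

# Print peers from stdin (one per line) that are absent from allowlist file $1.
unknown_peers() {
    grep -v -x -F -f "$1" || true
}

# Constructed sample input using documentation addresses, not captured traffic.
SAMPLE_ROUTE='default via 192.0.2.1 dev wlp15s0 proto dhcp metric 600'
SAMPLE_IFTOP='   1 192.0.2.10        =>     1.20Kb     1.20Kb     1.20Kb      300B
     198.51.100.7      <=     3.40Kb     3.40Kb     3.40Kb      850B
   2 192.0.2.10        =>       480b       480b       480b      120B
     203.0.113.25      <=       920b       920b       920b      230B'

# Demo on the constructed sample: prints wlp15s0, then the two remote peers.
printf '%s\n' "$SAMPLE_ROUTE" | default_iface
printf '%s\n' "$SAMPLE_IFTOP" | remote_peers
```

The `-n` option keeps the output as IP addresses; the hostnames iftop otherwise shows come from reverse DNS, which is set by whoever controls the address block, so check the address itself in Whois.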
Personally, I rely on iftop on a consistent basis because it fulfills a simple yet essential purpose: keeping constant awareness of what enters and leaves my system. When anything unexpected appears, I take immediate action by verifying its source. Should I determine that a particular IP address is indeed problematic, I promptly use my operating system’s firewall to block future communication. With this disciplined approach, it becomes possible to maintain both visibility and control over one of the most important aspects of any computer’s operation — its connection to the network.
Source: https://www.zdnet.com/article/monitor-network-traffic-iftop-command-linux/