# iftop — Monitor Live Network Traffic per Connection

> Practical guide to iftop — monitor live bandwidth per connection in the terminal, apply BPF filters and spot traffic spikes.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/iftop/

<!-- PROSE:intro -->
iftop shows you in real time which network connections are consuming your bandwidth – just as `top` displays CPU time per process, iftop lists bandwidth per host pair. A single command reveals who is sending and receiving right now, how much traffic each connection generates, and which hosts are eating the most capacity. The tool relies on packet capture (libpcap) and runs entirely in the terminal – ideal for quick troubleshooting when unexpected bandwidth usage strikes.
<!-- PROSE:intro:end -->

## Basic Usage

`iftop` — Monitor traffic on the default interface. Requires root.

```bash
sudo iftop
```

`iftop -i INTERFACE` — Monitor a specific interface.

```bash
sudo iftop -i eth0
```

`iftop -n` — Numeric output — do not resolve hostnames. Faster startup.

```bash
sudo iftop -n
```

`iftop -N` — Do not resolve port numbers to service names.

```bash
sudo iftop -N
```

`iftop -nN` — Fully numeric — no hostname or port resolution.

```bash
sudo iftop -nN
```

`iftop -P` — Show port numbers alongside host names/IPs.

```bash
sudo iftop -P
```

## Filtering & Display

`iftop -f FILTER` — Apply a BPF filter expression (same syntax as tcpdump).

```bash
sudo iftop -f 'port 80 or port 443'
```

`iftop -F NETWORK/CIDR` — Show traffic to/from a specific network.

```bash
sudo iftop -F 192.168.1.0/24
```

`iftop -G NETWORK/CIDR` — Show traffic for an IPv6 network.

```bash
sudo iftop -G 2001:db8::/32
```

`iftop -B` — Display bandwidth in bytes/sec instead of bits/sec.

```bash
sudo iftop -B
```

`iftop -m LIMIT` — Set the maximum bandwidth for the bar graph scale.

```bash
sudo iftop -m 100M
```

`iftop -p` — Promiscuous mode — capture all traffic on the network segment.

```bash
sudo iftop -p
```

## Text Mode & Output

`iftop -t` — Text mode — non-interactive output suitable for logging.

```bash
sudo iftop -t -s 10
```

`iftop -t -s SECONDS` — Text mode running for a specific number of seconds.

```bash
sudo iftop -t -s 30
```

`iftop -t -L LINES` — Text mode showing only the top N connections.

```bash
sudo iftop -t -L 20 -s 10
```

`iftop -o COLUMN` — Sort by column: 2s, 10s, 40s, source, destination.

```bash
sudo iftop -o 10s
```

## Interactive Keyboard Shortcuts

`h` — Toggle help screen.

`n` — Toggle DNS resolution.

`N` — Toggle port number resolution.

`p` — Toggle port display.

`P` — Pause display (traffic still captured).

`s` — Toggle source host display.

`d` — Toggle destination host display.

`S` — Toggle source port display.

`D` — Toggle destination port display.

`t` — Cycle display modes: two-line, one-line send, one-line receive, one-line both.

`b` — Toggle bar graph display.

`B` — Toggle bytes/bits display.

`T` — Toggle cumulative totals.

`l` — Set a display filter (search pattern).

`L` — Set the number of lines to display.

`1/2/3` — Sort by 2s / 10s / 40s average column.

`</>` — Sort by source / destination.

`j/k` — Scroll up/down through the connection list.

`q` — Quit iftop.

## Common Patterns

`iftop -nNP -i eth0` — Full numeric display with ports on a specific interface.

```bash
sudo iftop -nNP -i eth0
```

`iftop -n -f 'not port 22'` — Monitor traffic excluding SSH (useful when connected via SSH).

```bash
sudo iftop -n -f 'not port 22'
```

`iftop -n -f 'dst port 80 or dst port 443'` — Monitor only outgoing web traffic.

```bash
sudo iftop -n -f 'dst port 80 or dst port 443'
```

`iftop -t -s 60 -n > bandwidth.log` — Log 60 seconds of bandwidth usage to a file.

```bash
sudo iftop -t -s 60 -n > bandwidth.log
```

## Reading the Display

`TX (top bar)` — Total transmitted (sent) bandwidth.

`RX (bottom bar)` — Total received bandwidth.

`TOTAL` — Combined TX + RX bandwidth.

`2s / 10s / 40s columns` — Average bandwidth over the last 2, 10, and 40 seconds.

`=> / <=` — Arrow direction shows traffic flow: => outgoing, <= incoming.

`peak / cum` — Peak: highest bandwidth seen. Cum: cumulative data transferred.

<!-- PROSE:outro -->
## Conclusion

iftop is your first stop when throughput drops unexpectedly or a single connection is monopolising your uplink. The BPF filter language lets you focus immediately on suspicious traffic, and text mode makes the output scriptable. For deeper packet-level analysis, reach for tcpdump or Wireshark next.

## Further Reading

- [iftop – project page](http://www.ex-parrot.com/pdw/iftop/) – official website with download and documentation
- [iftop(8) – manual page](https://linux.die.net/man/8/iftop) – every option at a glance
- [iftop – Wikipedia](https://en.wikipedia.org/wiki/Iftop) – background and context
<!-- PROSE:outro:end -->

## Related Commands

- [netstat](https://www.jpkc.com/db/en/cheatsheets/networking/netstat/) – display network connections, routing tables and socket statistics
- [ss](https://www.jpkc.com/db/en/cheatsheets/networking/ss/) – fast socket statistics as a modern alternative to netstat
- [tcpdump](https://www.jpkc.com/db/en/cheatsheets/networking/tcpdump/) – capture and filter network packets on the command line