iftop — Monitor Live Network Traffic per Connection

iftop shows you in real time which network connections are consuming your bandwidth – just as top displays CPU time per process, iftop lists bandwidth per host pair. A single command reveals who is sending and receiving right now, how much traffic each connection generates, and which hosts are eating the most capacity. The tool relies on packet capture (libpcap) and runs entirely in the terminal – ideal for quick troubleshooting when unexpected bandwidth usage strikes.

Basic Usage

iftop — Monitor traffic on the default interface. Requires root.

sudo iftop

iftop -i INTERFACE — Monitor a specific interface.

sudo iftop -i eth0

iftop -n — Numeric output — do not resolve hostnames. Faster startup.

sudo iftop -n

iftop -N — Do not resolve port numbers to service names.

sudo iftop -N

iftop -nN — Fully numeric — no hostname or port resolution.

sudo iftop -nN

iftop -P — Show port numbers alongside host names/IPs.

sudo iftop -P

Filtering & Display

iftop -f FILTER — Apply a BPF filter expression (same syntax as tcpdump).

sudo iftop -f 'port 80 or port 443'

iftop -F NETWORK/CIDR — Show traffic to/from a specific network.

sudo iftop -F 192.168.1.0/24

iftop -G NETWORK/CIDR — Show traffic for an IPv6 network.

sudo iftop -G 2001:db8::/32

iftop -B — Display bandwidth in bytes/sec instead of bits/sec.

sudo iftop -B

iftop -m LIMIT — Set the maximum bandwidth for the bar graph scale.

sudo iftop -m 100M

iftop -p — Promiscuous mode — capture all traffic on the network segment.

sudo iftop -p

Text Mode & Output

iftop -t — Text mode — non-interactive output suitable for logging.

sudo iftop -t -s 10

iftop -t -s SECONDS — Text mode running for a specific number of seconds.

sudo iftop -t -s 30

iftop -t -L LINES — Text mode showing only the top N connections.

sudo iftop -t -L 20 -s 10

iftop -o COLUMN — Sort by column: 2s, 10s, 40s, source, destination.

sudo iftop -o 10s

Interactive Keyboard Shortcuts

h — Toggle help screen.

n — Toggle DNS resolution.

N — Toggle port number resolution.

p — Toggle port display.

P — Pause display (traffic still captured).

s — Toggle source host display.

d — Toggle destination host display.

S — Toggle source port display.

D — Toggle destination port display.

t — Cycle display modes: two-line, one-line send, one-line receive, one-line both.

b — Toggle bar graph display.

B — Toggle bytes/bits display.

T — Toggle cumulative totals.

l — Set a display filter (search pattern).

L — Set the number of lines to display.

1/2/3 — Sort by 2s / 10s / 40s average column.

</> — Sort by source / destination.

j/k — Scroll up/down through the connection list.

q — Quit iftop.

Common Patterns

iftop -nNP -i eth0 — Full numeric display with ports on a specific interface.

sudo iftop -nNP -i eth0

iftop -n -f 'not port 22' — Monitor traffic excluding SSH (useful when connected via SSH).

sudo iftop -n -f 'not port 22'

iftop -n -f 'dst port 80 or dst port 443' — Monitor only outgoing web traffic.

sudo iftop -n -f 'dst port 80 or dst port 443'

iftop -t -s 60 -n > bandwidth.log — Log 60 seconds of bandwidth usage to a file.

sudo iftop -t -s 60 -n > bandwidth.log

Reading the Display

TX (top bar) — Total transmitted (sent) bandwidth.

RX (bottom bar) — Total received bandwidth.

TOTAL — Combined TX + RX bandwidth.

2s / 10s / 40s columns — Average bandwidth over the last 2, 10, and 40 seconds.

=> / <= — Arrow direction shows traffic flow: => outgoing, <= incoming.

peak / cum — Peak: highest bandwidth seen. Cum: cumulative data transferred.

Conclusion

iftop is your first stop when throughput drops unexpectedly or a single connection is monopolising your uplink. The BPF filter language lets you focus immediately on suspicious traffic, and text mode makes the output scriptable. For deeper packet-level analysis, reach for tcpdump or Wireshark next.