File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / iftop / iftop.cat
Revision 1.1.1.2 (vendor branch)
Tue Oct 18 14:04:50 2016 UTC (7 years, 7 months ago) by misho
Branches: iftop, MAIN
CVS tags: v1_0rc4, HEAD
iftop 1.0pre4

    1: IFTOP(8)                                                              IFTOP(8)
    2: 
    3: 
    4: 
    5:
    6: 
    7: 
    8: NAME
    9:        iftop - display bandwidth usage on an interface by host
   10: 
   11: 
   12: SYNOPSIS
   13:        iftop -h | [-nNpblBP] [-i interface] [-f filter code] [-F net/mask]
   14:        [-G net6/mask6]
   15: 
   16: DESCRIPTION
   17:        iftop listens to network traffic on a named interface, or on the first
   18:        interface it can find which looks like an external interface if none is
   19:        specified, and displays a table of current bandwidth usage by pairs of
   20:        hosts.  iftop must be run with sufficient permissions to monitor all
   21:        network traffic on the interface; see pcap(3) for more information, but
   22:        on most systems this means that it must be run as root.
   23:
   24:        By default, iftop will look up the hostnames associated with addresses
   25:        it finds in packets. This can cause substantial traffic of itself, and
   26:        may result in a confusing display. You may wish to suppress display of
   27:        DNS traffic by using filter code such as not port domain, or switch
   28:        hostname lookup off entirely, by using the -n option or by pressing r
   29:        when the program is running.
   30:
   31:        By default, iftop counts all IP packets that pass through the filter,
   32:        and the direction of the packet is determined according to the
   33:        direction the packet is moving across the interface.  Using the -F option it
   34:        is possible to get iftop to show packets entering and leaving a given
   35:        network.  For example, iftop -F 10.0.0.0/255.0.0.0 will analyse packets
   36:        flowing in and out of the 10.* network.
   37:
   38:        Some other filter ideas:
   39:
   40:        not ether host ff:ff:ff:ff:ff:ff
   41:               Ignore ethernet broadcast packets.
   42:
   43:        port http and not host webcache.example.com
   44:               Count web traffic only, unless it is being directed through a
   45:               local web cache.
   46:
   47:        icmp   How much bandwidth are users wasting trying to figure out why
   48:               the network is slow?
   49: 
   50: 
   51: OPTIONS
   52:        -h     Print a summary of usage.
   53:
   54:        -n     Don't do hostname lookups.
   55:
   56:        -N     Do not resolve port numbers to service names.
   57:
   58:        -p     Run in promiscuous mode, so that traffic which does not pass
   59:               directly through the specified interface is also counted.
   60:
   61:        -P     Turn on port display.
   62:
   63:        -l     Display and count datagrams addressed to or from link-local IPv6
   64:               addresses.  The default is not to display that address category.
   65:
   66:        -b     Don't display bar graphs of traffic.
   67:
   68:        -m limit
   69:               Set the upper limit for the bandwidth scale.  Specified as a
   70:               number with a 'K', 'M' or 'G' suffix.
   71:
   72:        -B     Display bandwidth rates in bytes/sec rather than bits/sec.
   73:
   74:        -i interface
   75:               Listen to packets on interface.
   76:
   77:        -f filter code
   78:               Use filter code to select the packets to count.  Only IP packets
   79:               are ever counted, so the specified code is evaluated as (filter
   80:               code) and ip.
   81:
   82:        -F net/mask
   83:               Specifies an IPv4 network for traffic analysis.  If specified,
   84:               iftop will only include packets flowing in to or out of the
   85:               given network, and packet direction is determined relative to
   86:               the network boundary, rather than to the interface.  You may
   87:               specify mask as a dotted quad, such as /255.255.255.0, or as a
   88:               single number specifying the number of bits set in the netmask,
   89:               such as /24.
   90:
   91:        -G net6/mask6
   92:               Specifies an IPv6 network for traffic analysis.  The value of
   93:               mask6 can be given as a prefix length or as a numerical address
   94:               string for more compound bitmasking.
   95:
   96:        -c config file
   97:               Specifies an alternate config file.  If not specified, iftop
   98:               will use ~/.iftoprc if it exists.  See below for a description
   99:               of config files.
  100:
  101:        -t text output mode
  102:               Use text interface without ncurses and print the output to
  103:               STDOUT.
  104: 
  105: 
  106: 
  107: DISPLAY
  108:        When running, iftop uses the whole screen to display network usage.  At
  109:        the  top  of the display is a logarithmic scale for the bar graph which
  110:        gives a visual indication of traffic.
  111: 
  112:        The main part of the display lists, for each pair of hosts, the rate at
  113:        which  data  has been sent and received over the preceding 2, 10 and 40
  114:        second intervals. The direction of data flow is indicated by arrows, <=
  115:        and =>. For instance,
  116: 
  117:        foo.example.com  =>  bar.example.com      1Kb  500b   100b
  118:                         <=                       2Mb    2Mb    2Mb
  119: 
  120:        shows, on the first line, traffic from foo.example.com to
  121:        bar.example.com; in the preceding 2 seconds, this averaged 1Kbit/s,
  122:        around half that amount over the preceding 10s, and a fifth of that over
  123:        the whole of the last 40s. During each of those intervals, the data sent
  124:        in the other direction was about 2Mbit/s. On the actual display, part of
  125:        each line is inverted to give a visual indication of the 10s average of
  126:        traffic.  You might expect to see something like this where host foo is
  127:        making repeated HTTP requests to bar, which is sending data back which
  128:        saturates a 2Mbit/s link.
  129: 
  130:        By  default,  the  pairs  of hosts responsible for the most traffic (10
  131:        second average) are displayed at the top of the list.
  132: 
  133:        At the bottom of the display, various totals are shown, including  peak
  134:        traffic over the last 40s, total traffic transferred (after filtering),
  135:        and total transfer rates averaged over 2s, 10s and 40s.
  136: 
  137: 
  138: SOURCE / DEST AGGREGATION
  139:        By pressing s or d while iftop is running, all traffic for each source
  140:        or destination will be aggregated together.  This is most useful when
  141:        iftop is run in promiscuous mode, or is run on a gateway machine.
  142:
  143:
  144: PORT DISPLAY
  145:        S or D toggle the display of source and destination ports respectively.
  146:        p will toggle port display on/off.
  147:
  148:
  149: DISPLAY TYPE
  150:        t cycles through the four line display modes; the default 2-line
  151:        display, with sent and received traffic on separate lines, and 3 1-line
  152:        displays, with sent, received, or total traffic shown.
  153:
  154:
  155: DISPLAY ORDER
  156:        By default, the display is ordered according to the 10s average (2nd
  157:        column).  By pressing 1, 2 or 3 it is possible to sort by the 1st, 2nd
  158:        or 3rd column.  By pressing < or > the display will be sorted by
  159:        source or destination hostname respectively.
  160:
  161:
  162: DISPLAY FILTERING
  163:        l allows you to enter a POSIX extended regular expression that will be
  164:        used to filter hostnames shown in the display.  This is a good way to
  165:        quickly limit what is shown on the display.  Note that this happens at
  166:        a much later stage than filter code, and does not affect what is
  167:        actually captured.  Display filters DO NOT affect the totals at the
  168:        bottom of the screen.
  169:
  170:
  171: PAUSE DISPLAY / FREEZE ORDER
  172:        P will pause the current display.
  173:
  174:        o will freeze the current screen order.  This has the side effect that
  175:        traffic between hosts not shown on the screen at the time will not be
  176:        shown at all, although it will be included in the totals at the bottom
  177:        of the screen.
  178:
  179:
  180: SCROLL DISPLAY
  181:        j and k will scroll the display of hosts.  This feature is most useful
  182:        when the display order is frozen (see above).
  183: 
  184: 
  185: FILTER CODE
  186:        f allows you to edit the filter code whilst iftop is running.  This can
  187:        lead to some unexpected behaviour.
  188: 
  189: 
  190: CONFIG FILE
  191:        iftop can read its configuration from a config file.  If the -c option
  192:        is not specified, iftop will attempt to read its configuration from
  193:        ~/.iftoprc, if it exists.  Any command line options specified will
  194:        override settings in the config file.
  195:
  196:        The config file consists of one configuration directive per line.  Each
  197:        directive is a name value pair, for example:
  198:
  199:        interface: eth0
  200:
  201:        sets the network interface.  The following config directives are
  202:        supported:
  203: 
  204: 
  205:        interface: if
  206:               Sets the network interface to if.
  207:
  208:        dns-resolution: (yes|no)
  209:               Controls reverse lookup of IP addresses.
  210:
  211:        port-resolution: (yes|no)
  212:               Controls conversion of port numbers to service names.
  213:
  214:        filter-code: bpf
  215:               Sets the filter code to bpf.
  216:
  217:        show-bars: (yes|no)
  218:               Controls display of bar graphs.
  219:
  220:        promiscuous: (yes|no)
  221:               Puts the interface into promiscuous mode.
  222:
  223:        port-display: (off|source-only|destination-only|on)
  224:               Controls display of port numbers.
  225:
  226:        link-local: (yes|no)
  227:               Determines displaying of link-local IPv6 addresses.
  228:
  229:        hide-source: (yes|no)
  230:               Hides source host names.
  231:
  232:        hide-destination: (yes|no)
  233:               Hides destination host names.
  234:
  235:        use-bytes: (yes|no)
  236:               Use bytes for bandwidth display, rather than bits.
  237:
  238:        sort: (2s|10s|40s|source|destination)
  239:               Sets which column is used to sort the display.
  240:
  241:        line-display: (two-line|one-line-both|one-line-sent|one-line-received)
  242:               Controls the appearance of each item in the display.
  243:
  244:        show-totals: (yes|no)
  245:               Shows cumulative total for each item.
  246:
  247:        log-scale: (yes|no)
  248:               Use a logarithmic scale for bar graphs.
  249:
  250:        max-bandwidth: bw
  251:               Fixes the maximum for the bar graph scale to bw, e.g. "10M".
  252:               Note that the value must always be in bits, regardless of
  253:               whether the option to display in bytes has been chosen.
  254:
  255:        net-filter: net/mask
  256:               Defines an IP network boundary for determining packet direction.
  257:
  258:        net-filter6: net6/mask6
  259:               Defines an IPv6 network boundary for determining packet
  260:               direction.
  261:
  262:        screen-filter: regexp
  263:               Sets a regular expression to filter screen output.
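
A lint for the config file format described above, as an added example (not part of iftop or of this man page). It checks each `name: value` line against the directive list on this page and applies the rule that command line options override the file; the function names, the sample file and the choice to report unknown names and unlisted values as problems are assumptions of this example.

```python
YES_NO = {"yes", "no"}
# Directive names and allowed values as listed on this page; None = free-form value.
DIRECTIVES = {
    "interface": None, "filter-code": None, "net-filter": None,
    "net-filter6": None, "screen-filter": None, "max-bandwidth": None,
    "dns-resolution": YES_NO, "port-resolution": YES_NO, "show-bars": YES_NO,
    "promiscuous": YES_NO, "link-local": YES_NO, "hide-source": YES_NO,
    "hide-destination": YES_NO, "use-bytes": YES_NO, "show-totals": YES_NO,
    "log-scale": YES_NO,
    "port-display": {"off", "source-only", "destination-only", "on"},
    "sort": {"2s", "10s", "40s", "source", "destination"},
    "line-display": {"two-line", "one-line-both", "one-line-sent",
                     "one-line-received"},
}

def parse_iftoprc(text):
    """Return (settings, problems); each problem is (line_number, message)."""
    settings, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only: filter code and IPv6 values contain colons.
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not value:
            problems.append((n, "not a 'name: value' pair"))
        elif name not in DIRECTIVES:
            problems.append((n, f"unknown directive {name!r}"))
        elif DIRECTIVES[name] and value not in DIRECTIVES[name]:
            problems.append((n, f"{name}: {value!r} not one of {sorted(DIRECTIVES[name])}"))
        else:
            settings[name] = value
    return settings, problems

def effective(settings, cli_options):
    """Command line options override settings read from the config file."""
    return {**settings, **cli_options}

# Constructed sample file: line 4 has an unlisted value, line 6 a misspelt name.
SAMPLE = """\
interface: eth0
dns-resolution: no
filter-code: not ether host ff:ff:ff:ff:ff:ff
promiscuous: maybe
port-display: source-only
show-total: yes
max-bandwidth: 10M
"""

if __name__ == "__main__":
    settings, problems = parse_iftoprc(SAMPLE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    print(effective(settings, {"interface": "eth1"}))
```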
  264: 
  265: 
  266: QUIRKS (aka they're features, not bugs)
  267:        There are some circumstances in which iftop may not do what you expect.
  268:        In most cases what it is doing is logical, and we believe it is correct
  269:        behaviour, although I'm happy to hear reasoned arguments for
  270:        alternative behaviour.
  271:
  272:        Totals don't add up
  273:
  274:        There are several reasons why the totals may not appear to add up.  The
  275:        most obvious is having a screen filter in effect, or screen ordering
  276:        frozen.  In this case some captured information is not being shown to
  277:        you, but is included in the totals.
  278:
  279:        A more subtle explanation comes about when running in promiscuous mode
  280:        without specifying a -F option.  In this case there is no easy way to
  281:        assign the direction of traffic between two third parties.  For the
  282:        purposes of the main display this is done in an arbitrary fashion (by
  283:        ordering of IP addresses), but for the sake of totals all traffic
  284:        between other hosts is accounted as incoming, because that's what it is
  285:        from the point of view of your interface.  The -F option allows you to
  286:        specify an arbitrary network boundary, and to show traffic flowing
  287:        across it.
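
The accounting described above, modelled as an added example (not iftop's code): totals for the same constructed packets with and without `-F`. The function names, the sample addresses and the rule that a packet with both or neither endpoint inside the network is not counted are assumptions of this model.

```python
import ipaddress

def parse_net(spec):
    # Accepts both mask forms the page describes: 10.0.0.0/255.0.0.0 and 10.0.0.0/8.
    return ipaddress.ip_network(spec, strict=False)

def direction(src, dst, net=None, local=None):
    """Return 'sent', 'received' or None (not counted) for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if net is not None:
        # -F given: direction is relative to the network boundary.
        s_in, d_in = s in net, d in net
        if s_in and not d_in:
            return "sent"
        if d_in and not s_in:
            return "received"
        return None  # assumption: traffic that does not cross the boundary is dropped
    # No -F: direction is relative to the interface address.
    if s == ipaddress.ip_address(local):
        return "sent"
    # Addressed to us, or third-party traffic seen in promiscuous mode:
    # the page says the totals account all of it as incoming.
    return "received"

def totals(packets, net_spec=None, local=None):
    """Sum bytes per direction for (src, dst, size) tuples."""
    net = parse_net(net_spec) if net_spec else None
    out = {"sent": 0, "received": 0}
    for src, dst, size in packets:
        way = direction(src, dst, net, local)
        if way:
            out[way] += size
    return out

# Constructed sample: the capturing host is 10.0.0.5 on a promiscuous interface.
PACKETS = [
    ("10.0.0.5", "198.51.100.7", 1000),   # this host -> outside
    ("198.51.100.7", "10.0.0.5", 4000),   # outside -> this host
    ("10.0.0.8", "10.0.0.9", 500),        # two third parties inside 10.*
    ("10.0.0.8", "203.0.113.3", 200),     # third party -> outside
]

if __name__ == "__main__":
    print("no -F:", totals(PACKETS, local="10.0.0.5"))
    print("-F 10.0.0.0/255.0.0.0:", totals(PACKETS, net_spec="10.0.0.0/255.0.0.0"))
```

Without `-F` the 700 bytes between third parties land in the received total; with the network boundary set, the outbound 200 bytes are counted as sent and the intra-network 500 bytes are not counted.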
  288: 
  289:        Peak totals don't add up
  290:
  291:        Again, this is a feature.  The peak sent and peak received didn't
  292:        necessarily happen at the same time.  The peak total is the maximum of
  293:        sent plus received in each captured time division.
  294:
  295:        Changing the filter code doesn't seem to work
  296:
  297:        Give it time.  Changing the filter code affects what is captured from
  298:        the time that you entered it, but most of what is on the display is
  299:        based on some fraction of the last 40s window of capturing.  After
  300:        changing the filter there may be entries on the display that are
  301:        disallowed by the current filter for up to 40s.  DISPLAY FILTERING has
  302:        immediate effect and does not affect what is captured.
  303: 
  304: 
  305: FILES
  306:        ~/.iftoprc
  307:               Configuration file for iftop.
  308:
  309:
  310: SEE ALSO
  311:        tcpdump(8), pcap(3), driftnet(1).
  312:
  313:
  314: AUTHOR
  315:        Paul Warren <pdw@ex-parrot.com>
  316:
  317:
  318: VERSION
  319:        $Id: iftop.cat,v 1.1.1.2 2016/10/18 14:04:50 misho Exp $
  320:
  321:
  322: COPYING
  323:        This program is free software; you can redistribute it and/or modify it
  324:        under  the  terms of the GNU General Public License as published by the
  325:        Free Software Foundation; either version 2 of the License, or (at  your
  326:        option) any later version.
  327: 
  328:        This  program  is  distributed  in the hope that it will be useful, but
  329:        WITHOUT ANY  WARRANTY;  without  even  the  implied  warranty  of  MER-
  330:        CHANTABILITY  or  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
  331:        Public License for more details.
  332: 
  333:        You should have received a copy of the GNU General Public License along
  334:        with this program; if not, write to the Free Software Foundation, Inc.,
  335:        51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  336: 
  337:
  338: 
  339: 
  340: 
  341:                                                                       IFTOP(8)
