Monitor Network Activity With iftop

April 2, 2014
iftop03Just as top and htop allow us to view and manage system processes in real time, Linux provides a fine and dandy program, called iftop, that lets us view realtime network activity within a terminal.

Pausing network display, cycling through different display options, filtering, and scrolling through the current connections are a few of the useful features possible to make it easier to see what flows across the network behind the scenes.

Installing iftop

iftop is available from the Ubuntu repository.

sudo apt-get install iftop

man iftop provides a wealth of operation details, but to get started, enter,

sudo iftop -i eth0

Replace eth0 of the network interface you wish to monitor. Also, run as root with sudo, or else you will see this error:

Run iftop as root to avoid this error.

Run iftop as root to avoid this error.

Main Screen

The main screen fills the entire terminal area with meters and a blank area.



But it quickly fills up during network activity to show a list of active connections along with how much traffic each is sending and receiving.

Connections that appear when browsing with a default Firefox.

Shown here are connections that appeared when browsing with a default Firefox.

Why so many connections?

Can you guess what all of those connections are for? It’s Google. 1e100 is a mathematical expression that represents one googol (the correct spelling). A googol is 10^100, which is a 1 followed by 100 zeroes. Why does appear and why frequently? There are a few reasons in this case. First, I was browsing with Firefox, which had the Block reported attack sites and Block reported web forgeries checkboxes active. When these are set in Firefox, Firefox validates URLs with Google, thus the connections to

The other reason involves the default Firefox homepage – it always opens with a Google start page. Each time Firefox opens, it opens the Google start page, and this opens connections to Google at Also, web pages with links to Google will also reveal connections.

Past host connections shown in iftop linger for a few moments before disappearing. So, what had happened? I opened Firefox, searched for Linux Mint and Cinnamon, and then made a connection to, which is the shown above. The home page at apparently contained Google content, so connections occurred again. Quite often, in fact.

To mitigate the connections to Google, disable the Block reported attack sites and Block reported web forgeries and clear the default home/start page. Now, when Firefox opens, Firefox no longer automatically connects to Google. However, this only goes so far. When browsing web pages, many will contain Google content of some sort due to the ubiquity of Google, and this will connect to

This example shows how useful iftop can be by revealing the more obscure network connections. I was not aware of so many “background” connections during web browsing, and I had no idea of the sheer number of connections my computer was making to Google until I started browsing with iftop. Yes, I knew that something might be happening behind the scenes, but I was not certain exactly what until iftop provided details.

According to iftop,

According to iftop, Block reported attack sites and Block reported web forgeries phone home to Google’s host for each URL.


Host Lines

By default, each connected host occupies two lines. The top line shows sending traffic to the host, and the bottom line with <= shows downloading traffic from the host.


Two lines per host. => represents uploading to host, and <= represents downloading from host.

A white bar will occupy and appear to highlight a host line in order to provide a visual bar graph that shows network speed when uploading or downloading. In the screenshot above, we see a Linux Mint ISO downloading from the University of Kent in the United Kingdom. Look at all of the Google connections. Firefox was the only browser open and with one tab open at This was before the reporting and forging “privacy” settings were disabled in Firefox. The IP address is Google’s home page, which was surprising because I never opened Google directly.


Transfer Speed

The speed bar aligns with the dynamically adjusting metric shown at the top of iftop. The leftmost side is 0 – no data transferred. The more the bar the bar fills to the right, the faster the download speed. The speeds are shown in megabits per second, not megabytes, but the conversion to bytes is accurate and matches the network speed reported by System Monitor.

Traffic statistics are recorded at the bottom of the iftop. Total transmit, total received, and transfer rates are recorded, but they are not saved between sessions. Meaning, all of this data is lost when iftop is closed.


Pressing ‘h’ or ‘?’ (Shift + /) shows the help screen that lists common keyboard commands that affect the display.

iftop help. Press h or ? to access.

iftop help. Press h or ? to access.

If there are too many connections, keys j and k will scroll through the list. Pressing P (Shift + p) will pause the display, and t will toggle through four different display modes: two lines per host, one line per host, received traffic only, and sent traffic only.


iftop showing downloads only. The highlighted portion represents the download speed, which shows about 1.8 Mb/s, which is approximately 180 KB/s after accounting for slight overhead. Yes, all of the connections are brief connections to Google.

iftop showing all uploads.

iftop showing all uploads. Not much was uploading at the time, so little activity appears.


iftop offers filtering. Here, we see iftop filtered to a specific host–the one that matters in this case–and all other hosts are not displayed. The Google connections to are still being made, but they do not appear. This reduces clutter and makes it easier to focus on relevant connections. Partial filtering is also possible, such as displaying all hosts that contain .org, for example. Use the Screen filter l (lowercase L) to achieve this.


iftop has proven its worth. It does for networking what top and htop do for processes. Not only is htop useful in diagnosing network activity, the novelty in finding out what connections are being made during regular web browsing is fun to watch as it happens.


, ,

  1. #1 by anthonyvenable110 on April 8, 2014 - 4:43 AM

    Reblogged this on anthonyvenable110.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: