⌚ April 2, 2014
Just as top and htop allow us to view and manage system processes in real time, Linux provides a fine and dandy program, called iftop, that lets us view real-time network activity within a terminal.
Pausing the network display, cycling through different display options, filtering, and scrolling through the current connections are a few of the useful features that make it easier to see what flows across the network behind the scenes.
iftop is available from the Ubuntu repository.
sudo apt-get install iftop
man iftop provides a wealth of operation details, but to get started, enter,
sudo iftop -i eth0
Replace eth0 with the network interface you wish to monitor. Also, run as root with sudo, or else you will see this error:
The main screen fills the entire terminal area with meters and a blank area.
But it quickly fills up during network activity to show a list of active connections along with how much traffic each is sending and receiving.
Why so many 1e100.net connections?
Can you guess what all of those 1e100.net connections are for? It’s Google. 1e100 is a mathematical expression that represents one googol (the correct spelling). A googol is 10^100, which is a 1 followed by 100 zeroes. Why does 1e100.net appear, and why so frequently? There are a few reasons in this case. First, I was browsing with Firefox, which had the Block reported attack sites and Block reported web forgeries checkboxes active. When these are set in Firefox, Firefox validates URLs with Google, thus the connections to 1e100.net.
The other reason involves the default Firefox homepage – it always opens with a Google start page. Each time Firefox opens, it opens the Google start page, and this opens connections to Google at 1e100.net. Web pages with links to Google will also reveal 1e100.net connections.
Past host connections shown in iftop linger for a few moments before disappearing. So, what had happened? I opened Firefox, searched for Linux Mint and Cinnamon, and then made a connection to cinnamon.linuxmint.com, which is the 22.214.171.124 shown above. The home page at linuxmint.com apparently contained Google content, so 1e100.net connections occurred again. Quite often, in fact.
To reduce the connections to Google, disable the Block reported attack sites and Block reported web forgeries checkboxes (which also turns off the protection they provide) and clear the default home/start page. Now, when Firefox opens, it no longer automatically connects to Google. However, this only goes so far. When browsing web pages, many will contain Google content of some sort due to the ubiquity of Google, and this will connect to 1e100.net.
This example shows how useful iftop can be by revealing the more obscure network connections. I was not aware of so many “background” connections during web browsing, and I had no idea of the sheer number of connections my computer was making to Google until I started browsing with iftop. Yes, I knew that something might be happening behind the scenes, but I was not certain exactly what until iftop provided details.
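To put a number on how many of the observed hosts belong to one provider, as with the 1e100.net entries above, the following is an added example and not part of the original post. It assumes one remote host per line, copied from iftop's host column with port display off; the hostnames and the documentation-range IP in the sample are constructed, and the two-label suffix list is a small illustrative subset.

```shell
#!/bin/sh
# Added example: tally remote hosts by parent domain.
# Input (assumed format): one remote host per line, either a reverse-DNS
# name or a bare IP address when the address has no PTR record.

tally_domains() {
    awk '
    NF {
        host = tolower($1)
        sub(/\.$/, "", host)                  # drop a trailing root dot
        n = split(host, label, ".")
        if (host ~ /^[0-9.]+$/ || index(host, ":") || n < 2) {
            dom = host                        # unresolved IP or single label
        } else {
            dom = label[n-1] "." label[n]
            # Illustrative subset of two-label public suffixes.
            if (n >= 3 && dom ~ /^(ac|co|org|gov)\.uk$/)
                dom = label[n-2] "." dom
        }
        count[dom]++
    }
    END { for (d in count) printf "%d %s\n", count[d], d }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample data; none of these names come from a real capture.
sample_hosts() {
    cat <<'EOF'
abc01s01-in-f1.1e100.net
abc01s01-in-f2.1e100.net
xyz02s02-in-f14.1e100.net
abc01s01-in-f1.1e100.net
mirror.example.ac.uk
192.0.2.10
www.example.org
EOF
}

sample_hosts | tally_domains
```

Unresolved addresses are counted individually rather than being cut down to their last two octets, so they stay visible as separate entries to look up by hand.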
By default, each connected host occupies two lines. The top line with => shows traffic sent to the host, and the bottom line with <= shows traffic downloaded from the host.
A white bar will occupy and appear to highlight a host line in order to provide a visual bar graph that shows network speed when uploading or downloading. In the screenshot above, we see a Linux Mint ISO downloading from the University of Kent in the United Kingdom. Look at all of the Google connections. Firefox was the only browser open and with one tab open at linuxmint.com. This was before the reporting and forging “privacy” settings were disabled in Firefox. The 126.96.36.199 IP address is Google’s home page, which was surprising because I never opened Google directly.
The speed bar aligns with the dynamically adjusting metric shown at the top of iftop. The leftmost side is 0 – no data transferred. The more the bar fills to the right, the faster the download speed. The speeds are shown in megabits per second, not megabytes, but the conversion to bytes is accurate and matches the network speed reported by System Monitor.
Traffic statistics are recorded at the bottom of iftop. Total transmit, total received, and transfer rates are recorded, but they are not saved between sessions, meaning all of this data is lost when iftop is closed.
Pressing ‘h’ or ‘?’ (Shift + /) shows the help screen that lists common keyboard commands that affect the display.
If there are too many connections, keys j and k will scroll through the list. Pressing P (Shift + p) will pause the display, and t will toggle through four different display modes: two lines per host, one line per host, received traffic only, and sent traffic only.
iftop has proven its worth. It does for networking what top and htop do for processes. Not only is iftop useful in diagnosing network activity, but the novelty of finding out what connections are being made during regular web browsing is fun to watch as it happens.