How to Identify Process-Level Network Traffic on Linux: Analyzing eth0 Packet Senders


When troubleshooting network bandwidth issues on Linux systems, standard tools like netstat or ss often fall short. They show established connections but don't reveal which processes are actually generating the traffic. This becomes particularly frustrating when you notice sustained network activity (say, a steady 500KB/s leaving eth0) but can't pinpoint the source.

While basic network utilities provide connection information, we need more specialized tools to map network activity to specific processes:

# Install nethogs on Debian/Ubuntu
sudo apt-get install nethogs

# Run with root privileges
sudo nethogs eth0

This will display real-time network usage per process in a top-like interface:

PID   USER    PROGRAM              DEV        SENT      RECEIVED
1234  www-data /usr/bin/apache2    eth0       12.123KB  456.789KB
5678  mysql   /usr/sbin/mysqld     eth0       0.000KB   23.456KB

If nethogs isn't available, consider these alternatives:

# Using iftop to see which host:port pairs carry the traffic (iftop does not attribute traffic to processes)
sudo iftop -i eth0 -n -P

# Pairing ss with lsof for connection mapping. ss prints no interface column, so "grep eth0"
# matches nothing; filter by socket state instead, then look up the busy port.
sudo ss -tunp state established
sudo lsof -nP -i :[port_number]

For advanced users, SystemTap provides the most detailed view:

# SystemTap script to track outbound packets by process; save as sendbyproc.stp
# and run: sudo stap sendbyproc.stp
# The net_dev_queue tracepoint fires when an skb is handed to the driver queue;
# its argument is $skb, so the interface name and the length come from the skb.
# Caveat: pid()/execname() are whatever context queued the packet. That is the
# sending process for data written from user space, but retransmits, ACKs and
# deferred sends run in softirq context and show up as swapper/ksoftirqd.
probe kernel.trace("net_dev_queue") {
    if (kernel_string($skb->dev->name) == "eth0") {
        printf("%s[%d] sent %d bytes\n", execname(), pid(), $skb->len)
    }
}

Let's walk through a real-world scenario:

# First identify suspicious connections (netstat is deprecated; "ss -tnp state established" is the modern equivalent)
sudo netstat -tnp | grep ESTABLISHED

# Cross-reference with nethogs
sudo nethogs -t eth0

# If it's a web server process, examine logs
sudo tail -f /var/log/apache2/access.log

For continuous monitoring, create a simple bash script:

#!/bin/bash
# Alert on processes sending more than 100 KB/s. nethogs -t prints one line per
# process as "program/pid/uid<TAB>sent<TAB>received" (KB/s), so the sent rate is
# field 2 when splitting on tabs; -c 5 stops after five refreshes.
while true; do
    sudo nethogs -t -c 5 eth0 | awk -F '\t' 'NF >= 3 && $2 + 0 > 100'
    sleep 10
done

When your Linux system suddenly shows unexpected network activity through eth0 (or any other network interface), it's crucial to identify the responsible processes quickly. Traditional tools like netstat or ss show connections but don't provide real-time bandwidth usage per process.

While useful for connection monitoring, these common utilities have limitations:

  • netstat -tulpn: Shows connections but not bandwidth
  • iftop: Displays bandwidth but not per-process
  • lsof -i: Lists open files but not traffic volume

The nethogs package (in the Debian/Ubuntu repositories, and in EPEL for RHEL/CentOS) fills exactly this gap:

sudo apt-get install nethogs  # Debian/Ubuntu
sudo yum install nethogs      # RHEL/CentOS
sudo nethogs eth0

Sample output shows processes with their network usage:

PID    USER     PROGRAM              DEV        SENT      RECEIVED
1234   www-data apache2              eth0       450.0KB   1200.0KB
5678   mysql    mysqld               eth0       50.0KB    300.0KB

When nethogs isn't available, consider these approaches:

1. Using ss + lsof

sudo ss -tupn | grep ESTAB
sudo lsof -p [PID]

2. iftop with port display (iftop attributes traffic to host:port pairs, not processes; take the busy local port and pivot to ss or lsof)

sudo iftop -P -N -n -i eth0

3. Syscall tracing of one process (Advanced)

# strace stops the target at every traced syscall, so expect a heavy slowdown.
# Include write(): many programs write to sockets with write() rather than send*().
# -yy decorates socket descriptors with their endpoints so socket writes stand out.
sudo strace -f -yy -p [PID] -e trace=network,write 2>&1 | grep -E 'send|write'
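The ss + lsof pairing above (and the same pairing earlier on this page) works by joining the kernel's socket table to /proc/<pid>/fd. When neither tool is installed, for instance in a stripped-down container, the join can be done by hand. The following is an added example, not code from the original post: it decodes a constructed /proc/net/tcp sample, flags ESTABLISHED sockets that still have data queued for transmission, and looks up the owning PID by socket inode. The function names, the sample rows and the "queued bytes" heuristic are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decode /proc/net/tcp, the table
# ss and netstat read, and map a socket inode to its owning process the way
# `ss -p` / `lsof -i` do, by scanning /proc/<pid>/fd. IPv4 only; /proc/net/tcp6
# uses 32-hex-digit addresses and is not handled here.

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Address hex is host byte order, i.e. byte-reversed on little-endian CPUs;
# ports and queue sizes are plain hex.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   107        0 21437 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0050 6401A8C0:C3E2 01 00000000:00000000 00:00000000 00000000    33        0 98765 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B1A4 22D8B85D:01BB 01 00012C00:00000000 00:00000000 00000000  1000        0 55501 1 0000000000000000 20 4 30 10 -1'

# decode_proc_tcp: stdin = /proc/net/tcp, stdout = "STATE local remote txq=N uid=U inode=I"
decode_proc_tcp() {
  awk '
  function hex2dec(h,    i, v) {
    v = 0
    h = toupper(h)
    for (i = 1; i <= length(h); i++)
      v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
    return v
  }
  # 0100007F -> 127.0.0.1: the least significant byte is printed first
  function ip4(h) {
    return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." \
           hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
  }
  BEGIN {
    st["01"] = "ESTABLISHED"; st["02"] = "SYN_SENT";   st["03"] = "SYN_RECV"
    st["04"] = "FIN_WAIT1";   st["05"] = "FIN_WAIT2";  st["06"] = "TIME_WAIT"
    st["07"] = "CLOSE";       st["08"] = "CLOSE_WAIT"; st["09"] = "LAST_ACK"
    st["0A"] = "LISTEN";      st["0B"] = "CLOSING"
  }
  $1 ~ /^[0-9]+:$/ {                       # data rows only, the header row starts with "sl"
    split($2, l, ":"); split($3, r, ":"); split($5, q, ":")
    printf "%s %s:%d %s:%d txq=%d uid=%s inode=%s\n",
      (($4 in st) ? st[$4] : $4),
      ip4(l[1]), hex2dec(l[2]), ip4(r[1]), hex2dec(r[2]),
      hex2dec(q[1]), $8, $10
  }'
}

# busy_senders: ESTABLISHED sockets with bytes still waiting in the transmit queue.
# A process that sends steadily rarely drains its queue, so txq>0 is a good first cut.
busy_senders() {
  decode_proc_tcp | awk '$1 == "ESTABLISHED" && substr($4, 5) + 0 > 0'
}

# pid_for_inode INODE: which PIDs hold that socket (root needed to read other
# users' /proc/<pid>/fd). This is the join ss -p and lsof -i perform internally.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    pid=${fd#/proc/}; pid=${pid%%/*}
    printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  done | sort -u
}

# Live use:  busy_senders < /proc/net/tcp   then   pid_for_inode <inode>
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | busy_senders
```

The uid column is enough to tell a web-server socket from a user's shell even before the inode lookup (`getent passwd <uid>` resolves it); the inode lookup then names the exact process, which is what you need before killing anything.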

For continuous monitoring, create a bash script:

#!/bin/bash
while true; do
  echo "==== $(date) ===="
  sudo nethogs -t eth0 -c 5
  sleep 10
done
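Both monitoring loops on this page hand nethogs -t output to a filter, which only works if the filter knows the trace-mode layout. The following is an added example, not code from the original post: a parser for nethogs trace output that reports the peak sent rate per process above a threshold. It assumes trace mode prints program/pid/uid, sent and received as three tab-separated fields after each "Refreshing:" line; the sample rows, the helper names and the default threshold are constructed for the example, so check the layout against your nethogs version's output.

```shell
#!/bin/sh
# Added example (not from the original post): turn `nethogs -t` trace output into
# an alert list. Assumed trace-mode layout: "Refreshing:" before each sample, then
# one line per process as  program/pid/uid<TAB>sent<TAB>received  in KB/s.
# Splitting on tab matters: the program field can contain spaces and slashes
# ("sshd: alice@pts/0"), so pid and uid are taken from the end of the field.

# Constructed sample of two refreshes (not real captured output).
sample_trace() {
  printf 'Refreshing:\n'
  printf '%s\t%s\t%s\n' '/usr/sbin/apache2/1234/33' 12.123 456.789
  printf '%s\t%s\t%s\n' '/usr/sbin/mysqld/5678/107' 0.000 23.456
  printf '%s\t%s\t%s\n' 'sshd: alice@pts/0/2345/0' 0.210 0.180
  printf '%s\t%s\t%s\n' 'unknown TCP/0/0' 0.000 0.000
  printf 'Refreshing:\n'
  printf '%s\t%s\t%s\n' '/usr/sbin/apache2/1234/33' 512.400 300.100
  printf '%s\t%s\t%s\n' '/usr/bin/rsync/8899/1000' 980.750 2.300
  printf '%s\t%s\t%s\n' 'unknown TCP/0/0' 0.000 0.000
}

# top_senders [THRESHOLD_KBPS]: read trace output on stdin and print
# "pid uid peak_sent_kbps program" for every process whose sent rate exceeded
# the threshold (default 100 KB/s) in any refresh, highest first.
top_senders() {
  awk -F '\t' -v thr="${1:-100}" '
  /^Refreshing:/ || NF < 3 { next }
  $1 ~ /^unknown (TCP|UDP)/ { next }        # bytes nethogs could not attribute to a PID
  {
    n = split($1, p, "/")
    pid = p[n-1]; uid = p[n]
    prog = substr($1, 1, length($1) - length(pid) - length(uid) - 2)
    sent = $2 + 0
    if (!(pid in peak) || sent > peak[pid]) {
      peak[pid] = sent; owner[pid] = uid; name[pid] = prog
    }
  }
  END {
    for (pid in peak)
      if (peak[pid] > thr)
        printf "%s %s %.1f %s\n", pid, owner[pid], peak[pid], name[pid]
  }' | sort -k3,3 -n -r
}

# Live use (root needed for packet capture): five 1-second refreshes, then alert.
#   sudo nethogs -t -c 5 eth0 | top_senders 100
# Demo on the constructed sample:
sample_trace | top_senders 100
```

Keeping the peak rather than the last sample means a process that bursts during refresh 2 and goes quiet in refresh 5 still makes the list; the "unknown TCP" pseudo-entry is dropped because a large value there means nethogs could not find a PID for the flow, which is itself worth a look with ss.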

Remember that monitoring tools themselves consume resources:

  • nethogs adds ~2-5% CPU overhead
  • For high-traffic servers, consider sampling (e.g., run every minute)
  • strace attaches with ptrace and stops the target at every traced syscall, so it can slow a busy process dramatically; SystemTap probes are cheaper but still run per packet, so keep the predicate tight and the run short