When debugging network applications or monitoring specific connections, we often need granular visibility into the exact byte counts transferred between our server and specific endpoints. While tools like tcpdump capture packets, they don't provide the concise byte-count summary many developers need for performance analysis.
The iftop command provides exactly what we're looking for - real-time bandwidth monitoring with the ability to filter by host and port. Here's the basic installation and usage:
# Install on RHEL/CentOS
sudo yum install epel-release
sudo yum install iftop
# Basic usage
sudo iftop -n -N -P -F 192.168.1.100/32 -f "port 80"
Key parameters:
- -n: Don't resolve hostnames (faster)
- -N: Show port numbers
- -P: Show ports in output
- -F: Filter specific network
- -f: BPF filter expression
When you need to associate traffic with specific processes, nethogs is excellent:
sudo yum install nethogs
sudo nethogs -t -c 10 eth0
For persistent logging of specific traffic, iptables rules with counters work well:
# Track inbound traffic
sudo iptables -I INPUT -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT
# Track outbound traffic
sudo iptables -I OUTPUT -p tcp --sport 80 -s 192.168.1.100 -j ACCEPT
# View counters
sudo iptables -L -v -n | grep 192.168.1.100
Here's a simple bash script using ss (socket statistics) to monitor a specific connection:
#!/bin/bash
TARGET_IP="8.8.8.8"
TARGET_PORT="53"
while true; do
ss -t -a -n | \
grep "$TARGET_IP:$TARGET_PORT" | \
awk '{print $3}' | \
awk -F: '{print $2}'
sleep 5
done
When debugging network applications or monitoring specific connections, we often need precise byte counts for traffic between our server and particular endpoints. While tcpdump captures packets, it doesn't provide the cumulative byte counts we frequently need for performance analysis or billing purposes.
One of the most straightforward solutions is iftop, which shows bandwidth usage on an interface:
sudo iftop -n -N -P -f "port 80 and host google.com"Key options:
-n: Disable hostname resolution
-N: Show port numbers
-P: Show ports
-f: BPF filter (same syntax as tcpdump)
For process-level visibility:
sudo nethogs -t -c 10 eth0 "port 80 and host 142.250.190.46"This samples traffic 10 times (-c 10) and displays bytes sent/received per process. The -t flag adds timestamps.
For persistent logging, iptables accounting works well:
sudo iptables -A INPUT -p tcp --dport 80 -d google.com -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -s google.com -j ACCEPT
sudo iptables -L -v -n | grep googleThe -v flag shows byte counters that increment over time.
nload provides an interactive interface with detailed stats:
nload -t 500 -i 102400 -o 102400 -m -u K -U KParameters:
-t: Update interval (ms)
-i/-o: Max in/out scale
-u/-U: Units (K for KB)
-m: Show multiple interfaces
tcptrack shows TCP connections along with throughput:
sudo tcptrack -i eth0 "port 80 and host google.com"Displays real-time bandwidth usage per connection with source/dest IPs and ports.
For custom solutions, consider this Python snippet using scapy:
from scapy.all import *
total_in = 0
total_out = 0
def packet_callback(packet):
global total_in, total_out
if IP in packet:
if packet[IP].dst == "142.250.190.46" and packet.haslayer(TCP) and packet[TCP].dport == 80:
total_out += len(packet)
elif packet[IP].src == "142.250.190.46" and packet.haslayer(TCP) and packet[TCP].sport == 80:
total_in += len(packet)
sniff(iface="eth0", filter="tcp port 80", prn=packet_callback, store=0)
print(f"Bytes out: {total_out}, Bytes in: {total_in}")
For quick checks: iftop or nload
For process correlation: nethogs
For persistent logging: iptables
For custom analysis: Python/scapy