Monitor Network Traffic per Process with Nethogs

Yesterday I wrote about using 3G on Raspberry Pi board,  and one of the commenter mentioned higher traffic than expected when connecting to 3G to just send a few bytes before disconnecting. One of the reasons are the extra data needed if you transmit data over a secure connection, for example establishing a PPP connection, connect to the board over SSH, and disconnect, results in the transmission & reception of a few kilobytes on my board:


But if you get much more traffic than that, you may want to investigate if another package may transfer data when it detects the connection is up. To analyze traffic, tcpdump and Wireshark are good options, especially if you want to look into the packets data, however such tools do not tell you which process is sending or receiving the data.

So I searched whether I could find a program that would do just that, and a thread on Ask Ubuntu discussing how to display network traffic in the terminal, mentions some interesting utilities like bmon, iftop, tcptrack, etc… which all show info about the connections, but the utility that does exactly what I I want is called nethogs. Installing it in Ubuntu/Debian is very easy.


Now run it as root, as you should get a list of processes that send and received data over a specific interface:


The full options can be found with -h:

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
7 Comments
oldest
newest
davef
davef
6 years ago

Thank you for posting this mini HowTo. Running the utility told me that the actual short text message took about 300 bytes. As you need PPP running, the data cost to bring the connection up is not displayed.

That appears to the major portion of the 10K total.

Cheers,
davef

FransM
FransM
6 years ago

Tried this in a VM. If I do a ping in another shell, this ping does not show up. If I start firefix it indeed shows. Might be this tool only works for TCP traffic. My version is also reported as0.8.1. This is the version on the ubuntu 16.04.03 feed. It is different than the one from CNXSoft though. The help for my version has no -a option: usage: nethogs [-V] [-b] [-d seconds] [-v mode] [-c count] [-t] [-p] [-s] [device [device [device …]]] -V : prints version. -b : bughunt mode – implies tracemode. -d : delay for… Read more »

paul M
paul M
6 years ago

I also use “iftop” to see which servers my box is connecting to and using all the bandwidth.

If you want to get really fancy, “ntop” works very well, it provides a Web GUI.

tkaiser
tkaiser
6 years ago

davef :
Thank you for posting this mini HowTo. Running the utility told me that the actual short text message took about 300 bytes. As you need PPP running, the data cost to bring the connection up is not displayed.
That appears to the major portion of the 10K total.

If it would be possible that PPP needs 10,000 bytes for a payload of just 300 bytes I wonder how we managed to establish dial-up connections 3 decades ago over phone lines at 2400 baud rate? 🙂

davef
davef
6 years ago

tkaiser,

The main problem is that I am fairly inexperienced with using PPP in general and beginner’s level experience using it in a cellular system (Hologram). I have checked some basic stuff like, ensuring updates on the computer are disabled.

The small amount of comfort I have found is that CNX seems to get similar exchanges of data just doing a ping test.

The fact that the traffic can vary from 1K to 100K in a 20 second connect-time seems puzzling to me.

Cheers,
davef

Drone
Drone
6 years ago

Isolate your IoT traffic from the default physical interface as per your routing table. That should be the case if you are using ppp over /dev/ttyx for the IoT traffic and IP over Ethernet in the default route. If you are using IP over Ethernet for both traffic streams, try separating them by aliasing a different interface address on the same physical port and add the new interface as a non-default route.

Boardcon Rockchip and Allwinner SoM and SBC products