As a Linux system administrator, having visibility into network traffic and bandwidth usage is critical for performance monitoring and troubleshooting. By breaking down network usage on a per-process basis, you can identify the specific applications or services that are consuming the most bandwidth on your systems. This allows you to pinpoint bandwidth hogs or troubleshoot sluggish network connections.
In this comprehensive guide, we will explore several useful command-line tools for monitoring network usage per process in Linux:
ipTraf
ipTraf is an open-source CLI utility included in most Linux distributions that displays real-time network statistics. It allows you to monitor bandwidth usage, TCP and UDP connections, packets, errors and more.
To install ipTraf:
sudo apt install iptraf
Once installed, you can launch ipTraf in interactive mode to view live network statistics:
sudo iptraf

The main ipTraf console shows total bandwidth usage, packet activity, TCP connections and more for each detected network interface.
While useful, this view does not break down usage on a per-process level. To achieve that, we need to correlate the connections and ports shown in ipTraf with the actual processes using them.
We can use netstat to map ports and connections to process IDs (PIDs):
sudo netstat -apn | grep <port>
For example, to identify the process on port 80:
sudo netstat -apn | grep :80
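This will print the process ID and name of the application listening on that port. Note that grep :80 is a plain substring match, so it also returns lines for ports such as 8080 and for outbound connections to a remote port 80.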
By combining iptraf and netstat, you can now pinpoint exactly which processes are utilizing the most bandwidth on your network.
iftop
iftop is another handy CLI program that displays bandwidth usage on a network interface, much like a real-time version of top for network traffic.
To install on Ubuntu/Debian:
sudo apt install iftop
iftop shows total bandwidth rate, separated by TCP send/receive and UDP send/receive, along with the most active hosts/connections at any given time:
sudo iftop

iftop does not show bandwidth usage per process out of the box. But once again, by combining it with netstat you can map the active connections and ports to running processes.
The main advantages of iftop are the real-time rate display, allowing you to detect bandwidth spikes, and the ability to filter by IP address or network subnet.
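The netstat lookup used in the ipTraf and iftop sections above can be made exact. The following is an added example, not part of the original article: the function names port_owner and port_pids and the sample output are constructed for illustration. It matches only the local port, handles IPv6 addresses, and copes with UDP rows that have no State column.

```sh
#!/bin/sh
# Added example: exact local-port lookup over `netstat -apn` output.

# Constructed sample output (addresses and PIDs are made up for illustration).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/nginx: master p
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1490/java
tcp        0      0 10.0.0.5:52144          203.0.113.10:80         ESTABLISHED 2201/curl
tcp6       0      0 :::80                   :::*                    LISTEN      812/nginx: master p
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
}

# port_owner PORT: read netstat -apn output on stdin and print
# "proto local-address pid/program" for sockets whose LOCAL port is exactly PORT.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")        # port is the part after the last colon
            if (a[n] != port) next       # 8080 and remote :80 are skipped
            # UDP rows have no State column, so locate the PID/Program
            # field by shape instead of by fixed position.
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\// || $i == "-") break
            owner = $i
            # Program names may contain spaces ("nginx: master p").
            for (j = i + 1; j <= NF; j++) owner = owner " " $j
            print $1, $4, owner
        }'
}

# port_pids PORT: unique PIDs bound to PORT, one per line.
port_pids() {
    port_owner "$1" |
        awk '{ split($3, p, "/"); if (p[1] ~ /^[0-9]+$/) print p[1] }' |
        sort -un
}

# Demo on the constructed sample.
sample_netstat | port_owner 80
```

On a live host, pipe the real output in instead of the sample: sudo netstat -apn | port_owner 80. Without root, netstat shows "-" in place of the PID for sockets owned by other users.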
ntopng
ntopng is a much more full-featured bandwidth monitoring tool, providing both CLI and web interfaces to analyze network usage in real-time:

To install on Ubuntu/Debian:
sudo apt install ntopng
Once running, you can access the web UI at http://localhost:3001.
Some key features of ntopng for per-process monitoring:
- Sort connections by application process
- View application bandwidth usage graphs
- Set alerts on bandwidth thresholds
- Generate on-demand reports
- REST API for automation
For troubleshooting mystery bandwidth usage, enable the "Host Activity" auto-detection – this will scan traffic and identify hosts even without active connections.

ntopng requires more system resources than other tools covered but provides the most detailed real-time analytics around network activity.
nethogs
nethogs is a simple CLI utility that breaks down bandwidth by process, similar to top, making it very quick and easy to identify the heaviest traffic sources.
To install:
sudo apt install nethogs
To launch:
sudo nethogs

nethogs shows total bandwidth rate at the top, then bandwidth per process using a rolling time window.
It's handy for getting a snapshot of usage when you notice heavy network utilization. The refresh rate can also be customized with the -d option.
SNMP Monitoring
For centralized and historical reporting on network utilization across multiple Linux servers, Simple Network Management Protocol (SNMP) is the standard.
Most network devices and Linux distributions support SNMP out of the box for exporting network metrics:
- Bandwidth utilization
- Error rates
- Uptime monitoring
- Trap alerts
Using an SNMP monitoring tool like Nagios, Zabbix, Datadog or LibreNMS, you can graph historical trends on network usage, set alerts on abnormalities, and much more.
SNMP separates usage stats by interface, so it does not break down traffic by process specifically. But by tracking usage spikes to interfaces over time, you can determine when an application starts using higher resources.
Other Handy Tools
Here are some other useful CLI monitoring tools for network troubleshooting in Linux:
- netstat – Print network connections, routing tables, interface stats, and more
- ss – Socket statistics (similar to netstat)
- nmap – Network discovery and security auditing
- tcpdump – Capture and analyze packets
- traceroute – Print the network path to a destination host
- airmon-ng – Enable monitor mode on wireless devices
And some GUI tools providing visualizations:
- wireshark – Network protocol analyzer
- nethogs – Top-like interface for bandwidth by process
Summary
There are many great command-line tools available in Linux for analyzing network traffic and narrowing down usage by process.
Combining utilities like iptraf, iftop and nethogs provides powerful real-time visibility into bandwidth usage that can help track down connectivity and performance issues.
For further analytics and reporting, SNMP-enabled monitoring tools leveraging Nagios, Zabbix or similar provide added visibility over time.
Getting to know these network troubleshooting tools is an invaluable skill for any Linux system administrator. Understanding typical bandwidth usage patterns and being quick to identify anomalies allows you to optimize performance and minimize outages caused by resource constraints.


