How to monitor network traffic on Linux

Monitoring network traffic helps your computer systems run quickly, efficiently, and securely by applying insights extracted by monitoring tools. Effective network monitoring equips IT teams with the necessary insights to prevent network downtime, overcome network performance bottlenecks, and mitigate various security threats from incoming connections.

In this article, we’ll discuss how to monitor network traffic on Linux systems. As Linux servers are widely used to host applications and administer networks, most network monitoring tools are designed specifically for Linux operating systems. We’ll discuss key command-line interface (CLI) tools that monitor network traffic efficiently on Linux and show various scenarios in which they can be used.

Importance of monitoring network traffic on Linux

Most modern applications are exposed to various remote networking services via background processes scraping data, push notifications, and web socket connections. This means that your hosts are constantly targeted by traffic from diverse sources. This is especially true of Linux systems, which are widely used as production servers for hosting applications and administering networks. So, understanding network traffic is a key prerequisite for your Linux servers and applications to operate seamlessly.

Here's how efficient network traffic monitoring tools can help IT teams:

  • Ensure full, real-time visibility of network traffic: Network monitoring tools perform real-time collection of network statistics capable of providing insights into the state of your network. Network traffic data can be visualized and integrated with alerts, logs, and audit systems to improve the efficiency of how your IT team handles network performance and security issues.
  • Detect network misconfigurations: Finding traffic usage patterns may help to identify misconfigurations at the network and application levels. For example, if your application is configured to perform additional traffic-intensive background jobs, this feature can be disabled to free up bandwidth for other applications.
  • Troubleshoot network issues: An efficient network monitoring system can help identify and fix network-related issues. These may include disconnections, closed ports, and firewall misconfigurations.
  • Track security anomalies: Traffic spikes originating from remote hosts may indicate the start of DDoS attacks against your servers. Network monitoring tools can help identify traffic flow patterns in your servers and help your team quickly respond to anomalies.
  • Facilitate capacity planning and resource distribution: Network traffic monitoring can also help identify applications with insufficient resources or excessive resource consumption. This information can be used to distribute resources better.

How to monitor network activity on Linux

Network traffic monitoring is a crucial component of Linux system administration. It requires a systematic approach based on clear identification of goals, performance targets, and adherence to security standards. An effective network monitoring system on Linux servers should be based on three interconnected layers: general network health, incoming traffic, and outgoing traffic.

General network health

Understanding the overall state of your network, including network traffic at the interface and device levels, can provide you with insight into network performance and the security of your system. For example, closing unused ports or restricting port access to a list of known IPs can help reduce possible attack vectors on your Linux systems.

Incoming traffic

Monitoring incoming traffic can help thwart network attacks and maintain the security of your Linux servers (or systems). For example, network traffic monitoring tools can help identify connections that send abnormal amounts of traffic to your host. This can be useful for mitigating DDoS attacks or finding malware installed locally.

Outgoing traffic

Another important metric to monitor is bandwidth utilization by individual processes on your system. It’s useful to know which applications consume the most and the least bandwidth. With this knowledge, you can stop processes that consume a high volume of traffic without needing to be active, and redistribute network resources to applications experiencing problems.

On top of bandwidth utilization, network traffic monitoring should be integrated with data visualization, data analysis, and alerting systems to ensure a fast transition from detection to resolution of networking issues.

Network monitoring tools

Tools for monitoring network traffic on a Linux system can help system administrators achieve the goals listed above. Usually, these are lightweight command-line utilities that display incoming and outgoing traffic, established network connections, and general network statistics. Some tools are designed to collect network traffic statistics at the interface and device levels, while others allow you to evaluate network traffic at the application level.

We’ll discuss basic features offered by the most popular tools: NetFlow, NetHogs, nload, netstat, and iftop.

NetFlow

NetFlow enables traffic metadata collection as it flows through a device (or interface). Though viewing NetFlow data through a terminal is possible, it is tough to parse through all the data on a CLI. Network monitoring tools like Site24x7 make it easy to collate the metadata and present it in an understandable format on a network monitoring dashboard. This dashboard provides complete visibility into your network with stats on peak traffic, surges in traffic volumes, application and interface traffic, and bandwidth-hogging conversations. Additionally, with this tool, you can analyze flows based on different technologies like J-Flow, sFlow, IPFIX, NetStream, AppFlow, and CFlow.

NetHogs

NetHogs allows grouping bandwidth consumption by an individual process (process identifier). This functionality sets NetHogs apart from most other Linux network tools that group traffic by protocol, interface, or subnet. Grouping traffic by process makes NetHogs useful for identifying the causes of sudden traffic spikes. If your Linux system experiences abnormal traffic activity, NetHogs can help immediately identify the process or processes that are causing the abnormal activity.
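As an added example (not part of the original article, nor NetHogs' own code), the following POSIX shell script ranks processes by bandwidth from NetHogs trace-mode output (`nethogs -t`) and flags any process whose combined rate exceeds a threshold. It assumes trace mode prints one line per process as program/pid/uid, sent KB/s, received KB/s separated by tabs; the sample lines are constructed.

```shell
#!/bin/sh
# Rank processes by bandwidth from NetHogs trace-mode output (`nethogs -t`).
# Assumed line format: "<program>/<pid>/<uid><TAB><sent KB/s><TAB><received KB/s>".
# The sample below is constructed for this example, not a real capture.
SAMPLE_NETHOGS=$(printf 'Refreshing:\n%s\t%s\t%s\n%s\t%s\t%s\n%s\t%s\t%s\n%s\t%s\t%s' \
  '/usr/sbin/sshd/1234/0'   '0.312'  '0.088' \
  '/usr/bin/rsync/4021/1000' '4830.5' '12.4' \
  '/usr/sbin/nginx/2210/33'  '210.7'  '95.3' \
  'unknown TCP/0/0'          '0.0'    '0.0')

# top_talkers N : reads trace lines on stdin, prints the N busiest processes as
# "<total KB/s> <pid> <program>", busiest first. Lines with pid 0 (unattributed) are skipped.
top_talkers() {
    awk -F'\t' 'NF == 3 {
        n = split($1, p, "/")                      # program/pid/uid: uid is p[n], pid is p[n-1]
        pid = p[n-1]
        if (pid == 0) next
        prog = substr($1, 1, length($1) - length(p[n]) - length(pid) - 2)
        printf "%.1f %s %s\n", $2 + $3, pid, prog   # sent + received
    }' | sort -rn | head -n "$1"
}

# spike_alert THRESHOLD_KBS : prints an ALERT line for each process above the threshold,
# which is the kind of rule an alerting system can be fed from this data.
spike_alert() {
    top_talkers 1000000 | awk -v t="$1" '$1 > t { print "ALERT", $0 }'
}

# Live use (root is needed to see every process): sudo nethogs -t | top_talkers 5
```

Feed the functions either the embedded sample or a live `nethogs -t` stream; both print the busiest process first.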

Fig. 1: NetHogs in the Linux terminal

nload

nload is another console-based network monitoring tool for Linux. It provides information about incoming and outgoing traffic, minimum and maximum network usage, and the volume of data transferred. Its main advantage is the visualization of incoming and outgoing traffic directly in the console. However, unlike NetHogs, nload does not provide information about network bandwidth by PID, which limits its abilities.

Fig. 2: Traffic data visualization in nload

netstat

Another popular CLI network monitoring tool is netstat. It displays incoming and outgoing network connections for the TCP and UDP protocols. The data it collects is organized by protocol name, local address, foreign address, and connection state (e.g., ESTABLISHED, CLOSE_WAIT, and so on). In addition, netstat provides information about routing tables, network interfaces, and network protocol statistics. It offers options to filter connections based on their attributes. For example, netstat can report the total number of bytes sent and received (-b, -i), provide Ethernet statistics (-e) including packets, filter by connection type, and display general network statistics.

iftop

iftop, which stands for interface top, displays real-time network bandwidth usage by network interface and by connection or host. Using this utility, you can identify remote hosts that slow down your network and see the bandwidth used on each available interface, for example Ethernet, software-defined, or wireless interfaces.

Although iftop does not show network traffic by process as NetHogs does, you can easily circumvent this limitation. For example, you can note down the port number from iftop and use netstat -p to identify the process.
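The iftop-then-netstat step just described, as an added shell example that is not part of the original article: `port_owner` takes the local port noted in iftop and reads `netstat -tunp` output on stdin, printing the PID/program that owns the socket. The embedded sample is constructed to mirror the net-tools column layout; the live command is shown in a comment.

```shell
#!/bin/sh
# Resolve a local port seen in iftop to its owning process using `netstat -tunp` output.
# The sample below is constructed for this example (not a real capture); its columns
# follow Linux net-tools netstat with -p, where "PID/Program name" is the last column
# and UDP rows have no State column.
SAMPLE_NETSTAT=$(printf '%s\n' \
  'Active Internet connections (w/o servers)' \
  'Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name' \
  'tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 1234/sshd: user' \
  'tcp        0 524288 192.0.2.10:873          203.0.113.5:40122       ESTABLISHED 4021/rsync' \
  'tcp6       0      0 :::443                  :::*                    LISTEN      2210/nginx: master' \
  'udp        0      0 0.0.0.0:68              0.0.0.0:*                           911/dhclient')

# port_owner PORT : reads netstat -p style lines on stdin and prints "PID/Program"
# for every socket whose local port matches. Works for IPv4 and IPv6 rows.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")                  # local port follows the last colon
            if (a[n] != port) next
            for (i = 5; i <= NF; i++)              # PID/Program is the first "<digits>/" field;
                if ($i ~ /^[0-9]+\//) {            # the program name itself may contain spaces
                    print substr($0, index($0, $i))
                    break
                }
        }'
}

# Live use (root is needed to see other users PIDs): sudo netstat -tunp | port_owner 873
```

A port with no matching row prints nothing, which usually means the connection closed between the iftop and netstat snapshots; rerun both.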

Fig. 3: List of remote connections in iftop

Conclusion

The best approach to network traffic monitoring on Linux is to use a combination of tools. “Network top” tools, such as NetHogs, are useful for identifying bandwidth bottlenecks and redistributing resources among applications efficiently. General network tools, such as iftop and netstat, help collect bandwidth data at the interface and protocol levels. While most CLI-based network traffic monitoring tools are sufficient for maintaining the speed, efficiency, and security of Linux networks, intuitive UI-based network tools like Site24x7's NetFlow Analyzer provide powerful network traffic visualization capabilities for more effective network monitoring.
