BLOG POSTS
    MangoHost Blog / Track Bandwidth by Process with nethogs: Easy Linux Monitoring
Track Bandwidth by Process with nethogs: Easy Linux Monitoring

Track Bandwidth by Process with nethogs: Easy Linux Monitoring

Table of Contents

What This Post Is About

Ever found your Linux server or VPS gasping for bandwidth, but you can’t put your finger on which process is slurping up all the goodness? If you’ve ever tail-chased a sneaky process, or just want a quick, clear way to see which process is using network bandwidth in real time, you’re in the right place. This post is a deep-dive into nethogs — a small, nerdy tool that can save you hours of detective work, whether you’re running a VPS, cloud instance, Docker host, or your own rack of dedi’s.

We’ll go through why this matters, how nethogs works, how to get it running in two minutes flat, and which geeky scenarios it can save your bacon. Expect real-world examples, weird edge cases, and a few laughs along the way.

A Real-World Headache: The Case of the Mysterious Bandwidth Hog

Imagine this: You just spun up a fresh VPS for a client. Everything’s shiny, the firewall’s up, and your monitoring says you’re pushing twice the expected outbound traffic. Is it your app? A runaway cron job? Some container you left running last week? Or (gulp) something more sinister?

You run the usual suspects: iftop, vnstat, netstat. You see traffic, you see ports, but nothing tells you which process is guilty. You need answers, fast. That’s where nethogs jumps in with its superhero cape.

Why Track Bandwidth by Process? (And Why Is It So Hard?)

  • Security: Malware and rootkits are expert bandwidth thieves. A process-level view lets you spot them fast.
  • Debugging: Web apps, Docker containers, or even dev scripts can misbehave. “Which process is hammering my network?” is a question worth answering…
  • Cost: On cloud or metered VPS, every byte is $$$. Track down waste before it burns your wallet.
  • Performance: One noisy process can starve the rest — and your users will feel it.

The catch? Traditional Linux tools show traffic by port, not by process. Sure, iftop and nload show flow-level data — but not the actual process name or PID. That’s like seeing footprints but not knowing who made them.

That’s what makes nethogs special: It connects the dots between active processes and their network usage, live.

How Does Nethogs Actually Work?

Here’s the geeky, under-the-hood scoop (but in plain English):

  • Nethogs sniffs packets using libpcap (like tcpdump does).
  • For each TCP/UDP packet, it checks local port/source address.
  • It cross-references the kernel’s /proc filesystem to map open sockets to running processes (by PID).
  • It builds a real-time table: process name, PID, user, and how much bandwidth they’re using (up/down).
  • Refreshes every second by default.

That’s it! No kernel modules, no magic — just clever use of the data Linux already exposes.

Fast setup? Yes. No config files, no daemons. Just run it as root (needs to see all traffic), and you’re good.

Use Cases & Benefits: Who Needs This Anyway?

  • DevOps: Debugging noisy microservices, rogue containers, or third-party scripts that “phone home”.
  • Sysadmins: Locking down multi-user servers, catching bandwidth hogs, or checking for data exfiltration.
  • Cloud/VPS Owners: Keeping an eye on what’s burning your bandwidth quota.
  • Home Lab Geeks: Spotting that one torrent client you forgot about.
  • Developers: Optimizing apps for chatty network behavior during development.

Bonus: It’s interactive. You can sort, filter, and even kill processes straight from the terminal.

Step-By-Step Nethogs Setup Guide (With Pro Tips!)

  1. Install Nethogs

    • On Ubuntu/Debian: sudo apt-get update && sudo apt-get install nethogs
    • On CentOS/Fedora: sudo yum install nethogs
    • On Arch: sudo pacman -S nethogs
    • Or build from source: https://github.com/raboof/nethogs
  2. Run as root (required):

    • Single interface: sudo nethogs eth0
    • Multiple interfaces: sudo nethogs eth0 eth1
    • All interfaces: sudo nethogs (shows all, but can get busy)
  3. Understand the display:

    • Columns: PID, USER, PROGRAM, DEV, SENT, RECEIVED
    • Totals at the bottom, per-process stats in real time.
  4. Interactive controls:

    • m: Switch between KB/s, KB, or total bytes
    • r: Reset counters
    • q: Quit
  5. Filter by process or user:

    • Not built-in, but you can grep the output, or better: run nethogs -t for text output (good for scripting/logging)

Pro Tip: Use nethogs -t to output machine-readable stats for automation, or to grep/sed/awk your way to custom alerts or dashboards.

Need a new server or VPS to play with? Order a VPS at MangoHost or go big with a dedicated server!

Mini Glossary: Real-Talk Definitions

  • nethogs: Like a task manager for network bandwidth, but per process.
  • libpcap: The “sniffer” library used by tcpdump and Wireshark to grab raw packets.
  • /proc: Linux’s magical directory for exposing all running processes and their open files/sockets.
  • interface: Your network’s front door (like eth0, ens33, wlan0, etc.)
  • PID: Process ID. The unique number for every running thing on Linux.

Examples & Cases (Comic Comparison Table!)

Time for a head-to-head match-up. Here’s a “comic” table of how different tools handle the “Who’s eating my bandwidth?” problem:

Tool What It Tells You Personality (Metaphor!) Best Use
iftop Shows top connections (by host/port, not process) The traffic cop at a busy intersection (but can’t see who’s driving) Spotting which destination or port is busiest
vnstat Bandwidth usage over time (totals, not live) The bean counter who only works 9-5 (and doesn’t care about live drama) Long-term stats, billing reports
netstat Lists open connections (no traffic stats) The bouncer with a clipboard (knows who’s inside, not how loud they’re partying) Security audits, digging into open sockets
nethogs Bandwidth by process, live The private investigator with night vision goggles Spotting noisy apps, debugging, live forensics

In short: Use nethogs when you want to know “which process” — not just “which port” or “which IP”.

Beginner Mistakes, Myths & Alternatives

  • Myth: “I can see process info with iftop!” Nope. iftop only tracks network flows, not the process owner.
  • Mistake: Running nethogs as a regular user and seeing… nothing. Always sudo it.
  • Myth: “It works for all network traffic!” Actually, it only tracks traffic it can map to a process — so things like kernel-level forwarding or NAT may not show up per-process.
  • Alternative tools: bandwhich (Rust-based, pretty, similar idea), iperf (for throughput testing), ntopng (full-blown network analytics, but heavier).

Should You Use Nethogs? (The Geeky Decision Tree)

Let’s keep it simple — follow the arrows!


You want to see which process is using bandwidth right now?
→ YES → Use nethogs!
→ NO → Want historical data?
   → YES → Use vnstat.
   → NO → Want per-host/port stats?
      → YES → Use iftop.
      → NO → Use netstat for open connections.
Still not sure? Try them all — but nethogs is the only one that connects bandwidth stats to the actual process.

Automation, Scripting & Weird-but-Awesome Uses

  • Automate alerts: Pipe nethogs -t output into a script. Example: email yourself if any process uses more than 1MB/s for more than 10 seconds.
  • Save forensics logs: Cron nethogs -t > /var/log/nethogs.log and grep for odd spikes.
  • Integrate with dashboards: Parse the text output into Prometheus, Grafana, or even Slack bots for live monitoring.
  • Weird hack: Combine with kill to auto-nuke processes that go rogue (dangerous but fun in dev environments!).

Sample Script: (alerts if a process called “python” uses >500 KB/s outbound)

#!/bin/bash
nethogs -t -d 2 | grep python | awk '{if ($6 > 500) print "ALERT: " $0}' 

Note: This is a toy example! For real automation, you’d want more robust parsing and alerting.

Fun Fact: Some hackers use nethogs to check if their CTF malware is “phoning home” during competitions!

Short Sysadmin Story: The Case of the Vanishing Bandwidth

Once upon a midnight, a sysadmin noticed their server’s outbound traffic was spiking every hour. They checked logs, banned suspect IPs, even blamed the neighbor’s cat. No luck. In a last-ditch effort, they ran sudo nethogs eth0 — and watched as a forgotten rsync backup script kicked in, flooding the pipe. Mystery solved, sleep restored, cat acquitted.

Conclusion: Why, How, and Where to Use Nethogs

If you’re serious about running any kind of Linux server, be it on a VPS, dedicated server, or even in your own lab, knowing which process is chewing through your bandwidth is critical. Nethogs is a fast, free, no-nonsense tool that gives you answers in seconds — not hours.

It’s not a replacement for full NetFlow or historical monitoring, but for live forensics and debugging, nothing beats it. It’s a staple in any sysadmin or dev toolbox — especially when something weird is going on and you need answers now.

So, next time your server is running hot, don’t guess. Run nethogs. See the truth. And if you need a playground for all this tech wizardry, check out a VPS or dedicated server from MangoHost.

Happy debugging, and may your bandwidth always be under your control!



This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.

This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.

Leave a reply

Your email address will not be published. Required fields are marked