Track Bandwidth by Process with nethogs: Easy Linux Monitoring

Table of Contents

• What This Post Is About
• A Real-World Headache: The Case of the Mysterious Bandwidth Hog
• Why Track Bandwidth by Process? (And Why Is It So Hard?)
• How Does Nethogs Actually Work?
• Use Cases & Benefits: Who Needs This Anyway?
• Step-By-Step Nethogs Setup Guide (With Pro Tips!)
• Mini Glossary: Real-Talk Definitions
• Examples & Cases (Comic Comparison Table!)
• Beginner Mistakes, Myths & Alternatives
• Should You Use Nethogs? (The Geeky Decision Tree)
• Automation, Scripting & Weird-but-Awesome Uses
• Short Sysadmin Story: The Case of the Vanishing Bandwidth
• Conclusion: Why, How, and Where to Use Nethogs

What This Post Is About

Ever found your Linux server or VPS gasping for bandwidth, but you can’t put your finger on which process is slurping up all the goodness? If you’ve ever tail-chased a sneaky process, or just want a quick, clear way to see which process is using network bandwidth in real time, you’re in the right place. This post is a deep-dive into nethogs — a small, nerdy tool that can save you hours of detective work, whether you’re running a VPS, cloud instance, Docker host, or your own rack of dedi’s.

We’ll go through why this matters, how nethogs works, how to get it running in two minutes flat, and which geeky scenarios it can save your bacon. Expect real-world examples, weird edge cases, and a few laughs along the way.

A Real-World Headache: The Case of the Mysterious Bandwidth Hog

Imagine this: You just spun up a fresh VPS for a client. Everything’s shiny, the firewall’s up, and your monitoring says you’re pushing twice the expected outbound traffic. Is it your app? A runaway cron job? Some container you left running last week? Or (gulp) something more sinister?

You run the usual suspects: iftop, vnstat, netstat. You see traffic, you see ports, but nothing tells you which process is guilty. You need answers, fast. That’s where nethogs jumps in with its superhero cape.

Why Track Bandwidth by Process? (And Why Is It So Hard?)

• Security: Malware and rootkits are expert bandwidth thieves. A process-level view lets you spot them fast.
• Debugging: Web apps, Docker containers, or even dev scripts can misbehave. “Which process is hammering my network?” is a question worth answering…
• Cost: On cloud or metered VPS, every byte is $$$. Track down waste before it burns your wallet.
• Performance: One noisy process can starve the rest — and your users will feel it.

The catch? Traditional Linux tools show traffic by port, not by process. Sure, iftop and nload show flow-level data — but not the actual process name or PID. That’s like seeing footprints but not knowing who made them.

That’s what makes nethogs special: It connects the dots between active processes and their network usage, live.

How Does Nethogs Actually Work?

Here’s the geeky, under-the-hood scoop (but in plain English):

• Nethogs sniffs packets using libpcap (like tcpdump does).
• For each TCP/UDP packet, it checks local port/source address.
• It cross-references the kernel’s /proc filesystem to map open sockets to running processes (by PID).
• It builds a real-time table: process name, PID, user, and how much bandwidth they’re using (up/down).
• Refreshes every second by default.

That’s it! No kernel modules, no magic — just clever use of the data Linux already exposes.

Fast setup? Yes. No config files, no daemons. Just run it as root (needs to see all traffic), and you’re good.

Use Cases & Benefits: Who Needs This Anyway?

• DevOps: Debugging noisy microservices, rogue containers, or third-party scripts that “phone home”.
• Sysadmins: Locking down multi-user servers, catching bandwidth hogs, or checking for data exfiltration.
• Cloud/VPS Owners: Keeping an eye on what’s burning your bandwidth quota.
• Home Lab Geeks: Spotting that one torrent client you forgot about.
• Developers: Optimizing apps for chatty network behavior during development.

Bonus: It’s interactive. You can sort, filter, and even kill processes straight from the terminal.

Step-By-Step Nethogs Setup Guide (With Pro Tips!)

1. Install Nethogs
   • On Ubuntu/Debian: sudo apt-get update && sudo apt-get install nethogs
   • On CentOS/Fedora: sudo yum install nethogs
   • On Arch: sudo pacman -S nethogs
   • Or build from source: https://github.com/raboof/nethogs
2. Run as root (required):
   • Single interface: sudo nethogs eth0
   • Multiple interfaces: sudo nethogs eth0 eth1
   • All interfaces: sudo nethogs (shows all, but can get busy)
3. Understand the display:
   • Columns: PID, USER, PROGRAM, DEV, SENT, RECEIVED
   • Totals at the bottom, per-process stats in real time.
4. Interactive controls:
   • m: Switch between KB/s, KB, or total bytes
   • r: Reset counters
   • q: Quit
5. Filter by process or user:
   • Not built-in, but you can grep the output, or better: run nethogs -t for text output (good for scripting/logging)

Pro Tip: Use nethogs -t to output machine-readable stats for automation, or to grep/sed/awk your way to custom alerts or dashboards.

Need a new server or VPS to play with? Order a VPS at MangoHost or go big with a dedicated server!

Mini Glossary: Real-Talk Definitions

• nethogs: Like a task manager for network bandwidth, but per process.
• libpcap: The “sniffer” library used by tcpdump and Wireshark to grab raw packets.
• /proc: Linux’s magical directory for exposing all running processes and their open files/sockets.
• interface: Your network’s front door (like eth0, ens33, wlan0, etc.)
• PID: Process ID. The unique number for every running thing on Linux.

Examples & Cases (Comic Comparison Table!)

Time for a head-to-head match-up. Here’s a “comic” table of how different tools handle the “Who’s eating my bandwidth?” problem:

In short: Use nethogs when you want to know “which process” — not just “which port” or “which IP”.

Beginner Mistakes, Myths & Alternatives

• Myth: “I can see process info with iftop!” Nope. iftop only tracks network flows, not the process owner.
• Mistake: Running nethogs as a regular user and seeing… nothing. Always sudo it.
• Myth: “It works for all network traffic!” Actually, it only tracks traffic it can map to a process — so things like kernel-level forwarding or NAT may not show up per-process.
• Alternative tools: bandwhich (Rust-based, pretty, similar idea), iperf (for throughput testing), ntopng (full-blown network analytics, but heavier).

Should You Use Nethogs? (The Geeky Decision Tree)

Let’s keep it simple — follow the arrows!

You want to see which process is using bandwidth right now?
→ YES → Use nethogs!
→ NO → Want historical data?
   → YES → Use vnstat.
   → NO → Want per-host/port stats?
      → YES → Use iftop.
      → NO → Use netstat for open connections.
Still not sure? Try them all — but nethogs is the only one that connects bandwidth stats to the actual process.

Automation, Scripting & Weird-but-Awesome Uses

• Automate alerts: Pipe nethogs -t output into a script. Example: email yourself if any process uses more than 1MB/s for more than 10 seconds.
• Save forensics logs: Cron nethogs -t > /var/log/nethogs.log and grep for odd spikes.
• Integrate with dashboards: Parse the text output into Prometheus, Grafana, or even Slack bots for live monitoring.
• Weird hack: Combine with kill to auto-nuke processes that go rogue (dangerous but fun in dev environments!).

Sample Script: (alerts if a process called “python” uses >500 KB/s outbound)

#!/bin/bash
nethogs -t -d 2 | grep python | awk '{if ($6 > 500) print "ALERT: " $0}' 

Note: This is a toy example! For real automation, you’d want more robust parsing and alerting.

Fun Fact: Some hackers use nethogs to check if their CTF malware is “phoning home” during competitions!

Short Sysadmin Story: The Case of the Vanishing Bandwidth

Once upon a midnight, a sysadmin noticed their server’s outbound traffic was spiking every hour. They checked logs, banned suspect IPs, even blamed the neighbor’s cat. No luck. In a last-ditch effort, they ran sudo nethogs eth0 — and watched as a forgotten rsync backup script kicked in, flooding the pipe. Mystery solved, sleep restored, cat acquitted.

Conclusion: Why, How, and Where to Use Nethogs

If you’re serious about running any kind of Linux server, be it on a VPS, dedicated server, or even in your own lab, knowing which process is chewing through your bandwidth is critical. Nethogs is a fast, free, no-nonsense tool that gives you answers in seconds — not hours.

It’s not a replacement for full NetFlow or historical monitoring, but for live forensics and debugging, nothing beats it. It’s a staple in any sysadmin or dev toolbox — especially when something weird is going on and you need answers now.

So, next time your server is running hot, don’t guess. Run nethogs. See the truth. And if you need a playground for all this tech wizardry, check out a VPS or dedicated server from MangoHost.

Happy debugging, and may your bandwidth always be under your control!