NETHOGS(8) System Manager's Manual NETHOGS(8)

nethogs - Net top tool grouping bandwidth per process

nethogs [-V] [-h] [-x] [-d seconds] [-v mode] [-c count] [-t] [-p] [-s] [-a] [-l] [-f filter] [-C] [-b] [-g period] [-P pid] [device(s)]

NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most such tools do, it groups bandwidth by process - and does not rely on a special kernel module to be loaded. So if there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this, and if it's some kind of spinning process, kill it.

prints version.
prints available commands usage.
bughunt mode - implies tracemode.
delay for update refresh rate in seconds. default is 1.
view mode (0 = kB/s, 1 = total kB, 2 = total bytes, 3 = total MB, 4 = MB/s, 5 = GB/s). default is 0.

kB: 2e10 bytes, MB: 2e20 bytes, GB: 2e30 bytes

number of updates. default is 0 (unlimited).
tracemode.
sniff in promiscuous mode (not recommended).
-s
sort output by sent column.
-l
display command line.
monitor all devices, even loopback/stopped ones.
capture TCP and UDP.
-b
Display the program basename.
garbage collection period in number of refresh. default is 50.
Show only processes with the specified pid(s).
EXPERIMENTAL: specify string pcap filter (like tcpdump). This may be removed or changed in a future version.

device(s) to monitor. default is all interfaces up and running excluding loopback

quit
sort by SENT traffic
sort by RECEIVED traffic
display command line
display the program basename
switch between total (KB, B, MB) and throughput (KB/s, MB/s, GB/s) mode

In order to be run by an unprivileged user, nethogs needs the cap_net_admin and cap_net_raw capabilities. Additionally, to display process names, cap_dac_read_search and cap_sys_ptrace capabilities are required. These can be set on the executable by using the setcap(8) command, as follows:


sudo setcap "cap_net_admin,cap_net_raw,cap_dac_read_search,cap_sys_ptrace+pe" /usr/local/sbin/nethogs

1. When using the -P <pid> option, in a case where a process exited (normally or abruptly), Nethogs does not track that it exited. So, the operating system might create a new process (for another program) with the same pid. In this case, this new process will be shown by Nethogs.

netstat(8) tcpdump(1) pcap(3)

Written by Arnout Engelen <arnouten@bzzt.net>.
14 February 2004