NETHOGS(8) System Manager's Manual NETHOGS(8) NAME nethogs - Net top tool grouping bandwidth per process SYNOPSIS nethogs [-V] [-h] [-x] [-d seconds] [-v mode] [-c count] [-t] [-p] [-s] [-a] [-l] [-f filter] [-C] [-b] [-g period] [-P pid] [device(s)] DESCRIPTION NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most such tools do, it groups bandwidth by process - and does not rely on a special kernel module to be loaded. So if there's suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this, and if it's some kind of spinning process, kill it. Options -V prints version. -h prints available commands usage. -x bughunt mode - implies tracemode. -d delay for update refresh rate in seconds. default is 1. -v view mode (0 = kB/s, 1 = total kB, 2 = total bytes, 3 = total MB, 4 = MB/s, 5 = GB/s). default is 0. kB: 2e10 bytes, MB: 2e20 bytes, GB: 2e30 bytes -c number of updates. default is 0 (unlimited). -t tracemode. -p sniff in promiscuous mode (not recommended). -s sort output by sent column. -l display command line. -a monitor all devices, even loopback/stopped ones. -C capture TCP and UDP. -b Display the program basename. -g garbage collection period in number of refresh. default is 50. -P Show only processes with the specified pid(s). -f EXPERIMENTAL: specify string pcap filter (like tcpdump). This may be removed or changed in a future version. device(s) to monitor. default is all interfaces up and running excluding loopback INTERACTIVE CONTROL q quit s sort by SENT traffic r sort by RECEIVED traffic l display command line b display the program basename m switch between total (KB, B, MB) and throughput (KB/s, MB/s, GB/s) mode RUNNING WITHOUT ROOT In order to be run by an unprivileged user, nethogs needs the cap_net_admin and cap_net_raw capabilities. Additionally, to display process names, cap_dac_read_search and cap_sys_ptrace capabilities are required. These can be set on the executable by using the setcap(8) command, as follows: sudo setcap "cap_net_admin,cap_net_raw,cap_dac_read_search,cap_sys_ptrace+pe" /usr/local/sbin/nethogs Notes 1. When using the -P option, in a case where a process exited (normally or abruptly), Nethogs does not track that it exited. So, the operating system might create a new process (for another program) with the same pid. In this case, this new process will be shown by Nethogs. SEE ALSO netstat(8) tcpdump(1) pcap(3) AUTHOR Written by Arnout Engelen . 14 February 2004 NETHOGS(8)