A Guide to Monitoring Network Traffic on a Linux Server
When it comes to monitoring network activity on a Linux server, you've got more tools and techniques at your disposal than you can shake a USB stick at. Which is the command that will return the specific information you need at the moment, such as total bandwidth used today? Here's a quick look at more than a dozen command-line tools that display the precise network information you're looking for.
It's a simple question: How much data was received and transmitted by a particular Linux server today, this week, this month? Finding a reliable answer is not so simple. In fact, there are almost as many ways to calculate a Linux server's data traffic as there are Linux servers.
The typical scenario is when you use an Internet service that caps your bandwidth. That's what motivated a post to Server Fault asking for a method to track and log a Linux server's network traffic to confirm it remains below the cap. The top-voted solution was to use VnStat, which runs as a background service/daemon and records data transfers on a constant basis. When running without any options, VnStat generates a report of all data transfers since it began running, as well as the total by month and day.
Running VnStat with no options shows total data transfers, and transfers by month and day. Source: BinaryTides
Adding the "-l" option returns only the live data. Other options show transfers by hour, day, week, month, and other categories.
VnStat options display the server's network traffic by hour, day, week, month, and other categories. Source: Server Fault
On The Geek Stuff, Ramesh Natarajan explains how to use VnStat for tracking, logging, and other network-monitoring tasks. To get started, you must specify each interface to be monitored. When you begin monitoring eth0, it creates a database file "eth0" in the /var/lib/vnstat directory that stores all network traffic log messages for that interface. Run "--iflist" to display all available interfaces. Lastly, starting the daemon initializes monitoring in the background, which minimizes the impact your monitoring has on overall performance.
Monitoring "eth0" automatically adds a database file to the /var/lib/vnstat directory that holds the network traffic log messages; "--iflist" shows available interfaces, and the "-d" option enables background monitoring. Source: The Geek Stuff
An abundance of Linux network-monitoring tools
BinaryTides provides a catalog of 18 different commands that relate to monitoring Linux networks. Topping the list is Nload, which graphs incoming and outgoing data traffic. Nload also displays total amount of data transferred and min/max network use.
The Nload command graphs data traffic and shows total data transferred, among other stats. Source: NixCraft
Here's an overview of several other useful Linux commands for tracking and recording network activity:
- iftop -- Similar to the "top" command that shows all running CPU processes, iftop monitors a specific interface and displays data traffic between two hosts. (More on The Geek Stuff.)
- ifstat -- Much like "iostat" and "vmstat" are used for reporting system statistics, this command shows total bandwidth in batch-style mode, which makes the data easy to log and parse using other tools. (More on Die.net.)
- iptraf -- This IP LAN manager captures TCP flag information, ICMP stats, TCP/UDP traffic, TCP connection packet and byte counts, and other data related to TCP, UDP, IP, ICMP, non-IP, IP checksum errors, and interface activity. (More on the official IPTraf site.)
- nethogs -- The "net top" tool displays the bandwidth used by each running process (including PID, user, and program path) sorted from most intensive to least intensive. It's most useful for finding the source of sudden network spikes. (More on NixCraft.)
- netload -- This command reports the current network load and total number of bytes transferred since the program began running. (More on the Netload page.
- netstat --The utility displays all TCP, UDP, and Unix socket connections, as well as listening sockets waiting for an incoming connection. For example, by confirming an open Port 80 you verify that the web server is running on the system. (More on BinaryTides.)
- bmon -- Similar to nload, the Bandwidth Monitor tool is used to detect bandwidth leaks that hinder overall network performance. It monitors bandwidth in real time and displays available interfaces, receive transmit, transfer transmit, and other information, both textually and graphically. (More on LinOxide.)
- bwm-ng -- Bandwidth Monitor NG monitors bandwidth between network and disk-io in real time. (More on Volker Gropp.)
- tcptrack -- The program monitors the TCP connection in real time. It uses the pcap library to capture packets and calculate such statistics as bandwidth used by each connection. Standard pcap filters can be configured to monitor specific connections. (More on Die.net.)
- tcpdump -- The utility describes the contents of packets on a network interface that match the boolean expression. Preceding each description is a timestamp displayed by default as hours, minutes, seconds, and fractions of a second since midnight. (More on the TCDump Manual.)
- arpwatch -- This command monitors MAC and IP address changes (address resolution) and generates a log of address-pair changes along with timestamps. It is particularly handy for discovering ARP spoofing. (More on LinuxCommand.org.)
- slurm -- (Simple Linux Utility for Resource Management) The program's three primary functions are to allocate resources (computer nodes) to users on an exclusive or non-exclusive basis; to serve as the framework for monitoring a set of allocated nodes; and to manage a queue of pending work by arbitrating contention for resources. (More on the SLURM Workload Manager page.)