Monitoring network traffic helps keep your computer systems running quickly, efficiently, and securely by applying insights extracted by monitoring tools. Effective network monitoring equips IT teams with the necessary insights to prevent network downtime, overcome network performance bottlenecks, and mitigate various security threats originating from incoming connections.
In this article, we’ll discuss how to monitor network traffic on Linux systems. As Linux servers are widely used to host applications and administer networks, mostnetwork monitoring tools are designed specifically for Linux operating systems. We’ll discuss key command-line interface (CLI) tools that can be used to efficiently monitor network traffic on Linux and show various scenarios in which they can be used.
Importance of monitoring network traffic on Linux
Most modern applications are exposed to various remote networking services via background processes scraping data, push notifications, and web socket connections. This means that your hosts are constantly targeted by traffic from diverse sources. This is especially true about Linux systems, which are widely used as production servers for hosting applications and administering networks.
In this context, understanding network traffic becomes a key prerequisite for seamless operation of your Linux servers and applications, which is especially important if your servers are production-grade API providers for end users or other applications. In this case, efficient network traffic monitoring tools can help IT teams in these ways:
- Ensure full real-time visibility of network traffic: Network monitoring tools perform real-time collection of network statistics capable of providing insights into the state of your network. Network traffic data can be visualized and integrated with alerts, logs, and audit systems to improve the efficiency of how your IT team handles network performance and security issues.
- Detect network misconfiguration: Finding traffic usage patterns may help to identify misconfiguration at the network and application level. For example, if your application is configured to perform additional traffic-intensive background jobs, this feature can be disabled to free up bandwidth for other applications.
- Troubleshoot network issues: An efficient network monitoring system can help identify and fix network-related issues. These may include disconnections, closed ports, and firewall misconfiguration.
- Track security anomalies: Traffic spikes originating from remote hosts may indicate the start of DDoS attacks against your servers. Network monitoring tools can help identify traffic flow patterns in your servers and help your team quickly respond to anomalies.
- Facilitate capacity planning and resource distribution: Network traffic monitoring can also help identify applications with insufficient resources or excessive resource consumption. This information can be used to distribute resources better.
How to monitor network activity on Linux
Network traffic monitoring is a crucial component of Linux system administration. It requires a systematic approach based on clear identification of goals, performance targets, and adherence to security standards. An effective network monitoring system on Linux servers should be based on three interconnected layers: general network health, incoming traffic, and outgoing traffic.
General network health
Understanding the overall state of your network, including network traffic at the interface and device level, can provide you with insight into network performance and the security of your system. For example, closing unused ports or restricting port access to the list of known IPs can help reduce possible attack vectors on your Linux systems.
Incoming traffic
Monitoring incoming traffic can help thwart network attacks and maintain security of your Linux servers (or systems). For example, network traffic monitoring tools can help identify connections that send abnormal amounts of traffic to your host. This can be useful for mitigating DDoS attacks or finding malware installed locally.
Outgoing traffic
Another important metric to monitor is bandwidth utilization by individual processes on your system. It’s useful to know which applications consume the most and the least amount of bandwidth. With this knowledge, you can stop processes that consume a high volume of traffic and without the need to be active and/or redistribute network resources to applications experiencing problems.
On top of bandwidth utilization, network traffic monitoring should be integrated with data visualization, data analysis, and alerting systems to ensure a fast transition from detection to resolution of networking issues.
Network monitoring tools
Tools for monitoring network traffic on a Linux system can help system administrators achieve the goals listed above. Usually, these are lightweight command-line utilities that display incoming/outcoming traffic, established network connections, and general network statistics. Some tools are designed to collect network traffic statistics at the interface/device levels while others allow you to evaluate network traffic at the application level.
We’ll discuss basic features offered by the most popular tools: nethogs, nload, netstat, and iftp.
Nethogs
Nethogs allows grouping bandwidth consumption by an individual process (process identifier). This functionality sets nethogs apart from most other Linux network tools that group traffic by protocol, interface, or subnet. Grouping traffic by process makes nethogs useful for identifying the causes of sudden traffic spikes. If your Linux system experiences abnormal traffic activity, nethogs can help immediately identify the process or processes that are causing the abnormal activity.
Fig. 1: Nethogs in the Linux terminal
Nload
Nload is another console-based network monitoring tool for Linux. It provides information about incoming and outgoing traffic, minimum/maximum network usage, and the volume of data transferred. Its main advantage is the visualization of incoming and outgoing traffic directly in the console. However, unlike nethogs, nload does not provide information about network bandwidth by PID, which limits its abilities.
Fig. 2: Traffic data visualization in nload
Netstat
Another popular CLI network monitoring tool is netstat. It displays incoming and outgoing network connections for TCP and UDP protocols. The data it collects is organized by the protocol name, local address, foreign address, and connection state (e.g., ESTABLISHED, CLOSE_WAIT, and so on). In addition, netstat provides information about routing tables, network interfaces, and network protocol statistics. It offers options to filter connections based on attributes. For example, netstat can report the total amount of bytes sent and received (-b, -i), ethernet statistics (-e) including packets, filter by connection type, and display general network statistics.
Iftop
Iftop, which stands for interface top, allows you to display real-time network bandwidth usage by the network interface and connection/host. Using this utility, you can identify remote hosts that slow down your network and network bandwidth for each available interface: for example, ethernet, software-defined networks, wireless, and more.
Although iftop does not show network traffic by process as nethogs does, you can easily circumvent this limitation. For example, you can note down the port number from the iftop and use netstat -p to identify the process.
Fig. 3: List of remote connections in iftop
Conclusion
The best approach to network traffic monitoring on Linux is to use a combination of tools. “Network top” tools, such as nethogs, are useful for identifying bandwidth bottlenecks and redistributing resources among applications efficiently. General network tools, such as iftop and netstat, are useful for collecting bandwidth data at the interface and protocol level. Another option is to use UI-based network tools that provide useful visualization of network traffic statistics. These tools can provide an intuitive interface that can be understood by non-tech users. However, in most cases, CLI-based network traffic monitoring tools are sufficient for maintaining the speed, efficiency, and security of Linux networks.
