How to track LAN usage? (AKA 'top for LAN')

27

13

There's an evil application that is eating ALL my upload bandwidth (I'm Brazilian, it's only ~35kbps) for like 80% of the time my PC is turned on.

I would like to know if there's any way to track this usage and discover what app is doing this.

igorsantos07

Posted 2009-08-26T00:57:42.637

Reputation: 1 208

Answers

12

What about nethogs? In my opinion, it is a lot more humane. It lists which command/program is using the network and how much bandwidth each of them uses, in real time.

Install it on Ubuntu/Debian systems with:

sudo apt-get install nethogs

Run it to monitor your network interface like this:

sudo nethogs eth0

vulcan_hacker

Posted 2009-08-26T00:57:42.637

Reputation: 200

this doesn't seem to have a batch mode. – Nicholas DiPiazza – 2016-06-28T06:44:40.830

very interesting! =D Fix my problem better than the combo iftop+netstat. Not that both are not good, they are awesome, but not for what I needed. =D – igorsantos07 – 2009-11-22T18:20:34.810

19

iftop is a console/shell-based program similar to top that can use the pcap library (also used by tcpdump and wireshark). It is available for Ubuntu from Universe.

sudo aptitude install iftop
sudo iftop

While running an upgrade on an Ubuntu system:

(screenshot of iftop)

With netstat, you can find out what process is connected to a particular port or IP. For ports, it's a good idea to prefix with a colon.

sudo netstat -plantu | grep "some_port_number_or_ip_address"

For example, to look at open connections for ssh:

sudo netstat -plantu | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2376/sshd       
tcp        0      0 10.13.37.122:22         10.13.37.105:59130      ESTABLISHED 4033/sshd: jtimberm
tcp6       0      0 :::22                   :::*                    LISTEN      2376/sshd 

You can also look for open port connections with lsof:

sudo lsof -i:22
COMMAND  PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    2376       root    3u  IPv4   5613      0t0  TCP *:ssh (LISTEN)
sshd    2376       root    4u  IPv6   5615      0t0  TCP *:ssh (LISTEN)
sshd    4033       root    3u  IPv4  11608      0t0  TCP 10.13.37.122:ssh->10.13.37.105:59130 (ESTABLISHED)
sshd    4086 jtimberman    3u  IPv4  11608      0t0  TCP 10.13.37.122:ssh->10.13.37.105:59130 (ESTABLISHED)

You can get more information about the open files from lsof with -p PID.

sudo lsof -p 2376

(Lots of output from that suppressed)

jtimberman

Posted 2009-08-26T00:57:42.637

Reputation: 20 109

With this program I could determine where IT was eating my connection... and with netstat I could determine who was doing this. I need to mark those both answers as correct! XD – igorsantos07 – 2009-08-26T04:57:54.770

I really don't think it's fair to edit your answer and add a lot of new info... but i can't think about any other solution, so.. thank you again =] – igorsantos07 – 2009-08-26T13:48:40.397

2 @Igoru Just making the answer better so people get more relevant information if they're searching for questions similar to your own. – jtimberman – 2009-08-26T14:34:22.553

1 Wait...is that an Ubuntu system? It looks like OS X. – Mechanical snail – 2011-10-19T07:05:30.453

I ssh'd to an ubuntu system from my mac. – jtimberman – 2011-10-22T06:31:57.700

9

ntop is your friend. Packages are in linux repos and macports.

Nicholas

Posted 2009-08-26T00:57:42.637

Reputation: 99

2 ntop is an excellent program, but it is probably overkill and overcomplicated for this. – jtimberman – 2009-08-26T02:54:24.467

I don't think it's friendly as I would like to... I think there are so much info for what I need. And your answer is not exactly.... helpful. But thank you anyway =] – igorsantos07 – 2009-08-26T05:01:10.443

5

In addition to using iftop to identify the address and port that's using bandwidth, you can use netstat to identify the process:

sudo netstat -ntp

This will show all TCP connections open and the process name/id attached to each.

Rog

Posted 2009-08-26T00:57:42.637

Reputation: 212

As I can't vote "accepted" for both you and iftop, I'll accept him - that showed me EXACTLY when and how someone was eating my bandwidth - and vote you up 'cos with netstat I could know who I should kill. Thank you! – igorsantos07 – 2009-08-26T04:59:25.113

Alternatively, you can use lsof -i tcp:80 to concentrate your search on one port. This particular version will list all the processes connected on tcp port 80. – None – 2009-08-26T08:31:40.847
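The two-step lookup from this answer (remote address and port from iftop, then the owning process from netstat), as an added example that is not part of any post above. The sample rows are constructed in the layout of the netstat output shown earlier; `owners_of`, `sample_netstat`, the `uploader` program name and the 203.0.113.7 address are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the process that owns a TCP
# connection to an endpoint spotted in iftop, from `netstat -ntp` output.

# Constructed sample in netstat's column layout; "uploader" is a made-up program.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2376/sshd
tcp        0      0 10.13.37.122:22         10.13.37.105:59130      ESTABLISHED 4033/sshd: jtimberm
tcp        0   5120 10.13.37.122:51413      203.0.113.7:6881        ESTABLISHED 3120/uploader
tcp        0      0 10.13.37.122:40022      203.0.113.7:443         ESTABLISHED -
tcp6       0      0 :::22                   :::*                    LISTEN      2376/sshd
EOF
}

# owners_of ENDPOINT  (ENDPOINT is "ip", "ip:port" or ":port")
# Reads netstat rows on stdin, prints "pid local remote state program" per match.
owners_of() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && NF >= 7 {
            remote = $5
            # Exact ip:port, or ip followed by ":", so 203.0.113.7 never matches 203.0.113.70.
            hit = (remote == want) || (index(remote, want ":") == 1)
            # A leading ":" means "any address, this port": compare the suffix.
            if (substr(want, 1, 1) == ":" && length(remote) >= length(want))
                hit = hit || (substr(remote, length(remote) - length(want) + 1) == want)
            if (!hit) next
            # The PID/Program column may contain spaces ("4033/sshd: jtimberm").
            owner = $7
            for (i = 8; i <= NF; i++) owner = owner " " $i
            slash = index(owner, "/")
            if (slash == 0) {          # "-" means netstat lacked privileges
                pid = "-"; prog = "(unknown: rerun netstat with sudo)"
            } else {
                pid = substr(owner, 1, slash - 1); prog = substr(owner, slash + 1)
            }
            print pid, $4, remote, $6, prog
        }'
}

# Demo on the sample; on a live host: sudo netstat -ntp | owners_of 203.0.113.7:6881
sample_netstat | owners_of 203.0.113.7:6881
```

A row whose owner column is `-` is reported with an unknown program, which is what netstat prints for sockets belonging to other users when it is run without sudo.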

2

In my opinion, iftop's user interface is not well-designed. In practice there is hardly ever a need for viewing the IPs or hostnames in realtime. If I needed a listing of all current connections, I would just go with netstat as jtimberman explained.

For my purposes, bmon is better suited than iftop. It has a very simplistic user interface with support for multiple interfaces and drawing of "graphs". Here is a screenshot:

bmon

If you do not need all the features bmon offers, bwm-ng might be the perfect tool for you. It only shows the current occupied bandwidth per interface -- no more and no less:

bwm-ng

timn

Posted 2009-08-26T00:57:42.637

Reputation: 796

2

nload is a great tool for monitoring bandwidth in real time and easily installed in Ubuntu or Debian with sudo apt-get install nload.

Device eth0 [10.10.10.5] (1/2):
=====================================================================================
Incoming:


                               .         ...|    
                               #         ####|   
                           .. |#|  ...   #####.         ..          Curr: 2.07 MBit/s
                          ###.###  #### #######|.     . ##      |   Avg: 1.41 MBit/s
                         ########|#########################.   ###  Min: 1.12 kBit/s
             ........    ###################################  .###  Max: 4.49 MBit/s
           .##########. |###################################|#####  Ttl: 1.94 GByte
Outgoing:
            ##########  ###########    ###########################
            ##########  ###########    ###########################
            ##########. ###########   .###########################
            ########### ###########  #############################
            ########### ###########..#############################
           ############ ##########################################
           ############ ##########################################
           ############ ##########################################  Curr: 63.88 MBit/s
           ############ ##########################################  Avg: 32.04 MBit/s
           ############ ##########################################  Min: 0.00 Bit/s
           ############ ##########################################  Max: 93.23 MBit/s
         ############## ##########################################  Ttl: 2.49 GByte

Another excellent tool is iftop, also easily apt-get'able:

             191Mb      381Mb                 572Mb       763Mb             954Mb     
└────────────┴──────────┴─────────────────────┴───────────┴──────────────────────
box4.local            => box-2.local                      91.0Mb  27.0Mb  15.1Mb
                      <=                                  1.59Mb   761kb   452kb
box4.local            => box.local                         560b   26.8kb  27.7kb
                      <=                                   880b   31.3kb  32.1kb
box4.local            => userify.com                         0b   11.4kb  8.01kb
                      <=                                  1.17kb  2.39kb  1.75kb
box4.local            => b.resolvers.Level3.net              0b     58b    168b
                      <=                                     0b     83b    288b
box4.local            => stackoverflow.com                   0b     42b     21b
                      <=                                     0b     42b     21b
box4.local            => 224.0.0.251                         0b      0b    179b
                      <=                                     0b      0b      0b
224.0.0.251           => box-2.local                         0b      0b      0b
                      <=                                     0b      0b     36b
224.0.0.251           => box.local                           0b      0b      0b
                      <=                                     0b      0b     35b


─────────────────────────────────────────────────────────────────────────────────
TX:           cum:   37.9MB   peak:   91.0Mb     rates:   91.0Mb  27.1Mb  15.2Mb
RX:                  1.19MB           1.89Mb              1.59Mb   795kb   486kb
TOTAL:               39.1MB           92.6Mb              92.6Mb  27.9Mb  15.6Mb

Don't forget about the classic and powerful sar and netstat utilities on older *nix!

Jamieson Becker

Posted 2009-08-26T00:57:42.637

Reputation: 331

1

Wireshark is also a very good (multiplatform) app for monitoring network traffic. Here's a description from the site:

Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

alex

Posted 2009-08-26T00:57:42.637

Reputation: 16 172

0

You could do this at the router level depending on your firmware. For example, if you use DD-WRT, you could track usage over time and by machine.

th3dude

Posted 2009-08-26T00:57:42.637

Reputation: 9 189

In fact I think that using my ADSL router just to solve this small problem is overkill and overcomplicated. I think it's just an easy thing to solve. But thank you for your help! – igorsantos07 – 2009-08-26T03:44:52.267

0

Install a firewall and, at least temporarily, make it block all outgoing connections. It should notify you when something tries to make a connection at which point you should have your culprit :-)

Here is one of many articles online that gives you info on installing a firewall on Ubuntu:
http://linux.com/news/enterprise/systems-management/8256-installing-a-firewall-on-ubuntu

Joel Martinez

Posted 2009-08-26T00:57:42.637

Reputation: 1 227

I think I already have UFW in my Ubuntu.. Anyway I think that this would be a little bit trouble to solve with this approach.. The problem doesn't happen all the time, it's intermittent but a little frequent. But if the other net info apps fail, I'll give the firewall a try! Thank you! – igorsantos07 – 2009-08-26T03:48:08.657