8 Essential Linux Commands to Monitor Real‑Time Network Traffic

In daily work we often need to check a server's real‑time network interface traffic. The following Linux tools can be used for this purpose.

1. sar

The sar command, included in the sysstat package, provides network interface statistics and can display per‑second packet counts and traffic. sar -n DEV 1 2 The command reads the default interface (eth0) once per second for two samples and then displays the results.

2. /proc/net/dev

The Linux kernel exposes a pseudo‑filesystem /proc that allows runtime access to kernel data structures. The file /proc/net/dev provides a way to read or modify network adapter statistics.

bytes – total bytes sent or received packets – total packets sent or received errs – total transmission or reception errors drop – total dropped packets fifo – FIFO buffer errors frame – frame errors colls – collisions detected compressed – compressed packets carrier – carrier losses multicast – multicast frames

Because /proc exists only in memory, the statistics start from system boot and reset after a reboot.

3. ifstat

ifstat

is a tool that reports network interface activity.

Installation:

sudo apt-get update
sudo apt-get install ifstat

-l – monitor the loopback interface (lo) -a – monitor all detectable interfaces -z – hide interfaces with zero traffic -i iface – monitor a specific interface -s – query a remote host via SNMP -n – suppress periodic header lines -t – prepend a timestamp to each line -T – report total bandwidth of all monitored interfaces -w – set column width manually -W – wrap lines that exceed terminal width -S – keep the display on a single line (no scrolling) -b – display bandwidth in kbits/s instead of kbytes/s -q – quiet mode (suppress warnings) -v – show version information -d – specify a driver to collect statistics

Example usage:

ifstat -tT

in – total bytes received out – total bytes transmitted

4. iftop

iftop

is a real‑time traffic monitor that shows TCP/UDP connections; it must be run as root.

Installation:

sudo apt-get update
sudo apt-get install iftop

iftop -h | [-npblNBP] [-i interface] [-f filter code] [-F net/mask] [-G net6/mask6]

-i – specify the interface to monitor -n – display IP addresses only (no DNS lookup) -B – show bandwidth in bytes instead of bits -p – run in promiscuous mode (packet sniffing) -N – show port numbers only -P – show host and port information -F – limit display to a specific network, e.g. iftop -F 192.168.12.0/24 -m – set the maximum scale for the top traffic bar -t – output in text mode (no interactive UI) -L – limit the number of displayed lines -s sec – run for sec seconds then exit -b – display bandwidth in kbits/s -h – show help

Example usage: sudo iftop -i eth0 -t -s 30 -L 100 The iftop output consists of three main parts:

The top line shows the traffic scale (bandwidth ruler).

The central section is split into left, middle and right columns. The left and middle columns list the IPs or hosts communicating with the local machine; “=>” indicates sent data, “<=” indicates received data. The right side shows three sub‑columns with average traffic over the last 2 s, 10 s and 40 s, plus a graphical bar.

The bottom section has three rows: TX (sent), RX (received) and TOTAL (both). Each row contains columns for cumulative traffic (cum), peak traffic (peak) and recent rates (rates for 2 s, 10 s, 40 s).

Key interactive controls after iftop starts: h – toggle help n – toggle host name / IP display s – toggle local host display d – toggle remote host display t – switch display format (2‑line/1‑line, send only, receive only) N – toggle port number / service name S – toggle local port info D – toggle remote port info p – toggle port display P – pause/resume b – toggle average traffic bar B – switch between 2 s, 10 s, 40 s averages T – toggle total traffic per connection l – filter by a string (e.g., an IP) L – toggle scale display j/k – scroll up/down 1/2/3 – sort by the three right‑hand traffic columns < / > – sort by local or remote host/IP o – lock display to current connections only f – edit filter code ! – execute a shell command q – quit

5. nload

nload

is a console application that visualizes inbound and outbound traffic with two graphs and provides additional statistics such as total data transferred, minimum/maximum bandwidth, etc.

Installation:

sudo apt-get update
sudo apt-get install nload

-a – set averaging period (seconds, default 300) -i – set maximum value for inbound traffic graph (default 10240 kbit/s) -m – hide the traffic graph, show only statistics -o – set maximum value for outbound traffic graph -t – refresh interval in milliseconds (default 500) -u – set unit for right‑hand values (auto, b, k, m, g) -U – set unit for TTL column h|b|k|m|g – select unit for display Devices – specify which interfaces to monitor (default all)

Example:

nload eth0

6. iptraf‑ng

iptraf‑ng

is a powerful tool for observing network flow from the hardware layer up to the transport layer.

Installation:

sudo apt-get update
sudo apt-get install iptraf-ng

iptraf-ng [options]: -h, --help : show help message -i : start IP traffic monitor (use '-i all' for all interfaces) -d : start detailed statistics on an interface -s : start TCP/UDP monitor on an interface -z : show packet size counts -l : start LAN station monitor (use '-l all') -g : start general interface statistics -B : run in background (single interface only) -f : clear all locks and counters -t <em>minutes</em> : run only for the specified number of minutes -L <em>logfile</em> : specify an alternate log file

Example:

sudo iptraf-ng -s eth0

7. nethogs

nethogs

is designed to show per‑process bandwidth usage, grouping traffic by PID rather than by protocol or subnet.

Installation:

sudo apt-get update
sudo apt-get install nethogs

-V : print version -h : print help -b : bughunt mode (implies tracemode) -d seconds : delay between updates (default 1) -v mode : view mode (0=KB/s, 1=total KB, 2=total B, 3=total MB) -c count : number of updates (0 = unlimited) -t : tracemode -p : chaotic mode (not recommended) -s : sort by sent column -a : monitor all devices, including loopback device : interface to monitor (default all non‑loopback)

While running, press:

q – quit

s – sort by SENT traffic

r – sort by RECEIVE traffic

m – toggle between KB/s and total KB/MB modes

Example:

sudo nethogs eth0

8. Extensions

Beyond the tools above, Linux also offers other traffic‑monitoring utilities such as ip (total interface traffic), stat (a universal system statistics tool that can replace vmstat, iostat, netstat, nfsstat and ifstat), and ss / netstat (view active connections and listening ports, with ss being the faster replacement for netstat).