Using nethogs, iftop, tcpdump, and iptables to Diagnose Network Bandwidth Issues on Linux

This guide explains how to employ nethogs, iftop, tcpdump, and iptables on a Linux server to identify bandwidth‑hogging processes, capture network packets, and block malicious IPs, providing step‑by‑step commands and usage tips for effective network troubleshooting.

Practical DevOps Architecture

1. Use nethogs for investigation

[root@nginx-local ~]# nethogs eth0

The nethogs tool displays per‑process network bandwidth on a specified interface. When the interface (e.g., eth0) is saturated, the output shows each process's bandwidth usage and its PID, allowing you to pinpoint the bandwidth‑consuming process.

2. Use iftop for investigation

[root@nginx-local ~]# iftop -i eth0 -P

The -P option shows the service ports, indicating which server port each connection uses, which helps identify internal traffic sources.

3. Use tcpdump for packet capture

[root@nginx-local ~]# tcpdump tcp port 80 -nnei eth0 -w web.pcap

or

[root@nginx-local ~]# tcpdump -i eth0 -w web.pcap

The -w flag writes captured packets to a binary file (e.g., web.pcap) that can be analyzed later with Wireshark. Install tcpdump if necessary:

[root@nginx-local center]# yum -y install tcpdump
[root@nginx-local ~]# tcpdump tcp port 443 -nnei eth0 -w web.pcap

Open web.pcap in Wireshark and click "Statistics → Conversations" to view the captured traffic grouped by address pair.
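The same per-conversation byte totals can be computed without a GUI. The following is an added example, not part of the original article: it parses a classic libpcap file such as the one tcpdump -w produces on an Ethernet interface. The function names (conversations, top_talkers, sample_pcap) are hypothetical, and the sample capture is constructed from documentation-range addresses.

```python
import struct
from collections import Counter

# libpcap magic numbers (microsecond and nanosecond variants) -> byte order
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def conversations(pcap: bytes) -> Counter:
    """Bytes on the wire per unordered IPv4 address pair."""
    order = MAGIC.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(order + "4I", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not plain IPv4 (VLAN, IPv6, ARP)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        # orig_len counts the full packet even if the snap length cut it short
        totals[tuple(sorted((src, dst)))] += orig_len
    return totals

def top_talkers(pcap: bytes, n: int = 5):
    """Largest conversations first, like sorting Wireshark's view by bytes."""
    return conversations(pcap).most_common(n)

def sample_pcap() -> bytes:
    """Constructed capture: documentation-range addresses, zero-filled payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, size in [("198.51.100.7", "192.0.2.10", 1000),
                           ("192.0.2.10", "198.51.100.7", 1400),
                           ("203.0.113.5", "192.0.2.10", 60),
                           ("198.51.100.7", "192.0.2.10", 1400)]:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * size
        out += struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for pair, size in top_talkers(sample_pcap()):
        print(f"{pair[0]} <-> {pair[1]}  {size} bytes")
```

To run it on a real capture, pass the file contents, e.g. top_talkers(open("web.pcap", "rb").read()).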

4. Block abnormal IP directly with iptables

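# Drop packets arriving from the address
iptables -I INPUT -s 27.185.1.27 -j DROP
# Drop packets sent to the address (on OUTPUT the remote IP is the destination, so match with -d)
iptables -I OUTPUT -d 27.185.1.27 -j DROP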

These steps provide a practical workflow for diagnosing and mitigating network bandwidth problems on Linux servers.
