Which process is using network linux


Find processes using a network interface

Such programs will be using Netlink sockets to talk to the network hardware’s driver directly. lsof version 4.85 added support for Netlink sockets, but in my testing on CentOS 5.8, the feature doesn’t appear to work very well. Perhaps it depends on features added in newer kernels.

However, it is possible to make a pretty good guess about when you’ve run into a Netlink socket. If you cat /proc/net/netlink you get a list of open Netlink sockets, including the PID of processes that have them opened. Then if you lsof -p $THEPID those PIDs, you’ll find entries with sock in the TYPE column and can’t identify protocol in the NAME column. It’s not guaranteed that these are Netlink sockets, but it’s a pretty good bet.

You might also infer that a given process is talking directly to an interface if it has files under /sys/class/net/$IFNAME open.

Now, all that having been said, I think your question is wrong-headed.

Let’s say there is a command I haven’t discovered. Call it lsif -i wlan0, and say it returns a list of PIDs accessing the named interface. What would you be able to do with it which would allow you to “not disturb” processes using that interface, as you’ve requested? Were you planning on killing off all the processes using that interface first? That’s pretty disturbing. 🙂 Maybe you were instead thinking that dropping the interface out from underneath a process using it would somehow be harmful?

What, in the end, is so bad about ifconfig wlan0 down?

Network interfaces are not storage devices. You don’t have to flush data to disk and unmount them gracefully. Not breaking open sockets might be worthwhile, but as you already know, you can figure that out with netstat and lsof. wpa_supplicant isn’t going to sulk if you bounce its interface unceremoniously. (If it does, it’s a bug and needs to be fixed; it wouldn’t indicate some fault of yours.)

Well-written network programs cope with such things as a matter of course. Networks are unreliable. If a program can’t cope with an interface being bounced, it also won’t be able to cope with unplugged Ethernet cables, balky DSL modems, or backhoes.
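
The /proc/net/netlink lookup described in the answer above, as an added example that is not part of the original answer: it parses a table in that file's layout, names the Netlink family of each socket and checks whether the value in the Pid column exists under /proc. The sample table, the PIDs and the function names are constructed for illustration; the Pid column holds the Netlink port ID, which usually equals the owning PID but need not.

```python
import os
from collections import defaultdict

# Subset of the protocol numbers defined in <linux/netlink.h>.
NETLINK_FAMILIES = {0: "ROUTE", 9: "AUDIT", 12: "NETFILTER",
                    15: "KOBJECT_UEVENT", 16: "GENERIC"}

# Constructed sample in the layout of /proc/net/netlink (not real output).
SAMPLE_PROC_NET_NETLINK = """\
sk               Eth Pid        Groups   Rmem     Wmem     Dump  Locks    Drops    Inode
0000000000000000 0   0          00000000 0        0        0     2        0        10
0000000000000000 0   812        00000001 0        0        0     2        0        20511
0000000000000000 16  812        00000000 0        0        0     2        0        20514
0000000000000000 15  401        00000002 0        0        0     2        0        15002
0000000000000000 16  4195116    00000000 0        0        0     2        0        20519
"""

def parse_netlink(table_text):
    """Yield (family_name, port_id, groups_mask) per socket; header skipped."""
    for line in table_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4:          # blank or truncated row
            continue
        proto, port_id = int(cols[1]), int(cols[2])
        name = NETLINK_FAMILIES.get(proto, f"proto-{proto}")
        yield name, port_id, int(cols[3], 16)

def userspace_holders(table_text, proc_root="/proc"):
    """Map port ID -> (sorted families, is_live_pid); port ID 0 is the kernel."""
    families = defaultdict(set)
    for family, port_id, _groups in parse_netlink(table_text):
        if port_id != 0:
            families[port_id].add(family)
    # A port ID with no /proc/<id> directory is not a PID; such sockets
    # have to be attributed some other way (for example with lsof).
    return {pid: (sorted(fams), os.path.isdir(os.path.join(proc_root, str(pid))))
            for pid, fams in families.items()}

if __name__ == "__main__":
    with open("/proc/net/netlink") as table:
        for pid, (fams, live) in sorted(userspace_holders(table.read()).items()):
            print(pid, ",".join(fams), "live PID" if live else "not a PID")
```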

How to get process or port Network bandwidth usage in, As far as I know Linux doesn’t offer an alternative interface to pcap for calculating network usage. /proc/<pid>/stat(us) contains various process information but nothing about network access, only the total I/O usage including disk access. Similarly, to know the port you have to read at least the IP header. …


How do I know what processes are using the network?

netstat --inet -ap will show you what processes are using the internet and what host/port each process is using. If you want IP addresses and not hostnames, use -n. (--inet shows only internet sockets, -a shows both listening and connection sockets, -p shows process name/ID information). You’ll probably want to run it with sudo so that it can give you information about all processes.

nethogs will show you how much bandwidth each process is using, but it doesn’t tell you what host each process is connecting to.

ntop is a bit heavy, but gives you an overview of network traffic in general.

(netstat is installed by default and nethogs and ntop are available in Ubuntu’s repos)

As far as I know there’s no single utility that puts 1, 2, and 3 together.

Nethogs can handle your first two requests. Iftop can handle the third. You may need to press p in iftop to show the port number.

NetHogs is a small ‘net top’ tool. Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process. NetHogs does not rely on a special kernel module to be loaded. If there’s suddenly a lot of network traffic, you can fire up NetHogs and immediately see which PID is causing this. This makes it easy to identify programs that have gone wild and are suddenly taking up your bandwidth.

iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts.

You can also query active connections for each process using netstat -punta run as root to show process names or without to show only PIDs. To get a dynamic real-time view you can easily trick your way around using watch -> watch -n1 netstat -punta (same goes for iftop).

As for alternatives you can use ntop + iftop.


Sort Processes by Network Usage on Linux

1. Overview

In Linux, processes require many resources like CPU, RAM, and disk space, but some processes also take significant network bandwidth resources. For example, video and audio streaming, gaming, real-time communication, IoT, and web crawling server processes are very network-intensive.

In this tutorial, we’ll discuss a few tools and methods to monitor the network usage per process.

2. NetHogs

NetHogs is a small ‘net top’ tool that allows monitoring the network usage of processes running on a Linux system. Most common network monitoring tools break the traffic down per protocol or subnet. In contrast, nethogs groups bandwidth usage by process. So, this tool makes it easy to identify and terminate the programs that have run wild and are suddenly taking up our bandwidth.


NetHogs heavily relies on /proc , hence most features are only available on Linux. There is one subdirectory in the /proc directory for each process running on the system, which is named after the process ID or PID.

2.1. Installation

On Debian-based machines we can:

It is available through the package managers of other distributions too. We can also build and install it from source on a local machine, but to do so we should first install the development dependencies: ncurses for the text-based interface and libpcap for user-level packet capture.

2.2. Usage

After the installation, we have to type sudo nethogs, or plain nethogs as the root user (it won’t work without root privileges):

This command shows PID, username, process, network interface, and the download and upload speed. In the end, we can see the total traffic sent and received sorted in real-time.

Let’s see an example to make it more clear:

In the above example, when we execute the wget command, we can see that the wget process with PID “1066” is at the top of the list.

We can also use the -i option to detect traffic within a network per interface:

In the above example, we can track traffic on wlan0 . We can also view the network bandwidth of both wlan0 and wlan1 with:

Also, we can use the -p option to sniff the traffic in promiscuous mode, although it isn’t recommended:

Similarly, with the -t option, we can see the output in trace mode:

Another commonly used option is -d, which sets the rate at which the tool refreshes its stats on the screen. The output is refreshed every second by default; in the example below, we have set a delay of 3 seconds:

In addition, the tool also has interactive controls:

  • m: to change the units displayed for the bandwidth, cycling through KB/sec -> KB -> B -> MB
  • r: to sort by the magnitude of received traffic
  • s: to sort by the magnitude of sent traffic
  • q: to quit to the shell prompt

3. Using iftop and netstat

We can use iftop to locate the TCP/UDP ports on the machine that are receiving the most traffic and then use another network utility, netstat, to locate the process that owns the port.

The iftop tool is an open-source command-line utility that displays the current bandwidth usage of a specific interface. Unfortunately, it doesn’t display the process that is using the bandwidth. However, we can use netstat, a tool that displays statistics for the TCP and UDP protocols. With the port number, we can find out the process that is causing the problem.

3.1. Installation

Before anything else, we should start by installing libpcap and libncurses libraries using our package manager. Then iftop and net-tools (for netstat) can easily be installed using apt , yum , dnf , or any other package manager:

Likewise, install net-tools:

$ sudo apt install net-tools

3.2. Usage

Once installation is done, run the iftop command without any arguments to view the bandwidth usage of the default interface. It might need sudo or root privileges to capture on the device.


Let’s check the network usage with a base command and its output:

Here it shows the sent and received bytes over multiple time intervals. At the bottom, it displays the cumulative sent and received bytes.

We can specify an interface with the -i option:

This command listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. By default, it sorts the connections by usage.

We can also use the -p option to view the port number:

This displays the list of connections with their ports. For instance, if a connection on port 5432 is using significant bandwidth, we can easily find the process ID with the netstat command:

$ netstat -ltnup | grep ':5432'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 2357

Here, as we can see, the process at port 5432 has PID 2357. There are many other techniques as well to find the PID from the port.
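
How the port-to-PID lookup works underneath, as an added example that is not code from the original tutorial: the socket's inode is read from a table in /proc/net/tcp layout and matched against the fd links under /proc/<pid>/fd. Other users' fd directories are unreadable without root, which is why netstat prints the "Not all processes could be identified" notice. The sample table, its UID and inode values, and the function names are constructed for illustration.

```python
import os

# Constructed sample in the layout of /proc/net/tcp: one listener on
# 0.0.0.0:5432 (0x1538) and one on 127.0.0.1:22 (0x0016). State 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   114        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
"""

def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). Assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    octets = bytes.fromhex(addr_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)

def sockets_on_port(table_text, port):
    """Return (local_ip, state_hex, uid, inode) for each socket bound to port."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        ip, local_port = decode_endpoint(cols[1])
        if local_port == port:
            hits.append((ip, cols[3], int(cols[7]), int(cols[9])))
    return hits

def pids_for_inode(inode, proc_root="/proc"):
    """Find PIDs holding an fd that links to 'socket:[inode]'."""
    target = f"socket:[{inode}]"
    owners = set()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:        # process exited, or unreadable without root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.add(int(pid))
            except OSError:    # fd closed while we were scanning
                pass
    return sorted(owners)

if __name__ == "__main__":
    with open("/proc/net/tcp") as table:          # IPv4 TCP sockets only
        for ip, state, uid, inode in sockets_on_port(table.read(), 5432):
            print(ip, state, uid, inode, pids_for_inode(inode))
```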

4. Conclusion

In this tutorial, we learned ways to sort processes regarding their network usage with the help of iftop and nethogs. We can reveal the issue and keep network traffic running by identifying processes or ports that are draining much of the network bandwidth.

Linux — How to find process using TCP port?, If you are on unix like system you can use netstat to find out which process is listening on a port: sudo netstat -nlp | grep 9000 Turns out the -p option is not available on OS X.


Find processes using a network device

How do I find which processes are using a given network interface at any given moment? I am using Fedora and Ubuntu.

2 Answers

This should show you the information you’re looking for. If you put watch in front of it, you’ll see updates.

If you know the name of the interface in question you can use that name and look among your processes under /proc . We recently ran into an issue where we needed to find which VM (qemu) processes were using a specific network interface.

The interface in question was called enp98s0.134 . That numeric suffix .134 is the VLAN being used for this interface.

$ ip a l enp98s0.134
72: enp98s0.134@enp98s0: mtu 1500 qdisc noqueue master storage state UP group default qlen 1000
    link/ether 00:25:34:12:a1:7f brd ff:ff:ff:ff:ff:ff

To find which processes were using this we merely looked through the /proc to find which QEMU processes were referencing it.

$ for i in $(pgrep qemu); do find /proc/$i -type f | grep enp98s0.134$;done | head
/proc/24217/task/24217/net/vlan/enp98s0.134
/proc/24217/task/24217/net/dev_snmp6/enp98s0.134
/proc/24217/task/24221/net/vlan/enp98s0.134
/proc/24217/task/24221/net/dev_snmp6/enp98s0.134
/proc/24217/task/24222/net/vlan/enp98s0.134
/proc/24217/task/24222/net/dev_snmp6/enp98s0.134
/proc/24217/task/24226/net/vlan/enp98s0.134
/proc/24217/task/24226/net/dev_snmp6/enp98s0.134
/proc/24217/task/24227/net/vlan/enp98s0.134
/proc/24217/task/24227/net/dev_snmp6/enp98s0.134

The 2nd digit in the path is the PID of the QEMU processes. A similar approach can be used if you happen to not know which process at all:

$ find /proc/* -type f | grep enp98s0.134$ | head
/proc/1/task/1/net/vlan/enp98s0.134
/proc/1/task/1/net/dev_snmp6/enp98s0.134
/proc/1/net/vlan/enp98s0.134
/proc/1/net/dev_snmp6/enp98s0.134
/proc/10/task/10/net/vlan/enp98s0.134
/proc/10/task/10/net/dev_snmp6/enp98s0.134
/proc/10/net/vlan/enp98s0.134
/proc/10/net/dev_snmp6/enp98s0.134
/proc/100/task/100/net/vlan/enp98s0.134
/proc/100/task/100/net/dev_snmp6/enp98s0.134

$ find /proc/* -type f | grep enp98s0.134$ | awk -F/ '{print $3}' | sort -u | head -5
1
10
100
101070
104
