Ever wondered which process is eating up all your server's bandwidth? While traditional network monitoring tools show overall interface statistics, they leave you guessing about which specific application or service is the culprit behind unexpected traffic spikes.
Enter NetHogs, a lightweight command-line utility that bridges this gap by displaying real-time network usage statistics grouped by process.
What is NetHogs?
NetHogs is an open-source network monitoring tool designed specifically for Linux systems. It functions as a "top" command for network traffic, providing a live view of which processes are consuming network bandwidth on your system.
The tool operates by capturing network packets and correlating them with running processes through the /proc filesystem. This approach allows NetHogs to attribute network activity directly to specific applications, giving you granular visibility into your system's network behavior.
Unlike comprehensive network analyzers like Wireshark or interface-focused tools like iftop, NetHogs specializes in answering one critical question: which process is using how much bandwidth right now?
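The /proc correlation described above can be sketched as follows. This is an added illustration, not NetHogs' own code: it decodes rows in /proc/net/tcp layout and matches each socket inode against the socket:[inode] links found under /proc/<pid>/fd. The sample table, PIDs and function names are constructed for the example.

```python
import os
import re
import socket
import struct

# Constructed sample in /proc/net/tcp layout (trailing columns omitted).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   120        0 23456
   1: 0A0200C0:C350 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567
   2: 0A0200C0:C351 076433C6:01BB 06 00000000:00000000 00:00000000 00000000     0        0 0
"""
# Constructed stand-in for readlink() on /proc/<pid>/fd/*: pid -> link targets.
SAMPLE_FD_LINKS = {812: ["socket:[23456]", "/dev/null"], 1507: ["pipe:[999]", "socket:[34567]"]}

def decode_endpoint(hex_endpoint):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306); the address is little-endian hex on x86."""
    addr, port = hex_endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Return [(inode, local, remote)] for each socket row; field 9 is the inode."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            rows.append((int(f[9]), decode_endpoint(f[1]), decode_endpoint(f[2])))
    return rows

def read_fd_links(proc="/proc"):
    """Live variant of SAMPLE_FD_LINKS; other users' PIDs need elevated privileges."""
    links = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or access denied
    return links

def attribute(rows, fd_links):
    """Pair each connection with the PID holding its socket inode, or None if unowned."""
    owner = {}
    for pid, targets in fd_links.items():
        for target in targets:
            match = re.fullmatch(r"socket:\[(\d+)\]", target)
            if match:
                owner[int(match.group(1))] = pid
    return [(owner.get(inode), local, remote) for inode, local, remote in rows]
```

The third sample row is a TIME_WAIT socket with inode 0, which no process holds, so it comes back with no owner; this is the kind of traffic that cannot be attributed to a process.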
Key features and capabilities of NetHogs
NetHogs offers several features that make it particularly useful for server administrators:
Real-time process monitoring: View live network usage statistics updated at a regular interval (every second by default), showing both sent and received traffic for each active process.
Minimal resource overhead: The tool uses very little CPU and memory, making it safe to run on production systems without impacting performance.
Process identification: See the full command line and process ID for each network-active application, making it easy to identify exactly what's consuming bandwidth.
Customizable refresh rates: Adjust the update interval to balance between responsiveness and system impact.
Multiple interface support: Monitor network usage across different network interfaces simultaneously.
Installing NetHogs
Most Linux distributions include NetHogs in their standard repositories, making installation straightforward through your package manager.
Ubuntu and Debian systems
sudo apt update
sudo apt install nethogs
CentOS, RHEL, and Fedora systems
For older CentOS and RHEL versions:
sudo yum install nethogs
For newer RHEL-family distributions such as AlmaLinux and Rocky Linux, and for Fedora:
sudo dnf install nethogs
Arch Linux
sudo pacman -S nethogs
Building from source
If you need the latest features or your distribution doesn't include NetHogs, you can compile it from source. NetHogs depends on ncurses for the text-based interface and libpcap for packet capture, so install both development libraries first.
Ubuntu/Debian:
sudo apt-get install build-essential libncurses5-dev libpcap-dev
Yum-based distributions (older CentOS/RHEL):
sudo yum install gcc-c++ libpcap-devel.x86_64 libpcap.x86_64 "ncurses*"
DNF-based distributions (newer RHEL/Fedora):
sudo dnf install gcc-c++ libpcap-devel.x86_64 libpcap.x86_64 "ncurses*"
Getting and building the source:
git clone https://github.com/raboof/nethogs
cd nethogs
make
sudo make install
hash -r
Important: Make sure to change into the nethogs directory before running make. The makefile is located within the cloned repository, not in your current working directory.
You can also download source releases from the GitHub releases page if you prefer not to clone the repository.
How to use NetHogs
NetHogs typically requires root privileges since it needs to capture network packets. The basic syntax is straightforward:
sudo nethogs
This command starts monitoring the default network interface and displays a real-time table showing:
- PID: Process ID
- USER: User running the process
- PROGRAM: Process name and command line
- DEV: Network interface being used
- SENT: Data transmitted by the process
- RECEIVED: Data received by the process
Running without root privileges
If you need to run NetHogs as a non-root user, you can set the required capabilities on the executable:
sudo setcap "cap_net_admin,cap_net_raw,cap_dac_read_search,cap_sys_ptrace+pe" /usr/local/sbin/nethogs
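This grants the necessary permissions for packet capture (cap_net_admin, cap_net_raw) and process information access (cap_dac_read_search, cap_sys_ptrace) without requiring full root access. File capabilities apply to anyone who can execute the binary, so every local user with execute permission on it gains this level of visibility; adjust the path if NetHogs is installed somewhere other than /usr/local/sbin.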
Monitoring specific interfaces
To monitor a particular network interface, specify it as an argument:
sudo nethogs eth0
You can monitor multiple interfaces simultaneously:
sudo nethogs eth0 eth1 wlan0
Adjusting the refresh rate
By default, NetHogs updates every second. Use the -d flag to change the refresh interval:
# Update every 3 seconds
sudo nethogs -d 3
Filtering by user
To show network usage for processes owned by specific users:
sudo nethogs -u username
Interactive controls
While NetHogs is running, you can use these keyboard shortcuts:
- q: Quit the program
- s: Sort by sent traffic
- r: Sort by received traffic
- m: Toggle between different measurement units (KB/s, MB/s, etc.)
Practical use cases
NetHogs proves particularly valuable in several common scenarios that server administrators encounter regularly.
Troubleshooting bandwidth issues
When users report slow network performance or you notice unusual traffic patterns in your monitoring dashboards, NetHogs can quickly identify the source. For instance, you might discover that a backup script is consuming excessive bandwidth during business hours, or that a compromised service is generating unexpected outbound traffic.
Monitoring server applications
On web servers, database servers, or application servers, NetHogs helps verify that network usage aligns with expected patterns. You can confirm that your web server processes are handling the expected load, or identify if background services are consuming more bandwidth than anticipated.
Security monitoring
Unexpected network activity often indicates security issues. NetHogs can help detect compromised processes that might be participating in botnets, exfiltrating data, or performing other malicious activities by showing unusual network patterns for system processes.
Capacity planning
Understanding which applications consume the most bandwidth helps with infrastructure planning. This data becomes particularly valuable when considering server upgrades or network capacity changes.
Understanding the output
The NetHogs display shows network usage in a tabular format that updates continuously. Traffic measurements appear in human-readable units (KB/s, MB/s) and represent the current transfer rate, not cumulative totals.
You'll notice a line labeled "unknown TCP" in the output. This represents traffic that cannot be associated with any specific process, typically because the process terminated before its network activity could be properly attributed. As long as the amount of unknown traffic remains relatively small, it can usually be ignored safely.
Process identification includes both the executable name and command-line arguments, which helps distinguish between multiple instances of the same program running with different configurations.
Limitations and considerations
While NetHogs excels at process-level network monitoring, it has some limitations to keep in mind.
The tool only captures traffic that passes through network interfaces, so local communication between processes using Unix sockets won't appear in the output. Additionally, NetHogs requires root access, or the file capabilities described under "Running without root privileges," to function, which may limit its use in environments with strict privilege restrictions.
On systems with very high network throughput, the process of packet capture and correlation can introduce some overhead, though this is typically minimal for most server workloads.
For comprehensive network analysis involving protocol details, connection states, or historical data, you'll need additional tools alongside NetHogs.
Advanced tips and tricks
Creating network usage reports
You can capture NetHogs output to files for later analysis:
sudo nethogs -t > network_usage.log
The -t flag switches to "tracing mode," which outputs machine-readable text instead of the interactive display.
Monitoring specific processes
While NetHogs doesn't have built-in process filtering, you can combine it with other tools:
sudo nethogs -t | grep -E "(apache2|nginx|mysql)"
Integration with monitoring systems
For automated monitoring, you can parse NetHogs output and send metrics to monitoring systems like Prometheus, Grafana, or custom dashboards.
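One way to parse tracing-mode output for a report or an alert, as an added example that is not part of NetHogs. It assumes each interval starts with a "Refreshing:" line followed by rows of the form program/pid/uid<TAB>sent<TAB>received; check this against the output of your NetHogs version. The sample text, function names, allowlist and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the assumed `nethogs -t` layout (not real output).
SAMPLE_TRACE = (
    "Refreshing:\n"
    "/usr/sbin/nginx/2101/33\t120.5\t15.25\n"
    "/usr/bin/python3/4410/1000\t950.0\t2.0\n"
    "unknown TCP/0/0\t0\t0\n"
    "\n"
    "Refreshing:\n"
    "/usr/sbin/nginx/2101/33\t80.0\t20.0\n"
    "/usr/bin/python3/4410/1000\t1200.0\t3.5\n"
)

def parse_trace(text):
    """Yield (interval, program, pid, uid, sent, received) for each process row."""
    interval = 0
    for line in text.splitlines():
        if line.startswith("Refreshing:"):
            interval += 1
            continue
        try:
            ident, sent, recv = line.split("\t")
            # The program path itself contains slashes, so split from the right.
            program, pid, uid = ident.rsplit("/", 2)
            yield interval, program, int(pid), int(uid), float(sent), float(recv)
        except ValueError:
            continue  # banner, blank, or malformed line

def peak_rates(text):
    """Return {(program, pid): (peak_sent, peak_received)} across all intervals."""
    peaks = defaultdict(lambda: (0.0, 0.0))
    for _, program, pid, _, sent, recv in parse_trace(text):
        s, r = peaks[(program, pid)]
        peaks[(program, pid)] = (max(s, sent), max(r, recv))
    return dict(peaks)

def unexpected_senders(text, expected, sent_limit):
    """List (program, pid, peak_sent) for programs outside `expected` above sent_limit."""
    return sorted(
        (program, pid, sent)
        for (program, pid), (sent, _) in peak_rates(text).items()
        if program not in expected and sent > sent_limit
    )
```

Rates are in whatever unit the selected view mode reports, so set the threshold in the same unit.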
Running as a service
Consider creating a systemd service to run NetHogs continuously and log output for historical analysis, particularly useful on production servers where ongoing monitoring is important.
Conclusion
NetHogs fills a critical gap in Linux network monitoring by providing process-level visibility into bandwidth usage. Whether you're troubleshooting performance issues, monitoring application behavior, or investigating security concerns, NetHogs offers the specific insight you need to understand which processes are consuming network resources.
The combination of real-time monitoring, minimal overhead, and straightforward output makes NetHogs an essential addition to any system administrator's toolkit. When network issues arise, having the ability to quickly identify the responsible process can save hours of investigation time and prevent costly downtime.
Why not give it a try?
Frequently asked questions about NetHogs
What's the difference between NetHogs and other network monitoring tools?
NetHogs focuses specifically on showing network usage per process, while tools like iftop show traffic between hosts and vnstat provides historical interface statistics. NetHogs answers "which process is using bandwidth," while other tools answer different networking questions.
Can NetHogs monitor Docker containers?
Yes, NetHogs can monitor network usage by Docker containers since it tracks processes. Container processes appear in the output with their process IDs, though you may need to correlate PIDs with specific containers using Docker commands.
How accurate are NetHogs measurements?
NetHogs provides very accurate real-time measurements by capturing actual network packets. However, measurements represent instantaneous rates that fluctuate constantly, so observe the tool for several minutes to understand typical usage patterns.
Can NetHogs affect server performance?
NetHogs has minimal performance impact on most systems. The packet capture process uses very little CPU and memory, making it safe for production use even on busy servers.