The only Linux command you need for monitoring network traffic – and how to use it

ZDNET’s key takeaways

  • There are several ways to monitor network traffic on Linux.
  • You should regularly check on incoming and outgoing traffic.
  • One of the best tools for this is iftop.

Linux has a tool for everything. Sometimes those tools come in the form of an easy-to-use GUI, and other times a command is necessary. For monitoring network traffic, your best bet is the command line.

Once you dive down the rabbit hole of possible commands for this task, you could become overwhelmed with choices — and with the complexity of some of those commands. 

I wanted to find an easier way to check network traffic, and it didn’t take long to find what I was looking for.

The tool I used to use for this is Wireshark, but I’ve found it’s been a bit cumbersome over the years. Also, getting the Flatpak version of Wireshark working properly is a PITA. 

Why use something complex when something simple will do?

The best solution I found is the iftop command. According to the iftop man page, “iftop – display bandwidth usage on an interface by host.” The iftop command listens to network traffic on a specific network interface (or the first interface it finds) and displays an easy-to-read table for bandwidth usage. 

The table iftop presents displays incoming and outgoing traffic in a way that’s easy to discern. 

Iftop is also flexible, with several important options. However, you don’t have to get bogged down in options, as I’ve found that only one is necessary.

Let me show you how this is done.

Installing iftop

What you’ll need: Iftop can be installed from the standard repositories of most Linux distributions, so all you’ll need is your Linux distro of choice and a user with sudo access.

First, open your default terminal app from your desktop menu (or panel or dock). 

To install iftop, run one of the following commands:

  • On Ubuntu-based distributions: sudo apt-get install iftop -y
  • On Fedora-based distributions: sudo dnf install iftop -y
  • On Arch-based distributions: sudo pacman -S iftop

Once installed, you’re ready to go.

Using iftop

Using iftop is incredibly easy. However, the first step is to identify the network interface to be monitored. If you don’t use a specific interface, iftop will default to the first it finds, which may not function properly.

To locate the interface in question, issue the command:

ip a

In the output, you should see something that looks like this:

wlp15s0:

The name of the above interface is wlp15s0, and that’s what we’ll use for the iftop command.

With our interface name in hand, the command you will want to run is:

sudo iftop -i INTERFACE

Where INTERFACE is the name of your interface. For example, I would run the command:

sudo iftop -i wlp15s0

The table will immediately appear and display both incoming and outgoing traffic. What you need to look for are the incoming and outgoing characters, which are:

  • <= – incoming
  • => – outgoing

The first thing I look at is what traffic is coming into my system. If I see a URL or IP address that looks suspicious, I’ll look it up using the Whois service. If something doesn’t look right, you can block that IP address in your firewall.

Next, I’ll look at the outgoing traffic. The big thing I’m looking for here is telemetry. In other words, is there an installed app sending information to a third party? For example, I currently see 24.224.186.35.bc.googleusercontent.com. Fortunately, that address is harmless. If, on the other hand, you see outgoing traffic pointing to googlebot.com, your computer could be sending telemetry.

I use iftop quite regularly, because I’m always curious what’s coming in and going out of my computer. If I see anything that looks suspicious, I look it up immediately. If that address turns out to be suspect, you can be sure that I’ll block it using my OS’s firewall.
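For the interface-selection step above, here is an added example (not from the article) that picks the interface carrying the default route instead of reading it off ip a by eye, then takes a single text-mode iftop snapshot that can be saved and reviewed later. The function name, the --demo and --run switches and the sample routes are this example's own; it assumes the default-route interface is the one you want to watch.

```shell
#!/bin/sh
# Added example, not from the article: pick the interface that carries the
# default route, then take one non-interactive iftop snapshot of it.

# Constructed sample of `ip route show default` output (wired + Wi-Fi laptop).
SAMPLE_ROUTES='default via 192.168.1.1 dev wlp15s0 proto dhcp src 192.168.1.50 metric 600
default via 10.0.0.1 dev enp3s0 proto dhcp src 10.0.0.20 metric 100'

# Read default-route lines on stdin and print the device of the route with the
# lowest metric, which is the one the kernel prefers. Fails if there is none.
default_iface() {
    awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < best_metric)) {
                best = dev; best_metric = metric
            }
        }
        END { if (best == "") exit 1; print best }
    '
}

case "${1:-}" in
    --demo)   # parse the constructed sample only; needs no root and no network
        printf '%s\n' "$SAMPLE_ROUTES" | default_iface ;;
    --run)    # live: resolve the interface, then print one 10-second snapshot
        iface=$(ip route show default | default_iface) || {
            echo "no default route found; pass -i yourself" >&2; exit 1; }
        [ -d "/sys/class/net/$iface" ] || { echo "unknown interface" >&2; exit 1; }
        # -t text mode, -s 10 exit after 10 s, -n/-N no DNS or port-name lookups,
        # -P show ports
        sudo iftop -t -s 10 -n -N -P -i "$iface" ;;
esac
```

Because of -n, the snapshot lists raw IP addresses rather than resolved names, which is the form a Whois lookup or a firewall rule needs.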
