flowtop - Linux


Overview

flowtop is a modern Linux command-line tool that provides a high-level overview of network traffic. It is primarily designed to help network administrators, security analysts, and system operators gain insights into network traffic patterns and identify potential issues.

Syntax

flowtop [-a] [-b BYTES] [-c COUNT] [-d DISPLAY_FIELDS] [-e] [-h] [-i [INTERFACE_NAME]] [-l LOG_FILTER] [-m INTERVAL] [-n] [-P PROTOCOL] [-p PORT] [-s] [-t] [-u] [-x]

Options/Flags

  • -a: Show all network interfaces.
  • -b BYTES: Filter traffic by byte size (e.g., "-b 1024" for traffic over 1KB).
  • -c COUNT: Maximum number of results to display.
  • -d DISPLAY_FIELDS: Specify which fields to display (e.g., "-d 'src.ip,src.port,dst.ip,dst.port'").
  • -e: Display detailed flow information.
  • -h: Display help.
  • -i [INTERFACE_NAME]: Specify the network interface to monitor.
  • -l LOG_FILTER: Use a libpcap-style filter to select specific network traffic (e.g., "-l 'tcp and port 80'").
  • -m INTERVAL: Set the refresh interval in seconds (default: 1).
  • -n: Do not resolve IP addresses to hostnames.
  • -P PROTOCOL: Filter traffic by protocol (e.g., "-P tcp" for TCP traffic).
  • -p PORT: Filter traffic by destination port (e.g., "-p 22" for SSH traffic).
  • -s: Sort results by size (highest first).
  • -t: Sort results by timestamp (newest first).
  • -u: Show unicast traffic only.
  • -x: Exit after a single display.

Examples

  • Display a real-time overview of all network traffic:
      flowtop
  • Show only TCP traffic over port 80:
      flowtop -l 'tcp and port 80'
  • Display detailed flow information, refreshing every 10 minutes (600 seconds):
      flowtop -e -m 600
  • Monitor traffic on a specific interface (e.g., eth0):
      flowtop -i eth0

Common Issues

  • No output: Make sure the network interface is active and that you have sufficient permissions to capture traffic.
  • Incorrect IP addresses: If -n is not specified, flowtop may fail to resolve IP addresses to hostnames.
  • Timeouts: Increase the -m interval if the command times out frequently.

Integration

flowtop can be used with other Linux commands, such as:

  • tcpdump: Capture network traffic for later analysis with flowtop.
  • netstat: View active network connections and use -f flowtop to display flowtop-compatible output.

Related Commands

  • tcptrack: Track and visualize TCP connections.
  • nload: Monitor network bandwidth usage.
  • nethogs: Identify processes consuming network bandwidth.