Several ways to view or count network card traffic on Linux

author:Computational Science and Informatization

At work, we often need to see the real-time NIC traffic of the server. Usually, we use these methods to view the real-time network card traffic of the Linux server.

Contents

1、sar

2、 /proc/net/dev

3、ifstat

4、iftop

5、nload

6、iptraf-ng

7、nethogs

8. Expansion

1、sar

The sar command is included in the sysstat toolkit and provides per-interface network statistics, including the number of packets sent and received per second and the traffic on each device.

sar -n DEV 1 2           

The command above reads the network card values (default eth0) once per second, for a total of 2 readings, and then displays them:

Detailed tutorial reference blog: sar — one of the most comprehensive system profiling tools on Linux

2、cat /proc/net/dev

The Linux kernel provides a mechanism to access kernel internal data structures and change kernel settings at runtime through the /proc file system. The proc file system is a pseudo-file system that exists only in memory and does not occupy external memory space. It provides an interface to access system kernel data in the form of a file system. Users and applications can get information about the system through proc, and can change certain parameters of the kernel. Since system information, such as processes, is dynamically changed, when a user or application reads a proc file, the proc file system dynamically reads the required information from the system kernel and submits it.

The /proc file system contains many directories, of which /proc/net/dev is a way for users to read or change network adapters and statistics.

Note: Because proc is a pseudo-file system that exists only in memory, the statistics here cover the period from system startup to the moment the command is run; if the system restarts, the data is cleared.

Parameter description:

bytes: The total number of bytes of data sent or received by the interface

packets: The total number of packets sent or received by the interface

errs: The total number of send or receive errors detected by the device driver

drop: The total number of packets dropped by the device driver

fifo: The number of FIFO buffer errors

frame: The number of packet framing errors

colls: The number of collisions detected on the interface

compressed: The number of compressed packets sent or received by the device driver

carrier: The number of carrier losses detected by the device driver

multicast: The number of multicast frames sent or received by the device driver

In fact, many of the commands we commonly use to view real-time NIC traffic work by reading the counters in this file and doing a simple calculation.
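
The calculation described above, as an added example (not from the original article): parse two /proc/net/dev snapshots and turn the byte counters into per-interface rates. SNAP_T0 and SNAP_T1 are constructed sample data assumed to be taken 2 seconds apart, and the function names are this example's own.

```python
import pathlib
import time

# Constructed sample snapshots in /proc/net/dev layout (not from a real host).
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast"
    "|bytes    packets errs drop fifo colls carrier compressed\n"
)
SNAP_T0 = HEADER + (
    "  eth0:500000  400 0 0 0 0 0 0   200000  300 0 0 0 0 0 0\n"
    " wlan0:  90000   90 0 0 0 0 0 0    40000   50 0 0 0 0 0 0\n"
)
SNAP_T1 = HEADER + (
    "  eth0:756000  600 0 0 0 0 0 0   264000  380 0 0 0 0 0 0\n"
    " wlan0:    300    3 0 0 0 0 0 0      120    2 0 0 0 0 0 0\n"
)

def parse_net_dev(text):
    """Return {iface: {"rx_bytes": int, ..., "tx_bytes": int, ...}}."""
    lines = text.splitlines()
    # Column names come from the second header line: " face |rx cols|tx cols".
    _, rx_names, tx_names = lines[1].split("|")
    keys = ["rx_" + n for n in rx_names.split()]
    keys += ["tx_" + n for n in tx_names.split()]
    stats = {}
    for line in lines[2:]:
        if ":" not in line:
            continue
        # The name can be fused to the first counter ("eth0:500000"), so split on ":".
        name, values = line.split(":", 1)
        stats[name.strip()] = dict(zip(keys, map(int, values.split())))
    return stats

def byte_rates(before, after, seconds):
    """Bytes/s per interface as (rx, tx); None if a counter went backwards."""
    rates = {}
    for name in before.keys() & after.keys():
        rx = after[name]["rx_bytes"] - before[name]["rx_bytes"]
        tx = after[name]["tx_bytes"] - before[name]["tx_bytes"]
        # Counters start again from zero after a restart, so there is no valid delta.
        rates[name] = None if rx < 0 or tx < 0 else (rx / seconds, tx / seconds)
    return rates

if __name__ == "__main__":  # live use on a Linux host
    path = pathlib.Path("/proc/net/dev")
    first = parse_net_dev(path.read_text())
    time.sleep(1)
    print(byte_rates(first, parse_net_dev(path.read_text()), 1))
```

In the sample data the wlan0 counters are lower in the second snapshot, which is what the reset mentioned in the note above looks like, so no rate is reported for it.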

3、ifstat

ifstat is a tool that counts the activity status of network interfaces.

(1) Installation

sudo apt-get update
sudo apt-get install ifstat           

(2) Command options

-l Monitor the loopback interface (lo). By default, ifstat monitors all active non-loopback interfaces. In use, it turns out that adding -l monitors all network interfaces, not only lo; that is, with -l the output contains one more interface (lo) than without it.

-a Monitor all network interfaces that can be detected. In use, this shows one more interface, plip0, than the -l parameter; a search shows that this is a parallel port (a network device called PLIP (Parallel Line Internet Protocol). It provides a parallel port... )

-z Hide interfaces with no traffic, such as interfaces that are up but not used

-i specifies the interface to monitor, followed by the network interface name

-s equals the -d snmp:[comm@][#]host[/nn]] parameter, which queries a remote host through SNMP

-h Displays brief help information

-n Turn off the periodic header display (without -n, ifstat prints the interface names at the top and prints them again whenever the output scrolls past one screen, so that we know which interface the displayed traffic belongs to; with -n the interface names are printed only once)

-t Add a time stamp at the beginning of each line (tells us the exact time)

-T reports the total bandwidth of all monitored interfaces (the last column has a total that shows the IN traffic for all interfaces and the OUT traffic for all interfaces, simply add the IN traffic of all interfaces and add the OUT traffic)

-w uses the specified column width instead of automatically enlarging the column width to accommodate the length of the interface name

-W wraps text automatically if the content is wider than the width of the terminal window

-S Keep state updated on the same line (no scrolling, no line breaking) Note: This is handy if you don't like screen scrolling, similar to how bmon is displayed

-b Displays bandwidth in kbits/s instead of kbytes/s

-q Quiet mode, no warning message appears

-v Displays version information

-d specifies a driver to collect state information

(3) Example of use:

ifstat -tT

Parameter description:

in: The total number of bytes received by the NIC

out: The total number of bytes sent by the NIC

4、iftop

iftop is a real-time traffic monitoring tool that monitors TCP/IP connections, etc., but the disadvantage is that there is no reporting function. You must be root to run.

(1) Installation

sudo apt-get update
sudo apt-get install iftop
           

(2) Command options

iftop -h | [-npblNBP] [-i interface] [-f filter code] [-F net/mask] [-G net6/mask6]

Detailed parameter description:

-i : Specify the NIC to be monitored

-n: Displays the output host information by IP, and does not perform reverse DNS resolution

-B: Display the NIC traffic in bytes, which is bits by default

-p: Runs iftop in promiscuous mode, at which point iftop can be used as a network sniffer

-N: Displays only the connection port number, not the service name corresponding to the port

-P: Displays host and port information, this parameter is very useful

-F: Displays the incoming and outgoing traffic of the NIC for a specific network segment, for example: iftop -F 192.168.12.0/24

-m: Set the maximum value of the top flow scale in the iftop output interface, and the flow scale is displayed in five large segments

-t : Displays the result using text instead of the interface

-L : Specifies the number of rows for which the result is displayed

-s sec: Outputs the result after sec seconds and then exits automatically

(3) Example of use:

1、sudo iftop -i eth0 -t -s 30 -L 100

Note that over a longer run, the sum of the per-IP cumulative values may not equal the final Cumulative value; the results can instead be collected every 40s and then added up.

2、sudo iftop -i eth0

The output of iftop can be divided into three main parts as a whole:

  1. The top line of the iftop output is the traffic scale, which is used to display the bandwidth of the network card.
  2. The largest part of the iftop output is divided into left, center, and right columns. The left and middle columns record which IPs or hosts are connected to the local machine. The "=>" in the column means sending data and "<=" means receiving data, so the direction of communication between the two IPs is clear from the arrow. The rightmost column is divided into three small columns, which show the average traffic between the external IP and the local machine over the last 2 seconds, 10 seconds, and 40 seconds, respectively. This section also has a traffic graph bar, which dynamically shows the traffic volume against the scale in the first part. The graph bar makes it easy to see which IP has the most traffic and to quickly locate possible traffic problems in the network.
  3. The third part is at the bottom of the iftop output and consists of three lines, where "TX" means data sent, "RX" means data received, and "TOTAL" means all traffic sent and received. These three rows have three columns: the "cum" column is the total traffic sent, received, and combined from when iftop was started to the present. The "peak" column is the peak of the sent, received, and total traffic. The "rates" column is the average traffic over the past 2s, 10s, and 40s.

After entering the iftop interface, press the following keys to control what is displayed:

h: Toggle the help display

n: Toggle between showing hostnames and host IPs

s: Toggle display of the local host

d: Toggle display of the remote host

t: Switch the display format between 2 lines/1 line/sent traffic only/received traffic only

N: Toggle between showing port numbers and port service names

S: Toggle display of the local host's port information

D: Toggle display of the remote target host's port information

p: Toggle display of port information

P: Toggle pause/resume of the display

b: Display the average flow graph bar switch, with the bandwidth of the first line of the interface as the ruler, the white bar chart in the figure above is

B: Toggle whether the average traffic is calculated over 2 seconds, 10 seconds, or 40 seconds

T: Toggle display of the total traffic for each connection

l: Turn on screen filtering; enter the characters to filter on, such as an IP, and press Enter, and the screen will show only the traffic related to that IP

L: Toggle the scale at the top of the screen; the traffic graph bars change with the scale

J or K: Scroll the connection records on the screen up or down

1 or 2 or 3: Sort by one of the three traffic columns displayed on the right

<: Sort by the local hostname or IP on the left

>: Sort by the hostname or IP address of the remote destination host

o: Toggle whether the display is fixed to show only the current connections

f: Edit the filter code

!: Run a shell command

Q: Exit

5、nload

nload is a console application that monitors network traffic and bandwidth usage in real time, using two graphs to visualize incoming and outgoing traffic and provide additional information such as total amount of data exchanged, minimum/maximum network bandwidth usage, and more.

(1) Tool installation

sudo apt-get update 
sudo apt-get install nload           

(2) Command options

Option description: nload [options] [devices]

-a: Set the time period for calculating the average network speed, in seconds; the default is 300.

-i: Set the maximum scale of the traffic graph for traffic entering the network card; the default is 10240 kBit/s.

-m: Do not display the traffic graph, only the statistics.

-o: Set the maximum scale of the traffic graph for traffic leaving the network card; the default is 10240 kBit/s.

-t: Set the refresh interval of the data, in milliseconds; the default is 500.

-u: Set the data units of Curr, Avg, Min, and Max on the right, which are chosen automatically by default. Note that upper-case and lower-case units are different!

h|b|k|m|g h: auto, b: Bit/s, k: kBit/s, m: MBit/s etc.

H|B|K|M|G H: auto, B: Byte/s, K: kByte/s, M: MByte/s etc.

-U: Set the data unit of Ttl on the right, which is chosen automatically by default. Note that upper-case and lower-case units are different (the same as -u)!

devices: The network cards to monitor; all are monitored by default. Use the left and right arrow keys to switch between them.

(3) Example of use:

nload eth0

6、iptraf-ng

iptraf-ng is a powerful tool for observing network flow rates, allowing you to drill down from the hardware layer (network card), to the network layer (IPv4, IPv6), to the transport layer (TCP, UDP etc.), all the way to each socket pair.

(1) Tool installation

sudo apt-get update 
sudo apt-get install iptraf-ng           

(2) Command options

Parameter description:

iptraf-ng [options]:

-h, --help :show this help message

-i :start the IP traffic monitor (use '-i all' for all interfaces)

-d :start the detailed statistics facility on an interface

-s :start the TCP and UDP monitor on an interface

-z :shows the packet size counts on an interface

-l :start the LAN station monitor (use '-l all' for all LAN interfaces)

-g :start the general interface statistics

-B :run in background (use only with one of the above parameters)

-f :clear all locks and counters

-t :run only for the specified number of minutes

-L :specifies an alternate log file

(3) Use examples

sudo iptraf-ng -s eth0 is used to count the traffic of each port:

7、nethogs

NetHogs was created primarily to see the traffic of individual processes. It is a small "net top" tool that groups bandwidth by process instead of by protocol or subnet like most tools. nethogs does not rely on a special kernel module. If the network becomes congested, you can start nethogs and immediately see which PID is causing it, which makes it easy to find the program that is taking up the bandwidth and then deal with it.

(1) Tool installation

sudo apt-get update 
sudo apt-get install nethogs           

(2) Tool options

Usage:

nethogs [-V] [-h] [-b] [-d seconds] [-v mode] [-c count] [-t] [-p] [-s] [device [device [device ...]]]

-V : Print version.

-h : Print this help.

-b : Bughunt mode - implies tracemode.

-d : Delay for the update refresh rate, in seconds. The default value is 1.

-v : View mode (0 = KB / s, 1 = total KB, 2 = total B, 3 = total MB). The default value is 0.

-c : Number of updates. The default is 0 (unlimited).

-t : tracemode.

-p : Sniff in promiscuous mode (not recommended).

-s : Sorts the output by the send column.

-a : Monitor all devices, even loopback/stopped ones.

device : The device(s) to monitor. The default is all interfaces that are up and running, excluding loopback

When nethogs is running, press:

Q: Exit

s: Sort by SENT traffic

r: Sort by RECEIVE traffic

m: Switch between total (KB, B, MB) and KB/s mode

(3) Use examples

sudo nethogs eth0

8. Expansion

In addition to the tools mentioned above, Linux also provides some other traffic monitoring tools, such as:

  • ip: View the total traffic on the NIC
  • dstat: An all-round system information statistics tool used to replace vmstat, iostat, netstat, nfsstat and ifstat, supporting real-time data refresh and intuitive, easy-to-understand output
  • ss and netstat: Common commands for viewing active connections and listening ports. ss is a better alternative to netstat and is recommended
  • NetHogs: A tool designed to view the traffic of individual processes, grouping bandwidth by process