LinuxQuestions.org


bt101 11-23-2016 07:41 PM

How to log what process is using bandwidth?
 
Hi
I need to find out what process is using bandwidth sometime in the past. This is on Ubuntu 14.04 server. Logging one ethernet NIC going to the internets.

I tried vnstat but it does log processes.
I tried nethogs but it does not log anything and if you look at the screen 5 days later (or just one hour later) it is blank as the stuff just scrolls off.
I tried ntop but it does not log processes. Ntop appears to have some sort of log called "top talkers" which seems to show sites contacted. I would settle for that, but I can't make head nor tails of this log. These top talkers seem to be based on data rate and not data amount which is useless.

Is there an elegant solution that logs and shows the heavy hitters (as opposed to logging everything and filling the disk in short order)?
Thanks

Ztcoracat 11-23-2016 08:34 PM

You need to use nethogs command. It is a small “net top” tool.
https://www.cyberciti.biz/faq/linux-...ing-bandwidth/

http://serverfault.com/questions/407...g-my-bandwidth

You can also give Wireshark a try. It's a good software program that does a lot of stuff.
It will even show you if your ISP is throttling you. You will have to read the documentation and learn how to run Wireshark.

https://www.wireshark.org/docs/wsug_...ldInstall.html

https://wiki.archlinux.org/index.php/wireshark

Otherwise; wait for other members to give you suggestions.--:)

Good Luck-

bt101 11-24-2016 06:31 PM

Quote:

Originally Posted by Ztcoracat (Post 5634058)
You need to use nethogs command. It is a small “net top” tool.
https://www.cyberciti.biz/faq/linux-...ing-bandwidth/

Thanks. Unfortunately nethogs doesn't log. I'd need to pay a guy to sit and watch it... I need something called netlogs :rolleyes:
As a last resort I can look at something like wireshark or tcpdump. I'd be on a steep learning curve and I think those log everything/fill-up the disk. I should first check and see if there is an existing app.

Ztcoracat 11-24-2016 07:17 PM

You're Welcome-;)

Yup, Wireshark does have a learning curve.

I've never tried tcpdump. Good luck and Happy Thanksgiving.

http://www.tcpdump.org/
https://danielmiessler.com/study/tcpdump/#gs.ID=EpoI

Habitual 11-25-2016 07:10 AM

iptraf logs.

Ztcoracat 11-25-2016 04:37 PM

Thanks Habitual:-

Would the ip traffic log be in /var/log/messages?
(I'm not on a server)

bt101 11-25-2016 07:09 PM

Quote:

Originally Posted by Habitual (Post 5634388)
iptraf logs.

Thanks. Unfortunately:
Quote:

Log files can grow very fast, so be prepared with plenty of free space and delete unneeded logs.
link

I gave it a try with logging, and (unless I'm mistaken) it produces raw output that essentially requires a whole-nother program to make sense of the output. The same dilemma as with programs such as tcpdump. Also there is no process info.

The irony is that, in my search for such a tool, I keep tripping over Windoze apps. I would have thought it would be the other way-around where linux would have a plethora of tools like this. ;)

Ztcoracat 11-25-2016 08:10 PM

Quote:

it produces raw output that essentially requires a whole-nother program to make sense of the output. The same dilemma as with programs such as tcpdump. Also there is no process info.
What a mess. Sorry this is so difficult for you.

I'd think that there would be something within the application itself that would interpret the output. Isn't there something called ethereal that opens the raw dump and interprets it for you?

Based on what you found (your search) it doesn't sound like understanding what's being analyzed and produced isn't easy to interpret.

I see that interpreting the output isn't a walk in the park.
Examining tcpdump Output
http://books.gigatux.nl/mirror/snort...-2-SECT-6.html

-::- Maybe Habitual knows a way around this:-;)-::-


http://www.binarytides.com/linux-com...nitor-network/
https://www.google.com/#q=linux+prog...ing+ip+traffic

Jjanel 11-25-2016 11:19 PM

collectl? ?? (1st LQguru to post right switches wins /proc/$$/net/...;) )

Habitual 11-26-2016 06:13 AM

Code:

sudo apt-get install -y iptraf
collectl is a darn good tool to have around but I'm not exactly sure how to slice and dice "bandwidth" down to a program/utility level.
When iptraf is set to log (enabled upon start? Check!) it will collect packets similar to wireshark/tcpdump but in textual format.
Are you hosting publicly accessible website content?
Is this a "server" with Wordpress, Joomla!?
Is this a hosted solution such as a VPS, or a rented/leased Dedicated Server?

If you can't make heads or tails of the log, I suppose a snippet of any log you have could
be sanitized and posted? Say 50 lines at http://pastie.org/
Make it Private and paste the url here after your review for sensitive info.

Or not.

Measuring "bandwidth":
18 commands to monitor network bandwidth on Linux server
Find one you like, use it, make an assessment and let us know.
Start a new thread and reference this one as "history". :)


The shed is pretty well stocked with "bandwidth" tools.
Code:

vnstat
is the first place I check after existing logs.
Install it using:
Code:

sudo apt-get install vnstat
Wait an hour, run
Code:

vnstat
again.
If no data, then you may have > 1 NIC or it may be checking the wrong interface.
When I install vnstat, I set a perm alias using
Code:

alias vnstat="vnstat -i eth1"
in my ~/.bashrc, so I don't have to remember that it doesn't either,
You may not have an "eth1" designated interface, adjust accordingly. vnstat does log summary data.

Good Luck.
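
For the original question (a small log of heavy hitters per process, by data amount rather than rate), here is an added example that is not from any poster in this thread. It assumes input in the line format of nethogs trace mode (`nethogs -t`), taken here to be `program/pid/uid<TAB>sent<TAB>received` in KB/s with one sample per second; the sample data and the function name `heavy_hitters` are constructed for illustration.

```python
#!/usr/bin/env python3
"""Summarise per-process traffic from nethogs trace-mode style output."""
import sys
from collections import defaultdict

# Constructed sample; assumed line format: program/pid/uid<TAB>sent<TAB>received (KB/s).
SAMPLE = """\
Refreshing:
/usr/sbin/apache2/1201/33\t12.5\t3.0
/usr/bin/rsync/4410/0\t900.0\t4.0
unknown TCP/0/0\t0.0\t0.0
Refreshing:
/usr/sbin/apache2/1201/33\t10.0\t2.5
/usr/bin/rsync/4410/0\t1100.0\t6.0
Refreshing:
/usr/bin/apt-get/4502/0\t1.0\t300.0
not a sample line
"""

def heavy_hitters(lines, interval_s=1.0, top_n=2):
    """Return [(program, pid, kb_sent, kb_received)] for the top_n talkers by volume."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for raw in lines:
        fields = raw.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue  # "Refreshing:" markers and anything unparseable
        try:
            # The program path itself contains slashes, so split from the right.
            program, pid, _uid = fields[0].rsplit("/", 2)
            pid = int(pid)
            sent, received = float(fields[1]), float(fields[2])
        except ValueError:
            continue
        # rate (KB/s) x sample interval (s) = volume (KB) moved in this sample
        totals[(program, pid)][0] += sent * interval_s
        totals[(program, pid)][1] += received * interval_s
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0] + kv[1][1], reverse=True)
    return [(prog, pid, tx, rx) for (prog, pid), (tx, rx) in ranked[:top_n]]

if __name__ == "__main__":
    # With no piped input, run on the constructed sample above.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for prog, pid, tx, rx in heavy_hitters(source):
        print(f"{prog} (pid {pid}): sent {tx:.1f} KB, received {rx:.1f} KB")
```

Fed a bounded capture of trace output, it keeps only the top entries, so what gets written to disk is a few lines per run instead of every packet.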

