Hi
I need to find out what process is using bandwidth sometime in the past. This is on Ubuntu 14.04 server. Logging one ethernet NIC going to the internets.

I tried vnstat but it does log processes.
I tried nethogs but it does not log anything and if you look at the screen 5 days later (or just one hour later) it is blank as the stuff just scrolls off.
I tried ntop but it does not not log processes. Ntop appears to have some sort of log called "top talkers" which seems to show sites contacted. I would settle for that, but I can't make head nor tails of this log. These top talkers seem to be based on data rate and not data amount which is useless.

Is there an elegant solution that logs and shows the heavy hitters (as opposed to logging everything and filling the disk in short order)?
Thanks

You need to use nethogs command. It is a small “net top” tool.
https://www.cyberciti.biz/faq/linux-...ing-bandwidth/

http://serverfault.com/questions/407...g-my-bandwidth

You can also give Wireshark a try. It's a good software program that does a lot of stuff.
It will even show you if your ISP is throttling you. You will have to read the documentation and learn how to run Wireshirk.

https://www.wireshark.org/docs/wsug_...ldInstall.html

https://wiki.archlinux.org/index.php/wireshark

Otherwise; wait for other members to give you suggestions.--

Good Luck-

Thanks. Unfortunately nethogs doesn't log. I'd need to pay a guy to sit and watch it... I need something called netlogs
As a last resort I can look at something like wireshark or tcpdump. I'd be on a steep learning curve and I think those log everything/fill-up the disk. I should first check and see if there is an existing app.

1 members found this post helpful.

You're Welcome-

Yup, Wireshark does have a learning curve.

I've never tried tcpdump. Good luck and Happy Thanksgiving.

http://www.tcpdump.org/
https://danielmiessler.com/study/tcpdump/#gs.ID=EpoI

iptraf logs.

Thanks Habitual:-

Would the ip traffic log be in /var/log/messages?
(I'm not on a server)

Thanks. Unfortunately:
link

I gave it a try with logging, and (unless I'm mistaken) it produces raw output that essentially requires a whole-nother program to make sense of the output. The same dilemma as with programs such as tcpdump. Also there is no process info.

The irony is that, in my search for such a tool, I keep tripping over Windoze apps. I would have thought it would be the other way-around where linux would have a plethora of tools like this.

What a mess. Sorry this is so difficult for you.

I'd think that there would be something within the application itself that would interpret the output.Isn't there something called ethereal that opens the raw dump and interprets it for you?

Based on what you found (your search) it doesn't sound like understanding what's being analyzed and produced isn't easy to interpret.

I see that interpreting the output isn't a walk in the park.
Examining tcpdump Output
http://books.gigatux.nl/mirror/snort...-2-SECT-6.html

-::- Maybe Habitual knows a way around this:--::-


http://www.binarytides.com/linux-com...nitor-network/
https://www.google.com/#q=linux+prog...ing+ip+traffic

collectl? ?? (1st LQguru to post right switches wins /proc/$$/net/... )

collectl is a darn good tool to have around but I'm not exactly sure how to slice and dice "bandwidth" down to a program/utility level.
When iptraf is set to log (enabled upon start? Check!) it will collect packets similar to wireshark/tcpdump but in textual format.
Are you hosting publicly accessible website content?
Is this a "server" with Wordpress, Joomla!?
Is this a hosted solution such as a VPS, or a rented/leased Dedicated Server?

If you can't make heads or tails of the log, I suppose a snippet of any log you have could
be sanitized and posted? Say 50 lines at http://pastie.org/
Make it Private and paste the url here after your review for sensitive info.

Or not.

Measuring "bandwidth":
18 commands to monitor network bandwidth on Linux server
Find one you like, use it, make an assessment and let us know.
Start a new thread and reference this one as "history".


The shed is pretty well stocked with "bandwidth" tools.
is the first place I check after existing logs.
Install it using:
Wait ah hour, run
again.
If no data, then you may have > 1 NIC or it may be checking the wrong interface.
When I install vnstat, I set a perm alias using
in my ~/.bashrc, so I don't have to remember that it doesn't either,
You may not have an "eth1" designated interface, adjust accordingly. vnstat does log summary data.

Good Luck.