How to Track and Fix High Network Traffic on Your Linux Instance

If you’re running a Linux instance and suspect that the bandwidth is being overused, you can use a few tools to investigate what’s causing the high traffic.

Tools like SAR, iftop, and NetHogs can help you identify the processes responsible for the load and take action to fix the issue.

Common Scenarios

  1. High bandwidth usage: If your instance is using too much bandwidth, you need to figure out which processes are causing it.
  2. Fix the issue: Once you identify the problematic processes, you can either:
    • Check if the process is behaving normally and take action (e.g., upgrade bandwidth or stop the process).
    • Terminate the process if it’s not working as expected.

Using SAR (System Activity Reporter)

SAR (part of the sysstat package) collects detailed system performance data. With the -n DEV option it reports how much data each network interface has sent and received.

Basic SAR Command:

To monitor network traffic, you can run:

sar -n DEV [interval] [count]
  • -n DEV: Report network device (interface) statistics.
  • [interval]: Time between statistics collections, in seconds (e.g., 1).
  • [count]: How many times to collect data before exiting.

Example:

Run the following command to monitor traffic every second for 5 times:

sar -n DEV 1 5

Sample Output:

Linux 4.18.0-80.el8.x86_64 (my-ecs-instance)     01/25/2024  _x86_64_        (4 CPU)

12:00:01 PM  IFACE  rxpck/s  txpck/s  rxkB/s  txkB/s  rxcmp/s  txcmp/s  rxmcst/s
12:00:02 PM  eth0     204.00   150.00    16.00    12.00     0.00     0.00     0.00
12:00:03 PM  eth0     198.00   145.00    15.50    11.80     0.00     0.00     0.00
12:00:04 PM  eth1     250.00   180.00    20.00    14.00     0.00     0.00     0.00
12:00:05 PM  eth1     270.00   190.00    22.00    16.00     0.00     0.00     0.00
Average:      eth0     200.00   150.00    16.25    11.90     0.00     0.00     0.00
Average:      eth1     260.00   185.00    21.00    15.00     0.00     0.00     0.00

In this example, eth1 (the Internet-facing interface) shows the higher traffic in the Average rows, so it is the likely source of the high bandwidth usage. You can now investigate this interface further with iftop or NetHogs.
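Reading the Average rows by eye works for two interfaces; on a host with many, a small script does the same check. The following is an added example (not part of the original article): it embeds a constructed copy of the sar output above, ranks interfaces by average rx+tx kB/s, and flags those above a threshold (30 kB/s here is a constructed value, not a recommendation).

```shell
#!/bin/sh
# Constructed sample of `sar -n DEV 1 5` output, modelled on the page's example
# (not captured from a real host).
SAR_SAMPLE='Linux 4.18.0-80.el8.x86_64 (my-ecs-instance)     01/25/2024  _x86_64_        (4 CPU)

12:00:01 PM  IFACE  rxpck/s  txpck/s  rxkB/s  txkB/s  rxcmp/s  txcmp/s  rxmcst/s
12:00:02 PM  eth0     204.00   150.00    16.00    12.00     0.00     0.00     0.00
12:00:03 PM  eth0     198.00   145.00    15.50    11.80     0.00     0.00     0.00
12:00:04 PM  eth1     250.00   180.00    20.00    14.00     0.00     0.00     0.00
12:00:05 PM  eth1     270.00   190.00    22.00    16.00     0.00     0.00     0.00
Average:      eth0     200.00   150.00    16.25    11.90     0.00     0.00     0.00
Average:      eth1     260.00   185.00    21.00    15.00     0.00     0.00     0.00'

# Read `sar -n DEV` output on stdin and print "IFACE rx+tx_kB/s" per interface,
# busiest first. Only the "Average:" rows are used: unlike the timed rows, whose
# field positions shift between 12-hour (AM/PM) and 24-hour locales, they always
# have IFACE in $2, rxkB/s in $5 and txkB/s in $6.
sar_avg_by_iface() {
    LC_ALL=C awk '$1 == "Average:" && $2 != "IFACE" {
        printf "%s %.2f\n", $2, $5 + $6
    }' | LC_ALL=C sort -k2 -nr
}

# Print the names of interfaces whose average rx+tx rate exceeds $1 kB/s.
# The threshold is a constructed value for this example; derive yours from
# the instance's normal baseline.
flag_busy_ifaces() {
    sar_avg_by_iface | LC_ALL=C awk -v t="$1" '$2 > t { print $1 }'
}

# Stand-alone run against the sample (live use: sar -n DEV 1 5 | flag_busy_ifaces 30)
printf '%s\n' "$SAR_SAMPLE" | flag_busy_ifaces 30
```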


Using iftop

iftop is a real-time tool that shows traffic on network interfaces. It can help you see which ports or IP addresses are using the most bandwidth.

Basic iftop Command:

To monitor the eth0 interface, you can use:

iftop -i eth0

You can also include the -P flag to display port numbers:

iftop -i eth0 -P

Sample Output:

                          2s            10s           40s
IP Address    Port     TX     RX     TX     RX     TX     RX   (KB/s)
--------------------------------------------------------------------
192.168.1.1   58690   25.0   30.0   30.0   35.0    0.0    1.0
192.168.1.2   80       5.0   10.0    5.0   12.0    0.0    0.0
--------------------------------------------------------------------
Total         -       30.0   40.0   35.0   47.0    0.0    1.0

In this output:

  • 192.168.1.1 is using port 58690 with a lot of traffic (TX = 25 KB/s, RX = 30 KB/s). This could be a process that’s consuming a lot of bandwidth.

To find out which process is using that port, you can run:

netstat -tunlp | grep 58690

Sample Output:

tcp        0      0 0.0.0.0:58690           0.0.0.0:*               LISTEN      12345/myapp

This tells you that myapp is listening on port 58690 with a process ID (PID) of 12345. Note that -l limits the output to listening sockets; drop it (netstat -tunp) to include established connections such as the one iftop showed, and run the command as root, otherwise the PID/Program name column shows - for processes you do not own.

If you need to stop this process, run:

kill -TERM 12345
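A bare grep on the port number also matches any other line that happens to contain those digits (a PID, another port, a byte count), so before sending a signal it is worth matching on the Local Address column only. The following is an added example (not code from the article): it parses a constructed netstat -tunlp listing, modelled on the sample above, and returns the PID and program for an exact local port.

```shell
#!/bin/sh
# Constructed `netstat -tunlp` output modelled on the page's sample (not from a real host).
# The mysqld line has PID 58690 on purpose: a plain `grep 58690` matches it too.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:58690           0.0.0.0:*               LISTEN      12345/myapp
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      58690/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:5869            0.0.0.0:*                           777/other'

# Read netstat -tunlp (or -tunp) output on stdin and print "PID PROGRAM" for the
# socket whose local port is exactly $1. Matching ":PORT" at the end of the Local
# Address column ($4) avoids the false hits a bare grep on the number gives, and
# using $NF copes with udp rows, which have no State column. "- -" means the
# process is not visible to the current user (run netstat as root to see it).
pid_for_port() {
    LC_ALL=C awk -v p="$1" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" p "$") {
            if ($NF == "-") { print "- -" }
            else { split($NF, f, "/"); print f[1], f[2] }
        }'
}

# Stand-alone run against the sample (live use: netstat -tunlp | pid_for_port 58690)
printf '%s\n' "$NETSTAT_SAMPLE" | pid_for_port 58690
```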

Using NetHogs

NetHogs shows the bandwidth usage per process, making it easy to see which program is consuming bandwidth.

Basic NetHogs Command:

To monitor the eth1 interface, use:

nethogs eth1

Sample Output:

PID   USER     PROGRAM       DEV  SENT    RECEIVED
------------------------------------------------
12345  root     myapp         eth1  2.1 KB  15.3 KB
67890  user     webserver     eth1  5.2 KB  3.1 KB
------------------------------------------------
Total               eth1     7.3 KB   18.4 KB

Here:

  • myapp (PID 12345) is sending 2.1 KB/s and receiving 15.3 KB/s on eth1.
  • webserver (PID 67890) is using 5.2 KB/s sent and 3.1 KB/s received.

If you suspect myapp is causing problems, you can stop it:

kill -TERM 12345

You can sort the processes by sent or received data by pressing s or r while running NetHogs.


Handling Malicious Traffic

If you discover a malicious or unwanted process using too much bandwidth, you can:

  1. Terminate the process with:
     kill -TERM [PID]
  2. Block suspicious IP addresses using iptables:
     iptables -A INPUT -s [malicious-IP] -j DROP

Rules added with -A exist only in the running firewall and are lost on reboot unless you save them (for example with iptables-save).

If the traffic is coming from a specific IP, you can also analyze access logs (e.g., web server logs) to verify whether the traffic is harmful before blocking it.
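One way to do that log check is to total requests and response bytes per client address and turn the heavy hitters into rules for review. This is an added example, not code from the article: the access-log lines are constructed (combined log format), the 100000000-byte threshold is a constructed value, and the iptables rules are printed for an operator to review rather than applied.

```shell
#!/bin/sh
# Constructed web-server access log lines in combined log format (not from a real host).
# 192.0.2.44 pulls one very large file; 203.0.113.10 probes for paths that do not exist.
ACCESS_LOG='203.0.113.10 - - [25/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jan/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
203.0.113.10 - - [25/Jan/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
203.0.113.10 - - [25/Jan/2024:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [25/Jan/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Jan/2024:12:00:03 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "-" "curl/8.4"
198.51.100.7 - - [25/Jan/2024:12:00:04 +0000] "HEAD /about.html HTTP/1.1" 200 - "-" "Mozilla/5.0"'

# Read access-log lines on stdin and print "IP requests bytes" per client, most
# bytes first. $1 is the client IP and $10 the response size, which the server
# writes as "-" when no body was sent (e.g. HEAD), so that case counts as 0.
traffic_by_ip() {
    LC_ALL=C awk '{
        req[$1]++
        bytes[$1] += ($10 == "-" ? 0 : $10)
    } END {
        for (ip in req) printf "%s %d %.0f\n", ip, req[ip], bytes[ip]
    }' | LC_ALL=C sort -k3 -nr
}

# Print the client IPs whose total bytes exceed $1 (a constructed threshold in
# this example; derive yours from the site's normal traffic).
block_candidates() {
    traffic_by_ip | LC_ALL=C awk -v t="$1" '$3 > t { print $1 }'
}

# Turn a list of IPs (one per line) into the iptables rule from the page, one per
# IP. The rules are printed for an operator to review and apply, not executed here.
drop_rules() {
    while IFS= read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run against the sample
# (live use: block_candidates 100000000 < access.log | drop_rules)
printf '%s\n' "$ACCESS_LOG" | block_candidates 100000000 | drop_rules
```

Bytes alone do not prove malice: the large download here may be legitimate, while the 404 probes from 203.0.113.10 use little bandwidth, so read the request column together with the byte column before blocking.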


Summary of Key Commands

  • SAR:
    sar -n DEV 1 5
    Monitors network activity and shows the amount of data sent and received per interface.

  • iftop:
    iftop -i eth0 -P
    Displays real-time traffic information by IP and port.

  • NetHogs:
    nethogs eth1
    Shows the traffic usage by each process on a specific interface.