iftop and ntopng are fantastic tools for real-time network bandwidth monitoring, and NetFlow is a powerful protocol for collecting flow data from routers and switches. While iftop gives you a live, top-N view of connections, ntopng offers a more comprehensive, long-term analysis. NetFlow, on the other hand, is about exporting flow records that tools like ntopng can ingest.

Here’s iftop in action:

sudo iftop -i eth0 -n -P

This command starts iftop on the eth0 interface, disables DNS lookups (-n for faster display), and shows port numbers (-P). You’ll see a terminal-based display like this:

                                   4s      2s      5s
  TOTAL                                         100Mb 100Mb 100Mb
           192.168.1.100:54321                 10Mb  10Mb  10Mb
           192.168.1.100:54322                 5Mb   5Mb   5Mb
           192.168.1.101:80                    20Mb  20Mb  20Mb
           192.168.1.102:443                   15Mb  15Mb  15Mb

Each line represents a connection, showing the source/destination IP and port, and the current bandwidth usage. The columns represent the average bandwidth over 4 seconds, 2 seconds, and 5 seconds.

Now, let’s look at ntopng. It’s a web-based application, so you’d typically install and configure it to run as a service. After starting, you access its web interface (usually at http://your-server-ip:3000). You’ll see dashboards with graphs and tables for traffic by host, protocol, and port.

Here’s a snippet of what you might see in ntopng’s "Top Talkers" view:

[Image: ntopng Top Talkers example]

This view lists hosts and their total bandwidth consumed, broken down by ingress and egress. You can drill down into individual hosts to see their specific connections and protocols.

NetFlow, by contrast, isn’t something you run directly on your laptop in the same way. It’s a protocol implemented by network devices (routers, switches) to export metadata about IP traffic flows. A "flow" is a sequence of packets between a source and destination with specific common properties (source/dest IP, ports, protocol, etc.).

Your router or switch is configured to send NetFlow records to a "collector" – this is where ntopng often comes in, acting as a NetFlow collector (among other things).

The problem iftop and ntopng solve is making network traffic visible. Without them, you know the pipe’s capacity, but not who’s using it or for what. iftop is for immediate, "what’s happening right now on this interface?" troubleshooting. ntopng is for understanding patterns over time, identifying bandwidth hogs, and detecting anomalies. NetFlow enables ntopng (and other collectors) to gather this data from multiple network devices without needing to run agents on every host.

The core mechanism of iftop is packet capture (using libpcap). It listens to traffic on an interface and, for each packet, extracts the source and destination IP addresses, ports, and protocol. It then aggregates these into "flows" in memory and displays the bandwidth consumption for each flow. The display is updated rapidly, giving that real-time feel.

ntopng uses similar packet capture for its local interface monitoring but can also ingest NetFlow, sFlow, IPFIX, and other flow data protocols. When acting as a collector, it receives flow records from network devices, stores them (often in a database), and provides rich analytical tools through its web UI. This allows for centralized monitoring of traffic across an entire network, not just on the host where ntopng is running.

The most surprising thing about how iftop calculates bandwidth is its reliance on packet timing. It doesn’t measure bytes directly in a continuous stream. Instead, it timestamps packets and calculates the time elapsed between receiving packets belonging to the same flow. The bandwidth is then inferred by dividing the number of bytes in those packets by the elapsed time. This means that under extreme load, especially with very small packets, the accuracy can be slightly affected by the scheduler’s ability to deliver packets to iftop promptly.

When configuring NetFlow on a Cisco device, for instance, you’d typically use commands like:

Router(config)# ip flow-export version 9
Router(config)# ip flow-export destination 192.168.50.10 2055
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit

Here, version 9 is a common NetFlow version, 192.168.50.10 2055 is the IP address and UDP port of your NetFlow collector, and ip flow ingress / ip flow egress enable flow accounting on the interface for traffic entering and leaving it.
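With that configuration in place, the collector's UDP port receives NetFlow v9 packets: a 20-byte header, a template flowset that describes the record layout, and data flowsets that follow that layout. The parser below is an added example, not code from this page or from ntopng; `parse_v9` and `sample_packet` are hypothetical names, the packet bytes are constructed, and the field numbers are the ones defined in RFC 3954.

```python
import ipaddress
import struct

# Field type numbers from RFC 3954 (NetFlow v9); only the subset used here.
FIELDS = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
          8: "src_ip", 11: "dst_port", 12: "dst_ip"}

def parse_v9(packet, templates):
    """Decode one v9 export packet; `templates` persists across packets."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 packet")
    source_id = struct.unpack("!I", packet[16:20])[0]  # last field of the 20-byte header
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")  # lengths arrive over UDP, so check them
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: template id, field count, (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    raise ValueError("bad template")
                templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
                pos = end
        elif (source_id, fs_id) in templates:  # data flowset: its id is the template id
            spec = templates[(source_id, fs_id)]
            rec_len, pos = sum(n for _, n in spec), 0
            while rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, n in spec:
                    raw, pos = body[pos:pos + n], pos + n
                    rec[FIELDS.get(ftype, f"field_{ftype}")] = (
                        str(ipaddress.ip_address(raw)) if ftype in (8, 12)
                        else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += fs_len
    return flows

def sample_packet():
    """Constructed bytes: one template (id 256) and one data record, padded to 32 bits."""
    # Template 256 with 7 fields, as (type, length) pairs: 8/4 12/4 7/2 11/2 4/1 1/4 2/4
    tmpl = struct.pack("!HH14H", 256, 7, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4, 2, 4)
    data = bytes([192, 168, 1, 100, 192, 168, 1, 101])  # constructed src and dst addresses
    data += struct.pack("!HHBII", 54321, 80, 6, 1500, 3) + b"\x00" * 3  # ports, TCP, bytes, pkts
    hdr = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 1)  # header with source_id 1
    return (hdr + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Data flowsets that arrive before their template are skipped here, and templates are keyed by source ID so one exporter's layout is never applied to another's records.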

The next concept you’ll want to explore is setting up ntopng as a NetFlow collector and then configuring your network devices to export flow data to it.
