🖥️ Server Administration 10 min read

Monitoring Network Traffic on Linux Servers

Tools and techniques for monitoring network traffic, identifying bandwidth consumers, and detecting anomalies on Linux servers.

Real-Time Monitoring Tools

iftop — Bandwidth by Connection

Shows real-time bandwidth usage per connection, sorted by throughput:

# Install
sudo apt install iftop

# Monitor eth0
sudo iftop -i eth0

# Filter to specific ports (e.g., HTTP and HTTPS); -f takes a pcap filter expression
sudo iftop -i eth0 -f "port 80 or port 443"

nethogs — Bandwidth by Process

Shows which processes are consuming bandwidth:

sudo apt install nethogs
sudo nethogs eth0

# Output (SENT/RECEIVED are rates, KB/sec by default):
# PID    USER    PROGRAM        DEV     SENT     RECEIVED
# 1234   www     nginx          eth0    5.2 KB   120 KB
# 5678   root    apt            eth0    0.1 KB   45 KB

nload — Interface Throughput

Simple real-time graph of incoming/outgoing traffic:

sudo apt install nload
nload eth0
# Shows current, average, min, max, total for in/out

Historical Monitoring

vnstat — Long-Term Statistics

Lightweight daemon that logs traffic statistics persistently:

sudo apt install vnstat

# View daily stats
vnstat -d

# Monthly summary
vnstat -m

# Top 10 traffic days
vnstat -t

# Live monitor
vnstat -l -i eth0

vnstat stores data in a local database and uses minimal resources — ideal for always-on monitoring without performance impact.

Packet Capture & Analysis

tcpdump — Capture Packets

# Capture HTTP traffic
sudo tcpdump -i eth0 port 80 -w capture.pcap

# Live view of DNS queries
sudo tcpdump -i eth0 port 53 -n

# Capture traffic to/from a specific IP
sudo tcpdump -i eth0 host 203.0.113.50

# Read a capture file
tcpdump -r capture.pcap -n

ss — Connection State Analysis

# Count connections by state
ss -s

# Show all established connections with process info
ss -tnp state established

# Count established connections per remote IP (detect abuse).
# With a "state" filter ss omits the State column, so the peer address is
# field 4, not 5; strip the :port suffix and IPv6 brackets before counting.
ss -tn state established | awk 'NR > 1 { print $4 }' | \
  sed -E 's/:[0-9]+$//; s/^\[(.*)\]$/\1/' | sort | uniq -c | sort -rn | head -20
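As an added example (not code from the original page), the script below turns the peer-counting one-liner into reusable shell functions and runs them over a constructed sample of `ss -tn state established` output. It strips ports, unwraps bracketed IPv6 peers and collapses IPv4-mapped IPv6 addresses onto their IPv4 form so a client talking over both sockets is counted once, then flags any peer holding more than a chosen number of connections. The addresses in the sample and the limit of 2 connections are made up for illustration; in production pipe real `ss` output into `top_peers`.

```shell
#!/bin/bash
# Added example: count established TCP peers from `ss -tn state established`
# output and flag connection hogs. Live use:
#   ss -tn state established | top_peers 20 | flag_abusers 200

# Print "count peer-ip", busiest first, for at most $1 peers (default 20).
# ss with a state filter prints no State column, so the peer is field 4.
# The sed expression strips ":port", unwraps "[ipv6]" and maps "::ffff:a.b.c.d"
# back to "a.b.c.d".
top_peers() {
  local limit="${1:-20}"
  awk 'NR > 1 && NF >= 4 { print $4 }' \
    | sed -E 's/:[0-9]+$//; s/^\[(.*)\]$/\1/; s/^::ffff:([0-9.]+)$/\1/' \
    | sort | uniq -c | sort -rn | head -n "$limit"
}

# Read "count peer-ip" lines and print the peers holding more than $1 connections.
flag_abusers() {
  local max="$1"
  awk -v max="$max" '$1 > max { print $2 }'
}

# Constructed sample of `ss -tn state established` output (not a real capture).
SAMPLE='Recv-Q Send-Q Local Address:Port       Peer Address:Port Process
0      0      10.0.0.1:443              203.0.113.50:51000
0      0      10.0.0.1:443              203.0.113.50:51001
0      0      10.0.0.1:443              203.0.113.50:51002
0      0      10.0.0.1:22               198.51.100.7:40022
0      0      [2001:db8::1]:443         [2001:db8:ffff::9]:55000
0      0      [::ffff:10.0.0.1]:443     [::ffff:198.51.100.7]:40023'

printf '%s\n' "$SAMPLE" | top_peers 20
printf '%s\n' "$SAMPLE" | top_peers 20 | flag_abusers 2
```

The constructed sample yields three peers: 203.0.113.50 with 3 connections, 198.51.100.7 with 2 (one native IPv4, one IPv4-mapped) and 2001:db8:ffff::9 with 1; with a limit of 2, only 203.0.113.50 is flagged. For a real server the limit should come from the baseline of your own application, not from this illustration.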

Setting Up Alerts

Combine monitoring with alerting for proactive response:

#!/bin/bash
# Simple bandwidth alert, run from cron every 5 minutes.
# vnstat --oneline reports today's cumulative totals with unit suffixes (e.g. "1.23 GiB"),
# not a current rate, so sample the kernel's per-interface byte counters instead.
IFACE=eth0
INTERVAL=5          # seconds between the two samples
THRESHOLD=100000    # 100 Mbit/s expressed in kbit/s
STATS=/sys/class/net/$IFACE/statistics
before=$(( $(cat "$STATS/rx_bytes") + $(cat "$STATS/tx_bytes") ))
sleep "$INTERVAL"
after=$(( $(cat "$STATS/rx_bytes") + $(cat "$STATS/tx_bytes") ))
CURRENT=$(( (after - before) * 8 / INTERVAL / 1000 ))   # kbit/s, rx+tx combined
if [ "$CURRENT" -gt "$THRESHOLD" ]; then
  echo "High bandwidth alert on ${IFACE}: ${CURRENT} kbit/s" | \
    mail -s "Bandwidth Alert" [email protected]
fi

What to Monitor

Metric               Normal range          Alert threshold
Bandwidth            Baseline ±20%         >2x baseline
Active connections   Per your app load     >10x normal
Unique source IPs    Baseline ±50%         >5x baseline
DNS queries/sec      10-100                >1000 (possible use as a reflector in a DNS amplification attack)
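The DNS row of the table is the one threshold you cannot read off `ss`, since DNS is UDP. As an added example (not code from the original page), the functions below count queries per second and per source host from the text output of `tcpdump -n -l udp port 53`, then flag any second above a threshold. Query lines are recognised by the record type followed by `?` (`A?`, `AAAA?`, `ANY?`), which responses lack. The capture lines in `SAMPLE` are constructed for offline use; the timestamps, addresses and the threshold of 2 queries/sec are illustrative only, and on a real resolver you would feed live tcpdump output and use the 1000 queries/sec figure from the table.

```shell
#!/bin/bash
# Added example: DNS query-rate detection over tcpdump text output. Live use:
#   sudo tcpdump -n -l -i eth0 udp port 53 | dns_query_rate | flag_dns_bursts 1000

# Print "HH:MM:SS count" for every second that carried DNS queries.
# A query line ends like "...: 1234+ A? example.com. (29)"; a response carries
# answer counts such as "1/0/0" and no "TYPE?" token, so it is skipped.
dns_query_rate() {
  awk '/ [A-Z0-9]+\? / && ($2 == "IP" || $2 == "IP6") {
         sec = substr($1, 1, 8)
         count[sec]++
       }
       END { for (s in count) print s, count[s] }' | sort
}

# Print "count source-ip" per querying host (tcpdump's trailing .port removed),
# busiest first; one host dominating the table points at a single abuser.
dns_query_sources() {
  awk '/ [A-Z0-9]+\? / && ($2 == "IP" || $2 == "IP6") {
         src = $3; sub(/\.[0-9]+$/, "", src)
         count[src]++
       }
       END { for (s in count) print count[s], s }' | sort -rn
}

# Read "second count" lines and print the seconds whose rate exceeds $1.
flag_dns_bursts() {
  awk -v max="$1" '$2 > max { print $1, $2 }'
}

# Constructed tcpdump -n lines (not a real capture): four queries in one second,
# three of them ANY queries from one host, then one AAAA query a second later.
SAMPLE='14:02:11.100000 IP 198.51.100.7.40001 > 10.0.0.53.53: 1001+ A? example.com. (29)
14:02:11.100500 IP 10.0.0.53.53 > 198.51.100.7.40001: 1001 1/0/0 A 93.184.216.34 (45)
14:02:11.200000 IP 203.0.113.9.5000 > 10.0.0.53.53: 2+ ANY? example.org. (29)
14:02:11.200100 IP 203.0.113.9.5000 > 10.0.0.53.53: 3+ ANY? example.org. (29)
14:02:11.200200 IP 203.0.113.9.5000 > 10.0.0.53.53: 4+ ANY? example.org. (29)
14:02:12.000000 IP6 2001:db8::7.40002 > 2001:db8::53.53: 77+ AAAA? example.net. (30)
14:02:12.000300 IP6 2001:db8::53.53 > 2001:db8::7.40002: 77 1/0/0 AAAA 2001:db8::1 (58)'

printf '%s\n' "$SAMPLE" | dns_query_rate
printf '%s\n' "$SAMPLE" | dns_query_sources
printf '%s\n' "$SAMPLE" | dns_query_rate | flag_dns_bursts 2
```

On the sample, 14:02:11 counts 4 queries and 14:02:12 counts 1, so a threshold of 2 flags only the first second, and `dns_query_sources` puts 203.0.113.9 on top with 3 queries. Repeated ANY queries from one source, as in the sample, are the classic signature of a server being used as an amplification reflector; the counting here is per-line and does not reassemble fragmented or TCP DNS traffic.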
