Any tool to log bandwidth usage per application?

Anyone know a tool to log bandwidth usage that includes what app the traffic comes from OR the address?

There is vnstat, it can tell me how much internet I used at certain period but it does not tell me where are that number came from.

There is nethogs which shows address but it does not keep track of how much I spent.

I’m looking something like Glass Wire, I don’t need firewall feature, I just want to know what app consume my bandwidth the most, is it discord? is it firefox? is it steam?!

Not sure if this is what you’re looking for, but you could try iftop. :arrow_down:

sudo pacman -S iftop

… or… :arrow_down:

pamac install iftop

No no, it shows current traffic similar to nethogs.

What I’m looking for is something like vnstat but it shows me where all the traffic come from OR which application uses it.

like uhmmm…
I installed it, then running it in the background everytime my PC turned on, it will record my internet usage.
And then I can check the recorded usage, something like this:

network usage this month:
firefox - 2,540 MB
discord - 300 MB
steam - 725 MB
pamac - 1,415 MB
-- and so on
Total : 14,248 MB

like a report.

vnstat almost do that, but it only shows Total and nothing else.

I’m not sure there is any such tool, simply because all network traffic must pass through the kernel ─ most people don’t know this, but the Linux kernel is actually a firewall.

So apart from total bandwidth, outgoing traffic, incoming traffic and blocked or rerouted traffic, I don’t think there are any statistics available per individual application. But then again, I’m no expert on networking. :thinking:

Okay, I think I may have found something: bpytop-git. But that’s an AUR package, so it’ll have to be built into binary code on your local machine. pamac can do that for you. :arrow_down:

pamac build bpytop-git

but that iftop can tell the address, it simply didn’t log the activity.

Maybe if per application not possible, logging per address is good enough.

I think nethogs able to detect per application basis.
here is nethogs:


unfortunately again, they didn’t log it. @,@

Hmm, from my understanding after trying it, it work just like gnome-system-monitor. it can show internet traffic but not per applications. Let alone logging the accumulated internet usage.

Perhaps there is no such tool. The best I could find is mostly just work like vnstat which only tell me how much total internet usage.

Maybe wireshark-cli and wireshark-qt? They’re in the Manjaro repos. :arrow_down:

pamac install wireshark-cli wireshark-qt

Probably not. or maybe it’s because it’s too complicated for me to understand. It doesn’t seem to show any bandwidth.

Looks like best solution would be using nethogs and save the log file.
#nethogs -t &> /path/to/logfile.txt
Now I just need to find a way to run bash script on startup with root privilege and then make tool to read it.

Found something similar here.

1 Like

Perhaps writing a systemd service file would be the best way to accomplish that.

https://wiki.archlinux.org/title/Systemd

1 Like

I recently created picosnitch (available in the AUR) which should do exactly what you’re looking for. It uses bpf for bandwidth monitoring, expanding on the approach given here. Hope this helps!

4 Likes

Oh that is very cool tool! But it’s quite noisy one, it kept sending notification.
I got this message:

Warning: running picosnitch on systems with btrfs is not fully supported due to dev number strangeness and non-unique inodes

What does that mean? is it because the / is btrfs or are there specific directory this tool is referring? like /var?

It’s the first time I used btrfs for my /. I’m using ext4 for /home, perhaps there is other directory than /home that may need separate ext4 partition that I did not know yet.

It created /home/$USER/.config/picosnitch directory but it’s owned by root. Is that how it supposed to work?

Thanks! And yes it’s a little noisy at first, but after it’s seen most of the stuff on your system it’ll quiet down, you can also turn off desktop notifications in the configuration if you’re only interested in bandwidth.

For most purposes, using it on BTRFS is perfectly fine, I do as well, it should only send that message when you start the daemon.

The reason for that message is just for awareness that if you have a BTRFS partition anywhere on your system, there is a possibility a malicious program could have the same inode as another program, and then the executable hash associated with the traffic would refer to the other program, possibly allowing the malicious program to hide. This is only theoretical, and extremely unlikely to happen by chance, and then the exe path should still be different unless it knew ahead to use a mount namespace to appear in the same location.

The goal was to make this accurate and reliable enough to be used for security auditing or intrusion detection, since I haven’t seen anything else accurate enough for that purpose.

Yep, exactly, in hindsight though I probably could have picked a better directory to use.