If you wish to monitor the top bandwidth consuming processes on a Linux system, you can use the nethogs program, which displays bandwidth usage by process. It will display the process id (PID) of the processes consuming the most bandwidth. E.g.:

Linux Command Line Tutorial For Beginners
Linux Command Line Tutorial
For Beginners
1x1 px

NetHogs version 0.8.5

    PID USER     PROGRAM                    DEV        SENT      RECEIVED       
  19355 jim      sshd: jim@pts/0            enp1s4      0.188       0.082 KB/sec
  15022 apache   /usr/sbin/httpd            enp1s4      0.000       0.000 KB/sec
      ? root     unknown TCP                            0.000       0.000 KB/sec

  TOTAL                                                 0.188       0.082 KB/sec

The above output shows me that the two processes consuming the most bandwidth at the time the program was run had PIDs of 19355 and 15022. I can get additional information on those processes using the ps command.

$ ps 19355
19355 ?        S      0:19 sshd: jim@pts/0
$ ps 15022
15022 ?        S      0:00 /usr/sbin/httpd -DFOREGROUND

To install nethogs on a CentOS Linux system, you can use the yum utility, if you have installed support for the EPEL repository - see Installing support for the EPEL repository on CentOS.

Udemy - April2516-25off-sitewide120x600

# yum install nethogs
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Resolving Dependencies
--> Running transaction check
---> Package nethogs.x86_64 0:0.8.5-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package           Arch             Version                Repository      Size
 nethogs           x86_64           0.8.5-1.el7            epel            38 k

Transaction Summary
Install  1 Package

Total download size: 38 k
Installed size: 71 k
Is this ok [y/d/N]: y
Downloading packages:
nethogs-0.8.5-1.el7.x86_64.rpm                             |  38 kB   00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nethogs-0.8.5-1.el7.x86_64                                   1/1
  Verifying  : nethogs-0.8.5-1.el7.x86_64                                   1/1

  nethogs.x86_64 0:0.8.5-1.el7


The information for the package installed on a CentOS system is shown below:

# rpm -qi nethogs
Name        : nethogs
Version     : 0.8.5
Release     : 1.el7
Architecture: x86_64
Install Date: Tue 20 Jun 2017 02:21:41 PM UTC
Group       : Applications/Internet
Size        : 72732
License     : GPL+
Signature   : RSA/SHA256, Tue 20 Sep 2016 04:03:39 PM UTC, Key ID 6a2faea2352c64e5
Source RPM  : nethogs-0.8.5-1.el7.src.rpm
Build Date  : Sun 18 Sep 2016 05:02:40 PM UTC
Build Host  :
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         :
Summary     : A tool resembling top for network traffic
Description :
NetHogs is a small "net top" tool.

Instead of breaking the traffic down per protocol or per subnet, like
most such tools do, it groups bandwidth by process and does not rely
on a special kernel module to be loaded.

So if there's suddenly a lot of network traffic, you can fire up
NetHogs and immediately see which PID is causing this, and if it's
some kind of spinning process, kill it.

Once you've installed the program, you can get help on its usage by typing nethogs -h.

Save on a Computer: Run Windows, Mac, and Linux with VirtualBox
Save on a Computer: Run Windows,
Mac, and Linux with VirtualBox
1x1 px

# nethogs -h
usage: nethogs [-V] [-h] [-b] [-d seconds] [-v mode] [-c count] [-t] [-p] [-s] [device [device [device ...]]]
                -V : prints version.
                -h : prints this help.
                -b : bughunt mode - implies tracemode.
                -d : delay for update refresh rate in seconds. default is 1.
                -v : view mode (0 = KB/s, 1 = total KB, 2 = total B, 3 = total MB). default is 0.
                -c : number of updates. default is 0 (unlimited).
                -t : tracemode.
                -p : sniff in promiscious mode (not recommended).
                -s : sort output by sent column.
   -a : monitor all devices, even loopback/stopped ones.
                device : device(s) to monitor. default is all interfaces up and running excluding loopback

When nethogs is running, press:
 q: quit
 s: sort by SENT traffic
 r: sort by RECEIVE traffic
 m: switch between total (KB, B, MB) and KB/s mode

You can also view the man page for nethogs with the command man nethogs.

You will need to be root in order to run the software. If you aren't logged into the root account or running the command with sudo, you will see the message below:

$ nethogs
To run nethogs without being root you need to enable capabilities on the program (cap_net_admin, cap_net_raw), see the documentation for details.

Since NetHogs relies on the existence of /proc, most of its features are only available on Linux, but NetHogs can be built on systems running the Mac OS X/macOS and FreeBSD operating systems, but it will only show connections, not processes, on those systems.

Related articles:

  1. Installing support for the EPEL repository on CentOS
  2. Using the EPEL repository for a CentOS 7 system
  3. Bandwidth Monitoring on a Linux System
  4. Monitoring network traffic with ibmonitor