bandwhich

Show the remote addresses table only

$ bandwhich --addresses

$ bandwhich --show-dns

$ bandwhich --total-utilization

$ bandwhich --interface [eth0]

$ bandwhich --show-dns --dns-server [dns_server_ip]

bandwhich [OPTIONS]

-a, --address
    Show only traffic to the given IP address(es)

-i, --interface
    The network interface to listen on (defaults to all interfaces)

-n, --net
    The network to listen on (defaults to all networks)

-p, --pid
    Show only traffic from the given process ID(s)

-t, --total
    Show the total bandwidth usage for all processes

-u, --unit
    The unit to display bandwidth in (bytes, kbytes, mbytes, gbytes)

-v, --version
    Print version information

-l, --listen
    Listen only instead of sniffing

-c, --color
    Color output (auto, always, never)

-r, --raw
    Print raw data, instead of the interactive interface.

--skip-loopback
    Skip the loopback interface

--log-level
    The log level (trace, debug, info, warn, error)

--config
    Path to the configuration file (defaults to ~/.config/bandwhich/config.yaml).

--search

bandwhich (bandwidth-whatch) is a command-line tool for Linux, macOS, and FreeBSD that displays current network utilization by process. It uses the pcap library to sniff network traffic and then maps that traffic to the processes on the system using information from the operating system's process table. This allows users to quickly identify which processes are consuming the most network bandwidth.

Unlike traditional network monitoring tools like `top` or `iftop` which focus on interfaces, bandwhich shows bandwidth usage per process. This can be very helpful in diagnosing network bottlenecks or identifying applications that are unexpectedly consuming large amounts of network resources. The tool is interactive, providing a real-time updated view of network activity. Users can customize the display, filter processes, and change the refresh rate.

Requires root privileges (or CAP_NET_ADMIN capability) to sniff network traffic. The accuracy of process attribution depends on the operating system's ability to map network connections to processes.

bandwhich can be configured using a configuration file, allowing customization of display settings, filtering options, and other parameters. The default location of the configuration file is `~/.config/bandwhich/config.yaml`. The file format is YAML.

Configuration options in the YAML file allow the user to modify the display to show processes filtered by port, IP address or process name.

The default operation of bandwhich is in interactive mode. In this mode, it provides a real-time, updating display of network bandwidth usage by process.
The refresh rate is typically every half a second, and it provides the list of processes consuming bandwidth. It is possible to zoom in by selecting processes and/or connections.

In order to be able to sniff network packets you need elevated privileges. You either need to run bandwhich as root, or give the binary the CAP_NET_ADMIN capability. For example: sudo setcap cap_net_admin+ep /usr/bin/bandwhich

bandwhich appears to be a relatively recent tool, gaining popularity as a more user-friendly and process-focused alternative to traditional network monitoring tools. Its development is primarily driven by the need for a simple way to identify bandwidth-hogging processes on Linux systems.

tcpdump(1), iftop(1), nethogs(8), ss(8)