LinuxCommandLibrary

bandwhich

Monitor network bandwidth usage by process

TLDR

Show the remote addresses table only

$ bandwhich [[-a|--addresses]]

Show DNS queries
$ bandwhich [[-s|--show-dns]]

Show total (cumulative) usage
$ bandwhich [[-t|--total-utilization]]

Show the network utilization for a specific network interface
$ bandwhich [[-i|--interface]] [eth0]

Show DNS queries with a given DNS server
$ bandwhich [[-s|--show-dns]] [[-d|--dns-server]] [dns_server_ip]

SYNOPSIS

bandwhich [-l ADDR:PORT] [-r] [-t] [--show-process] [--show-total] [--no-filter] [-h | -V]

PARAMETERS

-h, --help
    Print help information

-V, --version
    Print version information

-l, --listen ADDR:PORT
    Listen on TCP socket (e.g., 127.0.0.1:8080) for remote access

-r, --raw
    Output raw CSV data instead of TUI

-t, --treeless
    Disable hierarchical process tree view

--show-process
    Display process IDs alongside names

--show-total
    Include total system bandwidth usage

--no-filter
    Do not filter loopback/localhost traffic

DESCRIPTION

bandwhich is a CLI tool, written in Rust, for monitoring network bandwidth usage at the process level on Linux systems.

It provides an interactive, curses-based TUI (text user interface) that displays real-time inbound and outbound network I/O rates, aggregated by process in a hierarchical tree view (showing parent-child relationships). This helps identify bandwidth-intensive applications, such as downloads, streaming, or misbehaving services.

Unlike connection-focused tools like iftop or nethogs, bandwhich emphasizes process ownership using kernel interfaces like netlink sockets (/proc/net/tcp, /proc/net/udp), conntrack, and process info from /proc. It supports TCP and UDP, filters loopback by default, and updates dynamically (typically every second).

For remote use, it can listen on a TCP port. Raw CSV mode enables scripting or logging. It requires root (sudo) for full socket-to-process mapping due to kernel restrictions.
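
The socket-to-process mapping through /proc described above, and why it needs root, as an added Python example (not bandwhich's own code): it decodes /proc/net/tcp rows and joins their socket inodes to PIDs via /proc/<pid>/fd. The function names and the sample table are constructed for illustration; IPv4 on a little-endian host is assumed.

```python
import os, re, socket, struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:D431 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34570 1 0000000000000000 20 4 30 10 -1
"""
STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of the kernel's TCP states

def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_tcp_table(text):
    """Parse /proc/net/tcp text into one dict per IPv4 socket."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                         "state": STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return rows

def inode_owners(proc_root="/proc"):
    """Return ({socket inode: pid}, [pids whose fd table could not be read])."""
    owners, denied = {}, []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except PermissionError:  # another user's process, and we are not root
            denied.append(int(pid))
        except (FileNotFoundError, NotADirectoryError):  # process exited mid-scan
            continue
    return owners, denied

def attribute(rows, owners):
    """Join sockets to pids; pid is None when the owner's fd table was unreadable."""
    return [(r["local"], r["remote"], r["state"], owners.get(r["inode"])) for r in rows]

if __name__ == "__main__":  # live run on a Linux host
    owners, denied = inode_owners()
    with open("/proc/net/tcp") as fh:
        print(*attribute(parse_tcp_table(fh.read()), owners), sep="\n")
    print(f"{len(denied)} processes had unreadable fd tables")
```

Run unprivileged, the count of unreadable fd tables corresponds to the processes whose sockets stay unattributed.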

Ideal for servers, troubleshooting network hogs, or optimizing resource usage in containers/VMs. Lightweight, zero dependencies beyond standard Linux.

CAVEATS

Requires root (sudo) privileges for accurate process attribution.
May miss data on some kernels, namespaces, or without conntrack.
UDP support limited; focuses on TCP/UDP sockets.

INSTALLATION

Via Cargo: cargo install bandwhich
Debian/Ubuntu: sudo apt install bandwhich
Arch: bandwhich (AUR)
macOS: brew install bandwhich

BASIC USAGE

sudo bandwhich (default TUI)
sudo bandwhich -r (CSV output)
sudo bandwhich --listen 0.0.0.0:8080 (remote TCP)

HISTORY

Developed by arsduo (Jay Weisskopf) in Rust; first release ~2018 on GitHub. Gained popularity for process-centric view; actively maintained with ports to other package managers (AUR, Homebrew, apt repos).

SEE ALSO

nethogs(1), iftop(8), ss(8), netstat(8), bmon(1)
