bandwhich

From LinuxReviews

bandwhich is a terminal network monitoring utility capable of showing bandwidth use by process and connection on all or a single network interface. It is written in Rust and it has been in development since November 2019. It is capable of showing network use on a single interface correctly but it is wildly off when it comes to special interfaces like bridges and bonds.

"bandwhich" was named "what" until the developer changed its name in January 2020.

Features And Usability

bandwhich v0.10.0.

bandwhich will, depending on the size of the terminal window it is launched from, show a list of processes and their bandwidth use on the left side and outgoing connections by process and remote address on the right side. It will only show a list of processes and their connection count and bandwidth use if the terminal window is small. It will adjust what is shown if the terminal window is resized.

bandwhich v0.10.0 in a small terminal window where only "Utilization by process name" is shown.

bandwhich has three switches which make it show just one of the three panes it is capable of showing:

-a or --addresses Only show address table
-c or --connections Only show network connections
-p or --processes Only show the process table (default)

These switches are useful if you want to have bandwhich in a terminal window which is too small to show more than one pane. They can be combined: bandwhich -a -c will show the address table and the network connection table.

bandwhich v0.10.0 started with -a -c.

bandwhich will by default show connections on all interfaces, including the loopback interface. It can be instructed to listen on just one interface by specifying it with -i interface. bandwhich will do PTR lookups of IP addresses unless you start it with the -n switch.

bandwhich has a "raw" mode which can be invoked with the --raw switch. The raw mode will list network connections as text in a terminal. It is useful if you want to |grep something.

bandwhich does not support switching between network interfaces on the fly. You can either show all interfaces or start it with -i interface and re-start it if you want to view another interface.

Accuracy And Limitations

bandwhich is, naturally, incapable of showing what remote process generated network traffic going through a router. It does, mostly, show local network traffic accurately as long as it is listening on a single real network interface.

bandwhich is totally out of whack if you use it on bridged or bonded interfaces.

bandwhich - left - has no idea what is going on when it is listening on a bond interface. The accurate numbers reported by bmon - shown on the right - are wildly different from the numbers bandwhich reports.

The bandwidth utilization numbers reported by bandwhich will have zero to do with reality if you use it on bridged or bonded interfaces. Something strange is going on when bmon accurately reports 117.34 MBps up while bandwhich claims 7.30 MBps.

Under the hood

bandwhich gets the process information by looking at /proc on GNU/Linux. It also supports macOS where it uses lsof to get process information.
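The general /proc technique for attributing sockets to processes, as an added example (this is not bandwhich's own code, which is written in Rust). It assumes the relevant files are /proc/net/tcp and the /proc/<pid>/fd symlinks, which the page does not name; the sample data is constructed so the code runs offline.

```python
import re
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   970        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:D2F0 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:D2F2 0A0200C0:01BB 06 00000000:00000000 03:00000A3C 00000000     0        0 0 3 0000000000000000
"""

# Constructed stand-in for readlink() on /proc/<pid>/fd/*: pid -> (name, link targets).
SAMPLE_FDS = {
    812: ("mysqld", ["/var/log/mysql/error.log", "socket:[23456]"]),
    4242: ("firefox", ["socket:[34567]", "pipe:[99001]", "anon_inode:[eventpoll]"]),
}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def decode_addr(hex_addr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hex_addr.split(":")
    # Assumption: little-endian host, where the kernel prints the IPv4 word byte-swapped.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map socket inode -> (local, remote) for every row of a /proc/net/tcp dump."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 10:  # field 9 is the socket inode
            table[int(f[9])] = (decode_addr(f[1]), decode_addr(f[2]))
    return table

def connections_by_process(tcp_text, fd_table):
    """Join both /proc views: which process holds an fd for which TCP socket."""
    by_inode = parse_proc_net_tcp(tcp_text)
    owned = {}
    for pid, (name, links) in fd_table.items():
        for target in links:
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in by_inode:
                owned.setdefault((pid, name), []).append(by_inode[int(m.group(1))])
    return owned

if __name__ == "__main__":
    for owner, conns in connections_by_process(SAMPLE_TCP, SAMPLE_FDS).items():
        print(owner, conns)
```

The third sample row is a TIME_WAIT socket with inode 0: it no longer belongs to any process, so no per-process view built this way can attribute its traffic. On a live system, reading /proc/<pid>/fd for processes owned by other users is denied to an unprivileged process.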

bandwhich will place the interface(s) it is listening on in promiscuous mode. Doing so requires root privileges.

Verdict and Conclusion

bandwhich is an interesting project which fills a void in the existing network monitoring tools available for GNU/Linux machines. bmon is excellent if you want to view total network activity on several interfaces but you can't see per-process connections. Running bandwhich is much simpler than getting the same kind of data using tcpdump and a long list of parameters.

bandwhich is currently only useful if you are using a simple standard network setup, which is too bad. It is utterly useless if you have a more complex setup (bonds, bridges, etc). That limitation will hopefully be fixed in a future version.

Installation

bandwhich is a rather new program (in development since November 2019). Very few distributions carry it in their repositories. There is a copr repository for Fedora and packages for Arch, NixOS and Void. Installation instructions for those are on the bandwhich GitHub page.

bandwhich can be installed by checking out the source with git clone https://github.com/imsnif/bandwhich.git and compiling it using the Rust package manager cargo. Running cargo install bandwhich in the source folder produces a totally static binary in ~/.cargo/bin/bandwhich. You can simply copy or move that binary to /usr/local/bin or somewhere else in the root user's path if you want to run it as root.

bandwhich will not run under a regular user-account unless it has been given elevated privileges. Those can be given by running

setcap cap_sys_ptrace,cap_dac_read_search,cap_net_raw,cap_net_admin+ep `which bandwhich`

as root. It is possible to run it as a regular user once you have done that. This will only work on Linux; macOS users have to run it using sudo.

Links

The bandwhich source and homepage are at github.com/imsnif/bandwhich.

