Monitoring for Suspicious Activity

Security-conscious administrators can use iftop as part of their basic security monitoring toolkit. Iftop is not a replacement for dedicated security tools, but you can use it to help identify several types of suspicious activity, including:

• Unexpected external connections – Detect calls to unknown external IPs that might indicate malware or data exfiltration
• Port scanning activity – Identify multiple rapid connections to different ports on your host
• Data exfiltration attempts – Spot large outbound transfers to unexpected destinations
• DDoS participation – Notice many connections to a single external service
• Unauthorized services – Find unexpected listening ports receiving connections

Run iftop with appropriate filters to exclude known-good traffic, then look for connections to or from unexpected IP addresses or countries. Look for unusually high bandwidth to any single host, and watch for patterns that suggest scanning (many ports to one host). Investigate any suspicious findings with deeper tools.

Although iftop won't provide complete security visibility, it serves as an excellent "canary in the coal mine" to alert you to potential issues worth deeper investigation with tools like tcpdump, Wireshark, or a security information and event management (SIEM) system.

Verifying Network Configuration Changes

If you make a change to your network, iftop can provide immediate feedback to verify the result. This real-time validation is invaluable for ensuring changes have the intended effect without unexpected side effects. You can use iftop to confirm that the intended traffic is allowed or blocked following a change to firewall rules. Iftop also lets you verify bandwidth limits and prioritization for QoS implementations. If you make a change to a router, iftop will let you ensure that the traffic is flowing as intended.

For example, after implementing QoS to prioritize VoIP traffic, you could run iftop with the focus on common SIP/RTP ports:

iftop -f 'port 5060 or portrange 10000-20000'

Then initiate test calls while generating background traffic and verify that VoIP traffic maintains priority during congestion. This immediate feedback loop helps avoid situations where a configuration error becomes apparent at a critical moment.

Configuration File Options

Although iftop works well with default settings, power users can customize its behavior through a configuration file, typically located at ~/.iftoprc. This file allows persistent customization that applies across all iftop sessions without needing command-line options. See the iftop manpage for more on iftop configuration file settings.