bandwhich — Terminal Bandwidth Utilization by Process and Connection

Introduction

When your network is mysteriously saturated, the question "what is using my bandwidth?" usually ends in a 20-minute Wireshark dive. bandwhich answers it in a single command: a live terminal table of processes, remote hosts, and connections, sorted by bandwidth usage.

With over 11,000 GitHub stars, bandwhich is a favorite among sysadmins and power users. It's a Rust rewrite of nethogs + iftop conceptually, with a cleaner UI and better accuracy.

What bandwhich Does

bandwhich captures packets using libpcap/PF_RING, correlates them to processes via /proc or kernel APIs (depending on OS), and renders three tables: Processes (bandwidth per process), Remote Hosts (bandwidth per destination), and Connections (each TCP/UDP flow). Each updates live with rx/tx rates.

Architecture Overview

[bandwhich (Rust)]
      |
[Packet capture]
   libpcap / BPF on macOS/BSD
   PF_RING / af_packet on Linux
      |
[Process attribution]
   Linux: /proc/net/tcp + /proc/<pid>/fd
   macOS: lsof fallback
   Windows: IP Helper API
      |
[Live aggregation]
   per-process, per-connection, per-host
   rolling byte counters
      |
[Terminal UI]
   3 tables: Processes / Remote Hosts / Connections
   sort by total / up / down

Self-Hosting & Configuration

# Raw output (for scripting, CSV-able)
sudo bandwhich --raw

# Filter by specific interface
sudo bandwhich -i eth0

# Don't resolve DNS (hostnames will be shown as IPs)
sudo bandwhich -n

# Show totals instead of rates
sudo bandwhich --total-utilization

# Show only processes matching a name pattern
sudo bandwhich --show-dns --raw | grep -i firefox

# Common workflow: "who is eating my uplink?"
sudo bandwhich
# (scan processes, spot the hog, then narrow down with tcpdump if needed)

# Persistent install with capability (no sudo needed)
sudo setcap cap_net_raw,cap_sys_ptrace+eip $(which bandwhich)
bandwhich
# (cap_sys_ptrace needed to peek at other users' sockets on Linux)

Key Features

• Per-process bandwidth — see exactly which app is using network
• Per-host bandwidth — which remote server is receiving your traffic
• Per-connection view — every active TCP/UDP flow, sortable
• DNS resolution — hostnames instead of raw IPs (optional)
• Live updates — 1s refresh with smoothed rates
• Interface selection — focus on eth0 vs wlan0 vs tun0 (VPN)
• Raw mode — CSV output for scripting, alerting, logging
• Cross-platform — Linux, macOS, Windows, FreeBSD

Comparison with Similar Tools

FAQ

Q: Why does bandwhich need sudo? A: Raw sockets (to capture packets) and process-table reads require privilege. One-time setcap grant is a nicer permanent solution than sudoing every run.

Q: Is it accurate? A: Yes — counts bytes at packet layer. Occasionally under-reports processes that use namespaces in unusual ways (Docker host mode is fine; some VPN clients can be tricky).

Q: Can I monitor a remote server? A: Not directly — bandwhich is for local interfaces. For remote monitoring, run it over SSH: ssh host -t 'sudo bandwhich'.

Q: Does it capture full packets? A: No — only headers (size + source/dest IPs + ports). No payload is recorded, so it's privacy-safe and uses negligible CPU.

Sources

• GitHub: https://github.com/imsnif/bandwhich
• License: MIT