Network Monitoring

Expert knowledge for real-time network traffic monitoring using modern Rust-based tools: bandwhich for CLI-based per-process bandwidth analysis and Sniffnet for visual traffic inspection.

Core Expertise

Why These Tools

Key Advantages

• Per-process visibility: See which applications consume bandwidth (unlike traditional iftop)
• Connection-level detail: Track individual connections to remote hosts
• Modern Rust performance: Minimal overhead, safe memory handling
• Cross-platform: Works on Linux, macOS, Windows

Privilege Requirements

Both tools require elevated privileges to capture network traffic:

# Run with sudo
sudo bandwhich

# Or grant capabilities (Linux, avoids sudo)
sudo setcap cap_net_raw,cap_net_admin+ep $(which bandwhich)

Essential Commands

bandwhich - CLI Bandwidth Monitor

Basic Usage

# Start monitoring (requires sudo or capabilities)
sudo bandwhich

# Monitor specific interface
sudo bandwhich -i en0
sudo bandwhich -i eth0

# Raw mode (no TUI, machine-readable)
sudo bandwhich -r

# Disable DNS resolution (faster startup)
sudo bandwhich -n

Output Modes

# Default TUI with three panels:
# - Processes (bandwidth by application)
# - Connections (bandwidth by socket)
# - Remote addresses (bandwidth by host)

# Raw output for scripting
sudo bandwhich -r
# Output: <interface>:<process>:<bytes_down>:<bytes_up>

# Combined options
sudo bandwhich -i en0 -n -r

TUI Navigation

Sniffnet - GUI Traffic Monitor

Installation

# macOS
brew install sniffnet

# Cargo
cargo install sniffnet

# Or download from GitHub releases
# https://github.com/GyulyVGC/sniffnet/releases

Features

• Real-time traffic charts
• Filter by protocol, port, IP
• Domain and provider identification
• Geo-location of remote hosts
• Export reports

Launch

# GUI application (requires sudo or admin)
sudo sniffnet

# On macOS, may need to grant network access in System Preferences

Common Patterns

Diagnose High Bandwidth Usage

# Quick check: which process is using bandwidth?
sudo bandwhich -n

# Watch specific interface during download
sudo bandwhich -i en0

Script-Friendly Monitoring

# Capture 10 seconds of raw data
sudo timeout 10 bandwhich -r > /tmp/bandwidth.log

# Parse raw output
cat /tmp/bandwidth.log | cut -d: -f2 | sort | uniq -c | sort -rn

Compare Interface Traffic

# Monitor WiFi
sudo bandwhich -i en0

# Monitor Ethernet (separate terminal)
sudo bandwhich -i en1

Identify Unexpected Connections

# Raw mode shows all connections
sudo bandwhich -r -n | grep -v "127.0.0.1" | head -20

Agentic Optimizations

Quick Reference

bandwhich Flags

Raw Output Format

<interface>:<process_name>:<bytes_downloaded>:<bytes_uploaded>

Example:

en0:firefox:1048576:65536
en0:curl:4096:1024

Installation

bandwhich

# macOS
brew install bandwhich

# Cargo
cargo install bandwhich

# Linux (grant capabilities to avoid sudo)
sudo setcap cap_net_raw,cap_net_admin+ep $(which bandwhich)

Sniffnet

# macOS
brew install sniffnet

# Cargo
cargo install sniffnet

# GitHub releases (pre-built binaries)
# https://github.com/GyulyVGC/sniffnet/releases

Troubleshooting

Permission Denied

# Use sudo
sudo bandwhich

# Or set capabilities (Linux)
sudo setcap cap_net_raw,cap_net_admin+ep $(which bandwhich)

# Verify capabilities
getcap $(which bandwhich)

Interface Not Found

# List available interfaces
ip link show        # Linux
networksetup -listallhardwareports  # macOS
ifconfig -l         # BSD/macOS

# Then specify
sudo bandwhich -i <interface_name>

DNS Resolution Slow

# Disable DNS lookup
sudo bandwhich -n

Resources

• bandwhich: https://github.com/imsnif/bandwhich
• Sniffnet: https://github.com/GyulyVGC/sniffnet
• Sniffnet Wiki: https://github.com/GyulyVGC/sniffnet/wiki