Explain several ways for Linux to view real-time network card traffic

Keywords: Linux network shell

If kept has 10 VIPs, how to check the traffic of each VIP?

Here you can use the sar command to view the network card traffic. The premise is that when you keep listening to the network card. Set the subinterface when setting up the network card.

That is, your network card is bound to the sub interface. In this way, eth0:0 and eth0:1 can see the traffic of each network card

In our work, we often need to check the real-time network card traffic of the server. Usually, we will check the real-time network card traffic of Linux server through these methods.

1. sar -n DEV 1 2

The sar command is included in the sysstat toolkit and provides many statistics of the system. There are some differences in commands on different systems. The sar provided by some systems supports data statistics based on network interface, and can also view the number of packets received and traffic on the device per second.

sar –n DEV 1 2

DEV displays the network interface information command, which means: take the value once every second and take it twice.

In addition, the - n parameter is very useful. It has six different switches: DEV | EDEV | NFS | NFSD | SOCK | ALL, which represents the following meanings:

  1. DEV displays network interface information.
  2. EDEV displays statistics about network errors.
  3. NFS counts information about active NFS clients.
  4. NFSD counts NFS server information
  5. SOCK displays socket information
  6. ALL displays ALL 5 switches
[sre@CDVM-213017031 ~]$ sar -n DEV 1 2

Linux 2.6.32-431.el6.x86_64 (CDVM-213017031)  05/04/2017  _x86_64_ (4 CPU)

08:05:30 PM  IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s

08:05:31 PM  lo  0.00  0.00  0.00  0.00  0.00  0.00  0.00

08:05:31 PM  eth0 1788.00 1923.00 930.47 335.60  0.00  0.00  0.00

08:05:31 PM  IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s

08:05:32 PM  lo  0.00  0.00  0.00  0.00  0.00  0.00  0.00

08:05:32 PM  eth0 1387.00 1469.00 652.12 256.98  0.00  0.00  0.00

Average:  IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s

Average:   lo  0.00  0.00  0.00  0.00  0.00  0.00  0.00

Average:   eth0 1587.50 1696.00 791.29 296.29  0.00  0.00  0.00

Parameter Description:

  1. IFACE: LAN interface
  2. rxpck/s: packets received per second
  3. txpck/s: packets sent every second
  4. rxbyt/s: number of bytes received per second
  5. txbyt/s: number of bytes sent per second
  6. rxcmp/s: compressed packets received per second
  7. txcmp/s: compressed packets sent every second
  8. rxmcst/s: multicast packets received per second
  9. rxerr/s: bad packets received per second
  10. txerr/s: bad packets sent every second
  11. coll/s: conflicts per second
  12. rxdrop/s: the number of received packets dropped per second because the buffer is full
  13. txdrop/s: the number of sent packets dropped per second because the buffer is full
  14. txcarr/s: number of carrier errors per second when sending packets
  15. rxfram/s: the number of frame alignment errors received per second
  16. rxfifo/s: the number of FIFO over speed errors per second of received packets
  17. txfifo/s: the number of FIFO over speed errors per second in packets sent

This method is simple, intuitive and recommended.

2. Real time monitoring script



while true


 RX_pre=$(cat /proc/net/dev | grep $ethn | sed 's/:/ /g' | awk '{print $2}')

 TX_pre=$(cat /proc/net/dev | grep $ethn | sed 's/:/ /g' | awk '{print $10}')

 sleep 1

 RX_next=$(cat /proc/net/dev | grep $ethn | sed 's/:/ /g' | awk '{print $2}')

 TX_next=$(cat /proc/net/dev | grep $ethn | sed 's/:/ /g' | awk '{print $10}')


 echo -e "\t RX `date +%k:%M:%S` TX"



 if [[ $RX -lt 1024 ]];then


 elif [[ $RX -gt 1048576 ]];then

 RX=$(echo $RX | awk '{print $1/1048576 "MB/s"}')


 RX=$(echo $RX | awk '{print $1/1024 "KB/s"}')


 if [[ $TX -lt 1024 ]];then


 elif [[ $TX -gt 1048576 ]];then

 TX=$(echo $TX | awk '{print $1/1048576 "MB/s"}')


 TX=$(echo $TX | awk '{print $1/1024 "KB/s"}')


 echo -e "$ethn \t $RX $TX "



This script does not require additional software installation, and can customize the interface to be viewed, accurate to decimal, and can flexibly display the unit according to the flow size. The default acquisition interval is 1 second.


1. Save the script as an executable script file, such as net.sh.

2. Chmod + X. / net.sh changes the file to an executable script.

3. sh net.sh eth0 to start monitoring the interface eth0 traffic, press ctrl+c to exit.

The script is obtained by reading the network real-time data in the runtime file system / proc/net/dev and simple calculation. For the directory / proc/net/dev, see below.

3. cat /proc/net/dev

The Linux kernel provides a mechanism to access the internal data structure of the kernel and change the kernel settings at runtime through the / proc file system. Proc file system is a pseudo file system, which only exists in memory and does not occupy external memory space. It provides an interface for accessing system kernel data in the form of file system. Users and applications can get the system information through proc, and can change some parameters of the kernel. Because the information of the system, such as the process, changes dynamically, when the user or application reads the proc file, the proc file system dynamically reads the required information from the system kernel and submits it/ The proc file system contains many directories, in which / proc/net/dev holds the network adapter and statistics.

[sre@CDVM-213017031 ~]$ cat /proc/net/dev

Inter-| Receive            | Transmit

 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed

 lo:137052296 108029 0 0 0  0   0   0 137052296 108029 0 0 0  0  0   0

 eth0:13661574714188 31346790620 0 0 0  0   0   0 5097461049535 27671144304 0 0 0  0  0   0

The leftmost indicates the name of the interface, Receive indicates receiving packets, and Transmit indicates sending packets;   

  1.   Bytes indicates the number of bytes sent and received;
  2.   Packets indicates the correct number of packets sent and received;
  3.   errs indicates the number of packets sent and received incorrectly;
  4.   drop indicates the number of packets received and received and discarded;

In fact, many commands we often use to view the real-time traffic of the network card are obtained by reading the real-time traffic under the directory and simple calculation.

4. Use the watch command in combination with ifconfig, more /proc/net/dev and cat /proc/net/dev to monitor in real time. For example, execute watch -n 1 "ifconfig eth0"

Every 1.0s: ifconfig eth0Thu May 4 20:26:45 2017

eth0  Link encap:Ethernet HWaddr FA:16:3E:7E:55:D1

   inet addr: Bcast: Mask:

   inet6 addr: fe80::f816:3eff:fe7e:55d1/64 Scope:Link


   RX packets:31350149703 errors:0 dropped:0 overruns:0 frame:0

   TX packets:27674701465 errors:0 dropped:0 overruns:0 carrier:0

   collisions:0 txqueuelen:1000

   RX bytes:13663400883450 (12.4 TiB) TX bytes:5098104759633 (4.6 TiB)

Watch can help you monitor the running results of a command, saving you from running it manually over and over again. Under Linux, watch executes the next program periodically and displays the execution results in full screen.   

Finally, in addition to the above, there are many ways to view the network card traffic of the current system. I won't repeat them one by one. If the above methods can't meet your needs, please google by yourself.

Methods 1 and 2 are highly recommended based on their ease of use and readability. I hope it will be helpful to your study, and I also hope you can support the script home.

Posted by XenoPhage on Mon, 08 Nov 2021 11:01:58 -0800