Linux. Every. Day. Online.

Who Is Eating the Bandwidth?

by

Johnny
in , ,

Correlating Network Throughput With Real Processes

You now know what is listening.

You know who is talking.

The next question is unavoidable. “Which process is actually costing me performance?”

This is where many troubleshooting efforts fall apart. CPU looks fine. Memory looks stable. Disk is quiet. Yet the system still feels slow. At that point, the network is usually the bottleneck, and Linux will not volunteer that answer unless you ask correctly.

Start at the Interface, Not the Process

Before blaming applications, confirm the problem exists at the network layer.

cat /proc/net/dev

This gives you raw truth. Bytes in. Bytes out. Per interface.

If RX or TX counters are climbing faster than expected, the system is not imagining things. Something is pushing data hard.

Do not optimize yet. Identify first.

Tie Traffic to Active Connections

Now move one layer up.

ss -tnp

Look specifically at the Send-Q and Recv-Q columns. These are not decorative.

If queues are consistently non zero, that process is either:

  • Sending faster than the network can handle
  • Receiving data it cannot process fast enough
  • Blocked downstream by another service

Queues tell you pressure. Pressure tells you where performance is leaking.

Identify Heavy Talkers by Volume

Linux exposes byte counters per socket.

ss -ti

Focus on:

  • bytes_sent
  • bytes_received
  • pacing_rate
  • delivery_rate

If a single process shows disproportionate volume compared to its role, that is your culprit. At this stage, you are no longer guessing. You are attributing cost.

The Defender’s Shortcut

Ask one blunt question. “If I stopped this process, would the system immediately feel better?”

If the answer is yes, you have found the bottleneck. Whether it is a misconfigured backup job, a runaway sync agent, or a compromised service beaconing outward, the response path is the same. Contain first. Fix second.

Common Real World Offenders

You will see these repeatedly:

  • Log shippers retrying endlessly due to TLS or auth failures
  • Monitoring agents duplicating data streams
  • Containerized apps with no egress limits
  • Malware abusing legitimate binaries for outbound traffic

None of these require exotic exploits. They rely on neglect and invisibility.

Why This Matters Operationally

Bandwidth abuse rarely triggers alerts early. It degrades everything quietly. Latency creeps in. Applications stall. Users complain. By the time someone looks at the network, the root cause is buried under symptoms.

Defenders who can correlate throughput to process ownership cut through that noise immediately.

Where This Series Goes Next

The next logical step is control.

Constraining network behavior with:

  • Interface level limits
  • Per process expectations
  • Service binding discipline

In short, turning “we noticed” into “this will not happen again.”

Comments

Leave a Reply