I didn’t really start to poke around with nettop until about five years ago, when I got the opportunity to go and give a talk about the nascent iCloud Drive and all the assorted shenanigans that went with it. iCloud, it transpired, would throw all kinds of data up from your machine to all kinds of places in the cloud in a pretty fascinating and intelligent way, and nettop was absolutely vital in showing what went where. Still, right out of the box nettop isn’t particularly user friendly. What follows is an abbreviated primer on how I use nettop. It doesn’t hit on every option, but it’s a good swing at the essentials.
When I plug nettop into the Terminal.app I am immediately hit with something like this:
Still, it’s worth sticking with because it’s entire purpose in life is to report in exacting detail on every single bit of data that goes in and out of your computer; what ports are in use, what interface you’re using, where that data is going and how fast it’s moving at. Used properly, it’s astonishingly capable and useful.
Making it readable
c - collapse all
This is the first option I hit when firing nettop up. The way that the tool throws the expanded view at you by default is pretty frustrating, and this immediately knocks that down to something more like this:
Out of the box you can get this view by launching nettop with a -P option to show a per-process summary. In fact, I’ve added this to my .zprofile:
alias net='nettop -P'
x – toggle human readable numbers
By default nettop is pretty much ideally setup. It’ll give you columns for rx and tx, and let you know in bytes, kilobytes, megabytes, gigabytes and who knows? Probably terabytes and petabytes, too.
You can also hit j in nettop to get this handy menu allowing you to select, deselect and reorder menus, thus:
Being picky
You can use the lowercase -p option to specify a process number or name, thus:
nettop -p Dropbox
…will feed you this:
But better yet you can use this:
nettop -Pp Dropbox
…to get this:
If you don’t know the name of the process you want to isolate (or you just want to pick from a menu later on) then you can hit p while in the nettop screen to get something like this:
If you want to break nettop results down by interface then that’s doable too.
nettop -t wifi – wifi interfaces.
nettop -t wired – wired interfaces.
nettop -t loopback – loopback interfaces.
nettop -t external – the combination of all non-loopback interfaces.
Delta mode
By default nettop shows you the current running total of data in/out for each process, but if you want a more granular look at the current bandwidth in use then you can toggle delta mode by either hitting d in nettop or launching it with the appropriate flag:
nettop -d
This option is pretty useful if you’re looking at a process that’s resting somewhere in the gigabytes. If you’re at 1Mb then the jump to 2Mb goes pretty quickly in the default view, but if a process is sitting at 17GB then it could be a long, long time before it refreshes to 18GB. Jumping into delta mode is a fast way of figuring out if the process is still pushing data in/out, or if it’s stuck or has fallen apart into a thousand little pieces.
Handling data
It’s great that nettop stays open until you want to close it, but sometimes you just want to be able to go grab a cheesy, delicious slice of a few seconds’ worth of output and then get back to your regularly scheduled prompt. That’s where the -l flag comes in; just specify the number of seconds you want to snag and it’ll take the appropriate snapshot and log it to the screen for you. It’s good on its own, but also great with other flags.
Thus nettop -t wifi -t wired -P -l 1 gets you this:
As I said at the top, there’s a lot more to nettop than these basics, and poking around the manpage will doubtless reap you rich rewards…