what’s using my bandwidth, take 20

Perpetual problem; network is slow, some process is using all the bandwidth, what is it?

On a Mac, the new short answer may be “use Mavericks”. The Activity Monitor includes a Network view and while it’s not perfect, it helps.

On an older Mac or other Unix machine, here’s one way:

Run iftop. It’s a top-like program that shows individual network sockets. Press “p” to turn on port number display. Press “t” to simplify to one line per host. The three columns of numbers on the left are download rates in kilobits/second, averages over 2/10/40 seconds.

Note the port number of the top flow. Then run lsof (as root) and search through the output for that port number. The matching line contains the program name and process ID.

Using this I managed to find it was ocspd taking all my CPU. That program downloads fresh certificate revocation lists. Amazing how much data it had to grab.

iftop and lsof use existing kernel services; they don’t require installing a kernel module or anything. It should be possible to write a patch to iftop that does the lsof side of things to show the process ID and name. Or else a separate tool.
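The lsof side of this lookup can be scripted. The following is an added example, not code from the original post: it parses lsof's field output (`lsof -nP -i -F pcn`) and prints the PID and command owning a given local port. The function names and sample data are constructed for illustration, and it assumes the port noted in iftop is the local end of the flow.

```shell
#!/bin/sh
# Added example: find which process owns the local port noted in iftop.
# Live use (as root, as in the post):
#   lsof -nP -i -F pcn | port_owner 49321
# -n/-P keep addresses and ports numeric; -F pcn emits one field per line:
#   p<pid>, c<command>, n<socket name> (an f<fd> line is always included).

# port_owner PORT: read lsof field output on stdin and print
# "PID COMMAND SOCKET" for every socket whose local port is PORT.
port_owner() {
    awk -v port="$1" '
        /^p/ { pid = substr($0, 2); next }   # new process record
        /^c/ { cmd = substr($0, 2); next }   # command name for that process
        /^n/ {
            name = substr($0, 2)
            loc = name
            sub(/->.*/, "", loc)             # drop the remote endpoint
            n = split(loc, parts, ":")       # port follows the last colon (IPv6-safe)
            if (parts[n] == port) print pid, cmd, name
        }
    '
}

# Constructed sample of `lsof -nP -i -F pcn` output (not real capture data).
sample_lsof() {
    cat <<'EOF'
p312
cocspd
f5
n192.168.1.20:49321->203.0.113.7:80
p455
cSafari
f12
n192.168.1.20:49400->198.51.100.9:443
f14
n192.168.1.20:49401->203.0.113.7:80
p88
ccupsd
f6
n[::1]:631
EOF
}

# Demo on the constructed sample: which process owns local port 49321?
sample_lsof | port_owner 49321
```

Matching on the local port rather than the remote one matters: many processes can talk to remote port 80 at once, but an ephemeral local port belongs to one socket.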

Rubbernet is a fine graphical tool to manage and shape Mac bandwidth in this fashion. But it’s €30. Also it requires a kernel module, which feels like dangerous overkill.