
How to Monitor Network Traffic on a VPS: Complete Guide & Tools

Learn how to monitor network traffic on your VPS with tcpdump, netstat, Wireshark. Control your servers, detect alerts and secure your network.

Monitoring network traffic on your VPS is essential to ensure security, identify anomalies and optimize your server's performance. Whether you run a WordPress site, a Discord bot, a Minecraft server or a web application, knowing what flows through your network interface protects you against attacks, saturation and spying.

In this tutorial, we'll show you the best tools to monitor VPS network traffic on Linux, how to install them, and how to interpret the results to quickly detect issues.

🎯 Why monitor network traffic?

Before diving into the tools, understand why this practice is crucial:

  • Attack detection: spot DDoS attacks, port scans, SSH brute-force attempts
  • Proactive cybersecurity: identify suspicious processes sending data to external servers (spying, malware)
  • Debugging: diagnose slowness, connectivity loss or application issues
  • Optimization: count consumed bandwidth, identify peak hours
  • Compliance: generate logs to report abnormal activity to your administrator

🛠️ Top 7 tools to monitor network traffic

| Tool | Type | Level | Use case |
|---|---|---|---|
| netstat / ss | Native CLI | Beginner | View active connections |
| iftop | Real-time CLI | Intermediate | View live traffic per IP |
| nload | Real-time CLI | Beginner | Visual in/out overview |
| vnstat | Cumulative CLI | Beginner | Daily/monthly statistics |
| tcpdump | Capture CLI | Advanced | Packet capture for debugging |
| Wireshark / tshark | GUI/CLI | Advanced | Deep packet analysis |
| Netdata | Web dashboard | All levels | Continuous monitoring with alerts |

1️⃣ Netstat & ss — view active connections

For a quick overview of who's connected to your VPS, use ss (modern replacement for netstat):

# All established TCP connections
ss -tn state established

# All listening ports
ss -tlnp

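# Count connections per IP
# (with a state filter, ss drops the State column, so the peer address is field 4;
#  -H removes the header line, and the port is stripped from the last colon so IPv6 peers group correctly)
ss -Htn state established | awk '{sub(/:[^:]*$/, "", $4); print $4}' | sort | uniq -c | sort -rn | head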

Interpretation: if a single IP has hundreds of connections, it's probably an attack or a bot. Block it with ufw deny from <IP>.

netstat is deprecated

On modern distributions (Ubuntu 20+, Debian 11+), netstat is no longer installed by default. ss does the same job, faster. If you insist: sudo apt install net-tools.

2️⃣ iftop — real-time visualization per IP

iftop displays live traffic per connection, sorted by bandwidth used. It is the ideal tool to quickly identify the connections consuming the most network resources.

Installation

sudo apt install iftop      # Debian/Ubuntu
sudo yum install iftop      # CentOS/RHEL

Usage

sudo iftop -i eth0

You'll see IPs, ports, and bandwidth in real time. Press t to toggle views, q to quit.

3️⃣ nload — visual in/out overview

nload displays a simple text-mode graph of incoming and outgoing traffic. Its simplicity makes it an excellent starting point for novice administrators.

sudo apt install nload
nload eth0

You immediately see traffic spikes (downloads, uploads, server under load). Use left/right arrows to switch between network interfaces.

4️⃣ vnstat — cumulative statistics

Unlike real-time tools, vnstat records data over time to give you hourly, daily and monthly stats.

sudo apt install vnstat
sudo systemctl enable --now vnstat

# Today's stats
vnstat -d

# This month's stats
vnstat -m

# Live tracking
vnstat -l

Ideal to monitor your monthly bandwidth quota.

5️⃣ tcpdump — packet capture for debugging

tcpdump is the reference tool to capture and inspect network packets. Based on the libpcap library, it constitutes a versatile and essential tool for network debugging.

Installation

sudo apt install tcpdump

Concrete examples

# Capture 100 packets on eth0
sudo tcpdump -i eth0 -c 100

# Capture traffic on a specific port (HTTP)
sudo tcpdump -i eth0 port 80

# Capture traffic from/to an IP
sudo tcpdump -i eth0 host 1.2.3.4

# Save to .pcap file for Wireshark
sudo tcpdump -i eth0 -w capture.pcap

Watch the volume

A capture without filters on a busy VPS can generate multiple GB per minute. Always use filters (port, host, tcp, etc.) or a limit (-c 1000).

6️⃣ Wireshark / tshark — deep analysis

Wireshark is the most powerful GUI tool for traffic analysis. For a VPS without GUI, use its CLI version tshark.

sudo apt install tshark
sudo tshark -i eth0 -f "port 443" -c 50

For deeper analysis, capture with tcpdump (tcpdump -w capture.pcap) then download the .pcap file to your PC and open it in Wireshark (free download at wireshark.org).

7️⃣ Netdata — continuous monitoring with alerts

For a real-time web dashboard with history and automatic alerts, Netdata is one of the most comprehensive solutions available on the market.

bash <(curl -Ss https://my-netdata.io/kickstart.sh)

Once installed, access http://your-ip:19999 to see:

  • Real-time network traffic per interface
  • Active TCP/UDP connections
  • Automatic anomaly detection
  • Alerts via email / Discord / Slack

🚨 How to detect anomalies

Common warning signals:

DDoS attack / SYN flood

# Count pending connections (SYN_RECV); -H keeps the header line out of the count
ss -Htn state syn-recv | wc -l

If > 50 → probable SYN flood attack. Check with your hosting provider.

Too many connections from one IP

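# Top 5 peers by connection count (port stripped from the last colon, so IPv6 peers group correctly)
ss -Htn | awk '{sub(/:[^:]*$/, "", $5); print $5}' | sort | uniq -c | sort -rn | head -5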

If an IP has more than 100 connections, block it.
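
The SYN_RECV check and the per-IP check above, combined into one script that can run from cron. This is an added example, not part of the original guide: the function names and the sample lines are constructed, and only the thresholds (50 and 100) come from the text.

```bash
# Thresholds quoted in the guide; tune them to your normal traffic.
SYN_LIMIT=50     # pending SYN-RECV sockets
PEER_LIMIT=100   # connections from a single peer IP

# Constructed sample in `ss -Htn` layout: State Recv-Q Send-Q Local Peer
sample_ss() {
  for i in $(seq 1 120); do
    echo "ESTAB 0 0 203.0.113.10:443 198.51.100.7:$((40000 + $i))"
  done
  for i in $(seq 1 60); do
    echo "SYN-RECV 0 0 203.0.113.10:80 192.0.2.$i:5555"
  done
  echo "ESTAB 0 0 [2001:db8::10]:22 [2001:db8::beef]:51000"
}

# Number of half-open (SYN-RECV) sockets in the ss output on stdin.
count_syn_recv() {
  awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# "count peer" for each peer above the limit; the port is stripped from the
# last colon so bracketed IPv6 peers are grouped correctly.
noisy_peers() {
  awk -v limit="${1:-$PEER_LIMIT}" '
    { peer = $5; sub(/:[^:]*$/, "", peer); seen[peer]++ }
    END { for (p in seen) if (seen[p] > limit) print seen[p], p }' | sort -rn
}

# Run both checks on stdin; returns 1 when either threshold is exceeded.
check_connections() {
  data=$(cat); rc=0
  syn=$(printf '%s\n' "$data" | count_syn_recv)
  peers=$(printf '%s\n' "$data" | noisy_peers)
  if [ "$syn" -gt "$SYN_LIMIT" ]; then echo "ALERT syn-recv=$syn"; rc=1; fi
  if [ -n "$peers" ]; then echo "ALERT peers over $PEER_LIMIT:"; echo "$peers"; rc=1; fi
  return "$rc"
}

# Live use: ss -Htn | check_connections
sample_ss | check_connections || true
```

The non-zero return status lets a cron job or monitoring agent raise an alert without parsing the text output.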

Suspicious outgoing traffic

sudo iftop -i eth0 -P

If you see your server sending lots of data to an unknown IP → potential malware or compromised server.

Unexpected open ports

sudo ss -tlnp

List all listening ports. If an unknown service is listening → immediate investigation.
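
One way to turn the listening-port check into a repeatable test is to compare the `ss -Htlnp` output against an allowlist. This is an added example, not part of the original guide: the allowlist reuses the ports named in the firewall advice (22, 80, 443), and the function names and sample lines are constructed.

```bash
# Ports expected to be reachable; adjust to the services you actually run.
ALLOWED_PORTS="22 80 443"

# Constructed sample in `ss -Htlnp` layout:
# State Recv-Q Send-Q Local:Port Peer:Port Process
sample_listeners() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1044,fd=7))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1044,fd=6))
LISTEN 0 4096 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 5 *:8081 *:* users:(("python3",pid=2210,fd=3))
LISTEN 0 4096 0.0.0.0:19999 0.0.0.0:* users:(("netdata",pid=1500,fd=5))
EOF
}

# Print "port address process" for listeners that are not bound to loopback
# and whose port is missing from the allowlist (first argument or default).
unexpected_listeners() {
  awk -v allowed="${1:-$ALLOWED_PORTS}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      addr = $4; port = $4
      sub(/:[^:]*$/, "", addr)     # drop ":port" (works for bracketed IPv6)
      sub(/^.*:/, "", port)        # keep only the port
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only service
      if (port in ok) next
      proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*$/, "", proc)
      print port, addr, (proc == "" ? "unknown" : proc)
    }' | sort -n
}

# Live use: sudo ss -Htlnp | unexpected_listeners
sample_listeners | unexpected_listeners
```

Without root, `ss` omits the process column and the listener is reported as `unknown`. In the sample, the Netdata dashboard on 19999 is flagged because it is not in the allowlist.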

🛡️ Security best practices

  • Configure a firewall: ufw enable, only allow necessary ports (22, 80, 443)
  • Install fail2ban to automatically block IPs that spam SSH
  • Monitor regularly with vnstat (daily cron) or Netdata (auto alerts)
  • Update your system weekly: sudo apt update && sudo apt upgrade
  • Disable SSH password login, use SSH keys only
  • Centralized logs: send your logs (auth, ufw, etc.) to an external log server for later analysis
  • Use a WireGuard VPN for admin connections (less exposed than SSH open to the internet)

🚀 Monitor a LordHosting VPS

If you manage a LordHosting KVM VPS, you can install all these tools directly via SSH. Our infrastructure includes Anti-DDoS Netrix protection active 24/7, but application monitoring remains your responsibility.

For advanced users, our Ryzen VPS offers optimal performance to host a monitoring dashboard like Netdata or Grafana without impacting your other services.

Discover our KVM VPS plans →

📋 Quick recap — which tool for which need?

| Need | Recommended tool | Basic command |
|---|---|---|
| View active connections | ss | ss -tn |
| Top consumers in real time | iftop | sudo iftop -i eth0 |
| Simple visual overview | nload | nload eth0 |
| Monthly statistics | vnstat | vnstat -m |
| Packet-by-packet debug | tcpdump | sudo tcpdump -i eth0 |
| Deep analysis | Wireshark | On PC, .pcap file |
| 24/7 dashboard + alerts | Netdata | Web :19999 |

By following this guide, you now know how to observe, inspect, detect and react to any suspicious traffic on your VPS. Cybersecurity starts with visibility.

To go further, check our Discord bot installation guide or how to install Azuriom on a VPS.


LordHosting is an association under the following RNA number W941016871.
Copyright © 2025 LordHosting.