What is flowtop?
////////////////

flowtop is a top-like connection tracking tool that can run on an end host or
router. It is able to present TCP or UDP flows that have been collected by the
kernel space netfilter framework. Hence, to enable flowtop you must have
netfilter/iptables running in some way. For instance, a minimal config to start
with could be:

  iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

Then, flowtop will receive flow information from the kernel. Unlike other tools
that use libpcap for sniffing all network traffic and performing connection
tracking, we let the kernel do this job in the first place. Hence, only data
gets transferred from kernel space to user space that is really relevant. The
communication between address spaces is performed by netlink that is
incorporated by libnetfilter-conntrack.

A typical output of flowtop with TCP flows can be seen here (note: line breaks
have been introduced for a better readability; reverse DNS of flow source has
been removed and marked with '****'):

Kernel netfilter TCP/UDP flow statistics, [+0]

  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:41536 (Norway, Oslo) =>
        mil01s07-in-f30.1e100.net:80 (United States, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:35029 (Norway, Oslo) =>
        a195-176-255-146.deploy.akamaitechnologies.com:443 (Switzerland, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:35028 (Norway, Oslo) =>
        a195-176-255-146.deploy.akamaitechnologies.com:443 (Switzerland, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:35027 (Norway, Oslo) =>
        a195-176-255-146.deploy.akamaitechnologies.com:443 (Switzerland, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:35026 (Norway, Oslo) =>
        a195-176-255-146.deploy.akamaitechnologies.com:443 (Switzerland, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:35025 (Norway, Oslo) =>
        a195-176-255-146.deploy.akamaitechnologies.com:443 (Switzerland, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:35024 (Norway, Oslo) =>
        a195-176-255-146.deploy.akamaitechnologies.com:443 (Switzerland, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:https ->
     ****:34535 (Norway, Oslo) =>
        github.com:443 (United States, N/A)
  [11001/chromium-browser]:ipv4:tcp[ESTABLISHED]:http ->
     ****:40710 (Norway, Oslo) =>
        mil01s16-in-f31.1e100.net:80 (United States, N/A)
  [11001/chromium-browser]:ipv4:tcp[TIME_WAIT]:http ->
     ****:40711 (Norway, Oslo) =>
        mil01s16-in-f31.1e100.net:80 (United States, N/A)
  [11001/chromium-browser]:ipv4:tcp[CLOSE]:http ->
     ****:36152 (Norway, Oslo) =>
        mil01s16-in-f24.1e100.net:80 (United States, N/A)

What you can see in a single line is the following:
 - PID and process name on your host, if available
 - If it's not available (i.e. on a router), it will say 'bridged(?)'
 - Internet protocol (ipv4, ipv6)
 - Transport protocol (tcp, udp, icmp, ...)
 - Connection state (of TCP in particular)
 - Estimated protocol (http, https, ssh, ...)
 - Reverse DNS and Port of flow source
 - Country and City if available of flow source
 - Reverse DNS and Port of flow destination
 - Country and City if available of flow destination

All lines in flowtop are sorted by connection state. If the list of flows exceed
the number of visible lines on your terminal, you can scroll up or down with
your arrow keys.
