The Linux kernel does not maintain counters for the number of network accesses issued per process or per thread.
As a consequence, it is not possible to analyze which process and/or thread causes most load in case that atop
shows a high utilization on one of your network interfaces.
The optional kernel module netatop can be loaded to gather statistics about the TCP and UDP packets that have been transmitted/received per process and per thread. As soon as atop discovers that this module is active, it shows columns in the generic screen for the number of transmitted and received packets per process. When the 'n' key is pressed, it shows detailed counters about the number packets transmitted/received via TCP and UDP, the average sizes of these packets, and the total bandwidth consumed for input and output per process/thread.
The daemon netatopd is packaged with the netatop kernel module.
This daemon takes care that information is gathered about processes that are finished.
For every finished process that has transferred network packets, a binary record is written to a dedicated logfile.
The added records in the logfile are read by atop with every sample to show information about
the network activity of finished processes as well.
The netatopd daemon tries to limit the consumed disk space for the logfile by compressing the binary records, by truncating the file as soon as no atop processes are running any more, and by refusing to write more records when the concerning filesystem has 5% or less free space left.
The daemon is started automatically in the init script after the kernel module has been loaded. However, the kernel module netatop can be used without the netatopd daemon.
The kernel module netatop uses the netfilter interface, offered by the kernel. It is called for the network packets that pass the IP layer. For every packet, netatop tries to identify the process and thread involved. However, this is only possible from the moment that at least one packet has been transmitted for this connection (TCP) or port (UDP) within the context of the concerning process/thread. In the 'file' /proc/netatop counters can be found reflecting the number of unidentified packets.
For performance reasons, atop deliberately does not use the pcap library (user-level analysis). All packet analysis is done in kernel mode by the netatop module, which makes this feature suitable for permanent monitoring.
Find more details about the netatop module and netatopd daemon in the man-pages after installation.