Nethogs is great when you need to determine what processes are transferring data or how much they're transferring. I got curious how it works, so I ran it through strace and looked through the source. /proc/net/tcp lists all established TCP connections. It includes local and remote addresses and ports and the inode for the socket. Nethogs sniffs traffic and associates it with its entry in /proc/net/tcp. It takes the inode from there and scans through /proc//fd/ looking for the file descripter that has that inode to determine which process has the socket open. Once it finds the process it adds it to a table of inode to process id mappings so it doesn't have to scan through /proc again the second time a packet for that connection comes through.