iftop tool view
You can use the sar -n DEV 1 5 command to obtain the network card-level traffic graph. In the command, 1 5 means that the value is taken once every second, for a total of 5 times.
After the command is executed, the average data of the five values of each network card will be listed, and the name of the network card with full bandwidth will be determined according to the actual situation. By default, eth0 is the internal network card, and eth1 is the external network card.
Install the iftop tool
yum install iftop -y
iftop -i eth1 -P
The -P parameter will display the port of the requested service, that is, which port of the server is used to establish the connection, and execute the iftop -i eth0 -P command to see the intranet traffic . 
As shown in the example above, through analysis, it is found that the most traffic consuming is the connection established by some ports on the server and the corresponding address, which generates a large amount of network traffic. Execute the netstat command to check the corresponding process of the corresponding port.
netstat - tunlp | grep port number
nethogs view
yum install nethogs -y- Assuming that the current eth1 network card is full, execute the command nethogs eth1 , you can see the network bandwidth of each process in the red box on the right, and the PID corresponding to the process is displayed in the red box on the left. Here you can determine what process is occupied system bandwidth.
If it is determined to be a malicious program, the program can be terminated by kill -TERM <PID>