Linux Network Commands Used In Network Troubleshooting

In the previous post we talked about Linux process management; in this post we will talk about Linux network commands and how to use them to troubleshoot your network.

From packet errors to stream failures, from connectivity errors to missing routes: once you have confirmed that the physical network is working, the next step is to troubleshoot the network itself, and that brings us to our topic, the Linux network commands and how to use them for that.

We are going to cover the most used Linux network commands. This is the basic network toolkit, so we will discuss the essential commands in this post and cover more Linux network commands in future posts.

Our main points are:

The ping command

The dig and host commands

The traceroute command

The mtr command

The ss command

The iftop command

The arp command

Packet analysis with tcpdump

The ping command

The ping command is one of the most used Linux network commands in network troubleshooting. It is used to check whether a specific IP address can be reached or, in other words, whether there is a working connection to it.

$ ping <IP address or domain>

The ping command works by sending an ICMP echo request to the specified destination and waiting for the echo reply, which verifies network connectivity.

$ ping google.com

This output shows a successful ping; each line describes the round trip of one echo request issued by our system to google.com.

This command also measures the response time, or latency. If there is no response at all, it is likely that one of the following applies:

  • There is a physical problem on the network itself
  • The target address is incorrect or the host is not functioning
  • The target machine is not honoring ping requests (ICMP echo is filtered or disabled)
  • The host routing table is incorrect

If you want to restrict the number of echo requests to, say, 3, you can do it like this:

$ ping -c 3 google.com

Here the ping command stops sending echo requests after 3 cycles.

There are some points that you should consider about the ping command. They do not necessarily indicate a problem, but they will influence the results of a ping test:

Distance to the target: if you live in the U.S. and you ping a server in Asia, you should expect that ping to take much longer than pinging a server in the U.S.

The connection speed: if your connection is slow, ping will take longer than it would over a fast connection.

The hop count: the number of routers the echo request travels across before reaching its destination.

The important rule about ping is that a low ping time is always desirable.
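Reading the loss percentage and average round-trip time out of the `ping -c` summary is the part you end up scripting in practice. The shell functions below are an added example, not code from the original post: `ping_summary` parses the statistics lines that iputils ping prints (the `rtt min/avg/max/mdev` line on Linux, `round-trip` on BSD systems) and `check_reachable` turns that into a pass/fail check against a loss threshold. The sample outputs are constructed here for the demonstration and the `192.0.2.x` addresses are documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example: parse the summary that `ping -c N` prints and turn it into a
# pass/fail reachability check. Not part of the original post.

# Read ping output on stdin, print "<loss_percent> <avg_rtt_ms>" on one line.
# Handles both the Linux "rtt min/avg/max/mdev" line and the BSD/macOS
# "round-trip min/avg/max/stddev" line; with 100% loss there is no rtt line.
ping_summary() {
    awk '
        /packet loss/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /%$/) { sub(/%/, "", $i); loss = $i }
        }
        /^rtt / || /^round-trip / { split($4, f, "/"); avg = f[2] }
        END {
            if (loss == "") loss = 100      # no summary line at all: treat as unreachable
            if (avg == "") avg = "n/a"
            print loss, avg
        }'
}

# check_reachable HOST [COUNT] [MAX_LOSS]: ping HOST COUNT times (default 3) and
# succeed only if packet loss is at or below MAX_LOSS percent (default 0).
check_reachable() {
    host=$1
    count=${2:-3}
    max_loss=${3:-0}
    # ping exits non-zero on loss; we still want its output, so ignore the status here
    out=$(ping -c "$count" "$host" 2>&1) || true
    set -- $(printf '%s\n' "$out" | ping_summary)
    loss=$1
    avg=$2
    printf 'host=%s loss=%s%% avg_rtt=%s ms\n' "$host" "$loss" "$avg"
    [ "$loss" -le "$max_loss" ]
}

# Constructed sample of a successful `ping -c 3` run (not real output from any host).
SAMPLE_PING_OK='PING example.test (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=117 time=14.1 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=117 time=15.4 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=117 time=16.8 ms

--- example.test ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 14.123/15.456/16.789/1.012 ms'

# Constructed sample of a run where every probe was lost.
SAMPLE_PING_LOST='PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.

--- 192.0.2.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2040ms'

if [ "${RUN_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_PING_OK"   | ping_summary    # 0 15.456
    printf '%s\n' "$SAMPLE_PING_LOST" | ping_summary    # 100 n/a
    check_reachable google.com 3 0 && echo reachable    # live run, needs network access
fi
```

Run it with `RUN_DEMO=1 sh ping_check.sh` to see the parsed samples and a live check. Treating a missing summary line as 100% loss is deliberate: a name that does not resolve, or a ping binary that refuses to run, should fail the check rather than pass it silently.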

The dig and host commands

The dig command can be used to verify DNS mappings, host addresses, and MX records, and to discover more about any potential reverse DNS issues that can give rise to spam and blacklisting.

The dig command was introduced to replace the nslookup command.

$ dig google.com

The default action of the dig command is to query for A records. You can request a specific record type instead, such as MX or NS records:

$ dig google.com MX

You can ask for all record types with an ANY query. Note that many name servers now answer ANY with a minimal or refused response, so do not rely on it returning everything:

$ dig google.com ANY

The dig command can also perform a reverse lookup, which returns the DNS information (the PTR record) for a specific IP address, like this:

$ dig -x 8.8.8.8

The dig command sends its queries to the name servers listed in /etc/resolv.conf.

The host command is similar to the dig command:

$ host -a google.com

Also, you can perform reverse lookups using the host command:

$ host 8.8.8.8

So both commands work in a similar way, but the dig command provides more advanced options and output that is easier to use in scripts.
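The reverse DNS problem mentioned above (PTR records that lead to spam filtering and blacklisting) comes down to one check: the PTR name of an address must resolve back to that address, which is called forward-confirmed reverse DNS. The script below is an added example built on `dig +short`, not code from the original post; it assumes `dig` is installed and reachable name servers are configured in /etc/resolv.conf. The exit codes (0 confirmed, 1 no PTR, 2 mismatch) are this example's own convention.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS (FCrDNS) check built on dig.
# Not code from the original post. Mail servers and blacklist operators expect
# the PTR name of an IP to resolve back to that IP; this function checks exactly that.

# Print the PTR name for IP (trailing dot removed), or nothing if there is none.
ptr_name() {
    dig +short -x "$1" | sed 's/\.$//' | head -n 1
}

# fcrdns_check IP: exit 0 if IP has a PTR record whose A records include IP,
# 1 if there is no PTR record, 2 if the PTR name does not resolve back to IP.
fcrdns_check() {
    ip=$1
    name=$(ptr_name "$ip")
    if [ -z "$name" ]; then
        printf '%s: no PTR record\n' "$ip"
        return 1
    fi
    # grep -x: the whole line must equal the IP, so 10.0.0.1 does not match 10.0.0.10
    if dig +short "$name" A | grep -qx "$ip"; then
        printf '%s -> %s -> %s: forward-confirmed\n' "$ip" "$name" "$ip"
        return 0
    fi
    printf '%s -> %s does not resolve back to %s\n' "$ip" "$name" "$ip"
    return 2
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    fcrdns_check 8.8.8.8     # the resolver used in the post; needs network access
fi
```

Run `RUN_DEMO=1 sh fcrdns.sh` for a live check, or call `fcrdns_check` on your own mail server's address from a cron job and alert on a non-zero exit; a PTR that quietly stops matching after an IP change is exactly the case that ends in a blacklist entry.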

The traceroute command

The traceroute command is one of the most useful Linux network commands. It is used to show the path to a remote destination and the delay that occurs at every hop. This command basically helps in:

  • Providing the names and addresses of every device on the path
  • Reporting network latency and identifying at which device the latency occurs

$ traceroute google.com

The first line of the output shows the specified host, its IP address, the maximum number of hops, and the size of the packets that will be used. The subsequent lines show the hop number, hostname, IP address, and the round-trip times of the probe packets.

You can also skip the reverse DNS lookups with the -n option, which makes the trace faster and shows IP addresses only.

$ traceroute -n google.com

The traceroute command is useful in discovering network bottlenecks. If you begin to see asterisks (*), there is a potential problem routing to that host, as an asterisk means no reply came back for that probe (packet loss or a dropped packet).

By default the traceroute command sends UDP probes. However, there are three different types of traceroute probes: UDP, TCP, and ICMP.

If you want to use the ICMP variation, it can be used like this:

$ sudo traceroute -I google.com


To use the TCP variation, it can be used like this:

$ sudo traceroute -T google.com


Some networks block UDP probes, so you can use one of these methods instead. Consider sending your probes using UDP, ICMP, and TCP in turn to get around filtering on the path, since routers and firewalls along the way may treat each probe type differently.

The mtr command

On some Linux systems you will need to run this command as the root user. The mtr command is an alternative to the traceroute command:

$ mtr google.com

The output may look similar to traceroute, but the display is updated in real time. So unlike traceroute, which takes a snapshot of a single trip, mtr lets you collect data over a longer period of time.

Moreover, as an alternative to real-time updates, mtr also provides a reporting option that sends 10 packets to each hop encountered and prints the results, like this:

$ mtr --report google.com


This command provides considerably more detail than traceroute.

Monitoring network connections with the ss command

The socket statistics command ss is the successor to netstat; it is not only faster, but it is also able to display more information.

Unlike netstat, which obtains its information from the various files contained within the /proc directory, the ss command obtains its information directly from the kernel through the netlink interface.

$ ss | less


This command outputs all TCP, UDP, and UNIX socket connections, with an optional pipe to less so that the results can be paged on screen.

You can combine this command with the -t, -u, or -x option to show TCP, UDP, or UNIX sockets respectively. Add the -a option to any of those to show both the connected and the listening sockets.

$ ss -ta

You can display all established IPv4 TCP sockets like this:

$ ss -t4 state established

You can show all TCP sockets in the closed state like this:

$ ss -t4 state closed

You can use the ss command to show all connections from a remote IP address:

$ ss dst XXX.XXX.XXX.XXX

And you can filter it to a specific port like this:

$ ss dst XXX.XXX.XXX.XXX:22
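One check that falls straight out of the listening-socket view is comparing what the host actually listens on against what you expect it to listen on. The function below is an added example and not code from the original post: it runs `ss -tlnH` (TCP, listening only, numeric ports, no header) and prints every listener whose port is not in the allowlist you pass as arguments, together with the address it is bound to, since a service on 0.0.0.0 or [::] is reachable from the network while one on 127.0.0.1 is not. The sample `ss` output used in the test is constructed. The allowlist ports 22 and 631 in the demo are just an assumed baseline.

```shell
#!/bin/sh
# Added example: compare the TCP ports this host is listening on against a
# list of ports you expect, using `ss -tlnH`. Not code from the original post.
# -t TCP, -l listening sockets only, -n numeric ports, -H no header line.

# audit_listeners PORT [PORT ...]: print every listening TCP socket whose port
# is not in the argument list, including the address it is bound to.
# Returns 1 if anything unexpected was found, 0 otherwise.
audit_listeners() {
    ss -tlnH | awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # field 4 is Local Address:Port, e.g. 0.0.0.0:22 or [::]:22;
        # the port is whatever follows the last colon
        {
            m = split($4, f, ":")
            port = f[m]
            if (!(port in ok)) { print "unexpected listener: " $4; bad++ }
        }
        END { exit (bad > 0) }'
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    # assumed baseline for this host: ssh and the local CUPS port; adjust to yours
    audit_listeners 22 631 && echo "no unexpected listeners"
fi
```

Keep the allowlist per host role and run the function from a cron job or a configuration-management check; a new listener showing up between runs is worth explaining before it is added to the baseline.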

The iftop command

The iftop utility is used to monitor traffic on a named interface and display the results in real time.

You can download the tool like this:

$ wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz

Then extract it:

$ tar zxvf iftop-0.17.tar.gz

Then compile and install it:

$ cd iftop-0.17
$ ./configure
$ make
$ sudo make install

If you get any errors about libpcap, you need the libpcap development package. On Red Hat based systems:

$ yum install libpcap-devel

On Debian or Ubuntu:

$ apt-get install libpcap-dev

And you can run the tool as the root user like this:

$ sudo iftop -i <interface>


You will see a table with real-time data about your traffic.

Add the -P option to iftop to show the ports as well:

$ sudo iftop -P


By default, iftop displays rates in bits/sec. To display them in bytes/sec, use the -B option:

$ iftop -B


There are a lot more options; you can check them with man iftop.

arp command

Systems keep an ARP look-up table where they store info about what IP addresses are associated with what MAC addresses. When trying to send a packet to an IP address, the system will first check this table to see if it already knows the MAC address. If there is a value cached, ARP is not used.

The Linux arp command is used to view or modify the ARP table:

$ arp


By default the arp command shows hostnames; you can show IP addresses instead with -n:

$ arp -n


You can delete an entry from the ARP table by giving the IP address (or hostname) of the entry, like this:

$ arp -d <ip_address>
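Since the table caches which MAC answers for which IP, the thing worth checking in it is a MAC that answers for more than one IP. One MAC behind several addresses can be perfectly normal (a router answering for several addresses it owns), but your gateway's IP suddenly sharing a MAC with some other host on the LAN is a table entry you want to look at. The function below is an added example, not code from the original post; it parses `arp -n` output, skips "(incomplete)" entries that have no hardware address yet, and prints every MAC mapped to more than one IP. The ARP table in the test is constructed and uses locally administered `02:00:…` MAC addresses.

```shell
#!/bin/sh
# Added example: report MAC addresses that the ARP table maps to more than one
# IP address, using `arp -n`. Not code from the original post.

# arp_shared_macs: print "mac: ip ip ..." for every MAC that appears on more than
# one line of `arp -n`; returns 1 if any such MAC exists, 0 otherwise.
arp_shared_macs() {
    arp -n | awk '
        # columns: Address HWtype HWaddress Flags Mask Iface; skip the header and
        # "(incomplete)" entries, which have no hardware address yet
        NR > 1 && $2 == "ether" {
            mac = tolower($3)
            count[mac]++
            ips[mac] = ips[mac] " " $1
        }
        END {
            for (mac in count)
                if (count[mac] > 1) { print mac ":" ips[mac]; dup++ }
            exit (dup > 0)
        }'
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    arp_shared_macs || echo "some MAC addresses are shared between IPs"
fi
```

Compare the output against what you know about the segment before acting on it: record the gateway's MAC once from a known-good state (`arp -n` on a quiet network) and alert when that IP later shows up with a different or shared hardware address.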

Packet analysis with tcpdump

One of the most important Linux network commands is tcpdump. The tcpdump command is a packet analyzer that is able to capture and describe the traffic being transmitted across a network interface.

This access to the packets themselves, the deepest level of the network, can be vital when troubleshooting.

$ tcpdump -i <device_name>

You can also specify a protocol (TCP, UDP, ICMP and others) like this:

$ tcpdump -i <device_name> tcp

Also, you can specify the port:

$ tcpdump -i <device_name> port 22

tcpdump will continue running until it is interrupted (Ctrl+C); it is usually preferable to use the -c option in order to capture a predetermined number of packets, like this:

$ tcpdump -c 10 -i <device_name>

You can also capture only the traffic from or to a specific IP address using the src or dst filter:

$ tcpdump -c 10 -i <device_name> src XXX.XXX.XXX.XXX

You can obtain the device names like this:

$ ifconfig


You can save the captured traffic to a file with the -w option and read it later:

$ tcpdump -w <capture.pcap> -i <device_name>

And to read that file:

$ tcpdump -r <capture.pcap>

I hope that the Linux network commands we have discussed in this post help you diagnose some of your network problems and make the right decisions.

Thank you.