In the previous post, we talked about Linux process management. In this post, we will talk about Linux network commands and how to troubleshoot your network.
Once you have confirmed that the physical network is working, the next step is to troubleshoot the network itself, which brings us to our topic: Linux network commands and how to use them to troubleshoot your network.
We are going to cover the most used Linux network commands.
The ping command is one of the most used Linux network commands in network troubleshooting. It checks whether a specific host or IP address can be reached, that is, whether there is a working path to it and back.
ping works by sending ICMP echo requests to the specified destination and waiting for the ICMP echo replies, which verifies basic network connectivity.
$ ping google.com
A successful ping prints one line per reply, each describing the round trip of an echo request from our system to google.com and back, followed by a summary of packets sent, received and lost.
ping reports the round-trip time of each reply and, in the summary, the minimum, average and maximum. If there is no response at all, one of the following is likely:
- There is a physical problem on the network itself.
- The address is wrong, or the target is down.
- The target (or a firewall in front of it) does not answer ICMP echo requests; many hosts are configured this way, so a silent host is not necessarily a dead one.
- The host routing table is incorrect.
If you want to limit the number of echo requests made to 3, you can do it like this:
$ ping -c 3 google.com
Here ping stops after 3 echo requests and prints the summary.
There are some factors you should keep in mind about ping. They do not necessarily mean that there is a problem, but they influence the results of a ping test.
Distance to the target: if you are in the U.S. and ping a server in Asia, expect a much higher round-trip time than when pinging a server in the U.S.
Connection speed: on a slow or congested link, ping takes longer than on a fast one.
Hop count: the number of routers the echo request passes through before reaching its destination; each one adds a little delay.
The simple rule about ping is that a low round-trip time is always desirable, and what usually matters in troubleshooting is a change from the value you normally see for that path.
dig and host commands
You can use the dig command to query DNS directly: verify name-to-address mappings, look up MX records and other record types, and investigate reverse DNS (PTR) problems, which for a mail server can lead to its messages being treated as spam or to blacklisting.
dig was developed as a replacement for the nslookup command.
$ dig google.com
By default dig queries for A records; you can ask for a specific record type such as MX or NS by adding it after the name:
$ dig google.com MX
You can ask for every record type with an ANY query, although many authoritative servers now answer ANY with a deliberately minimal response (RFC 8482) or refuse it, so do not rely on it for a complete listing:
$ dig google.com ANY
You can use dig to perform a reverse lookup, that is, find the name registered for a specific IP address, with -x:
$ dig -x 18.104.22.168
dig sends its queries to the servers listed in /etc/resolv.conf unless you name a server on the command line with the @server syntax, which is useful for comparing what different resolvers return.
The host command is similar to dig; -a asks for all record types with verbose output.
$ host -a google.com
Also, you can perform reverse lookups using host command.
$ host 22.214.171.124
So both commands work in a similar way, but dig provides more advanced options and output that is easier to script against.
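To make the reverse-lookup and spam/blacklisting points concrete, here is an added Python example (not code from the original post) that builds the in-addr.arpa / ip6.arpa name that dig -x queries behind the scenes, and then runs the forward-confirmed reverse DNS (FCrDNS) check that mail receivers apply: the PTR of the sending IP must name a host whose A/AAAA record points back at that IP. The resolver is injected as a function, and the zone data below is a constructed table (assumed, not real DNS) so the example runs offline; on a live system you would plug in a real resolver in its place.

```python
"""Reverse-DNS helpers: what `dig -x` asks for, and the FCrDNS check.

Added example, not part of the original post. The zone data is constructed.
"""
from __future__ import annotations

import ipaddress


def reverse_name(ip: str) -> str:
    """Build the PTR owner name that `dig -x` queries: octets reversed under
    in-addr.arpa for IPv4, all 32 nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")   # leading zeros are kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def fcrdns(ip: str, lookup) -> tuple[bool, str]:
    """Forward-confirmed reverse DNS: the PTR of `ip` must name a host whose
    A/AAAA records include `ip` again. `lookup(name, rtype)` returns a list
    of strings; here it reads a constructed table, in practice a resolver."""
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return False, "no PTR record"
    rtype = "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"
    for name in ptrs:
        if ip in lookup(name, rtype):
            return True, name
    return False, f"PTR {ptrs[0]} does not resolve back to {ip}"


# Constructed zone data (assumption, not real DNS): a well-configured mail
# host, a host whose PTR names something that resolves elsewhere, and no PTR.
_ZONE = {
    ("10.0.5.4.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["4.5.0.10"],
    ("20.0.5.4.in-addr.arpa", "PTR"): ["mx.example.org"],
    ("mx.example.org", "A"): ["4.5.0.99"],
}


def table_lookup(name: str, rtype: str) -> list[str]:
    return _ZONE.get((name, rtype), [])


def check_hosts(ips: list[str], lookup=table_lookup) -> dict[str, tuple[bool, str]]:
    """Run FCrDNS over several addresses; a mail server failing it is
    commonly scored as spam or blocklisted by receivers."""
    return {ip: fcrdns(ip, lookup) for ip in ips}


if __name__ == "__main__":
    print(reverse_name("4.5.0.10"), reverse_name("2001:db8::1"))
    for ip, (ok, why) in check_hosts(["4.5.0.10", "4.5.0.20", "4.5.0.30"]).items():
        print(ip, "OK" if ok else "FAIL", why)
```

To run it against real DNS, replace table_lookup with a function that shells out to dig +short (or uses a DNS library) and returns the answers as a list of strings.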
The traceroute command is one of the most useful Linux network commands. It shows the path to a remote destination and the delay at every hop along the way. It basically helps in:
- Providing the name and IP address of every router on the path.
- Reporting network latency and identifying the hop at which the latency appears.
$ traceroute google.com
The first line of the output shows the target host, the maximum number of hops that will be tried and the size of the probe packets. Each subsequent line shows the hop number, hostname, IP address and the round-trip time of each of the three probes sent to that hop.
You can skip the reverse DNS lookup of each hop with the -n option, which also makes the trace faster:
$ traceroute -n google.com
traceroute is useful for discovering network bottlenecks. If you see asterisks (*) in place of a time, that probe got no reply within the timeout. Asterisks on the final hops mean packet loss or a problem routing to that host; a hop in the middle that shows only asterisks while later hops still answer is usually a router that does not send (or rate-limits) ICMP time-exceeded messages, which is not a fault.
By default traceroute sends UDP probes to high-numbered ports, but there are three variants of the probe: UDP, TCP and ICMP.
If you want ICMP echo probes, the same kind of packet ping sends, use -I (root is needed for the raw socket):
$ sudo traceroute -I google.com
To use TCP SYN probes, which look like ordinary connection attempts to a firewall, use -T:
$ sudo traceroute -T google.com
Some networks block the UDP probes, so one of these variants may get through where the default does not.
If one variant shows asterisks all the way to the end, try the others before concluding that the path is broken; each variant can be filtered differently along the way.
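The asterisk rule above is easy to misread when scanning a long trace, so here is an added Python example (not code from the original post) that parses traceroute's text output and separates the harmless case (a silent hop in the middle) from the real one (starred hops running to the end), and also finds the hop where the largest latency step is introduced. The sample trace is constructed from documentation addresses and is not a real path.

```python
"""Interpret traceroute output: which starred hops are real problems.

Added example, not code from the original post. Parses the format traceroute
prints (three probes per hop, `*` for an unanswered probe) from a constructed
sample, so it runs without network access.
"""
from __future__ import annotations

import re

# Constructed sample (assumption: documentation addresses, not a real trace).
SAMPLE = """\
traceroute to example.net (203.0.113.80), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  0.412 ms  0.501 ms  0.488 ms
 2  10.20.0.1 (10.20.0.1)  9.120 ms  8.944 ms  9.301 ms
 3  * * *
 4  203.0.113.17 (203.0.113.17)  12.004 ms  11.876 ms  12.210 ms
 5  198.51.100.9 (198.51.100.9)  88.540 ms  *  89.102 ms
 6  * * *
 7  * * *
"""

_RTT = re.compile(r"([0-9.]+) ms")


def parse_traceroute(text: str) -> list[dict]:
    """One dict per hop: hop number, address (None if silent), RTTs, probes lost."""
    hops = []
    for line in text.splitlines()[1:]:            # skip the header line
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        rtts = [float(v) for v in _RTT.findall(line)]
        lost = tokens.count("*")
        addr = None
        for tok in tokens[1:]:
            if tok.startswith("(") and tok.endswith(")"):
                addr = tok[1:-1]                  # "name (address)" form
                break
        if addr is None and lost < 3 and len(tokens) > 1:
            addr = tokens[1]                      # -n form: bare address
        hops.append({"hop": int(tokens[0]), "addr": addr, "rtts": rtts, "lost": lost})
    return hops


def diagnose(hops: list[dict]) -> dict:
    """Classify starred hops and find the biggest latency step.

    A hop that answers nothing while later hops still answer is a router that
    does not send ICMP time-exceeded (or rate-limits it): harmless. Starred
    hops that run to the end of the trace mean probes or replies are dropped
    somewhere after the last responding hop."""
    last_answering = max((h["hop"] for h in hops if h["rtts"]), default=0)
    silent_ok = [h["hop"] for h in hops if not h["rtts"] and h["hop"] < last_answering]
    partial_loss = [h["hop"] for h in hops if h["rtts"] and h["lost"]]
    trailing = [h["hop"] for h in hops if h["hop"] > last_answering]
    # RTT is cumulative along the path, so compare the best RTT of consecutive
    # answering hops; the largest increase is where the delay is introduced.
    answering = [h for h in hops if h["rtts"]]
    jump_at, jump_ms = None, 0.0
    for prev, cur in zip(answering, answering[1:]):
        step = min(cur["rtts"]) - min(prev["rtts"])
        if step > jump_ms:
            jump_at, jump_ms = cur["hop"], step
    return {
        "silent_but_harmless": silent_ok,
        "partial_loss": partial_loss,
        "unreachable_after_hop": last_answering if trailing else None,
        "largest_jump": (jump_at, round(jump_ms, 3)),
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_traceroute(SAMPLE)).items():
        print(f"{key}: {value}")
```

Feed it real output with parse_traceroute(subprocess.check_output(["traceroute", host], text=True)); the per-hop RTT spike heuristic is only indicative, since a router that answers time-exceeded slowly from its control plane shows a spike that does not persist at later hops.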
The mtr command combines the functions of ping and traceroute and is an alternative to the traceroute command. On some Linux systems you will need to run it as root.
$ mtr google.com
The output looks similar to traceroute, but it is updated continuously in real time. So unlike traceroute, which takes a snapshot of a single trip, mtr keeps probing and lets you collect loss and latency statistics over a longer period.
mtr also has a report mode that sends 10 packets to each hop encountered, prints the statistics once and exits:
$ mtr --report google.com
This gives considerably more detail than a single traceroute run, in particular a packet-loss percentage and best, average and worst round-trip times per hop.
Monitoring network connections with the ss command
The socket statistics command ss is the replacement for netstat; it is not only faster, but also able to display more information.
Unlike netstat, which reads the files under /proc/net, ss gets its information directly from the kernel through a netlink socket.
$ ss | less
With no options, ss lists the connected (non-listening) TCP, UDP and UNIX sockets; piping the result to less keeps the output readable on screen.
You can combine it with -t, -u or -x to show TCP, UDP or UNIX sockets respectively, and add -a to show listening sockets as well as connected ones. For a quick security review of a host, -l restricts the list to listening sockets, -n skips name resolution and -p shows the process owning each socket (root is needed to see processes of other users).
$ ss -ta
You can display all established IPv4 TCP sockets like this:
$ ss -t4 state established
You can show all TCP sockets in the closed state like this:
$ ss -t4 state closed
You can use ss to show all sockets connected to a remote IP address (dst matches the peer address):
$ ss dst XXX.XXX.XXX.XXX
And you can narrow that to a specific remote port like this:
$ ss dst XXX.XXX.XXX.XXX:22
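The question a security reviewer usually asks ss is "what is listening on every interface that should not be?". Here is an added Python example (not code from the original post) that parses the column format of ss -tulnpH (TCP and UDP, listening only, numeric, with owning process, no header) and reports sockets bound to 0.0.0.0, * or [::] that are not on an allowlist. The sample output is constructed; on a live host you would feed it subprocess.run(["ss", "-tulnpH"], capture_output=True, text=True).stdout, run as root so every process name is visible.

```python
"""Audit listening sockets from `ss -tulnpH` output.

Added example, not code from the original post. The sample is constructed
in the format ss prints: Netid State Recv-Q Send-Q Local:Port Peer:Port Process.
"""
from __future__ import annotations

import re

# Constructed sample (assumption): a server with one service bound too widely.
SAMPLE = """\
udp   UNCONN 0      0         127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0               0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=701,fd=6))
tcp   LISTEN 0      128             0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096          127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=903,fd=6))
tcp   LISTEN 0      4096                  *:9200            *:*    users:(("java",pid=1044,fd=212))
tcp   LISTEN 0      128                [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511               [::1]:5432         [::]:*    users:(("postgres",pid=1203,fd=7))
"""

_PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}   # "bound to every interface"


def parse_ss(text: str) -> list[dict]:
    """One dict per socket: proto, state, bind address, port, process, pid."""
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        host, port = cols[4].rsplit(":", 1)      # works for [::]:22 and *:9200 too
        host = host.split("%")[0]                # drop an interface scope like %lo
        m = _PROC.search(line)
        sockets.append({
            "proto": cols[0], "state": cols[1], "bind": host, "port": int(port),
            "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return sockets


def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in {"[::1]", "::1"}


def exposed_listeners(text: str, allowed_ports=frozenset({22})) -> list[dict]:
    """Sockets reachable from every interface whose port is not expected to be public."""
    return [s for s in parse_ss(text)
            if s["bind"] in WILDCARDS and s["port"] not in allowed_ports]


def report(text: str, allowed_ports=frozenset({22})) -> list[str]:
    """Human-readable findings, one per exposed socket."""
    return [f"{s['proto']} port {s['port']} ({s['process']}, pid {s['pid']}) "
            f"is bound to {s['bind']}, reachable from all interfaces"
            for s in exposed_listeners(text, allowed_ports)]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Loopback-only binds (127.0.0.1:6379, [::1]:5432 above) are the safe pattern for local services; anything on a wildcard address that is not on the allowlist is worth a host firewall rule or a tighter bind address.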
The iftop utility monitors the traffic on a named interface and displays real-time results, listing the pairs of hosts that are talking and the rate in each direction.
Most distributions package it, so try your package manager first (apt install iftop or yum install iftop). If you prefer to build it from source, download it like this:
$ wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Then extract it:
$ tar zxvf iftop-0.17.tar.gz
Then configure, compile and install it:
$ cd iftop-0.17
$ ./configure
$ make
$ sudo make install
If configure complains about libpcap, install the libpcap development package (libpcap-devel on yum-based systems, libpcap-dev on apt-based ones):
$ sudo yum install libpcap-devel
And you can run the tool as a root user like this:
$ sudo iftop -i <interface>
You will see a table with real-time data about your traffic: one line per pair of hosts, with the rate in each direction averaged over the last 2, 10 and 40 seconds.
Add the -P option to show port numbers as well as hosts:
$ sudo iftop -P
By default iftop displays rates in bits/sec. To display bytes/sec, use -B:
$ sudo iftop -B
There are a lot of other options; you can check them in man iftop.
Systems keep an ARP table (the neighbour cache) that stores which IP addresses on the local network correspond to which MAC addresses. When sending a packet to an IP address on the local subnet, the system first checks this table; if an entry is cached, no ARP request is sent. ARP has no authentication, so the cache trusts whatever reply arrived last, which is exactly what ARP spoofing on a LAN exploits.
The Linux arp command is used to view or modify the ARP table. It is part of the deprecated net-tools package; the iproute2 equivalent is ip neigh.
By default arp shows hostnames; you can show IP addresses instead like this:
$ arp -n
You can delete an entry from the ARP table by giving its IP address (or hostname), not its MAC address:
$ sudo arp -d <ip_address>
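Because the cache trusts the last reply, the useful check is not a single arp -n listing but the difference between two of them. The added Python example below (not code from the original post) parses two constructed arp -n snapshots and flags the two classic poisoning signs: an entry whose MAC changed, most seriously the default gateway's, and one MAC answering for several IP addresses. The addresses and MACs are made up; on a live system you would capture the snapshots with subprocess.run(["arp", "-n"], capture_output=True, text=True).stdout a few minutes apart.

```python
"""Spot ARP cache poisoning from two `arp -n` snapshots.

Added example, not code from the original post. Snapshots are constructed
text in the layout `arp -n` prints.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed snapshot 1 (assumption): normal state, gateway is 192.168.1.1.
BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.21             ether   aa:bb:cc:dd:ee:02   C                     eth0
192.168.1.50                     (incomplete)                              eth0
"""

# Constructed snapshot 2: the host at .21 has sent forged replies claiming the
# gateway's IP, so our cache now sends gateway-bound traffic to its MAC.
AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:02   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.21             ether   aa:bb:cc:dd:ee:02   C                     eth0
"""


def parse_arp(text: str) -> dict[str, str]:
    """Map IP -> MAC from `arp -n` output, skipping the header line and
    entries that never received a reply ("(incomplete)")."""
    table = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 3 and cols[1] == "ether":
            table[cols[0]] = cols[2].lower()
    return table


def macs_with_many_ips(table: dict[str, str]) -> dict[str, list[str]]:
    """A MAC answering for several IPs is either a multi-homed host or a spoofer."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(before: dict[str, str], after: dict[str, str]) -> list[tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for every IP whose MAC differs between snapshots."""
    return [(ip, before[ip], after[ip])
            for ip in sorted(before) if ip in after and before[ip] != after[ip]]


def audit(before_text: str, after_text: str, gateway: str) -> list[str]:
    """Findings a responder would act on, most serious first. A MAC change on
    the gateway is the classic man-in-the-middle sign, but it is also what a
    VRRP/HSRP failover looks like, so confirm against the switch's MAC table."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    findings = []
    for ip, old, new in changed_entries(before, after):
        level = "CRITICAL" if ip == gateway else "WARNING"
        findings.append(f"{level}: {ip} moved from {old} to {new}")
    for mac, ips in macs_with_many_ips(after).items():
        findings.append(f"WARNING: {mac} claims {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER, gateway="192.168.1.1"):
        print(finding)
```

The response to a confirmed poisoning is a static entry for the gateway (arp -s, or ip neigh replace with nud permanent) while the offending port is traced on the switch.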
Packet analysis with tcpdump
One of the most important Linux network commands is tcpdump. It is a packet analyzer that captures the traffic passing through a network interface and prints a description of each packet.
This access to the packets themselves, the deepest level of the network, can be vital when troubleshooting. Capturing needs root (or the CAP_NET_RAW capability), so the commands below must be run with sudo.
$ tcpdump -i <device_name>
You can also restrict the capture to a protocol (tcp, udp, icmp and others) with a filter expression:
$ tcpdump -i <device_name> tcp
Also, you can specify the port:
$ tcpdump -i <device_name> port 22
tcpdump keeps running until you stop it with Ctrl-C; it is better to use the -c option to capture a predetermined number of packets like this:
$ tcpdump -c 10 -i <device_name>
You can also restrict the capture by address: src selects packets coming from an IP address and dst packets going to one, and filter primitives can be combined with and, or and not.
$ tcpdump -c 10 -i <device_name> src XXX.XXX.XXX.XXX
You can obtain the device names with tcpdump -D, which lists the interfaces it is able to capture on.
You can save the captured traffic to a file with the -w option and read it later. The file is in pcap format, so it can also be opened in Wireshark; combine -w with -c, or the file grows until you stop the capture.
$ tcpdump -w <file.pcap> -i <device_name>
And to read that file:
$ tcpdump -r <file.pcap>
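To show what is actually on the wire in the ping section and what -w puts on disk, here is one added Python example serving both (not code from the original post). It builds an ICMP echo request, the packet ping sends, with a correct RFC 1071 checksum, wraps it in IPv4 and Ethernet headers, writes two of them (what ping -c 2 would send) to a pcap file in the format tcpdump -w produces and tcpdump -r or Wireshark read, then reads the file back and decodes each frame the way tcpdump prints icmp traffic, verifying both checksums. All addresses and MACs are made up, and nothing is sent on the network.

```python
"""What ping puts on the wire, and what `tcpdump -w` writes to disk.

Added example, not code from the original post. Addresses are constructed.
"""
import os
import struct
import tempfile
import time


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by IPv4 and ICMP headers alike.
    Run over data that already contains its checksum, it returns 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 code 0; ping matches replies to requests on (ident, seq)."""
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(head + payload), ident, seq) + payload


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; its checksum covers the header only."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def ethernet_frame(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    """Ethernet II frame with EtherType 0x0800 (IPv4)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + payload


PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps


def write_pcap(path: str, frames: list) -> None:
    """24-byte global header (link type 1 = Ethernet), then 16-byte record header + frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for frame in frames:
            now = time.time()
            fh.write(struct.pack("<IIII", int(now), int(now % 1 * 1_000_000), len(frame), len(frame)))
            fh.write(frame)


def read_pcap(path: str) -> list:
    """Return raw frames; header byte order is taken from the magic number."""
    with open(path, "rb") as fh:
        order = "<" if fh.read(4) == struct.pack("<I", PCAP_MAGIC) else ">"
        fh.read(20)                                # rest of the global header
        frames = []
        while rec := fh.read(16):
            incl_len = struct.unpack(order + "IIII", rec)[2]
            frames.append(fh.read(incl_len))
    return frames


def decode_icmp_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> ICMP, checking both checksums, as `tcpdump icmp` would."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1 or checksum(ip[:ihl]) != 0:
        raise ValueError("not ICMP or bad IPv4 header checksum")
    icmp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]   # bounded by IPv4 total length
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"src": dotted(ip[12:16]), "dst": dotted(ip[16:20]), "type": typ,
            "code": code, "id": ident, "seq": seq, "payload": icmp[8:]}


def demo() -> list:
    """Write what `ping -c 2` would send (constructed addresses) to a temporary pcap, read it back."""
    frames = [ethernet_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                             ipv4_packet("192.0.2.10", "198.51.100.5", 1,
                                         icmp_echo_request(0x4D2, seq, b"ping-payload")))
              for seq in (1, 2)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ping.pcap")
        write_pcap(path, frames)
        return [decode_icmp_frame(f) for f in read_pcap(path)]


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

A file written by write_pcap opens in tcpdump -r or Wireshark, which is a convenient way to check that a filter expression such as icmp or port 22 matches what you think it does before using it on live traffic.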
I hope that the Linux network commands we have discussed in this post help you troubleshoot your network problems and make the right decisions.