Network troubleshooting is an essential skill for Linux system administrators and DevOps engineers. This comprehensive guide covers systematic approaches, essential tools, and practical techniques to diagnose and resolve network issues efficiently. From basic connectivity checks to advanced packet analysis, master the art of network problem-solving in Linux environments.
Network Troubleshooting Tools Comparison
| Tool Category | Primary Tools | Purpose | Skill Level |
|---|---|---|---|
| Connectivity | ping, traceroute, mtr | Basic reachability and path analysis | Beginner |
| Interface Analysis | ip, ifconfig, ethtool | Interface status and configuration | Intermediate |
| Port & Service | netstat, ss, lsof, nmap | Service availability and port scanning | Intermediate |
| Packet Analysis | tcpdump, wireshark, tshark | Deep packet inspection | Advanced |
| Performance | iftop, nethogs, iperf | Bandwidth monitoring and testing | Intermediate |
| DNS & Resolution | dig, nslookup, host | DNS configuration and resolution | Intermediate |
Quick Reference:
• Start with basics:
• Check interface:
• Verify routing:
• Test DNS:
• Check listening ports:
• Always work systematically from local to remote
• Document findings and changes for future reference
• Start with basics:
ping google.com and ping 8.8.8.8• Check interface:
ip addr show or ifconfig• Verify routing:
ip route show or route -n• Test DNS:
nslookup google.com and dig google.com• Check listening ports:
ss -tuln or netstat -tuln• Always work systematically from local to remote
• Document findings and changes for future reference
Systematic Troubleshooting Methodology
Network Troubleshooting Process
Local Interface
→
IP Configuration
→
Routing
→
Local Network
→
Remote Network
→
Application
Essential Troubleshooting Tools
| Tool | Command Examples | Purpose | Key Output |
|---|---|---|---|
| ping | ping -c 4 8.8.8.8ping -c 4 google.com |
Basic connectivity testing | Reachability, latency, packet loss |
| traceroute | traceroute google.comtracepath google.com |
Network path analysis | Hop-by-hop path, latency |
| mtr | mtr google.commtr -r -c 10 google.com |
Continuous path monitoring | Real-time path statistics |
| ip/ifconfig | ip addr showifconfig eth0 |
Interface configuration | IP addresses, interface status |
| ss/netstat | ss -tulnnetstat -tuln |
Socket and port information | Listening ports, connections |
| dig/nslookup | dig google.comnslookup google.com |
DNS resolution testing | DNS records, resolution time |
Basic Connectivity Testing
ping - Basic Reachability
Test network connectivity and measure latency.
ping [options] destination
Common Operations:
ping -c 4 8.8.8.8- Test IP connectivityping -c 4 google.com- Test DNS and connectivityping -I eth0 google.com- Use specific interfaceping -s 1472 google.com- Test MTU path discovery
Examples:
# Basic connectivity test
ping -c 4 8.8.8.8
ping -c 4 google.com
# Continuous ping for monitoring
ping -c 100 -i 0.1 google.com
# Test with specific interface
ping -I eth0 google.com
ping -I wlan0 google.com
# MTU path discovery
ping -M do -s 1472 google.com
# Flood ping (use with caution)
ping -f -c 1000 192.168.1.1
# IPv6 testing
ping6 -c 4 2001:4860:4860::8888
# Timestamped output
ping -D -c 10 google.comtraceroute - Path Analysis
Trace network path to identify where connections fail.
traceroute [options] destination
Path Analysis:
# Basic path tracing
traceroute google.com
traceroute -n google.com # Don't resolve names
# Use ICMP instead of UDP
traceroute -I google.com
# Use TCP SYN (bypass firewalls)
traceroute -T google.com
# Specify initial TTL
traceroute -f 5 google.com # Start from hop 5
# Set maximum hops
traceroute -m 30 google.com
# Use specific port
traceroute -T -p 80 google.com
# Continuous monitoring with mtr
mtr google.com
mtr -r -c 10 google.com # 10 reports then exitmtr - Advanced Path Analysis
Combines ping and traceroute functionality for continuous monitoring.
mtr [options] destination
Advanced Features:
# Interactive mode
mtr google.com
# Report mode (non-interactive)
mtr -r -c 10 google.com > mtr_report.txt
# Use specific interface
mtr -i eth0 google.com
# TCP mode instead of ICMP
mtr -T google.com
# Specify packet size
mtr -s 1000 google.com
# IPv6 testing
mtr -6 ipv6.google.com
# CSV output for parsing
mtr -r -c 5 --csv google.com
# Show AS numbers
mtr -z google.comInterface & Configuration Analysis
Interface Status
Check network interface configuration and status.
ip addr show, ifconfig, ethtool
Interface Analysis:
# Show all interfaces (modern)
ip addr show
ip -br addr show # Brief output
# Show specific interface
ip addr show eth0
ip link show eth0
# Legacy commands
ifconfig
ifconfig eth0
# Interface statistics
ip -s link show eth0
ethtool eth0
# Check interface speed and duplex
ethtool eth0 | grep -E "Speed|Duplex"
# Show interface driver info
ethtool -i eth0
# Show interface statistics
ethtool -S eth0
# Check if interface is up
ip link show eth0 | grep stateRouting Analysis
Examine routing tables and gateway configuration.
ip route, route, traceroute
Routing Analysis:
# Show routing table
ip route show
ip route show table main
# Show specific route
ip route get 8.8.8.8
# Legacy routing commands
route -n
netstat -rn
# Check default gateway
ip route show | grep default
route -n | grep UG
# Add temporary route
sudo ip route add 192.168.2.0/24 via 192.168.1.1
# Remove route
sudo ip route del 192.168.2.0/24
# Flush routing cache
sudo ip route flush cache
# Show route cache
ip route show cacheDNS & Resolution
Diagnose DNS configuration and name resolution issues.
dig, nslookup, host, systemd-resolve
DNS Diagnostics:
# Test DNS resolution
dig google.com
dig google.com A
dig google.com MX
# Test specific DNS server
dig @8.8.8.8 google.com
dig @1.1.1.1 google.com
# Reverse DNS lookup
dig -x 8.8.8.8
nslookup 8.8.8.8
# Trace DNS resolution path
dig +trace google.com
# Check DNS configuration
cat /etc/resolv.conf
systemd-resolve --status
# Flush DNS cache
sudo systemd-resolve --flush-caches
# Test with nslookup
nslookup google.com
nslookup
> server 8.8.8.8
> google.com
> exitPort & Service Analysis
Port Scanning
Check open ports and service availability.
nmap, netcat, telnet
Port Scanning:
# Scan local machine
nmap localhost
nmap -sT localhost # TCP connect scan
# Scan specific ports
nmap -p 22,80,443 localhost
nmap -p 1-1000 localhost
# Scan remote host
nmap 192.168.1.100
nmap -A 192.168.1.100 # Aggressive scan
# Quick port test with netcat
nc -zv localhost 22
nc -zv 192.168.1.100 80
# Test with telnet
telnet localhost 22
telnet 192.168.1.100 80
# UDP port scanning
nmap -sU -p 53,123 localhost
# Service version detection
nmap -sV localhostSocket Statistics
Monitor active connections and listening services.
ss, netstat, lsof
Connection Monitoring:
# Show all listening ports
ss -tuln
netstat -tuln
# Show established connections
ss -t
ss -u
# Show process information
ss -tulnp
netstat -tulnp
# Show all TCP connections
ss -ta
# Show specific states
ss -t state established
ss -t state time-wait
# Monitor connections in real-time
watch -n 1 'ss -tuln'
# Show network statistics
ss -s
netstat -s
# Find process using port
lsof -i :80
lsof -i tcp:22Service Testing
Test specific services and application connectivity.
curl, wget, telnet, openssl
Service Diagnostics:
# Test HTTP service
curl -I http://localhost:80
curl -v http://google.com
# Test HTTPS service
curl -I https://google.com
openssl s_client -connect google.com:443
# Test database connectivity
telnet localhost 3306 # MySQL
telnet localhost 5432 # PostgreSQL
# Test SSH service
ssh -v user@localhost
ssh -o ConnectTimeout=5 user@hostname
# Test email services
telnet localhost 25 # SMTP
telnet localhost 143 # IMAP
# Download test
wget http://speedtest.ftp.otenet.gr/files/test1Mb.db
# Bandwidth testing
iperf3 -c iperf.he.net
speedtest-cliAdvanced Troubleshooting Tools
| Tool Category | Tools | Primary Use | Installation |
|---|---|---|---|
| Packet Analysis | tcpdump, wireshark, tshark | Deep packet inspection | sudo apt install tcpdump |
| Bandwidth Monitoring | iftop, nethogs, iperf3 | Real-time traffic analysis | sudo apt install iftop |
| Network Scanning | nmap, masscan, netcat | Port and service discovery | sudo apt install nmap |
| Performance Testing | iperf3, speedtest-cli | Bandwidth and throughput | sudo apt install iperf3 |
| Connection Monitoring | ss, netstat, lsof | Socket and process monitoring | Built-in |
Packet Analysis with tcpdump
Basic Packet Capture
Capture and analyze network traffic.
tcpdump [options] [expression]
Basic Capture:
# Capture on specific interface
sudo tcpdump -i eth0
# Capture specific number of packets
sudo tcpdump -c 10 -i eth0
# Capture to file
sudo tcpdump -w capture.pcap -i eth0
# Read from capture file
sudo tcpdump -r capture.pcap
# Capture with verbose output
sudo tcpdump -v -i eth0
sudo tcpdump -vv -i eth0
# Capture with ASCII output
sudo tcpdump -A -i eth0
# Capture with hex and ASCII
sudo tcpdump -XX -i eth0Filtered Capture
Capture specific traffic using filters.
tcpdump filter expressions
Filter Examples:
# Capture HTTP traffic (port 80)
sudo tcpdump -i eth0 port 80
# Capture traffic to/from specific host
sudo tcpdump -i eth0 host 192.168.1.100
sudo tcpdump -i eth0 src 192.168.1.100
sudo tcpdump -i eth0 dst 192.168.1.100
# Capture specific protocol
sudo tcpdump -i eth0 icmp
sudo tcpdump -i eth0 tcp
sudo tcpdump -i eth0 udp
# Capture on specific port range
sudo tcpdump -i eth0 portrange 1-1024
# Capture DNS traffic
sudo tcpdump -i eth0 port 53
# Capture SSH traffic
sudo tcpdump -i eth0 port 22
# Complex filters
sudo tcpdump -i eth0 "tcp port 80 and (src host 192.168.1.100 or dst host 192.168.1.100)"Performance Monitoring
Monitor network performance and bandwidth usage.
iftop, nethogs, iperf3
Performance Tools:
# Real-time bandwidth monitoring
sudo iftop -i eth0
# Monitor bandwidth by process
sudo nethogs eth0
# Bandwidth testing between hosts
# On server: iperf3 -s
# On client: iperf3 -c server_ip
# Test upload speed
iperf3 -c iperf.he.net -p 5201 -P 8
# Test download speed
iperf3 -c iperf.he.net -p 5201 -P 8 -R
# Monitor network statistics
sar -n DEV 1 # 1 second intervals
vnstat -l -i eth0
# Continuous monitoring
watch -n 1 'cat /proc/net/dev'Practical Troubleshooting Scenarios
Real-World Network Troubleshooting Examples
# 1. Complete Network Diagnostics Script
#!/bin/bash
echo "=== Network Diagnostics ==="
echo "1. Interface Status:"
ip addr show
echo -e "\n2. Routing Table:"
ip route show
echo -e "\n3. DNS Configuration:"
cat /etc/resolv.conf
echo -e "\n4. Listening Ports:"
ss -tuln
echo -e "\n5. Basic Connectivity:"
ping -c 2 8.8.8.8
ping -c 2 google.com
echo -e "\n6. DNS Resolution:"
nslookup google.com
# 2. Interface Issue Diagnosis
#!/bin/bash
INTERFACE="eth0"
echo "Checking interface $INTERFACE..."
ip link show $INTERFACE
ip addr show $INTERFACE
ethtool $INTERFACE | grep -E "Speed|Duplex|Link"
cat /sys/class/net/$INTERFACE/operstate
# 3. DNS Troubleshooting Script
#!/bin/bash
echo "Testing DNS resolution..."
for server in 8.8.8.8 1.1.1.1 9.9.9.9; do
echo "Testing $server:"
time dig @$server google.com | grep "Query time"
done
# 4. Port Connectivity Test
#!/bin/bash
PORTS=(22 80 443 3306 5432 6379)
HOST="localhost"
for port in "${PORTS[@]}"; do
if nc -zv $HOST $port 2>&1 | grep -q "succeeded"; then
echo "Port $port: OPEN"
else
echo "Port $port: CLOSED"
fi
done
# 5. Network Latency Monitoring
#!/bin/bash
echo "Monitoring network latency..."
while true; do
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
ping_result=$(ping -c 1 8.8.8.8 | grep "time=" | cut -d'=' -f4 | cut -d' ' -f1)
echo "$timestamp - Latency: $ping_result"
sleep 5
done
# 6. Bandwidth Usage Alert
#!/bin/bash
THRESHOLD=1000000 # 1 MB/s in bytes
INTERFACE="eth0"
RX=$(cat /sys/class/net/$INTERFACE/statistics/rx_bytes)
TX=$(cat /sys/class/net/$INTERFACE/statistics/tx_bytes)
sleep 1
RX_NEW=$(cat /sys/class/net/$INTERFACE/statistics/rx_bytes)
TX_NEW=$(cat /sys/class/net/$INTERFACE/statistics/tx_bytes)
RX_RATE=$((($RX_NEW - $RX) / 1024 / 1024))
TX_RATE=$((($TX_NEW - $TX) / 1024 / 1024))
if [ $RX_RATE -gt $THRESHOLD ] || [ $TX_RATE -gt $THRESHOLD ]; then
echo "High network usage detected: RX=${RX_RATE}MB/s TX=${TX_RATE}MB/s"
# Send alert or take action
fi
# 7. Connection State Analysis
#!/bin/bash
echo "=== Connection Analysis ==="
echo "ESTABLISHED connections:"
ss -t state established | wc -l
echo "TIME-WAIT connections:"
ss -t state time-wait | wc -l
echo "LISTENING ports:"
ss -tuln | grep LISTEN | wc -l
# 8. Route Tracing with Multiple Methods
#!/bin/bash
TARGET="google.com"
echo "Tracing route to $TARGET..."
echo "1. Standard traceroute:"
traceroute -n $TARGET
echo -e "\n2. MTR report:"
mtr -r -c 3 $TARGET
echo -e "\n3. TCP traceroute:"
traceroute -T -n $TARGET
# 9. Service Dependency Check
#!/bin/bash
SERVICES=("sshd" "nginx" "mysql" "redis")
for service in "${SERVICES[@]}"; do
if systemctl is-active --quiet $service; then
echo "✓ $service is running"
else
echo "✗ $service is NOT running"
fi
done
# 10. Network Configuration Backup
#!/bin/bash
BACKUP_DIR="/root/network_backup_$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR
ip addr show > $BACKUP_DIR/ip_addr.txt
ip route show > $BACKUP_DIR/ip_route.txt
cat /etc/resolv.conf > $BACKUP_DIR/resolv.conf
ss -tuln > $BACKUP_DIR/listening_ports.txt
echo "Network configuration backed up to $BACKUP_DIR"
# 11. Firewall Rule Testing
#!/bin/bash
PORTS=(22 80 443 8080)
REMOTE_HOST="test.example.com"
for port in "${PORTS[@]}"; do
if timeout 5 nc -zv $REMOTE_HOST $port 2>&1 | grep -q "succeeded"; then
echo "Port $port: ALLOWED through firewall"
else
echo "Port $port: BLOCKED by firewall"
fi
done
# 12. Network Interface Reset
#!/bin/bash
INTERFACE="eth0"
echo "Resetting interface $INTERFACE..."
sudo ip link set $INTERFACE down
sleep 2
sudo ip link set $INTERFACE up
sleep 5
echo "Interface reset complete"
ip addr show $INTERFACE
# 13. Continuous Network Monitoring
#!/bin/bash
echo "Starting continuous network monitor..."
while true; do
clear
echo "=== Network Status $(date) ==="
echo "Interfaces:"
ip -br addr show
echo -e "\nConnections:"
ss -t | head -10
echo -e "\nBandwidth (last 60s):"
sar -n DEV 1 1 | grep Average | grep -v lo
sleep 10
done
# 14. DNS Cache Analysis
#!/bin/bash
echo "Checking DNS cache and resolution..."
echo "Current DNS servers:"
cat /etc/resolv.conf
echo -e "\nDNS cache statistics:"
sudo systemd-resolve --statistics
echo -e "\nTesting resolution times:"
for domain in google.com github.com stackoverflow.com; do
echo -n "$domain: "
time dig $domain | grep "Query time"
done
# 15. Network Service Discovery
#!/bin/bash
NETWORK="192.168.1.0/24"
echo "Discovering devices on $NETWORK..."
nmap -sn $NETWORK
echo -e "\nScanning common services..."
nmap -sS -p 22,80,443,3306,5432 $NETWORKCommon Network Issues & Solutions
Connectivity Problems
- No Network Access: Check interface status, IP configuration, routing table
- Intermittent Connectivity: Monitor for packet loss, check cable connections
- Slow Network: Test bandwidth, check for congestion, monitor latency
- DNS Resolution Failures: Verify DNS servers, check /etc/resolv.conf, test with different DNS
Service Issues
- Service Not Accessible: Check if service is running, verify firewall rules, test port accessibility
- Connection Timeouts: Check network path, monitor for packet loss, verify service health
- Port Conflicts: Identify processes using ports, check service configurations
- SSL/TLS Issues: Verify certificates, check cipher compatibility, test with openssl
Performance Issues
- High Latency: Use traceroute/mtr to identify slow hops, check for network congestion
- Bandwidth Saturation: Monitor traffic with iftop, identify bandwidth-heavy processes
- Packet Loss: Use ping with large packets, check interface statistics, monitor network health
- Interface Errors: Check ethtool statistics, verify cable quality, inspect hardware
Advanced Diagnostic Techniques
Packet Analysis
Deep packet inspection for complex issues.
tcpdump, wireshark
Advanced Analysis:
# Capture HTTP traffic with full content
sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# Capture and analyze TLS handshake
sudo tcpdump -i eth0 -w ssl.pcap 'tcp port 443'
# Then analyze with: wireshark ssl.pcap
# Monitor for retransmissions
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'Performance Profiling
Comprehensive performance analysis.
perf, systemtap
Performance Tools:
# Network performance profiling
perf record -e skb:*
perf report
# System-wide network monitoring
sar -n DEV,EDEV,SOCK,IP 1
# TCP connection statistics
cat /proc/net/netstat
cat /proc/net/snmp
# Interface buffer analysis
ethtool -g eth0
ethtool -c eth0Security Analysis
Network security monitoring and analysis.
Security-focused tools
Security Monitoring:
# Monitor for port scanning
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0'
# Detect network anomalies
# Use tools like suricata, snort
# Monitor DNS queries for anomalies
sudo tcpdump -i eth0 -n 'port 53' | grep -v 8.8.8.8
# Check for ARP spoofing
arp -a
ip neigh show
Important Considerations:
• Always start with the simplest tests first (ping, interface status)
• Work systematically from local to remote issues
• Document all findings and changes made during troubleshooting
• Be cautious with packet capture - respect privacy and security policies
• Understand that some tools may require root privileges
• Test changes in non-production environments when possible
• Keep network documentation updated with current configurations
• Have rollback plans for any configuration changes
• Always start with the simplest tests first (ping, interface status)
• Work systematically from local to remote issues
• Document all findings and changes made during troubleshooting
• Be cautious with packet capture - respect privacy and security policies
• Understand that some tools may require root privileges
• Test changes in non-production environments when possible
• Keep network documentation updated with current configurations
• Have rollback plans for any configuration changes
Pro Tips:
• Use
• Combine tools:
• Use
• Create custom scripts for repetitive troubleshooting tasks
• Use
• Monitor baseline performance to identify anomalies quickly
• Keep a toolkit of essential troubleshooting scripts ready
• Document common issues and their solutions for future reference
• Use
ss instead of netstat for better performance• Combine tools:
watch -n 1 'ss -tuln' for real-time monitoring• Use
mtr instead of traceroute for continuous path analysis• Create custom scripts for repetitive troubleshooting tasks
• Use
tcpdump with filters to reduce noise in packet captures• Monitor baseline performance to identify anomalies quickly
• Keep a toolkit of essential troubleshooting scripts ready
• Document common issues and their solutions for future reference
Key Takeaways
Effective network troubleshooting requires a systematic approach, the right tools, and practical experience. By following the methodology of working from local to remote, using appropriate diagnostic tools for each layer, and documenting your findings, you can efficiently resolve even complex network issues. Remember that network problems often have multiple potential causes, so methodical testing and elimination are key to successful troubleshooting.
Next Step: Explore advanced network topics like network performance tuning, quality of service (QoS) configuration, network security monitoring, and automated network management with tools like Ansible.