
Master Linux Network Commands: From netstat to ss and tcpdump

This article provides a concise yet comprehensive guide to essential Linux networking tools—including netstat, ss, sar, iftop, and tcpdump—explaining how to monitor connections, analyze traffic, troubleshoot TIME_WAIT and CLOSE_WAIT issues, and tune kernel parameters for high‑concurrency servers.

Efficient Ops

Why Linux network commands matter

Linux offers hundreds of networking utilities, but most developers only need a handful for daily troubleshooting. This guide focuses on the most commonly used commands for inspecting connections, monitoring traffic, and capturing packets.

Estimating resources for massive connections

With the rise of NIO, handling hundreds of thousands of simultaneous connections is feasible. Each connection consumes a file descriptor and roughly 15‑20 KB of socket memory, meaning one million connections can require around 20 GB of RAM and substantial bandwidth.

Viewing current system connections

Use netstat combined with awk to count TCP states (the "Foreign 1" line is the column-header row being counted, since "Foreign" is its sixth field):

# netstat -antp | awk '{a[$6]++}END{ for(x in a)print x,a[x]}'
LISTEN 41
CLOSE_WAIT 24
ESTABLISHED 150
Foreign 1
TIME_WAIT 92

For high‑connection servers, ss is faster and more lightweight:

# ss -s
Total: 191 (kernel 220)
TCP:   5056 (estab 42, closed 5000, orphaned 3, synrecv 0, timewait 5000/0), ports 3469
...
netstat belongs to the net-tools suite, while ss is part of iproute2.

Common ss usages

Basic commands for various scenarios:

Show all TCP sockets: ss -atr (resolve names) or ss -atn (numeric addresses only)
Show listening TCP sockets: ss -alt
Find the process listening on port 444: ss -ltp | grep 444
Show UDP sockets: ss -u -a
Filter by destination IP or port, e.g. ss dst 10.66.224.130:http

Recv‑Q and Send‑Q

In LISTEN state, Recv-Q is the number of completed connections waiting to be accept()ed, while Send-Q is the backlog size. In ESTAB state, Recv-Q shows bytes received but not yet read by the application, and Send-Q shows bytes sent but not yet acknowledged.

Recv-Q and Send-Q explanation
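Both checks described above, counting sockets per state (as the netstat/awk pipeline does) and reading Recv-Q/Send-Q according to the socket state, can be done programmatically from ss output. The following is an added example, not code from the article: it parses the text format of ss -tan (a constructed sample is embedded, since the page shows no full ss table), counts states, flags LISTEN sockets whose accept queue is nearly full, and lists ESTAB sockets with unread bytes. Note that ss spells the states CLOSE-WAIT and TIME-WAIT with hyphens, whereas netstat uses underscores.

```python
"""Summarise `ss -tan` output: per-state counts and queue pressure.

Added example, not from the original article.  The sample text below is
constructed to look like `ss -tan` output; it was not captured from a host.
"""
from collections import Counter

# Constructed sample.  ss spells states CLOSE-WAIT / TIME-WAIT (netstat uses
# CLOSE_WAIT / TIME_WAIT), so any counting must use the ss spelling.
SAMPLE_SS_TAN = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     120    128    0.0.0.0:80           0.0.0.0:*
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
ESTAB      0      0      10.0.0.5:80          10.66.224.130:51234
ESTAB      65536  0      10.0.0.5:80          10.66.224.131:51235
CLOSE-WAIT 0      0      10.0.0.5:443         10.66.224.132:40001
CLOSE-WAIT 0      0      10.0.0.5:443         10.66.224.133:40002
TIME-WAIT  0      0      10.0.0.5:80          10.66.224.134:50001
"""


def parse_ss(text):
    """Return a list of (state, recv_q, send_q, local, peer) tuples.

    The first line of ss output is the column header and is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, recv_q, send_q, local, peer = parts[:5]
        rows.append((state, int(recv_q), int(send_q), local, peer))
    return rows


def state_counts(rows):
    """Equivalent of the netstat | awk '{a[$6]++}' pipeline, for ss rows."""
    return Counter(state for state, *_ in rows)


def listen_queue_pressure(rows, threshold=0.8):
    """LISTEN sockets whose accept queue is at least `threshold` full.

    In LISTEN state Recv-Q is the number of completed connections waiting
    for accept() and Send-Q is the backlog the listener asked for."""
    return [
        (local, recv_q, send_q)
        for state, recv_q, send_q, local, _peer in rows
        if state == "LISTEN" and send_q > 0 and recv_q / send_q >= threshold
    ]


def unread_data(rows, min_bytes=1):
    """ESTAB sockets whose Recv-Q (bytes not yet read by the application)
    is at least `min_bytes`: a sign the application is not keeping up."""
    return [
        (local, peer, recv_q)
        for state, recv_q, _send_q, local, peer in rows
        if state == "ESTAB" and recv_q >= min_bytes
    ]


def report(text):
    """One-shot summary; returns the pieces so they can be checked."""
    rows = parse_ss(text)
    return {
        "states": dict(state_counts(rows)),
        "full_listen_queues": listen_queue_pressure(rows),
        "unread": unread_data(rows),
    }


if __name__ == "__main__":
    import subprocess
    try:  # on a Linux host, summarise the live socket table instead
        text = subprocess.run(["ss", "-tan"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS_TAN
    for key, value in report(text).items():
        print(key, value)
```

A growing CLOSE-WAIT count in the "states" entry is the same leak signal the article discusses later under CLOSE_WAIT; a LISTEN socket in "full_listen_queues" means new connections are about to be dropped before the application ever sees them.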

Monitoring network traffic

Tools like sar can display per-interface traffic every second:

sar -n DEV 1

To identify the IP consuming the most bandwidth, iftop provides a real-time view.

iftop traffic view
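sar -n DEV reads the per-interface byte counters in /proc/net/dev and reports the difference between two samples. The following added example (not code from the article or from sysstat) does the same computation directly: it parses two snapshots of /proc/net/dev, handles a counter wrap, and reports rx/tx kB/s per interface. The two snapshots are constructed, one second apart; the sample_live() helper is an assumption for running it on a real Linux host.

```python
"""Per-interface throughput from two /proc/net/dev snapshots.

Added example, not from the original article.  `sar -n DEV 1` reports the
same quantity (rxkB/s, txkB/s per interface); this reads the raw counters
instead.  The two snapshots below are constructed, one second apart.
"""
import time

SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1000000    1000    0    0    0     0          0         0  1000000    1000    0    0    0     0       0          0
  eth0: 50000000   40000    0    0    0     0          0         0 12000000   30000    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1000000    1000    0    0    0     0          0         0  1000000    1000    0    0    0     0       0          0
  eth0: 60485760   47000    0    0    0     0          0         0 13048576   31000    0    0    0     0       0          0
"""

COUNTER_BITS = 64  # /proc/net/dev counters are 64-bit on current kernels


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)}.

    The two header lines are skipped; the interface name is followed by ':'
    and may or may not have whitespace after it."""
    stats = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        # receive block is 8 fields, so transmit bytes is field index 8
        stats[name.strip()] = (int(fields[0]), int(fields[8]))
    return stats


def _delta(new, old):
    """Counter difference, tolerating a single wrap-around."""
    d = new - old
    return d if d >= 0 else d + (1 << COUNTER_BITS)


def rates_kbps(before, after, interval_s):
    """{interface: (rx kB/s, tx kB/s)} using 1024-byte kilobytes."""
    out = {}
    for iface, (rx1, tx1) in after.items():
        if iface not in before:
            continue  # interface appeared between samples; no rate yet
        rx0, tx0 = before[iface]
        out[iface] = (
            round(_delta(rx1, rx0) / interval_s / 1024, 2),
            round(_delta(tx1, tx0) / interval_s / 1024, 2),
        )
    return out


def busiest_interface(rates):
    """Interface with the highest combined rx+tx rate: the one to look at first."""
    return max(rates, key=lambda iface: sum(rates[iface]))


def sample_live(interval_s=1.0):
    """Read /proc/net/dev twice (Linux only) and return the rates."""
    with open("/proc/net/dev") as f:
        before = parse_proc_net_dev(f.read())
    time.sleep(interval_s)
    with open("/proc/net/dev") as f:
        after = parse_proc_net_dev(f.read())
    return rates_kbps(before, after, interval_s)


if __name__ == "__main__":
    rates = rates_kbps(parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T1), 1.0)
    for iface, (rx, tx) in sorted(rates.items()):
        print(f"{iface:8s} rx {rx:10.2f} kB/s  tx {tx:10.2f} kB/s")
    print("busiest:", busiest_interface(rates))
```

This answers "which interface is busy"; attributing the bandwidth to a peer IP, as iftop does, needs per-flow accounting from packet capture rather than the interface counters.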

Packet capture with tcpdump

Capture packets for debugging or analysis, then open the pcap file with Wireshark:

tcpdump -i eth0 -nn -s0 -v port 80

Common options:
-i: specify interface
-n: don't resolve hostnames
-nn: don't resolve ports either
-s 0: unlimited snap length
-v, -vv, -vvv: increase verbosity

Examples:

# ASCII output
tcpdump -A -s0 port 80
# Capture packets from a specific host
tcpdump -i eth0 host 10.10.1.1
# Write to file
tcpdump -i eth0 -s0 -w test.pcap
# Filter HTTP GET/POST (non‑HTTPS)
tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"
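The file that tcpdump -w produces has a simple layout (a 24-byte global header, then a 16-byte record header per packet followed by the raw frame), so it can be read without Wireshark. The following added example, not code from the article or from tcpdump, builds a two-packet capture in memory (Ethernet/IPv4/TCP with zero checksums, constructed purely for illustration), decodes it, and applies the equivalents of the port 80 filter and the GET/POST/Host: grep shown above. The endpoint 10.10.1.1 is the one used in the tcpdump examples; the other addresses, ports and the example.test host name are assumptions.

```python
"""Read a pcap file as written by `tcpdump -w` and list its TCP packets.

Added example, not from the original article.  A two-packet capture is
constructed in memory (Ethernet/IPv4/TCP, checksums left at zero) so the
code runs offline; the filters mirror the tcpdump examples above.
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # value read as little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic when the file was written big-endian
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def build_frame(src_ip, sport, dst_ip, dport, payload, flags=0x18):
    """Construct one Ethernet/IPv4/TCP frame (flags 0x18 = PSH+ACK)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames, first_ts=1_700_000_000):
    """Wrap frames in a little-endian classic pcap, the layout `tcpdump -w` writes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_tcp(frame):
    """Decode Ethernet -> IPv4 -> TCP into a dict; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                      # not IPv4, or IP protocol is not TCP (6)
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]  # bounded by the IP length, not frame padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(frame[26:30]), "sport": sport,
        "dst": socket.inet_ntoa(frame[30:34]), "dport": dport,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if tcp[13] & (1 << i)],
        "payload": tcp[data_off:],
    }


def read_pcap(data):
    """Yield decoded TCP packets, each with a float `ts`, from pcap bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = parse_tcp(frame)
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            yield pkt


def matches_port(pkt, port):
    """Same selection as the BPF filter `port N`: either endpoint matches."""
    return port in (pkt["sport"], pkt["dport"])


def http_request_lines(pkt):
    """Lines that `egrep -i "POST /|GET /|Host:"` would pick out of the payload."""
    lines = pkt["payload"].decode("latin-1").split("\r\n")
    return [ln for ln in lines if ln.upper().startswith(("GET /", "POST /", "HOST:"))]


def constructed_capture():
    """An HTTP request to port 80 plus the start of a TLS record to port 443."""
    return build_pcap([
        build_frame("10.10.1.1", 51234, "10.10.1.2", 80,
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame("10.10.1.1", 51235, "10.10.1.3", 443, b"\x16\x03\x01\x00\x05"),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_capture()
    for pkt in read_pcap(data):             # like `tcpdump -r file port 80`
        if matches_port(pkt, 80):
            print(pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"],
                  pkt["flags"], http_request_lines(pkt))
```

Run with a path argument to read a real capture taken with tcpdump -w (classic pcap only; tcpdump writes pcapng if asked, which this reader rejects rather than misparsing). Trimming the TCP segment by the IP total length rather than the frame length matters because short frames are padded to the Ethernet minimum, and the padding would otherwise show up as payload.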

HTTP‑level capture tools

Popular proxy‑style sniffers include Burp Suite (cross‑platform), Fiddler2 (Windows), and Charles (macOS).

Handling excessive connections

TIME_WAIT and CLOSE_WAIT dominate high‑connection issues. TIME_WAIT can be mitigated by tuning kernel parameters; CLOSE_WAIT usually indicates improper socket handling in application code.

TIME_WAIT tuning

# Increase bucket limit
net.ipv4.tcp_max_tw_buckets = 50000
# Enable fast reuse
net.ipv4.tcp_tw_reuse = 1
# Fast recycle: removed in Linux 4.12, and on older kernels it drops SYNs from clients behind NAT; listed for completeness only
net.ipv4.tcp_tw_recycle = 1
# Reduce FIN timeout
net.ipv4.tcp_fin_timeout = 10

Apply changes with sysctl -w or persist in /etc/sysctl.conf and reload via sysctl -p.
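Because one of the four keys no longer exists on current kernels, applying the block blindly with sysctl -p fails part-way. The following added example (not code from the article) turns the settings above into a plan: it reads each key under /proc/sys, emits sysctl -w lines only for keys that exist and differ, and refuses tcp_tw_recycle with the reason. The values are the article's; the proc_root parameter and the demo_plan() helper, which builds a constructed /proc/sys tree in a temporary directory, are assumptions added so the logic can be exercised off a Linux host.

```python
"""Plan the TIME_WAIT sysctl changes, skipping keys this kernel does not expose.

Added example, not from the original article.  Values are the article's;
`proc_root` defaults to /proc/sys, and `demo_plan()` builds a constructed
fake tree so the logic can be exercised off a Linux host.
"""
import os
import tempfile

# The article's settings.  tcp_tw_recycle was removed in Linux 4.12 and,
# where it still exists, drops SYNs from some clients behind NAT, so the
# planner refuses to apply it and reports why.
TIME_WAIT_SETTINGS = {
    "net.ipv4.tcp_max_tw_buckets": "50000",
    "net.ipv4.tcp_tw_reuse": "1",
    "net.ipv4.tcp_tw_recycle": "1",
    "net.ipv4.tcp_fin_timeout": "10",
}
REFUSED = {
    "net.ipv4.tcp_tw_recycle": "removed in Linux 4.12; breaks NAT clients where present",
}


def key_path(key, proc_root="/proc/sys"):
    """net.ipv4.tcp_fin_timeout -> <proc_root>/net/ipv4/tcp_fin_timeout"""
    return os.path.join(proc_root, *key.split("."))


def current_value(key, proc_root="/proc/sys"):
    """Current value as a string, or None if the kernel has no such key."""
    try:
        with open(key_path(key, proc_root)) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None


def plan_sysctl(settings, proc_root="/proc/sys"):
    """Return (commands, skipped).

    commands: `sysctl -w key=value` lines for keys that exist and differ.
    skipped:  (key, reason) pairs for everything else."""
    commands, skipped = [], []
    for key, wanted in settings.items():
        current = current_value(key, proc_root)
        if key in REFUSED:
            skipped.append((key, REFUSED[key]))
        elif current is None:
            skipped.append((key, "not exposed by this kernel"))
        elif current == wanted:
            skipped.append((key, f"already {wanted}"))
        else:
            commands.append(f"sysctl -w {key}={wanted}")
    return commands, skipped


def demo_plan():
    """Run the planner against a constructed /proc/sys tree: tcp_tw_reuse is
    already on, the other two keys hold typical values, and tcp_tw_recycle
    does not exist (as on any kernel from 4.12 onwards)."""
    fake = {"tcp_max_tw_buckets": "262144", "tcp_tw_reuse": "1", "tcp_fin_timeout": "60"}
    with tempfile.TemporaryDirectory() as root:
        ipv4 = os.path.join(root, "net", "ipv4")
        os.makedirs(ipv4)
        for name, value in fake.items():
            with open(os.path.join(ipv4, name), "w") as f:
                f.write(value + "\n")
        return plan_sysctl(TIME_WAIT_SETTINGS, proc_root=root)


if __name__ == "__main__":
    live = os.path.isdir("/proc/sys/net/ipv4")
    commands, skipped = plan_sysctl(TIME_WAIT_SETTINGS) if live else demo_plan()
    print("\n".join(commands))
    for key, reason in skipped:
        print(f"# skipped {key}: {reason}")
```

The printed sysctl -w lines can be reviewed and then run (or copied into /etc/sysctl.conf) with the confidence that every key in them exists on the host.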

CLOSE_WAIT example

A typical bug occurs when an HTTP client discards the response stream on non‑200 status without closing it, leading to connection leaks. Use the client’s abort() method or proper close() handling.

Other useful commands

File download: wget -c $url, wget -r -p -np -k $url
HTTP request: curl -XGET $url
File transfer: scp, sftp
Backup: rsync
Connectivity: ping, tracepath
DNS lookup: dig, nslookup
Port scanning: nmap
Load testing: iperf, wrk, ab
Network interface control: ifdown, ifup, ethtool
Firewall: iptables -L

Conclusion

Most of the commands discussed are not installed by default on minimal Linux distributions; install them via yum or your package manager. For deeper networking knowledge, read “TCP/IP Illustrated, Volume 1” and build a few Netty applications to solidify concepts.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
