Operations 10 min read

Master Linux Network Commands: From netstat to ss and tcpdump

This guide offers a practical overview of essential Linux networking tools—including netstat, ss, sar, iftop, and tcpdump—explaining how to monitor connections, analyze traffic, capture packets, and tune kernel parameters to handle massive connection loads efficiently.


The article provides a concise overview of commonly used Linux network commands for system administrators and developers, focusing on practical usage rather than exhaustive listings.

Calculating resources for 1 million connections

Each connection consumes a file descriptor and about 15‑20 KB of socket memory, so 1 M connections would require roughly 20 GB of RAM and significant bandwidth.

Viewing current connections

Use netstat combined with awk to count connections by state, but on high‑traffic servers ss is faster.

# netstat -antp | awk '/^tcp/ {a[$6]++} END{for (x in a) print x, a[x]}'
# ss -s

ss command basics

Common ss options:

ss -atr – show listening TCP sockets
ss -atn – show only IP addresses
ss -alt – list all sockets
ss -ltp | grep 444 – find the process listening on port 444
ss -u -a – display all UDP sockets

Recv‑Q and Send‑Q

In LISTEN state, Recv‑Q is the number of completed connections waiting in the accept queue, and Send‑Q is the backlog limit of that queue. In ESTAB state, Recv‑Q is the amount of data received but not yet read by the application, and Send‑Q is the amount of data sent but not yet acknowledged by the peer.

Monitoring network traffic

Tools such as sar -n DEV 1 or watch cat /proc/net/dev provide per‑second bandwidth statistics. iftop helps identify the IP addresses consuming the most traffic.

Packet capture with tcpdump

Use tcpdump to capture packets for debugging, optionally adding -A for ASCII output or -X for hex. Examples:

tcpdump -i eth0 -nn -s0 -v port 80
tcpdump -i eth0 host 10.10.1.1
tcpdump -i eth0 -s0 -w test.pcap

HTTP traffic capture tools

Burp Suite, Fiddler2, and Charles act as proxies to intercept, modify, and replay HTTP traffic.

Traffic replication

Tools like Gor, TCPReplay, and TCPCopy can duplicate production HTTP traffic to staging environments.

Handling excessive connections

TIME_WAIT and CLOSE_WAIT are the most common problematic states. TIME_WAIT can be reduced by tuning kernel parameters (e.g., net.ipv4.tcp_max_tw_buckets, net.ipv4.tcp_tw_reuse, net.ipv4.tcp_fin_timeout). CLOSE_WAIT usually indicates improper socket handling in application code.
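The following script is an added example, not part of the original article: it turns the state-counting pipeline from "Viewing current connections" into checks for the two symptoms described here and under "Recv‑Q and Send‑Q": listen queues running close to their backlog limit, and pile-ups of TIME-WAIT or CLOSE-WAIT sockets. It runs against a constructed sample of ss -tan output so it works offline; the threshold of 90 percent and the sample addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Summarise `ss -tan` output
# by TCP state and flag listen queues near their backlog limit.
# Note: ss spells states TIME-WAIT / CLOSE-WAIT, netstat TIME_WAIT / CLOSE_WAIT.

# Constructed sample of `ss -tan` output so the script runs offline.
# On a live host use: SS_OUTPUT="$(ss -tan)"
SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     120    128    0.0.0.0:80          0.0.0.0:*
LISTEN     0      128    0.0.0.0:22          0.0.0.0:*
ESTAB      0      0      10.0.0.5:80         10.0.0.9:51234
ESTAB      0      0      10.0.0.5:80         10.0.0.9:51235
TIME-WAIT  0      0      10.0.0.5:80         10.0.0.9:51200
TIME-WAIT  0      0      10.0.0.5:80         10.0.0.9:51201
TIME-WAIT  0      0      10.0.0.5:80         10.0.0.9:51202
CLOSE-WAIT 1      0      10.0.0.5:80         10.0.0.9:51100'

# Count sockets per state, skipping the header line. Prints "STATE COUNT", sorted.
count_states() {
  printf '%s\n' "$1" | awk 'NR > 1 { n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Listen sockets whose accept queue (Recv-Q) is at or above the given percentage
# (default 90) of the backlog limit (Send-Q). Prints "ADDR RECVQ/SENDQ" per hit.
full_listen_queues() {
  printf '%s\n' "$1" | awk -v pct="${2:-90}" '
    $1 == "LISTEN" && $3 > 0 && ($2 * 100 / $3) >= pct { print $4, $2 "/" $3 }'
}

# Number of sockets in one state, e.g. TIME-WAIT or CLOSE-WAIT. Prints 0 if none.
state_count() {
  printf '%s\n' "$1" | awk -v st="$2" 'NR > 1 && $1 == st { c++ } END { print c + 0 }'
}

count_states "$SS_OUTPUT"
full_listen_queues "$SS_OUTPUT" 90
echo "TIME-WAIT sockets: $(state_count "$SS_OUTPUT" TIME-WAIT)"
echo "CLOSE-WAIT sockets: $(state_count "$SS_OUTPUT" CLOSE-WAIT)"
```

A growing CLOSE-WAIT count points at the application side (sockets never closed after the peer's FIN), while a listen queue near its limit means the kernel will start dropping SYNs before the application can accept.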

Other useful commands

File download: wget -c; site mirroring: wget -r -p -np -k
Network testing: ping, tracepath, dig, nmap, iperf
Interface control: ifdown, ifup, ethtool
Load testing: wrk, ab
Remote access: ssh, telnet
Firewall: iptables -L

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
