Master Linux Network Management: From ping to tcpdump

Network troubleshooting consumes most of a sysadmin's time. This guide lists the most useful Linux commands for diagnosing connectivity, inspecting interfaces, checking routes, monitoring ports, capturing packets, testing HTTP APIs, measuring bandwidth, and configuring network devices.

1. ping – connectivity test

Send ICMP echo requests to verify reachability, latency, and packet loss. Example: ping -c 4 -W 2 8.8.8.8 Zero packet loss and ~12 ms average latency indicate a healthy link. If the gateway is reachable but the Internet is not, the problem lies beyond the gateway; the opposite suggests an internal routing or firewall issue.

2. ip addr – view interface information

The modern replacement for the deprecated ifconfig. It belongs to the iproute2 suite and shows all network interfaces. ip addr show Output lists lo (loopback), eth0 (primary NIC), docker0 (Docker bridge), IPv4 address after inet, and subnet mask as /24.

3. ip route – view routing table

Shows how packets are routed. The line containing default via defines the default gateway. An incorrect or missing default route often explains why external sites are unreachable while the internal network works.

ip route show

4. ss – list listening ports

Modern replacement for netstat, pulling data directly from the kernel netlink socket and being >10× faster under heavy connections. ss -tlnp | head -8 Options: -t (TCP only), -l (listening), -n (numeric, no DNS), -p (process name). Example output 0.0.0.0:80 means the service listens on all IPs, while 127.0.0.1:3306 restricts access to localhost.

5. netstat – classic connection view

Still useful on older systems. The -s flag shows global network statistics. netstat -antp | grep ESTABLISHED Flags: -a (all), -n (numeric), -t (TCP), -p (process). The state ESTABLISHED indicates active connections; a sudden surge may signal an attack or a leak.

6. tcpdump – packet capture

When ping, ss, and netstat give no clues, tcpdump records every packet on the selected interface for detailed inspection. tcpdump -i eth0 -nn port 80 -c 3 Options: -i (interface), -nn (no name resolution), port 80 (filter HTTP), -c (capture count). Flags [S], [S.], [.] represent SYN, SYN‑ACK, and ACK of the TCP three‑way handshake. Adding -w capture.pcap saves output for Wireshark analysis.

7. curl – HTTP request and API debugging

Common tool for testing endpoints, downloading files, or simulating various request methods.

curl -s -o /dev/null -w "%{http_code} %{time_total}s" https://www.baidu.com

Flags: -s (silent), -o /dev/null (discard body), -w (custom output). The response shows HTTP status code (e.g., 200) and total time (e.g., 0.087s). For POST JSON payloads, use

curl -X POST -H 'Content-Type: application/json' -d '{"key":"value"}' https://api.example.com

.

8. wget – command‑line downloader

Specialized for downloading large files, supporting resume, background mode, and recursive fetches.

wget -c -O nginx.tar.gz https://nginx.org/download/nginx-1.25.4.tar.gz

Options: -c (continue), -O (output name). Recursive download up to two levels: wget -r -l 2 https://example.com.

9. traceroute – route tracing

Shows each hop a packet traverses and the latency per hop, helping locate bottlenecks. traceroute -n 8.8.8.8 Option -n disables DNS lookups for speed. A line of * * * is normal for routers that drop traceroute probes. A sudden latency jump pinpoints the problematic segment.

10. dig – DNS query tool

Preferred over nslookup for comprehensive DNS information. dig +short www.baidu.com Flag +short shows only the answer. Other useful queries: dig NS baidu.com (authoritative servers), dig MX baidu.com (mail servers), dig @8.8.8.8 www.baidu.com (use a specific resolver).

11. nmap – port scanning and host discovery

Swiss‑army‑knife for network security, revealing open ports, services, and OS fingerprints. Use only on authorized hosts. nmap -sV -p 22,80,443,3306 192.168.1.100 Flags: -sV (service version detection), -p (port list). Detect firewall rules or unexpected services. OS detection: nmap -O 192.168.1.100. Full‑port scan: nmap -p- 192.168.1.100.

12. nc (netcat) – networking Swiss‑army‑knife

Supports port scanning, TCP/UDP connections, file transfer, and simple chat. nc -zv 192.168.1.100 22-80 Flags: -z (zero‑I/O scan), -v (verbose), range 22-80. Listening mode: nc -l -p 1234 on one host, then nc server_ip 1234 from another to establish a bidirectional text channel.

13. ethtool – NIC hardware query

Shows and configures NIC parameters. Useful when a 10 Gb NIC runs at 1 Gb or duplex mismatches cause packet loss. ethtool eth0 | head -10 Key fields: Speed, Duplex (should be Full), Link detected: yes. To force settings (use with caution): ethtool -s eth0 speed 10000 duplex full autoneg off. Detailed stats: ethtool -S eth0.

14. nmcli – NetworkManager CLI

Default on CentOS/RHEL 7+ and Ubuntu. Allows IP, DNS, and device state changes without editing config files. nmcli device status Change IP and gateway:

nmcli con mod eth0 ipv4.addresses 192.168.1.200/24

nmcli con mod eth0 ipv4.gateway 192.168.1.1

nmcli con up eth0

Show full connection config: nmcli con show.

15. iperf3 – bandwidth testing

Measures real throughput between two hosts, complementing ping’s latency view. iperf3 -c 192.168.1.200 -t 5 -P 4 Run iperf3 -s on the server first. -P 4 launches four parallel streams for a realistic bandwidth figure; -R tests the reverse direction. A result of 1.93 Gbits/sec indicates the link is close to saturating a 1 Gb interface.

Summary

These 15 commands cover roughly 95 % of everyday Linux network‑operations scenarios—from basic connectivity checks with ping and route tracing with traceroute, through port and service inspection with ss, netstat, nmap, and nc, to deep packet analysis with tcpdump, HTTP/API testing with curl, DNS troubleshooting with dig, and performance measurement with iperf3 and ethtool. Mastering these tools eliminates panic when network problems arise.