ops@toolbox:~$ man network-debug

Network Troubleshooting Reference

Copy-ready one-liners for the commands network admins reach for every day, with a note on what each flag actually does.

๐Ÿ”” ping, test reachability & measure latency

ping -c 4 8.8.8.8 4 packets to Google DNS, basic connectivity check
ping -c 10 -i 0.2 -s 1400 TARGET Fast ping with 1400-byte packets, tests MTU path
ping -D -O TARGET Print timestamps, show missed replies, useful for intermittent drops
ping -4 -c 4 TARGET # force IPv4 Force IPv4 even if the host has AAAA records

๐Ÿ—บ traceroute / tracepath, trace the network path

traceroute -n 8.8.8.8 No DNS lookup (-n), faster, shows raw IPs per hop
traceroute -T -p 443 TARGET TCP SYN traceroute on port 443, bypasses ICMP blocks
tracepath -n TARGET Discover MTU along path (no root required)
mtr --report --report-cycles 20 -n TARGET mtr: live ping+traceroute combo, 20 cycles report mode

๐Ÿ”Œ ss / netstat, inspect sockets and listening ports

ss -tlnp TCP (-t), listening (-l), numeric (-n), show process (-p)
ss -ulnp Same but UDP, find listening UDP services
ss -tnp state established Show all active established TCP connections with processes
ss -tnp dst :443 All TCP connections to destination port 443
ss -s Socket summary, count by state (SYN_WAIT, ESTABLISHED, etc.)
netstat -tulnp Classic netstat (deprecated but still common on older systems)

๐ŸŒ ip, routes, interfaces, ARP, neighbours

ip addr show Show all interface addresses (replaces ifconfig)
ip route show Show routing table, find which interface a packet would use
ip route get 8.8.8.8 Which interface and gateway would be used to reach 8.8.8.8?
ip neigh show ARP/NDP table, see MAC addresses of local hosts
ip -s link show eth0 Interface stats: TX/RX packets, errors, drops for eth0

๐Ÿ”Ž dig: DNS lookups and debugging

dig example.com A +short Quick A record lookup, just the IP(s)
dig example.com ANY +noall +answer All record types, clean output
dig @8.8.8.8 example.com MX MX lookup using Google DNS, bypass local resolver
dig -x 1.2.3.4 +short Reverse DNS (PTR) lookup for an IP address
dig example.com NS +trace Trace delegation from root, debug propagation issues

๐Ÿ” nmap, port scanning and host discovery

nmap -sV -p 22,80,443 TARGET Version detection on common ports, what's listening and what version?
nmap -sn 192.168.1.0/24 Ping sweep, discover live hosts on a subnet (no port scan)
nmap -p- --open TARGET Scan all 65535 ports, show only open ones
nmap -sU -p 53,161,514 TARGET UDP scan on DNS, SNMP, syslog ports
nmap --script ssl-cert -p 443 TARGET Fetch and display the TLS certificate from a host

๐ŸŒ curl: HTTP debugging and testing

curl -sI https://example.com HEAD request, show response headers only, silent mode
curl -sv https://example.com 2>&1 | grep -E "^[*<>]" Verbose TLS handshake + request/response headers
curl -o /dev/null -w "%{http_code} %{time_total}s\n" https://example.com HTTP status code and total request time, good for health checks
curl --resolve example.com:443:1.2.3.4 https://example.com Force the IP, test a new server before DNS cutover

๐Ÿ“ฆ tcpdump, packet capture

tcpdump -i eth0 -nn port 80 Capture HTTP on eth0, no name resolution (-nn)
tcpdump -i any -nn host 10.0.0.1 All traffic to/from a specific host, any interface
tcpdump -i eth0 -w /tmp/capture.pcap -c 500 Write first 500 packets to a file for Wireshark analysis
tcpdump -i eth0 -nn 'tcp[tcpflags] & tcp-syn != 0' Only SYN packets, see new connection attempts

๐Ÿ”— nc (netcat), quick port connectivity tests

nc -zv TARGET 443 Test if TCP port 443 is open and reachable (no data sent)
nc -zu TARGET 53 Test UDP port 53 (DNS), note UDP tests are less reliable
nc -l 12345 Listen on port 12345, receive data from nc on another host

First principles of network debugging

Work the OSI model from the bottom up. Is the cable plugged in? Does the interface have an IP? Can you reach the default gateway? Can you reach the DNS server? Can you resolve a name? Can you reach the service's port? Each layer eliminates a class of problems and points you to the next one. ip route get is often the fastest way to confirm Layer 3 is working as expected.

When traceroute lies

Many service providers and cloud routers silently drop or rate-limit ICMP TTL-exceeded messages, so gaps and asterisks in a traceroute don't necessarily mean a broken hop, the hop may be forwarding traffic just fine. Use traceroute -T -p 443 (TCP mode) to probe paths that block ICMP, and use mtr for continuous monitoring across all hops at once.

Related tools

Subnet Calculator
IPv4 CIDR calculator with subnet split, find-prefix, and visual bar.
Common Ports Reference
Searchable table of the network ports sysadmins actually meet.
Firewall Rule Builder
Build iptables, nftables and ufw rules with a GUI.