Linux Networking Commands: Essential Reference Guide

Why You Need More Than ping

Most developers know ping and curl. But diagnosing real network problems requires a deeper toolkit. Is a port open? Which process is listening on it? Is a DNS record returning the wrong value? Is a firewall silently dropping packets? Each of these questions requires a different command. This guide is organized by the problem you are trying to solve.

Connectivity Testing: ping and traceroute

ping tests basic ICMP reachability and measures round-trip time. It is your first check when a host seems unreachable:

# Basic ping
ping google.com

# Ping with count (stop after 5 packets)
ping -c 5 google.com

# Ping with interval and packet size
ping -i 0.5 -s 1400 google.com

# Ping an IPv6 address
ping6 2001:4860:4860::8888

traceroute (or tracepath) shows the path packets take through the network, revealing where delays or drops occur:

# Trace route to a host
traceroute google.com

# Use ICMP instead of UDP probes (bypasses some firewalls)
traceroute -I google.com

# Trace without DNS lookups (faster)
traceroute -n google.com

# MTR - combines ping and traceroute, updates in real time
mtr google.com
mtr --report --report-cycles 10 google.com

DNS Resolution: dig and nslookup

dig is the standard tool for querying DNS records. It is far more informative than nslookup and essential for debugging email delivery, domain routing, and SSL certificate issues.

# Basic A record lookup
dig example.com

# Query a specific record type
dig example.com MX
dig example.com TXT
dig example.com NS
dig example.com AAAA

# Query a specific DNS server
dig @8.8.8.8 example.com

# Short output (answer only)
dig +short example.com

# Reverse DNS lookup (PTR record)
dig -x 8.8.8.8

# Check propagation - query authoritative nameserver directly
dig @ns1.example.com example.com

# Trace the full resolution path
dig +trace example.com

nslookup is simpler and available on most systems including Windows:

nslookup example.com
nslookup example.com 8.8.8.8   # Use Google DNS
nslookup -type=MX example.com

Port and Socket Inspection: ss and netstat

ss is the modern replacement for netstat. It queries the kernel directly and is significantly faster on systems with many connections.

# Show all listening TCP sockets
ss -tlnp

# Show all listening UDP sockets
ss -ulnp

# Show all established connections
ss -tnp state established

# Show connections to a specific port
ss -tnp sport = :443

# Show connections from a specific IP
ss -tnp dst 192.168.1.100

# Show socket statistics summary
ss -s

# Legacy equivalent using netstat
netstat -tlnp     # TCP listening sockets with process names
netstat -an       # All connections
netstat -rn       # Routing table

The flags -t (TCP), -l (listening), -n (numeric, no DNS), and -p (show process) form the most common combination. On modern Ubuntu/Debian, netstat may not be installed by default - install with apt install net-tools.

HTTP Testing: curl

curl is indispensable for testing APIs, checking HTTP headers, and diagnosing web server issues.

# Basic GET request
curl https://example.com

# Show response headers only
curl -I https://example.com

# Show both request and response headers (verbose)
curl -v https://example.com

# Follow redirects
curl -L https://example.com

# POST with JSON body
curl -X POST https://api.example.com/data \
  -H "Content-Type: application/json" \
  -d '{"key": "value"}'

# Set a custom Host header (test origin without DNS)
curl -sk -H "Host: example.com" https://93.184.216.34/

# Show only the HTTP status code
curl -o /dev/null -s -w "%{http_code}" https://example.com

# Measure response time breakdown
curl -w "DNS: %{time_namelookup}s | Connect: %{time_connect}s | TTFB: %{time_starttransfer}s | Total: %{time_total}s\n" \
  -o /dev/null -s https://example.com

# Download a file with progress
curl -O https://example.com/file.tar.gz

# Resume a download
curl -C - -O https://example.com/largefile.iso

Network Interfaces: ip Command

The ip command replaced ifconfig on modern Linux systems and provides a unified interface for managing network interfaces, routes, and ARP tables.

# Show all network interfaces
ip addr show
ip a          # shorthand

# Show specific interface
ip addr show eth0

# Show routing table
ip route show
ip r          # shorthand

# Add a temporary IP address
sudo ip addr add 192.168.1.100/24 dev eth0

# Bring an interface up or down
sudo ip link set eth0 up
sudo ip link set eth0 down

# Add a static route
sudo ip route add 10.0.0.0/8 via 192.168.1.1

# Show ARP/neighbour table
ip neigh show

# Show network statistics
ip -s link show eth0

Packet Capture: tcpdump

tcpdump captures live network traffic at the packet level. It is the definitive tool for diagnosing TLS handshake failures, unexpected resets, and protocol-level issues.

# Capture all traffic on eth0
sudo tcpdump -i eth0

# Capture HTTP traffic (port 80)
sudo tcpdump -i eth0 port 80

# Capture traffic to/from a specific host
sudo tcpdump -i eth0 host 93.184.216.34

# Capture HTTPS traffic (shows headers only, content is encrypted)
sudo tcpdump -i eth0 port 443 -n

# Save capture to file for analysis in Wireshark
sudo tcpdump -i eth0 -w /tmp/capture.pcap

# Read a saved capture file
tcpdump -r /tmp/capture.pcap

# Show packet contents in ASCII
sudo tcpdump -i eth0 -A port 80

# Capture DNS queries
sudo tcpdump -i eth0 port 53

Firewall Rules: iptables

Understanding iptables is essential for diagnosing why connections are being silently dropped.

# List all rules with line numbers
sudo iptables -L -n -v --line-numbers

# List NAT table rules
sudo iptables -t nat -L -n -v

# Check if a port is blocked (test from the server itself)
sudo iptables -C INPUT -p tcp --dport 8080 -j ACCEPT

# Temporarily allow a port
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

# Count packets hitting each rule (useful for identifying which rule is blocking)
sudo iptables -L INPUT -n -v

# Save rules (Ubuntu/Debian)
sudo iptables-save > /etc/iptables/rules.v4

# Restore rules
sudo iptables-restore < /etc/iptables/rules.v4

Netcat: The Network Swiss Army Knife

nc (netcat) can test port connectivity, transfer files, and create simple TCP/UDP servers - all without installing anything:

# Test if a port is open
nc -zv example.com 443
nc -zv example.com 22

# Test a range of ports
nc -zv example.com 80-443

# Simple TCP server on port 8080 (for testing)
nc -l 8080

# Transfer a file (server side)
nc -l 9999 > received_file.txt

# Transfer a file (client side)
nc server-ip 9999 < file_to_send.txt

# UDP port test
nc -zu example.com 53

Step-by-Step: Diagnosing a "Connection Refused" Error

When you see Connection refused, follow this sequence:

1. Confirm the host is reachable: ping -c 4 hostname - if this fails, it's a routing or firewall issue at the ICMP level.
2. Check if the port is open: nc -zv hostname 8080 - "Connection refused" means the host is reachable but nothing is listening on that port.
3. Verify the service is running: ss -tlnp | grep 8080 - if the port is not listed, the process is not running or is listening on a different port.
4. Check for firewall blocks: sudo iptables -L INPUT -n -v - look for DROP or REJECT rules matching your source IP or destination port.
5. Check if the service is bound to the right interface: A service bound to 127.0.0.1:8080 will refuse connections from outside. Look for the local address in ss -tlnp output.
6. Check the service logs: If everything looks correct but connections still fail, the application may be crashing on accept. Check journalctl -u servicename -f.

Frequently Asked Questions

What is the difference between ss and netstat?

Both show socket and connection information, but ss is faster, more feature-rich, and is the modern replacement. ss queries the kernel's netlink interface directly, while netstat reads from /proc/net/. On systems with thousands of connections, ss can be 10x faster. netstat is part of net-tools, which is no longer maintained but still widely available.

How do I find which process is using a specific port?

Use ss -tlnp sport = :PORT or ss -tlnp | grep :PORT. The -p flag shows the process name and PID. You may need sudo to see processes owned by other users. Alternatively: sudo lsof -i :PORT or sudo fuser PORT/tcp.

Why does dig return different results than nslookup?

They use different DNS resolution paths. dig bypasses the system resolver and queries DNS directly using the server specified (defaulting to /etc/resolv.conf nameservers). nslookup may use the system stub resolver or NSS (Name Service Switch), which can include /etc/hosts lookups and split-horizon DNS. If results differ, it usually means your system resolver has different settings than direct DNS - check /etc/resolv.conf and /etc/nsswitch.conf.

How do I test SSL/TLS connectivity from the command line?

Use openssl s_client: openssl s_client -connect example.com:443. This shows the full TLS handshake, certificate chain, and cipher suite. Add -servername example.com for SNI. To check certificate expiry: echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates. Or use our free SSL Checker tool.

What is the fastest way to check DNS propagation?

Query multiple DNS servers directly with dig: dig @8.8.8.8 example.com (Google), dig @1.1.1.1 example.com (Cloudflare), dig @9.9.9.9 example.com (Quad9). If these return different results, the record is still propagating. For a global view, use our DNS Lookup tool which queries multiple resolvers simultaneously.

Use our free tool here → DNS Lookup to query any domain's DNS records from your browser without running terminal commands.