Network Troubleshooting Tools

When packets are not flowing the way you expect, Linux offers a deep toolkit for diagnosing the problem. This guide covers the essential utilities: tcpdump for packet capture, ss for socket inspection, ping and traceroute/mtr for reachability testing, nmap for port scanning, and arp/ip neigh and ethtool for link-layer diagnostics.

tcpdump

tcpdump captures packets directly from a network interface. It is the single most useful tool for understanding what is actually happening on the wire.

# Capture on eth0, no DNS or port-name resolution
tcpdump -i eth0 -nn

# Limit to 100 packets
tcpdump -i eth0 -nn -c 100

# Write to a pcap file for later analysis in Wireshark
tcpdump -i eth0 -nn -w /tmp/capture.pcap

# Read back a pcap file
tcpdump -nn -r /tmp/capture.pcap

Filters

tcpdump uses BPF (Berkeley Packet Filter) expressions to narrow the capture:

# Only traffic to or from a specific host
tcpdump -i eth0 -nn host 10.0.0.5

# Only TCP traffic on port 443
tcpdump -i eth0 -nn tcp port 443

# Traffic from a subnet to a specific port
tcpdump -i eth0 -nn src net 192.168.1.0/24 and dst port 80

# DNS queries (UDP port 53)
tcpdump -i eth0 -nn udp port 53

# ICMP only
tcpdump -i eth0 -nn icmp

# Combine filters with and / or / not
tcpdump -i eth0 -nn 'host 10.0.0.5 and (port 80 or port 443)'

# Show packet contents in hex and ASCII
tcpdump -i eth0 -nn -X -c 10 port 80

ss (socket statistics)

ss is the iproute2 replacement for netstat and is considerably faster on busy machines. Use it to discover which processes are listening and which connections are active.

# Show all TCP listening sockets with process info
ss -tlnp

# Show all UDP listening sockets
ss -ulnp

# Show all established TCP connections
ss -tnp

# Combined: all listening TCP and UDP sockets
ss -tulnp

# Filter by port
ss -tlnp 'sport = :443'

# Filter by state
ss -tn state established

# Show detailed socket memory info
ss -tmni
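An added example, not from the original guide: the shell function below reads `ss -tulnp` output and prints only the sockets bound to every interface (0.0.0.0, [::] or *), the ones reachable from the network and so the first to compare against the firewall rules. It assumes the column layout ss prints for that flag combination (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process); the sample output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# exposed_listeners: read `ss -tulnp` output on stdin and print
# "proto port process" for every socket bound to all interfaces.
# Assumes ss's column layout: Netid State Recv-Q Send-Q Local:Port Peer:Port Process.
exposed_listeners() {
    awk 'NR > 1 {
        for (i = 1; i <= NF; i++) {
            # wildcard binds look like 0.0.0.0:PORT, [::]:PORT or *:PORT
            if ($i ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/) {
                n = split($i, a, ":"); port = a[n]
                proc = "-"
                # the process name sits inside users:(("name",pid=...,fd=...))
                if (match($0, /users:\(\("[^"]+"/))
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                print $1, port, proc
            }
        }
    }'
}

# Constructed sample of `ss -tulnp` output; the loopback-only redis must not be listed.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*     users:(("redis-server",pid=901,fd=6))
tcp   LISTEN 0      4096   [::]:443           [::]:*        users:(("nginx",pid=1040,fd=8))
udp   UNCONN 0      0      *:5353             *:*           users:(("avahi-daemon",pid=640,fd=12))'

# Live use: ss -tulnp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```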

ping

The simplest reachability test. It sends ICMP Echo Request packets and reports round-trip times.

# Send 4 pings
ping -c 4 8.8.8.8

# Set the packet size (useful for MTU testing)
ping -c 4 -s 1472 -M do 10.0.0.1    # 1472 data + 8 ICMP + 20 IPv4 header = 1500; -M do sets DF, so an oversized probe fails instead of fragmenting

# Ping with a short interval (flood-style, needs root)
ping -c 100 -i 0.01 10.0.0.1

# IPv6 ping
ping6 -c 4 ::1

If ping fails, check: Is the interface up? Is there a default route? Is a firewall dropping ICMP?

traceroute, tracepath, and mtr

These tools show the path packets take to reach a destination.

# Classic traceroute (uses UDP by default)
traceroute -n 8.8.8.8

# TCP SYN traceroute to port 443 (gets through firewalls that drop the default UDP probes but allow HTTPS)
traceroute -T -p 443 8.8.8.8

# tracepath -- no root required, also discovers MTU
tracepath 8.8.8.8

# mtr -- combines ping and traceroute in a live display
mtr 8.8.8.8

# mtr in report mode (10 pings then exit)
mtr -r -c 10 8.8.8.8

# mtr with TCP SYN on port 80
mtr -T -P 80 -r 8.8.8.8

mtr is especially useful because it continuously updates loss and latency statistics for every hop, making intermittent problems much easier to spot.

nmap

nmap is a network scanner used for discovering open ports and services.

# TCP connect scan on common ports
nmap -sT 10.0.0.5

# SYN scan (faster, needs root)
nmap -sS 10.0.0.5

# Scan specific ports
nmap -p 22,80,443 10.0.0.5

# Scan an entire subnet
nmap -sn 10.0.0.0/24     # ping sweep, no port scan

# Service version detection
nmap -sV -p 22,80 10.0.0.5

# OS detection
nmap -O 10.0.0.5

# Scan all 65535 ports
nmap -p- 10.0.0.5

Only scan hosts you own or have explicit permission to test.
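As an added example that is not part of the original guide, serving both the tcpdump and nmap sections: the function below reads `tcpdump -nn` text (live, or replayed from `-r capture.pcap`), counts pure SYNs per source and destination pair and how many distinct destination ports each pair touched. Seen from the target's side, the SYN scan above appears as one source opening many ports, while a normal client repeats one or two. It assumes tcpdump's default IPv4 TCP line format (`TIME IP SRC.PORT > DST.PORT: Flags [S], ...`); the threshold is a parameter and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# syn_summary THRESH: read `tcpdump -nn` text on stdin and print
#   "<src> <dst> <syns> <distinct_ports>" for every pair whose count of
#   distinct destination ports reaches THRESH (default 10).
# Assumes tcpdump's IPv4 TCP line format:
#   TIME IP SRC.PORT > DST.PORT: Flags [S], seq ..., length 0
syn_summary() {
    awk -v thresh="${1:-10}" '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {   # pure SYN; SYN-ACK prints as "[S.],"
        src = $3; sub(/\.[0-9]+$/, "", src)          # strip the source port
        dst = $5; sub(/:$/, "", dst)                 # drop the trailing colon
        n = split(dst, d, "."); dport = d[n]
        dhost = d[1] "." d[2] "." d[3] "." d[4]
        key = src " " dhost
        syns[key]++
        if (!((key, dport) in seen)) { seen[key, dport] = 1; ports[key]++ }
    }
    END { for (k in syns) if (ports[k] >= thresh) print k, syns[k], ports[k] }'
}

# Constructed sample: 10.0.0.5 opens one SSH session, 10.0.0.77 probes four ports.
SAMPLE_DUMP='14:02:11.523418 IP 10.0.0.5.51234 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
14:02:11.523500 IP 10.0.0.1.22 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
14:02:11.523600 IP 10.0.0.5.51234 > 10.0.0.1.22: Flags [.], ack 1, win 502, length 0
14:02:12.000100 IP 10.0.0.77.40000 > 10.0.0.1.21: Flags [S], seq 5, win 1024, length 0
14:02:12.000200 IP 10.0.0.77.40001 > 10.0.0.1.23: Flags [S], seq 6, win 1024, length 0
14:02:12.000300 IP 10.0.0.77.40002 > 10.0.0.1.25: Flags [S], seq 7, win 1024, length 0
14:02:12.000400 IP 10.0.0.77.40003 > 10.0.0.1.80: Flags [S], seq 8, win 1024, length 0'

# Live use: tcpdump -nn -r /tmp/capture.pcap tcp | syn_summary 10
printf '%s\n' "$SAMPLE_DUMP" | syn_summary 3
```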

ARP and neighbour table

ARP maps IPv4 addresses to MAC addresses on the local network:

# Show the ARP table (legacy command)
arp -a

# Show the neighbour table (iproute2)
ip neigh show

# Delete a stale entry
ip neigh del 10.0.0.99 dev eth0

# Manually add an entry
ip neigh add 10.0.0.99 lladdr aa:bb:cc:dd:ee:ff dev eth0

A common issue is a stale or duplicate ARP entry. If ping works for some hosts on the LAN but not others, inspect the neighbour table.

ethtool

ethtool queries and configures NIC hardware settings:

# Show link status and speed
ethtool eth0

# Show driver and firmware info
ethtool -i eth0

# Show NIC statistics (rx/tx errors, drops)
ethtool -S eth0

# Force speed and duplex (rarely needed)
ethtool -s eth0 speed 1000 duplex full autoneg off

# Show offload settings
ethtool -k eth0

# Disable TCP segmentation offload (debugging)
ethtool -K eth0 tso off

A troubleshooting checklist

When connectivity is broken, work from the bottom of the stack upward:

1. Physical/link layer   ethtool eth0          -- link detected?
2. IP layer              ip addr show           -- address assigned?
                         ip route show          -- default route?
3. Firewall              iptables -L -n         -- rule blocking traffic?
4. DNS                   dig example.com        -- name resolution working?
5. Application           ss -tlnp               -- service listening?
6. Path                  traceroute -n target   -- where do packets stop?
7. Packet capture        tcpdump -i eth0 -nn    -- what is on the wire?

Work through each layer systematically and you will find the problem.