Network Troubleshooting with Commands: ping, traceroute, netstat, ss - Complete Guide

Introduction

Network troubleshooting is a critical skill for system administrators, DevOps engineers, and IT professionals who manage servers and infrastructure. When network connectivity issues arise, the difference between hours of downtime and quick resolution often depends on mastering fundamental network diagnostic tools. Unlike graphical network monitoring solutions that may not be available on headless servers or during emergency situations, command-line tools provide immediate, detailed insights into network behavior, connectivity problems, routing issues, and service availability.

This comprehensive guide covers essential network troubleshooting commands that every Linux administrator must master: ping for connectivity testing, traceroute for path analysis, netstat for network statistics, and ss (socket statistics) for modern connection monitoring. You'll learn not just how to use these tools, but when to use them, how to interpret their output, and how to combine them for effective problem diagnosis. Whether you're investigating why a server cannot reach the Internet, diagnosing slow connections, identifying port conflicts, or tracking down network security issues, these commands form the foundation of systematic network troubleshooting.

By mastering these tools, you'll be equipped to quickly diagnose and resolve network issues, reducing downtime and maintaining reliable infrastructure in production environments.

Understanding Network Troubleshooting Methodology

Systematic Troubleshooting Approach

1. Define the Problem

  • What exactly is not working?
  • When did the problem start?
  • Has anything changed recently?

2. Gather Information

  • Check error messages
  • Review recent changes
  • Identify affected systems

3. Test Network Layers

  • Physical layer: cables, interfaces
  • Network layer: routing, IP addressing
  • Transport layer: TCP/UDP ports
  • Application layer: service configuration

4. Isolate the Issue

  • Test from different locations
  • Eliminate variables systematically
  • Narrow down root cause

5. Implement and Verify Solution

  • Apply fix
  • Test thoroughly
  • Document changes

OSI Model and Troubleshooting

Layer 7 - Application: Service configs, protocols
Layer 6 - Presentation: Encryption, data formatting
Layer 5 - Session: Connection management
Layer 4 - Transport: TCP/UDP ports, connections
Layer 3 - Network: IP routing, addressing
Layer 2 - Data Link: MAC addresses, switches
Layer 1 - Physical: Cables, NICs, link status

Start troubleshooting from Layer 1 upward for systematic diagnosis.

Prerequisites

Before using network troubleshooting commands, ensure you have:

  • Basic understanding of TCP/IP networking concepts
  • Root or sudo access for certain commands
  • Knowledge of your network topology
  • Network diagram or documentation (helpful)
  • IP addresses, subnet masks, and gateway information

Install Required Tools

# Ubuntu/Debian
sudo apt update
sudo apt install iputils-ping traceroute net-tools iproute2 dnsutils tcpdump -y

# CentOS/RHEL/Rocky Linux
sudo dnf install iputils traceroute net-tools iproute bind-utils tcpdump -y

# Verify installations
ping -V
traceroute --version
ss -V

ping - Connectivity Testing

The ping command tests network connectivity by sending ICMP Echo Request packets and measuring responses.

Basic ping Usage

# Basic ping
ping google.com

# Ping specific number of packets
ping -c 4 google.com

# Ping with timestamp
ping -D google.com

# Ping IPv6 address
ping6 2001:4860:4860::8888

Understanding ping Output

$ ping -c 4 google.com

PING google.com (142.250.185.46) 56(84) bytes of data.
64 bytes from lga25s67-in-f14.1e100.net (142.250.185.46): icmp_seq=1 ttl=117 time=15.2 ms
64 bytes from lga25s67-in-f14.1e100.net (142.250.185.46): icmp_seq=2 ttl=117 time=14.8 ms
64 bytes from lga25s67-in-f14.1e100.net (142.250.185.46): icmp_seq=3 ttl=117 time=15.1 ms
64 bytes from lga25s67-in-f14.1e100.net (142.250.185.46): icmp_seq=4 ttl=117 time=14.9 ms

--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 14.822/15.000/15.169/0.142 ms

Key metrics:

  • icmp_seq: Sequence number (detect packet loss)
  • ttl: Time To Live (hops remaining)
  • time: Round-trip time in milliseconds
  • packet loss: Percentage of lost packets
  • rtt: Round-trip time statistics (min/avg/max/std deviation)

Advanced ping Options

Set Packet Size

# Larger packet size (test MTU issues)
ping -s 1472 google.com

# Maximum standard Ethernet MTU
ping -s 1500 google.com

# Prohibit fragmentation
ping -M do -s 1472 google.com

Adjust Timing

# Fast ping (interval 0.2 seconds)
sudo ping -i 0.2 google.com

# Flood ping (root only, use carefully)
sudo ping -f google.com

# Set timeout
ping -W 2 google.com  # 2 second timeout

Source Interface

# Ping from specific interface
ping -I eth0 google.com

# Ping from specific source IP
ping -I 192.168.1.100 google.com

ping Diagnostic Scenarios

Test Local Network Connectivity

# Test loopback interface
ping 127.0.0.1

# Test default gateway
ping $(ip route | grep default | awk '{print $3}')

# Test local network hosts
ping 192.168.1.1

Test Internet Connectivity

# Test well-known servers
ping 8.8.8.8          # Google DNS
ping 1.1.1.1          # Cloudflare DNS
ping 208.67.222.222   # OpenDNS

# Test with hostname (verifies DNS too)
ping google.com

Detect Intermittent Connection Issues

# Continuous ping with statistics
ping -c 1000 google.com | tee ping-results.txt

# Monitor packet loss
ping -c 100 google.com | grep "packet loss"

Measure Network Latency

# Ping multiple times and analyze
ping -c 50 remote-server.com

# Watch for variance in response times
# High variance indicates network instability

Interpreting ping Results

Successful ping:

64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=15.2 ms

✓ Network connectivity working

Destination unreachable:

From 192.168.1.1 icmp_seq=1 Destination Host Unreachable

✗ Host not reachable, routing issue or host down

Request timeout:

Request timeout for icmp_seq 1

✗ No response received, firewall blocking or network issue

High packet loss:

10 packets transmitted, 5 received, 50% packet loss

✗ Network congestion or unstable connection

High latency variance:

rtt min/avg/max/mdev = 15.2/156.3/892.1/245.8 ms

✗ Network instability, congestion, or routing problems

traceroute - Path Analysis

Traceroute shows the network path packets take to reach a destination, identifying each hop along the route.

Basic traceroute Usage

# Trace route to destination
traceroute google.com

# Use ICMP instead of UDP
sudo traceroute -I google.com

# Use TCP SYN packets (useful for firewall traversal)
sudo traceroute -T -p 80 google.com

# IPv6 traceroute
traceroute6 google.com

Understanding traceroute Output

$ traceroute google.com

traceroute to google.com (142.250.185.46), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.245 ms  1.189 ms  1.156 ms
 2  10.0.0.1 (10.0.0.1)  8.423 ms  8.395 ms  8.367 ms
 3  72.14.218.26 (72.14.218.26)  12.445 ms  12.428 ms  12.401 ms
 4  108.170.252.1 (108.170.252.1)  13.876 ms  13.859 ms  13.832 ms
 5  142.251.61.221 (142.251.61.221)  14.234 ms  14.217 ms  14.190 ms
 6  lga25s67-in-f14.1e100.net (142.250.185.46)  15.123 ms  14.956 ms  14.929 ms

Each line shows:

  • Hop number
  • Hostname (if reverse DNS available) and IP address
  • Three round-trip times (three probes per hop)

Advanced traceroute Options

Control Number of Probes

# Send 5 probes per hop instead of 3
traceroute -q 5 google.com

# Single probe per hop (faster)
traceroute -q 1 google.com

Set Maximum Hops

# Maximum 15 hops
traceroute -m 15 google.com

# Maximum 50 hops (increase for long routes)
traceroute -m 50 google.com

Adjust Timeout

# Wait 1 second per probe
traceroute -w 1 google.com

# Wait 5 seconds (slow connections)
traceroute -w 5 google.com

Specify Source Interface

# Use specific interface
traceroute -i eth1 google.com

# Use specific source address
traceroute -s 192.168.1.100 google.com

traceroute Diagnostic Scenarios

Identify Network Bottlenecks

# Look for sudden latency increases
traceroute remote-server.com

# Compare routes to different destinations
traceroute server1.com > route1.txt
traceroute server2.com > route2.txt
diff route1.txt route2.txt

Detect Routing Loops

# Routing loop shows repeated IP addresses
traceroute problematic-destination.com

# Look for hop counts exceeding reasonable limits

Firewall and Filtering Detection

# Asterisks indicate filtered hops
traceroute -I destination.com

# Try different protocols
traceroute -T -p 443 destination.com

Interpreting traceroute Results

Normal hop:

3  72.14.218.26 (72.14.218.26)  12.445 ms  12.428 ms  12.401 ms

✓ Router responding normally

Timeout at hop:

4  * * *

⚠ Hop not responding (firewall blocking ICMP or router configured not to respond)

Sudden latency increase:

5  router1.isp.com (10.1.1.1)  15 ms  16 ms  14 ms
6  router2.isp.com (10.1.1.2)  145 ms  152 ms  148 ms

✗ Congestion or slow link between hop 5 and 6

Asymmetric routing: Different paths for different probes indicate load balancing or route flapping

netstat - Network Statistics (Legacy Tool)

Netstat displays network connections, routing tables, interface statistics, and more. While largely replaced by ss, it remains widely available and understood.

Basic netstat Usage

# Show all connections
netstat -a

# Show listening ports
netstat -l

# Show TCP connections
netstat -t

# Show UDP connections
netstat -u

# Show listening TCP ports
netstat -lt

# Show numerical addresses (no DNS lookup)
netstat -n

# Show program names
sudo netstat -p

Common netstat Combinations

# Show all listening TCP ports with programs
sudo netstat -tlnp

# Show all established connections
netstat -tnp | grep ESTABLISHED

# Show all listening UDP ports
sudo netstat -ulnp

# Show all connections with numerical addresses
netstat -an

Understanding netstat Output

$ sudo netstat -tlnp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      5678/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      9101/apache2

Columns:

  • Proto: Protocol (tcp, tcp6, udp, udp6)
  • Recv-Q: Bytes in receive queue
  • Send-Q: Bytes in send queue
  • Local Address: Local IP:Port
  • Foreign Address: Remote IP:Port
  • State: Connection state
  • PID/Program: Process ID and name

Connection States

LISTEN      - Waiting for connection requests
ESTABLISHED - Active connection
TIME_WAIT   - Connection closed, waiting to ensure remote received acknowledgment
CLOSE_WAIT  - Remote has closed, waiting for local close
SYN_SENT    - Trying to establish connection
SYN_RECV    - Received connection request
FIN_WAIT1   - Connection closing
FIN_WAIT2   - Connection closed, waiting for remote close
CLOSING     - Both sides closing simultaneously

netstat Diagnostic Scenarios

Find Which Process Uses a Port

# Find what's listening on port 80
sudo netstat -tlnp | grep :80

# Find all processes listening on ports
sudo netstat -tlnp | grep LISTEN

Check Established Connections

# Show all established connections
netstat -tn | grep ESTABLISHED

# Count connections by state
netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c

Monitor Network Interface Statistics

# Show interface statistics
netstat -i

# Continuous interface monitoring
netstat -ic

# Detailed interface stats
netstat -s

View Routing Table

# Display routing table
netstat -r

# Numerical routing table
netstat -rn

ss - Socket Statistics (Modern Alternative)

The ss command is the modern replacement for netstat, providing faster and more detailed socket information.

Basic ss Usage

# Show all sockets
ss -a

# Show listening sockets
ss -l

# Show TCP sockets
ss -t

# Show UDP sockets
ss -u

# Show listening TCP sockets
ss -lt

# Show numerical addresses
ss -n

# Show process information
sudo ss -p

Common ss Combinations

# Show all listening TCP ports with process info
sudo ss -tlnp

# Show all established TCP connections
ss -tn state established

# Show all sockets with process and numeric output
sudo ss -tunap

# Show listening sockets with extended info
ss -lte

Understanding ss Output

$ sudo ss -tlnp

State    Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN   0       128      0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=1234,fd=3))
LISTEN   0       80       127.0.0.1:3306        0.0.0.0:*          users:(("mysqld",pid=5678,fd=25))
LISTEN   0       511      *:80                  *:*                users:(("apache2",pid=9101,fd=4))

Columns:

  • State: Socket state
  • Recv-Q: Receive queue size
  • Send-Q: Send queue size
  • Local Address:Port: Local endpoint
  • Peer Address:Port: Remote endpoint
  • Process: Process information (with -p)

Advanced ss Options

Filter by State

# Show established connections
ss -t state established

# Show listening connections
ss -t state listening

# Show time-wait connections
ss -t state time-wait

# Multiple states
ss -t state established state syn-sent

Filter by Port

# Show connections on port 80
ss -tn sport = :80

# Show connections to port 443
ss -tn dport = :443

# Show port range
ss -tn sport ge :1024

Extended Information

# Show extended socket information
ss -te

# Show memory usage
ss -tm

# Show internal TCP information
ss -ti

# Show all extended options
ss -tiem

Socket Summary

# Summary of socket statistics
ss -s

# Output example:
# Total: 589
# TCP:   12 (estab 5, closed 2, orphaned 0, timewait 2)
# Transport Total     IP        IPv6
# RAW       1         0         1
# UDP       8         5         3
# TCP       10        6         4

ss Diagnostic Scenarios

Identify Port Conflicts

# Check if port is already in use
sudo ss -tlnp | grep :8080

# Find process using specific port
sudo ss -tlnp 'sport = :3306'

Monitor Connection States

# Count connections by state
ss -tan | awk '{print $1}' | sort | uniq -c

# Watch TIME_WAIT connections
watch -n 1 'ss -tan | grep TIME-WAIT | wc -l'

Detect Connection Flooding

# Show connections per IP
ss -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

# Monitor SYN_RECV (potential SYN flood)
ss -tan | grep SYN-RECV

Check Listen Queue

# Show listen queue details
ss -tlnp

# Large Recv-Q on listening socket indicates backlog
# May need to increase listen backlog or process faster

Combining Tools for Effective Troubleshooting

Complete Connectivity Diagnosis

#!/bin/bash
# network-diagnosis.sh - Comprehensive network check

TARGET=$1

echo "=== Network Diagnostic for $TARGET ==="

echo -e "\n1. Testing connectivity..."
if ping -c 4 $TARGET > /dev/null 2>&1; then
    echo "✓ Ping successful"
    ping -c 4 $TARGET | tail -2
else
    echo "✗ Ping failed"
fi

echo -e "\n2. Tracing route..."
traceroute -m 15 $TARGET

echo -e "\n3. Testing DNS resolution..."
dig $TARGET +short

echo -e "\n4. Checking local network..."
echo "Default gateway:"
ip route | grep default

echo -e "\nLocal IP addresses:"
ip addr show | grep "inet " | grep -v 127.0.0.1

echo -e "\n5. Checking listening services..."
sudo ss -tlnp

echo -e "\n6. Connection summary..."
ss -s

Usage:

chmod +x network-diagnosis.sh
./network-diagnosis.sh google.com

Server Port Accessibility Test

#!/bin/bash
# port-check.sh - Test if specific port is accessible

HOST=$1
PORT=$2

echo "Testing $HOST:$PORT"

# Test with nc (netcat)
if nc -zv -w 5 $HOST $PORT 2>&1 | grep -q "succeeded"; then
    echo "✓ Port $PORT is open"
else
    echo "✗ Port $PORT is closed or filtered"
fi

# Alternative: using telnet
timeout 5 telnet $HOST $PORT 2>&1 | grep -q "Connected" && \
    echo "✓ Telnet connection successful" || \
    echo "✗ Telnet connection failed"

# Check local listening
if sudo ss -tlnp | grep -q ":$PORT "; then
    echo "✓ Service listening locally on port $PORT"
    sudo ss -tlnp | grep ":$PORT "
else
    echo "✗ No service listening on port $PORT locally"
fi

Connection Monitoring Script

#!/bin/bash
# monitor-connections.sh - Monitor network connections

echo "=== Network Connection Monitor ==="
echo "Press Ctrl+C to stop"

while true; do
    clear
    echo "=== Active Connections at $(date) ==="

    echo -e "\nEstablished connections:"
    ss -tn state established | tail -n +2 | wc -l

    echo -e "\nTop 10 external connections:"
    ss -tn state established | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -10

    echo -e "\nConnections by state:"
    ss -tan | awk '{print $1}' | tail -n +2 | sort | uniq -c

    echo -e "\nListening services:"
    sudo ss -tlnp | grep LISTEN | wc -l

    sleep 5
done

Additional Network Troubleshooting Tools

dig - DNS Lookup

# Basic DNS lookup
dig google.com

# Query specific record type
dig google.com A
dig google.com AAAA
dig google.com MX
dig google.com TXT

# Query specific DNS server
dig @8.8.8.8 google.com

# Short output
dig google.com +short

# Reverse DNS lookup
dig -x 8.8.8.8

nslookup - DNS Query

# Basic lookup
nslookup google.com

# Query specific DNS server
nslookup google.com 8.8.8.8

# Query specific record type
nslookup -type=MX google.com

host - Simple DNS Lookup

# Basic lookup
host google.com

# Reverse lookup
host 8.8.8.8

# All records
host -a google.com

nc (netcat) - Network Swiss Army Knife

# Test port connectivity
nc -zv google.com 80

# Test port range
nc -zv google.com 80-443

# Listen on port
nc -l 8080

# Transfer file
# Receiver: nc -l 8080 > received_file
# Sender: nc target-ip 8080 < file_to_send

tcpdump - Packet Capture

# Capture on specific interface
sudo tcpdump -i eth0

# Capture specific port
sudo tcpdump -i eth0 port 80

# Capture and save to file
sudo tcpdump -i eth0 -w capture.pcap

# Read from file
tcpdump -r capture.pcap

# Filter by host
sudo tcpdump -i eth0 host 192.168.1.100

mtr - Combined ping and traceroute

# Interactive mode
mtr google.com

# Report mode (10 cycles)
mtr -r -c 10 google.com

# No DNS resolution
mtr -n google.com

Troubleshooting Common Network Issues

Issue 1: Cannot Reach Website

Diagnosis:

# Test DNS resolution
dig example.com

# Test basic connectivity
ping example.com

# Test specific port
nc -zv example.com 80

# Trace route
traceroute example.com

Common causes:

  • DNS not resolving
  • Firewall blocking
  • Service not running
  • Routing issues

Issue 2: Slow Network Performance

Diagnosis:

# Check packet loss
ping -c 100 remote-server.com

# Identify slow hops
mtr remote-server.com

# Check for congestion
ss -s

# Monitor interface errors
netstat -i

Issue 3: Port Already in Use

Diagnosis:

# Find process using port
sudo ss -tlnp | grep :8080
sudo lsof -i :8080

# Kill process
sudo kill -9 <PID>

# Or stop service
sudo systemctl stop apache2

Issue 4: Too Many Connections

Diagnosis:

# Count total connections
ss -s

# Check TIME_WAIT connections
ss -tan | grep TIME-WAIT | wc -l

# Identify connection sources
ss -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

Solutions:

  • Adjust kernel parameters
  • Implement rate limiting
  • Investigate potential DDoS

Issue 5: DNS Resolution Failures

Diagnosis:

# Test DNS servers
dig @8.8.8.8 google.com
dig @1.1.1.1 google.com

# Check /etc/resolv.conf
cat /etc/resolv.conf

# Test with different query types
dig google.com A
dig google.com AAAA

Best Practices

1. Establish Baseline Metrics

# Collect baseline data when systems are healthy
ping -c 1000 critical-server.com > baseline-ping.txt
ss -s > baseline-connections.txt
netstat -s > baseline-stats.txt

2. Create Troubleshooting Checklists

  • Verify physical connectivity
  • Check IP configuration
  • Test gateway reachability
  • Verify DNS resolution
  • Test service availability
  • Check firewall rules
  • Review application logs

3. Document Network Topology

Maintain diagrams showing:

  • Network subnets
  • Gateway/router locations
  • Firewall placement
  • Critical servers and services

4. Use Logging and Monitoring

# Log continuous ping results
ping -D remote-server.com | tee -a ping-monitor.log

# Monitor connection states
watch -n 5 'ss -s'

# Track interface statistics
while true; do netstat -i >> interface-stats.log; sleep 60; done

5. Automate Routine Checks

# Cron job for network monitoring
*/5 * * * * /usr/local/bin/network-check.sh >> /var/log/network-check.log 2>&1

Security Considerations

Limit Information Exposure

# Disable ICMP response (carefully!)
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

# Rate limit ICMP
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Monitor for Suspicious Activity

# Watch for port scans
sudo ss -tan | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head

# Monitor SYN flood attempts
watch 'ss -tan | grep SYN-RECV'

Secure Diagnostic Tools

  • Restrict tcpdump to authorized users
  • Limit netstat/ss execution
  • Review captured packet data carefully
  • Never share packet captures with sensitive data

Conclusion

Mastering network troubleshooting commands is essential for maintaining reliable, secure infrastructure. The tools covered in this guide—ping for connectivity testing, traceroute for path analysis, netstat for legacy compatibility, and ss for modern socket statistics—form the foundation of systematic network diagnosis and problem resolution.

Key takeaways:

  • ping validates connectivity and measures latency
  • traceroute identifies routing paths and bottlenecks
  • netstat provides legacy network statistics (still widely used)
  • ss offers modern, fast socket information with extensive filtering
  • Combined tools enable comprehensive network diagnosis
  • Systematic approach improves troubleshooting efficiency
  • Documentation and monitoring support proactive problem detection

These command-line tools work on virtually every Linux distribution, require minimal resources, and provide immediate insights during critical troubleshooting scenarios. Whether diagnosing connectivity failures, performance issues, security incidents, or service availability problems, the skills developed through this guide will serve you throughout your career in system administration and infrastructure management.

Continue expanding your network troubleshooting expertise by exploring advanced tools like Wireshark for packet analysis, iperf for bandwidth testing, and nmap for network discovery and security auditing.