Network Diagnostics
Network connectivity testing and troubleshooting.
Connectivity Testing
# Basic ping (ICMP echo)
ping -c 4 host # 4 packets
ping -c 4 -W 2 host # 2 second timeout per packet
ping -c 4 -i 0.2 host # 200ms interval (fast ping)
ping -c 10 -q host # Quiet mode (summary only)
# Ping with timestamp and output
ping -D host # Unix timestamp prefix
ping host | while read line; do
echo "$(date +%H:%M:%S) $line"
done
# Large packet test (MTU discovery)
ping -c 4 -M do -s 1472 host # Don't fragment, 1472 + 28 = 1500 MTU
ping -c 4 -s 8972 host # Jumbo frame test (9000 MTU)
# Ping sweep (find live hosts)
for i in {1..254}; do
ping -c 1 -W 1 "10.50.1.$i" &>/dev/null && echo "10.50.1.$i is up" &
done
wait
# Traceroute (path discovery)
traceroute host # UDP probes (default)
traceroute -I host # ICMP probes
traceroute -T host # TCP SYN probes (port 80)
traceroute -p 443 -T host # TCP to specific port
traceroute -n host # No DNS resolution (faster)
traceroute -w 2 -q 1 host # 2s timeout, 1 probe per hop
# MTR - realtime traceroute with statistics
mtr host # Interactive mode
mtr -r -c 100 host # Report mode, 100 cycles
mtr -rwb host # Report with IPs and hostnames
mtr -n host # No DNS (faster)
mtr -u host # UDP mode
mtr -T host # TCP mode
mtr --report-wide --report-cycles=50 host # Wide output, 50 cycles
# TCP connectivity test
timeout 5 bash -c 'echo >/dev/tcp/host/port' 2>/dev/null && echo "open" || echo "closed"
timeout 3 nc -zv host port # netcat verbose
nc -zvw 3 host 22 # 3 second timeout
nc -zv host 20-25 # Port range scanDNS Diagnostics
# Basic DNS lookup
dig example.com # Full output
dig +short example.com # Just the answer
dig example.com A # A record only
dig example.com AAAA # IPv6 address
dig example.com MX # Mail exchangers
dig example.com TXT # TXT records (SPF, DKIM)
dig example.com NS # Nameservers
dig example.com SOA # Start of Authority
dig example.com ANY # All records (may be blocked)
# Query specific DNS server
dig @8.8.8.8 example.com # Google DNS
dig @10.50.1.90 example.com # bind-01 (internal)
dig @10.50.1.1 example.com # pfSense forwarder
# Reverse DNS lookup
dig -x 10.50.1.20 # PTR record lookup
dig +short -x 10.50.1.20 # Just hostname
# DNS trace (follow delegation)
dig +trace example.com # From root servers down
# DNSSEC validation
dig +dnssec example.com # Include DNSSEC records
dig +short +cd example.com # Disable checking (compare results)
# DNS response timing
dig example.com | grep 'Query time'
dig +stats example.com | tail -5 # Full stats
# Test specific record types for ISE/802.1X
dig _kerberos._tcp.inside.domusdigitalis.dev SRV # Kerberos SRV
dig _ldap._tcp.inside.domusdigitalis.dev SRV # LDAP SRV
dig _gc._tcp.inside.domusdigitalis.dev SRV # Global Catalog
# host command (simpler output)
host example.com # Forward lookup
host 10.50.1.20 # Reverse lookup
host -t MX example.com # MX records
host -t SRV _kerberos._tcp.inside.domusdigitalis.dev
# nslookup (interactive debugging)
nslookup example.com
nslookup example.com 10.50.1.90 # Use specific server
nslookup -type=mx example.com # MX query
# DNS cache operations (systemd-resolved)
resolvectl status # Show DNS config
resolvectl query example.com # Query with cache info
resolvectl statistics # Cache statistics
resolvectl flush-caches # Clear cacheAdvanced DNS Analysis
# Compare DNS responses across servers
for server in 10.50.1.1 10.50.1.90 8.8.8.8 1.1.1.1; do
echo "=== $server ==="
dig +short @"$server" example.com
done
# DNS propagation check
DOMAIN="example.com"
for ns in $(dig +short NS "$DOMAIN"); do
echo "=== $ns ==="
dig +short @"$ns" "$DOMAIN"
done
# Zone transfer test (if allowed)
dig @ns1.example.com example.com AXFR # Full zone transfer
dig @ns1.example.com example.com IXFR # Incremental transfer
# Check all nameservers respond consistently
dig +nssearch example.com # Query all NS servers
# DNS lookup with specific options
dig +norecurse @ns1.example.com example.com # Non-recursive (authoritative only)
dig +tcp example.com # Force TCP
dig +bufsize=4096 example.com # Larger EDNS buffer
# Find authoritative nameservers
dig +short NS example.com | xargs -I{} dig +short @{} example.com
# Multi-host DNS resolution with awk
HOSTS="vault-01 ise-01 bind-01 kvm-01 nas-01"
for h in $HOSTS; do
ip=$(host "$h.inside.domusdigitalis.dev" 2>/dev/null | awk '/has address/{print $4}')
printf "%-20s %s\n" "$h" "${ip:-UNRESOLVED}"
done
# DNS response time across servers
for server in 10.50.1.90 10.50.1.1 8.8.8.8; do
time_ms=$(dig @"$server" example.com | awk '/Query time/{print $4}')
printf "%s: %sms\n" "$server" "$time_ms"
donePort and Socket Analysis
# ss (socket statistics) - replacement for netstat
ss -tlnp # TCP listening, numeric, processes
ss -ulnp # UDP listening
ss -tunlp # Both TCP and UDP
ss -tn # Established TCP connections
ss -tnp # With process info (needs root for others)
# Filter by state
ss -t state established # Only established
ss -t state time-wait # TIME_WAIT connections
ss -t state listening # Listening sockets
ss -t '( dport = :22 or sport = :22 )' # Port 22 connections
# Filter by address
ss -tn dst 10.50.1.20 # Connections to ISE
ss -tn src 10.50.1.0/24 # Connections from MGMT subnet
ss -tn 'dport > 1024 and dport < 65535' # High port connections
# Connection counts
ss -tn | awk 'NR>1 {print $4}' | cut -d: -f1 | sort | uniq -c | sort -rn
# Count connections per remote IP
ss -s # Summary statistics
# netstat (legacy but still useful)
netstat -tlnp # TCP listening
netstat -an | grep ESTABLISHED | wc -l # Connection count
netstat -anp | grep ":22" # SSH connections
# lsof (list open files - includes sockets)
lsof -i :22 # What's on port 22
lsof -i TCP:22 # TCP only
lsof -i @10.50.1.20 # Connections to IP
lsof -i TCP -sTCP:LISTEN # All listening TCP
lsof -i -P -n # All network, numeric
# By process
lsof -p $(pgrep sshd) -i # sshd network activity
lsof -c nginx -i # nginx network activity
# fuser (find process using port)
fuser 22/tcp # Process using TCP 22
fuser -v 80/tcp # Verbose with process info
fuser -k 8080/tcp # Kill process using port (dangerous!)IP Configuration
# ip command (modern replacement for ifconfig)
ip addr # All interfaces
ip -4 addr # IPv4 only
ip -6 addr # IPv6 only
ip addr show eth0 # Specific interface
ip -br addr # Brief output
ip -o addr | awk '{print $2, $4}' # Interface + IP only
# Routing table
ip route # Full routing table
ip route get 10.50.1.20 # How to reach specific IP
ip route show table all # All routing tables
ip route show cache # Route cache
# Add/delete routes (temporary)
ip route add 192.168.1.0/24 via 10.50.1.1 # Add route
ip route del 192.168.1.0/24 # Delete route
ip route add default via 10.50.1.1 # Default gateway
# ARP table
ip neigh # ARP/NDP cache
ip neigh show dev eth0 # Specific interface
arp -an # Legacy command
# Interface statistics
ip -s link # Packet stats
ip -s -s link show eth0 # Detailed stats
ip -s -h link show eth0 # Human readable
# Link state
ip link show # All interfaces
ip link show eth0 # Specific interface
ip link set eth0 up # Bring up
ip link set eth0 down # Bring down
ip link set eth0 mtu 9000 # Set MTU
# Useful one-liners
ip -o addr | awk '!/127.0.0.1/{print $2": "$4}' # All non-loopback IPs
ip route get 1.1.1.1 | awk '{print $7}' # Default outbound IPTraffic Analysis
# tcpdump - packet capture
tcpdump -i eth0 # Capture on interface
tcpdump -i any # All interfaces
tcpdump -c 100 # Capture 100 packets
tcpdump -w /tmp/capture.pcap # Write to file
tcpdump -r /tmp/capture.pcap # Read from file
# Common filters
tcpdump host 10.50.1.20 # Traffic to/from IP
tcpdump dst host 10.50.1.20 # Traffic TO IP
tcpdump src host 10.50.1.20 # Traffic FROM IP
tcpdump port 22 # SSH traffic
tcpdump portrange 1-1024 # Port range
tcpdump tcp # TCP only
tcpdump udp # UDP only
tcpdump icmp # ICMP only
tcpdump 'tcp port 80' # HTTP
tcpdump 'tcp port 443' # HTTPS
# Combined filters
tcpdump 'host 10.50.1.20 and port 1812' # RADIUS to ISE
tcpdump 'host 10.50.1.20 and (port 1812 or port 1813)'
tcpdump 'src 10.50.1.0/24 and dst port 53' # DNS queries from MGMT
# Useful options
tcpdump -n # No DNS resolution
tcpdump -nn # No DNS or port names
tcpdump -v # Verbose
tcpdump -vv # More verbose
tcpdump -X # Show packet contents (hex+ASCII)
tcpdump -A # ASCII only (for HTTP debugging)
tcpdump -e # Show MAC addresses
tcpdump -s 0 # Capture full packets
# RADIUS traffic capture
tcpdump -i any -nn 'port 1812 or port 1813' -w /tmp/radius.pcap
# DNS traffic
tcpdump -i any -nn port 53
# Kerberos traffic
tcpdump -i any -nn port 88
# iftop - realtime bandwidth monitor
iftop -i eth0 # Interactive mode
iftop -nP -i eth0 # Numeric, ports
# nethogs - bandwidth per process
nethogs eth0 # Show by process
# nload - interface bandwidth
nload eth0 # Graphical bandwidth
# iptraf - detailed traffic stats (ncurses)
iptraf-ng -i eth0Network Namespaces (Containers/k8s)
# List network namespaces
ip netns list
ls /var/run/netns/
# Execute command in namespace
ip netns exec <namespace> ip addr
ip netns exec <namespace> ping 10.50.1.1
# Create and configure namespace
ip netns add test-ns
ip netns exec test-ns ip link set lo up
ip netns delete test-ns
# Container network debugging
# Find container's network namespace
CONTAINER_ID=$(docker ps -q --filter name=mycontainer)
PID=$(docker inspect -f '{{.State.Pid}}' "$CONTAINER_ID")
nsenter -t "$PID" -n ip addr # Enter container's network NS
# k8s pod networking
# Get pod's network namespace
kubectl get pod mypod -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -d/ -f3
# Then use crictl or docker inspect to find PID
# Cilium-specific debugging (k3s)
kubectl -n kube-system exec cilium-xxxxx -- cilium status
kubectl -n kube-system exec cilium-xxxxx -- cilium endpoint list
kubectl -n kube-system exec cilium-xxxxx -- cilium bpf lb list
# CNI debugging
cat /etc/cni/net.d/*.conflist # CNI configuration
crictl pods # List pods (CRI)
# Pod-to-pod connectivity test
kubectl exec -it pod1 -- ping <pod2-ip>
kubectl exec -it pod1 -- nc -zv <pod2-ip> 80Infrastructure Diagnostics
# Multi-host connectivity matrix
HOSTS="vault-01 ise-01 bind-01 kvm-01 nas-01 k3s-master-01"
DOMAIN="inside.domusdigitalis.dev"
printf "%-20s %-15s %-6s %s\n" "HOST" "IP" "PING" "SSH"
for h in $HOSTS; do
fqdn="$h.$DOMAIN"
ip=$(host "$fqdn" 2>/dev/null | awk '/has address/{print $4; exit}')
ping_ok=$(ping -c1 -W2 "$fqdn" &>/dev/null && echo "✓" || echo "✗")
ssh_ok=$(timeout 3 nc -zv "$fqdn" 22 &>/dev/null && echo "✓" || echo "✗")
printf "%-20s %-15s %-6s %s\n" "$h" "${ip:-N/A}" "$ping_ok" "$ssh_ok"
done
# Service port check across hosts
check_service() {
local host=$1 port=$2 name=$3
if timeout 3 nc -zv "$host" "$port" &>/dev/null; then
echo "✓ $name ($host:$port)"
else
echo "✗ $name ($host:$port)"
fi
}
echo "=== Critical Services ==="
check_service "vault-01.inside.domusdigitalis.dev" 8200 "Vault API"
check_service "ise-01.inside.domusdigitalis.dev" 9060 "ISE ERS"
check_service "ise-01.inside.domusdigitalis.dev" 1812 "RADIUS Auth"
check_service "bind-01.inside.domusdigitalis.dev" 53 "DNS"
check_service "home-dc01.inside.domusdigitalis.dev" 88 "Kerberos"
check_service "home-dc01.inside.domusdigitalis.dev" 389 "LDAP"
# DNS resolution test suite
echo "=== DNS Resolution ==="
for server in 10.50.1.1 10.50.1.90; do
echo "Server: $server"
dig +short @"$server" vault-01.inside.domusdigitalis.dev
dig +short @"$server" -x 10.50.1.60
done
# Certificate expiry check
echo "=== TLS Certificates ==="
for host in vault-01 ise-01 grafana wazuh; do
fqdn="$host.inside.domusdigitalis.dev"
expiry=$(echo | timeout 5 openssl s_client -connect "$fqdn:443" \
-servername "$fqdn" 2>/dev/null | \
openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
printf "%-30s %s\n" "$fqdn" "${expiry:-CONNECTION FAILED}"
done
# Route to critical services
echo "=== Routing ==="
for ip in 10.50.1.60 10.50.1.20 10.50.1.50; do
route=$(ip route get "$ip" 2>/dev/null | head -1)
echo "$ip: $route"
doneWireless Diagnostics
# List wireless interfaces
iw dev # Wireless interfaces
iwconfig # Legacy wireless info
# Scan for networks
sudo iw dev wlan0 scan | grep -E 'SSID:|signal:|freq:'
# Connection status
iw dev wlan0 link # Current connection
iw dev wlan0 station dump # AP statistics
# Signal strength monitoring
watch -n 1 'iw dev wlan0 link' # Realtime signal
# NetworkManager wireless
nmcli device wifi list # Available networks
nmcli device wifi rescan # Force rescan
nmcli device wifi connect "SSID" password "pass" # Connect
nmcli connection show # Saved connections
# wpa_supplicant debugging
wpa_cli status # Connection status
wpa_cli scan_results # Scan results
wpa_cli -i wlan0 log_level DEBUG # Debug logging
# EAP-TLS debugging (802.1X)
# Check certificate
openssl x509 -in /etc/ssl/certs/$(hostname)-eaptls.pem -text -noout | \
grep -E 'Subject:|Issuer:|Not Before:|Not After:'
# wpa_supplicant log for EAP
journalctl -u wpa_supplicant -f
journalctl -u NetworkManager -f | grep -i eap
# WiFi frequency analysis
iw dev wlan0 survey dump | grep -A5 'in use'Performance Analysis
# Bandwidth test with iperf3
# Server mode (run on remote)
iperf3 -s # Start server
iperf3 -s -D # Daemonize
# Client tests
iperf3 -c server # TCP test (default 10s)
iperf3 -c server -t 30 # 30 second test
iperf3 -c server -u -b 100M # UDP 100Mbps
iperf3 -c server -P 4 # 4 parallel streams
iperf3 -c server -R # Reverse (download)
iperf3 -c server -b 0 -u # Max UDP bandwidth
iperf3 -c server -J # JSON output
# Network latency statistics
ping -c 100 host | tail -1 # Summary with avg/min/max
# Measure route latency
for hop in $(traceroute -n host 2>/dev/null | awk 'NR>1 && $2!="*"{print $2}'); do
avg=$(ping -c 3 -q "$hop" 2>/dev/null | tail -1 | cut -d/ -f5)
printf "%s: %sms\n" "$hop" "${avg:-timeout}"
done
# Socket buffer tuning check
sysctl net.core.rmem_max # Receive buffer
sysctl net.core.wmem_max # Send buffer
sysctl net.ipv4.tcp_rmem # TCP receive
sysctl net.ipv4.tcp_wmem # TCP send
# Connection tracking
cat /proc/sys/net/netfilter/nf_conntrack_count # Current connections
cat /proc/sys/net/netfilter/nf_conntrack_max # Max connections
conntrack -L 2>/dev/null | wc -l # Alternative count
# NIC statistics
ethtool -S eth0 | head -20 # NIC counters
ethtool eth0 # NIC settings
ethtool -i eth0 # Driver info
# Packet loss and errors
ip -s link show eth0 | grep -E 'errors|dropped'
netstat -i # Interface statisticsCommon Gotchas
# WRONG: Using ping to test TCP services
ping server.example.com # ICMP != TCP connectivity
# CORRECT: Test the actual port
nc -zv server.example.com 443
curl -I https://server.example.com
# WRONG: Trusting local DNS for external resolution
dig example.com # Uses /etc/resolv.conf
# CORRECT: Compare multiple DNS servers
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
dig @10.50.1.90 example.com
# WRONG: Running tcpdump without -n (slow DNS lookups)
tcpdump -i eth0 port 80 # DNS lookup for every packet
# CORRECT: Disable name resolution
tcpdump -nn -i eth0 port 80
# WRONG: Capturing too much data
tcpdump -w capture.pcap # Could be gigabytes
# CORRECT: Limit capture
tcpdump -c 1000 -w capture.pcap # 1000 packets
tcpdump -G 60 -W 5 -w 'cap_%Y%m%d_%H%M.pcap' # Rotate files
# WRONG: Forgetting ss needs root for process info
ss -tlnp # Shows "-" for non-owned sockets
# CORRECT: Run as root for full info
sudo ss -tlnp
# WRONG: Assuming connectivity means DNS works
ping 8.8.8.8 # Works
ping google.com # Fails (DNS issue)
# CORRECT: Test both
ping 8.8.8.8 && dig +short google.com && ping google.com
# WRONG: iptables rules without checking existing
iptables -A INPUT -j DROP # Locks you out!
# CORRECT: Check first, use temp rules
iptables -L -n -v # Check existing
iptables -A INPUT -j DROP && sleep 60 && iptables -D INPUT -j DROP
# Auto-removes if you lose connectivityQuick Reference
# Connectivity
ping -c4 host # ICMP reachability
traceroute -n host # Path discovery
mtr -rwbn host # Combined traceroute + ping
nc -zv host port # TCP port check
timeout 5 bash -c 'echo >/dev/tcp/host/port' # Pure bash
# DNS
dig +short host # Quick A record
dig @server host # Use specific DNS
dig -x IP # Reverse lookup
host host # Simple lookup
resolvectl flush-caches # Clear systemd DNS cache
# Ports/Sockets
ss -tlnp # TCP listening + process
ss -tunlp # All listening
ss -tn # Established connections
lsof -i :PORT # What's on port
fuser PORT/tcp # Process using port
# IP/Routing
ip addr # IP addresses
ip route # Routing table
ip route get IP # How to reach IP
ip neigh # ARP table
ip -s link # Interface stats
# Traffic
tcpdump -nn -i eth0 # Capture (no DNS)
tcpdump -w file.pcap # Write capture
tcpdump 'host X and port Y' # Filter
iftop -i eth0 # Realtime bandwidth
nethogs eth0 # Per-process bandwidth
# Performance
iperf3 -c server # Bandwidth test
ethtool eth0 # NIC info
ethtool -S eth0 # NIC stats
sysctl net.core.rmem_max # Buffer sizes
# Common ports
# 22 SSH
# 53 DNS
# 80 HTTP
# 88 Kerberos
# 123 NTP
# 389 LDAP
# 443 HTTPS
# 636 LDAPS
# 1812 RADIUS Auth
# 1813 RADIUS Acct
# 8200 Vault
# 9060 ISE ERS