Tooling

Network Debugging

tcpdump, Wireshark, mtr, dig — when the network isn't working.

Capture / packet analysis

  • tcpdump — universal CLI packet capture. Always installed; learn it.
  • Wireshark / tshark — GUI / CLI deep packet analysis; the deepest dives possible.
  • termshark — TUI Wireshark; great over SSH.
  • ngrep — like grep for network traffic.

Routing / latency / connectivity

  • mtr — combined traceroute + ping; shows hop-by-hop loss and latency. Default for "the link is slow."
  • traceroute / tracepath — basic hop discovery.
  • iperf3 — bandwidth testing; most useful network test.
  • bmon / iftop / nload — interface throughput live.
  • vnstat — historical traffic per interface.

Sockets / connections

  • ss (replacement for netstat) — modern; fast; rich filters. ss -tulnp is your friend.
  • netstat — older; still works.
  • lsof -i — open files, including network sockets.
  • conntrack-tools — view / manipulate the conntrack table.

DNS

  • dig — the tool for DNS queries.
  • drill — alternative; from NLnet Labs.
  • dog — Rust replacement for dig; nicer output.
  • q — even shorter alternative.
  • nslookup — old but everywhere.
  • dnsperf — DNS server perf testing.

Port / service scanning

  • nmap — port scanner; service detection; scripting engine. Universal.
  • masscan — far faster but less accurate.
  • rustscan — modern fast scanner, pipes to nmap.
  • nuclei (ProjectDiscovery) — vulnerability scanning by templates.

Live observation

  • ntopng — flow-level network monitoring; web UI.
  • netflow / sflow / IPFIX collectors — for big networks.
  • bpftrace / bcc — eBPF-based for deep observability; see eBPF Tools.
  • pwru (Cilium) — packet trace through the kernel.

TLS / HTTP debugging

  • curl -v — endless flags; the default HTTP debugger.
  • httpie / xh — friendlier curl.
  • openssl s_client — TLS handshake inspection.
  • testssl.sh — TLS configuration audit.
  • mitmproxy — interactive HTTP / HTTPS debugger.
  • @hapi/wreck, insomnia, Bruno — see API Clients.

Container / k8s networking

  • kubectl exec + nsenter — debug from inside a pod.
  • kubectl debug — ephemeral debug containers.
  • netshoot imagenicolaka/netshoot; container with every networking tool preinstalled.
  • Cilium CLI / hubble observe — flow visibility for Cilium clusters.

Common workflows

  • "It can't reach the database": ss → nslookup → dig → curl → tcpdump in that order.
  • "It's slow": mtr to confirm network not at fault → iperf3 between hosts → drop into the app's metrics.
  • "DNS is broken": dig @127.0.0.1, dig @8.8.8.8, dig @resolver-of-record. Compare answers.
  • "TLS error": openssl s_client -connect host:443; check chain, expiry, SNI.

Patterns to know

  • Capture during the failure, not after. Reproduce while tcpdump is running.
  • Filter aggressively. tcpdump host x and port y keeps things readable.
  • Save .pcap and analyze in Wireshark for protocol-deep dives.
  • Use -w to write capture, -r to read later. Save first, analyze in comfort.

Pick this if…

  • Always have installed: tcpdump, ss, dig, mtr, curl, nmap.
  • Deep packet analysis: Wireshark.
  • Container / k8s debugging: netshoot image.
  • Cilium cluster observability: Hubble.
  • HTTP / TLS: curl + openssl s_client + mitmproxy.

On this page