Master Linux Network Commands: From netstat to ss and tcpdump

This guide offers a practical overview of essential Linux networking tools—including netstat, ss, sar, iftop, and tcpdump—explaining how to monitor connections, analyze traffic, capture packets, and tune kernel parameters to handle massive connection loads efficiently.

The article provides a concise overview of commonly used Linux network commands for system administrators and developers, focusing on practical usage rather than exhaustive listings.

Calculating resources for 1 million connections

Each connection consumes a file descriptor and about 15‑20 KB of socket memory, so 1 M connections would require roughly 20 GB of RAM and significant bandwidth.

Viewing current connections

Use netstat combined with awk to count connections by state; on high-traffic servers ss is faster (the awk filter skips the two netstat header lines so they are not counted as states):

# netstat -antp | awk 'NR>2 {a[$6]++} END{for (x in a) print x, a[x]}'
# ss -s

ss command basics

Common ss options:

ss -atr – show listening TCP sockets
ss -atn – show only IP addresses
ss -alt – list all sockets
ss -ltp | grep 444 – find the process listening on port 444
ss -u -a – display all UDP sockets

Recv‑Q and Send‑Q

In LISTEN state, Recv-Q is the number of completed connections waiting in the accept queue and Send-Q is the configured backlog limit. In ESTAB state, Recv-Q is the number of bytes received but not yet read by the application, and Send-Q is the number of bytes sent but not yet acknowledged by the peer.
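The two points above (counting sockets per state, and reading Recv-Q/Send-Q according to the socket state) as an added shell example, not code from the original article. It parses `ss -tan`-style text supplied inline; SAMPLE_SS is constructed test data, not output from a real host, and the 80% accept-queue threshold is an assumption chosen for illustration.

```shell
# Added example: count sockets per state and flag queue conditions from
# `ss -tan` output. Pipe real output in with: ss -tan | count_by_state
# SAMPLE_SS is constructed sample data in `ss -tan` format (not a real capture).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
LISTEN     120    128    0.0.0.0:443          0.0.0.0:*
ESTAB      0      0      10.0.0.5:22          10.0.0.9:51234
ESTAB      65536  0      10.0.0.5:443         203.0.113.7:40001
ESTAB      0      14600  10.0.0.5:443         203.0.113.9:40005
TIME-WAIT  0      0      10.0.0.5:443         203.0.113.8:40002
TIME-WAIT  0      0      10.0.0.5:443         203.0.113.8:40003
CLOSE-WAIT 1      0      10.0.0.5:8080        198.51.100.3:5000'

# count_by_state: stdin = `ss -tan` output; prints "STATE count", most common first.
# The header line (NR == 1) is skipped so it is not counted as a state.
count_by_state() {
  awk 'NR > 1 && NF >= 5 { n[$1]++ }
       END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# state_count STATE: count for one state in SAMPLE_SS, 0 if that state is absent.
state_count() {
  printf '%s\n' "$SAMPLE_SS" | count_by_state |
    awk -v s="$1" '$1 == s { c = $2 } END { print c + 0 }'
}

# queue_warnings: stdin = `ss -tan` output. Applies the Recv-Q/Send-Q meaning:
#   LISTEN : Recv-Q = connections waiting to be accepted, Send-Q = backlog limit;
#            warn when the accept queue is >= 80% of the backlog (assumed threshold),
#            i.e. the application is accepting too slowly for the connection rate.
#   ESTAB  : Recv-Q > 0 = data the application has not read yet;
#            Send-Q > 0 = data sent but not yet acknowledged by the peer.
queue_warnings() {
  awk 'NR == 1 { next }
       $1 == "LISTEN" && $3 > 0 && $2 * 100 >= $3 * 80 {
         printf "accept-queue-full %s %d/%d\n", $4, $2, $3 }
       $1 == "ESTAB" && $2 > 0 { printf "unread-data %s<-%s %d\n", $4, $5, $2 }
       $1 == "ESTAB" && $3 > 0 { printf "unacked-data %s->%s %d\n", $4, $5, $3 }'
}

# warning_count: number of warning lines produced for SAMPLE_SS.
warning_count() {
  printf '%s\n' "$SAMPLE_SS" | queue_warnings | wc -l | tr -d ' '
}

# Example run against the constructed sample:
printf '%s\n' "$SAMPLE_SS" | count_by_state
printf '%s\n' "$SAMPLE_SS" | queue_warnings
```

On the sample, the run reports three LISTEN/ESTAB conditions: port 443's accept queue sitting at 120 of a 128 backlog, one established connection with 64 KB of unread data (the application is not draining the socket), and one with 14600 bytes unacknowledged (the peer or path is slow). Persistent unread data is the pattern to check before raising any kernel limit.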

Monitoring network traffic

Tools such as sar -n DEV 1 or watch cat /proc/net/dev provide per-second bandwidth statistics. iftop helps identify the IP addresses consuming the most traffic.

Packet capture with tcpdump

Use tcpdump to capture packets for debugging, optionally adding -A for ASCII output or -X for hex. Examples:

tcpdump -i eth0 -nn -s0 -v port 80
tcpdump -i eth0 host 10.10.1.1
tcpdump -i eth0 -s0 -w test.pcap

HTTP traffic capture tools

Burp Suite, Fiddler2, and Charles act as proxies to intercept, modify, and replay HTTP traffic.

Traffic replication

Tools like Gor, TCPReplay, and TCPCopy can duplicate production HTTP traffic to staging environments.

Handling excessive connections

TIME_WAIT and CLOSE_WAIT are the most common problematic states. TIME_WAIT can be reduced by tuning kernel parameters (e.g., net.ipv4.tcp_max_tw_buckets, net.ipv4.tcp_tw_reuse, net.ipv4.tcp_fin_timeout). CLOSE_WAIT usually indicates improper socket handling in application code.

Other useful commands

File download: wget -c; site mirroring: wget -r -p -np -k.
Network testing: ping, tracepath, dig, nmap, iperf.
Interface control: ifdown, ifup, ethtool.
Load testing: wrk, ab.
Remote access: ssh, telnet.
Firewall: iptables -L.

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
