Mastering 14 Must-Know Linux Networking Commands: A Comprehensive Sysadmin Guide

If you manage Linux systems, understanding networking commands is mandatory. Configuring interfaces, troubleshooting issues, securing connections – the CLI tools outlined in this 2800+ word guide should be part of every Linux admin‘s toolkit.

Content Navigation show

Whether junior or senior, these commands provide the precision control, visibility, and security capabilities that graphical utilities lack. I‘ll explain the purpose and common uses for each while offering tips from my 20+ years as a Linux system administrator.

Why Network Admins Must Master the Linux Command Line

While modern Linux offers fancy graphical desktops, the real power lives down in the terminal and shell. As servers often lack a UI, Linux admins have no choice but to embrace the CLI, but it provides many advantages:

Precision Control – No clicking through menus. The Linux shell allows making granular networking changes safely, even remotely.

Troubleshooting – Commands offer so much more visibility than GUIs into what‘s happening on the network. Critical for diagnosing technical issues.

Security – Inspect traffic, open ports, services much more flexibly. Essential knowledge for hardening systems against threats.

Scripting – Automate tasks by tying commands together. Extremely difficult with point-and-click interfaces.

The 14 essential Linux network commands explained below provide the control, security insights, and troubleshooting capabilities that GUI tools lack. Let‘s dive in!

Overview of Linux Networking Commands

Here‘s a high-level overview of the critical Linux CLI utilities we‘ll be covering:

Command Description
ip Primary interface and routing config utility replacing ifconfig
nmap Network discovery, port scanning, OS fingerprinting
ping traceroute Validate basic connectivity and network paths
iperf TCP/UDP performance measurement
tcpdump Packet capturing for analysis
netstat ss Examine active connections, sockets, ports
ssh Encrypted remote shell access and tunneling
dig DNS interrogation and troubleshooting
ifconfig Legacy interface viewing and configuration
telnet nslookup Plaintext remote access and DNS lookup

Now let‘s break down each command in more detail…

ip – Primary Network Config Command

The ip command manages the kernel‘s network configuration replacing old utilities like ifconfig. With ip you can tune settings for interfaces, routing, firewall policies, and more.

Here are common ip operations:

View network interface details

ip link show

Enable/disable interfaces 

ip link set eth0 up/down

Add/remove IP addresses

ip addr add 192.168.1.10/24 dev eth0
ip addr del 192.168.1.10/24 dev eth0

View IP address assignments 

ip addr show

View routing tables

ip route show

Add/remove routes 

ip route add 10.0.0.0/8 via 10.0.0.1  
ip route delete 10.0.0.0/8

ip command examples

The ip command is very robust with many subcommands – review man ip for all usage options. It‘s the first tool to reach for when configuring any aspect of Linux networking.

Nmap: Network Recon and Security Scanning

Nmap is likely the best known and most widely used network scanner, included in countless movies and TV shows. It was originally created to help admins discover all devices on their networks, inventory open ports/services, and detect potential vulnerabilities.

Over the years Nmap became an indispensable security tool enabling:

  • OS, service, and vulnerability detection
  • Sophisticated network mapping
  • Flexible port scanning techniques

Let‘s break down some common Nmap capabilities:

Host Discovery – Find live devices on internal/external networks: 

nmap -sn 192.168.1.0/24

Port Scanning – Enumerate open TCP/UDP ports and associated services:

sudo nmap 192.168.1.50

Banner Grabbing – Probe listening ports to extract service banners indicating applications + versions:

nmap -sV 192.168.1.50

OS Detection – Fingerprint underlying operating system remotely: 

nmap 192.168.1.50 -O

Vulnerability Scanning – Detect potential vulnerabilities or misconfigurations:

nmap --script vuln 192.168.1.50

There are many more advanced Nmap capabilities like scripting custom probes – review man nmap for usage examples.

nmap scan sample output

Nmap has become a de facto standard that every security team employs for asset discovery, invasion vectors identification, and penetration testing. However, don‘t unleash it without permission on networks you don‘t own!

Ping: Validate Basic Connectivity

The simple ping command verifies basic network connectivity between devices by sending ICMP echo request packets and listening for replies. 

ping google.com

It‘s the first troubleshooting step when experiencing issues reaching a remote host. Unreachable hosts could indicate downstream network infrastructure problems or firewall policies blocking ICMP.

Extra options allow controlling the frequency and timeouts of pings:

ping -i 10 1.1.1.1 (wait 10 seconds between packets)

ping -w 5 1.1.1.1 (wait max of 5 seconds for response)

ping -c 10 1.1.1.1 (stop after 10 packets)

So while simple, ping is invaluable for basic network connectivity testing. But don‘t forget ICMP can be disabled through firewall policies so no response doesn‘t definitively indicate an unreachable host.

traceroute: Trace Packets Route

Where ping shows the final result reaching a destination, traceroute reveals the path traffic takes across a network to get there.

traceroute google.com

Sample output indicates a 30 hop maximum path with each line listing the next device along the way:

traceroute to google.com (172.217.16.14), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  2.392 ms  3.064 ms  3.139 ms  
 2  * * * 
 3  96.120.64.33 (96.120.64.33)  19.234 ms  18.809 ms 96.110.203.97 (96.110.203.97)  21.515 ms
 4  * * *
 5  209.85.253.219 (209.85.253.219)  18.456 ms  19.090 ms 209.85.254.249 (209.85.254.249)  18.897 ms
 6  lax17s44-in-f14.1e100.net (172.217.16.14)  17.539 ms  16.136 ms  18.314 ms

A * indicating no response. Packet loss is common and doesn‘t necessarily indicate an issue. However, consistent packet loss or high latency between specific hops points to a potential problem device. Routing issues cause big network headaches, so traceroute is invaluable for mapping paths and isolating points of failure along them.

iPerf: Network Throughput Measurement

While ping and traceroute test basic connectivity, iPerf analyzes network throughput between devices. iPerf is a client/server tool that measures real TCP & UDP performance metrics like bandwidth, lost packets, jitter, and latency.

On server device: 

iperf3 -s

On client device:

iperf3 -c <server IP>

Common flags:

  • -t 60 – duration to transmit for
  • -P 4 – number of parallel streams
  • --reverse – reverse direction of test

This generates statistics about layer 3+ throughput allowing precise benchmarking. It assists capacity planning when deploying new services and troubleshooting load issues.

tcpdump: Packet Capturing & Analysis

Where other tools analyze network performance metrics and connectivity, tcpdump examines the actual raw data traversing interfaces. Think of it like a network packet sniffer and analyzer.

Basic syntax: 

tcpdump <options>

To capture all packets on interface eth0:

tcpdump -i eth0

Or save a pcap file containing all SMTP traffic: 

tcpdump -i eth0 port 25 -w smtp.pcap

Crop packet capture files or apply filters like:

tcpdump -r server_trace.pcap -w output.pcap ‘(src host 192.168.1.50)‘

This monitors live traffic in real-time and/or saves it for offline analysis. There are advanced filtering capabilities based on hosts, ports, protocols and more.

No other tool provides this level of packet inspection useful for security analysis and troubleshooting. Just be careful not to overload production interfaces!

netstat: Active Connections and Sockets

The netstat command has long been the go-to for revealing active network connections and socket usage on Linux. It shows established, listening TCP + UDP sockets that correspond to inbound or outbound communications.

To see all sockets: 

netstat -a

View only listening TCP/UDP ports:

netstat -l

Include the process using each connection:

netstat -tap

netstat output

This helps identity suspicious communications and troubleshoot unwanted connection attempts. It also validates proper socket usage given that too many TIME_WAIT sockets could indicate an issue.

While still included in Linux, ss replaces most usages of netstat today.

ss – Socket Statistics

The ss command does parallel what netstat provides but pulls data more efficiently from kernel space vs traversing network layers. Otherwise in terms of functionality it offers similar socket reporting:

View all TCP connections:

ss -at

Filter by socket state:

ss -o state established ‘( sport = :ssh or dport = :ssh )‘

Show only DHCP sockets: 

ss dst ( port = :67 or port = :68 )

SS adds additional filtering capabilities and runs much faster than netstat given it‘s pulling raw data directly from the kernel. Going forward it will replace the need for most netstat usage.

SSH – Secure Remote Login & Tunneling

Historically making remote Linux connections required insecure protocols like Telnet or FTP that transmitted data including passwords in cleartext. The introduction of SSH (Secure Shell) revolutionized remote access, providing vital encryption capabilities:

  • Encrypted data channel protecting all traffic
  • Public key certificates to confirm endpoint identity
  • Secure file transfer with SFTP replacing insecure FTP

Basic SSH session establishment: 

ssh [email protected]

Execute remote commands without entering a shell session: 

ssh [email protected] ‘hostname; uptime‘

Local port forwarding enables accessing remote ports through local listening socket:

ssh -L 5000:127.0.0.1:22 [email protected]

This secures all remote Linux management functions that previously leaked sensitive data. There are far more advanced SSH capabilities including agent forwarding, tunnels, and more worth reviewing.

DNS Debugging: dig and nslookup

Domain Name System (DNS) underpins converting human-friendly domains into machine IP addresses. Two common troubleshooting tools exist when web browsing or other DNS dependancies fail.

dig – General purpose DNS interrogation tool to lookup domain records 

dig marketingscoop.com @1.1.1.1

nslookup – Directly query a DNS server to resolve domains

nslookup marketingscoop.com 1.1.1.1

Both assist troubleshooting DNS issues if web sites or other services become unreachable. Dig provides more flexibility for digging up specifics around DNS record configuration and changes.

Legacy Tools: ifconfig, telnet

Many default Linux networking commands have been replaced with better, more modern tools. However you‘ll still encounter:

ifconfig – Original network interface configuration now superseded by ip command.

telnet – Plaintext remote connection application insecurely transmitting credentials that has been displaced by SSH.

Final Thoughts

This sums up 14 essential Linux networking commands considered critical knowledge for any systems or network administrator. Get hands-on experience with each tool beyond this high-level introduction. Memorize these as your go-to troubleshooting checklist when facing network issues or looking to secure systems.

Bookmark and share this reference as a handy overview of Linux networking from a 20-year technologist! You can also download the entire guide as a handy PDF for offline viewing.

Now mastering the network CLI awaits. Good luck!

Tom Klecha
GIS Security Engineer

Tags: