Network diagnostic tools

Network layer tools

  • Traffic analysis tools
  • Routing table analysis tools
  • Tracing tools
  • Tools for checking active connections

Traffic analysis tools

In network diagnostics, the ping command remains one of the simplest yet most powerful tools for testing connectivity between two machines. It checks whether a remote host is reachable at a given time, while also providing information on latency, link stability, and DNS resolution.
The ping command relies on the ICMP (Internet Control Message Protocol) protocol. When a user sends a ping request, the system sends an ICMP "Echo Request" packet to an IP address or hostname. If the target machine is online and the network path is valid, it responds with an ICMP "Echo Reply" packet. This simple mechanism can be used to measure latency and detect connectivity or name resolution problems.
Example of a classic command:
ping 172.17.18.19
Typical response:
mydmn.org (172.17.18.19): 56 data bytes
64 bytes from 172.17.18.19: icmp_seq=0 ttl=56 time=7.7 ms
64 bytes from 172.17.18.19: icmp_seq=1 ttl=56 time=6.0 ms
64 bytes from 172.17.18.19: icmp_seq=2 ttl=56 time=5.5 ms
In this example, name resolution has been performed automatically: the domain mydmn.org is associated with the IP address 172.17.18.19, confirming that DNS resolution works correctly. The command also provides technical details such as:
  • ICMP sequence number (icmp_seq), useful for checking the order of responses and spotting missing replies;
  • TTL (Time-To-Live), which indicates the number of remaining hops before the packet is discarded;
  • round-trip time/delay (time), expressed in milliseconds, providing an estimate of link latency.

More detailed analysis of ICMP parameters

The TTL is a critical field in the IP protocol. Each datagram is initialized with a TTL value by the sender (often 64, 128 or 255). Every router along the path decrements this value by 1. If the TTL reaches 0 before reaching its destination, the packet is discarded and an ICMP error is returned to the sender. This mechanism prevents infinite routing loops.
The propagation time (round-trip delay/time) measures the delay for a packet to leave the sender, reach the target, and return. In practice, a delay below 200 ms is considered acceptable for a stable link. Abnormally high delays may indicate network congestion, inefficient routing, or poor link quality.

Advanced ping usage

ping provides options to refine tests and observe specific network behaviors.
To send broadcast requests, you can use the -b option to target all hosts on a subnet:
ping -b 192.168.1.255
This is useful on local networks to quickly detect active hosts or test how the network handles broadcast requests. However, in many setups, routers and firewalls block broadcast pings to prevent amplification attacks.
You can also specify a custom interval between requests with the -i option (default: 1 second):
ping -i 0.2 -c 10 192.168.1.7
This sends 10 ICMP requests at 0.2-second intervals. Such testing is useful for detecting latency fluctuations over a short period or for lightly stressing a link to evaluate its stability.
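As an added example (not part of the original course), a small POSIX shell function that reads a ping transcript like the one above and turns it into the figures a diagnostician wants: replies received, probes lost (gaps in icmp_seq), worst RTT against the 200 ms threshold mentioned earlier, and the hop count implied by the TTL, assuming the sender started from one of the common initial values 64, 128 or 255. The transcript, the function name and the output format are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise a captured ping transcript the way a diagnostician
# reads it: replies received, gaps in icmp_seq (lost probes), worst RTT against
# the 200 ms threshold, and the hop count implied by the TTL.
# The transcript below is constructed: icmp_seq=2 never came back and one reply is slow.
SAMPLE_PING='mydmn.org (172.17.18.19): 56 data bytes
64 bytes from 172.17.18.19: icmp_seq=0 ttl=56 time=7.7 ms
64 bytes from 172.17.18.19: icmp_seq=1 ttl=56 time=6.0 ms
64 bytes from 172.17.18.19: icmp_seq=3 ttl=56 time=215.4 ms
64 bytes from 172.17.18.19: icmp_seq=4 ttl=56 time=5.5 ms'

# ping_report TEXT
# Prints: replies=N lost=N max_ms=X ttl=N hops=N verdict=OK|SLOW
ping_report() {
    printf '%s\n' "$1" | awk -v limit=200 '
        /icmp_seq=/ {
            seq = ""; ttl = ""; rtt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^icmp_seq=/) seq = substr($i, 10) + 0
                if ($i ~ /^ttl=/)      ttl = substr($i, 5) + 0
                if ($i ~ /^time=/)     rtt = substr($i, 6) + 0
            }
            replies++
            if (seq > maxseq) maxseq = seq
            if (rtt > maxrtt) maxrtt = rtt
            lastttl = ttl
        }
        END {
            # Sequence numbers start at 0, so maxseq+1 probes were sent.
            # Probes lost after the last reply cannot be seen this way.
            lost = (maxseq + 1) - replies
            # Guess the initial TTL from the common defaults (64, 128, 255)
            # and derive the number of routers between us and the target.
            init = (lastttl <= 64) ? 64 : (lastttl <= 128) ? 128 : 255
            verdict = (maxrtt > limit) ? "SLOW" : "OK"
            printf "replies=%d lost=%d max_ms=%.1f ttl=%d hops=%d verdict=%s\n",
                   replies, lost, maxrtt, lastttl, init - lastttl, verdict
        }'
}

ping_report "$SAMPLE_PING"
```

For a live test, replace the constructed transcript with `ping -c 10 <host> | ping_report` style input, for example `ping_report "$(ping -c 10 172.17.18.19)"`.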

Routing table analysis tools

The ip route command, part of the iproute2 suite, is the recommended and standard tool on modern Linux systems for inspecting and managing the kernel's IP routing table. It replaces the obsolete route command, offering clearer syntax, greater consistency, and extended support for modern features (IPv6, multiple tables, namespaces, etc.).

Displaying the routing table

To display the current routing table:
ip route show
This output lists all routes known to the kernel, that is, the paths outgoing packets take depending on their destination.
Example output:
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100
Each line represents a route. Key fields include:
  • default: the default route, used when no more specific route matches.
  • via: the gateway used to reach the destination.
  • dev: the network interface used.
  • proto: how the route was created (manual, DHCP, kernel, etc.).
  • metric: route cost, used to prioritize multiple possible paths.
  • scope: route scope (e.g. link for a directly connected route).
  • src: the source IP address used for outgoing packets on this interface.

Adding and deleting routes

You can also modify the routing table dynamically, for example by adding or removing static routes.
Adding a static route:
ip route add 192.168.1.0/24 via 192.168.1.1 dev eth0
This configures a route to the 192.168.1.0/24 network, via the 192.168.1.1 gateway on interface eth0.
Remove this route:
ip route del 192.168.1.0/24
This command deletes the previously defined route.

Useful commands

Here are some useful variants for analysis or scripting:
  • ip -4 route: displays IPv4 routes only;
  • ip -6 route: displays IPv6 routes only;
  • ip route list table main: displays the main routing table (the default table);
  • ip route get <Address>: show which interface and gateway a packet to the given address would use.
Example:
ip route get 8.8.8.8
This displays the exact route a packet would take to reach 8.8.8.8.

Tracing tools

One of the most effective tools for analyzing the route taken by IP packets between a source host and a target destination is the traceroute command. It shows, step by step, the path followed by packets and identifies the intermediate routers they traverse. In the event of a network link malfunction or service outage, traceroute helps pinpoint the precise location of the problem.
As with the ping command, the target can be specified either by its fully qualified domain name (FQDN) or by its IP address. For example:
traceroute mydmn.org

Operating principle

traceroute relies on the TTL (Time To Live) field in the IP packet header. As explained earlier, this field is a counter decremented by each router along the path. When the TTL reaches zero, the packet is discarded, and the router returns an ICMP "Time Exceeded" message to the sender. This mechanism prevents infinite loops in the event of misrouting.
traceroute takes advantage of this behavior to map the routers between sender and recipient:
  • It first sends a series of UDP packets (usually three) with a TTL of 1. The first router decrements the TTL to 0, discards the packet, and replies with an ICMP "Time Exceeded" message, revealing its IP address and response time.
  • Next, it sends another series of packets with a TTL of 2, revealing the second router.
  • The process repeats until the destination is reached, at which point the host responds with an ICMP Port Unreachable message, indicating that the endpoint has been reached.
By default, traceroute uses UDP packets sent to unused ports (typically starting at 33434), but can also be configured to use ICMP (like ping) or even TCP, depending on systems or command variants.
Example output:
traceroute to www.google.fr (216.58.210.35), 64 hops max, 52 byte packets
 1  par81-024.ff.avast.com (62.210.189.205)  25.107 ms  24.235 ms  24.383 ms
 2  62-210-189-1.rev.poneytelecom.eu (62.210.189.1)  27.341 ms  27.119 ms  28.184 ms
 3  a9k1-45x-s43-1.dc3.poneytelecom.eu (195.154.1.92)  25.910 ms  25.040 ms  25.558 ms
 4  72.14.218.182 (72.14.218.182)  36.234 ms  39.907 ms  38.130 ms
 5  108.170.244.177 (108.170.244.177)  25.880 ms  108.170.244.240 (108.170.244.240)  25.791 ms  108.170.244.177 (108.170.244.177)  26.449 ms
 6  216.239.62.143 (216.239.62.143)  26.491 ms  216.239.43.157 (216.239.43.157)  26.414 ms  216.239.62.139 (216.239.62.139)  26.400 ms
...
 9  108.170.246.161 (108.170.246.161)  33.174 ms  108.170.246.129 (108.170.246.129)  34.342 ms  108.170.246.161 (108.170.246.161)  33.707 ms
10  108.170.232.105 (108.170.232.105)  33.845 ms  33.846 ms  108.170.232.103 (108.170.232.103)  34.206 ms
11  lhr25s11-in-f35.1e100.net (216.58.210.35)  34.094 ms  33.353 ms  33.718 ms
Each line corresponds to a router traversed, with up to three time measurements (in milliseconds) indicating the latency of the round trip to that router. These values help assess the performance of each network segment.

Result interpretation

If a router does not respond or filters ICMP messages, asterisks (*) are displayed instead of the response time. This may indicate:
  • a firewall blocking ICMP replies,
  • a device configured not to respond, or
  • a temporary connectivity issue along the path.
Thus, traceroute not only identifies the route taken but also highlights points of abnormal latency or interruptions.
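An added example, not from the original course: a shell function that reads a captured traceroute transcript and flags the two situations described above, hops that answered none of their probes and hops where the best RTT jumps by more than a chosen number of milliseconds over the previous responding hop. The transcript, the threshold and the function name are constructed for this example; it also handles hops that list several routers, as in the output above.

```shell
#!/bin/sh
# Added example: read a traceroute transcript hop by hop and report
#  - hops that returned no reply at all (all probes shown as "*"),
#  - hops where the best RTT rises by more than JUMP_MS over the previous
#    responding hop, which points at the segment where latency is added.
# The transcript below is constructed for the example.
SAMPLE_TRACE='traceroute to mydmn.org (172.17.18.19), 64 hops max, 52 byte packets
 1  gw.lan (192.168.1.1)  1.102 ms  0.934 ms  0.988 ms
 2  10.20.0.1 (10.20.0.1)  8.410 ms  8.120 ms  8.905 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  9.301 ms  9.115 ms  9.870 ms
 5  203.0.113.9 (203.0.113.9)  96.442 ms  95.910 ms  97.301 ms
 6  mydmn.org (172.17.18.19)  97.004 ms  96.511 ms  96.990 ms'

# trace_anomalies TEXT JUMP_MS -> one line per suspicious hop
trace_anomalies() {
    printf '%s\n' "$1" | awk -v jump="$2" '
        BEGIN { prev = -1 }
        $1 ~ /^[0-9]+$/ {                       # hop lines start with the hop number
            hop = $1; best = -1
            # Collect every "<value> ms" pair; a hop may list several routers.
            for (i = 2; i <= NF; i++)
                if ($(i+1) == "ms" && (best < 0 || $i + 0 < best)) best = $i + 0
            if (best < 0) {
                printf "hop %d: no response (filtered or silent)\n", hop
                next
            }
            if (prev >= 0 && best - prev > jump)
                printf "hop %d: RTT jumps %.1f ms -> %.1f ms\n", hop, prev, best
            prev = best
        }'
}

trace_anomalies "$SAMPLE_TRACE" 50
```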
On some systems, the equivalent tracepath command can be used, which does not require root privileges. For IPv6, use traceroute6 or tracepath6.
Example for IPv6 tracing:
traceroute6 ipv6.google.com

Tools for checking active connections

To diagnose active network connections and monitor network activity on a Linux system, the ss command (short for socket statistics) is the modern reference tool. Part of the iproute2 suite, it replaces the now-obsolete netstat, offering better performance and more accurate results.
ss displays active TCP and UDP connections, listening ports, local and remote addresses, connection states and associated processes.

General use

When run without options, the ss command displays active TCP connections. Basic syntax:
ss [options]
Some common options for refining analysis:
  • -t: show TCP connections only;
  • -u: show UDP connections only;
  • -l: show listening sockets only;
  • -n: disable name resolution (show raw IP addresses and port numbers);
  • -p: display the process associated with each socket (PID and program name);
  • -a: show all sockets, listening and non-listening, not just established connections;
  • -s: display high-level socket statistics.

Case studies

To display all active connections using TCP port 80 (HTTP):
ss -ant | grep ':80'
This shows active TCP connections involving port 80. States such as LISTEN, ESTABLISHED, TIME-WAIT indicate the current status of each exchange.
Example output:
ESTAB 0 0 192.168.1.10:54321 93.184.216.34:80
To display all network connections with associated processes:
ss -tulnp
To obtain an overall socket usage summary:
ss -s
To filter UDP connections only:
ss -unp
These commands are particularly useful for detecting suspicious connections, unexpected listening ports, or monitoring the activity of a specific service.
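As an added example (not from the original course), a shell function that takes the output of ss -tulnp and compares the listening ports against an allow-list of ports the host is supposed to expose, printing the protocol, port and owning process for anything else. The ss transcript, the allow-list and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the listening sockets reported by `ss -tulnp` against
# the ports this host is expected to expose, and report anything else together
# with the owning process. The ss transcript below is constructed.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=781,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=902,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*     users:(("python3",pid=3310,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*        users:(("sshd",pid=781,fd=4))'

# unexpected_listeners SS_OUTPUT "port port ..."
# Prints "proto port process" for each listening socket whose port is not in
# the allow-list; prints nothing when every listener is accounted for.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        NR == 1 { next }                       # skip the column header
        $2 == "LISTEN" || $2 == "UNCONN" {     # TCP listeners and bound UDP sockets
            n = split($5, parts, ":")          # port is after the last colon,
            port = parts[n]                    # so 0.0.0.0:22 and [::]:22 both work
            if (index(allow, " " port " ") == 0) {
                proc = "unknown"               # -p shows no process without privileges
                if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
                printf "%s %s %s\n", $1, port, proc
            }
        }'
}

unexpected_listeners "$SAMPLE_SS" "22 80 68"
```

Against a live host, feed it the real output: `unexpected_listeners "$(ss -tulnp)" "22 80 68"`.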
Quiz
Which Linux command displays the active network routing table?