Essential Network Diagnostic Tools

When a website is unreachable, an email fails to deliver, or a connection is slow, network diagnostic tools help you pinpoint the problem. This guide covers the most important command-line and GUI tools with practical examples for real-world troubleshooting scenarios.

1. ping

ping tests reachability and measures round-trip time by sending ICMP Echo Request packets to a target host.

Basic usage:

# Linux / macOS
ping -c 4 example.com

# Windows
ping -n 4 example.com

Output:

PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: icmp_seq=0 ttl=56 time=11.234 ms
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=10.891 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=11.012 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=56 time=10.978 ms

--- example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss
round-trip min/avg/max/stddev = 10.891/11.029/11.234/0.127 ms

What to look for:

  • Packet loss: Any loss above 0% indicates a network problem.
  • Latency (time): Consistent high latency suggests congestion or distance. Jitter (variance) indicates instability.
  • TTL: The value shown is what remains after each router on the return path decremented it, so lower values suggest more hops or longer routes.

Use cases: Verify a host is online, test basic connectivity, measure latency, detect packet loss.

Limitations: Many servers block ICMP, so a failed ping does not always mean the host is down. Use alongside TCP-based checks (curl, telnet) for confirmation.
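The "what to look for" list and the ICMP caveat above, as an added example that is not part of the original guide: it parses ping output into loss, average RTT and jitter, and falls back to a TCP handshake check when ICMP gets no replies. The sample output is constructed from the run shown above; the host and port are assumptions.

```python
import re
import socket
import statistics
import subprocess

# Constructed sample in the `ping -c 4` format shown above.
SAMPLE_PING = """PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: icmp_seq=0 ttl=56 time=11.234 ms
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=10.891 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=11.012 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=56 time=10.978 ms

--- example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss
"""

TIME_RE = re.compile(r"time=([\d.]+) ms")
# Linux prints "4 received", macOS prints "4 packets received"; accept both.
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

def analyze_ping(output):
    """Return loss %, average RTT and jitter (population std dev) from ping output."""
    m = SUMMARY_RE.search(output)
    sent, received = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    times = [float(t) for t in TIME_RE.findall(output)]
    return {
        "sent": sent,
        "received": received,
        "loss_pct": 100.0 * (sent - received) / sent if sent else 100.0,
        "avg_ms": statistics.fmean(times) if times else None,
        "jitter_ms": statistics.pstdev(times) if len(times) > 1 else 0.0,
    }

def tcp_reachable(host, port=443, timeout=3.0):
    """ICMP-independent check: does host:port complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    out = subprocess.run(["ping", "-c", "4", "example.com"],
                         capture_output=True, text=True).stdout
    stats = analyze_ping(out)
    print(stats)
    if stats["loss_pct"] == 100.0:  # ICMP may simply be filtered; confirm over TCP
        print("TCP/443 reachable:", tcp_reachable("example.com"))
```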

2. traceroute / tracert

traceroute (Linux/macOS) or tracert (Windows) maps the network path to a destination by sending packets with incrementing TTL values. Each router along the path responds when the TTL expires, revealing its identity.

Basic usage:

# Linux / macOS
traceroute example.com

# Windows
tracert example.com

Output:

traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.234 ms  1.123 ms  1.089 ms
 2  10.0.0.1 (10.0.0.1)  5.678 ms  5.456 ms  5.234 ms
 3  isp-router.net (203.0.113.1)  8.901 ms  8.789 ms  8.678 ms
 4  * * *
 5  ae-5.r01.example.net (198.51.100.1)  12.345 ms  12.234 ms  12.123 ms
 6  93.184.216.34 (93.184.216.34)  15.678 ms  15.567 ms  15.456 ms

What to look for:

  • Star (*) entries: Indicate packets were dropped or the router does not respond to TTL-expired messages (common, not always a problem).
  • Latency spikes: Sudden increases at a specific hop indicate congestion or misconfiguration at that point.
  • Consistent failure at a hop: Indicates a routing problem or firewall blocking traffic.

Use cases: Identify where packets are being dropped, diagnose routing loops, trace the network path to a destination.

3. nslookup

nslookup is a DNS lookup utility available on all major operating systems. It queries DNS servers to resolve domain names and diagnose DNS issues.

Basic usage:

# Simple A record lookup
nslookup example.com

# Query a specific record type
nslookup -type=MX example.com
nslookup -type=TXT example.com
nslookup -type=AAAA example.com

# Query a specific DNS server
nslookup example.com 8.8.8.8

# Interactive mode
nslookup
> set type=NS
> example.com
> server 1.1.1.1
> example.com

Output:

Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: example.com
Address: 93.184.216.34

"Non-authoritative answer" means the response came from a cache (recursive resolver) rather than directly from the authoritative name server. To get an authoritative answer, query one of the domain's own name servers directly (for example, nslookup example.com ns1.example.com).

Use cases: Quick DNS lookups, verify DNS changes, test specific DNS servers, check MX records for email issues.
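The "non-authoritative" distinction above, as an added example that is not part of the original guide: it builds a raw DNS query, decodes the response header, and reports the AA bit that separates a cached resolver answer from an authoritative one. The resolver 8.8.8.8 appears on this page; a.iana-servers.net is assumed here as one of example.com's authoritative servers.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Standard query: RD (recursion desired) set, one question, QCLASS IN, QTYPE 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte header: the flag bits say who answered and how."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = this is a response
        "aa": (flags >> 10) & 1,   # 1 = authoritative answer, 0 = cached/recursive
        "tc": (flags >> 9) & 1,    # 1 = truncated; retry the query over TCP
        "ra": (flags >> 7) & 1,    # 1 = server offers recursion
        "rcode": RCODES.get(flags & 0xF, flags & 0xF),
        "ancount": an, "nscount": ns, "arcount": ar,
    }

def query_header(server, name, qtype=1, timeout=3.0):
    """Send the query over UDP and return the decoded response header."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", q[:2])[0] or hdr["qr"] != 1:
        raise ValueError("response does not match our query")
    return hdr

# Constructed response headers: flags 0x8180 = qr,rd,ra (answer from a cache)
# and 0x8580 = qr,aa,rd,ra (authoritative answer); one answer record each.
CACHED_RESP = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
AUTH_RESP = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)

if __name__ == "__main__":
    # Same question to a recursive resolver and to an authoritative server (assumed NS).
    print("8.8.8.8:", query_header("8.8.8.8", "example.com"))
    print("a.iana-servers.net:", query_header(socket.gethostbyname("a.iana-servers.net"), "example.com"))
```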

4. dig

dig (Domain Information Groper) is the standard DNS query tool on Linux and macOS. It provides more detailed output than nslookup and is preferred by DNS professionals.

Basic usage:

# Simple lookup
dig example.com

# Short output
dig +short example.com

# Query specific record type
dig MX example.com
dig TXT example.com
dig ANY example.com   # many servers now answer ANY minimally or refuse it (RFC 8482)

# Query authoritative server directly
dig @ns1.example.com example.com

# Trace full resolution path
dig +trace example.com

# Check DNSSEC signatures
dig +dnssec example.com

# Reverse DNS lookup
dig -x 93.184.216.34

Output sections:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345

;; QUESTION SECTION:
;example.com.           IN  A

;; ANSWER SECTION:
example.com.        300     IN  A   93.184.216.34

;; AUTHORITY SECTION:
example.com.        86400   IN  NS  ns1.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.    86400   IN  A   199.43.135.53

Key flags:

  • +short — Returns only the answer (good for scripts).
  • +trace — Shows the full resolution path from root servers.
  • +dnssec — Includes DNSSEC signatures in the response.
  • +noall +answer — Shows only the answer section.
  • -p 5353 — Query a non-standard port.

Use cases: Advanced DNS debugging, DNSSEC verification, zone transfer testing, DNS propagation checks.

5. netstat / ss

netstat and its modern replacement ss display network connections, listening ports, routing tables, and interface statistics.

Common commands:

# Show all listening ports with process IDs
netstat -tlnp        # Linux (legacy)
ss -tlnp             # Linux (modern)

# Windows
netstat -ano

# Show established connections only
ss -tn state established

# Show connections to a specific port
ss -tn dst :443

# Show connection statistics
ss -s

Output (netstat -ano on Windows):

Proto  Local Address      Foreign Address    State        PID
TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    4
TCP    0.0.0.0:443        0.0.0.0:0          LISTENING    4
TCP    192.168.1.10:52341 93.184.216.34:443  ESTABLISHED  12345
TCP    192.168.1.10:52342 93.184.216.34:443  TIME_WAIT    0

Use cases: Identify which process is using a port, check for unexpected listening services, diagnose connection issues, detect unauthorized connections.
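The "check for unexpected listening services" use case above, as an added example that is not part of the original guide: it parses listening sockets from netstat -ano or ss -tlnp output and reports any bound to every interface on a port outside a baseline. The baseline ports and the sample rows beyond those shown above are assumptions.

```python
import re
import subprocess
import sys
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")

# Assumed baseline of ports this host is expected to expose; adjust to your own.
# Anything else that is bound to every interface is reported for review.
EXPECTED_PORTS = {80, 443}
WILDCARDS = {"0.0.0.0", "::", "[::]", "*"}

def parse_listeners(output):
    """Parse listening sockets from `netstat -ano` (Windows) or `ss -tlnp` (Linux)."""
    found = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            proto, local, pid = "tcp", parts[1], parts[4]            # netstat -ano row
        elif len(parts) >= 5 and parts[0] == "LISTEN":                # ss -tlnp row
            m = re.search(r"pid=(\d+)", line)
            proto, local, pid = "tcp", parts[3], (m.group(1) if m else "?")
        else:
            continue                                                  # header or non-listening
        addr, _, port = local.rpartition(":")                         # handles [::]:80 too
        found.append(Listener(proto, addr, int(port), pid))
    return found

def unexpected_exposed(listeners, expected=EXPECTED_PORTS):
    """Listeners on every interface whose port is outside the baseline."""
    return [l for l in listeners if l.addr in WILDCARDS and l.port not in expected]

# Constructed sample in the netstat -ano layout shown above, with two extra rows:
# a service on all interfaces that is not in the baseline, and a loopback-only one.
SAMPLE_NETSTAT = """Proto  Local Address      Foreign Address    State        PID
TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    4
TCP    0.0.0.0:443        0.0.0.0:0          LISTENING    4
TCP    0.0.0.0:5900       0.0.0.0:0          LISTENING    6789
TCP    127.0.0.1:5432     0.0.0.0:0          LISTENING    2210
TCP    192.168.1.10:52341 93.184.216.34:443  ESTABLISHED  12345
"""

if __name__ == "__main__":
    cmd = ["netstat", "-ano"] if sys.platform == "win32" else ["ss", "-tlnp"]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    for l in unexpected_exposed(parse_listeners(out)):
        print(f"review: {l.proto} {l.addr}:{l.port} (pid {l.pid})")
```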

6. curl

curl is a versatile HTTP client for testing web servers, APIs, and URLs. It supports numerous protocols including HTTP, HTTPS, FTP, SMTP, and more.

Common commands:

# Basic GET request
curl https://example.com

# Show response headers
curl -I https://example.com

# Verbose output (shows TLS handshake, headers, etc.)
curl -v https://example.com

# Follow redirects
curl -L https://example.com

# Custom headers
curl -H "Authorization: Bearer token" https://api.example.com

# POST data
curl -X POST -d '{"name":"test"}' -H "Content-Type: application/json" https://api.example.com

# Measure timing
curl -o /dev/null -s -w "DNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTLS: %{time_appconnect}s\nTotal: %{time_total}s\n" https://example.com

# Resolve to a specific IP (bypass DNS)
curl --resolve example.com:443:93.184.216.34 https://example.com

# Ignore certificate errors (testing only)
curl -k https://self-signed.example.com

Timing breakdown (-w format):

Variable             Measures               Typical Value
time_namelookup      DNS resolution         5–50 ms
time_connect         TCP connection         +10–100 ms
time_appconnect      TLS handshake          +20–150 ms
time_starttransfer   First byte received    +10–500 ms
time_total           Complete request       Varies

Each variable is measured from the start of the request, so the values are cumulative; the "+" marks the time added by that phase on top of the previous one.

Use cases: Test HTTP endpoints, measure response times, debug TLS issues, test APIs, verify redirects and headers.
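The timing breakdown above, as an added example that is not part of the original guide: it runs the -w request shown earlier, turns the cumulative timers into per-phase durations, and names the slowest phase. The key=value -w layout and the sample values are constructed here.

```python
import subprocess

# curl's -w timers are cumulative from the start of the request, so the cost
# of each phase is the difference between consecutive checkpoints.
PHASES = [
    ("dns", "time_namelookup"),
    ("tcp", "time_connect"),
    ("tls", "time_appconnect"),
    ("ttfb", "time_starttransfer"),
    ("transfer", "time_total"),
]
# One key=value line per variable; curl expands each %{var} and keeps the newline.
WRITE_OUT = "".join(f"{v}=%{{{v}}}\n" for _, v in PHASES) + "http_code=%{http_code}\n"

def phase_breakdown(writeout):
    """Convert curl -w key=value output into per-phase durations in seconds."""
    vals = dict(line.split("=", 1) for line in writeout.strip().splitlines())
    breakdown, prev = {}, 0.0
    for name, var in PHASES:
        cur = float(vals[var])
        if cur == 0.0:            # plain HTTP reports time_appconnect as 0: no TLS phase
            breakdown[name] = 0.0
            continue
        breakdown[name] = cur - prev
        prev = cur
    breakdown["http_code"] = int(vals.get("http_code", "0"))   # "000" when no response
    return breakdown

def slowest_phase(breakdown):
    """Name of the phase that took the longest."""
    return max((name for name, _ in PHASES), key=lambda n: breakdown[n])

def measure(url):
    """Run the timing request shown above and return the phase breakdown."""
    res = subprocess.run(["curl", "-o", "/dev/null", "-s", "-w", WRITE_OUT, url],
                         capture_output=True, text=True, check=True)
    return phase_breakdown(res.stdout)

# Constructed sample of what the -w format above produces for an HTTPS request.
SAMPLE_WRITEOUT = """time_namelookup=0.012
time_connect=0.045
time_appconnect=0.130
time_starttransfer=0.210
time_total=0.260
http_code=200
"""

if __name__ == "__main__":
    b = measure("https://example.com")
    for name, _ in PHASES:
        print(f"{name:9s} {b[name] * 1000:7.1f} ms")
    print("slowest phase:", slowest_phase(b), "status:", b["http_code"])
```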

7. Wireshark

Wireshark is a graphical network protocol analyzer that captures and inspects packets in real time. It supports hundreds of protocols and provides deep inspection of network traffic.

Key concepts:

  • Capture filters: Applied during capture to limit what is recorded (e.g., host 8.8.8.8, port 443, tcp).
  • Display filters: Applied after capture to narrow the view (e.g., dns, tcp.port == 443, http.request.method == "GET").
  • Follow streams: Right-click a packet and select "Follow TCP Stream" to see the full conversation.
  • Color coding: Green = TCP, Blue = DNS, Black = errors, Red = warnings.

Common display filters:

dns                     # All DNS traffic
http                    # All HTTP traffic
tcp.port == 443         # HTTPS traffic
ip.addr == 93.184.216.34  # Traffic to/from specific IP
tcp.flags.syn == 1      # TCP SYN packets (new connections)
dns.qry.name == "example.com"  # DNS queries for a specific domain

Use cases: Deep packet inspection, protocol debugging, latency analysis, security forensics, understanding TLS handshakes, diagnosing retransmissions.

Alternative (command-line): tshark is Wireshark's CLI equivalent, useful for remote servers and scripting.

# Capture DNS traffic on interface eth0
tshark -i eth0 -f "port 53"

# Capture and write to file
tshark -i eth0 -w capture.pcap -f "port 443"

# Read and filter a capture file
tshark -r capture.pcap -Y "dns"

8. MTR and nmap

MTR (My Traceroute) combines ping and traceroute into a single, continuously updating tool. It shows packet loss and latency at each hop in real time.

# Basic usage (Linux/macOS)
mtr example.com

# Report mode (non-interactive, 10 cycles)
mtr -r -c 10 example.com

# Windows (WinMTR or pathping)
pathping example.com

MTR output columns:

Column   Meaning
Loss%    Packet loss at this hop
Snt      Packets sent
Last     Most recent round-trip time
Avg      Average round-trip time
Best     Minimum round-trip time
Wrst     Maximum round-trip time
StDev    Standard deviation (jitter)
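Reading the Loss% column, as an added example that is not part of the original guide: it parses a report-mode run and separates real path loss from routers that merely rate-limit their own ICMP replies (loss that disappears at later hops). The sample report is constructed to match the traceroute path shown earlier.

```python
import re
import subprocess

# One row per hop in `mtr -r` output: "  3.|-- host   Loss%  Snt  Last  Avg  Best  Wrst  StDev"
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")

def parse_mtr_report(text):
    """Parse the rows of a report-mode run into dicts keyed by column."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            n, host, loss, snt, last, avg, best, wrst, stdev = m.groups()
            hops.append({"hop": int(n), "host": host, "loss": float(loss), "snt": int(snt),
                         "avg": float(avg), "wrst": float(wrst), "stdev": float(stdev)})
    return hops

def classify_loss(hops):
    """Loss at a hop that a later hop does not show means the forwarded packets got
    through: that router de-prioritises TTL-expired replies. Loss that persists to the
    destination is real, starting at the first hop where it appears."""
    verdicts = {}
    for i, h in enumerate(hops):
        downstream = hops[i + 1:]
        if h["loss"] == 0.0:
            verdicts[h["hop"]] = "ok"
        elif not downstream:
            verdicts[h["hop"]] = "real loss (destination)"
        elif min(d["loss"] for d in downstream) < h["loss"]:
            verdicts[h["hop"]] = ("silent hop, no ICMP reply" if h["host"] == "???"
                                  else "ICMP rate limiting at this hop, not path loss")
        else:
            verdicts[h["hop"]] = "real loss (persists downstream)"
    return verdicts

# Constructed sample of `mtr -r -c 10 example.com` over the path traced above.
SAMPLE_MTR = """HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- gateway                    0.0%    10    1.2   1.3   1.1   1.9   0.2
  2.|-- 10.0.0.1                   0.0%    10    5.6   5.5   5.2   6.1   0.3
  3.|-- isp-router.net            40.0%    10    8.9   8.8   8.6   9.1   0.2
  4.|-- ???                      100.0%    10    0.0   0.0   0.0   0.0   0.0
  5.|-- ae-5.r01.example.net       0.0%    10   12.3  12.2  12.1  12.5   0.1
  6.|-- 93.184.216.34              0.0%    10   15.7  15.6  15.4  15.9   0.2"""

if __name__ == "__main__":
    out = subprocess.run(["mtr", "-r", "-c", "10", "example.com"],
                         capture_output=True, text=True).stdout
    print(classify_loss(parse_mtr_report(out)))
```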

nmap (Network Mapper) is a network scanning and discovery tool. It identifies hosts, open ports, running services, and operating systems.

# Scan a host for open ports
nmap example.com

# Scan a specific port range
nmap -p 1-1000 example.com

# Scan all ports (1-65535)
nmap -p- example.com

# Service version detection
nmap -sV example.com

# OS detection
nmap -O example.com

# Quick scan (top 100 ports)
nmap -F example.com

# Scan a network range
nmap 192.168.1.0/24

Ethical note: Only scan networks and systems you own or have explicit permission to scan. Unauthorized scanning may violate laws and terms of service.

Use cases: Network discovery, security auditing, port scanning, service identification, vulnerability assessment.