Essential Network Diagnostic Tools
When a website is unreachable, an email fails to deliver, or a connection is slow, network diagnostic tools help you pinpoint the problem. This guide covers the most important command-line and GUI tools with practical examples for real-world troubleshooting scenarios.
1. ping
ping tests reachability and measures round-trip time by sending ICMP Echo Request packets to a target host.
Basic usage:
# Linux / macOS
ping -c 4 example.com
# Windows
ping -n 4 example.com
Output:
PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: icmp_seq=0 ttl=56 time=11.234 ms
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=10.891 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=11.012 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=56 time=10.978 ms
--- example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss
round-trip min/avg/max/stddev = 10.891/11.029/11.234/0.127 ms
What to look for:
- Packet loss: Any loss above 0% indicates a network problem.
- Latency (time): Consistent high latency suggests congestion or distance. Jitter (variance) indicates instability.
- TTL: Lower values suggest more hops or longer routes.
Use cases: Verify a host is online, test basic connectivity, measure latency, detect packet loss.
Limitations: Many servers block ICMP, so a failed ping does not always mean the host is down. Use alongside TCP-based checks (curl, telnet) for confirmation.
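The "what to look for" checklist above can be applied automatically. The following is an added example (not part of the original guide): a POSIX shell function that reads ping's summary lines and returns a verdict. The sample output is a constructed copy of the listing above, and the loss, latency and jitter thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sample of the `ping -c 4` output shown above (not a live capture).
PING_SAMPLE='PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: icmp_seq=0 ttl=56 time=11.234 ms
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=10.891 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=11.012 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=56 time=10.978 ms
--- example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss
round-trip min/avg/max/stddev = 10.891/11.029/11.234/0.127 ms'

# ping_verdict: read Linux/macOS ping output on stdin and print
#   loss=<pct> avg=<ms> jitter=<ms> verdict=<OK|PACKET_LOSS|HIGH_LATENCY|JITTER>
# MAX_LOSS / MAX_AVG / MAX_JITTER are assumed thresholds (override via environment).
ping_verdict() {
  awk -v max_loss="${MAX_LOSS:-0}" -v max_avg="${MAX_AVG:-100}" -v max_jitter="${MAX_JITTER:-20}" '
    # "4 packets transmitted, 4 received, 0% packet loss": take the field carrying the % sign
    /packet loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%/) { gsub(/[^0-9.]/, "", $i); loss = $i + 0 } }
    # "round-trip min/avg/max/stddev = a/b/c/d ms" (macOS) or "rtt min/avg/max/mdev = ..." (Linux)
    /^round-trip|^rtt/ { split($(NF-1), t, "/"); avg = t[2] + 0; stddev = t[4] + 0 }
    END {
      if (loss == "" && avg == "") { print "verdict=UNPARSED"; exit 1 }
      verdict = "OK"
      if (loss > max_loss) verdict = "PACKET_LOSS"          # any loss is a problem per the guide
      else if (avg > max_avg) verdict = "HIGH_LATENCY"      # consistently slow path
      else if (stddev > max_jitter) verdict = "JITTER"      # unstable path
      printf "loss=%s avg=%s jitter=%s verdict=%s\n", loss, avg, stddev, verdict
    }'
}

# Stand-alone usage: feed the sample (or `ping -c 4 host`) into the function.
printf '%s\n' "$PING_SAMPLE" | ping_verdict
```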
2. traceroute / tracert
traceroute (Linux/macOS) or tracert (Windows) maps the network path to a destination by sending packets with incrementing TTL values. Each router along the path responds when the TTL expires, revealing its identity.
Basic usage:
# Linux / macOS
traceroute example.com
# Windows
tracert example.com
Output:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
1 gateway (192.168.1.1) 1.234 ms 1.123 ms 1.089 ms
2 10.0.0.1 (10.0.0.1) 5.678 ms 5.456 ms 5.234 ms
3 isp-router.net (203.0.113.1) 8.901 ms 8.789 ms 8.678 ms
4 * * *
5 ae-5.r01.example.net (198.51.100.1) 12.345 ms 12.234 ms 12.123 ms
6 93.184.216.34 (93.184.216.34) 15.678 ms 15.567 ms 15.456 ms
What to look for:
- Star (*) entries: Indicate packets were dropped or the router does not respond to TTL-expired messages (common, not always a problem).
- Latency spikes: Sudden increases at a specific hop indicate congestion or misconfiguration at that point.
- Consistent failure at a hop: Indicates a routing problem or firewall blocking traffic.
Use cases: Identify where packets are being dropped, diagnose routing loops, trace the network path to a destination.
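Spotting a latency spike by eye is easy on six hops and tedious on thirty. As an added example (not from the original guide), this shell function reads traceroute output, takes the best of the three probes per hop, and flags non-responding hops and jumps above a threshold. The sample is constructed from the listing above with hop 5 slowed down to show a spike; the 20 ms threshold is an assumption.

```shell
#!/bin/sh
# Constructed traceroute output (hops 5 and 6 altered to show a latency jump); not a live trace.
TRACE_SAMPLE='traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.234 ms  1.123 ms  1.089 ms
 2  10.0.0.1 (10.0.0.1)  5.678 ms  5.456 ms  5.234 ms
 3  isp-router.net (203.0.113.1)  8.901 ms  8.789 ms  8.678 ms
 4  * * *
 5  ae-5.r01.example.net (198.51.100.1)  42.345 ms  41.234 ms  43.123 ms
 6  93.184.216.34 (93.184.216.34)  45.678 ms  45.567 ms  45.456 ms'

# trace_hops: read traceroute output on stdin; print one line per hop with the best
# (minimum) RTT, the change against the previous responding hop, and SPIKE when the
# change exceeds SPIKE_MS (assumed default 20 ms). Hops answering "* * *" are reported too.
trace_hops() {
  awk -v spike="${SPIKE_MS:-20}" -v prev=-1 '
    $1 !~ /^[0-9]+$/ { next }                      # skip the "traceroute to ..." header
    {
      best = -1
      for (i = 2; i <= NF; i++)                    # every "<number> ms" pair on the line
        if ($i == "ms" && $(i-1) ~ /^[0-9.]+$/ && (best < 0 || $(i-1) + 0 < best))
          best = $(i-1) + 0
      if (best < 0) { printf "hop %s: no reply (* * *)\n", $1; next }
      delta = (prev < 0) ? 0 : best - prev         # compare with the last hop that answered
      flag = (delta > spike) ? " SPIKE" : ""
      printf "hop %s: best=%.3f ms delta=%+.3f ms%s\n", $1, best, delta, flag
      prev = best
    }'
}

# Stand-alone usage: feed the sample (or `traceroute host`) into the function.
printf '%s\n' "$TRACE_SAMPLE" | trace_hops
```

A jump that persists through every later hop (as here) points at the link before hop 5; a spike that disappears at the next hop is usually just a router deprioritising its own ICMP replies.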
3. nslookup
nslookup is a DNS lookup utility available on all major operating systems. It queries DNS servers to resolve domain names and diagnose DNS issues.
Basic usage:
# Simple A record lookup
nslookup example.com
# Query a specific record type
nslookup -type=MX example.com
nslookup -type=TXT example.com
nslookup -type=AAAA example.com
# Query a specific DNS server
nslookup example.com 8.8.8.8
# Interactive mode
nslookup
> set type=NS
> example.com
> server 1.1.1.1
> example.com
Output:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
"Non-authoritative answer" means the response came from a cache (recursive resolver) rather than directly from the authoritative name server. Use a specific authoritative server to get authoritative answers.
Use cases: Quick DNS lookups, verify DNS changes, test specific DNS servers, check MX records for email issues.
4. dig
dig (Domain Information Groper) is the standard DNS query tool on Linux and macOS. It provides more detailed output than nslookup and is preferred by DNS professionals.
Basic usage:
# Simple lookup
dig example.com
# Short output
dig +short example.com
# Query specific record type
dig MX example.com
dig TXT example.com
dig ANY example.com
# Query authoritative server directly
dig @ns1.example.com example.com
# Trace full resolution path
dig +trace example.com
# Check DNSSEC signatures
dig +dnssec example.com
# Reverse DNS lookup
dig -x 93.184.216.34
Output sections:
;; HEADER: opcode: QUERY, status: NOERROR, id: 12345
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 93.184.216.34
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 86400 IN A 199.43.135.53
Key flags:
- +short: Returns only the answer (good for scripts).
- +trace: Shows the full resolution path from root servers.
- +dnssec: Includes DNSSEC signatures in the response.
- +noall +answer: Shows only the answer section.
- -p 5353: Query a non-standard port.
Use cases: Advanced DNS debugging, DNSSEC verification, zone transfer testing, DNS propagation checks.
5. netstat / ss
netstat and its modern replacement ss display network connections, listening ports, routing tables, and interface statistics.
Common commands:
# Show all listening ports with process IDs
netstat -tlnp # Linux (legacy)
ss -tlnp # Linux (modern)
# Windows
netstat -ano
# Show established connections only
ss -tn state established
# Show connections to a specific port
ss -tn dst :443
# Show connection statistics
ss -s
Output (netstat -ano on Windows):
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 192.168.1.10:52341 93.184.216.34:443 ESTABLISHED 12345
TCP 192.168.1.10:52342 93.184.216.34:443 TIME_WAIT 0
Use cases: Identify which process is using a port, check for unexpected listening services, diagnose connection issues, detect unauthorized connections.
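"Check for unexpected listening services" becomes a repeatable check once the listening ports are compared against what the host is supposed to run. The following is an added example (not from the original guide): a shell function that reads `netstat -ano` output and prints every LISTENING socket whose port is not on an allowlist. The sample is the listing above plus one constructed extra listener on port 4444 with PID 6789.

```shell
#!/bin/sh
# Constructed `netstat -ano` output: the rows shown above plus one extra listener (port 4444).
NETSTAT_SAMPLE='Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6789
TCP    192.168.1.10:52341     93.184.216.34:443      ESTABLISHED     12345
TCP    192.168.1.10:52342     93.184.216.34:443      TIME_WAIT       0'

# unexpected_listeners "PORT PORT ...": read netstat -ano output on stdin and print
# "port <p> pid <pid> (<local address>)" for every TCP LISTENING socket not in the allowlist.
# The allowlist is an assumption you maintain per host role (e.g. "80 443" for a web server).
unexpected_listeners() {
  awk -v allowed=" $1 " '
    $1 == "TCP" && $4 == "LISTENING" {
      n = split($2, a, ":"); port = a[n]      # last colon-separated piece is the port; also handles [::]:443
      if (index(allowed, " " port " ") == 0)
        printf "port %s pid %s (%s)\n", port, $5, $2
    }'
}

# Stand-alone usage: a web server is expected to listen on 80 and 443 only.
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "80 443"
```

On Linux, `ss -tlnp` prints a different column layout, so the field numbers in the awk program would need adjusting; the allowlist comparison is the same.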
6. curl
curl is a versatile HTTP client for testing web servers, APIs, and URLs. It supports numerous protocols including HTTP, HTTPS, FTP, SMTP, and more.
Common commands:
# Basic GET request
curl https://example.com
# Show response headers
curl -I https://example.com
# Verbose output (shows TLS handshake, headers, etc.)
curl -v https://example.com
# Follow redirects
curl -L https://example.com
# Custom headers
curl -H "Authorization: Bearer token" https://api.example.com
# POST data
curl -X POST -d '{"name":"test"}' -H "Content-Type: application/json" https://api.example.com
# Measure timing
curl -o /dev/null -s -w "DNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTLS: %{time_appconnect}s\nTotal: %{time_total}s\n" https://example.com
# Resolve to a specific IP (bypass DNS)
curl --resolve example.com:443:93.184.216.34 https://example.com
# Ignore certificate errors (testing only)
curl -k https://self-signed.example.com
Timing breakdown (-w format):
| Variable | Measures | Typical Value |
|---|---|---|
| time_namelookup | DNS resolution | 5–50ms |
| time_connect | TCP connection | +10–100ms |
| time_appconnect | TLS handshake | +20–150ms |
| time_starttransfer | First byte received | +10–500ms |
| time_total | Complete request | Varies |
Use cases: Test HTTP endpoints, measure response times, debug TLS issues, test APIs, verify redirects and headers.
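The `-w` timers in the table are cumulative from the start of the request, which is why the table shows them as "+" increments; the phase that is actually slow is the difference between neighbouring timers. As an added example (not from the original guide), this shell function converts the five cumulative values into per-phase durations and names the slowest phase. The sample values are constructed, and plain-HTTP requests, where curl reports time_appconnect as 0, are handled as a zero-length TLS phase.

```shell
#!/bin/sh
# -w format that prints the five cumulative timers, space separated, on one line.
CURL_TIMING_FMT='%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n'

# Constructed sample of what `curl -o /dev/null -s -w "$CURL_TIMING_FMT" https://example.com`
# could print (seconds, cumulative); not a real measurement.
CURL_SAMPLE='0.012 0.045 0.110 0.380 0.420'

# curl_phases: read one line of cumulative timers on stdin and print per-phase durations
# in milliseconds plus the name of the slowest phase.
curl_phases() {
  awk '{
    app = ($3 > 0) ? $3 : $2                  # plain HTTP: time_appconnect is 0, so no TLS phase
    ms[1] = $1 * 1000;           name[1] = "dns"        # DNS resolution
    ms[2] = ($2 - $1) * 1000;    name[2] = "tcp"        # TCP handshake
    ms[3] = (app - $2) * 1000;   name[3] = "tls"        # TLS handshake
    ms[4] = ($4 - app) * 1000;   name[4] = "server"     # waiting for the first response byte
    ms[5] = ($5 - $4) * 1000;    name[5] = "transfer"   # body download
    worst = 1
    for (i = 2; i <= 5; i++) if (ms[i] > ms[worst]) worst = i
    for (i = 1; i <= 5; i++) printf "%s=%.0fms ", name[i], ms[i]
    printf "slowest=%s\n", name[worst]
  }'
}

# Stand-alone usage: pipe a real measurement or the constructed sample into the function.
printf '%s\n' "$CURL_SAMPLE" | curl_phases
```

A large "server" value with small dns/tcp/tls values means the network path is fine and the slowness is in the application; large "tls" relative to "tcp" often points at an expensive handshake (no session resumption, long certificate chain, OCSP fetch).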
7. Wireshark
Wireshark is a graphical network protocol analyzer that captures and inspects packets in real time. It supports hundreds of protocols and provides deep inspection of network traffic.
Key concepts:
- Capture filters: Applied during capture to limit what is recorded (e.g., host 8.8.8.8, port 443, tcp).
- Display filters: Applied after capture to narrow the view (e.g., dns, tcp.port == 443, http.request.method == "GET").
- Follow streams: Right-click a packet and select "Follow TCP Stream" to see the full conversation.
- Color coding: Green = TCP, Blue = DNS, Black = errors, Red = warnings.
Common display filters:
dns # All DNS traffic
http # All HTTP traffic
tcp.port == 443 # HTTPS traffic
ip.addr == 93.184.216.34 # Traffic to/from specific IP
tcp.flags.syn == 1 # TCP SYN packets (new connections)
dns.qry.name == "example.com" # DNS queries for a specific domain
Use cases: Deep packet inspection, protocol debugging, latency analysis, security forensics, understanding TLS handshakes, diagnosing retransmissions.
Alternative (command-line): tshark is Wireshark's CLI equivalent, useful for remote servers and scripting.
# Capture DNS traffic on interface eth0
tshark -i eth0 -f "port 53"
# Capture and write to file
tshark -i eth0 -w capture.pcap -f "port 443"
# Read and filter a capture file
tshark -r capture.pcap -Y "dns"
8. MTR and nmap
MTR (My Traceroute) combines ping and traceroute into a single, continuously updating tool. It shows packet loss and latency at each hop in real time.
# Basic usage (Linux/macOS)
mtr example.com
# Report mode (non-interactive, 10 cycles)
mtr -r -c 10 example.com
# Windows (WinMTR or pathping)
pathping example.com
MTR output columns:
| Column | Meaning |
|---|---|
| Loss% | Packet loss at this hop |
| Snt | Packets sent |
| Last | Most recent round-trip time |
| Avg | Average round-trip time |
| Best | Minimum round-trip time |
| Wrst | Maximum round-trip time |
| StDev | Standard deviation (jitter) |
nmap (Network Mapper) is a network scanning and discovery tool. It identifies hosts, open ports, running services, and operating systems.
# Scan a host for open ports
nmap example.com
# Scan a specific port range
nmap -p 1-1000 example.com
# Scan all ports (1-65535)
nmap -p- example.com
# Service version detection
nmap -sV example.com
# OS detection
nmap -O example.com
# Quick scan (top 100 ports)
nmap -F example.com
# Scan a network range
nmap 192.168.1.0/24
Ethical note: Only scan networks and systems you own or have explicit permission to scan. Unauthorized scanning may violate laws and terms of service.
Use cases: Network discovery, security auditing, port scanning, service identification, vulnerability assessment.