
20 Essential Linux Network Monitoring and Configuration Commands

by David Chapman
Updated on January 23, 2026

When it comes to network monitoring and configuration commands, there is no shortage of options for Linux.  

Having so many Linux commands at your disposal can be overwhelming—plus, some commands still work but have fallen out of favor. That's why understanding the most common commands and when to use them is crucial. It'll save you time and confusion—and make troubleshooting Linux environments easier. Let's take a look at 20 must-know commands for any Linux admin.

1. nmap

Nmap is a powerful third-party port scanner that lets you scan ports on remote endpoints. This can be extremely useful for tasks such as verifying that your firewall configuration is correct or identifying which ports should be open or closed.

Depending on the endpoint, it may be able to detect the operating system it is running on. It also has a plugin system that allows you to run custom scripts, so its use cases are pretty vast.

2. ss  

The ss command (short for socket statistics) is the modern replacement for netstat. While netstat was long the standard tool for viewing active connections and listening ports, it is now considered deprecated and is no longer installed by default on many Linux distributions.

ss provides the same core functionality—viewing established connections, listening sockets, and protocol usage—but does so more efficiently and with greater detail. Because it interacts directly with kernel socket structures, it is faster and more accurate on busy systems.

3. iftop

Iftop, as its name implies, does something similar to the top command. Instead of processes, though, it does this for network connections. What iftop displays is a list of top connections ranked by throughput, so you can see many of the top offenders consuming your available bandwidth. What is really great about it is that it shows the throughput in both directions of each top offender.

4. ip route

The traditional route command has been largely replaced by ip route, which is part of the modern ip utility suite. ip route allows administrators to view, add, modify, and delete routes in the kernel routing table. It supports advanced routing features and integrates cleanly with the rest of the ip command set, making it the preferred tool for managing routes on modern Linux systems.

5. iperf3 

iperf3 is a widely used tool for testing network performance, including throughput, latency, jitter, and packet loss. It operates in both client and server modes, making it easy to measure performance between two endpoints. iperf3 supports both TCP and UDP testing. 

TCP is commonly used to measure the maximum achievable bandwidth, while UDP is better suited for identifying packet loss, jitter, and latency under load. Test parameters can be adjusted to simulate real-world traffic conditions, providing more meaningful results than simple connectivity checks.

6. tcpdump

Tcpdump is an amazing tool, but still simple. At the core level, it allows you to capture traffic at an endpoint and typically display it on-screen or output it to a file for later review or parsing in another tool. It is extremely useful for viewing traffic to validate that it is arriving or departing as expected, and for examining packet metadata to detect errors.

Reading tcpdump output can be a little overwhelming if you are not using the right filters or don't know what you're looking at, but with a little training and experience, it can take you a long way.

7. ipset

Ipset is a tool that works alongside the Linux IPFilter firewall framework. It allows you to create IP address groups. Without this, when creating firewall rules across multiple subnets, each subnet would require a separate rule. With ipset, groupings can be configured to simplify management and improve transparency. 

That said, many modern Linux distributions are transitioning from iptables to nftables, which includes native support for sets and maps without requiring ipset as a separate tool. In environments using iptables, ipset is still highly relevant; in nftables-based systems, similar functionality is built directly into the firewall framework.
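The difference between per-subnet rules and a single set-backed rule, as an added example that is not from the original article. The set name admin_nets, the subnets and the SSH port are constructed for illustration, and the functions only print the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: per-subnet iptables rules versus one rule backed by an ipset.
# The set name, subnets and port are constructed; nothing here touches the
# firewall, the functions only print commands for review.

SET_NAME="admin_nets"                                   # hypothetical set name
SUBNETS="10.10.0.0/24 10.20.0.0/24 192.168.50.0/24"     # constructed subnets

# Without ipset: every subnet needs its own rule.
rules_without_ipset() {
    for net in $SUBNETS; do
        echo "iptables -A INPUT -s $net -p tcp --dport 22 -j ACCEPT"
    done
}

# With ipset: subnets go into a hash:net set and one rule matches the whole set.
# -exist makes create/add idempotent, so re-running the script does not fail.
rules_with_ipset() {
    echo "ipset create $SET_NAME hash:net -exist"
    for net in $SUBNETS; do
        echo "ipset add $SET_NAME $net -exist"
    done
    echo "iptables -A INPUT -m set --match-set $SET_NAME src -p tcp --dport 22 -j ACCEPT"
}

# nftables: the set is declared inside the ruleset, no separate tool needed.
rules_with_nft() {
    elements=$(echo "$SUBNETS" | sed 's/ /, /g')
    cat <<EOF
table inet filter {
    set $SET_NAME {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0;
        ip saddr @$SET_NAME tcp dport 22 accept
    }
}
EOF
}

rules_without_ipset
rules_with_ipset
rules_with_nft
```

Adding a fourth subnet changes only the set contents; the single iptables or nftables rule stays as it is.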

8. Wireshark/tshark

Earlier, we mentioned tcpdump. When we talk about Wireshark, we typically mean the GUI version of tcpdump. Previously called Ethereal, it changed its name around 2006. In any case, it is an excellent tool for visualizing tcpdump outputs or capturing your own in a GUI. It is also highly extensible, with numerous extensions that go beyond tcpdump's built-in visualization.

For example, you can drill into TCP streams or filter by them. In other cases, you can decode VoIP streams to listen to the audio and verify the quality. It also does a great job of understanding most protocols and providing their metadata in easy-to-read formats. Tshark is the CLI companion to Wireshark. It operates like tcpdump, except it carries a lot of the logic with it on filtering and extra command line options.

9. netcat

In the old days, when telnet was widely used, you could use it to connect to a remote system to verify that a port was operational and send raw commands. Today, the Telnet protocol is no longer in widespread use, and many systems do not include Telnet by default. Telnet had its own protocol, though, and was not actually a raw socket connection tool. 

Netcat is the tool of choice for this, as it can operate completely raw and be used to do things like connect to an SMTP server and attempt to test commands. On the other hand, it’s also great to just connect to a port like ssh/22 or mysql/3306 just to see if it responds.

10. traceroute

When dealing with path issues on a network, whether on the internet, an internal network, or a combination of both, traceroute is one of the oldest tools for the job. It operates by sending a specially crafted packet to the destination while modifying the packet's Time To Live (TTL) to determine each hop of the path and its latency. It can be used to detect unexpected internal hops or paths, or to identify loops that may be occurring on the Internet.

11. mtr

Much like traceroute, mtr can trace the path between your endpoint and a remote host, but where mtr excels is that it runs continuously, showing latency for each hop. The traceroute may have looked good, but how does it look over time? Running continuously also allows you to catch transient or intermittent routing issues that may arise.

12. ip neigh 

The arp command was traditionally used to view and manage the ARP cache, mapping IP addresses to MAC addresses on a local network. While it still works in many environments, it has been superseded by ip neigh. ip neigh is part of the ip utility suite and manages neighbor discovery entries, including ARP for IPv4 and NDP for IPv6. This makes it more flexible and future-proof than the legacy ARP command.

13. nslookup

Nslookup is one of the original name server lookup tools. It allows you to specify a nameserver and list the record types you want to query. That said, nslookup is now considered a legacy tool and is used far less frequently in modern Linux environments. Its output is more limited, and it does not always reflect how contemporary resolvers handle DNS queries, particularly in systems with complex resolver configurations.

14. dig

Dig does similar things to nslookup, but depending on your needs, it is slightly tweaked and may better meet your requirements. For starters, it displays the query and answer as well as the Time To Live (TTL) on that answer. This helps determine when a DNS query TTL/cache entry will time out.

DNS servers typically have this locked down, but if allowed, you can perform a full zone transfer from a DNS server, and dig supports the AXFR protocol for that. Keep in mind, pulling a full zone is usually restricted by ACL, so many public name servers do not allow it. But if you are the systems administrator, you can grant yourself access.

15. host

Host is another tool for the same purpose as nslookup and dig. You might wonder why we have so many tools for DNS queries, but each serves a different audience. Host is a simple, nice tool. You simply run the host command with the endpoint you want to query, and it returns the nameserver name and the response. Alternatively, you can point it at an alternate name server.

16. whois

To understand the whois command, it is important to understand domain name registration. When someone purchases a domain name from a registrar, a record is placed in a WHOIS database so it can be looked up. For example, if you need the technical contact for a domain to report that spam is originating from it, that information may be listed.

Often, however, domain owners opt to register anonymously, which can limit how useful the WHOIS data is. Even so, whois is still very effective for checking whether a domain is registered and for viewing metadata such as when it was purchased and when it was last renewed.

17. ping

Ping is one of the oldest and most essential tools for basic troubleshooting. It exists on nearly every operating system and device, from Linux and Windows to routers and even Layer 3 switches: nearly everything with a TCP/IP stack. It performs essential network latency and line condition tests. With ping, our first inclination is to check whether all of the pings are returning or whether there are drops or timeouts. Those can indicate a networking issue somewhere.

From there, the latency reported is key. Pinging on the same LAN should equate to 1 or sub-1ms latency, whereas pinging across the globe may be many hundreds of milliseconds.

In Linux, it runs a continuous ping by default with a very low payload—but you can also increase the payload and, under certain conditions, do a ping flood to help test the line to see when packets drop or if the network can keep up. It is extremely versatile for basic network troubleshooting.

18. nmcli

Nmcli is a command line tool for managing NetworkManager, the subsystem that stores persistent data about networking and its interfaces so that they can be brought up as expected at boot. You may think this is trivial, but it helps in situations where new NICs are added and ensures the appropriate NICs are assigned the correct IP addresses. It also stores settings such as whether an interface uses DHCP or a static address, and its DNS resolver settings.

19. ip

Ip is a tool that deals with IP addressing on Linux machines. The original command, ifconfig, is still around, but ip has been greatly expanded, and some distributions no longer ship ifconfig by default. While ifconfig has been tried and true for decades for viewing and setting interface settings, it has not kept up with changes over the years; the ip command fills some of those gaps and is a modern version of it.

With this tool, the IP addresses of the local interfaces can be viewed and modified. The routing table can be viewed with it, and interfaces can be brought up and down. Even the ARP table can be viewed with it, so it rolls quite a bit of functionality into one command.

20. tracepath

Tracepath and traceroute do very similar things. The main difference though is that traceroute requires root while tracepath does not. This can be very advantageous when you are on a box without root access. 

Tracepath is very MTU (Maximum Transmission Unit) conscious and tries to determine the MTU that works end-to-end. Sometimes, particularly over VPN tunnels, the MTU along the path can be reduced from the default LAN MTU of 1500 to 1392 or lower. Tracepath attempts to detect this along the way, which can be very useful.
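To see where along the path the MTU drops, the pmtu annotations in tracepath output can be extracted per hop. This is an added example, not from the original article; the function names are hypothetical and the sample output (in the style of `tracepath -n`) is constructed to mirror the VPN case described above.

```shell
#!/bin/sh
# Added example: find where the path MTU drops in tracepath output.

# Constructed sample in the style of `tracepath -n <host>` across a VPN tunnel.
sample_tracepath() {
cat <<'EOF'
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.0.2.1                                             0.412ms
 1:  192.0.2.1                                             0.398ms
 2:  10.8.0.1                                             24.310ms pmtu 1392
 2:  10.8.0.1                                             24.122ms
 3:  10.8.0.9                                             25.871ms reached
     Resume: pmtu 1392 hops 3 back 3
EOF
}

# pmtu_changes < tracepath-output
# Prints "hop address pmtu" each time a hop line reports a new path MTU.
pmtu_changes() {
    awk '
        $1 == "Resume:" { next }                  # summary line handled separately
        {
            for (i = 1; i < NF; i++) if ($i == "pmtu") {
                hop = $1; sub(/[?:]+$/, "", hop)  # "1?:" -> "1", "2:" -> "2"
                if ($(i + 1) != last) print hop, $2, $(i + 1)
                last = $(i + 1)
            }
        }'
}

# final_pmtu < tracepath-output
# Prints the end-to-end path MTU from the "Resume:" summary line.
final_pmtu() {
    awk '$1 == "Resume:" && $2 == "pmtu" { print $3 }'
}

# Demo on the constructed sample; on a live host pipe `tracepath -n <host>` in.
sample_tracepath | pmtu_changes
sample_tracepath | final_pmtu
```

On the sample, the drop from 1500 to 1392 is attributed to hop 2, the tunnel endpoint, and the summary line confirms 1392 as the end-to-end value.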

Final Thoughts 

Linux networking hasn’t changed overnight—but the tools Linux administrators rely on have evolved. Many classic commands are still useful, especially when working with older systems or legacy documentation, but modern Linux environments increasingly center around tools like ip, ss, iperf3, and resolver-aware utilities that reflect how networking actually works today.

Knowing which commands are current, which are legacy, and when each still matters is what separates casual troubleshooting from efficient, confident problem-solving. Whether you’re diagnosing bandwidth issues, tracking down DNS problems, or validating routing behavior, these tools form the backbone of real-world Linux network administration.
