TCP/IP Network Diagnostics

TCP/IP Network Diagnostics

After you configure Ethernet and TCP/IP (during Red Hat Linux installation or by running netcfg later on), you should be able to use various networking applications without any problem. The TCP/IP protocol suite includes several tools that help you monitor and diagnose problems.

Looking at Network Interface Status

Use the /sbin/ifconfig command to view the currently configured network interfaces. The ifconfig command is used to configure a network interface (that is, to associate an IP address with a network device). If you run ifconfig without any command-line arguments, the command displays information about the current network interfaces. The following is a typical invocation of ifconfig and the resulting output:

eth0      Link encap:Ethernet  HWaddr 02:60:8C:8E:C6:A9
          inet addr:  Bcast:  Mask:
          RX packets:2738 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:638288 (623.3 Kb)  TX bytes:575658 (562.1 Kb)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:3148 (3.0 Kb)  TX bytes:3148 (3.0 Kb)

This output shows that two interfaces—the loopback interface (lo) and an Ethernet card (eth0)—are currently active on this system. For each interface, you can see the IP address, as well as statistics on packets delivered and sent. If the Red Hat Linux system had a dial-up PPP link up and running, you’d also see an item for the ppp0 interface in the output.

Viewing the IP Routing Table

The other network configuration command, /sbin/route, also provides status information when it is run without any command-line argument. If you are having trouble checking a connection to another host (that you specify with an IP address), check the IP routing table to see whether a default gateway is specified. Then check the gateway’s routing table to ensure that paths to an outside network appear in that routing table.

A typical output from the /sbin/route command looks like the following:

Kernel IP routing table
Destination    Gateway        Genmask         Flags Metric Ref  Use Iface    *       U     0      0      0 eth0      *           U     0      0      0 lo
default         UG    0      0      0 eth0 

As this routing table shows, the local network uses the eth0 Ethernet interface, and the default gateway is also that Ethernet interface. The default gateway is a routing device that handles packets addressed to any network, other than the one in which the Linux system resides. In this example, packets addressed to any network address other than ones that begin with 192.168.0 are sent to the gateway— The gateway forwards those packets to other networks (assuming, of course, that the gateway is connected to another network).

Checking Connectivity to a Host

To check for a network path to a specific host, use the ping command. Ping is a widely used TCP/IP tool that uses a series of Internet Control Message Protocol (ICMP, often pronounced as eye-comp) messages. (ICMP provides for an Echo message to which every host responds.) Using the ICMP messages and replies, Ping can determine whether or not the other system is alive and can compute the round-trip delay in communicating with that system.

The following example shows how I run Ping to see whether or not one of the systems on my network is alive:

PING ( from : 56(84) bytes of data.
64 bytes from icmp_seq=0 ttl=254 time=2.116 msec
64 bytes from icmp_seq=1 ttl=254 time=1.770 msec
64 bytes from icmp_seq=2 ttl=254 time=1.759 msec
64 bytes from icmp_seq=3 ttl=254 time=1.778 msec

--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.759/1.855/2.116/0.159 ms

In Red Hat Linux, Ping continues to run until you press Ctrl+C to stop it, then it displays summary statistics showing the typical time it takes to send a packet between the two systems. On some systems, Ping simply reports that a remote host is alive. However, you can still get the timing information with appropriate command-line arguments.

You can also use the traceroute command to check connectivity to a host and more. The traceroute command prints the route that packets take from your system to another system on the Internet. For example, here is an example of using traceroute to print the route from a system to

traceroute to (, 30 hops max, 38 byte packets
 1 (  1.509 ms  1.431 ms  4.980 ms
 2 (  11.286 ms  11.882 ms  9.594 ms
 3 (  11.734 ms  10.752 ms  9.883 ms
 4 (  10.438 ms  10.372 ms  14.481 ms
 5 (  11.101 ms  11.662 ms  12.423 ms
 6 (  10.901 ms  9.610 ms  9.946 ms
 7 (  11.715 ms  11.852 ms  11.880 ms
 8  * * *
 9 (  12.151 ms  12.659 ms  11.249 ms
10 (  16.740 ms  28.900 ms  15.532 ms
11 (  17.833 ms  14.777 ms  16.378 ms
12 (  17.521 ms  17.292 ms  17.737 ms
13 (  16.435 ms  15.841 ms  15.776 ms
14 (  15.904 ms  16.826 ms  17.882 ms
15 (  18.668 ms  17.289 ms  16.816 ms
16 (  17.532 ms  19.369 ms  19.142 ms

Checking Network Status

To check the status of the network, use the netstat command. This command displays the status of network connections of various types (such as TCP and UDP connections). You can view the status of the interfaces quickly with the -i option, as follows:

netstat -i
Kernel Interface table
eth0   1500   0  2963      0      0      0    1531      0      0      0 BNRU
lo    16436   0    48      0      0      0      48      0      0      0 LRU

In this case, the output shows the current status of the loopback and Ethernet interfaces. Table 6-1 describes the meanings of the columns.

Table 6-1: Columns in the Kernel Interface Table




Name of the interface


Maximum Transfer Unit—the maximum number of bytes that a packet can contain


Number of error-free packets received (RX) or transmitted (TX)


Number of packets with errors


Number of dropped packets


Number of packets lost due to overflow


A = receive multicast; B = broadcast allowed; D = debugging turned on; L = loopback interface (notice the flag on lo); M = all packets received; N = trailers avoided; O = no ARP on this interface; P = point-to-point interface; R = interface is running; U = interface is up.

Another useful netstat option is -t, which shows all active TCP connections. Following is a typical result of netstat -t on one of my Linux PCs:

netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 dhcppc3:ftp           ESTABLISHED
tcp        0      0 dhcppc3:ftp-data        TIME_WAIT
tcp        0    138 dhcppc3:telnet        ESTABLISHED
tcp        0      0 dhcppc3:1054     ESTABLISHED
tcp        0      1 dhcppc3:1055   LAST_ACK

In this case, the output columns show the protocol (Proto), the number of bytes in the receive and transmit queues (Recv-Q, Send-Q), the local TCP port in hostname:service format (Local Address), the remote port (Foreign Address), and the state of the connection.

Insider Insight 

If you want netstat to display all addresses in numeric format, use the -n option of netstat, like this:

netstat -tn

Many of us prefer the numeric address format because the output looks cleaner and netstat does not have to figure out the name corresponding to each address.

Using the ip Command

The Linux kernel comes with a powerful IP routing engine together with an ip command that looks similar to the command with the same name that Cisco IOS supports (Cisco IOS is the operating system that runs on Cisco routers). You can use the ip command to manage or get information about network objects. The general syntax of the ip command is as follows:

ip [options] OBJECT [command [arg1 arg2 ...]]

where options are flags that modify the behavior of the command, OBJECT is the network object you want to manage or view, and command is the action you want to perform. The command may take zero or more arguments, as indicated by arg1, arg2, . . . in the syntax.

The objects you can manage or view with the ip command are the following:

  • link—Refers to network devices such as eth0 and ppp0

  • address—Refers to the IP or IPv6 address of a network device

  • neighbor—Refers to an entry in the Address Resolution Protocol (ARP) that associates an IP address to a physical Ethernet address

  • route—Refers to entries in the routing table

  • rule—Refers to rules in the routing policy database

  • maddress—Refers to multicast address

  • mroute—Refers to entries in the multicast routing cache

  • tunnel—Refers to a tunnel over IP

To view information about the network interfaces, use the following ip command:

ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet brd scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:08:74:e5:eb:56 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0

This tells you that the eth0 interface is associated with the inet address The /24 stands for the number of bits that are in the network address. There are 32 bits, of which 24 are network address, so there are 8 bits left for the hosts in this network.

To see routes, type ip route show. Here is a typical example of the output of that command: dev eth0  proto kernel  scope link  src dev eth0  scope link dev lo  scope link
default via dev eth0

You can try out ip to view the other network objects, but the greatest power of ip is in configuring the network objects to turn your Linux system into a sophisticated router.

Insider Insight 

The ip command’s capabilities are too extensive to cover in this chapter. To learn more about the ip command and what you can do with it, visit, and consult the documentation in /usr/share/doc/iproute* directory of your Red Hat Linux system.