Networking Commands Deep Dive — ip, ss, tcpdump, nmap, curl, wget

DodaTech Updated Jun 20, 2026 11 min read

Linux networking commands are essential tools for diagnosing connectivity issues, monitoring traffic, and securing servers. This deep dive covers the most powerful networking utilities — ip, ss, tcpdump, nmap, curl, and wget — with real-world scenarios and security analysis techniques.

What You’ll Learn

You’ll master the modern replacements for legacy tools (ip vs ifconfig, ss vs netstat), capture and analyze packets with tcpdump, scan networks with nmap, and transfer data with curl and wget. You’ll also learn how these commands are used in production security monitoring at DodaTech.

Why Networking Commands Matter

Network problems are the most common cause of application failures. A misconfigured firewall, a blocked port, or a slow DNS resolution can bring down a service faster than any code bug. Knowing how to trace packets, inspect sockets, and verify connectivity end-to-end is the difference between a 5-minute fix and a 2-hour outage. Durga Antivirus Pro uses tcpdump and nmap internally for network threat detection, while DodaZIP relies on curl for health-checking its distributed compression nodes.

The ip Command (Modern ifconfig)

The ip command from the iproute2 suite replaces the legacy ifconfig, route, and arp commands. It’s the single tool for all network interface and routing management.

# Show all network interfaces
ip addr show

# Show only active interfaces
ip link show up

# Show routing table
ip route show

# Show ARP cache (neighbors)
ip neigh show

# Add an IP address to an interface
sudo ip addr add 192.168.1.100/24 dev eth0

# Bring interface up or down
sudo ip link set eth0 up
sudo ip link set eth0 down

Expected output for ip addr show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever

ip vs ifconfig — Why ip Wins

| Feature | ip | ifconfig |
|---|---|---|
| JSON output | ip -j addr show | No |
| Network namespace support | Yes | No |
| Active development | Yes | Deprecated |
| Single binary | Yes (iproute2) | No (net-tools) |

# JSON output for scripting
ip -j addr show | jq '.[] | {name: .ifname, ips: .addr_info[].local}'

The ss Command (Modern netstat)

The ss (socket statistics) command is faster and more detailed than the legacy netstat. Use it to inspect sockets, connections, and listening services.

# Show all listening TCP ports (with process info)
ss -tlnp

# Show established TCP and UDP connections (with process info)
ss -tup

# Show listening UDP sockets
ss -uln

# Show Unix domain sockets
ss -x

# Show socket statistics summary
ss -s

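# Filter by port number: listeners on local port 80, connections to remote port 443
# (listening sockets have no peer port, so the dport filter is used without -l)
ss -tlnp sport = :80
ss -tnp dport = :443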

Expected output for ss -tlnp:

State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process
LISTEN   0        511              0.0.0.0:80            0.0.0.0:*       users:(("nginx",pid=1234,fd=8))
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*       users:(("sshd",pid=789,fd=3))
LISTEN   0        128                 [::]:22               [::]:*       users:(("sshd",pid=789,fd=4))
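
A check a defender can run on this output, as an added example that is not part of the original page: the hypothetical audit_listeners helper reads ss -tlnp output and reports listeners bound to every interface on ports outside an allowlist. The sample input is constructed, and the 22,80 allowlist is an assumption.

```shell
#!/bin/sh
# Added example: flag wildcard-bound listeners that are not on an allowlist.
# audit_listeners is a hypothetical helper; it reads `ss -tlnp` output on stdin.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                      # skip header / other states
        {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
            wildcard = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            proc = "unknown"                         # no users:(...) without root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (wildcard && !(port in ok))
                printf "UNEXPECTED %s port %s (%s)\n", addr, port, proc
        }'
}

# Constructed sample: the three listeners shown above plus two made-up ones.
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process
LISTEN   0        511              0.0.0.0:80            0.0.0.0:*       users:(("nginx",pid=1234,fd=8))
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*       users:(("sshd",pid=789,fd=3))
LISTEN   0        128                 [::]:22               [::]:*       users:(("sshd",pid=789,fd=4))
LISTEN   0        4096           127.0.0.1:5432          0.0.0.0:*       users:(("postgres",pid=901,fd=6))
LISTEN   0        511              0.0.0.0:6379          0.0.0.0:*       users:(("redis-server",pid=950,fd=6))
EOF
}

# Allow only SSH and HTTP to be reachable on every interface.
sample_ss_output | audit_listeners "22,80"
```

On a live host, pipe sudo ss -tlnp into audit_listeners with your own allowlist; without root the process column is empty and the helper reports unknown.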

Bandwidth and Connection Monitoring

# Watch connections in real time
watch -n 1 'ss -tup | grep ESTAB | wc -l'

# Find connections by local address (use dst instead to match the remote peer)
ss -tup src 10.0.0.100

# Show processes using the most connections
ss -tup | awk '{print $7}' | sort | uniq -c | sort -rn | head

tcpdump — Packet Capture and Analysis

Tcpdump is the industry-standard packet analyzer. It captures raw network traffic for deep inspection.

# Basic syntax
sudo tcpdump -i eth0

# Capture without resolving names (-n prints numeric addresses and ports)
sudo tcpdump -i eth0 -n

# Capture a specific number of packets
sudo tcpdump -i eth0 -c 100

# Save to a file for later analysis
sudo tcpdump -i eth0 -w capture.pcap

# Read a saved capture
sudo tcpdump -r capture.pcap

Filter Expressions

The real power of tcpdump comes from BPF (Berkeley Packet Filter) expressions:

# Filter by host
sudo tcpdump -i eth0 host 8.8.8.8

# Filter by port
sudo tcpdump -i eth0 port 80
sudo tcpdump -i eth0 portrange 8000-9000

# Filter by protocol
sudo tcpdump -i eth0 tcp
sudo tcpdump -i eth0 udp
sudo tcpdump -i eth0 icmp

# Combine filters
sudo tcpdump -i eth0 'tcp port 443 and host 10.0.0.1'

# Show packet contents (ASCII)
sudo tcpdump -i eth0 -A port 80

# Show packet contents (hex)
sudo tcpdump -i eth0 -X port 80

Expected output for sudo tcpdump -i eth0 -n tcp port 443:

12:34:56.789012 IP 10.0.0.5.54321 > 203.0.113.42.443: Flags [S], seq 1234567890, win 65535, length 0
12:34:56.789123 IP 203.0.113.42.443 > 10.0.0.5.54321: Flags [S.], seq 987654321, ack 1234567891, win 65535, length 0
12:34:56.789234 IP 10.0.0.5.54321 > 203.0.113.42.443: Flags [.], ack 1, win 65535, length 0

Practical tcpdump Scenarios

# Diagnostic: Check if a server is responding on port 80
sudo tcpdump -i eth0 -n 'tcp port 80 and host target-server'

# Security: Monitor SSH connection attempts (packets with SYN set; the logins themselves are encrypted)
sudo tcpdump -i eth0 'tcp port 22 and (tcp[tcpflags] & tcp-syn != 0)'

# Performance: Measure TCP handshake timing
sudo tcpdump -i eth0 -ttttt 'host db-server and port 5432'
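
Turning the SSH capture above into a per-source count, as an added example rather than code from the original page: the hypothetical ssh_syn_sources helper reads tcpdump -n text output and lists sources that sent at least a given number of pure SYN packets to port 22. The capture lines and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: count connection attempts (pure SYN) to port 22 per source.
# ssh_syn_sources is a hypothetical helper; it reads `tcpdump -n` text on stdin
# and prints "count source" for every source with at least MIN attempts.
ssh_syn_sources() {
    awk -v min="$1" '
        $2 ~ /^IP6?$/ && $7 == "[S]," && $5 ~ /\.22:$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)    # drop the source port
            syn[src]++
        }
        END { for (s in syn) if (syn[s] >= min) print syn[s], s }
    ' | sort -rn
}

# Constructed capture lines in the format shown above (not real traffic).
sample_capture() {
    cat <<'EOF'
12:00:01.000100 IP 198.51.100.7.40001 > 10.0.0.5.22: Flags [S], seq 1000, win 64240, length 0
12:00:01.000200 IP 10.0.0.5.22 > 198.51.100.7.40001: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.200100 IP 198.51.100.7.40002 > 10.0.0.5.22: Flags [S], seq 1100, win 64240, length 0
12:00:01.400100 IP 198.51.100.7.40003 > 10.0.0.5.22: Flags [S], seq 1200, win 64240, length 0
12:00:01.600100 IP 198.51.100.7.40004 > 10.0.0.5.22: Flags [S], seq 1300, win 64240, length 0
12:00:02.000100 IP 192.0.2.10.51515 > 10.0.0.5.22: Flags [S], seq 3000, win 64240, length 0
12:00:02.100100 IP 192.0.2.10.51515 > 10.0.0.5.22: Flags [.], ack 1, win 502, length 0
12:00:03.000100 IP 203.0.113.9.44444 > 10.0.0.5.443: Flags [S], seq 4000, win 64240, length 0
EOF
}

# Sources with three or more attempts in the sample window.
sample_capture | ssh_syn_sources 3
```

Live input needs -n so the port prints as 22 rather than ssh, and a packet limit such as -c 1000 so tcpdump exits and the counts are printed.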

nmap — Network Scanning

Nmap is the standard network exploration and security auditing tool. Use it to discover hosts, open ports, running services, and OS detection.

# Basic host discovery (ping sweep)
nmap -sn 192.168.1.0/24

# Scan specific ports
nmap -p 22,80,443,3306 10.0.0.5

# Service version detection
nmap -sV 10.0.0.5

# OS detection
nmap -O 10.0.0.5

# Aggressive scan (OS + services + scripts + traceroute)
nmap -A 10.0.0.5

# Scan from a file of targets
nmap -iL targets.txt

Expected output for nmap -sn 192.168.1.0/24:

Starting Nmap 7.80 ( https://nmap.org ) at 2026-06-20 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0015s latency).
Nmap scan report for 192.168.1.100
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.21 seconds

Nmap Scripts (NSE)

Nmap’s Scripting Engine provides hundreds of pre-built scripts for vulnerability detection, enumeration, and exploitation testing:

# HTTP security headers check
nmap --script http-security-headers -p 80,443 example.com

# SSL/TLS certificate check
nmap --script ssl-cert -p 443 example.com

# Brute force SSH
nmap --script ssh-brute -p 22 target

# List all available scripts
ls /usr/share/nmap/scripts/

# Run a script category (safe, default, vuln, etc.)
nmap --script "safe" target

Authorized Use Only: Running nmap against systems you don’t own or don’t have written permission to test is illegal in most jurisdictions. Always get explicit authorization first.

curl — Data Transfer and API Testing

Curl supports dozens of protocols and is the go-to tool for HTTP debugging, API testing, and file transfer automation.

# Basic GET request
curl https://api.example.com/users

# Show response headers
curl -I https://example.com

# Show full request/response details
curl -v https://example.com

# Follow redirects
curl -L http://example.com

# POST JSON data
curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice", "email": "alice@example.com"}'

# Download a file
curl -O https://example.com/file.zip

# Resume an interrupted download
curl -C - -O https://example.com/large-file.zip

# Timeout and retry
curl --connect-timeout 5 --max-time 30 --retry 3 https://example.com

HTTP Health Check Script

#!/bin/bash
# healthcheck.sh — Check service health
URL="${1:-http://localhost:8080/health}"

# A single request supplies both values, so the status and the timing describe the same response
result=$(curl -s -o /dev/null -w "%{http_code} %{time_total}" "$URL")
status_code=${result%% *}
response_time=${result##* }

if [ "$status_code" = "200" ]; then
    echo "HEALTHY — Status: $status_code, Time: ${response_time}s"
else
    echo "UNHEALTHY — Status: $status_code, Time: ${response_time}s"
    exit 1
fi

Expected output:

HEALTHY — Status: 200, Time: 0.045s

wget — Recursive Download and Mirroring

Wget excels at recursive downloads, mirroring entire websites, and batch file retrieval.

# Simple download
wget https://example.com/file.zip

# Download with a different name
wget -O output.zip https://example.com/file.zip

# Resume an interrupted download
wget -c https://example.com/large-file.zip

# Mirror a website (recursive)
wget --mirror --page-requisites --convert-links https://example.com

# Download with rate limiting
wget --limit-rate=200k https://example.com/large-file.zip

# Download from a list of URLs
wget -i urls.txt

curl vs wget — When to Use Which

| Feature | curl | wget |
|---|---|---|
| Recursive download | No (needs scripting) | Yes (native) |
| Protocols | DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP | HTTP, HTTPS, FTP, FTPS |
| Built-in retry | --retry | --tries |
| Cookie support | Yes | Yes (limited) |
| Upload files | -T file / -d data | --post-file |
| License | MIT-style | GPL |

Common Networking Mistakes

1. Forgetting to Run as Root

Packet capture tools (tcpdump, nmap) and interface configuration (ip) require root privileges. Running tcpdump -i eth0 without sudo gives Permission denied.

2. Confusing IPv4 and IPv6

ss -tlnp shows only IPv4 by default. Use ss -tlnp -6 or check the [::] vs 0.0.0.0 addresses in output. A service listening on 0.0.0.0:80 doesn’t automatically listen on IPv6.

3. Blocking Yourself with Firewall Rules

When applying firewall rules over SSH, always add a delay or use at to schedule a revert. A typo like sudo ufw deny 22 locks you out permanently.

4. Not Using -n (No DNS Resolution)

Commands like ss, tcpdump, and nmap perform DNS reverse lookups by default. In production environments with broken DNS, this causes hangs. Always use -n to skip the lookups, or --dns-servers with nmap to specify which resolvers to query.

5. Overly Broad nmap Scans

nmap -p- 10.0.0.0/8 scans all 65535 ports on all 16 million IPs. This generates massive traffic, may crash network equipment, and will certainly trigger intrusion detection systems.

6. Trusting traceroute Output

Modern networks use load balancers, firewalls, and MPLS which don’t always decrement TTL. Traceroute may show * * * for hops that actually exist but don’t respond to ICMP.

7. Ignoring Time Skew in Packet Captures

If your server’s clock is wrong, tcpdump timestamps are wrong. Always check date before capturing, and use sudo tcpdump --time-stamp-precision nano for high-resolution timing.

Practice Questions

1. What is the difference between ip addr show and ifconfig?
ip addr show is the modern replacement from iproute2. It shows the same information as ifconfig but supports JSON output, network namespaces, and is actively maintained. ifconfig is deprecated.

2. How do you find which process is listening on port 8080?
ss -tlnp sport = :8080 shows the PID and process name. The -p flag is essential — without it, process information is hidden.

3. What tcpdump command captures HTTP traffic to and from a specific host?
sudo tcpdump -i eth0 -A 'tcp port 80 and host 10.0.0.5' captures HTTP packets and shows the ASCII payload.

4. How does curl differ from wget for recursive downloads?
Curl does not support recursive download natively — it requires shell scripting with loops. Wget has --mirror and --recursive built in for mirroring entire sites.

5. Challenge: You suspect a server is dropping packets. Use three different tools to confirm or deny this, and explain what each tool reveals.
Answer: (1) ping -c 100 -f 8.8.8.8 — flood ping shows packet loss percentage. (2) ss -s — shows socket statistics including retransmissions. (3) tcpdump -i eth0 'icmp and host 8.8.8.8' — packet capture shows exactly which packets are lost or duplicated.

Mini Project: Network Health Dashboard

Create a script that monitors key network metrics and displays a real-time dashboard:

#!/bin/bash
# net_dashboard.sh — Network health dashboard
# Requires: ip, ss, ping, dig

DASHBOARD_REFRESH=5
TARGET_HOST="${1:-8.8.8.8}"

while true; do
    clear
    echo "=== Network Health Dashboard ==="
    echo "Updated: $(date '+%H:%M:%S')"
    echo ""

    # Interface stats
    echo "--- Interface Statistics ---"
    ip -s -h link show eth0 | grep -E "(RX|TX)" | head -4

    # Connection count
    total_conn=$(ss -tup | grep ESTAB | wc -l)
    listening=$(ss -tlnp | tail -n +2 | wc -l)
    echo ""
    echo "Active connections: $total_conn"
    echo "Listening services: $listening"

    # Latency check
    ping_result=$(ping -c 1 -W 2 "$TARGET_HOST" 2>/dev/null | grep "time=")
    if [ -n "$ping_result" ]; then
        latency=$(echo "$ping_result" | sed 's/.*time=//' | sed 's/ ms//')
        echo "Latency to $TARGET_HOST: ${latency}ms"
    else
        echo "Latency to $TARGET_HOST: TIMEOUT"
    fi

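    # DNS resolution time (bash's time keyword reports on the shell's stderr,
    # so the timed command is grouped and that stderr is redirected into the pipe)
    dns_time=$( { time dig +short "$TARGET_HOST" >/dev/null 2>&1; } 2>&1 | awk '/real/ {print $2}')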
    echo "DNS resolution: ${dns_time:-N/A}"

    sleep "$DASHBOARD_REFRESH"
done

Expected output (varies):

=== Network Health Dashboard ===
Updated: 10:05:23
--- Interface Statistics ---
    RX: 1.2G bytes 890K packets
    TX: 890M bytes 1.1M packets
Active connections: 47
Listening services: 8
Latency to 8.8.8.8: 12.3ms
DNS resolution: 0.045s

This dashboard runs continuously and refreshes every 5 seconds. DodaZIP uses a similar monitoring loop to track connection health across its distributed compression cluster, alerting when latency exceeds 500ms or packet loss exceeds 1%.

FAQ

What is the difference between ss and netstat?
ss is the modern replacement. It’s faster because it reads socket information directly from the kernel’s netlink interface instead of parsing /proc. ss supports filters on ports, states, and processes that netstat can’t match.
How do I capture traffic on a specific port with tcpdump?
Use sudo tcpdump -i eth0 port 80. For port ranges: portrange 8000-9000. Combine with host, tcp, udp for precise filters.
Is nmap legal to use?
Nmap is legal when used on networks you own or have written permission to scan. Scanning networks without authorization may violate computer fraud laws. Always get permission first.
How do I measure bandwidth usage per interface?
Use ip -s link for cumulative stats, nload or iftop for real-time monitoring, or vnstat for historical bandwidth data.
What’s the fastest way to download a large file?
Use curl -C - -O URL for resumable downloads, or aria2c -x 16 URL for multi-connection downloads. Wget with --continue also supports resumption.
How do I check if a specific port is reachable from outside?
Use a remote machine: nc -zv your-server.com 80. Or use an online port checker. From the server itself, use ss -tlnp to confirm the service is listening.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Updated 2026-06-20.
