Network CLI Troubleshooting Commands for DevOps Engineers

· 5 min read · Stew Team
Tags: cli, troubleshooting, network, devops

Network issues cause more production incidents than almost anything else. The right CLI troubleshooting commands help you isolate whether the problem is DNS, routing, firewall, or application-level.

This guide covers network-specific troubleshooting commands. For system-level commands, see our Linux CLI troubleshooting guide.

Connectivity Testing Commands

Start with basic connectivity to narrow down the problem.

ICMP Ping

ping -c 5 target-host

Confirms network path exists. Packet loss indicates network instability.

TCP Connectivity Test

nc -zv -w 5 hostname 443

Tests if a specific port is reachable. More useful than ping for application debugging.

Multiple Port Check

for port in 80 443 8080; do nc -zv -w 5 hostname "$port" 2>&1; done

Quickly test multiple ports.

Telnet Alternative

timeout 5 bash -c 'cat < /dev/null > /dev/tcp/hostname/443' && echo "Open" || echo "Closed"

Works when netcat isn’t installed.

DNS Troubleshooting Commands

DNS problems masquerade as application failures.

Basic DNS Lookup

dig hostname +short

Quick lookup returning just the IP address.

Full DNS Query

dig hostname

Shows the complete response, including TTL and authoritative servers.

Query Specific DNS Server

dig @8.8.8.8 hostname

Test against a known-good DNS server to isolate resolver issues.

Reverse DNS Lookup

dig -x 10.0.0.1

Find hostname from IP address.

DNS Trace

dig +trace hostname

Follow the complete DNS resolution path from root servers.

Check All Record Types

dig hostname ANY

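Requests all record types (A, AAAA, MX, TXT, and others). Many servers now answer ANY queries with a minimal response (RFC 8482), so query specific record types individually if the output looks incomplete.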

DNS Cache Check

systemd-resolve --status

View cached DNS entries on systems using systemd-resolved.

Latency and Performance Commands

Slow networks need different tools than broken networks.

Traceroute

traceroute hostname

Shows each hop between you and the destination. Identify where latency increases.

TCP Traceroute

traceroute -T -p 443 hostname

Uses TCP instead of ICMP. Works when ICMP is blocked.

MTR (Continuous Traceroute)

mtr -rw hostname

Combines ping and traceroute. Report mode shows packet loss per hop.

Measure HTTP Latency

curl -o /dev/null -s -w "Connect: %{time_connect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n" https://hostname

Breaks down connection time, time to first byte, and total time.

TCP Connection Timing

curl -o /dev/null -s -w "%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n" https://hostname

Detailed timing breakdown for HTTPS requests.
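
The five timers in that format string are cumulative from the start of the request, so the useful number is the difference between neighbours. The following added example (not from the original post; the function names and the sample line are constructed for illustration) converts one output line into per-phase durations in milliseconds and names the slowest phase.

```bash
#!/usr/bin/env bash
# Added example: split curl's cumulative timers into per-phase durations (ms).
# Input is one line in the order used above:
#   time_namelookup time_connect time_appconnect time_starttransfer time_total

# Constructed sample line (not a real measurement).
SAMPLE='0.004512 0.016230 0.061874 0.842100 0.843980'

phase_breakdown() {
  printf '%s\n' "$1" | LC_ALL=C awk '{
    dns = $1                          # resolver lookup
    tcp = $2 - $1                     # TCP handshake
    tls = ($3 + 0 > 0) ? $3 - $2 : 0  # time_appconnect is 0 for plain HTTP
    ready = ($3 + 0 > 0) ? $3 : $2    # moment the connection became usable
    srv = $4 - ready                  # request sent until first response byte
    xfer = $5 - $4                    # body download
    printf "dns=%.1f tcp=%.1f tls=%.1f server=%.1f transfer=%.1f\n",
           dns * 1000, tcp * 1000, tls * 1000, srv * 1000, xfer * 1000
  }'
}

# Name of the phase with the largest share of the total time.
slowest_phase() {
  phase_breakdown "$1" | tr ' ' '\n' | LC_ALL=C sort -t= -k2,2nr | head -n 1 | cut -d= -f1
}

# Live use: measure a URL with the format string from the article.
time_url() {
  phase_breakdown "$(curl -o /dev/null -s -w \
    '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n' "$1")"
}

# With no arguments, show the breakdown for the constructed sample.
if [ "$#" -gt 0 ]; then time_url "$1"; else phase_breakdown "$SAMPLE"; fi
```

A large `dns` share points at the resolver, `tcp` or `tls` at the network path or handshake, and `server` at the application behind it.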

Packet Analysis Commands

When you need to see what’s actually on the wire.

Capture Traffic

tcpdump -i eth0 host hostname -w capture.pcap

Capture packets for later analysis.

Live Traffic View

tcpdump -i eth0 port 443 -n

Watch traffic in real-time. -n skips DNS resolution for speed.

HTTP Traffic

tcpdump -i eth0 -A -s 0 'tcp port 80'

Capture and display HTTP content (unencrypted only).

Connection Attempts

tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'

Watch for new connection attempts.

Port and Socket Commands

Understanding what’s listening and connected.

Listening Ports

ss -tlnp

Shows all TCP listening ports and their processes.

All Connections

ss -tn

All established TCP connections.

Connection Count by State

ss -s

Summary of socket states. High TIME_WAIT may indicate problems.

Connections to Specific Port

ss -tn dport = :443

Filter connections to a specific destination port.

Process Network Activity

lsof -i -P -n | grep ESTABLISHED

Show established connections with process names.

Firewall Troubleshooting Commands

Firewalls silently drop traffic, making them tricky to debug.

List iptables Rules

iptables -L -n -v

View all rules with packet counts.

Check Specific Chain

iptables -L INPUT -n -v --line-numbers

Numbered rules for easier identification.

Watch for Drops

watch -n 1 'iptables -L -n -v | grep DROP'

Monitor drop counters in real-time.

nftables Status

nft list ruleset

For systems using nftables instead of iptables.

HTTP/API Troubleshooting Commands

Application-layer network issues.

Basic HTTP Request

curl -I https://hostname

Fetch headers only. Quick way to test HTTP connectivity.

Full Response with Headers

curl -v https://hostname

Verbose output showing connection details and headers.

Test with Specific Host Header

curl -H "Host: specific-host.com" http://ip-address

Useful for testing load balancer routing.

Follow Redirects

curl -L -v https://hostname

Shows each redirect step.

Test with Timeout

curl --connect-timeout 5 --max-time 10 https://hostname

Fail fast on slow connections.

Building Network Troubleshooting Runbooks

Combine these CLI troubleshooting commands into structured procedures:

# Service Connectivity Investigation

## Step 1: DNS Check
```bash
dig service.internal +short
```

## Step 2: Port Connectivity
```bash
nc -zv -w 5 service.internal 443
```

## Step 3: Latency Check
```bash
mtr -rwc 10 service.internal
```

## Step 4: HTTP Test
```bash
curl -o /dev/null -s -w "HTTP %{http_code} in %{time_total}s\n" https://service.internal/health
```

For more structured procedures, see our runbook examples.
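
The runbook steps above can be chained so that the first failing layer is reported and the later checks are skipped. This is an added example, not part of the original post or of Stew's product; the function names, the default port and the default path are assumptions, and the latency step is left out because mtr produces a report rather than a pass/fail result.

```bash
#!/usr/bin/env bash
# Added example: the runbook steps as one script that names the first failing layer.
# Function names and defaults (port 443, path /health) are assumptions for illustration.

# DNS: dig +short prints ";; ..." diagnostics on stdout when no server answers,
# so only lines that are not comments count as an answer.
check_dns() { dig +short "$1" 2>/dev/null | grep -qv '^;'; }

# TCP: options placed before the operands so BSD and GNU netcat both accept them.
check_tcp() { nc -z -w 5 "$1" "$2" >/dev/null 2>&1; }

# HTTP: curl reports 000 when it got no response at all; 4xx/5xx mean the
# application answered but is unhealthy. Only 2xx and 3xx pass.
http_ok() { case "$1" in 2??|3??) return 0 ;; *) return 1 ;; esac; }

check_http() {
  code=$(curl -o /dev/null -s --connect-timeout 5 --max-time 10 \
    -w '%{http_code}' "https://$1:$2$3")
  http_ok "$code"
}

# Run the checks in dependency order; print the failing layer and stop there.
diagnose() {
  host=$1; port=${2:-443}; path=${3:-/health}
  check_dns "$host"                  || { echo dns;  return 1; }
  check_tcp "$host" "$port"          || { echo tcp;  return 2; }
  check_http "$host" "$port" "$path" || { echo http; return 3; }
  echo ok
}

if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```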

Making Network Commands Executable

Stew transforms your network CLI troubleshooting commands into executable runbooks. Run diagnostics with a click, share procedures with your team, and document what worked.

Join the waitlist and streamline your network troubleshooting.