Linux Network Commands Cheat Sheet
The iproute2 + diagnostic commands engineers actually use on Linux boxes in production. ifconfig, netstat, route and arp are deprecated — these are their replacements.
Interfaces & addresses
| Command | Purpose | Notes |
|---|---|---|
| ip a | List interfaces + addresses | Modern replacement for ifconfig. Use `ip -br a` for one line per interface. |
| ip link set eth0 up | Bring an interface up/down | Use `down` to disable. Survives until reboot only. |
| ip addr add 10.0.0.5/24 dev eth0 | Add an IP | Replace `add` with `del` to remove. Not persistent: to keep it across reboots, configure it in /etc/netplan or NetworkManager. |
| ethtool eth0 | Link speed, duplex, driver | `ethtool -S eth0` for per-queue stats. `ethtool -i eth0` for driver/firmware. |
| ip -s link show eth0 | Interface counters | RX/TX errors, drops, overruns — your first stop for NIC issues. |
Routing & neighbors
| Command | Purpose | Notes |
|---|---|---|
| ip r | Routing table | Replaces `route -n`. Use `ip r get 8.8.8.8` to ask which route a destination uses. |
| ip route add 10.1.0.0/16 via 10.0.0.1 | Add a static route | Add `dev eth0` to pin to interface. `ip r del` to remove. |
| ip neigh | ARP / NDP table | Replaces `arp -n`. Look for FAILED/STALE entries when L2 is suspicious. |
| ip -6 r | IPv6 routing | Same flow, different AF. Don't forget link-local fe80::/10. |
| ip rule | Policy routing | Multiple tables (PBR). `ip route show table 100` for a specific table. |
Connectivity & DNS
| Command | Purpose | Notes |
|---|---|---|
| ss -tulnp | Listening sockets + PIDs | Modern replacement for netstat. -t TCP, -u UDP, -l listening, -n no DNS, -p PID. |
| ss -tnp state established | Established TCP sessions | Filter by state. Combine with `dst :443` to scope. |
| ping -c 4 -W 1 host | ICMP reachability | -W timeout per probe in seconds. -i 0.2 for faster probes. |
| mtr -rwzbc 100 host | Continuous traceroute + loss | -r report mode, -w wide, -z ASN, -b show IPs, -c 100 cycles. Far better than plain traceroute. |
| traceroute -T -p 443 host | TCP traceroute on a port | Bypasses ICMP filtering. Use when normal traceroute hits a wall. |
| dig +short host | Quick DNS lookup | `dig host @1.1.1.1` to bypass local resolver. `+trace` to walk the delegation chain. |
| nslookup -type=mx domain | Record-type lookup | Quick when you don't want dig's verbosity. |
| host -a domain | All records for a name | Friendlier output than dig for a one-shot check. |
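
The `ss -tulnp` row above doubles as a quick exposure check: anything bound to a wildcard or routable address is reachable from off-host unless a firewall says otherwise. The script below is an added example, not part of the original cheat sheet; it parses a constructed sample of `ss -tulnp` output, and the function names `sample_ss_output` and `audit_listeners` are illustrative.

```shell
#!/bin/sh
# Added example: flag listeners from `ss -tulnp` that are reachable off-host.

# Constructed sample of `ss -tulnp` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=701,fd=9))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=990,fd=6))
tcp   LISTEN 0      151    10.0.0.5:3306      0.0.0.0:*         users:(("mysqld",pid=1033,fd=21))
tcp   LISTEN 0      4096   [::]:9100          [::]:*            users:(("node_exporter",pid=1201,fd=3))
tcp   LISTEN 0      244    [::1]:5432         [::]:*            users:(("postgres",pid=1100,fd=5))
tcp   LISTEN 0      4096   *:8080             *:*
EOF
}

# Reads `ss -tulnp` output on stdin; prints "scope proto addr port process"
# for every listener that is not bound to a loopback address.
audit_listeners() {
    awk '
    $1 == "Netid" { next }                       # header row
    $2 != "LISTEN" && $2 != "UNCONN" { next }    # TCP listeners, unconnected UDP
    {
        n = split($5, part, ":")                 # port follows the last colon
        port = part[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::] -> ::
        sub(/%.*/, "", addr)                     # drop the %iface scope suffix
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only, skip
        scope = (addr == "0.0.0.0" || addr == "::" || addr == "*") ? "wildcard" : "specific"
        proc = "-"                               # empty when ss lacks privileges
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        printf "%s %s %s %s %s\n", scope, $1, addr, port, proc
    }'
}

sample_ss_output | audit_listeners
```

On a live host, run `ss -tulnp | audit_listeners` as root so the process column is populated, then compare each reported port against the firewall rules.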
Capture & throughput
| Command | Purpose | Notes |
|---|---|---|
| tcpdump -i any -nn 'port 443' | Live capture | -nn no name resolution, -i any all ifaces. See the tcpdump cheatsheet for BPF filters. |
| tcpdump -i eth0 -w cap.pcap host 10.0.0.5 | Save to file for Wireshark | Add `-C 100 -W 10` to rotate 100MB × 10 files. |
| iftop -i eth0 -nNP | Live bandwidth per flow | Top-talkers in real time. -P shows ports. |
| nload eth0 | Per-interface throughput graph | Quick visual of in/out rates. |
| iperf3 -c host -P 4 -t 30 | Throughput test | Run `iperf3 -s` on the other end. -P parallel streams, -R reverse direction. |
Firewall & conntrack
| Command | Purpose | Notes |
|---|---|---|
| iptables -L -n -v | Show rules + counters | -n no DNS, -v counters. Add `--line-numbers` to delete by index. |
| nft list ruleset | nftables equivalent | Most modern distros use nftables under the hood. |
| ufw status verbose | UFW firewall state | Ubuntu's friendly frontend. `ufw allow 22/tcp` to add. |
| firewall-cmd --list-all | firewalld state | RHEL/CentOS. Add `--permanent` to persist; reload after. |
| conntrack -L -p tcp | Connection tracking table | When NAT misbehaves, look here. `conntrack -S` for stats. |
FAQ
- What replaced ifconfig, netstat, route and arp?
  All four are deprecated and replaced by the iproute2 suite: ifconfig → `ip a` / `ip link`, netstat → `ss`, route → `ip r`, arp → `ip neigh`. They're faster, more accurate, and the only reliable tools on modern interfaces with multiple addresses or VLANs.
- Why does ss show more sockets than netstat did?
  ss reads directly from kernel netlink, so it sees every namespace and every state. netstat parses /proc and missed sockets in certain states. Trust ss.
- Why does my static route disappear after reboot?
  `ip route add` is runtime only. Persist via /etc/netplan (Ubuntu), nmcli (NetworkManager), /etc/sysconfig/network-scripts (RHEL legacy), or /etc/systemd/network/*.network (systemd-networkd).
- Why is ping working but my app can't connect?
  ICMP and TCP take different paths in many firewalls. Use `nc -zv host port` or `curl -v telnet://host:port` to test the actual TCP port your app uses. Also check conntrack and iptables counters.
- What's the difference between traceroute and mtr?
  traceroute sends one round of probes per hop. mtr sends probes continuously and shows per-hop loss and latency over time — far more useful for diagnosing intermittent issues. Use mtr by default.