What is Linux network monitoring?
Linux network monitoring deals with checking, analyzing, reporting, and optimizing Linux-based networks. As this operating system is the de facto standard on the majority of servers, enterprise networks, and cloud services, Linux network monitoring is an important area for any network administrator to focus on.
Network monitoring for Linux is not vastly different from any other operating system. The metrics that are collected are the same, but the methods to collect them differ. As is traditional for Linux systems, a good number of CLI applications are available for free to enable some network monitoring tasks. These are basic tools, which cannot replace full-fledged network monitoring software that supports infinitely more devices, checks, and operating systems.
Most of these small Linux network tools serve as the foundation for many larger ones, and are suitable for quick checks or automation of specific monitoring duties in absence of a more complete monitoring solution. Especially in small networks or as the first steps in troubleshooting, basic Linux monitoring tools can give initial insights.
Linux network monitoring is thus made of both basic apps (mostly CLI-based) and large, fairly more complex and advanced network monitoring and network traffic monitoring systems.
How to monitor network traffic on Linux hosts?
To monitor network traffic on Linux, there are a few possible routes to take. The first option, and the option the vast majority of network administrators will opt for, is a fully capable network monitoring tool. These tools are advanced and offer a great choice of monitoring and managing options for Linux hosts. Most of them will include the possibility of monitoring all the traffic on a device, often in real time. This is by far the most common and complete option.
Another route for network traffic monitoring on Linux is a packet sniffer. It is a complete solution as it grabs all packets, but it is both time- and resource-consuming, and not the most user-friendly option.
Third, a simpler, albeit limited, route is using the Linux firewall to track traffic on a per-host basis. iptables offers the -nvL combination of options (list the rules with verbose packet and byte counters, numeric addresses) that shows traffic statistics for each rule. Along with iptables -L to show the current rules, it gives a fairly sufficient view of network traffic on a single host.
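The per-rule counters are most useful once they are in a form that can be sorted or compared between two runs. The shell functions below are an added example, not part of the original article and not Checkmk code: they parse iptables -nvL output into a tab-separated table of chain, target, packets, bytes and match specification, and list the rules that have matched the most traffic. The iptables output in the block is constructed, and the column layout assumed is the classic one (pkts bytes target prot opt in out source destination, then the match).

```sh
# Added example, not from the original article: turn "iptables -nvL" output into
# a per-rule byte/packet table that can be sorted, diffed or fed to a check.
# Assumed column layout: pkts bytes target prot opt in out source destination [match...]

# Constructed sample of "iptables -nvL" output (not captured from a real host).
SAMPLE_IPTABLES=$(cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4821  612K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9310   14M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   37  2220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  118  7080 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# iptables_rule_counters: reads "iptables -nvL" output on stdin and prints
# "chain<TAB>target<TAB>packets<TAB>bytes<TAB>match" per rule, plus one
# POLICY-<verdict> line per chain for packets that fell through to the policy.
# Without -x, iptables abbreviates counters (K/M/G, 1000-based); they are
# expanded here, but "iptables -nvxL" prints exact values if you need them.
iptables_rule_counters() {
    awk '
        function to_number(s,   mult) {
            mult = 1
            if (s ~ /K$/) mult = 1000
            else if (s ~ /M$/) mult = 1000000
            else if (s ~ /G$/) mult = 1000000000
            sub(/[KMG]$/, "", s)
            return s * mult
        }
        /^Chain / {
            chain = $2
            if ($3 == "(policy") printf "%s\tPOLICY-%s\t%d\t%d\t\n", chain, $4, $5, $7
            next
        }
        /^ *pkts +bytes/ { next }   # column header
        NF == 0 { next }            # blank line between chains
        {
            spec = ""
            for (i = 10; i <= NF; i++) spec = spec (i > 10 ? " " : "") $i
            printf "%s\t%s\t%d\t%d\t%s\n", chain, $3, to_number($1), to_number($2), spec
        }
    '
}

# iptables_top_bytes [N]: reads the table above on stdin and prints the N rules
# (default 3) that have matched the most bytes.
iptables_top_bytes() {
    tab=$(printf '\t')
    sort -t "$tab" -k4,4nr | head -n "${1:-3}"
}

# Demo on the sample; on a live host:
#   sudo iptables -nvL | iptables_rule_counters | iptables_top_bytes 5
printf '%s\n' "$SAMPLE_IPTABLES" | iptables_rule_counters | iptables_top_bytes 3
```

Saving the table once a day and diffing it against the previous one shows which rules are suddenly matching traffic they never saw before, for instance a DROP rule whose byte count jumps, which is a cheaper first signal than a full packet capture.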
Basic tools for Linux network monitoring
Network monitoring for Linux means either using a few Linux network tools available for free under any Linux distribution, or going the advanced route and using a proper network monitoring solution. In enterprise networks, this is not a choice, as the basic tools of Linux alone are not capable of serving all the monitoring needs of a large network infrastructure. A complete monitoring solution is therefore a necessity, not an option.
But tiny companies, with a few computers and fairly straightforward network topologies, may find the monitoring tools of Linux sufficient, even if not optimal. For any interested network administrator, we present some of the useful tools for network monitoring under Linux to show their possibilities.
netstat (ss)
netstat, in most recent distribution releases replaced by ss, is a tool to display the content of /proc/net. It focuses on showing connection and routing table info on all local ports. It is of no use for monitoring remote hosts but can provide a quick idea of local traffic, and is considered a basic network traffic monitoring tool for Linux.
A very short example of its output can be:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 127.0.0.1.62132 127.0.0.1.http ESTABLISHED
tcp4 0 0 127.0.0.1.http * LISTEN
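Output like the above is easy to read by eye but awkward to act on. The shell functions below are an added example, not part of the original article and not Checkmk code: they summarise the output of ss -tan (the modern replacement for netstat on Linux) into connections per state, and list the peers holding the most connections in a given state, which is the quick check to run when a host appears to be under a connection flood or a service is leaking sockets. The ss output in the block is constructed from documentation addresses, and the column layout assumed is iproute2's (State Recv-Q Send-Q Local:Port Peer:Port).

```sh
# Added example, not from the original article: summarise "ss -tan" output.
# Assumed iproute2 column layout: State Recv-Q Send-Q Local:Port Peer:Port [...]

# Constructed sample of "ss -tan" output (documentation addresses, not real hosts).
SAMPLE_SS=$(cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      128    0.0.0.0:22             0.0.0.0:*
LISTEN     0      511    *:443                  *:*
ESTAB      0      0      10.0.0.5:22            10.0.0.9:51234
ESTAB      0      0      10.0.0.5:443           198.51.100.7:40001
ESTAB      0      0      10.0.0.5:443           198.51.100.7:40002
ESTAB      0      0      [::ffff:10.0.0.5]:443  [::ffff:203.0.113.4]:55120
TIME-WAIT  0      0      10.0.0.5:443           198.51.100.7:39990
SYN-RECV   0      0      10.0.0.5:443           198.51.100.7:39991
EOF
)

# conn_states: reads ss output on stdin, prints "STATE<TAB>count", one line per state.
conn_states() {
    awk 'NR > 1 { n[$1]++ } END { for (s in n) printf "%s\t%d\n", s, n[s] }' | sort
}

# conn_top_peers [N] [STATE]: reads ss output on stdin and prints the N peer
# addresses (default 5) with the most connections in STATE (default ESTAB),
# as "count<TAB>peer". Ports are stripped so v4 and [v6] peers both work.
conn_top_peers() {
    awk -v state="${2:-ESTAB}" '
        NR > 1 && $1 == state {
            peer = $5
            sub(/:[^:]*$/, "", peer)      # drop ":port", keep the address (or [v6])
            n[peer]++
        }
        END { for (p in n) printf "%d\t%s\n", n[p], p }
    ' | sort -rn | head -n "${1:-5}"
}

# Demo on the constructed sample; on a live host use, for example:
#   ss -tan | conn_states
#   ss -tan | conn_top_peers 10 SYN-RECV
printf '%s\n' "$SAMPLE_SS" | conn_states
printf '%s\n' "$SAMPLE_SS" | conn_top_peers 3
printf '%s\n' "$SAMPLE_SS" | conn_top_peers 3 SYN-RECV
```

A sudden pile of SYN-RECV entries from a handful of peers, or one peer holding far more ESTAB connections than any other, is exactly the kind of local signal that a full monitoring system would alert on; here it has to be noticed by whoever runs the command.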
tcpdump
tcpdump is a sniffer, a program that captures packets off a network interface and interprets them for you. It understands all basic internet protocols and can be used to save entire packets for later inspection. While far from being as refined as a Linux network monitoring tool that makes use of flow protocols, it provides a raw dump of packets on an interface to be analyzed later or in real time.
Wireshark is a graphical interface for tcpdump.
ping
ping uses ICMP to send echo requests to remote hosts to check if they are up (and set up to answer). As a Linux network tool, it is of the most basic type, informing only whether a host is reachable and responding. Yet for quick troubleshooting it may be worth launching a terminal and trying the ping command to immediately rule in or rule out a range of causes for the issue at hand.
traceroute / tracepath
traceroute and tracepath are two Linux network tools that show the route to a destination, and are thus used to troubleshoot routing issues on Linux. Technically, traceroute is the more advanced of the two, using various protocols like TCP, UDP, and ICMP to find the correct route, while tracepath only implements UDP. traceroute can manipulate the probe packets, while tracepath stops at sending them.
An example run of traceroute to find the path to www.checkmk.com:
# traceroute www.checkmk.com
traceroute to www.checkmk.com (45.133.11.28), 30 hops max, 60 byte packets
1 kl****** (172.27.224.1) 0.546 ms 0.494 ms 0.661 ms
2 192.168.0.1 (192.168.0.1) 16.455 ms 6.095 ms 20.363 ms
3 * * *
4 89-75-5-97.infra.chello.pl (89.75.5.97) 34.704 ms 26.233 ms 32.822 ms
5 pl-krk07a-ra1-ae-0-1499.aorta.net (84.116.193.21) 66.906 ms 66.897 ms 41.181 ms
6 pl-ktw01a-rc1-ae-7-1400.aorta.net (84.116.193.26) 41.173 ms 35.290 ms 35.265 ms
7 de-fra11b-rc1-ae-24-0.aorta.net (84.116.137.50) 29.571 ms 43.890 ms 32.941 ms
8 de-fra02a-ri1-ae-48-0.aorta.net (84.116.130.62) 32.934 ms 62.005 ms 60.596 ms
9 213.46.179.114.aorta.net (213.46.179.114) 42.129 ms 32.907 ms 42.884 ms
10 ae1-0.bbr01.anx82.fra.de.anexia-it.net (144.208.208.145) 55.262 ms 42.881 ms 42.877 ms
11 ae0-0.bbr02.anx82.fra.de.anexia-it.net (144.208.208.147) 42.097 ms 60.530 ms 42.851 ms
12 fra1.mx204.ae3.anexia.as48314.net (144.208.211.213) 41.432 ms 42.822 ms 29.554 ms
13 fra1.cc.as48314.net (194.45.196.22) 43.541 ms 54.044 ms 57.596 ms
dig / nslookup
dig and nslookup are two simple Linux network tools used to query DNS-related information, like the DNS records of a server, the IP address, the DNS servers used to resolve its domain and more. They are fairly similar, showing only slightly different info.
For instance, dig output looks like this:
# dig www.checkmk.com
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> www.checkmk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43707
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.checkmk.com. IN A
;; ANSWER SECTION:
www.checkmk.com. 0 IN A 45.133.11.28
;; Query time: 0 msec
;; SERVER: 172.27.224.1#53(172.27.224.1) (UDP)
;; WHEN: Thu Dec 15 10:49:02 CET 2022
;; MSG SIZE rcvd: 64
ifconfig / iwconfig
A tool with more management capabilities is ifconfig. It is used under Linux to configure network interfaces, display their current configuration, and activate or deactivate them as needed. For wired connections, ifconfig is the one to utilize, while iwconfig is used to configure wireless interfaces.
ip
As far as Linux network tools go, ip is probably the Swiss Army knife of the bunch. It shows and manipulates routing paths, devices, policies, and tunnels. It can bring interfaces up or down, set their IP addresses and default route, and much more. As a network monitoring tool for Linux, it has limited power, being more useful as a troubleshooting aid.
lsof
lsof is not the first command that comes to mind when thinking of Linux network monitoring tools. After all, its name is an acronym for “list open files”. How does it help administrators trying to monitor networks?
Because everything under Linux, as it was under Unix, is a file, network connections included. lsof can be used to show network activity like:
lsof -nP -i
This will show all connections. If only established connections are desired, lsof can be run with the following options:
lsof -nP -iTCP -sTCP:ESTABLISHED
lsof is rather limited to these or similar tasks, but for just viewing network activity, it is a simple enough command that can help in troubleshooting Linux network issues.
iftop
Where the well-known top shows the local processes on a Linux system, iftop does the same but for network activity. Just running it without arguments opens a command-line interface very similar to the top command. In this interface, you can see active connections, their origin and destination addresses or domains, and how much bandwidth each is using, with a grand total at the bottom. iftop is thus useful for calculating how much bandwidth is being used, for example if we are on a metered connection and want to limit our network utilization.
But iftop can also serve as a simple little utility to show Linux network activity, regardless of how interested we are in the actual bandwidth.
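The bandwidth figures iftop displays are ultimately derived from the per-interface counters the kernel exposes in /proc/net/dev, the same /proc/net directory netstat reads. The shell functions below are an added example, not part of the original article and not Checkmk code: they compute receive and transmit rates, plus dropped packets, from two snapshots of that file, which is the minimal scripted equivalent of iftop's grand total. The two snapshots in the block are constructed, and the column layout assumed is the one the kernel has used for years (receive bytes first, transmit bytes in the ninth numeric column).

```sh
# Added example, not from the original article: per-interface throughput from
# two snapshots of /proc/net/dev, the kernel counter file behind iftop-style
# bandwidth figures. Assumed layout per line:
#   iface: rx_bytes rx_packets rx_errs rx_drop rx_fifo rx_frame rx_compressed rx_multicast tx_bytes tx_packets ...

# Constructed snapshots, taken 2 seconds apart (values are made up).
SAMPLE_DEV_T0=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   40000     200    0    0    0     0          0         0    40000     200    0    0    0     0       0          0
  eth0: 1000000    2000    0    3    0     0          0         0   500000    1500    0    0    0     0       0          0
EOF
)
SAMPLE_DEV_T1=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   40000     200    0    0    0     0          0         0    40000     200    0    0    0     0       0          0
  eth0: 3500000    4100    0    8    0     0          0         0   625000    1700    0    0    0     0       0          0
EOF
)

# net_dev_rates INTERVAL_SECONDS BEFORE_FILE AFTER_FILE
# Prints "iface<TAB>rx_bytes_per_s<TAB>tx_bytes_per_s<TAB>rx_drops_in_interval".
# Interfaces present only in the second snapshot are skipped; counters are
# 64-bit on current kernels, so wraparound is not handled here.
net_dev_rates() {
    awk -v dt="$1" '
        FNR <= 2 { next }                     # two header lines per snapshot
        {
            split($0, parts, ":")             # "eth0:" can be glued to the first number
            iface = parts[1]; gsub(/ /, "", iface)
            split(parts[2], f, " ")           # f[1]=rx bytes, f[4]=rx drop, f[9]=tx bytes
            if (NR == FNR) { rx0[iface] = f[1]; tx0[iface] = f[9]; drop0[iface] = f[4] }
            else if (iface in rx0) printf "%s\t%.0f\t%.0f\t%d\n", iface, (f[1] - rx0[iface]) / dt, (f[9] - tx0[iface]) / dt, f[4] - drop0[iface]
        }
    ' "$2" "$3"
}

# live_rates [INTERVAL_SECONDS]: sample the live counters twice (default 2 s apart).
live_rates() {
    dt=${1:-2}
    tmp=$(mktemp -d) || return 1
    cat /proc/net/dev > "$tmp/t0"
    sleep "$dt"
    cat /proc/net/dev > "$tmp/t1"
    net_dev_rates "$dt" "$tmp/t0" "$tmp/t1"
    rm -rf "$tmp"
}

# demo_rates: run net_dev_rates on the constructed snapshots (2 s apart).
demo_rates() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_DEV_T0" > "$tmp/t0"
    printf '%s\n' "$SAMPLE_DEV_T1" > "$tmp/t1"
    net_dev_rates 2 "$tmp/t0" "$tmp/t1"
    rm -rf "$tmp"
}
demo_rates
```

Run live_rates 5 on a host to get a five-second average per interface; the dropped-packet column is worth watching alongside the rates, since drops that rise while throughput stays flat usually point at a buffer or driver problem rather than at load.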
iptraf
Pretty much a more featureful version of iftop, iptraf has a similar interface too. Active connections are shown with their destination IP addresses, next to the packet numbers and sizes. iptraf is a packet capture tool as well, and the live statistic of packets is shown in the lower half of the program. iptraf can also show a summary of the current open ports, which is quite handy in troubleshooting firewall misconfigurations or noticing intrusions. All in all, a good tool for showing network activity on Linux.
Why use an advanced network monitoring tool for Linux?
Network monitoring for Linux can be done in a pinch with the basic tools that Linux provides. For quick troubleshooting or simple scripted automation of a few checks, these are sufficient. They also have the advantage of being available on virtually any Linux distribution, as they are often already pre-installed.
But network monitoring requires far more features and better control. To comfortably monitor network traffic on Linux, for example, more than just a packet sniffer, like tcpdump, is necessary. Network traffic monitoring on Linux is a rather difficult area to cover with only the simplistic tools that we covered earlier. Features like reporting, alerting, and flow monitoring are impossible to achieve with basic tools. That deficiency has led to the development of a series of advanced monitoring tools that are used by companies in many industries to monitor their Linux-based infrastructure.
Advanced network monitoring tools for Linux exist for the advanced use cases. Along with providing a wealth of sophisticated features, supporting monitoring via specific protocols such as SNMP, they come with a much easier-to-use and, especially, easier-to-read interface.
Advanced tools can easily monitor traffic, via the support of flow-based protocols for instance, and alert you whenever any parameter goes above or below a threshold. This is something that would be achievable only with extensive scripting with the basic Linux tools, and even then not with the granularity that large networks require. In addition, this would cost a lot of man-hours to set up. For most companies, this is not enough for their needs, so proper network monitoring software like Checkmk is the right solution.
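The threshold alerting described above can indeed be scripted on top of the basic tools, and the block below shows what that looks like for the simplest case. It is an added example, not part of the original article and not Checkmk code: evaluate_ping parses the summary that ping prints and turns packet loss and average round-trip time into OK, WARNING and CRITICAL results with matching exit codes, and check_hosts runs it over a list of hosts so a cron job can notify on the worst result. The two ping transcripts in the block are constructed, and the hosts in them are documentation addresses.

```sh
# Added example, not from the original article: threshold alerting on top of
# the basic ping tool. evaluate_ping parses ping's summary and maps packet
# loss / average RTT to OK, WARNING, CRITICAL exit codes, which is what a
# cron job or a monitoring agent's local check would act on.

# Constructed ping output (documentation addresses 192.0.2.x, not real hosts).
SAMPLE_PING_DEGRADED=$(cat <<'EOF'
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=12.3 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=63 time=15.1 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=63 time=11.9 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=63 time=14.4 ms

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4006ms
rtt min/avg/max/mdev = 11.902/13.427/15.101/1.204 ms
EOF
)
SAMPLE_PING_DEAD=$(cat <<'EOF'
PING 192.0.2.20 (192.0.2.20) 56(84) bytes of data.

--- 192.0.2.20 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4087ms
EOF
)

# evaluate_ping HOST MAX_LOSS_PERCENT MAX_AVG_MS: reads ping output on stdin,
# prints one status line and exits 0 (OK), 1 (WARNING: slow), 2 (CRITICAL:
# loss above limit) or 3 (UNKNOWN: no statistics line, e.g. ping itself failed).
evaluate_ping() {
    awk -v host="$1" -v max_loss="$2" -v max_avg="$3" '
        /packet loss/ {
            for (i = 1; i <= NF; i++) if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss) }
        }
        /^(rtt|round-trip) min\/avg\/max/ {    # Linux and BSD spellings of the RTT line
            split($4, r, "/"); avg = r[2]
        }
        END {
            if (loss == "") { printf "UNKNOWN %s: no ping statistics found\n", host; exit 3 }
            status = "OK"
            if (loss + 0 > max_loss + 0) status = "CRITICAL"
            else if (avg != "" && avg + 0 > max_avg + 0) status = "WARNING"
            printf "%s %s: loss=%s%% avg=%s\n", status, host, loss, (avg == "" ? "n/a" : avg "ms")
            exit (status == "OK" ? 0 : (status == "WARNING" ? 1 : 2))
        }
    '
}

# check_hosts MAX_LOSS_PERCENT MAX_AVG_MS HOST...: pings each host (5 probes,
# 2 s reply timeout) and returns the worst status seen, so
#   check_hosts 10 50 gateway db1 || mail -s "ping check failed" ops@example.invalid
# is enough for a cron-driven alert. Needs network access; not run in the demo below.
check_hosts() {
    max_loss=$1; max_avg=$2; shift 2
    worst=0
    for h in "$@"; do
        rc=0
        ping -c 5 -W 2 "$h" 2>/dev/null | evaluate_ping "$h" "$max_loss" "$max_avg" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Demo on the constructed samples (thresholds: 10 % loss, 50 ms average).
printf '%s\n' "$SAMPLE_PING_DEGRADED" | evaluate_ping 192.0.2.10 10 50 || true
printf '%s\n' "$SAMPLE_PING_DEAD"     | evaluate_ping 192.0.2.20 10 50 || true
```

This is one metric for one tool. Every further metric the article mentions (bandwidth per interface, open ports, flow data) needs its own parser, its own thresholds and its own notification path, plus state handling so that a flapping host does not page someone every minute, which is where the scripting effort starts to outweigh deploying a monitoring system.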
The only relative disadvantages of advanced network monitoring tools for Linux are that they need to be deployed, and their resource usage is higher compared to simpler CLI tools. The first is negligible, since most of them come with full support for the main Linux distributions and are prepackaged; the second is worth it because of the plethora of offered features, ease of use, and robustness that come with them.
Plus, it is not even a matter of costs. Checkmk Raw is free to use. The commercial editions do come at a cost, but with the benefit of support and a larger set of features and supported services. You can test Checkmk Trial free of charge for 30 days. Network monitoring for Linux does not have to be pricey.
FAQ
For bandwidth monitoring on Linux, a few specific tools exist. Not necessarily the most powerful, but probably the best known ones are NetHogs and IPTraf.
There are a few ways to check network speed on Linux. Without installing specific tools, the quickest is using ethtool as:
sudo ethtool eth0 | grep Speed
This will only show the nominal link speed, though. For the actual network speed, a more accurate tool is speedtest-cli, a Python app installable via pip with pip install speedtest-cli.
The simplest tool to check network usage on Linux is NetHogs. Once launched, it will open a console showing in real time the network usage of each process on your system.
A more full-featured alternative is IPTraf, with the “IP traffic monitor” option.