Basic and advanced tools for Linux network monitoring

Linux comes with useful but basic tools for network and traffic monitoring. How do they compare with advanced solutions like Checkmk?

What is Linux network monitoring?

Linux network monitoring deals with checking, analyzing, reporting, and optimizing Linux-based networks. As this operating system is the de-facto standard on the majority of servers, enterprise networks, and cloud services, Linux network monitoring is an important area for any network administrator to focus on.

Network monitoring for Linux is not vastly different from any other operating system. The metrics that are collected are the same, but the methods to collect them differ. As is traditional for Linux systems, a good number of CLI applications are available for free to do some network monitoring tasks. These are basic tools, which cannot replace fully fledged network monitoring software that supports infinitely more devices, checks, and operating systems.

Most of these small Linux network tools are the base for many larger ones, and are suitable for quick checks or automation of specific monitoring duties in the absence of a more complete monitoring solution. Especially in small networks or as the first steps in troubleshooting, basic Linux monitoring tools can give initial insights.

Linux network monitoring thus consists of both basic, mostly CLI-based applications and larger, more complex and advanced systems for network monitoring and network traffic monitoring.

How to monitor network traffic on Linux hosts?

To monitor network traffic on Linux, there are a few possible routes to take. The first option, and the option the vast majority of network administrators will opt for, is a fully capable network monitoring tool. These tools are advanced and offer a great choice of monitoring and managing options for Linux hosts. Most of them will include the possibility of monitoring all the traffic on a device, often in real-time. This is by far the most common and complete option.

Another route for network traffic monitoring on Linux is a packet sniffer. It is a complete solution as it grabs all packets, but it is both time- and resource-consuming, and not the most user-friendly one.

Third, a simpler, albeit limited, route is using the Linux firewall to track traffic on a host-by-host basis. Running iptables with the -nvL parameters shows traffic statistics for each rule. Along with iptables -L to show the current rules, this gives a fairly sufficient view of network traffic on a single host.
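The per-rule counters that iptables -nvL prints can be turned into numbers for scripted checks. The following is an added example, not part of the original article: it parses a constructed sample of that output, expands the K/M/G suffixes iptables uses when -x is not given, and lists the DROP/REJECT rules that have matched traffic. The function names are hypothetical, and it assumes every rule has a target.

```python
import re

# Constructed sample of `iptables -nvL` output; all values are illustrative.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1532  118K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  48M   52G ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
  210 12600 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain OUTPUT (policy ACCEPT 9041 packets, 2310K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Without -x, large counters are rounded and suffixed (K = 1000, not 1024).
# The man page documents K, M and G; T is accepted defensively.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, \S+ bytes)?")

def counter(text):
    """'118K' -> 118000, '12600' -> 12600."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)

def parse_nvl(output):
    chains, rules = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # built-in chains carry a policy; user-defined chains do not
            rules = []
            chains[m.group(1)] = {"policy": m.group(2), "rules": rules,
                                  "policy_pkts": counter(m.group(3) or "0")}
            continue
        cols = line.split()
        if rules is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank lines, column headers, anything before a chain
        rules.append({"pkts": counter(cols[0]), "bytes": counter(cols[1]),
                      "target": cols[2], "proto": cols[3], "in": cols[5],
                      "match": " ".join(cols[9:])})
    return chains

def blocked(chains):
    """(chain, match, packets) for every DROP/REJECT rule that has matched."""
    return [(name, r["match"], r["pkts"])
            for name, c in chains.items() for r in c["rules"]
            if r["target"] in ("DROP", "REJECT") and r["pkts"] > 0]

if __name__ == "__main__":
    print(blocked(parse_nvl(SAMPLE)))
```

Because suffixed counters are rounded, run iptables with -x as well when exact byte counts matter, for example when computing deltas between two runs.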

Basic tools for Linux network monitoring

Network monitoring for Linux means either using a few Linux network tools available for free under any Linux distribution, or going the advanced route and using a proper network monitoring solution. In enterprise networks, this is not a choice, as the basic tools of Linux alone are not capable of serving all the monitoring needs of a large network infrastructure. A complete monitoring solution is therefore a necessity, not an option.

But tiny companies, with a few computers and fairly straightforward network topologies, may find the monitoring tools of Linux sufficient, even if not optimal. For any interested network administrator, we present some of the useful tools for network monitoring under Linux to show their possibilities.

Netstat (ss)

Netstat, which has been replaced by ss in most recent distribution releases, is a tool that displays the contents of /proc/net. It focuses on showing connection and routing table info on all local ports. It is of no use for monitoring remote hosts but can provide a quick idea of local traffic, and is considered a basic network traffic monitoring tool for Linux.

A very short example of its output can be:

Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 127.0.0.1.62132 127.0.0.1.http ESTABLISHED
tcp4 0 0 127.0.0.1.http * LISTEN
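To show what reading /proc/net involves, here is an added example (not part of the original article) that decodes the hexadecimal address, port, and state columns of /proc/net/tcp and picks out listening sockets that are not bound to loopback. The sample rows are constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
import socket
import struct

# State codes as printed in the "st" column (kernel TCP state numbers).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0100007F:F2B4 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1
"""

def decode_endpoint(field):
    """Turn '0100007F:0050' into ('127.0.0.1', 80)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as a native-endian 32-bit word;
    # on little-endian machines (assumed here) the bytes appear reversed.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def parse_proc_net_tcp(text):
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        sockets.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]), "inode": int(cols[9]),
        })
    return sockets

def exposed_listeners(sockets):
    """Listening sockets bound to something other than loopback."""
    return [s["local"] for s in sockets
            if s["state"] == "LISTEN" and not s["local"][0].startswith("127.")]

if __name__ == "__main__":
    for s in parse_proc_net_tcp(SAMPLE):
        print("%s:%d" % s["local"], "%s:%d" % s["remote"], s["state"])
    print("non-loopback listeners:", exposed_listeners(parse_proc_net_tcp(SAMPLE)))
```

On a Linux host, pass the contents of /proc/net/tcp instead of SAMPLE; IPv6 sockets are listed separately in /proc/net/tcp6 and use a longer address field that this sketch does not decode.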

Tcpdump

Tcpdump is a sniffer, a program that captures packets off a network interface and interprets them for you. It understands all basic internet protocols, and can be used to save entire packets for later inspection. While far from being as refined as a Linux network monitoring tool that makes use of flow protocols, it provides a raw dump of packets on an interface to be analyzed later or in real-time.

A graphical interface to Tcpdump is Wireshark.

Ping

Ping uses ICMP to send echo requests to remote hosts to check if they are up (and set up to answer). As a Linux network tool, it is of the most basic type, informing only whether a host is reachable and responding. Yet for quick troubleshooting it may be worth launching a terminal and trying the ping command to immediately rule a range of possible causes for the issue in or out.

Traceroute / Tracepath

Traceroute and tracepath are two Linux network tools that show the route to a destination, and are thus used to troubleshoot routing issues on Linux. Technically, traceroute is the more advanced of the two, using various protocols like TCP, UDP, and ICMP to find the correct route, while tracepath only implements UDP. Traceroute can manipulate packets, while tracepath stops at sending.

An example run of traceroute to find the path to www.checkmk.com:

# traceroute www.checkmk.com
traceroute to www.checkmk.com (45.133.11.28), 30 hops max, 60 byte packets
 1  kl****** (172.27.224.1)  0.546 ms  0.494 ms  0.661 ms
 2  192.168.0.1 (192.168.0.1)  16.455 ms  6.095 ms  20.363 ms
 3  * * *
 4  89-75-5-97.infra.chello.pl (89.75.5.97)  34.704 ms  26.233 ms  32.822 ms
 5  pl-krk07a-ra1-ae-0-1499.aorta.net (84.116.193.21)  66.906 ms  66.897 ms  41.181 ms
 6  pl-ktw01a-rc1-ae-7-1400.aorta.net (84.116.193.26)  41.173 ms  35.290 ms  35.265 ms
 7  de-fra11b-rc1-ae-24-0.aorta.net (84.116.137.50)  29.571 ms  43.890 ms  32.941 ms
 8  de-fra02a-ri1-ae-48-0.aorta.net (84.116.130.62)  32.934 ms  62.005 ms  60.596 ms
 9  213.46.179.114.aorta.net (213.46.179.114)  42.129 ms  32.907 ms  42.884 ms
10  ae1-0.bbr01.anx82.fra.de.anexia-it.net (144.208.208.145)  55.262 ms  42.881 ms  42.877 ms
11  ae0-0.bbr02.anx82.fra.de.anexia-it.net (144.208.208.147)  42.097 ms  60.530 ms  42.851 ms
12  fra1.mx204.ae3.anexia.as48314.net (144.208.211.213)  41.432 ms  42.822 ms  29.554 ms
13  fra1.cc.as48314.net (194.45.196.22)  43.541 ms  54.044 ms  57.596 ms

Dig / Nslookup

Dig and nslookup are two simple Linux network tools to query for DNS related information, like the DNS records of a server, the IP address, the DNS servers used to resolve its domain and more. They are fairly similar, showing only slightly different info.

For instance, dig output looks like this:

# dig www.checkmk.com

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> www.checkmk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43707
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.checkmk.com.               IN      A

;; ANSWER SECTION:
www.checkmk.com.        0       IN      A       45.133.11.28

;; Query time: 0 msec
;; SERVER: 172.27.224.1#53(172.27.224.1) (UDP)
;; WHEN: Thu Dec 15 10:49:02 CET 2022
;; MSG SIZE  rcvd: 64

Ifconfig / Iwconfig

A tool with more management capabilities is ifconfig. It is used under Linux to configure network interfaces, display their current configuration, and activate or deactivate them as needed. For wired connections, ifconfig is the one to utilize, while iwconfig is used to configure wireless interfaces.

Ip

As far as Linux network tools go, ip is probably the Swiss Army knife of them. It shows and manipulates routing paths, devices, policies, and tunnels. It can bring interfaces up or down, set their IP addresses, a default route and much more. As a network monitoring tool for Linux, it has limited power, being more useful as a troubleshooting helper.

Why use an advanced network monitoring tool for Linux?

Main dashboard of Checkmk

Network monitoring for Linux can be done in a pinch with the basic tools that Linux provides. For quick troubleshooting or simple scripted automation of a few checks, these are sufficient. They also have the advantage of being available on virtually any Linux distribution, as they are often already pre-installed.

But network monitoring requires far more features and better control. To comfortably monitor network traffic on Linux, for example, more than just a packet sniffer, like Tcpdump, is necessary. Network traffic monitoring on Linux is a rather difficult area to cover with only the simplistic tools that we covered earlier. Features like reporting, alerting, and flow monitoring are impossible to achieve with basic tools. That led to the development of a series of advanced monitoring tools that are used by companies in many industries to monitor their Linux-based infrastructure.

Advanced network monitoring tools for Linux exist for the advanced use cases. Along with providing a wealth of sophisticated features and supporting monitoring via specific protocols such as SNMP, they come with an interface that is much easier to use and, especially, to read. Advanced tools can easily monitor traffic, via the support of flow-based protocols for instance, and alert you whenever any parameter goes above or below a threshold. With the basic Linux tools, this would be achievable only with extensive scripting, and even then not with the granularity that large networks require. In addition, this would cost a lot of human resource time to set up. For most companies, this is not enough for their needs and a proper network monitoring software like Checkmk is the right solution.

The only relative disadvantage of advanced network monitoring tools for Linux is that they need to be deployed and that their resource usage is higher compared to simpler CLI tools. The first is negligible, as most of them come with full support for the main Linux distributions and are prepackaged; the second is worth it because of the plethora of offered features, ease of use, and robustness that come with them.

Plus, it is not even a matter of costs. Checkmk in its Raw Edition is free to use. The Enterprise Edition comes at a cost instead, but with the benefit of support and a larger set of features and supported services. It can be tested free of charge for 30 days with the Free Edition. Network monitoring for Linux does not have to be pricey.

FAQ

What is a good Linux bandwidth monitor?

For bandwidth monitoring on Linux, a few specific tools exist. Not necessarily the most powerful, but probably the best known ones are NetHogs and IPTraf.

How is it possible to check network speed on Linux?

There are a few ways to check network speed on Linux. Without installing specific tools, the quickest is using ethtool as:

sudo ethtool eth0 | grep Speed

This will only show the nominal speed, though. For the actual network speed, a more accurate tool is speedtest-cli, a Python app installable via pip with pip install speedtest-cli.

How is it possible to check network usage on Linux?

The simplest tool to check network usage on Linux is NetHogs. Once launched, it will open a console showing in real-time the network usage of each process on your system.

A more full-featured alternative is IPTraf, with the “IP traffic monitor” option.