Network Tools


  • Installation: yum install traceroute
  • Use ICMP ECHO for probes (default is UDP): traceroute -I
  • Do not map IP addresses to host names: traceroute -n
  • Use TCP SYN for probes: traceroute -T
  • Set the number of probe packets per hop (default is 3): traceroute -q 5


The netstat command reads /proc files, while ss takes its values from kernel space.

  • Install the tool: yum install iproute
  • Display a list of open non-listening TCP sockets that have an established connection: ss
  • Display listening TCP or UDP sockets: ss -lt or ss -ul
  • Display all TCP sockets: ss -ta
  • List all UDP sockets: ss -ua
  • Show process using TCP sockets: ss -pl
  • Do not try to resolve service names: ss -n
  • Try to resolve numeric address/ports: ss -r
  • Display all established connections: ss -t state established
  • Display all SSH connections: ss -o state established '( dport = :ssh or sport = :ssh )'
  • List sockets with destination port 80 or 443: ss -nt dst :443 or dst :80
  • List sockets by destination: ss -nt dst
  • Watch syn-sent sockets: watch -n 1 "ss -t state syn-sent"
  • Print summary statistics: ss -s

State options

all - All of the above states
connected - All the states except for listen and closed
synchronized - All the connected states except for syn-sent
bucket - Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
big - Opposite to bucket state.
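To make the netstat data source and the state options above concrete, the following added example (not part of the original page) parses text in the /proc/net/tcp layout that netstat reads and applies the same state groups in Python. The sample rows and addresses are constructed, and the function names are hypothetical.

```python
import socket
import struct

# Index = state code in the "st" column (kernel enum, 0x01..0x0B).
TCP_STATES = [None, "established", "syn-sent", "syn-recv", "fin-wait-1",
              "fin-wait-2", "time-wait", "closed", "close-wait", "last-ack",
              "listen", "closing"]
ALL = set(TCP_STATES[1:])
BUCKET = {"time-wait", "syn-recv"}
CONNECTED = ALL - {"listen", "closed"}
# The state groups from the "State options" list.
STATE_GROUPS = {"all": ALL, "connected": CONNECTED,
                "synchronized": CONNECTED - {"syn-sent"},
                "bucket": BUCKET, "big": ALL - BUCKET}

# Constructed sample in /proc/net/tcp layout (addresses are made up).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15001
   1: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 15002
   2: 0A00000A:9C40 0200000A:01BB 02 00000001:00000000 01:00000064 00000001  1000        0 15003
   3: 0A00000A:9C42 0300000A:0050 06 00000000:00000000 03:00000BB8 00000000     0        0 0
"""

def decode_addr(field):
    """'0B00000A:C350' -> ('10.0.0.11', 50000); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse IPv4 socket rows, skipping the header and short lines."""
    socks = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4:
            continue
        code = int(cols[3], 16)
        state = TCP_STATES[code] if 0 < code < len(TCP_STATES) else "unknown"
        socks.append({"local": decode_addr(cols[1]),
                      "remote": decode_addr(cols[2]), "state": state})
    return socks

def filter_state(socks, name):
    """Keep sockets in a single state or in one of the state groups."""
    wanted = STATE_GROUPS.get(name, {name})
    return [s for s in socks if s["state"] in wanted]

if __name__ == "__main__":
    for s in filter_state(parse_proc_net_tcp(SAMPLE), "synchronized"):
        print(s["state"], "%s:%d" % s["local"], "->", "%s:%d" % s["remote"])
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE to compare the result with the ss state filters.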


  • Display the interfaces (similar to ifconfig): ip link show
  • Bring the interface up (similar to ifconfig eth0 up): ip link set eth0 up
  • Display the IP address on the interface: ip addr show
  • Display ARP table (similar to arp -a): ip neigh show
  • Delete all entries from table: ip neigh flush dev eth0
  • Delete an entry from ARP table: ip neigh delete dev eth0


tcptrack displays the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top(1) command.

  • Install on CentOS 6:
yum install ncurses-devel libpcap-devel
tar zxvf tcptrack-1.4.2.tar.gz
cd tcptrack-1.4.2
make install
  • Sniff packets from the specified network interface: tcptrack -i eth0
  • Show only web traffic: tcptrack -i eth0 port 80
  • Show connections from host: tcptrack -i eth0 src or dst
  • Use libpcap advanced filter: tcptrack -i eth0 'ip dst and port (80 or 443 or 22)'

Interactive options

p - Pause/unpause display. No new connections will be added to the display, and all currently displayed connections will remain in the display.
q - Quit tcptrack.
s - Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.


  • Install on CentOS 6
cd /root
tar zxvf speedometer-2.8.tar.gz
tar zxvf urwid-1.3.1.tar.gz
cd urwid-1.3.1/
python build
python install or cp -r urwid /root/speedometer-2.8
  • Display RX traffic on eth0: ./ -rx eth0
  • Display TX traffic on eth0: ./ -tx eth0


  • Install on CentOS 6

yum install iftop --enablerepo=epel

  • Listen on named interface: iftop -i eth0
  • Display the port as well: iftop -P -i eth0
  • Do not do hostname lookups: iftop -n -i eth0
  • Show traffic flows in/out of IPv4 network: iftop -F -i eth0


  • Installation on CentOS 6:
yum install cmake
cd slurm-upstream
mkdir _build
cd _build
make install
green - downloads (RX)
red - uploads (TX)
  • Select network interface: slurm -i eth0
  • c - switch to classic mode
  • s - switch to split graph mode
  • l - switch to large graph mode
  • L - enable TX/RX led
  • m - switch between classic, split and large view
  • z - zero counters
  • r - redraw screen
  • q - quit slurm


  • Installation on CentOS 6: yum install dsniff --enablerepo=epel
  • View connections: netstat -tnpa | grep ESTABLISHED
  • Kill connection for port 22: tcpkill -i eth0 port 22
  • Kill all packets arriving from host: tcpkill host


  • Display which hosts are running on a network: nmap -n -sn


  • Read pcap file: tcpick -C -yP -r <file>.pcap