Network Troubleshooting Methodology

Category: Network Troubleshooting
Type: Network Tools & Commands
Generated on: 2025-07-11 01:34:30
For: Network Engineering, Administration & Technical Interviews


This cheatsheet provides a comprehensive guide to network troubleshooting, covering essential tools, commands, and methodologies for network administrators and engineers.

1. Tool Overview

| Tool | Description | When to Use |
|---|---|---|
| `ping` | Tests reachability to a host by sending ICMP Echo Request packets. | Verifying basic network connectivity, checking DNS resolution, measuring round-trip time (RTT). |
| `traceroute` / `tracert` | Maps the path packets take to a destination, identifying intermediate hops. | Identifying network bottlenecks, diagnosing routing issues, verifying path selection. |
| `ipconfig` / `ifconfig` | Displays and configures network interface settings. | Checking IP address, subnet mask, default gateway, DNS servers, enabling/disabling interfaces. |
| `nslookup` / `dig` | Queries DNS servers to resolve domain names to IP addresses and vice versa. | Troubleshooting DNS resolution problems, verifying DNS records, checking authoritative name servers. |
| `netstat` / `ss` | Displays network connections, routing tables, and interface statistics. | Monitoring active connections, identifying listening ports, troubleshooting port conflicts, analyzing network traffic. `ss` is a modern replacement for `netstat`. |
| `tcpdump` / Wireshark | Captures and analyzes network traffic. | Troubleshooting network protocols, debugging application issues, analyzing security threats, monitoring network performance. Wireshark provides a GUI interface, while `tcpdump` is command-line based. |
| `nmap` | Network mapper; discovers hosts and services on a network. | Network discovery, port scanning, OS detection, vulnerability assessment. |
| `mtr` | Combines ping and traceroute for continuous path analysis. | Continuously monitoring network path and latency, identifying intermittent network issues. |
| `route` | Displays and modifies the routing table. | Troubleshooting routing issues, adding/deleting static routes. Use `ip route` on Linux systems. |
| `arp` | Displays and modifies the Address Resolution Protocol (ARP) cache. | Troubleshooting MAC address resolution problems, identifying rogue devices on the network. |
| `curl` / `wget` | Transfers data from or to a server. | Testing HTTP/HTTPS connectivity, downloading files, verifying web server functionality. |

2. Basic Syntax

```bash
# ping
ping <hostname_or_ip>

# traceroute (Linux) / tracert (Windows)
traceroute <hostname_or_ip>
tracert <hostname_or_ip>

# ipconfig (Windows) / ifconfig (Linux - deprecated, use ip)
ipconfig /all
ifconfig <interface>
ip addr show <interface>

# nslookup
nslookup <hostname>

# dig
dig <hostname>

# netstat (deprecated, use ss)
netstat -an
ss -lntp

# tcpdump
tcpdump <options> <filter>

# nmap
nmap <target>

# mtr
mtr <hostname_or_ip>

# route (deprecated, use ip route)
route -n
ip route

# arp
arp -a

# curl
curl <url>

# wget
wget <url>
```

3. Practical Examples

```bash
# Ping Google's DNS server to check connectivity
ping 8.8.8.8
# Example Output:
# PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
# 64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12.3 ms
# 64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=11.9 ms
# ...

# Traceroute to a website
traceroute google.com
# Example Output: (Truncated)
# 1 gateway.local (192.168.1.1) 1.234 ms 1.345 ms 1.456 ms
# 2 10.0.0.1 (10.0.0.1) 5.678 ms 5.789 ms 5.890 ms
# 3 ...
# ...

# Display IP configuration (Windows)
ipconfig /all

# Display IP address (Linux)
ip addr show eth0

# DNS lookup for a domain
nslookup example.com
# Example Output:
# Server: 8.8.8.8
# Address: 8.8.8.8#53
#
# Non-authoritative answer:
# Name: example.com
# Address: 93.184.216.34

# List listening TCP ports (ss)
ss -lntp
# Example Output:
# State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
# LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
# LISTEN 0 128 [::]:22 [::]:*

# Capture HTTP traffic on port 80
tcpdump -i eth0 port 80
# Example Output (one summary line per packet):
# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
# listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# 14:34:56.789012 IP 192.168.1.100.50000 > 172.217.160.142.80: Flags [S], seq 1234567890, win 65535, options [mss 1460,nop,wscale 7,nop,nop,TS val 123456789 ecr 0,sackOK,eol], length 0

# Scan a host for open ports
nmap 192.168.1.1

# Continuous network path analysis
mtr google.com

# Display routing table
route -n     # Linux
netstat -rn  # Alternative (deprecated)
ip route     # Linux

# Display ARP cache
arp -a

# Download a file using curl
curl -O https://example.com/file.txt

# Download a file using wget
wget https://example.com/file.txt
```

4. Common Options

| Tool | Option | Description | Example |
|---|---|---|---|
| `ping` | `-c <count>` | Specifies the number of ping packets to send. | `ping -c 5 google.com` |
| `ping` | `-t` (Windows) | Ping continuously until stopped. | `ping -t google.com` |
| `traceroute` / `tracert` | `-m <max_hops>` (`-h <max_hops>` for `tracert`) | Sets the maximum number of hops to trace. | `traceroute -m 20 google.com` |
| `traceroute` / `tracert` | `-w <timeout>` | Sets the timeout for each hop in seconds (`tracert` takes milliseconds). | `traceroute -w 2 google.com` |
| `ipconfig` | `/release` | Releases the IP address. | `ipconfig /release` |
| `ipconfig` | `/renew` | Renews the IP address. | `ipconfig /renew` |
| `ifconfig` | `up` / `down` | Enables/disables the interface. | `ifconfig eth0 up` / `ifconfig eth0 down` |
| `ip` | `link set dev <interface> up/down` | Enables/disables the interface. | `ip link set dev eth0 up` / `ip link set dev eth0 down` |
| `nslookup` | `-type=<record>` | Specifies the type of DNS record to query (e.g., A, MX, TXT). | `nslookup -type=MX example.com` |
| `dig` | `<record>` | Specifies the type of DNS record to query (e.g., A, MX, TXT). | `dig MX example.com` |
| `netstat` / `ss` | `-a` | Shows all connections and listening ports. | `netstat -a` / `ss -a` |
| `netstat` / `ss` | `-n` | Displays addresses and port numbers numerically (no DNS resolution). | `netstat -an` / `ss -n` |
| `netstat` / `ss` | `-t` | Shows TCP connections. | `netstat -t` / `ss -t` |
| `netstat` / `ss` | `-u` | Shows UDP connections. | `netstat -u` / `ss -u` |
| `tcpdump` | `-i <interface>` | Specifies the network interface to capture traffic on. | `tcpdump -i eth0` |
| `tcpdump` | `-n` | Prevents hostname resolution. | `tcpdump -n` |
| `tcpdump` | `-w <file>` | Writes the captured traffic to a file for later analysis. | `tcpdump -i eth0 -w capture.pcap` |
| `nmap` | `-p <port>` | Specifies the port(s) to scan. | `nmap -p 80,443 192.168.1.1` |
| `nmap` | `-sV` | Enables service version detection. | `nmap -sV 192.168.1.1` |
| `nmap` | `-O` | Enables OS detection. | `nmap -O 192.168.1.1` |
| `mtr` | `-r` | Report mode; displays a summary instead of continuous output. | `mtr -r google.com` |
| `curl` | `-O` | Saves the downloaded file with the name from the URL. | `curl -O https://example.com/file.txt` |
| `curl` | `-I` | Shows only the HTTP headers. | `curl -I https://example.com` |
| `wget` | `-q` | Quiet mode; suppresses output. | `wget -q https://example.com/file.txt` |

5. Advanced Usage

```bash
# Ping with custom packet size and timestamp
ping -s 1000 -D google.com

# Traceroute with TCP SYN packets (bypass ICMP filtering; requires root)
traceroute -T google.com

# Capture traffic from a specific host and port, saving it to a file
tcpdump -i eth0 host 192.168.1.100 and port 80 -w capture.pcap

# Analyze the capture file using tcpdump
tcpdump -r capture.pcap

# Scan a network for live hosts using ping sweep
nmap -sn 192.168.1.0/24

# Scan a host for vulnerabilities using nmap scripts
nmap --script vuln 192.168.1.1

# Use dig to trace the DNS resolution path
dig +trace example.com

# Use ss to filter established connections to a specific port
ss -nt '( dport = :80 )'

# Display routing table and filter for default gateway
ip route | grep default

# Find the MAC address associated with a specific IP address
arp -n 192.168.1.100

# Test website availability and response time using curl
curl -s -w "Connect: %{time_connect} TTFB: %{time_starttransfer} Total: %{time_total} \n" -o /dev/null https://example.com

# Get only the IP address from the interface configuration
# Windows (PowerShell; awk is not available in a stock Windows shell)
(Get-NetIPAddress -AddressFamily IPv4).IPAddress
# Linux (grep, awk, and sed)
ip addr show eth0 | grep "inet " | awk '{print $2}' | sed 's/\/.*//'
```

6. Troubleshooting Scenarios

| Scenario | Tools/Commands | Steps |
|---|---|---|
| No Network Connectivity | ipconfig/ifconfig, ping, traceroute, arp | 1. Check IP address, subnet mask, and default gateway using ipconfig/ifconfig. 2. Ping the default gateway. If it fails, check physical connectivity (cable, switch port). 3. If the gateway is reachable, ping a public IP address (e.g., 8.8.8.8). 4. If the public IP fails, check DNS resolution. 5. Use traceroute to identify the point of failure. 6. Check ARP table for gateway MAC address. |
| Slow Network Performance | ping, traceroute, mtr, tcpdump, netstat/ss | 1. Use ping to measure RTT to the destination. 2. Use traceroute or mtr to identify hops with high latency. 3. Use tcpdump to capture traffic and analyze packet loss or retransmissions. 4. Use netstat/ss to monitor active connections and identify potential bottlenecks. 5. Check for duplex mismatch between devices. 6. Check device CPU and memory utilization. |
| DNS Resolution Failure | nslookup, dig, ping | 1. Use nslookup or dig to query the DNS server. 2. Check the configured DNS server address using ipconfig/ifconfig. 3. Ping the DNS server to verify reachability. 4. Try a different DNS server (e.g., 8.8.8.8 or 1.1.1.1). 5. Check the local hosts file for incorrect entries. 6. Verify DNS server configuration on the network. |
| Port Conflict | netstat/ss | 1. Use netstat -an or ss -lntp to list all listening ports. 2. Identify the process using the conflicting port. 3. Stop the conflicting process or reconfigure it to use a different port. |
| Website Unreachable | ping, traceroute, curl, wget, nslookup | 1. Ping the website’s domain name to check DNS resolution. 2. Ping the website’s IP address to bypass DNS issues. 3. Use traceroute to identify potential routing problems. 4. Use curl or wget to test HTTP/HTTPS connectivity. 5. Check firewall rules on the client and server. 6. Verify the web server is running and listening on the correct port. 7. Check the server’s error logs. |
| Intermittent Network Disconnects | ping, mtr, tcpdump | 1. Use ping -t (Windows) or ping in a loop (Linux) to monitor connectivity over time. 2. Use mtr to continuously monitor the network path for intermittent latency spikes or packet loss. 3. Use tcpdump to capture traffic during disconnects and analyze the cause (e.g., ARP issues, broadcast storms). 4. Check for loose cables or faulty network hardware. 5. Check for wireless interference. |
| DHCP Issues (No IP Address) | ipconfig /release, ipconfig /renew, tcpdump | 1. Attempt to release and renew the IP address using ipconfig /release and ipconfig /renew (Windows) or dhclient -r and dhclient (Linux). 2. Use tcpdump to capture DHCP traffic and analyze the DHCP discovery process. 3. Verify the DHCP server is running and properly configured. 4. Check for DHCP scope exhaustion. 5. Check for rogue DHCP servers on the network. |
| High CPU Utilization on Network Device | top, htop, netstat, ss | 1. Use top or htop to identify processes consuming high CPU. 2. Use netstat or ss to identify network connections associated with the high CPU usage. 3. Analyze network traffic patterns to identify potential causes (e.g., excessive broadcast traffic, denial-of-service attacks). 4. Check for software bugs or misconfigurations. |
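
The Port Conflict steps end at finding the process behind a listening port; the same `ss -lntp` output also shows which listeners are reachable from other hosts. The following is an added example, not part of the original cheatsheet: the function name `exposed_listeners` and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: list TCP listeners that are reachable from other hosts.
# Reads `ss -lntp` output on stdin and prints "port bind-address process"
# for every listener not bound to loopback. Input order is preserved.
exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }                 # also skips the header line
        match($4, /:[0-9]+$/) {                 # port = digits after the last colon
            addr = substr($4, 1, RSTART - 1)    # 0.0.0.0, *, [::], 127.0.0.53%lo ...
            port = substr($4, RSTART + 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            proc = "?"                          # Process column is empty without root
            if (NF >= 6 && split($6, q, "\"") >= 3) proc = q[2]
            print port, addr, proc
        }'
}

# Constructed sample of `ss -lntp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=1044,fd=5))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=510,fd=14))
LISTEN 0      511                *:8080            *:*     users:(("node",pid=2210,fd=19))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      128            [::1]:631          [::]:*     users:(("cupsd",pid=640,fd=6))
LISTEN 0      128          0.0.0.0:111       0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On a live host, pipe `ss -lntp` into the function as root so the process column is populated.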

7. Output Interpretation

  • ping: High RTT indicates network latency. Packet loss indicates network congestion or connectivity issues.
  • traceroute / tracert: * * * indicates a timeout at a hop. High latency at a specific hop suggests a bottleneck.
  • nslookup / dig: NXDOMAIN indicates the domain name does not exist. SERVFAIL indicates a DNS server failure. Incorrect IP address indicates DNS record issues.
  • netstat / ss: ESTABLISHED indicates an active connection. LISTEN indicates a port is listening for connections. TIME_WAIT indicates a connection is waiting to close.
  • tcpdump: Analyze packet headers to identify protocols, source/destination addresses, and flags. Look for retransmissions, SYN floods, or other anomalies.
  • nmap: Open indicates a port is listening for connections. Filtered indicates a port is blocked by a firewall. Closed indicates a port is not listening.
  • mtr: Shows packet loss and latency per hop. Consistent packet loss at a particular hop suggests an issue at that point in the network.
  • arp: Incorrect MAC address mapping indicates ARP poisoning or network misconfiguration.

8. Security Considerations

  • nmap: Port scanning can be considered intrusive and may trigger security alerts. Use it responsibly and with permission.
  • tcpdump: Capturing network traffic can expose sensitive data. Use encryption (HTTPS, SSH) whenever possible. Store capture files securely.
  • route: Incorrect routing table modifications can disrupt network connectivity. Test changes in a lab environment before implementing them in production.
  • General: Avoid running network troubleshooting tools from untrusted sources. Be cautious when interpreting output, as attackers may attempt to manipulate results.
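
Section 7 notes that an incorrect MAC mapping in the ARP cache can indicate ARP poisoning, and the last point above warns that tool output can be manipulated. The following added example (not from the original cheatsheet) checks a Linux `arp -an` listing for a MAC that answers for several IPs and compares the gateway entry with a recorded value; the function names, addresses and MACs are constructed for illustration.

```sh
#!/bin/sh
# Added example: two ARP cache checks over Linux `arp -an` output on stdin.
# A shared MAC is a lead, not proof: routers with several addresses and
# proxy ARP produce it too, so confirm against a known-good gateway MAC.

# Print "mac ip1 ip2 ..." for every MAC that maps to more than one IP.
arp_shared_macs() {
    awk '
        $3 == "at" && $4 != "<incomplete>" {     # skip unresolved entries
            ip = $2; gsub(/[()]/, "", ip)        # "(192.168.1.1)" -> 192.168.1.1
            mac = tolower($4)                    # compare case-insensitively
            if (seen[mac, ip]++) next            # same pair listed twice
            count[mac]++
            ips[mac] = (ips[mac] == "" ? ip : (ips[mac] " " ip))
        }
        END {
            for (mac in count)
                if (count[mac] > 1) print mac, ips[mac]
        }' | sort
}

# Return 0 when the entry for gateway IP $1 matches the recorded MAC $2.
gateway_mac_ok() {
    awk -v gw="($1)" -v want="$2" '
        $2 == gw && $3 == "at" { found = 1; ok = (tolower($4) == tolower(want)) }
        END { exit !(found && ok) }'
}

# Constructed sample of `arp -an` output (not captured from a real network).
SAMPLE_ARP='? (192.168.1.1) at 52:54:00:aa:bb:01 [ether] on eth0
? (192.168.1.23) at 52:54:00:AA:BB:01 [ether] on eth0
? (192.168.1.40) at 52:54:00:cc:dd:02 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0'

printf '%s\n' "$SAMPLE_ARP" | arp_shared_macs
# 52:54:00:ee:ff:09 stands in for the MAC recorded when the network was known good.
if printf '%s\n' "$SAMPLE_ARP" | gateway_mac_ok 192.168.1.1 52:54:00:ee:ff:09; then
    echo "gateway MAC matches the recorded value"
else
    echo "gateway MAC differs from the recorded value"
fi
```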

9. Platform Differences

| Tool | Linux | Windows | macOS |
|---|---|---|---|
| traceroute | `traceroute` | `tracert` | `traceroute` |
| ifconfig | `ifconfig` (deprecated, use `ip`) | `ipconfig` | `ifconfig` |
| ip | `ip addr show`, `ip route`, `ip link` | N/A (use `netsh interface ip show config`) | N/A by default (use `ifconfig` and `netstat -rn`) |
| netstat | `netstat` (deprecated, use `ss`) | `netstat` | `netstat` |
| ss | `ss` | N/A (use `Get-NetTCPConnection` in PowerShell) | N/A (use `netstat -an` or `lsof -i`) |
| route | `route`, `ip route` | `route print` | `route`, `netstat -rn` |
| arp | `arp` | `arp -a` | `arp -a` |
| tcpdump | `tcpdump` | `windump` (requires WinPcap/Npcap) | `tcpdump` |
| Wireshark | Available for installation via package manager | Available for download and installation | Available for download and installation |

This cheatsheet provides a foundation for network troubleshooting. Continuous learning and practical experience are essential for mastering these tools and techniques. Always refer to the official documentation for the most up-to-date information.