LFCS – Monitoring the Network

Jarret B

Well-Known Member
Staff member
May 22, 2017
Reaction score
Sometimes, on a network, there can be network issues causing slow connections. The connections themselves may be down, such as you may try to ssh into a system, but the service has failed and you cannot make a connection.

There are some tools that you need to be aware of to check network specifics. These tools are useful in any environment with a network when problems can arise. The command or services are:
  1. tracepath
  2. ip
  3. netstat
  4. nmap
  5. sysstat
So, let's look at these individually and help you get a basic understanding. It will be up to you to delve into them deeper if you want more detailed information. The LFCS Exam requires you to have a general understanding.


Sometimes, portions of your network be failing. We can test these devices in the network and see where a failure may occur.

Let's look at how a trace works first. This can help you understand better what is going on when you run a trace on a network.

The first thing that the command performs is a DNS lookup to convert the Fully Qualified Domain Name (FQDN) to an IP Address. Now, if the network is completely down, then it cannot perform the DNS name resolution and failure will occur. If this is the case, you can perform a trace to a Domain Name Server, such as '' or ''. Since a DNS conversion does not need to be performed, the trace should start.

Every packet has a Time-To-Live (TTL) value. Every time the packet gets to a router, it decreases the TTL value by one and passes on the packet. It also refers to this to as a hop. Once the value hist zero, the current router returns the packet and you get an error that it cannot reach the host. The minimum default TTL is 64, unless a system changes the value. By default, the 'tracepath' command has a limit of 30, but we can change it. The 'tracepath' command will manipulate the TTL value for its benefit.

The first thing is to send a packet to the local host to verify the network is functioning. The output should be the first line of output on the screen.

So, the command sends out the first packet with a TTL of 1. This packet should hit your gateway. The Gateway should return a packet to your system that your packet's TTL has hit 0. It includes the information about the Gateway in the packet. The program displays the Gateway information on a line.

The 'tracepath' command will send out another packet with a TTL of 2. Now, you get the router at the end of the next hop and it displayed its information on the next line. The process continues until you get to the IP Address you specified by name or number as the parameter.

The command is 'tracepath <FQDN or IP-Address>'. For example, you can run the command in a terminal 'tracepath www.linux.org' or 'tracepath'. Now, it only shows the hostname of a router, if someone configured the router to allow a response to an ICMP request. If you use the parameter '-b', then you can get both a hostname and an IP Address. If you need to change the max hops from 30, you can use the '-m #' parameter and specify the number of maximum hops.

If you perform the command and do not even get your gateway, then there is a problem with the local system, its network connection, the Gateway or anything that may be in between the local system and the Gateway. The command can rule out your local network and the specific device you are using.

IP Command

As I covered in the recent article 'LFCS – Network Management', we covered the 'ip' command. Here, we will show how to use it to check throughput on your Network Devices.

To start, the command 'ip a s' will list the information for all your devices and include the IP Address, MAC Address and more.

If you are only worried about a specific IP version, you can add the parameter '-4' or '-6' for what you need. For example, to see the specific information for IPv4, the command is 'ip -4 a s'.

If you want to only see the information about a specific device, then you just specify the device name, such as 'enp0s3'. The command is 'ip a s enp0s3'.

You can see the amount of packets sent and received on your devices with the command 'ip -s link'. This shows all the devices and the number of packets transmitted (TX) and received (RX). You will also see the packets that were errors or dropped. If you see the number of errors or dropped packets increasing, then you know there is a problem. The NIC or cable has a failure. The problem could be another system if there is a chattering cable or device on the network.

You can also specify a single device for the command such as 'ip -s link enp0s3'.

The 'ip' command can help you find a problem with a Network Interface Card (NIC) or cable connection. You may also determine if your system is using the proper NIC, if there are multiple cards.


The 'netstat' program displays network statistics for your system. You get similar information as the 'ip -s link' command, but the Interfaces will be sorted by the order of most packets to least packets transferred when using the command 'netstat -i'.

For statistics on specific packet types, such as TCP, UDP, use the command 'netstat -s'.

You can also check a system for all ports that are 'listening'. The ports are open to accept a connection, such as 'ssh'. If you have a system that is not accepting 'ssh' connections, you can check to see that the port is still 'listening'. There are three parameters you can use together: '-lnt'. The parameter 'l' is for showing the 'listening' sockets. Using the 'n' parameter will display the port numbers, such as 22, and not the name, such as 'ssh'. The parameter 't' designates the TCP protocol sockets. You can use a 'u' instead for UDP ports.

The 'netstat' command will help you see your incoming sockets are still available. If not, then you can check that the service is still running.


Previously I wrote articles on 'nmap' which you can find as follows:

If you want more information on NMAP, then these articles can give you more than you probably wanted to know.

For CentOS, to install 'nmap', run the command 'sudo yum install nmap'.

If you use Ubuntu, the command is 'sudo apt install nmap'.

Once you have 'nmap' installed, then everything is the same when running a scan.

A good command to try is 'nmap --iflist'. The result is a listing of your NICs and their IP Addresses. You can also see which devices are up and running. The command lists the MAC Addresses for each device. Finally, you get a routing table so you can make sure everything looks in order.

To have your system scanned for open ports, use the command 'nmap scanme.nmap.org'. For a little more detail, try the command 'nmap -v -A scanme.nmap.org'.

Like 'netstat', you can see what sockets are listening.


For any system, we need to install 'sysstat' so we can get System Statistics.

If you are using CentOS, the command is 'sudo yum install sysstat -y'. For Ubuntu, 'sudo apt install sysstat -y'.

For a CentOS system, 'sysstat' starts automatically. For Ubuntu, we need to start it.

So, to start 'sysstat' on Ubuntu, you need to edit the file '/etc/default/sysstat' with 'sudo' privileges. The file is empty, so just add a line like 'ENABLED="true"'. Save and close your editor. All you need to do is enable the service to start at boot and start the service now, with the commands:

sudo systemctl enable sysstat
sudo systemctl start sysstat

Once everything is running, you can verify that the service is actively getting system information by running the command 'ls /etc/cron.d'. Listed in the output should be 'sysstat'.

The system stores the logs in the folder '/etc/logs/sa'. You cannot read the logs outright since it formatted them for viewing with the program 'sar'.

Now, the default time to log statistics is 10 minutes. You can see this by issuing the command 'sar -n DEV'. It should show the output statistics for the network devices every 10 minutes (just make sure the service has been running 20 minutes or more).

If you need something more real-time, then you can specify an immediate time in seconds and how many times you want the statistics displayed on the screen. For instance, if we wanted to get the statistics every 5 seconds for 10 times, the command is 'sar -n DEV 5 10'.

Now, if you have updates to do the system packages, you can perform the update, then run a statistics on the network to watch the amount of data being downloaded.

If you do not want to limit the number of times to grab the statistics before quitting the program, do not specify the number of captures. For example, the command 'sar -n DEV 5' will display information every 5 seconds and not stop until you press CTRL-C. You can adjust the time frame as you need with a smaller or larger number.

In this manner, you can see if there is limited bandwidth throughout, so you know that there is a bottleneck in the network capacity.


All five tools can be useful. Maybe you will find one you prefer to the others, but any one can be very useful.

It is necessary for the LFCS Exam to understand them all. Be familiar with them.

If you aren't concerned about the exam, at least know these programs, because at some point, there are always network issues to take care of when dealing with computers.

Staff online

Members online