Lesson 23: Network Debugging — ss, tcpdump, netstat
You wrote a TCP server — but it is not responding. Is it even listening? Is the port occupied? Are packets arriving? In this lesson we will learn three tools every Linux engineer must know: ss for viewing open connections, tcpdump for capturing packets in real time, and netstat for connection detail
ss is like opening the computer's phonebook to see who is connected to whom. tcpdump is like holding a microphone on the street and listening to every passing conversation. netstat is the older version of ss — still useful. Together they give you a full picture of what is happening on the network, without dismantling anything.
- ss: Socket Statistics — a modern Linux tool for viewing all open sockets. Faster than netstat and supports rich filters. Replaces netstat in most cases.
- tcpdump: A tool for capturing and analyzing network packets in real time. Lets you see exactly what passes on a network interface, filtered by port, IP address, protocol, and more.
- TIME_WAIT: A TCP state where a closed connection continues to hold its port for a short time (~60 seconds) to ensure stray late-arriving packets from the old connection are not mistakenly accepted by a new connection.
- CLOSE_WAIT: A TCP state where the remote side closed the connection but the local side has not yet called close(). Usually indicates a bug in server code that does not clean up connections.
- pcap: A file format for saving captured packets. tcpdump can save to a .pcap file that can later be opened in Wireshark for detailed analysis.
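An added example, not part of the original lesson: a shell helper that counts sockets per local port in a given state from `ss -tan` output, which is how the CLOSE_WAIT leak described above shows up in practice. The sample output, addresses and function names are constructed for illustration; note that ss prints these states with a hyphen (CLOSE-WAIT, TIME-WAIT).

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:8080         0.0.0.0:*
ESTAB      0      0      10.0.0.5:8080        10.0.0.9:51512
CLOSE-WAIT 1      0      10.0.0.5:8080        10.0.0.9:51498
CLOSE-WAIT 1      0      10.0.0.5:8080        10.0.0.7:40122
CLOSE-WAIT 0      0      10.0.0.5:8080        10.0.0.7:40130
TIME-WAIT  0      0      10.0.0.5:8080        10.0.0.9:51400
CLOSE-WAIT 0      0      [::1]:5432           [::1]:39984
EOF
}

# Count sockets per local port in one TCP state.
# Reads `ss -tan` text on stdin and prints "port count" lines sorted by port.
# The state may be given as CLOSE_WAIT or CLOSE-WAIT; ss itself uses the hyphen.
count_state_by_port() {
    want=$(printf '%s' "$1" | tr '_' '-')
    awk -v want="$want" '
        NR == 1 && $1 == "State" { next }     # skip the header row
        $1 == want {
            # Column 4 is Local Address:Port. The port follows the last
            # colon, which also holds for bracketed IPv6 such as [::1]:5432.
            n = split($4, parts, ":")
            count[parts[n]]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort -n
}

# Print local ports holding at least $1 sockets in CLOSE-WAIT.
# A count that keeps growing on a listening port means the server is
# not calling close() after the peer has disconnected.
leaky_ports() {
    count_state_by_port CLOSE-WAIT | awk -v min="$1" '$2 >= min { print $1 }'
}

# Demo on the constructed sample.
sample_ss_output | count_state_by_port CLOSE_WAIT
sample_ss_output | leaky_ports 3
```

On a live host, pipe the real command into the same functions, for example `ss -tan | leaky_ports 50`, and compare the counts over time.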