
Lab 58: Network Commands and Diagnostics

Perform baseline network diagnostics to validate local TCP/IP behavior, interface state changes, and listening service exposure. Use packet capture to confirm ICMP traffic on the wire and capture evidence for escalation.

network troubleshooting core

Scenario

The networking team reports intermittent connectivity issues on several systems in the 192.168.1.0/24 subnet. You’ve been asked to perform basic diagnostics on your host and validate interface behavior. You will verify the local TCP/IP stack, cycle an interface, inspect listening ports, and capture ICMP packets for evidence.

Operator context

This is baseline evidence collection before deeper routing, switchport, firewall, or MTU analysis. The goal is to prove local stack health, confirm interface transitions, and capture packet-level artifacts that support escalation.

Objective

  • Verify local TCP/IP functionality by pinging loopback.
  • Bring an interface down and back up to validate link transitions.
  • Confirm assigned addressing after re-enable.
  • Inspect listening ports to validate service availability.
  • Capture ICMP traffic with tcpdump for packet evidence.

Concepts

  • Loopback tests isolate the host stack from the network and validate local IP/ICMP behavior.
  • Interface cycling is a controlled way to prove link transitions and refresh DHCP/state.
  • Listening socket inventory helps confirm expected exposure (e.g., SSH) and catch surprises.
  • Packet capture is evidence. It answers “did it leave the box?” and “did anything return?”
  • Evidence-first workflows reduce guesswork and speed escalation to networking teams.

Walkthrough

Step 1: Ping loopback to validate the local TCP/IP stack.
Command
ping -c 2 127.0.0.1

A successful loopback ping validates local IP processing and ICMP handling on the host. If this fails, pause network debugging and focus on local stack issues.

2 packets transmitted, 2 received, 0% packet loss

Step 2: Bring down the interface enp0s3.
Command
sudo ifdown enp0s3

Cycling an interface forces a state transition and can clear transient link issues. Coordinate this change on production hosts.

Bringing down interface enp0s3:  [  OK  ]
Network interface 'enp0s3' is now inactive.

Step 3: Bring the interface back online.
Command
sudo ifup enp0s3

Bringing the interface up should re-establish link and obtain addressing. Confirm IP, mask, and gateway assignment are consistent with expectations.

Assigned IP address: 192.168.1.42/24
Gateway: 192.168.1.1

Step 4: Confirm addressing and link state after re-enable.
Command
ip addr show enp0s3
ip link show enp0s3

This is your post-change verification. You want to see state UP and confirm the expected address is present on the interface.

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet 192.168.1.42/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 86390sec preferred_lft 86390sec

Step 5: Check active listening ports and services.
Command
netstat -tuln

This snapshot shows what the system is exposing on the network. Confirm expected services are listening and watch for unexpected open ports.

tcp        0      0 0.0.0.0:22    0.0.0.0:*    LISTEN
tcp6       0      0 :::80         :::*         LISTEN
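One way to turn the Step 5 snapshot into a repeatable check (an added example, not part of the original lab): compare each listener in `netstat -tuln` output against an allowlist and report its bind scope. The allowlist `tcp/22 tcp/80`, the function names, and the last two sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab. The allowlist and the last two sample
# rows are assumptions constructed for illustration.

# audit_listeners "<proto/port ...>" < `netstat -tuln` output
# Prints: STATUS proto/port bind-scope local-address
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP rows must be in LISTEN; UDP rows have no state column.
        if ($1 ~ /^tcp/ && $NF != "LISTEN") next
        local = $4
        port = local; sub(/.*:/, "", port)            # text after the last colon
        addr = substr(local, 1, length(local) - length(port) - 1)
        proto = $1; sub(/6$/, "", proto)              # tcp6 -> tcp
        if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1") scope = "loopback-only"
        else scope = "specific-address"
        key = proto "/" port
        status = (key in ok) ? "OK" : "UNEXPECTED"
        print status, key, scope, local
    }'
}

# First two socket rows are the lab's Step 5 output; the rest are constructed.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22    0.0.0.0:*    LISTEN
tcp6       0      0 :::80         :::*         LISTEN
tcp        0      0 127.0.0.1:631 0.0.0.0:*    LISTEN
udp        0      0 0.0.0.0:5353  0.0.0.0:*
EOF
}

# On a live host: netstat -tuln | audit_listeners "tcp/22 tcp/80"
sample_netstat | audit_listeners "tcp/22 tcp/80"
```

An UNEXPECTED row bound to all-interfaces is the one to raise first; a loopback-only listener is not reachable from the subnet.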
Step 6: Capture ICMP traffic using tcpdump.
Command
sudo tcpdump -i enp0s3 -nn icmp

Packet capture confirms what actually traverses the interface. Filtering on ICMP provides a clean view of echo requests and replies, which is often enough to validate basic reachability.

listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.1.42 > 192.168.1.1: ICMP echo request, id 1234, seq 1, length 64
IP 192.168.1.1 > 192.168.1.42: ICMP echo reply, id 1234, seq 1, length 64
^C
4 packets captured
0 packets dropped by kernel

Breakpoints

Loopback ping fails

If ping 127.0.0.1 fails, stop and troubleshoot the local host stack (permissions, firewall rules, kernel/ICMP settings).

ifdown/ifup not found

Some distros do not ship ifdown/ifup by default. Use ip link set dev enp0s3 down|up or the system’s network manager tooling.

No IP after interface up

If the interface is up but no address is assigned, confirm DHCP is reachable and check the interface config. Capture evidence with ip addr, ip route, and journalctl for escalation.

tcpdump shows requests only

If echo requests leave but no replies return, you likely have a network path issue (ACL/firewall, routing, VLAN, switchport, MTU). Save the capture output as evidence.
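To make the "requests only" case concrete for Step 6 and this breakpoint, the following added example (not part of the original lab) pairs echo requests with replies by address, id, and seq in saved tcpdump text and lists the requests that never got an answer. The function names and the timestamped sample lines are constructed assumptions; the first two sample lines are the lab's own Step 6 output.

```shell
#!/bin/sh
# Added example, not part of the lab.

# unanswered_echo < saved tcpdump text output
# Prints "src>dst id=N seq=N" for every echo request with no matching reply.
unanswered_echo() {
    awk '
    /ICMP echo (request|reply),/ {
        # Find the "IP" token so a leading timestamp column is tolerated.
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        src = $(i + 1); dst = $(i + 3); sub(/:$/, "", dst)
        id = ""; seq = ""
        for (j = i; j < NF; j++) {
            if ($j == "id")  { id = $(j + 1);  sub(/,$/, "", id) }
            if ($j == "seq") { seq = $(j + 1); sub(/,$/, "", seq) }
        }
        if ($0 ~ /echo request/) {
            key = src ">" dst " id=" id " seq=" seq
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            pending[key] = 1
        } else {
            # A reply travels dst -> src, so swap to match the request key.
            key = dst ">" src " id=" id " seq=" seq
            delete pending[key]
        }
    }
    END { for (k = 1; k <= n; k++) if (order[k] in pending) print order[k] }'
}

# Lines 1-2 are the lab output; the timestamped lines are constructed.
sample_capture() {
    cat <<'EOF'
IP 192.168.1.42 > 192.168.1.1: ICMP echo request, id 1234, seq 1, length 64
IP 192.168.1.1 > 192.168.1.42: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000101 IP 192.168.1.42 > 192.168.1.1: ICMP echo request, id 1234, seq 2, length 64
12:00:03.000140 IP 192.168.1.42 > 192.168.1.1: ICMP echo request, id 1234, seq 3, length 64
12:00:04.000187 IP 192.168.1.42 > 192.168.1.1: ICMP echo request, id 1234, seq 4, length 64
12:00:04.000912 IP 192.168.1.1 > 192.168.1.42: ICMP echo reply, id 1234, seq 4, length 64
EOF
}

# Against a saved capture file: tcpdump -nn -r <file> icmp | unanswered_echo
sample_capture | unanswered_echo
```

Writing the capture to a file with `tcpdump -w` and replaying it with `-r` keeps the original packets as the evidence, with this list as the summary attached to the escalation.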

Cleanup checklist

  • Stop any running tcpdump capture.
  • Confirm the interface is up.
  • Confirm the expected address is present.

Commands
ip link show enp0s3
ip addr show enp0s3

Success signal

enp0s3 is state UP and your expected 192.168.1.0/24 address is present.

Reference

  • ping -c <count> <host> : Send a fixed number of ICMP echo requests.
    • -c: limit packet count
  • ifdown <iface> : Bring an interface down (legacy workflow; depends on distro/network stack).
  • ifup <iface> : Bring an interface up and apply configuration.
  • ip addr show <iface> : Show addressing on an interface.
  • ip link show <iface> : Show link state (UP/DOWN) and flags.
  • netstat -tuln : Show listening TCP/UDP sockets.
    • -t: TCP
    • -u: UDP
    • -l: listening
    • -n: numeric output
  • tcpdump -i <iface> -nn icmp : Capture ICMP traffic on an interface.
    • -i: interface
    • -nn: no DNS/service resolution