Networking Tools

Posted on 4 2026

A self-hosted network is only as manageable as your ability to see what is happening on it. This page covers the networking tools worth having on the Kubuntu desktop: Wireshark for deep packet inspection, a set of indispensable command line utilities, and a few graphical tools that are genuinely useful rather than just elaborate wrappers around things the terminal already does better.

Most of these tools have already appeared elsewhere in this series. This page collects them in one place as a reference.

Installation

Install the core set in one go:

sudo apt install \
    wireshark \
    tshark \
    tcpdump \
    nmap \
    netcat-openbsd \
    mtr-tiny \
    traceroute \
    dnsutils \
    whois \
    httpie \
    iperf3 \
    nethogs \
    iftop \
    netstat-nat \
    iproute2 \
    net-tools \
    iputils-ping \
    ethtool \
    ngrep \
    socat \
    curl \
    wget

During Wireshark installation, you will be asked whether non-superusers should be able to capture packets. Select Yes. This adds your user to the wireshark group, allowing packet capture without sudo. Log out and back in for the group membership to take effect.


Packet capture and analysis

Wireshark

Wireshark is the standard graphical packet analyser. It captures live traffic from any network interface, dissects protocols at every layer, and lets you filter, follow streams, and export captures for later analysis.

wireshark

Useful display filters for this setup:

# All DNS traffic
dns

# Traffic to/from your mail server
ip.addr == 10.1.0.10

# All WireGuard traffic
udp.port == 51820

# All MQTT traffic
tcp.port == 1883 or tcp.port == 8883

# Failed TCP connections
tcp.flags.reset == 1

# All traffic between two hosts
ip.addr == 10.1.0.1 and ip.addr == 10.2.0.1

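# HTTP without HTTPS (the TLS dissector's filter name is tls; ssl is the deprecated old name)
http and not tls

# DHCP traffic (the filter was renamed from bootp to dhcp in Wireshark 3.0)
dhcp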

Capturing on a specific interface:

Wireshark lists all available interfaces on startup. For the WireGuard tunnel, capture on the wg0 interface. For VLAN traffic, capture on the VLAN interface rather than the physical interface.

Decrypting TLS traffic:

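If you have the server’s TLS private key, Wireshark can decrypt TLS sessions. Go to Edit > Preferences > Protocols > TLS > RSA Keys List. Add the server IP, port, protocol, and the path to the private key file. Internal services using certificates from your own CA are straightforward to decrypt for debugging. The private key only decrypts sessions that use RSA key exchange. Sessions negotiated with ephemeral (DHE/ECDHE) key exchange, which includes all of TLS 1.3, need a key log instead: have the client write one (curl, Firefox and Chrome honour the SSLKEYLOGFILE environment variable) and set the (Pre)-Master-Secret log filename preference in the same TLS preferences page.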

Following a TCP stream:

Right-click any packet in a TCP session and select Follow > TCP Stream. This reassembles the entire conversation into a readable format, useful for debugging HTTP, SMTP, or custom protocol issues.

tshark

The command line equivalent of Wireshark. Same dissection engine, no GUI. Essential for capturing on remote servers and for scripted analysis.

# Capture 100 packets on interface wg0
sudo tshark -i wg0 -c 100

# Capture DNS traffic only (capture filter on UDP port 53, queries and responses)
sudo tshark -i eth0 -f "udp port 53"

# Print selected fields as JSON for scripting
sudo tshark -i eth0 -T json -e frame.number -e ip.src -e dns.qry.name \
    -Y "dns" 2>/dev/null

# Read a saved capture file
tshark -r capture.pcap -Y "http"

# Capture to a file (rotating every 100MB, keeping 5 files)
sudo tshark -i eth0 -b filesize:102400 -b files:5 -w /tmp/capture.pcap
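
An added example, not part of the original page, of the scripted analysis tshark makes possible: it reads tab-separated -T fields output and lists clients whose DNS queries go to a server other than the internal resolver. It assumes the resolver is 10.1.0.1, as in the dig examples on this page; the function name and the sample rows are constructed for illustration.

```sh
# Added example: find clients that bypass the internal DNS resolver.
# Real input would come from a capture, for instance:
#   tshark -r capture.pcap -Y 'dns.flags.response == 0' \
#       -T fields -e ip.src -e ip.dst -e dns.qry.name
# which prints one tab-separated row per DNS query.

# dns_bypass_report RESOLVER
#   stdin:  rows of "client<TAB>server<TAB>queried name"
#   stdout: "client server query_count first_name_seen", busiest first
dns_bypass_report() {
    awk -F'\t' -v resolver="$1" '
        NF < 3 || $1 == "" { next }     # skip malformed or non-IPv4 rows
        $2 != resolver {
            key = $1 " " $2
            count[key]++
            if (!(key in example)) example[key] = $3
        }
        END {
            for (key in count) print key, count[key], example[key]
        }
    ' | sort -k3,3nr -k1,1
}

# Constructed sample rows (not from a real capture).
sample_queries() {
    printf '10.1.0.23\t10.1.0.1\tserver.yourdomain.net\n'
    printf '10.1.0.42\t8.8.8.8\tupdates.example.com\n'
    printf '10.1.0.42\t8.8.8.8\ttelemetry.example.com\n'
    printf '10.1.0.57\t1.1.1.1\tntp.example.org\n'
    printf '10.1.0.23\t10.1.0.1\tmail.yourdomain.net\n'
}

sample_queries | dns_bypass_report 10.1.0.1
```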

tcpdump

Lighter than tshark, available everywhere, and faster for quick captures. The tool of choice when you need to capture on a remote machine and examine the output locally.

# Capture all traffic on eth0
sudo tcpdump -i eth0

# Capture and save to file for Wireshark analysis
sudo tcpdump -i eth0 -w /tmp/capture.pcap

# Filter for traffic to/from a specific host
sudo tcpdump -i eth0 host 10.1.0.10

# Filter for a specific port
sudo tcpdump -i eth0 port 25

# Show packet contents in ASCII
sudo tcpdump -i eth0 -A port 80

# Capture DNS and show verbose output
sudo tcpdump -i eth0 -vvv port 53

ngrep

Network grep: searches packet payloads for text patterns. Useful for finding specific strings in HTTP traffic, MQTT messages, or other plaintext protocols without the overhead of a full Wireshark session.

# Find all HTTP requests containing a specific path
sudo ngrep -q -W byline "GET /api" port 80

# Monitor MQTT messages on a specific topic
sudo ngrep -q "temperature" port 1883

# Search for a hostname in DNS traffic
sudo ngrep -q "yourdomain.net" port 53

Network diagnostics

mtr

mtr combines ping and traceroute into a live, continuously updating display. The most useful single tool for diagnosing connectivity and latency issues between hosts.

# Interactive mode (press q to quit)
mtr 10.2.0.1

# Report mode (runs 10 cycles and exits)
mtr --report 10.2.0.1

# Show IP addresses rather than resolving hostnames
mtr --no-dns 10.2.0.1

# Test connectivity across the VPN to Fallowfield
mtr 10.2.0.1

# Test connectivity to The Lighthouse
mtr 10.3.0.1

ping and ping6

The baseline connectivity test. Worth knowing the flags:

# Standard ping
ping 10.1.0.1

# Specific number of packets
ping -c 4 10.1.0.1

# Smaller packet size (useful for MTU testing)
ping -s 1400 10.1.0.1

# Flood ping (requires root, useful for stress testing)
sudo ping -f 10.1.0.1

# IPv6
ping6 ::1

traceroute

Shows the path packets take through the network. Useful for understanding routing decisions and identifying where packets are being dropped.

traceroute 10.2.0.1
traceroute --max-hops=20 8.8.8.8

iperf3

Measures network throughput between two hosts. Run the server on the remote host and the client locally.

On the server:

iperf3 --server

On the desktop:

# TCP throughput test
iperf3 --client 10.1.0.10

# UDP test (useful for checking packet loss)
iperf3 --client 10.1.0.10 --udp --bandwidth 10M

# Reverse test (server sends to client)
iperf3 --client 10.1.0.10 --reverse

# 30 second test with 8 parallel streams
iperf3 --client 10.1.0.10 --time 30 --parallel 8

Particularly useful for verifying actual throughput across the WireGuard VPN tunnel versus the theoretical bandwidth of the underlying connection.


DNS diagnostics

dig

The primary DNS debugging tool. More verbose and controllable than nslookup.

# Basic query
dig yourdomain.net

# Query a specific server
dig @10.1.0.1 server.yourdomain.net

# Query for a specific record type
dig yourdomain.net MX
dig yourdomain.net TXT
dig yourdomain.net AAAA

# Reverse lookup
dig -x 10.1.0.10

# DNSSEC validation check
dig +dnssec sigok.verteiltesysteme.net

# Trace the full resolution path
dig +trace yourdomain.net

# Short output only
dig +short yourdomain.net A

# Check if your internal resolver is working
dig server.yourdomain.net @127.0.0.1

resolvectl

The systemd-resolved diagnostic tool. Shows which DNS server is being used for each interface and can resolve names showing the full resolution path.

# Show current DNS configuration for all interfaces
resolvectl status

# Resolve a name
resolvectl query server.yourdomain.net

# Check DNSSEC status
resolvectl statistics

# Flush the resolver cache
sudo resolvectl flush-caches

Port scanning and service discovery

nmap

The standard network scanner. Useful for discovering what is running on your own servers, verifying firewall rules are working as intended, and auditing the network.

# Ping scan (find all live hosts in a subnet)
nmap -sn 10.1.0.0/24

# Port scan a specific host
nmap 10.1.0.10

# Scan specific ports
nmap -p 22,80,443,587,993 10.1.0.10

# Service version detection
nmap -sV 10.1.0.10

# Operating system detection
sudo nmap -O 10.1.0.10

# Scan the entire internal network (use with care)
nmap -sn 10.0.0.0/8

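# Check if a specific port is open (WireGuard listens on UDP, so scan with -sU;
# it stays silent to probes, so expect open|filtered rather than open)
sudo nmap -sU -p 51820 vpn.yourdomain.net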

# UDP scan
sudo nmap -sU -p 53,123,5353 10.1.0.1

Note: always scan only networks you own or have explicit permission to scan.
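
One way to do the firewall verification described above, as an added example that is not part of the original page: scan with nmap's grepable output (-oG) and compare the open ports with a list of what should be reachable. The function name, the allowlist format and the sample scan output are assumptions made for this illustration.

```sh
# Added example: compare nmap grepable output with the ports you expect.
# Real input would come from scanning your own host, for instance:
#   nmap -p- -oG - 10.1.0.10 | audit_open_ports "$EXPECTED"

# audit_open_ports ALLOWLIST
#   ALLOWLIST: newline-separated "host port/proto" entries
#   stdin:     nmap -oG output (tab-separated fields on each Host: line)
#   stdout:    "UNEXPECTED host port/proto service" for open ports not listed,
#              "MISSING host port/proto" for listed ports that are not open
audit_open_ports() {
    ALLOW="$1" awk -F'\t' '
        BEGIN {
            n = split(ENVIRON["ALLOW"], rows, "\n")
            for (i = 1; i <= n; i++) if (rows[i] != "") want[rows[i]] = 1
        }
        $1 ~ /^Host: / {
            split($1, h, " "); host = h[2]
            for (c = 2; c <= NF; c++) {
                if ($c !~ /^Ports: /) continue
                m = split(substr($c, 8), ports, ", ")
                for (i = 1; i <= m; i++) {
                    # entry layout: port/state/proto/owner/service/...
                    split(ports[i], p, "/")
                    if (p[2] != "open") continue
                    key = host " " p[1] "/" p[3]
                    seen[key] = 1
                    if (!(key in want)) print "UNEXPECTED", key, p[5]
                }
            }
        }
        END { for (k in want) if (!(k in seen)) print "MISSING", k }
    ' | sort
}

# Allowlist for the mail server (ports taken from the scan example above).
EXPECTED='10.1.0.10 22/tcp
10.1.0.10 80/tcp
10.1.0.10 443/tcp
10.1.0.10 587/tcp
10.1.0.10 993/tcp'

# Constructed sample of "nmap -oG -" output (not from a real scan).
sample_scan() {
    printf 'Host: 10.1.0.10 ()\tStatus: Up\n'
    printf 'Host: 10.1.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
    printf '443/closed/tcp//https///, 587/open/tcp//submission///, '
    printf '993/open/tcp//imaps///, 3306/open/tcp//mysql///\n'
}

sample_scan | audit_open_ports "$EXPECTED"
```

Only ports in state open count as reachable, so a UDP result of open|filtered is reported as MISSING and needs a manual check.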

netcat

The Swiss Army knife of TCP/UDP connections. Useful for testing connectivity, proxying connections, and simple file transfer.

# Test if a TCP port is open
nc -zv 10.1.0.10 22

# Test if a UDP port is open
nc -zuv 10.1.0.1 53

# Connect to a service manually
nc 10.1.0.10 25

# Listen on a port
nc -l 9999

# Simple file transfer (receiver first)
# Receiver: nc -l 9999 > received_file
# Sender: nc 10.1.0.10 9999 < file_to_send

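# Test WireGuard port reachability (WireGuard never answers unauthenticated
# packets, so this cannot confirm the endpoint is up; check the latest
# handshake in "sudo wg show" for that)
nc -u -v vpn.yourdomain.net 51820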

Live traffic monitoring

nethogs

Shows which processes are using network bandwidth, grouped by process. Useful for identifying what is consuming bandwidth on the desktop.

sudo nethogs eth0
sudo nethogs wg0

iftop

Shows live bandwidth usage by connection pair. Useful for seeing which connections are consuming the most traffic.

sudo iftop -i eth0
sudo iftop -i wg0 -n  # -n disables hostname resolution for speed

HTTP and API testing

httpie

A human-friendly HTTP client. More readable than curl for testing APIs and web services.

# GET request
http GET https://api.yourdomain.net/status

# POST with JSON body
http POST https://api.yourdomain.net/data key=value

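# With authentication (omit the password to be prompted, keeping it out of shell history)
http -a username GET https://admin.yourdomain.net/api

# Test your internal mail server's HTTPS endpoint against your own CA certificate
http --verify=/path/to/ca-cert.pem GET https://mail.yourdomain.net/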

# Show full request and response headers
http -v GET https://yourdomain.net

curl

More widely available than httpie and essential for scripts.

# Basic GET
curl https://yourdomain.net

# Show response headers
curl -I https://yourdomain.net

# Test with your internal CA certificate
curl --cacert /path/to/root-ca.crt https://internal.yourdomain.net

# POST JSON
curl -X POST -H "Content-Type: application/json" \
    -d '{"key": "value"}' \
    https://api.yourdomain.net/endpoint

# Time the connection phases
curl -w "\nDNS: %{time_namelookup}s\nConnect: %{time_connect}s\nSSL: %{time_appconnect}s\nTotal: %{time_total}s\n" \
    -o /dev/null -s https://yourdomain.net

Interface and routing

ip

The modern replacement for ifconfig and route. Everything network interface and routing related.

# Show all interfaces
ip link show

# Show IP addresses
ip address show

# Show routing table
ip route show

# Show a specific route
ip route get 10.2.0.1

# Show WireGuard interface
ip link show wg0

# Add a temporary route (disappears on reboot)
sudo ip route add 192.168.100.0/24 via 10.1.0.1

# Show ARP cache
ip neighbour show

ss

The modern replacement for netstat. Shows socket statistics.

# Show all listening TCP sockets
ss -tlnp

# Show all established connections
ss -tnp

# Show UDP sockets
ss -unlp

# Find what is listening on a specific port
ss -tlnp sport = :22

# Show WireGuard connections
ss -unlp | grep 51820

ethtool

Shows and configures physical network interface properties.

# Show interface details
ethtool eth0

# Show driver and firmware information
ethtool -i eth0

# Show interface statistics
ethtool -S eth0

# Check link speed and duplex
ethtool eth0 | grep -E "Speed|Duplex|Link"

socat

A versatile tool for creating bidirectional data streams between almost any two endpoints. Useful for testing, proxying, and debugging.

# Create a simple TCP proxy
socat TCP-LISTEN:8080,fork TCP:internal.yourdomain.net:80

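# Test a TLS connection (verify=0 skips certificate validation;
# use cafile=/path/to/root-ca.crt instead to validate against your own CA)
socat - SSL:mail.yourdomain.net:993,verify=0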

# Forward a local port to a remote host via an SSH tunnel
socat TCP-LISTEN:5432,fork \
    EXEC:'ssh server.yourdomain.net nc 127.0.0.1 5432'

# Create a serial-to-TCP bridge (useful for IoT hardware)
socat /dev/ttyUSB0,b115200,raw,echo=0 TCP:192.168.1.100:3000

Wireshark capture permissions

If Wireshark cannot capture without sudo despite being in the wireshark group, verify the group membership has been applied to the current session:

groups | grep wireshark

If wireshark is not in the output, log out and back in. If it still does not appear, add your user manually and log out:

sudo usermod -aG wireshark ${USER}

To verify that dumpcap (the capture engine) has the correct capabilities:

getcap /usr/bin/dumpcap

The output should include cap_net_raw and cap_net_admin with the eip flags, for example cap_net_admin,cap_net_raw=eip.
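
The checks above as a single decision function, added here as an example and not part of the original page. It assumes the current session's groups come from id -nG, the group database entry from id -nG "$USER", and the capabilities line from getcap /usr/bin/dumpcap; the function names and sample inputs are constructed.

```sh
# Added example: decide why Wireshark cannot capture without sudo.
# Real inputs on the desktop would be:
#   diagnose_capture "$(id -nG)" "$(id -nG "$USER")" "$(getcap /usr/bin/dumpcap)"
# "id -nG" shows the groups of the current session; "id -nG USER" reads the
# group database, so a difference between the two means a re-login is pending.

has_word() {   # has_word WORD "space separated list"
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose_capture SESSION_GROUPS DATABASE_GROUPS GETCAP_OUTPUT
# Prints one of: ok, relogin, add-user, fix-caps
diagnose_capture() {
    if ! has_word wireshark "$1"; then
        if has_word wireshark "$2"; then
            echo relogin        # in the database, not yet in this session
        else
            echo add-user       # sudo usermod -aG wireshark "$USER"
        fi
        return 0
    fi
    # Both capabilities must be present, followed by a flag separator.
    case $3 in
        *cap_net_admin*cap_net_raw*[=+]*|*cap_net_raw*cap_net_admin*[=+]*) ;;
        *) echo fix-caps; return 0 ;;
    esac
    flags=${3##*[=+]}           # text after the last "=" or "+", e.g. "eip"
    case $flags in
        *e*p*) echo ok ;;       # effective and permitted are both set
        *) echo fix-caps ;;
    esac
}

# Constructed inputs: user was added with usermod but has not logged in again.
diagnose_capture "alice adm sudo" "alice adm sudo wireshark" \
    "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"
```

A fix-caps result means dumpcap lacks the capabilities; answering the installer question again with sudo dpkg-reconfigure wireshark-common restores them.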

These tools give you visibility into your own network. Use them on networks you own or have explicit permission to analyse. Packet capture in particular captures all traffic visible to the interface, which on a shared network includes other people’s data. On your own network, capture responsibly and do not store captures longer than needed for the diagnostic task at hand.