Linux network troubleshooting: ss + tcpdump (quick workflow)
When something is “down”, I usually don’t start with ping.
I start by answering two questions:
- Is the process listening?
- Are packets arriving/leaving?
Step 1: check listening sockets with ss
Show listening TCP/UDP ports (-l listening, -n numeric, -t TCP, -u UDP, -p owning process):
sudo ss -lntup
Filter by port:
sudo ss -lntup | grep ':443'
If nothing is listening, fix the service first.
Step 2: confirm who owns the port
ss already shows the process name/pid, but sometimes I double-check:
sudo lsof -iTCP:443 -sTCP:LISTEN
Step 3: capture traffic with tcpdump
Capture traffic to port 443:
sudo tcpdump -ni any port 443
Capture only SYN packets (useful for “connection refused” / “timeout” cases):
sudo tcpdump -ni any 'tcp[tcpflags] & tcp-syn != 0 and port 443'
If you see the SYN arriving but no SYN/ACK leaving, the cause is usually one of:
- firewall
- service not bound to the right IP
- routing issues
Step 4: capture a file and analyze later
sudo tcpdump -ni any port 443 -w /tmp/trace.pcap
Open with Wireshark locally.
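To make Step 1 and the "service not bound to the right IP" case from Step 3 checkable without eyeballing the table, here is an added helper (not part of the original post) that parses `ss -lntup` output for a given port and reports whether anything listens on it, on which addresses, and which processes own it. The ss output embedded below is a constructed sample, not captured from a real host.

```python
import re

# Constructed sample of `sudo ss -lntup` output (not from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   127.0.0.1:443      0.0.0.0:*  users:(("nginx",pid=1234,fd=6),("nginx",pid=1235,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*     users:(("sshd",pid=801,fd=4))
"""

# Matches one ("name",pid=N,fd=N) entry inside the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

def split_local(local):
    """'[::]:22' -> ('::', 22); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    addr, port = local.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and scope id
    return addr, int(port)

def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")

def listeners(ss_output, port):
    """Return the sockets from ss -lntup text that are bound to `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split(None, 6)  # Netid State Recv-Q Send-Q Local Peer Process
        if len(fields) < 6 or ":" not in fields[4]:
            continue  # header row or malformed line
        addr, lport = split_local(fields[4])
        if lport != port:
            continue
        procs = PROC_RE.findall(fields[6]) if len(fields) > 6 else []
        found.append({"proto": fields[0], "state": fields[1], "addr": addr,
                      "procs": sorted({(n, int(p)) for n, p in procs})})
    return found

def diagnose(ss_output, port):
    """Step 1 triage: 'not-listening', 'loopback-only' or 'listening'."""
    socks = listeners(ss_output, port)
    if not socks:
        return "not-listening"   # fix the service first
    if all(is_loopback(s["addr"]) for s in socks):
        return "loopback-only"   # only the host itself can reach it
    return "listening"

if __name__ == "__main__":
    for p in (443, 22, 8080):
        print(p, diagnose(SAMPLE_SS, p), listeners(SAMPLE_SS, p))
```

On a real box, feed it the live output: `diagnose(subprocess.run(["ss", "-lntup"], capture_output=True, text=True).stdout, 443)`.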
Quick tip
Try to collect proof, not opinions:
- output from ss
- a small tcpdump capture
- service logs
It saves a lot of back and forth.
Easy peasy! :)