Linux/Unix: Diagnostics - netstat, ss, traceroute, mtr Explained with Output & Usage
Introduction - Why Learn Linux Network Diagnostics?
When network issues arise, system administrators need quick, reliable tools to diagnose connections, identify bottlenecks, or trace packet paths. Linux provides powerful utilities like netstat, ss, traceroute, and mtr to inspect sockets, monitor ports, and track routes in real time.
In this guide, you'll learn:
- How to analyze open ports and active connections
- How to trace network paths using hops and latency
- The difference between traditional and real-time tools
1. netstat - Legacy Tool for Network Statistics
What is netstat?
netstat displays network connections, routing tables, interface stats, and listening ports. It's now deprecated in favor of ss.
Syntax:
netstat [options]
Common Options:
| Option | Meaning |
|---|---|
| -t | Show TCP connections only |
| -u | Show UDP connections only |
| -l | Show listening ports |
| -n | Show numeric addresses |
| -p | Show PID and program names |
| -r | Show routing table |
Example: Show all TCP listening ports
netstat -tlnp
Output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1056/sshd
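Shows the listening TCP ports and which process is using each one. Without root privileges, the PID/Program name column is filled in only for your own processes.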
Install with:
sudo apt install net-tools
2. ss - Modern Replacement for netstat
What is ss?
ss (socket statistics) is faster and more accurate than netstat for displaying socket connections and performance.
Syntax:
ss [options]
Common Options:
| Option | Meaning |
|---|---|
| -t | Display TCP sockets |
| -u | Display UDP sockets |
| -l | Show only listening sockets |
| -n | Show numerical addresses/ports |
| -p | Show process using the socket |
| -a | Display all sockets |
Example: Show listening TCP ports with process names
ss -tlnp
Output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1056,fd=3))
Much faster than netstat and works well with scripting.
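Because ss output is easy to script, it is a convenient source for auditing which listeners accept connections on every interface. The following is an added example, not part of the original guide: the function names `exposed_listeners` and `sample_ss_output` and the sample lines are constructed for illustration, and the parser assumes the column layout of `ss -Htlnp` (`-H` suppresses the header line).

```shell
#!/bin/sh
# Added example: flag TCP listeners bound to a wildcard address on ports
# that are not in an allowlist. Input is `ss -Htlnp` output on stdin;
# arguments are the ports that are expected to be exposed.

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=1056,fd=3))
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=2001,fd=5))
LISTEN 0 511  [::]:8080      [::]:*    users:(("node",pid=3100,fd=20))
LISTEN 0 128  *:9090         *:*       users:(("prometheus",pid=3200,fd=7))
LISTEN 0 64   0.0.0.0:2049   0.0.0.0:*
EOF
}

# Prints "port<TAB>address<TAB>process" for each unexpected wildcard listener.
exposed_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        la = $4
        # The port follows the LAST colon, so [::]:8080 splits correctly.
        port = la; sub(/^.*:/, "", port)
        addr = substr(la, 1, length(la) - length(port) - 1)
        # Only wildcard binds are reachable on every interface.
        if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
        if (port in ok) next
        # The process column is empty for kernel sockets and, without root,
        # for sockets owned by other users.
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        printf "%s\t%s\t%s\n", port, addr, proc
    }'
}

# On a real host: sudo ss -Htlnp | exposed_listeners 22 443
```

Listeners bound to 127.0.0.1 are skipped because they are not reachable from other hosts; a line reported as `unknown` is worth rerunning with sudo before concluding that no process owns the socket.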
3. traceroute - Track Packet Path to Destination
What is traceroute?
traceroute maps the route packets take to reach a destination, showing each network hop and its latency.
Syntax:
traceroute [destination]
Options:
| Option | Description |
|---|---|
| -n | Don’t resolve hostnames |
| -w | Set timeout per probe |
| -m | Max number of hops (default: 30) |
Example: Trace route to Google
traceroute google.com
Output:
1 192.168.0.1 (192.168.0.1) 2.123 ms 1.452 ms 1.478 ms
2 100.65.32.1 (100.65.32.1) 5.876 ms 4.903 ms 4.832 ms
3 ...
Each line is a hop; the three times are the round-trip latencies, in milliseconds, of the three probes sent to that hop.
Install with:
sudo apt install traceroute
4. mtr - Real-Time Traceroute with Stats
What is mtr?
mtr combines traceroute and ping into a real-time visual diagnostic tool. It continuously sends probes and updates live statistics about packet loss and latency.
Syntax:
mtr [destination]
Example: Run mtr to google.com
mtr google.com
Output:
My traceroute [v0.94]
Host Loss% Snt Last Avg Best Wrst StDev
1. 192.168.0.1 0.0% 10 1.1 1.2 1.0 1.5 0.2
2. 100.65.32.1 0.0% 10 5.5 5.6 5.3 6.2 0.3
...
Best tool for detecting packet loss and instability across the route.
Install with:
sudo apt install mtr
Diagnostic Tool Comparison
| Tool | Purpose | Realtime | Best For |
|---|---|---|---|
| netstat | Legacy socket & port display | | Quick one-off checks (legacy) |
| ss | Modern socket display | | Active connections, performance |
| traceroute | Trace path to destination | | Path tracking, hop delays |
| mtr | Real-time traceroute & ping | | Detect packet loss, instability |
Summary - Recap & Next Steps
These diagnostic tools help you detect connectivity issues, trace network hops, monitor open ports, and spot real-time packet drops. Each serves a unique role in Linux networking diagnostics.
Key Takeaways:
- Use ss for fast socket/port inspection
- Use netstat for legacy compatibility
- Use traceroute to map the route of packets
- Use mtr to monitor route quality in real time
FAQs
What replaced netstat in modern Linux?
The ss command is the recommended replacement; it is faster and more detailed.
Can I use traceroute and mtr on servers without GUI?
Yes. Both work entirely in the terminal.
What's the difference between traceroute and mtr?
traceroute is one-time; mtr is live, continuous, and shows packet loss stats.
How do I find which process is using a port?
Use:
sudo ss -tulnp | grep 8080
How to interpret packet loss in mtr?
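Anything >0% is suspicious. Check routers showing consistent loss across hops. Loss that shows up at a single intermediate hop but not at the hops after it usually means that router is rate-limiting its replies to probes, not dropping forwarded traffic.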
