Network Monitoring

Network monitoring on a Linux server covers three areas: interface utilization (how much of your bandwidth is being used), connection state (what connections exist and in what state), and packet-level analysis (what traffic looks like at the byte level). Most network problems on a correctly configured server are bandwidth saturation, too many connections in TIME_WAIT state, or packet loss causing retransmissions. These are diagnosed with different tools.

Interface statistics

ip -s link show eth0    # Packet and byte counters with error stats

ip -s link show eth0 output

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    RX: bytes  packets  errors  dropped  missed  mcast
    8523456789 45234567       0        0       0      0
    TX: bytes  packets  errors  dropped carrier collsns
    2345678901 12345678       0        0       0      0

errors > 0 = hardware or driver problem
dropped > 0 = interface buffer overrun or firewall drop

# Real-time per-interface bandwidth:
sudo apt install -y nload ifstat

nload eth0        # Real-time bandwidth graph per interface
ifstat -i eth0 1  # Numeric bandwidth per second

Connection monitoring

# ss: modern netstat replacement (faster, more information)
ss -s            # Summary of connection states
ss -tlnp         # TCP listening ports with process info
ss -tnp          # Established TCP connections

# Count connections by state (NR>1 skips the header line):
ss -tan | awk 'NR>1 {print $1}' | sort | uniq -c | sort -rn

Connection state summary

1423 ESTABLISHED   ← normal active connections
 234 TIME_WAIT     ← normal cleanup state (high values indicate heavy traffic or tuning needed)
  45 CLOSE_WAIT    ← application not closing connections properly (potential bug)
   3 LISTEN        ← listening services

# Find top connection sources:
ss -tn | awk 'NR>1 {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head -10
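
The state count and top-source one-liners above, combined into a small threshold check. This is an added example, not code from the original article: the function names, the limits and the sample input (documentation address ranges) are constructed for illustration. It matches the state names as ss itself prints them (ESTAB, TIME-WAIT, CLOSE-WAIT).

```shell
#!/bin/sh
# Added example (not from the original article): triage `ss -tan` output.
# Sample data and limits below are constructed for illustration.

# Constructed `ss -tan` sample using documentation address ranges.
sample_ss() {
cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:443           0.0.0.0:*
ESTAB      0      0      192.0.2.10:443        198.51.100.7:51234
ESTAB      0      0      192.0.2.10:443        198.51.100.7:51240
ESTAB      0      0      192.0.2.10:443        203.0.113.9:40022
ESTAB      0      0      [2001:db8::10]:443    [2001:db8::99]:53110
TIME-WAIT  0      0      192.0.2.10:443        198.51.100.7:51100
CLOSE-WAIT 1      0      192.0.2.10:8080       203.0.113.9:40100
CLOSE-WAIT 1      0      192.0.2.10:8080       203.0.113.9:40101
SYN-RECV   0      0      192.0.2.10:443        203.0.113.50:1025
EOF
}

# Print the number of sockets in state $1 (ss spelling, e.g. CLOSE-WAIT).
count_state() {
    awk -v want="$1" 'NR > 1 && $1 == want { n++ } END { print n + 0 }'
}

# Print "count peer" for the $1 busiest remote addresses, ports stripped.
# Listening sockets are skipped; IPv6 brackets are preserved.
top_peers() {
    awk 'NR > 1 && $1 != "LISTEN" { p = $5; sub(/:[0-9]+$/, "", p); c[p]++ }
         END { for (p in c) print c[p], p }' | LC_ALL=C sort -k1,1nr -k2,2 | head -n "$1"
}

# Return 1 and print a warning when state $1 exceeds limit $2.
check_limit() {
    n=$(count_state "$1")
    if [ "$n" -gt "$2" ]; then
        echo "WARN: $n sockets in $1 (limit $2)"
        return 1
    fi
    echo "OK: $n sockets in $1 (limit $2)"
}

# Demo on the constructed sample; on a live host pipe `ss -tan` in instead.
sample_ss | top_peers 3
sample_ss | check_limit CLOSE-WAIT 1 || true
sample_ss | check_limit SYN-RECV 5
```

On a real server, replace `sample_ss` with `ss -tan` and choose limits from your own baseline; a non-zero return from `check_limit` can drive a cron alert.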

Bandwidth monitoring

# iftop: real-time per-connection bandwidth (like top but for network)
sudo apt install -y iftop
sudo iftop -i eth0   # Show per-connection bandwidth usage

# vnstat: historical bandwidth statistics
sudo apt install -y vnstat
sudo vnstat -i eth0 --live    # Live view
vnstat -d                     # Daily statistics
vnstat -m                     # Monthly statistics

vnstat -d output

       day           rx      |      tx      |    total     |   avg. rate
    -------------------------+--------------+--------------+--------------
    2025-06-07      2.34 GiB |    18.42 GiB |    20.76 GiB |  1.96 Mbit/s

Packet capture and analysis

# tcpdump: capture packets for diagnosis
# Capture HTTP traffic (port 80):
sudo tcpdump -i eth0 port 80 -c 100

# Capture traffic to/from a specific IP:
sudo tcpdump -i eth0 host 192.168.1.100 -c 50

# Save to pcap file for Wireshark analysis:
sudo tcpdump -i eth0 -w /tmp/capture.pcap -c 1000

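# Show packets with the SYN flag set (connection attempts).
# tcpdump has no retransmission filter; repeated SYNs from the same
# source address and port are the packet loss indicator to look for:
sudo tcpdump -i eth0 "tcp[tcpflags] & tcp-syn != 0"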

Conclusion

For daily network health: check ip -s link for interface errors (hardware problems), use ss -s for connection state summary (high CLOSE_WAIT indicates application bugs, high TIME_WAIT is usually normal), and use nload or iftop to identify which connections are consuming bandwidth. tcpdump is the definitive tool for diagnosing network issues at the packet level when higher-level tools do not give enough detail.

FAQ

Is Network Monitoring important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.