Troubleshooting and the Future of Networking

Network issues can occur at any layer of the stack. Effective troubleshooting means systematically isolating which layer is broken:

| Layer | What to check | Tool |
| --- | --- | --- |
| Physical (L1) | Cable connected? Link light on? | Visual inspection, cable tester |
| Data Link (L2) | MAC address resolving? Switch port up? | ip link, ethtool, ARP table |
| Network (L3) | Can you reach the IP? Route exists? | ping, traceroute, ip route |
| Transport (L4) | Is the port open? Connection established? | nc, ss, telnet, tcpdump |
| Application (L5) | Is the service responding correctly? | curl, dig, openssl s_client |

ICMP (Internet Control Message Protocol) is the “error reporting” protocol of the network layer. When something goes wrong with IP packet delivery, routers send ICMP messages back to the source.

ICMP Packet Structure

| Field | Size | Purpose |
| --- | --- | --- |
| Type | 8 bits | What kind of ICMP message (see table below) |
| Code | 8 bits | Subtype within the message type |
| Checksum | 16 bits | Integrity check for the ICMP header + data |
| Rest of Header | 32 bits | Varies by type (e.g., sequence number for echo) |
| Data/Payload | Variable | Contains the IP header + first 8 bytes of the packet that triggered the error |

| Type | Code | Meaning |
| --- | --- | --- |
| 0 | 0 | Echo Reply (response to ping) |
| 3 | 0 | Destination network unreachable |
| 3 | 1 | Destination host unreachable |
| 3 | 3 | Destination port unreachable |
| 3 | 13 | Communication administratively prohibited (firewall) |
| 8 | 0 | Echo Request (outgoing ping) |
| 11 | 0 | TTL exceeded (used by traceroute) |
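
The header layout and type/code table above, as an added Python example (not code from the original page): it builds an echo request with a valid checksum and parses a "TTL exceeded" error to recover the quoted original packet. The function names are illustrative, and the addresses, ports and payload are constructed sample values.

```python
import struct

# Names for the (type, code) pairs listed in the table above.
ICMP_NAMES = {
    (0, 0): "Echo Reply",
    (3, 0): "Destination network unreachable",
    (3, 1): "Destination host unreachable",
    (3, 3): "Destination port unreachable",
    (3, 13): "Communication administratively prohibited",
    (8, 0): "Echo Request",
    (11, 0): "TTL exceeded",
}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Assemble Type, Code, Checksum, Rest of Header (4 bytes) and payload."""
    draft = struct.pack("!BBH4s", icmp_type, code, 0, rest) + payload
    return draft[:2] + struct.pack("!H", checksum(draft)) + draft[4:]

def parse(msg: bytes) -> dict:
    icmp_type, code, csum, rest = struct.unpack("!BBH4s", msg[:8])
    info = {"name": ICMP_NAMES.get((icmp_type, code), "unknown"),
            "checksum_ok": checksum(msg) == 0}
    if icmp_type in (0, 8):                      # echo: identifier + sequence
        info["id"], info["seq"] = struct.unpack("!HH", rest)
    elif icmp_type in (3, 11):                   # error: quoted original packet
        quoted = msg[8:]
        ihl = (quoted[0] & 0x0F) * 4             # IPv4 header length in bytes
        info["orig_dst"] = ".".join(map(str, quoted[16:20]))
        info["orig_proto"] = quoted[9]
        # First 8 bytes after the IP header: for TCP/UDP these start with ports.
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info

# Constructed sample: a UDP probe from 192.0.2.10:40000 to 198.51.100.7:33434,
# quoted inside a "TTL exceeded" error (inner IP checksum left as zero).
ORIG = (bytes.fromhex("4500001c000040000111") + b"\x00\x00"
        + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7])
        + struct.pack("!HHHH", 40000, 33434, 8, 0))
ECHO = build(8, 0, struct.pack("!HH", 0x1234, 1), b"ping-data")
TTL_EXCEEDED = build(11, 0, b"\x00" * 4, ORIG)
```

The quoted header is what lets a host match an ICMP error to the socket that sent the original packet, so `parse(TTL_EXCEEDED)` reports the probe's destination and ports rather than the router's.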

Ping in Practice

```bash
# Basic connectivity test (Linux - 4 packets)
ping -c 4 8.8.8.8
# PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
# 64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12.3 ms
# 64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=11.8 ms
# --- 8.8.8.8 ping statistics ---
# 4 packets transmitted, 4 received, 0% packet loss, time 3004ms
# rtt min/avg/max/mdev = 11.8/12.1/12.3/0.2 ms

# Ping a hostname (tests DNS + connectivity)
ping -c 4 google.com

# Continuous ping (stop with Ctrl+C)
ping google.com

# Ping with specific packet size (test MTU)
ping -c 4 -s 1472 -M do 192.168.1.1
# -s 1472 = payload size (1472 + 28 overhead = 1500 MTU)
# -M do = don't fragment flag
# If "Frag needed" appears, MTU is smaller than expected

# Windows equivalent
ping -n 4 8.8.8.8
ping -t 8.8.8.8 # continuous (Ctrl+C to stop)
```

Traceroute maps the path packets take from you to a destination by exploiting TTL behavior. It sends packets with incrementally increasing TTLs (1, 2, 3…), causing each router along the path to send back an ICMP “Time Exceeded” message.

```bash
# Linux/Mac - uses UDP probes by default
traceroute google.com
# 1 gateway (192.168.1.1) 1.234 ms 0.987 ms 1.123 ms
# 2 isp-router (10.0.0.1) 5.678 ms 4.321 ms 5.123 ms
# 3 * * * # no response (firewall)
# 4 72.14.236.208 12.345 ms 11.234 ms 12.678 ms
# 5 google-dns (8.8.8.8) 13.456 ms 12.789 ms 13.234 ms

# TCP traceroute (bypasses ICMP-blocking firewalls)
sudo traceroute -T -p 443 example.com

# mtr - combines ping + traceroute in real-time (best tool for diagnosing path issues)
mtr google.com
# Shows live updating statistics: loss%, sent, last RTT, avg, best, worst

# mtr as a single report (useful for sharing)
mtr --report --report-cycles 10 google.com

# Windows
tracert google.com # uses ICMP echo by default
pathping google.com # longer-running trace with statistics per hop
```

When ping (L3) works but a service is unreachable, the issue is likely at the transport layer (L4). Test specific ports:

```bash
# netcat (nc) - the Swiss Army knife of networking
# Test if a TCP port is open (Linux/Mac)
nc -zv example.com 443
# Connection to example.com (93.184.216.34) 443 port [tcp/https] succeeded!
# -z = scan mode (don't send data)
# -v = verbose

# Scan a range of ports
nc -zv 192.168.1.1 20-25 80 443

# Test UDP port (harder - may not get a response even if open)
nc -zuv 8.8.8.8 53

# Windows equivalent (PowerShell)
Test-NetConnection -ComputerName example.com -Port 443
# ComputerName : example.com
# RemotePort : 443
# InterfaceAlias : Ethernet
# TcpTestSucceeded : True

# Quick multi-port check with bash loop
for port in 22 80 443 3306 5432 8080; do
  nc -zv myserver.com "$port" 2>&1 | grep -E "succeeded|refused"
done
```

dig (Domain Information Groper) replaced nslookup as the go-to DNS debugging tool on Linux/Mac. It shows the full DNS response including answer section, authority section, and timing.

```bash
# Basic lookup
dig example.com
# ;; ANSWER SECTION:
# example.com. 3600 IN A 93.184.216.34
# ;; Query time: 23 msec
# ;; SERVER: 127.0.0.53#53(127.0.0.53)

# Short output (just the answer)
dig +short example.com
# 93.184.216.34

# Query specific record types
dig MX gmail.com # mail servers
dig NS example.com # nameservers
dig TXT example.com # SPF, DKIM, verification
dig AAAA example.com # IPv6 address
dig -x 8.8.8.8 # reverse lookup (IP -> name)

# Query a specific DNS server
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

# Trace the full resolution path (root -> TLD -> authoritative)
dig +trace example.com

# Check if DNS propagation is complete (compare servers)
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short
dig @ns1.example.com example.com +short
```
```bash
# Basic lookup
nslookup example.com

# Query a specific server
nslookup example.com 8.8.8.8

# Interactive mode
nslookup
> server 8.8.8.8 # switch DNS server
> set type=MX # change record type
> gmail.com # query
> set debug # show full response packets
> exit

# Specific record type (non-interactive)
nslookup -type=MX gmail.com
nslookup -type=NS example.com
```

  • ICANN sits at the top of the DNS hierarchy, managing the root zone
  • Registrars (GoDaddy, Namecheap, Cloudflare, etc.) sell domain names under agreements with ICANN
  • Domain transfers between registrars require verification through a special TXT or authorization code
  • Domains have expiration dates - if you forget to renew, the domain can be purchased by anyone (domain squatting)

Before DNS existed, all name-to-IP mappings lived in a single flat file - the hosts file. It still exists on every OS:

Hosts File

| OS | Path |
| --- | --- |
| Linux / Mac | /etc/hosts |
| Windows | C:\Windows\System32\drivers\etc\hosts |

```
# Hosts file format (IP followed by hostname)
127.0.0.1 localhost
::1 localhost
192.168.1.50 myserver.local
10.0.0.5 staging.example.com # override DNS for testing
```

The loopback address (127.0.0.1 for IPv4, ::1 for IPv6) always points back to the local machine. Used for local development servers and testing without touching the network.
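
A parser for the hosts format shown above, as an added Python example (not from the original page), with a small audit that lists entries pointing names at non-loopback addresses. It assumes the common resolver order in which the hosts file is consulted before DNS; `parse_hosts` and `audit` are illustrative names and the sample file is constructed.

```python
import ipaddress

def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (ip, [hostnames]) for each entry; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or malformed
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an IP address
        entries.append((str(ip), [h.lower() for h in fields[1:]]))
    return entries

def audit(text: str) -> list[str]:
    """List entries worth reviewing because they take effect ahead of DNS."""
    findings = []
    for ip, names in parse_hosts(text):
        loop = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if name == "localhost" and not loop:
                findings.append(f"localhost -> {ip} is not a loopback address")
            elif not loop:
                findings.append(f"override: {name} -> {ip}")
    return findings

# Constructed sample based on the format shown above.
SAMPLE = """\
127.0.0.1 localhost
::1 localhost
192.168.1.50 myserver.local
10.0.0.5 staging.example.com # override DNS for testing
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Comparing this list against a known-good baseline is a quick way to spot leftover test overrides or unexpected changes to the file.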


Cloud computing delivers IT resources over the internet with pay-as-you-go pricing. The underlying technology is hardware virtualization - a hypervisor runs multiple virtual machines on shared physical hardware.

| Model | Who owns it | Accessed by | Pros | Cons |
| --- | --- | --- | --- | --- |
| Public | Third-party provider (AWS, GCP, Azure) | Anyone over internet | Scalable, cheap, no hardware maintenance | Shared infrastructure, less control |
| Private | Your organization | Internal only | Full control, security, compliance | Expensive, requires own staff |
| Hybrid | Mix of both | Depends on workload | Flexible, keep sensitive data private | Complex to manage |

| Model | You manage | Provider manages | Example |
| --- | --- | --- | --- |
| IaaS (Infrastructure) | OS, apps, data | Hardware, networking, virtualization | AWS EC2, GCP Compute Engine |
| PaaS (Platform) | Apps, data | OS, runtime, hardware | Heroku, Google App Engine, Azure App Service |
| SaaS (Software) | Just use it | Everything | Gmail, Slack, Salesforce |

IPv4’s 32-bit address space provides ~4.2 billion addresses. They’re exhausted. IPv6 uses 128-bit addresses, providing 340 undecillion (3.4 x 10^38) addresses - enough for every atom on Earth to have multiple IPs.

IPv6 Address Format

Full: 2001:0db8:0000:0000:0000:ff00:0042:8329
Short: 2001:db8::ff00:42:8329

Shortening rules:

  1. Remove leading zeros in each group: 0db8 -> db8, 0042 -> 42
  2. Replace one consecutive run of all-zero groups with :: (only once per address)

| Prefix | Purpose |
| --- | --- |
| ::1/128 | Loopback (equivalent to 127.0.0.1) |
| FE80::/10 | Link-local (auto-configured, not routable beyond the local segment) |
| FF00::/8 | Multicast |
| 2001:db8::/32 | Documentation/examples (not routable) |
| ::ffff:0:0/96 | IPv4-mapped IPv6 addresses |
| 2000::/3 | Global unicast (routable public addresses) |
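
The two shortening rules and the prefix table above, as an added Python example (not from the original page). It goes slightly beyond the text by following RFC 5952 for which run to compress (the longest, leftmost on a tie, never a single group); `shorten` and `classify` are illustrative names.

```python
import ipaddress

def shorten(full: str) -> str:
    """Apply the two shortening rules to a fully written-out IPv6 address."""
    parts = full.split(":")
    if len(parts) != 8:
        raise ValueError("expected eight colon-separated groups")
    # Rule 1: strip leading zeros in each group.
    groups = [format(int(g, 16), "x") for g in parts]
    # Rule 2: find the longest run of all-zero groups (leftmost on a tie).
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:            # RFC 5952: a single zero group stays as "0"
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"

# Prefixes from the table above, most specific first: 2001:db8::/32 lies
# inside 2000::/3, so it has to be tested before global unicast.
PREFIXES = [
    ("::1/128", "loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("2001:db8::/32", "documentation"),
    ("fe80::/10", "link-local"),
    ("ff00::/8", "multicast"),
    ("2000::/3", "global unicast"),
]

def classify(addr: str) -> str:
    """Return the table label for an address, or "other" if none matches."""
    ip = ipaddress.IPv6Address(addr)
    for prefix, label in PREFIXES:
        if ip in ipaddress.ip_network(prefix):
            return label
    return "other"

if __name__ == "__main__":
    full = "2001:0db8:0000:0000:0000:ff00:0042:8329"   # address from the text
    print(shorten(full), classify(full))
```

Normalizing addresses to one canonical form before comparing them avoids the same host appearing under several spellings in logs or allowlists.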

IPv6 addresses are divided into two halves:

  • First 64 bits = Network ID (includes the /48 routing prefix + 16-bit subnet ID)
  • Last 64 bits = Interface ID (host portion, often auto-generated from MAC address via EUI-64 or random)

CIDR notation works the same as IPv4: 2001:db8:abcd::/48 means the first 48 bits are the network prefix.

IPv6 Header vs IPv4

IPv6 simplified the header:

  • Removed optional fields and the header checksum (let TCP/UDP handle integrity)
  • Fixed header size (40 bytes) instead of variable-length IPv4 headers
  • Next Header field replaces IPv4’s Protocol field, enabling a chain of extension headers
  • Flow Label (20 bits) - new field for QoS, allowing routers to identify traffic flows without deep packet inspection

```bash
# Check your IPv6 addresses
ip -6 addr show

# Ping via IPv6
ping6 google.com
# or
ping -6 google.com

# Traceroute via IPv6
traceroute6 google.com

# Check if a host has AAAA (IPv6) records
dig AAAA google.com +short

# See IPv6 routes
ip -6 route show
```

IPv4 to IPv6 Transition

A global switch is impossible - billions of devices need time to migrate. Three approaches exist:

| Method | How it works | When to use |
| --- | --- | --- |
| Dual-stack | Device runs both IPv4 and IPv6 simultaneously | Most common. Preferred approach. |
| Tunneling | IPv6 packets encapsulated inside IPv4 datagrams | When path between two IPv6 nodes crosses IPv4-only networks |
| Translation (NAT64) | Gateway translates between IPv4 and IPv6 headers | When IPv6-only clients need to reach IPv4-only servers |

Tunneling protocols:

| Protocol | How it works | Limitation |
| --- | --- | --- |
| 6in4 (manual) | IPv6 encapsulated directly in IPv4. Simple, predictable performance. | Doesn’t work behind NAT |
| TSP | Negotiates tunnel setup parameters automatically | More complex |
| AYIYA | Encapsulates any protocol in any other. Works behind NAT. | Used primarily by tunnel brokers |

IPv4-mapped IPv6 addresses allow IPv4 traffic to traverse IPv6 networks. Format: ::ffff:192.168.1.1 - the last 32 bits represent the IPv4 address.