How to Audit Network Performance, Security, and Troubleshooting in Linux
Network security auditing is the process of assessing a network's health by analyzing the flow of data through it. It is one of the critical steps in detecting potential security threats and errors within the network. Security audits are performed either manually or with automated testing tools; they are crucial because they establish whether the network is secure and free of vulnerabilities or loopholes that an attacker could exploit. A basic security audit may include:
- Analysis of all Network devices
- Analysis of the Network Infrastructure
- Identifying network policies
- Risk Assessment
- Firewall Assessment
- Penetration testing
- Report drafting
Network performance refers to the quality of the network; it is measured in terms of bandwidth, throughput, latency, and jitter, using various network monitoring tools. In this article we briefly discuss some basic auditing techniques and the tools used to monitor network performance.
Using Etherape to Monitor Network Performance and Traffic
Etherape is a free and open-source tool for monitoring network performance and traffic. It displays network activity in a graphical interface, showing the nodes on the network as well as the protocols in use. The following command installs Etherape.
$ sudo apt-get install etherape
Once the installation is complete, execute the following command to run the Etherape application. Make sure to include sudo so that it has permission to open raw sockets.
$ sudo etherape
Netstat is a command-line tool for monitoring both incoming and outgoing network connections. It also shows which ports are free and which are listening. Run the following command to execute netstat.
$ sudo netstat -a
Socket Analysis and Port Defense
The netstat tool is now obsolete and no longer maintained; the ss command, which displays socket statistics, is used instead. Below are some of the commands used for socket investigation. The following command displays all active TCP connections.
$ ss -t -o
We can also filter for specific ports; this is known as port scanning. Use the following command to filter by source port.
$ ss -tn sport = :<port-number>
$ ss -tn sport = :55226
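As an added example (not part of the original article), the following shell function turns the socket listing above into a defensive check: it reads `ss -Hltn` output, compares every listening TCP socket against an allowlist of expected ports, and flags anything else, including a service that should stay on loopback but turns up bound to all addresses. The `ss -Hltn` output below is a constructed sample.

```shell
# Constructed sample of `ss -Hltn` output (listening TCP sockets, numeric, no
# header). Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:666 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 50 0.0.0.0:4444 0.0.0.0:*'

# audit_listeners "<ss -Hltn output>" "<allowlist>"
# The allowlist is space separated. A bare port ("22") allows that port on any
# address; "addr:port" ("127.0.0.1:666") allows it only on that bind address,
# so a service that should stay local is flagged if it shows up on 0.0.0.0.
# Prints one line per unexpected listener; returns 0 if none, 1 otherwise.
audit_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)      # everything before it
        gsub(/[[]/, "", addr); gsub(/[]]/, "", addr)   # "[::]" -> "::"
        key = addr ":" port
        if ((port in ok) || (key in ok)) next
        print "UNEXPECTED listener " key
        bad = 1
    }
    END { exit bad }'
}

# Run against the constructed sample; on a live host use:
#   audit_listeners "$(ss -Hltn)" "22 127.0.0.1:666"
audit_listeners "$SAMPLE_SS" "22 127.0.0.1:666" \
    || echo "review the listeners above, or add them to the allowlist"
```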
Open ports can be identified and potentially exploited by attackers, so to prevent this we can use defensive port scanning to find open ports and then protect them. One defensive strategy is to change the default port of services such as SSH. We can perform a port scan using Nmap. Install Nmap using the following command.
$ sudo apt install nmap
Run a port scan using the following command.
$ nmap <host-name or address>
$ nmap scanme.nmap.org
The above command leaves logs on the target system; to prevent this we can add the -A flag and the -sS flag and run the scan with root privileges.
$ sudo nmap -A -sS <host-name or address>
- -A: Displays a traceroute
- -sS: TCP SYN scan; does not complete the TCP 3-way handshake
Network Benchmarking and Troubleshooting
For network benchmarking and monitoring we will discuss two user-friendly tools, namely Nmon and Monitorix.
Nmon is a system performance monitor and network benchmarking tool for Linux. It displays information such as CPU, disk, resource, virtual memory, and network usage. Run one of the following commands to install nmon.
$ sudo apt install nmon
$ aptitude update && aptitude install nmon
Execute the following command to run nmon.
$ nmon
Nmon can be used to monitor network traffic in real time, to catch unnecessary network load and look out for threats.
Monitorix is a GUI-based utility that monitors both system resources and network bandwidth. It is lightweight but powerful, displaying and tracking usage statistics and network traffic data, and is ideal for small to medium-sized networks. Monitorix supports both IPv4 and IPv6 connections and also displays packet-traffic graphs. It supports an unlimited number of devices on a single network. Install Monitorix using the following command.
$ sudo apt install monitorix
Monitorix ships with a default configuration file at /etc/monitorix/monitorix.conf. The default settings work for the most part, but to fine-tune them read the official Monitorix manual and edit the configuration file with any text editor of your choice.
To access the Monitorix interface, enter its URL in your browser's address bar, replacing <ip-address> and <port-address> with the IP address and port of the host running Monitorix. To open the interface on your own computer, use your local address in the same URL.
Darkstat is a web-based network analyzer that displays statistics on network traffic, protocols, and general connection data. On Debian-based systems it can be installed with the apt package manager using the following command.
$ sudo apt install darkstat
Darkstat has to be configured before its first run; the configuration file is /etc/darkstat/init.cfg. Edit the file using the following command.
$ sudo nano /etc/darkstat/init.cfg
Initially the init.cfg file contains the stock settings; replace its contents with the following configuration.
# Turn this to yes when you have configured the options below.
START_DARKSTAT=yes
# Don't forget to read the man page.
# You must set this option, else darkstat may not listen to
# the interface you want
INTERFACE="-i ens33"
DIR="/var/lib/darkstat"
PORT="-p 666"
BINDIP="-b 127.0.0.1"
LOCAL="-l 192.168.0.0/255.255.255.0"
# File will be relative to $DIR:
DAYLOG="--daylog darkstat.log"
# Don't reverse resolve IPs to host names
# DNS="--no-dns"
#FILTER="not (src net 192.168.0 and dst net 192.168.0)"
# Additional command line Arguments:
# OPTIONS="--syslog --no-macs"
The network interface of your system can be found using the following command.
$ ip addr
Here the name of my interface in use is ens33, so alter the name of the network interface in the configuration file.
By default darkstat uses port 666, so the port has to be opened before use. Use the following command to allow TCP port 666 through the firewall.
$ sudo ufw allow 666/tcp
To reload the firewall:
$ sudo ufw reload
To check whether darkstat is listening on port 666, execute the following command.
$ ss -antpl | grep 666
Restart the darkstat service so that it picks up the new configuration file. Use the following command to restart the service.
$ sudo systemctl restart darkstat
Run the following command to check the status of darkstat.
$ systemctl status darkstat
Once everything is up and running, darkstat has been configured successfully and can be accessed at the URL http://localhost:666 in your browser.
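As an added example, not taken from the article or from the darkstat project, the shell script below validates an edited init.cfg before the service is restarted: it checks that START_DARKSTAT is yes, that the interface named in INTERFACE exists on the host, that PORT carries a numeric port, and that BINDIP keeps the web interface on 127.0.0.1 so traffic data is not served to the whole network. The config text and the `ip -o link` output are constructed samples, and the variable names are assumed to be those of the Debian package's init.cfg.

```shell
# Constructed sample of an edited /etc/darkstat/init.cfg (Debian variable names).
SAMPLE_CFG='START_DARKSTAT=yes
INTERFACE="-i ens33"
DIR="/var/lib/darkstat"
PORT="-p 666"
BINDIP="-b 127.0.0.1"'

# Constructed sample of `ip -o link` output for the same host.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

# cfg_value "<cfg text>" NAME: value of the last NAME=... line, quotes removed.
cfg_value() {
    printf '%s\n' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v }' | tail -n 1
}

# check_darkstat_cfg "<cfg text>" "<ip -o link text>"
# Prints each failing check; returns 0 when all pass, 1 otherwise.
check_darkstat_cfg() {
    rc=0
    start=$(cfg_value "$1" START_DARKSTAT)
    iface=$(cfg_value "$1" INTERFACE | sed 's/^-i *//')
    port=$(cfg_value "$1" PORT | sed 's/^-p *//')
    bind=$(cfg_value "$1" BINDIP | sed 's/^-b *//')
    # The init script only starts darkstat when this is exactly "yes".
    [ "$start" = yes ] || { echo "START_DARKSTAT is '$start'; service will not start"; rc=1; }
    # Interface names are the second ': '-separated field of `ip -o link`.
    printf '%s\n' "$2" | awk -F': ' '{ print $2 }' | grep -qxF -- "$iface" \
        || { echo "interface '$iface' is not present on this host"; rc=1; }
    case $port in
        ''|*[!0-9]*) echo "PORT does not carry a numeric port: '$port'"; rc=1 ;;
    esac
    # The web UI exposes traffic data; keep it on loopback unless remote access is intended.
    [ "$bind" = 127.0.0.1 ] || { echo "web UI bound to '$bind' instead of 127.0.0.1"; rc=1; }
    return $rc
}

# Run against the constructed samples; on a live host use:
#   check_darkstat_cfg "$(cat /etc/darkstat/init.cfg)" "$(ip -o link)"
check_darkstat_cfg "$SAMPLE_CFG" "$SAMPLE_LINKS" && echo "darkstat configuration looks sane"
```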