
Networking — Practical

Networking — Practical (commands & tricks)

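# DNS
dig +short example.com A
dig +trace example.com            # full resolution path from the roots (bypasses the local resolver's cache)
nslookup -type=MX example.com
host -a example.com
# Connectivity
ping -c 4 example.com
traceroute example.com            # or tracepath / mtr
mtr --report --report-cycles=10 example.com
# Sockets / connections
ss -tanp                          # TCP listening + connected with PIDs (-a is needed: without it ss hides listening sockets)
ss -tlnp                          # listening sockets only
ss -s                             # summary
netstat -anp | grep :8080         # substring match; the ss filter below matches the port exactly
ss -tanp '( sport = :8080 or dport = :8080 )'
lsof -nP -i :8080                 # what's on the port; -nP skips name lookups. Other users' processes show only as root
# Process file descriptors (<pid> is a placeholder)
ls /proc/<pid>/fd | wc -l
cat /proc/<pid>/limits            # "Max open files" here is the limit the process actually runs with
# Kernel TCP stats
cat /proc/net/sockstat
sysctl net.ipv4.tcp_max_syn_backlog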
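# headers + verbose (-I sends HEAD; some origins answer HEAD differently from GET)
curl -vI https://example.com
# follow redirects, save body
# mktemp instead of a fixed /tmp/x.html: /tmp is shared and world-writable, a fixed name can be pre-created by another user
out=$(mktemp) || exit 1
curl -L -o "$out" https://example.com
# show timing (-sS: no progress meter but errors are still reported; plain -s hides failures)
curl -w '@-' -o /dev/null -sS https://example.com <<'EOF'
time_namelookup: %{time_namelookup}\n
time_connect: %{time_connect}\n
time_appconnect: %{time_appconnect}\n
time_pretransfer: %{time_pretransfer}\n
time_starttransfer: %{time_starttransfer}\n
time_total: %{time_total}\n
EOF
# specific HTTP version
curl --http2 -v ...
curl --http3 -v ...
# custom headers, body (-d already implies POST; -X POST only changes what happens after a redirect)
curl -X POST -H 'content-type: application/json' -d '{"x":1}' https://api/x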
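# inspect cert (leaf plus whatever intermediates the server sends; -servername sets SNI so you get the right vhost's cert)
openssl s_client -showcerts -connect example.com:443 -servername example.com </dev/null
# expiry
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -dates
# scriptable expiry check: exit status 1 if the cert expires within 7 days (604800 s)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -checkend 604800
# verify chain (bundle path is the Debian/Ubuntu one; other distros differ)
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt cert.pem
# generate CSR (-nodes = unencrypted private key on disk).
# umask 077 keeps key.pem owner-readable even if the tool does not restrict the mode itself; it stays in effect for this shell
umask 077
openssl req -new -newkey rsa:4096 -keyout key.pem -out csr.pem -nodes \
-subj "/CN=example.com"
# for a CSR a CA will accept, add -addext "subjectAltName=DNS:example.com": modern clients ignore CN
# self-signed for dev only: clients must trust c.pem explicitly, never turn verification off instead
openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout k.pem -out c.pem -subj "/CN=localhost"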
# capture to file (-nn: no DNS/service-name lookups; -s 0: full packets, i.e. the maximum snaplen)
# NOTE: -i any is Linux "cooked" capture, so link-layer (Ethernet) headers are not in the pcap
sudo tcpdump -nn -i any -s 0 -w out.pcap port 8080
# live view with a BPF filter
sudo tcpdump -nn 'tcp port 80 and host 1.2.3.4'
# read (-A prints payloads as ASCII: plaintext captures carry credentials and tokens, treat out.pcap as sensitive)
tcpdump -r out.pcap -nn -A
wireshark out.pcap # GUI — open the file as an unprivileged user; only the capture needs root
/etc/sysctl.d/99-server.conf
# cap on the listen() backlog; an application asking for more is silently clamped to this
net.core.somaxconn = 65535
# half-open (SYN_RECV) queue; this file does not set net.ipv4.tcp_syncookies — confirm it is on, or a SYN flood still fills the queue
net.ipv4.tcp_max_syn_backlog = 65535
net.core.netdev_max_backlog = 50000
# NOTE(review): this ephemeral range overlaps service ports (3306, 8080, ...). An outbound connection can take a port a
# listener later needs — exclude them with net.ipv4.ip_local_reserved_ports or start the range higher
net.ipv4.ip_local_port_range = 1024 65535
# reuse TIME_WAIT sockets for outbound connects; relies on TCP timestamps being enabled (the default)
net.ipv4.tcp_tw_reuse = 1
# only shortens orphaned FIN_WAIT_2; it does not shorten TIME_WAIT
net.ipv4.tcp_fin_timeout = 15
# dead-peer detection: 60s idle, then 6 probes 10s apart (~120s total)
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
# fails to apply unless the tcp_bbr module is loaded (check net.ipv4.tcp_available_congestion_control)
net.ipv4.tcp_congestion_control = bbr
# system-wide FD cap; the per-process limit is ulimit -n / LimitNOFILE
fs.file-max = 2097152
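# apply every /etc/sysctl.d/*.conf (sysctl -p FILE applies one file). Unknown keys and an
# unavailable congestion control are reported per key, so read the output rather than assuming success
sudo sysctl --system
# verify what the kernel actually took
sysctl net.core.somaxconn net.ipv4.tcp_congestion_control
# raise per-process FDs for this shell only (soft limit; cannot exceed the hard limit shown by ulimit -Hn).
# Services need LimitNOFILE= in their unit or a nofile entry in /etc/security/limits.conf
ulimit -Hn
ulimit -n 1048576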
upstream app {
# send each request to the backend with the fewest active connections (better than round-robin for uneven request cost)
least_conn;
# idle connections to upstreams kept per worker process; only works with proxy_http_version 1.1 + Connection "" below
keepalive 64;
# a backend is marked unavailable after 3 failures within 30s, then retried after 30s
server 10.0.0.10:8080 max_fails=3 fail_timeout=30s;
server 10.0.0.11:8080 max_fails=3 fail_timeout=30s;
}
server {
# NOTE(review): no server_name, so this block answers for any Host. `listen ... http2` still works;
# nginx 1.25.1+ prefers `listen 443 ssl;` plus a separate `http2 on;`
listen 443 ssl http2;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
# TLS 1.0/1.1 disabled; cipher selection is left to nginx defaults here
ssl_protocols TLSv1.2 TLSv1.3;
location / {
proxy_pass http://app;
proxy_http_version 1.1;
proxy_set_header Connection ""; # required for upstream keepalive
proxy_set_header Host $host;
# appends the client IP to any X-Forwarded-For the client supplied; the app must only trust the right-most entry
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# time between two successive reads from the backend, not a whole-request limit
proxy_read_timeout 30s;
proxy_connect_timeout 5s;
}
}
# NOTE(review): *:6379 listens on every interface. Unless Redis must be reachable from outside, bind the
# internal address instead (e.g. bind 10.0.0.1:6379 — example address)
frontend tcp_in
bind *:6379
mode tcp
default_backend redis_pool
backend redis_pool
mode tcp
balance leastconn
# no tcp-check rules follow, so this is a plain TCP connect check; it does not prove Redis is answering
option tcp-check
server r1 10.0.0.20:6379 check
# backup: only receives traffic once every non-backup server is down
server r2 10.0.0.21:6379 check backup
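# prints the negotiated version: 1.1 or 2. curl only offers h2 by default, so this never prints 3 on its own
curl -o /dev/null -sS -w '%{http_version}\n' https://example.com
# ask for HTTP/3 explicitly to confirm the server speaks it (prints 3 on success; needs a curl built with HTTP/3, see curl -V)
curl --http3 -o /dev/null -sS -w '%{http_version}\n' https://example.com
# h2 frame-level trace (nghttp2 client)
nghttp -nv https://example.com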
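# autocannon — npx fetches the package from the registry at run time; pin the version so the load
# generator you run is the one you reviewed (<pinned-version> is a placeholder)
npx autocannon@<pinned-version> -d 30 -c 100 https://api/endpoint
# wrk (closed loop: subject to coordinated omission; wrk2 with -R <rate> is the open-loop variant)
wrk -t8 -c200 -d30s --latency https://api/endpoint
# k6 (scripted scenarios); use an arrival-rate executor rather than fixed VUs for an open-loop test
k6 run --vus 200 --duration 1m script.js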
  • Always report percentiles (p50/p95/p99/p999), not averages.
  • Coordinated omission: many tools wait for a response before sending the next request, so under saturation the tail latency is masked. Use tools that correct for this (wrk2, k6).
  • Warm-up phase before measuring.
| Approach | Pros | Cons |
|---|---|---|
| At LB only | simpler app, central cert | LB ↔ app plaintext (private network) |
| End-to-end (re-encrypt) | encrypted internally | overhead, cert mgmt everywhere |
| mTLS via service mesh | strong identity, zero trust | mesh complexity |
  • High Performance Browser Networking — Ilya Grigorik (free online).
  • Cloudflare’s blog (TCP, TLS, QUIC posts).
  • AWS Networking & Content Delivery blog.
  • “It’s always DNS” — Julia Evans guides.