Field Guide Collection · Reference
Copy-ready checks grouped by what you're trying to find out, across Linux, Windows, macOS, and Cisco IOS. Replace HOST, PORT, IF as needed. Command flags vary by OS version — if one is rejected, verify it against your platform rather than assuming the check is wrong. This card stands on its own; the concepts are in the guides, the terms in the Glossary.
Order of attack: local config → reachability → path → DNS → port → TLS → MTU → counters → capture. Stop bisecting the moment a rung fails — that failure names the layer to work. Each check tells you one thing; be precise about what it does and doesn't prove.
Before blaming the network, confirm what the host thinks it is — addresses, mask, gateway, resolver, and the route it would actually pick.
Test in order: loopback → own IP → default gateway → next hop → remote host. The first failure marks your segment. Ping proves ICMP reachability and rough round-trip time only — not that a port or an application works, and ICMP may be filtered even where the service is fine.
A latency spike at a middle hop that doesn't carry through to the destination is usually the router de-prioritizing ICMP to its own control plane — not real forwarding latency. Only loss or latency that persists to the final hop is real. mtr / pathping beat a single traceroute for intermittent loss because they sample over time.
The question is always: which resolver answered, and does it match the authoritative truth?
NOERROR + answer = resolved. NXDOMAIN = the name doesn't exist (and this negative result is itself cacheable). NOERROR + no answer = the name exists but not for that record type (e.g. an AAAA query for an A-only name). SERVFAIL = resolver, upstream, or DNSSEC failure. Timeout = the resolver itself is unreachable (wrong address, or udp/53 & tcp/53 blocked).
SYN-ACK / "succeeded" = port open, service listening. RST / "connection refused" = host reachable, no listener on that port (service down, wrong port, or bound to loopback). Timeout = filtered by a firewall, or the host is down — ambiguous. A fast refused is informative; a timeout is not.
Chain complete (is the intermediate present?), verify return code: 0, dates valid — and the client clock is right, since skew fakes an "expired" error on a good cert. The leaf's SAN must cover the hostname, and -servername (SNI) must match what you're testing. A failure before application data is version/cipher/cert; a failure after a good handshake is an application problem, not TLS.
The signature is "small works, large hangs." Set the don't-fragment bit and grow the payload until it stops passing.
The largest payload that passes + 28 (20-byte IP header + 8-byte ICMP header) is your path MTU. Tunnels and VPNs lower it. If large packets vanish with no error at all, suspect a PMTUD black hole — the ICMP that should signal "too big" is being filtered — and fix it with unblocked ICMP or MSS clamping.
CRC/FCS errors + late collisions + poor throughput point to a duplex mismatch or bad cabling. Rising input drops point to oversubscription or buffer exhaustion, not a physical fault.
A service bound to 127.0.0.1 / ::1 is loopback-only and will refuse remote clients with a RST; 0.0.0.0 / :: is all interfaces. "Works locally, refused remotely" → check the bind address first. Many CLOSE-WAIT usually means the local app isn't closing sockets; many SYN-SENT means outbound connects aren't completing (filtered or down).
Ping is not throughput. If a single stream is slow on a high-bandwidth, high-RTT path but parallel streams saturate it, the limiter is the TCP window / bandwidth-delay product (window scaling), not the link. If even parallel streams can't fill it, the link or a policer is the ceiling.
Capture as close to the problem as possible and filter tightly — a capture only sees what crossed that point, so absence of a packet is not proof the event didn't happen. When opinions conflict, the pcap decides (see the Packet Capture guide for reading one, and for decrypting your own TLS with SSLKEYLOGFILE).
Baselines and fingerprints for reading the results above. Treat the values as common defaults, not guarantees — most are configurable.
| You see | It means |
|---|---|
| SYN-ACK / "succeeded" | Port open, service listening. |
| RST / "connection refused" | Host reachable, no listener on that port. |
| Timeout / no response | Filtered (firewall drop) or host down — ambiguous. |
| ICMP echo reply | Host up at L3; says nothing about ports or apps. |
| ICMP "administratively prohibited" | A firewall actively rejected it. |
LISTEN (waiting) · SYN-SENT / SYN-RECV (handshake in progress) · ESTABLISHED (open) · FIN-WAIT / CLOSE-WAIT / LAST-ACK (closing) · TIME-WAIT (normal post-close wait on the side that closed first). Lots of CLOSE-WAIT → the local app isn't closing sockets; lots of SYN-SENT → outbound connects failing.
Stable defaults — many services are reconfigurable, so verify anything beyond these against IANA/vendor docs: 20/21 FTP · 22 SSH · 23 Telnet · 25 SMTP · 53 DNS (UDP and TCP) · 67/68 DHCP · 80 HTTP · 88 Kerberos · 110 POP3 · 123 NTP · 143 IMAP · 161/162 SNMP · 389 LDAP · 443 HTTPS · 445 SMB · 465/587 SMTP submission · 636 LDAPS · 993 IMAPS · 995 POP3S · 500/4500 IKE/IPsec NAT-T · 3389 RDP. Often-changed app defaults: 3306 MySQL · 5432 PostgreSQL · 1433 MSSQL · 6379 Redis · 27017 MongoDB.
Ephemeral (client source) ports: IANA 49152–65535; Linux often 32768–60999; Windows ~49152–65535. Stateless return rules must permit the range your clients actually use. Initial TTL / hop-limit (common defaults, configurable): Linux/Unix/macOS ≈ 64, Windows ≈ 128, many network devices ≈ 255 — a reply's TTL hints at the responder's OS and hop distance. Latency sanity-check (not targets): same LAN under 1 ms; same metro single-digit ms; cross-continent tens of ms; intercontinental ~100–300 ms. Far above these for the distance → investigate.
Ported from the collection's networking source notes. Command flags vary by OS and version — verify a rejected flag against your platform rather than assuming the check is wrong. Port numbers, TTL defaults, and ephemeral ranges are common defaults and are configurable; confirm anything load-bearing against IANA or vendor documentation. No output on this card is a security verdict: a reachable port is not a safe service, and a check that passes reflects that check's narrow scope, not the health of the system. Pairs with the Triage Decision Trees (which check to run when) and the Network "Follow the Packet", DNS-and-TLS coverage within it, Packet Capture, and Vulnerability Management guides; terms are in the Glossary, and 00 · Start Here indexes the set.