Network Debugging from the Terminal: 5 Essential Commands

August 2026 · 8 min read

Every developer has been there: your app can't reach the database, a third-party API is timing out, or a domain mysteriously stopped resolving. You need answers fast — and you're already in the terminal.

Traditional network debugging tools like dig, nslookup, openssl s_client, nmap, and traceroute are powerful, but they're not always installed on every machine. Jumping onto a fresh server, a minimal Docker container, or a colleague's laptop and finding these tools missing is frustrating.

This post covers five essential network debugging commands that work out of the box — no apt-get install, no brew install, no compiling from source. One pip install evolver-tools and you're set on any system that runs Python (Linux, macOS, WSL, even Windows).

⚡ Prerequisite: One-time install. All commands below come from a single package.

$ pip install evolver-tools

That's it. 261 CLI tools, zero external dependencies, pure Python stdlib.

1. DNS Debugging: dns-lookup

When a domain isn't resolving or routes to the wrong IP, you need to check what DNS records actually exist. The dns-lookup tool resolves any record type and shows you the raw results.

$ evtool dns-lookup example.com --type A
example.com. 46844 IN A 93.184.216.34

$ evtool dns-lookup gmail.com --type MX
gmail.com. 263 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 263 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 263 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 263 IN MX 30 alt3.gmail-smtp-in.l.google.com.
gmail.com. 263 IN MX 40 alt4.gmail-smtp-in.l.google.com.

$ evtool dns-lookup stripe.com --type TXT
stripe.com. 227 IN TXT "google-site-verification=..."
stripe.com. 227 IN TXT "v=spf1 include:_spf.google.com ~all"
stripe.com. 227 IN TXT "stripe-verified=..."

Real-world scenarios

Email delivery issues: Check MX records to see if mail servers are correctly configured
Domain migration: Verify A/AAAA/CNAME records propagated after changing DNS providers
SPF/DMARC troubleshooting: Look up TXT records to check email authentication
Load balancer routing: Multiple A records can reveal round-robin DNS configurations

💡 Pro tip: Also try evtool dig example.com for a more detailed DNS query with timing information and the response from specific nameservers.

2. Port Scanning: portcheck

Is that service actually listening? Is the firewall blocking the port? A quick port scan tells you exactly which ports are open, closed, or filtered — without installing nmap.

$ evtool portcheck example.com 80 443 22 3306 5432
Port Scanner — example.com
────────────────────────────────────
  80/tcp   open    → HTTP
  443/tcp  open    → HTTPS
  22/tcp   open    → SSH
  3306/tcp filtered → MySQL
  5432/tcp filtered → PostgreSQL
────────────────────────────────────
  3 open, 2 filtered, 0 closed

$ evtool port_scan localhost
Scanning localhost...
  22/tcp    SSH           open
  80/tcp    HTTP          open
  3000/tcp  pserver?      open
  5432/tcp  PostgreSQL    open
  6379/tcp  Redis         open

Real-world scenarios

Dev server debugging: Your Node.js app says it's running on port 3000, but curl says "connection refused" — verify with a quick scan
Firewall validation: After changing security group rules, confirm only the intended ports are open
Container networking: Check if a Docker container actually exposed the port it should
Security audit: Scan localhost to find accidental services running on unexpected ports

💡 Pro tip: evtool scan-ports 192.168.1.1 --range 1-1024 for a full scan of well-known ports. The scan-open-ports tool adds concurrent scanning for speed.

3. SSL Certificate Checks: ssl-check

Few things cause as much panic as a sudden "SSL_ERROR_BAD_CERT_DOMAIN" or an expired certificate notification at 3 AM. The ssl-check tool tells you everything about a server's TLS certificate — expiry dates, issuer, chain, and any issues.

$ evtool ssl-check example.com
SSL Check: example.com:443
────────────────────────────────────────
  Status:       ✓ Valid
  Subject:      CN = example.com
  Issuer:       CN = R3, O = Let's Encrypt
  Valid from:   2026-05-15 14:32:00
  Expires:      2026-08-13 14:31:59
  Days left:    31
  SANs:         example.com, www.example.com
  Self-signed:  No

$ evtool cert-info stripe.com
Certificate Info: stripe.com:443
────────────────────────────────────────
  Serial:       04:23:...:a1
  Algorithm:    RSA 2048 bits
  SHA1:         A1:B2:C3:D4:...
  Subject:      CN = stripe.com
  Issuer:       CN = R3, O = Let's Encrypt
  Expires:      2026-09-20
  Chain length: 3
  OCSP:         http://r3.o.lencr.org

Real-world scenarios

Certificate expiry monitoring: Automate a daily check for certificates expiring within 14 days
API integration debugging: Your request to a third-party API fails — check if their SSL cert is still valid
After certificate renewal: Verify the new certificate was actually deployed and the old one revoked
Internal PKI troubleshooting: Check if internal services have correct, non-expired certificates

💡 Pro tip: Script it for monitoring: evtool ssl-check example.com | grep -q "Expired" && echo "CERT EXPIRED!" | mail -s "ALERT" admin@example.com

4. Domain Information: whois-lookup

When you need to know who owns a domain, when it expires, or what nameserver it uses, a WHOIS lookup is the fastest way. It's also essential for security investigations — checking if a suspicious domain was recently registered.

$ evtool whois-lookup example.com
WHOIS: example.com
────────────────────────────────────────
  Domain:       EXAMPLE.COM
  Registrar:    RESERVED-1074
  Created:      1992-12-24
  Expires:      2027-12-23
  Nameservers:  a.iana-servers.net
                b.iana-servers.net
  DNSSEC:       signedDelegation
  Status:       clientDeleteProhibited
────────────────────────────────────────

Real-world scenarios

Domain expiry tracking: Check when your own domains are about to expire to avoid accidental lapse
Phishing investigation: A suspicious email claims to be from your bank with a link to "secu re-bank-login.com" — when was it registered? If it's 3 days ago, that's a red flag
Competitor research: See when a competitor registered their domain and who hosts it
DNS troubleshooting: Verify nameserver delegation matches your DNS provider configuration

💡 Pro tip: Combine with evtool ip-info 93.184.216.34 (or geo-ip) to get the geographic location and ISP of the hosting server. Great for checking CDN routing or locating suspicious IPs.

5. Network Route Tracing: route-trace

When your connection to a server is slow or intermittent, route-trace shows you every hop between your machine and the destination — and which hop is causing the trouble.

$ evtool route-trace github.com
Tracing route to github.com (140.82.121.3)
  1    0.4ms    192.168.1.1
  2    3.1ms    10.0.0.1
  3    5.2ms    172.16.0.1
  4    8.7ms    72.14.215.98
  5   12.3ms    108.170.252.129
  6   150.2ms   209.85.252.25    ← latency spike
  7   180.5ms   140.82.121.3     ← destination

Real-world scenarios

Latency troubleshooting: A specific hop showing 150ms+ latency points to network congestion or routing issues
CDN routing verification: Confirm your traffic is actually going through the CDN edge and not a distant origin server
VPN issues: Trace the route with and without VPN to see how traffic changes
Connectivity blackout: When a server is unreachable, trace shows you exactly where packets stop getting replies

💡 Pro tip: evtool net-analyzer bundles ping, trace, port scan, and DNS into one interactive TUI dashboard — perfect for a comprehensive check without running four separate commands.

Bonus: Everything in One Place

All five tools — and 256 more — come from a single install. Here's what a full network diagnostic workflow looks like:

# Quick health check of a server
$ evtool dns-lookup api.myservice.com --type A
api.myservice.com. 300 IN A 203.0.113.42

$ evtool ssl-check api.myservice.com
SSL Check: api.myservice.com:443
  Status:       ✓ Valid
  Days left:    89

$ evtool portcheck api.myservice.com 443 80 22
Port Scanner — api.myservice.com
  443/tcp  open
  80/tcp   open
  22/tcp   open

$ evtool route-trace api.myservice.com
Tracing route to 203.0.113.42
  1    0.4ms    192.168.1.1
  2   12.1ms    203.0.113.42
────────────────────────────────────────
✓ DNS resolves correctly
✓ SSL certificate valid (89 days)
✓ All expected ports open
✓ Direct route, no packet loss

All from one package. No dig, no nmap, no openssl, no whois, no traceroute — just Python standard library, which is already on every system.

Why This Matters

The traditional approach to network debugging has a hidden cost: environment setup drift. Every machine has a different subset of tools installed. A colleague runs macOS and has different versions. Your CI server has none. The production Docker container was stripped to minimum for security.

evtool solves this with one principle: zero external dependencies. Every tool uses only modules from os, socket, ssl, json, csv, datetime, and other Python standard library modules. This means:

Instant install: pip install evolver-tools completes in seconds — no compiling, no 100MB download
Same everywhere: Identical behavior on Linux, macOS, WSL, and Windows
Docker-friendly: Add one line to your Dockerfile: RUN pip install evolver-tools
Air-gap safe: Works in environments with no internet access (after initial install)
No conflicts: Zero version conflicts with any other Python package

⚡ Try It Now

One command to get all 261 tools:

$ pip install evolver-tools
$ evtool dns-lookup your-domain.com --type A

Or try the interactive demo without installing:

$ curl -sL https://evolver-dev.github.io/evolver-tools/try.sh | bash

GitHub · PyPI · Full Tool List

Health check script idea: Combine dns-lookup, ssl-check, and portcheck into a cron job that alerts when something changes. No external monitoring service required.