What are the best free network troubleshooting tools?

The five most useful free tools for network admins: Wireshark (packet capture and analysis), MTR (traceroute with live loss and latency stats per hop), Nmap (host discovery and port scanning), iperf3 (throughput testing between two endpoints), and LibreNMS (SNMP-based monitoring with alerting). All are open source and production-ready.

Is Wireshark free for commercial or enterprise use?

Yes. Wireshark is licensed under GPLv2 and is free to use in commercial and enterprise environments with no restrictions or licensing fees. It runs on Windows, macOS, and Linux.

What is the best free alternative to SolarWinds for network monitoring?

LibreNMS is the most capable free alternative to SolarWinds. It supports SNMP auto-discovery, customizable alerting, NetFlow collection, and a polished web dashboard. For smaller deployments, Zabbix and Nagios Core are also widely used. All three are open source with active communities.

5 Free Network Troubleshooting Tools Every Admin Should Have in 2026

The five best free network troubleshooting tools for admins are: Wireshark (packet capture and protocol analysis), Nmap (host and port discovery), iperf3 (real throughput measurement between two endpoints), LibreNMS (SNMP-based monitoring with historical graphs), and MTR (per-hop latency and packet loss combined). All five are free, production-ready, and actively maintained — together they cover the overwhelming majority of real troubleshooting scenarios without a license fee.

Paid tools earn their seat in three places: CIO-facing dashboards, automated alerting at scale, and DPI-class application visibility. Outside those, free wins. Here’s the toolkit in the order you’ll most often reach for it.

1. Wireshark — See What’s Actually on the Wire

What it is: A packet capture and analysis tool. Decodes thousands of protocols, gives you per-packet detail, and reveals what’s actually happening between two endpoints.

When to reach for it:

An app says “connection failed” and you need to know why
TCP retransmissions, zero-window events, RST floods
TLS handshake failures (cipher mismatch, bad cert chain)
DNS or DHCP weirdness you can’t explain from logs alone
Anything where the answer is “what is this device sending and receiving?”

Quick win — find the slow client:

# Display filter: show TCP connections with high RTT
tcp.analysis.ack_rtt > 0.1

# Display filter: show all retransmissions
tcp.analysis.retransmission

# Display filter: TLS SNI — what hostnames is this client hitting?
tls.handshake.extensions_server_name

The Analyze → Expert Information panel summarizes every anomaly in a capture in one screen. If you only learn one Wireshark feature, learn that one.

Where it bites you: You need a span port, a TAP, or local capture access. You can’t capture what you can’t see. Plan your capture point before you start.

Get it: wireshark.org — Windows, Mac, Linux. Pair with tshark for command-line capture and scripting.

2. Nmap — Know Who’s On Your Network

What it is: A network scanner. Discovers hosts, identifies open ports, fingerprints operating systems, and probes services with depth that rivals commercial scanners.

When to reach for it:

“What’s actually on this VLAN?” — the answer your IPAM doesn’t have
Verifying a firewall change actually blocks what it should
Confirming a service is listening (and on the port you think)
Finding rogue devices and shadow IT
Pre-audit inventory in 90 seconds

Three commands worth memorizing:

# Fast ping sweep of a subnet — who's alive?
nmap -sn 192.168.1.0/24

# Service version detection on a target
nmap -sV -p- 192.168.1.50

# Default scripts + version detection (lightweight audit)
nmap -sC -sV 192.168.1.50

The output of nmap -sV is the fastest answer to “what is that mystery host on port 8080?” you’ll find anywhere.

Where it bites you: Run it without permission and you’ll trip every IDS in the building. Always coordinate, especially in production. Aggressive scans (-T5, --max-rate) can knock over fragile embedded gear like printers and IP cameras.

Get it: nmap.org — included by default in Kali, available everywhere else. Zenmap (the GUI) is fine for occasional use; the CLI is faster once you know it.

3. iperf3 — The Real Throughput Number

What it is: A throughput tester. One side runs in server mode, the other side hits it; you get the actual end-to-end throughput between two specific points on your network.

When to reach for it:

“The internet is slow” — confirm or rule out the link itself
Validating a new circuit before signing off
Comparing path A vs path B (failover testing)
Proving the LAN side is fine and the WAN is the bottleneck
Sanity-checking a vendor’s bandwidth claim

The five-second workflow:

# On the receiver
iperf3 -s

# On the sender
iperf3 -c <receiver-ip>           # default 10s test, TCP

# UDP test (for VoIP / real-time path)
iperf3 -c <receiver-ip> -u -b 100M

# Reverse — useful when ISP throttling is asymmetric
iperf3 -c <receiver-ip> -R

Run it client-to-server inside the LAN first, then client-to-WAN-edge, then client-to-internet. The point where the number falls off a cliff is the bottleneck.

Where it bites you: iperf3 measures raw throughput between two iperf endpoints. It does not tell you what your real applications experience — TCP behavior over a saturated link, or jitter that ruins voice but doesn’t show up in megabits per second. Pair it with Wireshark for the full picture.

Get it: iperf.fr — Windows, Mac, Linux, BSD. There’s a public iperf server list if you don’t have a remote endpoint to test against.

4. LibreNMS — History, So You Can Actually Troubleshoot

What it is: An open-source network monitoring system. Polls SNMP, graphs everything, alerts on thresholds, and gives you the history every after-the-fact troubleshooting session needs.

When to reach for it:

“It was slow yesterday at 3 PM” — without history you have nothing
Capacity planning (“are we going to run out of WAN bandwidth?”)
Root-cause for an interface that flaps once a week
Baseline comparison: is this CPU spike normal for this device?
Inventory you can actually trust

The one-time setup pays back forever. Once it’s polling your gear, you stop guessing about historical state. Walked into a “the network was slow last night” ticket? Open the graph, see the spike, find the offender. Without monitoring, that ticket is unanswerable.

# Minimum viable monitoring scope:
- Every WAN/uplink interface (utilization + errors + drops)
- CPU and memory on every router and core switch
- Power and fan status on chassis gear
- Temperature on every closet (humidity too if you have it)
- Ping/uptime to every gateway

Where it bites you: It’s not magic — you have to set the thresholds. Default alerting is noisy until you tune it. Plan a half-day to get alerts useful.

Alternatives at the same price (zero): Zabbix (more powerful, steeper learning curve), PRTG Free (limited to 100 sensors but excellent UI), Observium Community (older codebase but stable).

Get it: librenms.org — Docker image is the fastest path; runs happily on a 2-vCPU VM for a small environment.

5. MTR — Traceroute With a Memory

What it is: A path-analysis tool. It’s traceroute and ping combined, running continuously, showing per-hop latency and packet loss in real time.

When to reach for it:

“Latency to this site is bad sometimes” — find the hop that flutters
ISP troubleshooting when you need data, not feelings
Verifying a path change after BGP failover or a route flap
Detecting asymmetric packet loss that regular ping misses

The first command you’ll run:

# Linux / Mac
mtr -r -c 100 8.8.8.8

# Output: each hop, with loss%, average RTT, jitter

HOST: laptop                     Loss%  Snt  Avg  Best  Wrst StDev
  1.|-- 192.168.1.1              0.0%   100   1.2   0.9   2.1   0.2
  2.|-- 10.0.0.1                 0.0%   100   3.4   2.8   5.1   0.4
  3.|-- 203.0.113.1             14.0%   100  78.2  45.1 198.4  31.8  ← problem
  4.|-- 8.8.8.8                  0.0%   100  12.4  11.9  14.8   0.5

The hop at line 3 is where loss starts. Now you have a specific datum to send your ISP.

Where it bites you: Some routers de-prioritize ICMP, so you’ll see “loss” at intermediate hops that aren’t actually losing user traffic. Always check the destination hop’s loss number to know if real traffic is impacted.

Get it: bitwizard.nl/mtr (or any package manager). On Windows, WinMTR is a perfectly good GUI fork.

Which Free Network Tool Should You Use for Each Problem?

Tool	Use case	Skill curve	OS coverage	Where it shines
Wireshark	Packet-level forensics	Medium-high	Win / Mac / Linux	”What is actually on the wire?”
Nmap	Discovery and audit	Low-medium	Win / Mac / Linux	”What’s out there and what’s open?“
iperf3	Throughput truth	Low	Win / Mac / Linux / BSD	”Is the link really slow, or is the app slow?”
LibreNMS	Long-term history + alerts	Medium (setup) / Low (use)	Linux server	”What did the network look like at 3 PM yesterday?”
MTR	Per-hop path analysis	Low	Linux / Mac / Win (WinMTR)	“Where exactly does the path get bad?”

How Do You Install All Five Free Network Troubleshooting Tools?

Here are the install one-liners. Put these on your jump box and forget about them:

# Debian / Ubuntu
sudo apt install -y wireshark tshark nmap iperf3 mtr-tiny

# Fedora / RHEL
sudo dnf install -y wireshark nmap iperf3 mtr

# Mac (Homebrew)
brew install wireshark nmap iperf3 mtr

# Windows (winget)
winget install WiresharkFoundation.Wireshark
winget install Insecure.Nmap
winget install Iperf-3.iperf3
winget install WinMTR.WinMTR

LibreNMS deserves its own VM — don’t try to bolt it onto a workstation. The official Docker compose is the fastest start.

Free tools have one trait the paid ones don’t: they’re still here next year, regardless of vendor pricing changes, regardless of contract status. Learning them deeply is one of the highest-leverage things a network admin can do — and the five above are where to start.

Frequently Asked Questions

What is the best free tool for capturing network packets? Wireshark is the standard. It decodes thousands of protocols, ships with a display filter builder, and includes tshark for command-line and scripted captures. It’s free, open source, and available on Windows, Mac, and Linux. For headless servers, use tshark directly.

Which tool should I reach for first when the network is slow? Start with MTR (mtr -r -c 100 <destination>) to find where in the path latency or loss appears. If the path looks clean, use iperf3 to measure actual throughput between two points and confirm whether the link itself is the bottleneck. If throughput is fine but an application is slow, move to Wireshark to examine TCP-level behavior.

Is LibreNMS free for commercial use? Yes. LibreNMS is released under the GNU GPL and is free in commercial environments — no license fee, no sensor limit, no feature gating. It contrasts with PRTG Free, which caps you at 100 sensors. LibreNMS requires a dedicated Linux VM or Docker container; it’s not a workstation install.

What’s the difference between Wireshark and MTR? Wireshark captures and decodes the actual content of packets at a single capture point — it answers “what is this device sending?” MTR measures path-level behavior across multiple hops — it answers “where does the path break?” They’re complementary: use MTR to find the problem hop, Wireshark to understand what’s happening at that level.

Can I run Nmap in a production environment? With care, yes. Use -sn for ping sweeps (no port scanning), avoid aggressive timing flags like -T4 or -T5, and coordinate with your team before scanning. The default timing (-T3) is safe on most networks. Aggressive scans can impact fragile devices like older IP cameras and printers.