Mylg - A Command Line Network Monitoring Tool for Linux Systems

In this article, we will show how to install and use the network monitoring software called My Looking Glass, or mylg. It supports lots of great features like for example packet analyzer, web dashboard, port scanning and many more. We will install it on Ubuntu 16.04 LTS.

What mylg can diagnose in network

1) Real-time trace route (support IPv4 and IPv6 networks)
2) Dig command enhanced
3) TCP/IP packet analyzer
4) Enhanced HTTP Ping and Dump
5) Port scanning commands
6) Peer information
7) Network LAN Discovery
8) Collect ASN, IP/CIDR information
9) DNS lookup information

How to install mylg

The mylg software is written in Go programming language. It also requires libcap as a dependency.

sudo apt-get install libpcap-dev golang

Next we need to get mylg deb package


And then install it

sudo dpkg -i mylg.amd64.deb

Next we already can start it and welcome screen will greet us

mylg banner

With that, the install part is over. We move to using it.

Using mylg packet analyzer

Mylg contains powerful packet analyzing functionality that relies on libcap and which is somewhat comparable to Wireshark. So that will be first feature we will test. To get packet captured and analyzed we will use dump command.

dump -c 7

It should capture and analyze up to 7 packets. We got 6. As I have active SSH connection with KVM Ubuntu instance that is running mylg, it will capture the communication between VM and host. Here is what I got:

mylg dump command

Notice that protocols are colored, and your own host where mylg runs is bold. To get more specific output you can use berkeley packet filter syntax, and long list of modifiers. For example, to get only udp packets. You can type

local> dump -c 3 udp
Interface: ens3, capture size: 6144 bytes
13:03:04.351 IPv4/UDP > , len: 145
13:03:04.355 IPv4/UDP miki-Standard-PC-i440FX-PIIX-1996.:40595 > , len: 0
13:03:04.355 IPv4/UDP > miki-Standard-PC-i440FX-PIIX-1996.:40595 , len: 0

To get only packets from one host you can type that host's hosname or ip address like this:

local> dump -c 1 host miki-Standard-PC-i440FX-PIIX-1996.
Interface: ens3, capture size: 6144 bytes
13:02:22.067 IPv4/UDP miki-Standard-PC-i440FX-PIIX-1996.:37228 > , len: 0

The commands are in bold letters. Some syntax which you can use to get information you need:

host hostname

src host hostname

dst host hostname

and, not, or support in the syntax

tcp, udp, icmp, icmp6, ip, ipv6

How to perform Trace routes

The mylg supports traceroute comparably to most other network monitoring tools but it adds a little extra with realtime support. Lets trace google with basic trace command:

local> trace
trace route to (, 30 hops max
1 0.092 ms 0.097 ms 0.061 ms
2 1.886 ms 1.195 ms 1.652 ms
3 [ASN 8400/TELEKOM-AS] 10.282 ms 13.892 ms 8.344 ms
4 [ASN 8400/TELEKOM-AS] 8.929 ms 8.749 ms 8.287 ms
5 [ASN 8400/TELEKOM-AS] 12.248 ms 19.486 ms 11.621 ms
6 [ASN 8400/TELEKOM-AS] 10.686 ms 11.148 ms 10.833 ms
7 [ASN 8400/TELEKOM-AS] 22.842 ms 22.434 ms 25.806 ms
8 [ASN 15169/GOOGLE] 22.145 ms 23.683 ms 23.397 ms
9 [ASN 15169/GOOGLE] 21.702 ms 22.207 ms 21.780 ms
10 ( [ASN 15169/GOOGLE] 22.946 ms 23.247 ms 22.676 ms

You can see that my ISP is Telekom, and latency of routes it uses. If you needt to capture the report, the trace command can run realtime for you for 10 packets capture, and make report.

local> trace -r -R
──[ myLG ]── traceroute to (
Host ASN Holder Sent Lost% Last Avg Best Wrst 10 0.0 0.18 0.17 0.08 0.20 10 0.0 1.32 1.42 1.06 2.34 8400 TELEKOM 10 0.0 16.09 14.18 8.49 21.78 8400 TELEKOM 10 0.0 24.93 16.90 8.05 24.93 8400 TELEKOM 10 0.0 12.36 12.21 11.44 13.23 8400 TELEKOM 10 0.0 12.07 16.81 10.30 32.09 8400 TELEKOM 10 0.0 23.25 25.45 23.25 53.53 1200 AMS 10 0.0 51.46 51.44 51.03 52.97 8075 MICROSOFT 10 0.0 61.44 61.78 61.44 63.82
??? 10 100.0
??? 10 100.0
??? 10 100.0 8068 MICROSOFT 10 0.0 60.04 59.95 59.41 61.26

If you need more than 10 packet sample, use -c counter with number.

How to use dig command

With dig command you can perform a DNS query and get IP address, nameserver, mail exchange and text annotations. It also has trace option which will give information about routes taken.

dig +trace

Without trace option


How to probe sites with HTTP ping

Mylg hping command is used to probe some host or site similar to ping command, but instead ICMP which ping uses, hping uses HTTP protocol. It shows response time, version of HTTP protocol, code that it returns (staus HTTP code) and roundup time. When used without counter (the -c option with number) it pings 5 times. We will use now request two times.

local> hping -c 2
HPING (, Method: HEAD, DNSLookup: 32.0384 ms
HTTP Response seq=0, proto=HTTP/1.1, status=405, time=130.057 ms
HTTP Response seq=1, proto=HTTP/1.1, status=405, time=129.607 ms

--- HTTP ping statistics ---
2 requests transmitted, 2 replies received, 0% requests failed
HTTP Round-trip min/avg/max = 129.61/129.83/130.06 ms
HTTP Code [405] responses : [████████████████████] 100.00%

The hping also have a -trace option, which will give us additional info about how much it took it to read first byte and how long connection lasted.

local> hping -c 2 -trace
HPING (, Method: HEAD, DNSLookup: 53.2580 ms
HTTP Response seq=0, proto=HTTP/1.1, status=405, time=129.112 ms, connection=61.990 ms, first byte read=67.022 ms
HTTP Response seq=1, proto=HTTP/1.1, status=405, time=128.614 ms, connection=61.797 ms, first byte read=66.740 ms

--- HTTP ping statistics ---
2 requests transmitted, 2 replies received, 0% requests failed
HTTP Round-trip min/avg/max = 128.61/128.86/129.11 ms
HTTP Code [405] responses : [████████████████████] 100.00%

Lan discovery and RIPE NCC query

To discover hosts on your local network you just need to use simple disc command. But since I am using KVM instance in NAT mode there are none:

local> disc
please wait . .
Network LAN Discovery
0 host(s) has been found

Next lets try RIPE database querying. RIPE is European organization and a open online forum that is maintains database of public ip addresses and phone numbers. Mylg whois command queries that database. You only need to type IP address, ASN or CIDR.

So lets see who stands behind ip addres

local> whois
| | 15169 | GOOGLE - Google Inc., US |

Who would expect, Google DNS servers are operated by Google.

local> whois 605
VHS-CHIL - Vanguard Health Management, Inc., US
| United States - IL | 100.0000 |

Ok, I have no idea who this is, but I guess I need help managing my health as I managed to catch a cold the other day.

How to perform Port scanning

Mylg scan command can help you scan any ports on a given host. It accepts hostname or ip address. Lets scan yahoo.

local> scan
| TCP | 443 | Open | |
| TCP | 80 | Open | |
Scan done: 2 opened port(s) found in 2.007 seconds

Next lets scan the VM where mylg is running

local> scan localhost
| TCP | 22 | Open | |
Scan done: 1 opened port(s) found in 0.013 seconds

Only ssh port is open. This simple scan command is extremely useful for various set of reasons. For example, if you have a connectivity problem you want to scan your server or localhost to see if the firewall is blocking what it shouldn't block. Or if you want to say... hack someone, you also need to know which ports are open. That is why I scanned Bing :)


We have installed mylg and gone trough the most useful commands. Most of those functionalities and commands are not unique to mylg, other software of similar role also have it. But mylg development team tries, and I think succeeds, to put its own twist and added usability to the commands that we expect from this kind of software. This is all for this article, thank you for reading.

Read Also:

Leave a Comment