CIS120 Linux Fundamentals by Scott Shaper

ip and netstat Commands

Think of your Linux system's network like a postal service. The ip command is like the postal worker who manages addresses and delivery routes, helping set up where your data lives and how it travels. The netstat command is like a tracking system that shows you all the packages (data) coming and going, where they're headed, and if there are any delivery problems. Understanding these commands helps you see and control how your computer talks with others across networks.

Quick Reference

Command | What It Does | Common Use
ip addr | Shows IP addresses assigned to interfaces | Checking your computer's network addresses
ip link | Displays network interface information | Checking if network cards are up and running
ip route | Shows routing table (traffic directions) | Finding how traffic leaves your computer
netstat -tuln | Shows listening TCP and UDP ports | Checking which services are accepting connections
netstat -r | Displays routing table information | Viewing network routes in a different format
netstat -i | Shows network interface statistics | Monitoring network adapter performance

When to Use These Commands

The ip Command

Think of the ip command as your network configuration toolbox. Just like you might use different tools to fix different parts of your house, the ip command has different "subcommands" for working with different parts of your network setup. The ip command is newer and more powerful than older commands like ifconfig, giving you more control over your network settings.

The basic structure of the ip command is:

ip [OPTIONS] OBJECT COMMAND

Where OBJECT is what you want to work with (like addresses, links, or routes), and COMMAND is what you want to do with it.

Subcommand | What It Does | When to Use
ip addr | Manages IP addresses on interfaces | When checking or changing IP addresses
ip link | Manages network interfaces | When enabling/disabling network cards
ip route | Manages routing table entries | When controlling how traffic flows out
ip neigh | Shows neighbor table (like ARP) | When checking which MAC addresses are known
ip -s | Shows statistics for objects | When monitoring traffic volumes

Practical Examples

# Check all your IP addresses
ip addr
# Shows all interfaces and their addresses

# View just network interfaces and their status
ip link
# Shows interfaces and if they're UP or DOWN

# See your routing table (where traffic goes)
ip route
# Shows default gateway and all routes

# Add a temporary IP address to an interface (requires root)
sudo ip addr add 192.168.1.200/24 dev eth0
# Adds additional IP without removing existing ones

# Bring a network interface up or down (requires root)
sudo ip link set eth0 down
sudo ip link set eth0 up
# Disables and then enables the interface

# Add a temporary static route (requires root)
sudo ip route add 10.0.0.0/24 via 192.168.1.1
# Sends traffic for 10.0.0.x through the specified gateway

Understanding ip addr Output

Think of ip addr output like reading your home address, apartment number, and access codes all at once. Let's break down what you're seeing when you run this command:

Sample Output Explained

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

This is your loopback interface - think of it like an internal phone line that only connects to yourself:

  • lo: The device name (loopback)
  • LOOPBACK,UP,LOWER_UP: Status flags showing it's active
  • mtu 65536: Maximum packet size (much larger than normal since it's internal)
  • inet 127.0.0.1/8: Your "localhost" address that always points to your own computer

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 08:00:27:53:8b:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86352sec preferred_lft 86352sec

This is your network interface - like your connection to the outside world:

  • eth0: The device name (first Ethernet adapter)
  • BROADCAST,MULTICAST,UP,LOWER_UP: Status flags showing it's active and can send to multiple recipients
  • mtu 1500: Standard maximum packet size for Ethernet
  • link/ether 08:00:27:53:8b:dc: Your MAC address (like the serial number of your network card)
  • inet 192.168.1.10/24: Your IP address on the local network
  • valid_lft 86352sec: How long this address is valid (from DHCP)

Understanding ip route Output

Think of ip route output like a set of driving directions for your data. Just as you'd look at a map to see which roads to take, your computer uses routes to determine how to send traffic to different destinations.

Sample Output Explained

default via 192.168.1.1 dev eth0 proto dhcp metric 100 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 100

Breaking this down:

  • default via 192.168.1.1: "For any destination not otherwise specified, send traffic to 192.168.1.1" (your router)
  • dev eth0: Use the eth0 interface (your network card) for this route
  • proto dhcp: This route was learned from DHCP (your router told you to use it)
  • 192.168.1.0/24 dev eth0: "For destinations in the 192.168.1.x network, use eth0 directly"
  • scope link: This route is for directly connected networks
  • src 192.168.1.10: Use this source address when sending packets through this route

The netstat Command

Think of netstat as the health monitor for your network - like having a dashboard that shows all network activity. While ip helps you configure your network, netstat helps you see what's happening on it. It shows active connections, open ports, network statistics, and routing information.

Although netstat is gradually being replaced by newer tools like ss, it's still widely used and available on most systems.

Option | What It Does | When to Use
-a | Shows all sockets, listening and connected | When you want to see everything
-t | Shows only TCP connections | When checking web servers, SSH, etc.
-u | Shows only UDP connections | When checking DNS, streaming services
-l | Shows only listening sockets | When checking what services are running
-n | Shows numerical addresses | When you want IPs instead of hostnames
-p | Shows the process using each socket | When identifying which program is using a port
-r | Shows the routing table | When checking network routes
-i | Shows network interface statistics | When checking for packet errors or drops
-s | Shows summary statistics by protocol | When monitoring overall network performance

Practical Examples

# See all active connections and listening ports
netstat -a
# Lists everything connected or listening

# See TCP connections with program names, without resolving hostnames
netstat -tnp
# Good for seeing which programs are connecting where (use sudo to see other users' programs)

# Check what's listening for connections on TCP
netstat -tln
# Shows all TCP ports open for connections

# See network interface statistics (errors, drops)
netstat -i
# Useful for identifying network hardware issues

# Check the routing table
netstat -r
# Shows routes similar to "ip route" but in a different format

# View summary statistics to check for issues
netstat -s
# Good for spotting unusual network behavior at a glance

Understanding netstat Output

Think of netstat output like a call log for your computer - it shows who's calling whom, which lines are open, and how many calls have been made.

Active Connections

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.100:54678     ESTABLISHED

Breaking this down:

  • Proto: Protocol (tcp or udp)
  • Recv-Q/Send-Q: Data queued but not yet processed (high numbers indicate problems)
  • Local Address: Your IP and port - 0.0.0.0:22 means "listening on port 22 on all interfaces"
  • Foreign Address: Remote IP and port - the other end of the connection
  • State: Connection state - LISTEN means waiting for connections, ESTABLISHED means connected

From the above, we see:

  • SSH server (port 22) is running and listening for connections from anywhere
  • Someone from 192.168.1.100 is currently connected to our SSH server

Interface Statistics

Kernel Interface table
Iface   MTU  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flag
eth0   1500  4823      0      0      0   4325      0      0      0 BMRU

This tells you how your network interfaces are performing:

  • RX-OK/TX-OK: Successfully received/transmitted packets
  • RX-ERR/TX-ERR: Packets with errors
  • RX-DRP/TX-DRP: Packets dropped (often due to congestion)
  • Flag: Interface status flags (B=broadcast, M=multicast, R=running, U=up)

Tips for Success

Common Mistakes to Avoid

Best Practices

Common Troubleshooting Techniques

Checking Connectivity Issues

# Check if interface has an IP address
ip addr show eth0
# Should show an IP address like 192.168.1.10/24

# Check if interface is actually up
ip link show eth0
# Should show state UP

# Check if you have a default route
ip route show
# Should have a "default via" entry

# Check if you can reach your gateway (router)
ping -c 4 "$(ip route show default | awk '{print $3; exit}')"
# Should get responses from your router

# Check if DNS is working
ping -c 4 google.com
# If this fails but IP pings work, DNS is your problem
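
The checks above can be run in the listed order and stopped at the first one that fails. The script below is an added example, not part of the original course page; the function names first_failing_layer and check_connectivity and the sample text are constructed for illustration.

```shell
# Added example: run the checks in the order listed and report the first failure.

# first_failing_layer ADDR_TEXT LINK_TEXT ROUTE_TEXT
# Arguments are the text printed by "ip addr show IFACE", "ip link show IFACE"
# and "ip route show". Prints address, link, route, or ok.
first_failing_layer() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]+inet [0-9]' || { echo address; return 0; }
    printf '%s\n' "$2" | grep -q 'state UP'                 || { echo link;    return 0; }
    printf '%s\n' "$3" | grep -q '^default via '            || { echo route;   return 0; }
    echo ok
}

# check_connectivity [IFACE] [NAME]: live version, needs ip and ping on the host.
check_connectivity() {
    iface=${1:-eth0}; name=${2:-google.com}
    layer=$(first_failing_layer "$(ip addr show "$iface" 2>/dev/null)" \
                                "$(ip link show "$iface" 2>/dev/null)" \
                                "$(ip route show 2>/dev/null)")
    [ "$layer" = ok ] || { echo "FAIL: $layer check on $iface"; return 1; }
    # Use only the first default route so ping receives exactly one target.
    gw=$(ip route show default | awk '{print $3; exit}')
    ping -c 4 "$gw" >/dev/null 2>&1 || { echo "FAIL: gateway $gw unreachable"; return 1; }
    # The gateway answers by IP, so a failure here points at DNS (or upstream routing).
    ping -c 4 "$name" >/dev/null 2>&1 || { echo "FAIL: cannot reach $name, check DNS"; return 1; }
    echo "OK: $iface -> $gw -> $name"
}

# Constructed sample (not from a real host): address and link are fine, no default route.
demo_addr='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0'
demo_link='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
demo_route='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 100'
first_failing_layer "$demo_addr" "$demo_link" "$demo_route"   # prints: route
```

On a live system, call check_connectivity eth0 after loading the functions.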

Finding What's Using Your Network

# Find programs listening for connections
sudo netstat -tulnp
# Shows all listening ports and what program is using them

# Find which connections are active
sudo netstat -tunp
# Shows all established connections and what programs are using them

# Check network usage by interface
netstat -i
# Look for high error or drop counts that might indicate problems
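
A local address of 0.0.0.0 (or :: for IPv6) means the service accepts connections on every interface, so it is the first thing to review when checking what a host exposes. The script below is an added example, not part of the original course page: it sorts the listening sockets in netstat output by how widely they are bound. The function names and the sample output are constructed for illustration.

```shell
# Added example: classify listening sockets by how widely they are bound.
# Live use: sudo netstat -tulnp | classify_listeners
classify_listeners() {
    awk '
    $1 !~ /^(tcp|udp)/ { next }               # skip banner and header lines
    {
        is_tcp = ($1 ~ /^tcp/)
        if (is_tcp && $6 != "LISTEN") next    # drop established TCP sessions
        if (!is_tcp && $5 !~ /:\*$/) next     # drop connected UDP sockets

        # The port follows the LAST colon, so IPv6 forms such as ":::22" work.
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)

        # UDP rows have an empty State column, so PID/Program shifts left by one.
        first = is_tcp ? 7 : 6
        prog = "-"
        if (NF >= first) {
            prog = $first
            for (i = first + 1; i <= NF; i++) prog = prog " " $i
        }

        if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "::1") scope = "LOOPBACK-ONLY"
        else scope = "ONE-ADDRESS"
        printf "%-15s %-5s %-6s %s\n", scope, $1, port, prog
    }'
}

# Constructed sample of "netstat -tunap" output, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      934/cupsd
tcp        0      0 192.168.1.10:8080       0.0.0.0:*               LISTEN      1500/python3
tcp        0      0 192.168.1.10:22         192.168.1.100:54678     ESTABLISHED 1201/sshd: user
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      934/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           650/systemd-resolve
EOF
}

sample_netstat | classify_listeners
```

Rows marked ALL-INTERFACES are reachable from any network the host is attached to; LOOPBACK-ONLY services can only be reached from the machine itself.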