CIS120 Linux Fundamentals by Scott Shaper

ip and netstat Commands

Think of your Linux system's network like a postal service. The ip command is like the postal worker who manages addresses and delivery routes, helping set up where your data lives and how it travels. The netstat command is like a tracking system that shows you all the packages (data) coming and going, where they're headed, and if there are any delivery problems. Understanding these commands helps you see and control how your computer talks with others across networks.

Quick Reference

Command What It Does Common Use
ip addr Shows IP addresses assigned to interfaces Checking your computer's network addresses
ip link Displays network interface information Checking if network cards are up and running
ip route Shows routing table (traffic directions) Finding how traffic leaves your computer
netstat -tuln Shows listening ports and connections Checking what services are running and connected
netstat -r Displays routing table information Viewing network routes in a different format
netstat -i Shows network interface statistics Monitoring network adapter performance

When to Use These Commands

The ip Command

Think of the ip command as your network configuration toolbox. Just like you might use different tools to fix different parts of your house, the ip command has different "subcommands" for working with different parts of your network setup. The ip command is newer and more powerful than older commands like ifconfig, giving you more control over your network settings.

The basic structure of the ip command is:

ip [OPTIONS] OBJECT COMMAND

Where OBJECT is what you want to work with (like addresses, links, or routes), and COMMAND is what you want to do with it.

Subcommand What It Does When to Use
ip addr Manages IP addresses on interfaces When checking or changing IP addresses
ip link Manages network interfaces When enabling/disabling network cards
ip route Manages routing table entries When controlling how traffic flows out
ip neigh Shows neighbor table (like ARP) When checking which MAC addresses are known
ip -s Shows statistics for objects When monitoring traffic volumes

Practical Examples

# Check all your IP addresses
ip addr
# Shows all interfaces and their addresses

# View just network interfaces and their status
ip link
# Shows interfaces and if they're UP or DOWN

# See your routing table (where traffic goes)
ip route
# Shows default gateway and all routes

# Add a temporary IP address to an interface
ip addr add 192.168.1.200/24 dev eth0
# Adds additional IP without removing existing ones

# Bring a network interface up or down
ip link set eth0 down
ip link set eth0 up
# Disables and then enables the interface

# Add a temporary static route
ip route add 10.0.0.0/24 via 192.168.1.1
# Sends traffic for 10.0.0.x through the specified gateway

Understanding ip addr Output

Think of ip addr output like reading your home address, apartment number, and access codes all at once. Let's break down what you're seeing when you run this command:

Sample Output Explained

lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

This is your loopback interface. It's a virtual "connection" that only exists inside your computer — no cable, no Wi-Fi. When a program on your machine talks to another program on the same machine (for example, when you open http://localhost in a browser to reach a web server running on your own computer), that traffic uses loopback. The data never leaves your machine; it just goes out and comes right back. Think of it like passing a note to yourself: the message stays on your desk.

  • lo: The device name (short for loopback)
  • <LOOPBACK,UP,LOWER_UP>: Interface flags — LOOPBACK means traffic never leaves the machine; UP and LOWER_UP mean the interface is enabled and the link is active
  • mtu 65536: Maximum Transmission Unit (max packet size in bytes); 65536 is typical for loopback since there’s no real link
  • qdisc noqueue: Queuing discipline — noqueue means packets are passed through immediately (no queue)
  • state UNKNOWN: Interface state; for loopback this is often UNKNOWN because there's no external link to detect
  • group default qlen 1000: Traffic control group and queue length
  • link/loopback 00:00:00:00:00:00: Link type is loopback; the all-zero address is the standard loopback MAC (no real hardware)
  • brd 00:00:00:00:00:00: Broadcast address (all zeros for loopback)
  • inet 127.0.0.1/8: The loopback IP address — localhost, always referring to this machine
  • scope host lo: Address scope is host (valid only on this host); lo is the device it’s bound to
  • valid_lft forever preferred_lft forever: Address lifetime — the address never expires (unlike DHCP addresses)
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:73:a9 brd ff:ff:ff:ff:ff:ff
    inet 198.111.176.7/24 brd 198.111.176.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever

This is your network interface — like your connection to the outside world:

  • 2: ens192: The interface number and device name (this naming is common on VMware and other systems; the first Ethernet adapter might be eth0, ens192, enp0s3, etc.)
  • <BROADCAST,MULTICAST,UP,LOWER_UP>: Interface flags — BROADCAST and MULTICAST mean it can send to multiple hosts; UP and LOWER_UP mean the interface is enabled and the link is active
  • mtu 1500: Maximum Transmission Unit; 1500 bytes is the usual maximum packet size for Ethernet
  • qdisc mq: Queuing discipline — mq (multiqueue) lets the driver use multiple queues for this device
  • state UP: Interface state is UP (link is detected and usable)
  • group default qlen 1000: Traffic control group and queue length
  • link/ether 00:50:56:b9:73:a9: MAC address (hardware address) of this network adapter
  • brd ff:ff:ff:ff:ff:ff: Broadcast address — all one bits, the standard Ethernet broadcast address
  • inet 198.111.176.7/24: This interface’s IPv4 address; /24 means the first 24 bits are the network part (198.111.176.0 network)
  • brd 198.111.176.255: Broadcast address for this subnet
  • scope global noprefixroute ens192: Address is global (reachable from other networks); noprefixroute means no automatic route was added for this prefix; ens192 is the bound device
  • valid_lft forever preferred_lft forever: Address lifetime — the address never expires (statically configured, not from DHCP)

Understanding ip route Output

Think of ip route output like a set of driving directions for your data. Just as you'd look at a map to see which roads to take, your computer uses routes to determine how to send traffic to different destinations.

Sample Output Explained

default via 192.168.1.1 dev eth0 proto dhcp metric 100 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 100

Breaking this down:

  • default via 192.168.1.1: "For any destination not otherwise specified, send traffic to 192.168.1.1" (your router)
  • dev eth0: Use the eth0 interface (your network card) for this route
  • proto dhcp: This route was learned from DHCP (your router told you to use it)
  • 192.168.1.0/24 dev eth0: "For destinations in the 192.168.1.x network, use eth0 directly"
  • scope link: This route is for directly connected networks
  • src 192.168.1.10: Use this source address when sending packets through this route

The netstat Command

Think of netstat as the health monitor for your network - like having a dashboard that shows all network activity. While ip helps you configure your network, netstat helps you see what's happening on it. It shows active connections, open ports, network statistics, and routing information.

Although netstat is gradually being replaced by newer tools like ss, it's still widely used and available on most systems.

Option What It Does When to Use
-a Shows all sockets (open connections) When you want to see everything
-t Shows only TCP connections When checking web servers, SSH, etc.
-u Shows only UDP connections When checking DNS, streaming services
-l Shows only listening sockets When checking what services are running
-n Shows numerical addresses When you want IPs instead of hostnames
-p Shows the process using each socket When identifying which program is using a port
-r Shows the routing table When checking network routes
-i Shows network interface statistics When checking for packet errors or drops
-s Shows summary statistics by protocol When monitoring overall network performance

Practical Examples

# See all active connections and listening ports
netstat -a
# Lists everything connected or listening

# See TCP connections with program names and don't resolve names
netstat -tnp
# Good for seeing which programs are connecting where

# Check what's listening for connections on TCP
netstat -tln
# Shows all TCP ports open for connections

# See network interface statistics (errors, drops)
netstat -i
# Useful for identifying network hardware issues

# Check the routing table
netstat -r
# Shows routes similar to "ip route" but in different format

# View summary statistics to check for issues
netstat -s
# Good for spotting unusual network behavior at a glance

Understanding netstat Output

Think of netstat output like a call log for your computer - it shows who's calling whom, which lines are open, and how many calls have been made.

Active Connections

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.100:54678     ESTABLISHED

Breaking this down:

  • Proto: Protocol (tcp or udp)
  • Recv-Q/Send-Q: Data queued but not yet processed (high numbers indicate problems)
  • Local Address: Your IP and port - 0.0.0.0:22 means "listening on port 22 on all interfaces"
  • Foreign Address: Remote IP and port - the other end of the connection
  • State: Connection state - LISTEN means waiting for connections, ESTABLISHED means connected

From the above, we see:

  • SSH server (port 22) is running and listening for connections from anywhere
  • Someone from 192.168.1.100 is currently connected to our SSH server

Interface Statistics

Kernel Interface table
Iface   MTU  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flag
eth0   1500  4823      0      0      0   4325      0      0      0 BMRU

This tells you how your network interfaces are performing:

  • RX-OK/TX-OK: Successfully received/transmitted packets
  • RX-ERR/TX-ERR: Packets with errors
  • RX-DRP/TX-DRP: Packets dropped (often due to congestion)
  • Flag: Interface status flags (B=broadcast, M=multicast, R=running, U=up)

Tips for Success

Common Mistakes to Avoid

Best Practices

Common Troubleshooting Techniques

Checking Connectivity Issues

# Check if interface has an IP address
ip addr show eth0
# Should show an IP address like 192.168.1.10/24

# Check if interface is actually up
ip link show eth0
# Should show state UP

# Check if you have a default route
ip route show
# Should have a "default via" entry

# Check if you can reach your gateway (router)
ping -c 4 $(ip route | grep default | awk '{print $3}')
# Should get responses from your router

# Check if DNS is working
ping -c 4 google.com
# If this fails but IP pings work, DNS is your problem

Finding What's Using Your Network

# Find programs listening for connections
sudo netstat -tulnp
# Shows all listening ports and what program is using them

# Find which connections are active
sudo netstat -tunp
# Shows all established connections and what programs are using them

# Check network usage by interface
netstat -i
# Look for high error or drop counts that might indicate problems