Kahibaro
Discord Login Register
Previous
Up
Next

3.3.4 Networking tools (ip, ss, ping)

Table of Contents

Overview

In Linux, several command line tools allow you to inspect and manipulate network configuration and connections. At the intermediate level, three of the most important tools are ip, ss, and ping. They replace or complement many older tools and are available on virtually every modern distribution.

This chapter focuses on what these tools do, how they differ, and how to perform the most common day to day network inspection and troubleshooting tasks with them. Concepts like IP addressing, routing, and DNS themselves are covered in the other chapters of this section, so here we stay focused on practical usage of the tools.

The `ip` Command: A Modern Network Swiss Army Knife

The ip command is part of the iproute2 suite. It is the modern replacement for older commands such as ifconfig, route, and arp. With ip, you can inspect and change network interfaces, IP addresses, routes, and more.

ip commands have a common pattern:

ip <object> <action> <options>

The <object> is what you are working with, for example link, addr, or route. The <action> is usually show, add, del, flush, or similar.

Important: ip can modify the live network configuration. Commands like ip addr add or ip route del take effect immediately. You should test changes carefully and know how to revert them, especially on remote systems.

Viewing Network Interfaces with `ip link`

The link object deals with network interfaces at a low level. You typically use it to see which interfaces exist and what state they are in.

To list all network interfaces, including inactive ones, run: 

ip link show

You will see each interface with a number, name, state, MAC address, and some flags. A line might look like: 

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

This tells you that eth0 is up, has a certain MTU, and is capable of broadcast and multicast.

To show just one interface, use: 

ip link show dev eth0

The dev keyword is very common in ip commands. It specifies which network device you are referring to.

You can also bring an interface up or down. This is very direct and affects connectivity immediately: 

sudo ip link set dev eth0 up
sudo ip link set dev eth0 down

On a system that relies on a network manager or systemd network configuration, using ip link set manually may conflict with those services. For persistent or policy driven changes, use the distribution's network configuration tools. Use ip for temporary or ad hoc changes and inspection.

Viewing IP Addresses with `ip addr`

The addr object deals with addresses assigned to interfaces. To see all addresses on the system, run: 

ip addr show

Typical output: 

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86393sec preferred_lft 86393sec
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
       valid_lft forever preferred_lft forever

This shows both IPv4 and IPv6 addresses. The /24 part is the prefix length. It encodes the network mask. For IPv4 the relation between prefix length and mask is:

Prefix length and mask:
For IPv4, a prefix length of $n$ means the first $n$ bits of the address are fixed for the network, and the remaining $32 - n$ bits are for hosts.
For example, /24 corresponds to mask $255.255.255.0$.

To see addresses only on a given interface: 

ip addr show dev eth0

To add an additional IPv4 address temporarily: 

sudo ip addr add 192.168.1.50/24 dev eth0

To remove it: 

sudo ip addr del 192.168.1.50/24 dev eth0

These changes last only until reboot unless you also update your system's network configuration.

Inspecting Routing Tables with `ip route`

The route object shows and manipulates routes. Routes decide where packets go when they are not destined for the local machine.

To see the main routing table: 

ip route show

You may see something like: 

default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10

The default route is the route used when no more specific route matches. The via keyword indicates the next hop gateway.

To see routes for a specific table or IP version, you can add options. For example, IPv6 routes: 

ip -6 route show

To add a temporary route for a specific network: 

sudo ip route add 10.0.0.0/24 via 192.168.1.2 dev eth0

To delete that route: 

sudo ip route del 10.0.0.0/24 via 192.168.1.2 dev eth0

Again, persistent routing changes should be made through the appropriate configuration files or tools for your distribution.

Checking Neighbor Entries and ARP with `ip neigh`

The neighbor table stores link layer addresses associated with IP addresses, for example MAC addresses on an Ethernet segment. This is commonly known as ARP for IPv4.

View the neighbor table: 

ip neigh show

You may see: 

192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE

You can flush or manipulate entries, which is useful when you suspect ARP related problems: 

sudo ip neigh flush dev eth0

This forces the system to rediscover MAC addresses for peers.

The `ss` Tool: Inspecting Sockets and Connections

ss stands for "socket statistics". It is the modern replacement for netstat. It shows active connections, listening sockets, and various statistics about them. It gives a detailed view of what is happening at the TCP and UDP layer.

You normally use ss to answer questions like:

Which ports is this system listening on?
Which remote IP is connected to this service?
Is a process holding a connection in a particular TCP state?

Basic Usage of `ss`

The simplest use is: 

ss

By default, this shows established TCP connections. To make the output more specific and useful, you combine ss with options.

A very common pattern is: 

ss -tuln

This combination means:

t for TCP
u for UDP
l for listening sockets
n for numeric addresses instead of resolving names

This gives you an overview of which ports are open and listening on your machine.

Sample output: 

Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*

Here you can see SSH listening on port 22 on both IPv4 and IPv6 addresses.

Filtering by Protocol or State

You can filter ss output by protocol or TCP state. For example, only established TCP connections: 

ss -tn state established

Only listening TCP sockets: 

ss -tl

Only UDP sockets: 

ss -un

These filters help reduce noise and focus on the connections relevant to a particular troubleshooting task.

Showing Process Information with `ss`

One of the powerful features of ss is the ability to show which process owns a socket. For this you add -p: 

sudo ss -tulnp

You typically need sudo to see process details for all sockets. The output adds a column with process IDs and names: 

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128   0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=1010,fd=3))

This is invaluable when you want to know which program is using a particular port.

You can combine filters. For example, see which process is listening on TCP port 80: 

sudo ss -tlpn 'sport = :80'

The filter expression is surrounded by quotes to avoid shell interpretation. Here sport refers to source port.

Inspecting Connection States and Queues

For deeper troubleshooting, ss can show the state of connections and queue sizes. TCP connections pass through states such as SYN-SENT, ESTABLISHED, TIME-WAIT, CLOSE-WAIT.

To see connections in specific states: 

ss -tn state syn-sent
ss -tn state time-wait

If you suspect a backlog issue, you can look at the receive and send queues. They are the Recv-Q and Send-Q columns. Large or growing queues may indicate performance problems or misconfiguration.

The `ping` Utility: Testing Reachability

ping is a classic tool used to check whether a host is reachable over the network and to measure round trip time. It uses the ICMP protocol. Because of firewalls or security policies, some hosts may not respond to ping even though they are otherwise reachable.

Important: A successful ping indicates that ICMP packets can travel between the two hosts and that the target responds. It does not guarantee that higher level services like HTTP or SSH are working. A failed ping does not always mean the host is down, because ICMP might be blocked.

Basic `ping` Usage

To check reachability to a host by IP or hostname: 

ping 8.8.8.8
ping example.com

On most Linux systems, ping runs until you interrupt it with Ctrl + C. The output shows lines like: 

64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=15.2 ms

The time value is the round trip time. At the end, when you press Ctrl + C, ping prints statistics such as packet loss and average latency.

On some systems there is also ping6 or ping -6 for IPv6: 

ping -6 ipv6.google.com

Limiting the Number of Pings

When testing, you often want just a fixed number of packets. Use -c (count): 

ping -c 4 8.8.8.8

This sends exactly 4 echo requests then exits. The general relation is:

Ping count:
If you run ping -c N host, exactly $N$ ICMP echo requests are sent, and at most $N$ replies can be received, unless there is packet duplication or reordering in the network.

You can also change the interval between packets with -i. The default is 1 second. For example, send 10 pings at half a second intervals: 

ping -c 10 -i 0.5 8.8.8.8

Some systems require root privileges for very short intervals.

Using `ping` for Basic Troubleshooting

When you suspect a connectivity problem, ping helps you see whether packets are lost and roughly how long they take.

If everything works: 

ping -c 4 example.com

You will see four replies and 0% packet loss.

If the host is unreachable at the IP level, you may see messages like Destination Host Unreachable or Network is unreachable. If DNS is misconfigured, ping using a hostname may fail with a message about unknown host, but ping using an IP address might still work. This helps you distinguish between DNS problems and routing or connectivity problems.

If there is intermittent connectivity or packet loss, you may see some Request timeout lines among successful replies, and the summary will show nonzero packet loss.

Combining `ip`, `ss`, and `ping` for Troubleshooting

These tools are most powerful when you combine them logically during troubleshooting.

For example, if a web service is not reachable from another machine, you can use a sequence like:

  1. On the server, check that the interface and IP are correct:
ip addr show dev eth0
  1. Check that the default route and relevant routes exist:
ip route show
  1. Ensure the service is actually listening on the expected port:
sudo ss -tulnp | grep ':80'
  1. From the client or another host, test basic reachability:
ping -c 4 server.example.com

If ping fails, focus on routing or firewall issues. If ping works but ss shows no process listening on port 80, the service is down or misconfigured. If both ping works and ss shows a listening socket, then investigate firewalls, application level problems, or reverse proxies.

By understanding how to use ip, ss, and ping together, you gain a strong practical toolkit to diagnose many network issues on Linux systems.

Previous
Up
Next

Views: 10

Comments

Please login to add a comment.

Don't have an account? Register now!

© 2025 Kahibaro

Visitors: 5482 / 24h

Impressum / Imprint

Datenschutz / Data Policy