Master Linux Network Management: Essential Commands and Practical Examples

1. ifconfig

The ifconfig utility (from the net-tools package) displays and configures network interfaces.

ifconfig [interface] [down|up|options] [IP address]

Common options: down – deactivate the interface up – activate the interface mtu <bytes> – set the maximum transmission unit netmask <mask> – set the subnet mask add <address> – add an IPv6 address del <address> – delete an IPv6 address

Typical usage examples:

# Show all interfaces
ifconfig

# Bring eth0 down / up (equivalent to ifdown/ifup)
ifconfig eth0 down
ifconfig eth0 up

# Set MTU on eth0
ifconfig eth0 mtu 1500

# Assign a temporary IPv4 address
ifconfig ens33 192.168.10.20/24

# Create virtual alias interfaces (traffic still uses the primary NIC)
ifconfig ens33:0 192.168.10.21
ifconfig ens33:1 192.168.10.22

# Show a single interface
ifconfig eth0

2. ip

The ip command from the iproute2 suite supersedes ifconfig and provides a richer set of networking functions.

# Show all interfaces and their addresses
ip addr show   # or: ip a

# Show link‑layer status (no IP information)
ip link
ip -s link   # detailed statistics

# Show ARP/neighbor table
ip neighbour

# Bring an interface up or down
ip link set eth0 up
ip link set eth0 down

# Rename an interface temporarily
ip link set eth1 name mynet

# Add or delete a virtual (alias) address
ip addr add 172.16.100.100/16 dev eth0 label eth0:0
ip addr del 172.16.100.100/16 dev eth0 label eth0:0

# Assign or remove an IPv4 address
ip addr add 20.0.0.19/24 dev eth0
ip addr del 20.0.0.19/24 dev eth0

# Flush all addresses from a device
ip addr flush dev eth0

# Configure default gateway
ip route add default via 20.0.0.2 dev eth0

# Display routing table
ip route show

# Query a specific route (useful for debugging)
ip route get 20.0.0.19

# Change the default route
ip route add default via 20.0.0.196

# Monitor netlink events in real time
ip monitor all

3. ping

ping

sends ICMP echo requests to test host reachability.

ping [options] <hostname|IP>

-c <count>

– number of echo requests to send -i <interval> – seconds between packets -s <size> – payload size in bytes -w <deadline> – total time to wait before exiting

# Send five pings to Baidu
ping -c 5 www.baidu.com

4. route

The legacy route command manipulates the kernel IP routing table.

route [-nee]
route add [-net|-host] <target> netmask <mask> [gw <gateway>|dev <iface>]
route del [-net|-host] <target> netmask <mask> [gw <gateway>|dev <iface>]

Key parameters: add – create a new route del – remove an existing route -net – target is a network -host – target is a single host target – destination network or host netmask – subnet mask for the destination gw – gateway address dev – outgoing interface

Example operations:

# Add a host route
route add -host 192.168.1.3 gw 172.16.0.1 dev eth0

# Add a network route
route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.16.0.1 dev eth0

# Add a default route
route add default gw 172.16.0.1

# Delete a route
route del -host 192.168.1.2 dev eth0
route del -net 10.20.30.40 netmask 255.255.255.248 dev eth0

To make routes persistent, add the commands to system start‑up scripts such as /etc/rc.local or the appropriate network configuration files ( /etc/sysconfig/network, /etc/sysconfig/static‑router).

5. lsof

lsof

(list open files) reports files opened by processes, which includes regular files, sockets, pipes, and device nodes.

-a               list all open files
-c <process>      list files opened by a specific process name
-u <uid>         list files opened by a user ID
-g <gid>         list files opened by a group ID
-d <fd>          list processes using a particular file descriptor
+D <dir>         recursively list files opened under a directory
-n               suppress hostname resolution
-i <criteria>    list network files matching criteria (e.g., tcp, udp, port, IP)
-p <pid>        list files opened by a specific PID

Example: list all network sockets owned by the SSH daemon:

lsof -i tcp -c sshd

6. netstat

netstat

(from net-tools ) displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. -a – show all sockets (listening and non‑listening) -n – display addresses numerically -p – show PID/program name (requires root) -l – show only listening sockets -t – TCP sockets -u – UDP sockets -r – routing table -i – interface list -g – multicast groups -s – network statistics

# Show all connections and listening ports
netstat -anpt

# Filter for sshd processes
netstat -anpt | grep sshd

7. ss

ss

(socket statistics) is a modern replacement for netstat. It queries kernel socket information via netlink, providing faster and more detailed output.

ss [options] [filter]

-t

– TCP sockets -u – UDP sockets -w – raw sockets -x – Unix domain sockets -l – listening sockets only -a – all sockets -n – numeric output (no DNS lookup) -p – show process owning each socket -e – extended information -m – memory usage -o – timer information

# List all listening ports
ss -l

# Show a summary of socket usage
ss -s

# Show processes owning sockets
ss -pl

# Show all TCP sockets
ss -at

# Show all UDP sockets
ss -au

# Show established SSH connections
ss -o state established '( dport = :ssh or sport = :ssh )'

# Show established HTTP connections
ss -o state established '( dport = :http or sport = :http )'

8. traceroute

traceroute

discovers the path packets take to a destination host, reporting each hop’s round‑trip time.

traceroute [options] <host|IP>

-d

– enable socket‑level debugging -f <ttl> – initial TTL (first hop) -g <gateway> – source‑routing gateways (max 8) -i <iface> – specify outgoing interface -I – use ICMP echo instead of UDP -m <max_ttl> – maximum TTL -n – numeric output (no DNS lookups) -p <port> – set UDP destination port -r – ignore routing table, send packets directly -s <src_ip> – set source IP address -t <tos> – set Type‑of‑Service field -v – verbose output -w <seconds> – per‑hop timeout -x – enable packet checksum verification

# Directly connected host
traceroute 20.0.0.25

# Trace to an external domain (e.g., Baidu)
traceroute www.baidu.com

9. nslookup

nslookup

queries DNS servers for name resolution. Install via yum -y install bind-utils on RHEL‑based systems.

nslookup <domain>

# Example lookups
nslookup www.baidu.com
nslookup www.google.com

# View DNS resolver configuration
cat /etc/resolv.conf

# View static host mappings
cat /etc/hosts

10. dig

dig

(Domain Information Groper) is another DNS lookup tool from the bind-utils package.

dig <domain>

# Query Baidu
 dig www.baidu.com

11. nmcli

nmcli

is the command‑line interface for NetworkManager, allowing creation, modification, activation and deletion of network connections. nmcli [OPTIONS] OBJECT { COMMAND | help } Common objects: con – connection profiles dev – devices (interfaces)

Typical workflow:

# List all saved connections
nmcli con show

# Show only active connections
nmcli con show --active

# Display details of a specific connection (e.g., eth0)
nmcli con show eth0

# Show device status
nmcli dev status

# Create a DHCP connection named "default"
nmcli con add con-name default type ethernet ifname eth0

# Create a static connection (no auto‑connect)
nmcli con add con-name static type ethernet ifname eth0 \
    autoconnect no ipv4.addresses 172.25.10.10/24 ipv4.gateway 172.25.10.254

# Activate a connection
nmcli con up static

# Modify DNS for a connection
nmcli con mod "static" ipv4.dns 172.25.10.254
nmcli con mod "static" +ipv4.dns 8.8.8.8   # add secondary DNS
nmcli con mod "static" -ipv4.dns 8.8.8.8   # remove a DNS entry

# Disable automatic DNS when using DHCP
nmcli con mod "system eth0" ipv4.ignore-auto-dns yes

# Create a bonding (team) interface
nmcli con add type bond con-name mybond0 ifname bond0 mode active-backup
nmcli con add type bond-slave ifname ens37 master bond0
nmcli con add type bond-slave ifname ens33 master bond0

# Bring up the slave interfaces first, then the bond
nmcli con up bond-slave-ens37
nmcli con up bond-slave-ens33
nmcli con up mybond0

12. tcpdump

tcpdump

captures network packets and prints them in a human‑readable form. It supports extensive filtering expressions.

tcpdump [options] [-c <count>] [-i <iface>] [-w <file>] [filter]

Important options (most are self‑explanatory): -i <iface> – capture on a specific interface -c <count> – stop after capturing a given number of packets -w <file> – write raw packets to a file (e.g., .pcap) -n – don’t resolve hostnames -vv – increase verbosity -s <snaplen> – set snapshot length (0 = full packet) -X – print packet contents in hex and ASCII

# Capture on the default interface
tcpdump

# Capture on eth0
tcpdump -i eth0

# Capture 1000 packets then stop
tcpdump -c 1000 -i eth0

# Capture traffic to or from 10.0.0.100
tcpdump host 10.0.0.100

# Capture TCP traffic on port 22 from a specific host
tcpdump tcp port 22 and src host 10.0.0.100

# Save 1000 packets to a file with immediate write
tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.pcap

# Complex example: capture all non‑SSH traffic from the 192.168.1.0/24 network on eth1
tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.pcap

13. arp

arp

manipulates the kernel ARP cache, allowing you to view, add or delete entries.

arp [-vn] [-i <iface>] -a                # display all entries
arp -d <host> [-i <iface>]               # delete an entry
arp -s <host> <hwaddr> [-i <iface>]      # add a static entry

Common usage:

# Show ARP cache (numeric output)
arp -n   # equivalent to: ip neigh

# Add a static binding (prevents ARP spoofing)
arp -s 10.0.0.6 00:0c:29:32:80:38

# Delete a specific entry
arp -d 10.0.0.6

# Publish a MAC address for a host on a given interface (useful for proxy ARP)
arp -i eth0 -Ds 10.0.0.2 eth1 pub

14. nmap

nmap

is a powerful network scanner used for security assessments, host discovery and service enumeration.

# Install nmap on RHEL/CentOS
yum -y install nmap

nmap [scan type] [options] <target>

Frequently used scan types and options: -sS – SYN (stealth) scan -sT – TCP connect scan (default) -sU – UDP scan -sF – FIN scan -sP – ICMP ping scan (host discovery only) -p <ports> – specify ports or port ranges -n – skip reverse DNS resolution -P0 – treat all hosts as alive (skip ping)

# Scan all TCP ports on localhost
nmap -sT 127.0.0.1

# Scan all UDP ports on localhost
nmap -sU 127.0.0.1

# Find HTTP servers (port 80) in a subnet
nmap -p 80 192.168.80.0/24

# Discover live hosts in a subnet (fast ping scan)
nmap -n -sP 192.168.80.0/24