Linux Networking: ip, nmcli, nmap, ss and More
Tested on: Ubuntu 24.04 LTS · Debian 12 · Fedora 40 — Last updated: June 2026
Linux networking is managed through a tightly scoped set of command-line tools. Know them well and you can configure interfaces, trace broken routes, interrogate DNS, audit open ports, and monitor live traffic — all without touching a GUI. This guide covers every essential tool: ip, nmcli, ss, nmap, ping, mtr, dig, ufw, and the bandwidth monitors that show you what's actually moving across the wire.
Prerequisites
- A Linux system running Ubuntu 24.04, Debian 12, or Fedora 40 (most commands apply universally)
- Basic terminal familiarity — you know how to open a shell and run commands with
sudo - The
iproute2package (pre-installed on all modern distros) - For scanning and monitoring tools:
sudo apt install nmap mtr iftop nethogs vnstatorsudo dnf install nmap mtr iftop nethogs vnstaton Fedora
The ip Command — Modern Replacement for ifconfig
The ip command from iproute2 replaces ifconfig, route, and arp. Those older tools from the net-tools package still work if installed, but they're unmaintained and blind to modern networking features like VRFs, network namespaces, and policy routing. Use ip exclusively.
Interface and Address Management
# Show all interfaces and their IP addresses:
ip addr show
ip a # short form
# Show a specific interface:
ip addr show eth0
ip addr show enp3s0 # predictable naming convention
# Show only running interfaces:
ip addr show up
# Add an IP address to an interface (temporary — lost on reboot):
sudo ip addr add 192.168.1.100/24 dev eth0
# Remove an IP address:
sudo ip addr del 192.168.1.100/24 dev eth0
# Bring an interface up or down:
sudo ip link set eth0 up
sudo ip link set eth0 down
# Show interface statistics — packets, errors, drops:
ip -s link show eth0Reading ip addr Output
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default
link/ether 00:15:5d:01:ca:05 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe01:ca05/64 scope link
valid_lft forever preferred_lft foreverUP,LOWER_UP— interface is administratively up and the physical layer has a carrier signalmtu 1500— maximum transmission unit; jumbo frames use 9000link/ether— MAC addressinet 192.168.1.100/24— IPv4 address with prefix length (24 = 255.255.255.0)scope global— routable address;scope linkmeans link-local onlyinet6 fe80::— auto-configured link-local IPv6; always present when IPv6 is enabled
Routes and Gateways
# Show the full routing table:
ip route show
ip r # short form
# Show only the default gateway:
ip route show default
# Output: default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.100 metric 100
# Add a static route (temporary):
sudo ip route add 10.0.0.0/8 via 192.168.1.1 dev eth0
# Add or replace the default gateway:
sudo ip route add default via 192.168.1.1
# Delete a route:
sudo ip route del 10.0.0.0/8 via 192.168.1.1
# Check which interface and gateway a packet would use for a destination:
ip route get 8.8.8.8
# Output: 8.8.8.8 via 192.168.1.1 dev eth0 src 192.168.1.100 uid 1000ip route get is underused and extremely useful — it shows exactly how the kernel would route a packet to any destination, including which source IP would be used.
nmcli — NetworkManager CLI
NetworkManager handles persistent network configuration on most desktop and server Linux installations. Changes made with raw ip commands are temporary; nmcli writes configuration that survives reboots.
# Show all configured connections:
nmcli connection show
# Show only active connections:
nmcli connection show --active
# Show device status:
nmcli device status
# Connect to Wi-Fi:
nmcli device wifi connect "NetworkName" password "yourpassword"
# List available Wi-Fi networks:
nmcli device wifi list
nmcli device wifi list --rescan yes # force a fresh scan
# Toggle Wi-Fi:
nmcli radio wifi off
nmcli radio wifi on
# Disconnect a device:
nmcli device disconnect wlan0Configure a Static IP with nmcli
# Find the connection profile name:
nmcli connection show
# NAME UUID TYPE DEVICE
# Wired connection 1 a1b2c3d4-... ethernet eth0
# Set static IP, gateway, and DNS:
nmcli connection modify "Wired connection 1"
ipv4.addresses "192.168.1.100/24"
ipv4.gateway "192.168.1.1"
ipv4.dns "1.1.1.1,8.8.8.8"
ipv4.method manual
# Apply the changes:
nmcli connection down "Wired connection 1"
nmcli connection up "Wired connection 1"
# To revert to DHCP:
nmcli connection modify "Wired connection 1" ipv4.method auto
nmcli connection up "Wired connection 1"Configure a Static IP with Netplan (Ubuntu Server)
Ubuntu Server uses Netplan when NetworkManager is not installed. Edit the file in /etc/netplan/ — the filename varies but is typically 00-installer-config.yaml.
network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- 192.168.1.100/24
routes:
- to: default
via: 192.168.1.1
nameservers:
addresses: [1.1.1.1, 8.8.8.8]
dhcp4: false# Validate config before applying:
sudo netplan try
# Apply permanently:
sudo netplan applyss — Socket Statistics
ss replaces the deprecated netstat. It queries the kernel directly via netlink sockets, making it faster and more accurate than netstat for busy systems.
# Show all listening TCP and UDP ports with process names:
ss -tulpn
# Flags breakdown:
# -t TCP sockets
# -u UDP sockets
# -l listening sockets only
# -p show process name and PID
# -n numeric output (skip DNS/service name resolution)
# Show all connections including established:
ss -tapn
# Find what's using a specific port:
ss -tulpn | grep :80
ss -tulpn | grep :443
ss -tulpn | grep :3306 # MySQL
# Show summary of socket states:
ss -s
# Show connections to a specific remote host:
ss dst 192.168.1.50
# Show Unix domain sockets:
ss -x# Example ss -tulpn output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=982,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1024,fd=6))
tcp ESTAB 0 0 192.168.1.100:22 192.168.1.5:54213 users:(("sshd",pid=2341,fd=4))The Recv-Q and Send-Q columns show bytes waiting in the receive and send buffers. Non-zero values on a LISTEN socket indicate a backlog building up — the application isn't accepting connections fast enough.
ping, traceroute, mtr
# Basic connectivity test:
ping google.com
ping -c 4 google.com # send exactly 4 packets then exit
ping -i 0.2 google.com # flood-style: ping every 200ms
ping -s 1472 google.com # test large packet sizes (MTU debugging)
ping6 ipv6.google.com # test IPv6 connectivity
# traceroute — show every hop between you and the destination:
traceroute google.com
sudo traceroute -I google.com # ICMP mode (bypasses UDP filters)
traceroute -T -p 443 google.com # TCP mode on port 443
# mtr — combines ping and traceroute with live packet loss per hop:
mtr google.com # interactive TUI
mtr --report -c 20 google.com # 20-cycle report then exit
mtr --report-wide --no-dns google.com # skip reverse DNS lookups (faster)Use mtr instead of traceroute for diagnosing intermittent connectivity problems. Traceroute gives you a snapshot; mtr shows sustained packet loss rates per hop, so you can pinpoint exactly where packets are being dropped.
DNS Tools: dig, resolvectl, host
# dig — the definitive DNS debugging tool:
dig google.com # A record (IPv4)
dig google.com AAAA # IPv6 address
dig google.com MX # mail server records
dig google.com TXT # TXT records — SPF, DKIM, domain verification
dig google.com NS # authoritative nameservers
dig google.com SOA # start of authority
# Query a specific DNS server directly:
dig @8.8.8.8 google.com
dig @1.1.1.1 google.com
# Reverse lookup (PTR record):
dig -x 8.8.8.8
# Trace the full delegation path from root servers:
dig +trace google.com
# Clean short output — just the IP:
dig +short google.com
# Check DNS servers in use:
cat /etc/resolv.conf
resolvectl status | grep "DNS Servers"
nmcli dev show | grep IP4.DNS
# Flush the local DNS cache:
sudo resolvectl flush-caches
sudo systemd-resolve --flush-caches # older alias, same effectnmap — Network Scanning
nmap discovers hosts, open ports, running services, and OS versions. It's indispensable for auditing your own infrastructure. Only scan networks and hosts you own or have explicit written permission to test.
sudo apt install nmap # Debian/Ubuntu
sudo dnf install nmap # Fedora
# Scan a single host (top 1000 ports):
nmap 192.168.1.1
nmap -v 192.168.1.1 # verbose output
# Discover live hosts on a subnet without port scanning:
nmap -sn 192.168.1.0/24
# Scan specific ports:
nmap -p 22,80,443 192.168.1.1
nmap -p 1-10000 192.168.1.1
nmap -p- 192.168.1.1 # all 65535 ports (slow)
# Service and version detection:
nmap -sV 192.168.1.1
# OS detection (requires root):
sudo nmap -O 192.168.1.1
# Aggressive scan — OS + versions + scripts + traceroute:
sudo nmap -A 192.168.1.1
# Fast scan of common ports on a subnet:
nmap -T4 -F 192.168.1.0/24
# UDP scan (slow — be patient):
sudo nmap -sU -p 53,161,162 192.168.1.1
# Check if a specific port is open on multiple hosts:
nmap -p 22 192.168.1.0/24ufw and iptables Basics
Netfilter in the kernel handles packet filtering. iptables and nftables are the low-level interfaces. For day-to-day use, ufw (Ubuntu/Debian) and firewalld (Fedora/RHEL) are far more practical.
# Enable ufw and set default deny-incoming policy:
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow common services:
sudo ufw allow ssh # port 22
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 8080/tcp
# Block a port:
sudo ufw deny 3306
# Restrict access to a port by source IP:
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw allow from 10.0.0.5 to any port 22
# Delete a rule:
sudo ufw status numbered
sudo ufw delete 3 # delete rule number 3
# Full status:
sudo ufw status verbose