Linux Networking with ip and ss: The Modern Toolkit
Replace ifconfig and netstat with ip and ss. Learn to inspect interfaces, routes, and sockets on modern Linux with clear examples.
What you'll learn
- ✓Why ip and ss replaced ifconfig and netstat
- ✓How to read interface, address, and route tables
- ✓How to inspect listening and established sockets
- ✓How to add a temporary route or alias
- ✓How to debug a connectivity problem from the box
Prerequisites
- •A Linux machine and basic shell familiarity
What and Why
For more than a decade the net-tools package (ifconfig, route, netstat, arp) has been deprecated in favor of iproute2 (ip, ss). On many distributions the old commands are not even installed. The newer tools are faster, more consistent, and expose Linux networking features that ifconfig never could: multiple addresses per interface, network namespaces, traffic control, policy routing.
If you maintain servers, ship containers, or run Kubernetes, learning ip and ss is no longer optional.
Mental Model
Linux networking is built in layers, and iproute2 reflects them. At the bottom you have devices (NICs, bridges, tun/tap). Above that, addresses are attached to devices. Above that, routes tell the kernel which next hop reaches which destination. Sockets sit on top: open ports owned by processes.
process (nginx, ssh)
| ss
v
socket (TCP/UDP port)
|
v
address (10.0.0.5/24)
| ip addr
v
device (eth0, wlan0, docker0) <-- ip link
|
v
route (default via 10.0.0.1) <-- ip routeip operates on the lower three layers; ss operates on sockets. Most subcommands accept short forms: ip a for ip address, ip r for ip route, ip l for ip link.
Hands-on Example
Show interfaces and their state:
ip link
ip -br link # brief, one line eachYou will see entries like eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> plus a MAC. UP means administratively enabled; LOWER_UP means the cable or radio is actually connected.
Show addresses:
ip addr
ip -br -c addr # brief and colored
ip -4 addr show eth0Add a temporary IP alias (lost on reboot):
sudo ip addr add 10.0.0.50/24 dev eth0
sudo ip addr del 10.0.0.50/24 dev eth0Toggle an interface:
sudo ip link set eth0 down
sudo ip link set eth0 up
sudo ip link set eth0 mtu 1400Show and edit routes:
ip route
ip route get 1.1.1.1 # which route would the kernel use?
sudo ip route add 10.10.0.0/16 via 10.0.0.254
sudo ip route del 10.10.0.0/16
sudo ip route replace default via 10.0.0.1 dev eth0ip route get is the single most useful debugging command in this set: it answers “if I send a packet to this address right now, what will Linux do?”
Inspect the ARP/neighbor table:
ip neigh
sudo ip neigh flush dev eth0Now switch to ss for sockets. The classic netstat replacement:
ss -tulnp # TCP/UDP, listening, numeric, with process
ss -tnp state established
ss -s # summary counts by state
ss -tn '( dport = :443 or sport = :443 )'-t TCP, -u UDP, -l listening, -n no DNS resolution (much faster), -p show owning process (needs root for other users’ sockets). The filter language is rich; you can match by ports, addresses, or socket state.
A quick triage sequence when “the service is down”:
ip -br addr # do I have an IP?
ip route get 1.1.1.1 # do I have a default route?
ss -tlnp | grep :8080 # is my app actually listening?
ss -tn state syn-sent # are outbound connects hanging?That ladder usually finds the problem in under a minute.
Common Pitfalls
Mixing ip changes with NetworkManager or netplan. Anything you set with ip at the command line lives only in the kernel and is lost on reboot or when the manager re-applies its config. For permanent changes, edit the right config file.
Forgetting -n on ss. Without it, every entry triggers a reverse DNS lookup and the command crawls on busy boxes.
Reading ss -l and assuming a service is reachable. Listening on 127.0.0.1:8080 is invisible from outside the host; listening on 0.0.0.0:8080 or [::]:8080 exposes it. The address column tells you which.
Adding a route without specifying the device when multiple interfaces could carry it. Use dev eth0 to be explicit.
Assuming MTU is symmetric. Path MTU issues often look like “small requests work but large responses hang”. ip link show shows your local MTU; PMTU discovery handles the rest, but firewalls that drop ICMP break it.
Practical Tips
Add alias ip='ip -c' to your shell rc to get color output by default.
ip monitor streams every link, address, route, and neighbor event as it happens. Run it in a tmux pane while bringing up a container to see the kernel’s view in real time.
Use network namespaces to experiment safely: sudo ip netns add test, sudo ip -n test link set lo up. Containers are essentially namespaces plus mounts.
ss -e -o adds inode and timer information. The timer column tells you when a TCP retransmission will fire, which is gold for diagnosing flaky links.
Pair ss with tcpdump -i eth0 port 8080 -nn when you need to see actual packets, not just socket state.
Wrap-up
ip and ss cover almost everything you used to do with ifconfig, route, arp, and netstat, and they expose features those tools never could. Memorize the four short forms (ip a, ip r, ip l, ss -tulnp) and you can diagnose most Linux networking problems without leaving the box.
Related articles
- Linux Linux Disk Management and LVM: A Hands-on Tutorial
Partition disks, build LVM volume groups, grow filesystems online, and recover safely. The Linux storage stack from physical disks to mounted paths.
- Linux Linux iptables Firewall Basics
Learn iptables tables, chains, and rules. Build a working host firewall, understand NAT, and avoid the most common mistakes that lock you out.
- Linux Linux Network Namespaces Tutorial
Hands-on guide to Linux network namespaces. Create isolated network stacks, connect them with veth pairs, and understand how containers get networking.
- Linux Linux Process Management Explained: ps, top, kill, and Beyond
Learn how Linux processes work, how to inspect them with ps and top, and how to control them with signals so your servers stay responsive.