This lesson covers fundamental networking concepts in Linux and essential command-line utilities for viewing and managing network configurations. These tools are critical for system administration and troubleshooting network connectivity issues.

Network Communication

• Network Interfaces: Hardware or virtual components that allow a computer to connect to a network (like a network card)

• Router: A device/server that connects different networks and routes traffic between them

• IP Address: A unique numerical identifier assigned to each device on a network (like a home address for computers)

Example Network Setup:

• Network A: 192.168.x.x (one subnet)

• Network B: 172.16.x.x (another subnet)

• Router in middle: Has interfaces on BOTH networks, allowing communication between them

The Loopback Device

• What it is: A special virtual network interface that exists on every computer

• Purpose: Allows a computer to communicate with itself internally

• IPv4 Address: 127.0.0.1

• IPv6 Address: ::1

• Hostname: Mapped to "localhost"

• Use Case: Testing network applications without external network access

Overview:

• Modern replacement for deprecated ifconfig and route commands

• Comprehensive tool for network configuration and management

• Uses "objects" to organize different functionalities

Important Limitation: ⚠️ Changes made with ip command are NOT persistent - they disappear after reboot!

To make permanent changes, edit configuration files at:

• Debian/Ubuntu: /etc/network/

• SUSE: /etc/sysconfig/network

• Red Hat/CentOS: /etc/sysconfig/network-scripts/

• Or use utilities like nmcli or nmtui

Purpose: Display and manage IP addresses

Commands:

ip address show # Full command

ip addr show # Medium shorthand

ip a show # Shortest shorthand

ip a # Show all addresses

What You'll See:

• Interface name (e.g., ens5, eth0, lo)

• State: UP or DOWN

• Link address: MAC address (hardware address)

• inet: IPv4 address

• inet6: IPv6 address

• Link-local address: Starts with fe80 - automatically configured for IPv6

Example Output Explained:

1: lo: <LOOPBACK,UP,LOWER_UP>

inet 127.0.0.1/8 # Loopback IPv4

2: ens5: <BROADCAST,MULTICAST,UP>

link/ether aa:bb:cc:dd:ee:ff # MAC address

inet 172.31.127.197/20 # IPv4 address/subnet

inet6 fe80::xxxx/64 # Link-local IPv6

Statistical Information:

ip -s addr # Show with statistics

ip -s a # Shorthand

Shows packet statistics: received (RX) and transmitted (TX) packets

Adding an IP Address:

sudo ip addr add 172.31.120.80/20 dev ens5

• add: Action to perform

• 172.31.120.80/20: IP address with subnet mask (CIDR notation)

• dev ens5: Network device to add it to

Result: Creates a secondary IP address (original becomes primary)

Removing an IP Address:

sudo ip addr del 172.31.120.80/20 dev ens5

Purpose: Display and modify network device attributes

Commands:

ip link show # Show all interfaces

ip link # Same as above ip l # Shorthand

ip -s link # Show with statistics

What You'll See:

• Interface names and states

• MAC addresses

• MTU (Maximum Transmission Unit)

• Device flags (UP, DOWN, PROMISC, etc.)

Bringing Interface Up/Down:

sudo ip link set ens5 up # Enable interface

sudo ip link set ens5 down # Disable interface

⚠️ Warning: Setting your current interface DOWN will disconnect you if remote!

Changing MTU (Maximum Transmission Unit):

sudo ip link set ens5 mtu 8000 # Set MTU to 8000 bytes

• MTU: Largest data packet a network device will accept

• Default is often 1500 (Ethernet) or 9001 (Jumbo frames)

Promiscuous Mode:

sudo ip link set ens5 promisc on # Enable

sudo ip link set ens5 promisc off # Disable

• Promiscuous Mode: Interface accepts ALL packets, not just those addressed to it

• Use Case: Network monitoring, packet sniffing, security analysis

• Normal Mode: Interface only accepts packets destined for its MAC address

Purpose: Display and manipulate the kernel routing table

Commands:

ip route show # Display routing table

ip route # Same as above ip r # Shorthand

Understanding Routing Table Output:

default via 172.31.0.1 dev ens5 172.31.112.0/20 dev ens5 proto kernel scope link src 172.31.127.197

First Entry Explained:

• default via 172.31.0.1: Default gateway (where packets go when no other route matches)

• dev ens5: Through which interface

Second Entry Explained:

• 172.31.112.0/20: Destination network

• dev ens5: Send through this interface

• proto kernel: Added by kernel

• scope link: Direct connection (no gateway needed)

• src 172.31.127.197: Use this source IP

Routing Table Purpose:

• Determines where to send network packets

• Like a GPS for network traffic

• Default route = "if you don't know where it goes, send it here"

Purpose: Investigate network sockets and view connection statistics

Replaces: The deprecated netstat command

What are Sockets?

• Endpoints for network communication

• Combination of IP address + port number

• Like a specific door (port) at a specific address (IP)

Common Command:

ss -tulnp

Flag Breakdown:

• -t: Show TCP connections

• -u: Show UDP connections

• -l: Show listening sockets (services waiting for connections)

• -n: Don't resolve hostnames (show IP addresses, faster)

• -p: Show process using the socket (requires sudo for all processes)

Output Columns Explained:

• Netid: Protocol (tcp, udp, etc.)

• State: Connection state (LISTEN, ESTAB, UNCONN, etc.)

• Recv-Q: Receive queue (data waiting to be processed)

• Send-Q: Send queue (data waiting to be sent)

• Local Address:Port: Your computer's address and port

• Peer Address:Port: Remote computer's address and port

• Process: Process name and PID using this socket

Example Output:

tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234))

Means: SSH daemon (sshd) is listening on port 22 for connections from any IP

Use Cases:

• See what services are running and on which ports

• Identify which process is using a specific port

• Troubleshoot network connectivity issues

• Security auditing (find unexpected listening services)

Purpose: Query DNS (Domain Name System) servers to resolve domain names to IP addresses

What is DNS?

• Translates human-readable names (google.com) to IP addresses (142.250.80.46)

• Like a phone book for the internet

Basic Command:

dig acloudguru.com

Output Sections Explained:

1. Header Section:

• Version information

• Query flags and response status

2. OPT PSEUDOSECTION:

• Advanced/extended DNS data

3. QUESTION SECTION:

• Shows what you asked for

;acloudguru.com. IN A

Asking: "What's the A (address) record for acloudguru.com?"

4. ANSWER SECTION (Most Important!)

acloudguru.com. 60 IN A 104.18.32.68

acloudguru.com. 60 IN A 104.18.33.68

Breaking it down:

• acloudguru.com: Domain queried

• 60: TTL (Time To Live) in seconds - how long to cache this answer

• IN: Internet class

• A: Address record type (IPv4)

• 104.18.32.68: The actual IP address

Multiple IPs = Load balancing across multiple servers

5. Statistics Section:

• Query time, server used, message size

Related Commands:

• nslookup: Simpler DNS lookup (less detailed)

• host: Even simpler, just shows the answer

Use Cases:

• Find IP address of a domain

• Troubleshoot DNS issues

• Verify DNS propagation

• Check mail server (MX) records

• Security research

Purpose: Test network connectivity to a host

How it Works:

1. Sends ICMP ECHO_REQUEST packets to target

2. Target responds with ICMP ECHO_RESPONSE

3. Measures round-trip time

Basic Commands:

ping google.com # Ping until stopped (Ctrl+C to stop) ping -c 4 google.com # Send only 4 packets

Output Explained:

PING google.com (142.250.80.46): 56 data bytes 64 bytes from 142.250.80.46: icmp_seq=0 ttl=116 time=12.3 ms 64 bytes from 142.250.80.46: icmp_seq=1 ttl=116 time=11.8 ms 64 bytes from 142.250.80.46: icmp_seq=2 ttl=116 time=12.1 ms

Line by Line:

• First line: What you're pinging and its resolved IP

• 64 bytes: Size of response packet

• from 142.250.80.46: IP responding

• icmp_seq=0: Sequence number (counts packets)

• ttl=116: Time To Live (hops remaining before packet dies)

• time=12.3 ms: Round-trip time in milliseconds

Statistics Summary:

--- google.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss

round-trip min/avg/max/stddev = 11.8/12.1/12.3/0.2 ms

What This Tells You:

• Transmitted: Packets sent

• Received: Packets that came back

• Packet loss: Percentage lost (higher = network problems)

• min/avg/max: Fastest/average/slowest times

• stddev: Consistency of response times

Interpreting Results:

• Replies received: Network path is working

• Request timeout: No response (firewall blocking, host down, network issue)

• High packet loss: Network instability

• High/variable times: Network congestion or distance

Use Cases:

• Quick connectivity test

• Measure latency

• Detect packet loss

• Troubleshoot network issues

• Verify host is up and reachable

Network Interfaces

• Physical or virtual NICs that connect to networks

• Have MAC addresses (hardware) and IP addresses (software)

• Can be brought up/down, configured with multiple IPs

IP Addressing

• IPv4: 192.168.1.1 format (32-bit)

• IPv6: 2001:db8::1 format (128-bit)

• Subnet mask: Defines network size (CIDR notation: /20, /24)

Routing

• Determines path for network packets

• Default gateway: where to send unknown destinations

• Routing table: map of network destinations

Ports and Sockets

• Port: Number identifying a specific service (22=SSH, 80=HTTP)

• Socket: IP address + port combination

• Listening: Service waiting for connections

DNS

• Converts names to IPs

• Multiple record types (A, AAAA, MX, CNAME, etc.)

• TTL controls caching duration

A hardware or virtual component (network card/NIC) that allows a computer to connect to and communicate over a network. It has both a MAC address (hardware) and can be assigned IP addresses (software).

A special virtual network interface that allows internal communication within a host (computer talking to itself).

• IPv4 address: 127.0.0.1

• IPv6 address: ::1

• Hostname: localhost Used for testing network applications without external network access.

A device or server that connects different networks and routes traffic between them. It has network interfaces on multiple networks, allowing communication between those networks by forwarding packets to the correct destination.

A unique numerical identifier assigned to each device on a network, similar to a home address. It allows devices to be located and communicated with on a network. Comes in two versions: IPv4 (e.g., 192.168.1.1) and IPv6 (e.g., 2001:db8::1).

The hardware address of a network interface card (NIC), also called the link address. It's a unique identifier burned into the network hardware, typically shown as six pairs of hexadecimal numbers (e.g., aa:bb:cc:dd:ee:ff).

The ip command replaces two deprecated commands:

• ifconfig: For interface configuration

• route: For routing table management

  
  

  All their functionality is now consolidated in the ip command.

NO! Changes made with the ip command are temporary and will be lost when the system reboots. To make permanent changes, you must edit network configuration files or use tools like nmcli or nmtui.

• Debian/Ubuntu: /etc/network/

• SUSE: /etc/sysconfig/network

• Red Hat/CentOS/Fedora: /etc/sysconfig/network-scripts/

1. address (or addr, a): Manages IP addresses

2. link (or l): Manages device attributes

3. route (or r): Manages routing table

Objects organize different functionalities of the ip command. Each object (address, link, route, etc.) handles a specific aspect of networking, making the command modular and organized. You use: ip [object] [command]

ip address show # Full form

ip addr show # Medium shorthand

ip a show # Short form

ip a # Shortest

• Interface names (lo, ens5, eth0, etc.)

• Interface state (UP or DOWN)

• MAC address (link/ether)

• IPv4 address (inet)

• IPv6 address (inet6)

• Subnet masks (CIDR notation)

• Link-local addresses

ip -s address show

ip -s addr

ip -s a

The -s flag adds packet statistics showing received (RX) and transmitted (TX) packets.

A link-local address is an IPv6 address automatically configured for interfaces that support IPv6. It's only valid on the local network segment.

• Identifier: Starts with fe80::

• Purpose: Local network communication without manual configuration

• Example: fe80::a00:27ff:fe4e:66a1/64

sudo ip addr add 172.31.120.80/20 dev ens5

• add: Action to perform

• 172.31.120.80/20: IP with subnet (CIDR notation)

• dev ens5: Device/interface name Creates a secondary IP (original becomes primary).

sudo ip addr del 172.31.120.80/20 dev ens5

Replace add with del and specify the IP address and device to remove it.

• Primary: The first/original IP address assigned to an interface

• Secondary: Additional IP addresses added to the same interface

  
  

  An interface can have one primary and multiple secondary addresses. In ip a output, secondaries are labeled as such.

CIDR (Classless Inter-Domain Routing) notation indicates the subnet mask by specifying how many bits are used for the network portion:

• /20: First 20 bits are network, remaining 12 are host (4,096 addresses)

• /24: First 24 bits are network, remaining 8 are host (256 addresses)

• /32: Single host address

To display and modify network device attributes including:

• View interface states (UP/DOWN)

• View MAC addresses

• Change MTU (Maximum Transmission Unit)

• Enable/disable promiscuous mode

• Bring interfaces up or down

ip link show # Full form

ip link # Short form

ip l # Shortest

ip -s link # With statistics

sudo ip link set ens5 up # Bring interface up (enable)

sudo ip link set ens5 down # Bring interface down (disable)

⚠️ Warning: Don't disable the interface you're connected through remotely!

MTU (Maximum Transmission Unit): The largest data packet (in bytes) that a network device will accept.

sudo ip link set ens5 mtu 8000 # Set to 8000 bytes

• Common values: 1500 (standard Ethernet), 9001 (jumbo frames)

• Lower MTU = more packets, more overhead

• Higher MTU = fewer packets, more efficient (if supported)

Promiscuous mode: Makes the network interface accept ALL packets on the network, not just those addressed to it.

Commands:

sudo ip link set ens5 promisc on # Enable

sudo ip link set ens5 promisc off # Disable

Use cases:

• Network monitoring and analysis

• Packet sniffing/capture (Wireshark, tcpdump)

• Security analysis

• Network troubleshooting

Run ip link show and look for PROMISC in the interface flags:

2: ens5: <BROADCAST,MULTICAST,PROMISC,UP>

If you see PROMISC in the angle brackets, promiscuous mode is enabled.

Displays the kernel routing table, which determines where network packets are sent. Shows:

• Default gateway

• Network routes

• Which interface to use for each destination

• Source addresses for routes

The default route where packets are sent when no other specific route applies. It's the "gateway" to other networks (usually the internet).

default via 172.31.0.1 dev ens5

Means: "If you don't know where to send it, send it to 172.31.0.1 through ens5"

ip route show # Full form

ip route # Short form

ip r # Shortest

• 172.31.112.0/20: Destination network

• dev ens5: Send through interface ens5

• proto kernel: Route added by kernel automatically

• scope link: Direct connection, no gateway needed

• src 172.31.127.197: Use this as source IP address

Means: Traffic to 172.31.112.0/20 network goes directly through ens5 interface.

• Which interface to use

• Which gateway to send packets through

• Which networks are directly connected

• Where to send packets by default

Investigates network sockets and displays socket statistics, showing:

• Active connections

• Listening services

• Which ports are in use

• Which processes are using sockets Replaces the deprecated netstat command.

An endpoint for network communication, consisting of:

• IP address + Port number

  
  

  Like a specific door (port) at a specific address (IP). Example: 192.168.1.1:80 means port 80 at IP 192.168.1.1.

ss -tulnp

• -t: TCP connections

• -u: UDP connections

• -l: Listening sockets (services waiting for connections)

• -n: Don't resolve hostnames (show IPs, faster)

• -p: Show process using socket (needs sudo for all processes)

Shows all listening TCP/UDP services with their processes.

• tcp: Protocol is TCP

• LISTEN: State - waiting for connections

• 0: Receive queue size

• 128: Send queue size

• 0.0.0.0:22: Listening on all IPs, port 22

• 0.0.0.0:*: Accepting from any IP, any port

• users: Process sshd with PID 1234

Means: SSH daemon is listening on port 22 for connections from anywhere.

• LISTEN: Waiting for incoming connections

• ESTAB (ESTABLISHED): Active connection

• UNCONN (UNCONNECTED): UDP socket not connected

• TIME-WAIT: Connection closing, waiting for timeout

• CLOSE-WAIT: Remote end closed, local waiting to close

• TCP (Transmission Control Protocol):

  • Connection-oriented (establishes connection first)

  • Reliable (guarantees delivery, retransmits lost packets)

  • Ordered (packets arrive in sequence)

  • Examples: HTTP, SSH, FTP

• UDP (User Datagram Protocol):

  • Connectionless (no connection setup)

  • Unreliable (no delivery guarantee)

  • Unordered (packets may arrive out of order)

  • Faster, less overhead

  • Examples: DNS, streaming, gaming

• See what services/ports are listening

• Identify which process is using a specific port

• Find established connections

• Troubleshoot "port already in use" errors

• Security auditing (find unexpected services)

• Monitor network activity

The -n flag prevents hostname resolution (DNS lookups), showing raw IP addresses instead of names. This makes the command:

• Faster: No DNS lookups needed

• More reliable: Works even if DNS is broken

• More precise: Shows actual IPs, not potentially cached names

DNS (Domain Name System): Translates human-readable domain names (google.com) to IP addresses (142.250.80.46) that computers use.

• Like a phone book for the internet

• Allows using memorable names instead of numbers

• Essential for internet functionality

Performs DNS lookups to query DNS servers and resolve domain names to IP addresses. Shows detailed information about DNS records including:

• IP addresses for domains

• Mail servers (MX records)

• Name servers (NS records)

• TTL (caching duration)

• Query timing and statistics

The ANSWER SECTION - this contains the actual DNS resolution result (the IP address for the domain you queried).

;; ANSWER SECTION:

acloudguru.com. 60 IN A 104.18.32.68

• acloudguru.com.: Domain queried (dot at end is root)

• 60: TTL (Time To Live) - cache this for 60 seconds

• IN: Internet class (standard)

• A: Address record type (IPv4 address)

• 104.18.32.68: The actual IP address

Means: acloudguru.com resolves to 104.18.32.68, cache for 60 seconds.

TTL (Time To Live): Duration (in seconds) that a DNS record should be cached before checking again.

• Low TTL (60s): Frequently updated, less caching

• High TTL (86400s/1 day): Stable records, more caching

• Reduces DNS server load

• Affects how quickly DNS changes propagate

Multiple IPs indicate load balancing - traffic is distributed across multiple servers:

acloudguru.com. 60 IN A 104.18.32.68

acloudguru.com. 60 IN A 104.18.33.68

Benefits:

• Distribute traffic load

• Provide redundancy (if one server fails)

• Improve performance

• Increase capacity

1. Header: Version, flags, response status

2. OPT PSEUDOSECTION: Extended DNS data

3. QUESTION SECTION: What you asked for

4. ANSWER SECTION: The response (most important)

5. Statistics: Query time, server used, message size

An A (Address) record maps a domain name to an IPv4 address. It's the most common DNS record type.

• Example: google.com → 142.250.80.46

• For IPv6, use AAAA record instead

• nslookup: Simpler DNS lookup, less detailed

• host: Even simpler, just shows the answer

• dig: Most detailed, best for troubleshooting

For LFCA, focus on dig as it's most comprehensive.

Use cases:

• Find IP address of a domain

• Troubleshoot DNS resolution issues

• Verify DNS propagation after changes

• Check mail server (MX) records

• Investigate DNS configuration

• Security research (identify hosting)

• Diagnose website connectivity problems

Tests network connectivity to a host by:

1. Sending ICMP ECHO_REQUEST packets to target

2. Target responds with ICMP ECHO_RESPONSE

3. Measures round-trip time (latency)

   
   

   Confirms if a host is reachable and measures connection quality.

ICMP (Internet Control Message Protocol): A network protocol used for diagnostic and error messages.

• Not used for data transfer

• Used by ping and traceroute

• Reports errors (host unreachable, network down)

• Tests connectivity

• Works at network layer (Layer 3)

ping google.com # Ping until stopped (Ctrl+C)

ping -c 4 google.com # Send only 4 packets (-c = count)

ping 8.8.8.8 # Ping IP address directly

• 64 bytes: Size of response packet received

• from 142.250.80.46: IP address that responded

• icmp_seq=0: Sequence number (packet counter, starts at 0)

• ttl=116: Time To Live - hops remaining (started at 128 or 255)

• time=12.3 ms: Round-trip time - 12.3 milliseconds

Means: Successfully received response in 12.3ms from that IP.

TTL (Time To Live): Number of network hops (routers) a packet can pass through before being discarded.

• Each router decrements TTL by 1

• When TTL reaches 0, packet is dropped

• High TTL (116): Many hops remaining, far from timeout

• Low TTL (1-5): Close to expiring, many hops already traversed

• Helps prevent infinite routing loops

4 packets transmitted, 4 received, 0% packet loss

round-trip min/avg/max/stddev = 11.8/12.1/12.3/0.2 ms

• Transmitted: Packets sent

• Received: Packets that returned

• Packet loss: Percentage lost (0% = perfect, >5% = problems)

• min: Fastest response time

• avg: Average response time

• max: Slowest response time

• stddev: Standard deviation (consistency measure)

No response received from target. Possible causes:

• Host is down: Target computer is off or crashed

• Firewall blocking: ICMP packets being filtered

• Network issue: Routing problem, cable unplugged

• Wrong IP: Pinging non-existent address

• ICMP disabled: Target configured not to respond

Doesn't always mean host is down - could be firewall!

Packet loss: Percentage of packets sent that don't receive a response.

• 0%: Perfect connection

• 1-5%: Acceptable, minor issues

• 5-10%: Noticeable problems, needs investigation

• >10%: Serious network issues

• 100%: Complete communication failure

Causes: Network congestion, faulty hardware, poor wireless signal, routing issues.

Depends on distance and connection:

• <1 ms: Same local network (excellent)

• 1-30 ms: Same city/region (excellent)

• 30-50 ms: Same country (good)

• 50-100 ms: Different country (acceptable)

• 100-200 ms: International (acceptable for some uses)

• >200 ms: High latency (noticeable lag)

Lower is always better, especially for gaming/video calls.

Ping by domain (ping google.com):

• Tests both DNS resolution AND connectivity

• More realistic (how users access sites)

Ping by IP (ping 8.8.8.8):

• Tests only connectivity

• Bypasses DNS (useful if DNS is suspected issue)

• Faster (no DNS lookup delay)

If domain fails but IP works: DNS problem!

Press Ctrl+C (Control key + C key simultaneously). This sends an interrupt signal, stops the ping, and displays statistics summary.

High stddev: Inconsistent response times (jitter).

round-trip min/avg/max/stddev = 10/50/200/85 ms # High variance!

• Network instability

• Intermittent congestion

• Variable routing paths

• Wi-Fi interference

Low stddev: Consistent, stable connection (desirable).

Use ping to:

1. Verify connectivity: Can you reach the host?

2. Measure latency: How fast is the connection?

3. Detect packet loss: Is connection stable?

4. Test DNS: Domain name vs IP address

5. Identify network issues: Where does connectivity break?

6. Baseline performance: Normal vs problematic times

First step in most network troubleshooting!

sudo ip addr add 192.168.1.100/24 dev eth0

Remember: This is temporary and lost on reboot. For permanent, edit config files.

sudo ss -tulnp | grep :80

Or specifically for TCP:

sudo ss -tlnp | grep :80

Will show if anything is listening on port 80 and which process.

1. ping server.com: Can you reach it at all?

2. ping IP_ADDRESS: If domain fails but IP works = DNS issue

3. dig server.com: Verify DNS resolution

4. ip route: Check routing table

5. ip link: Verify interface is UP

6. ss -tulnp: Check if service is actually listening

Systematic approach from basic to specific!

sudo ss -tulnp | grep :8080

Or more specifically:

sudo ss -tlnp | grep :8080

The output will show the process name and PID in the last column.

sudo ip link set eth0 up

Verify with:

ip link show eth0

Look for <UP> in the output.

1. Test DNS lookup:

dig google.com

Check if you get IP addresses in ANSWER section.

1. Compare with known good DNS:

dig @8.8.8.8 google.com # Use Google's DNS

1. Test reverse lookup:

dig -x 8.8.8.8

If local dig fails but @8.8.8.8 works: Your DNS server is the problem.

Since ping works:

• Network connectivity: OK ✓

• DNS: OK ✓ (ping resolved domain)

Likely issues:

• Firewall blocking HTTP/HTTPS (ports 80/443)

• Web browser problem

• Proxy configuration issue

Check: Can you telnet google.com 80 or use curl http://google.com?

ip route | grep default

Or:

ip r | grep default

Output will show:

default via 192.168.1.1 dev eth0

The IP after "via" is your default gateway.

ip link show

Or

ip a

Both show all interfaces regardless of state. Look for state UP or DOWN in the output.

Hostname:

hostname

IP address:

ip a | grep inet

Or more specific:

ip -4 addr show scope global # IPv4 only

Combined info:

hostname -I # Shows all IP addresses

Essential commands:

• ip a - View IP addresses

• ip link - View/manage interfaces

• ip route - View routing table

• ss -tulnp - View listening services

• dig domain.com - DNS lookup

• ping host - Test connectivity

Key flags:

• -s for statistics

• -4 for IPv4 only

• -6 for IPv6 only

ip addr:

• Shows IP addresses (IPv4 and IPv6)

• Network layer (Layer 3)

• Includes subnet information

• Shows inet and inet6 entries

ip link:

• Shows interface states and MAC addresses

• Data link layer (Layer 2)

• Shows physical interface status (UP/DOWN)

• Shows link/ether (MAC) addresses

• No IP address information

Think: link = hardware, addr = network configuration.

Start with IP addresses if you suspect DNS issues:

1. Ping by IP: Tests pure connectivity

2. If IP works but domain fails: DNS problem

3. If both fail: Network connectivity problem

Start with domain names for general testing:

1. Tests the whole chain (DNS + connectivity)

2. More realistic (how services are actually accessed)

Rule of thumb: Use IPs to isolate DNS issues

Ping uses ICMP; services use TCP/UDP. Different protocols can be blocked separately:

• Firewall: Allows ICMP but blocks specific ports

• Service down: Host is up but service isn't running

• Port filtering: Router/firewall blocking application ports

• Service binding: Service listening on wrong interface/IP

Check with: ss -tulnp | grep port_number

sudo ss -tlnp | grep :22

If you see output with LISTEN state, SSH is listening.

No output = either:

• SSH not running

• Running on different port

• Not listening on queried interface

In ip a output:

• inet: IPv4 address (e.g., 192.168.1.1)

• inet6: IPv6 address (e.g., 2001:db8::1)

IPv4: Four numbers separated by dots (192.168.1.1) IPv6: Eight groups of hex separated by colons (2001:db8::1)

Most systems have both configured (dual-stack).

Scope link: Address is only valid on the local network link (local network segment).

• Link-local addresses (169.254.x.x for IPv4, fe80:: for IPv6)

• Can't be routed beyond local network

• Automatically configured

• Used for local network communication only

vs scope global: Routable address, can communicate anywhere.

dig domain.com:

• ONLY tests DNS resolution

• Shows what IP the domain resolves to

• Shows DNS server response

• No connectivity test

ping domain.com:

• Tests BOTH DNS resolution AND connectivity

• Verifies you can actually reach the host

• Measures response time

Use dig when you only care about DNS; use ping for full connectivity test.

1. Interface status: ip link show

2. IP configuration: ip addr show

3. Routing table: ip route

4. Connectivity test: ping gateway and ping 8.8.8.8

5. DNS test: dig problem-domain.com

6. Service status: ss -tulnp for relevant ports

This systematic information helps diagnose root cause quickly.

0.0.0.0:port or *:port:

• Listening on ALL interfaces

• Accepts connections from any IP

127.0.0.1:port:

• Only listening on loopback

• Only local connections accepted

• Not accessible from network

192.168.1.10:port (specific IP):

• Only listening on that specific interface/IP

• Only accepts connections to that IP

Security: Use 127.0.0.1 for local-only services, 0.0.0.0 for public services.

ip command changes are NOT persistent! They're lost on reboot. This is by design for safety.

To make permanent:

• Edit network config files directly, OR

• Use nmcli or nmtui tools

Temporary = ip command Permanent = config files

Process information for sockets owned by other users requires elevated privileges.

As normal user: Only see your own processes With sudo: See all processes system-wide

Always use: sudo ss -tulnp for complete information.

You disabled the network interface you were connected through!

• ip link set eth0 down disables the interface

• If you're connected via eth0 (SSH, etc.), you lose connection

• Can only fix with physical/console access

Prevention: NEVER disable your active connection interface remotely!

No! While technically "working," this indicates serious problems:

• Severe network congestion

• Overloaded router/server

• Very long physical distance (satellite)

• QoS deprioritization

• Failing network equipment

Applications will be very slow or timeout. Investigate cause immediately.

Possible causes:

1. DNS caching: Ping using old cached DNS, dig queries fresh

2. Multiple IPs: dig shows different IP than ping is using

3. Firewall: Blocking ICMP but not DNS

4. Recent DNS change: Propagation in progress

Solution:

• Clear DNS cache

• Ping the specific IP from dig

• Wait for full DNS propagation

Link-local IPv6 addresses (starting with fe80::) are automatically configured on IPv6-enabled interfaces:

• No manual configuration needed

• Always present on IPv6 interfaces

• Used for local network communication

• Normal and expected behavior

Not a problem - this is how IPv6 works by design.

sudo ss -tulnp | grep :port_number

Example for port 80:

sudo ss -tulnp | grep :80

Shows process and PID using that port.

Then decide: kill that process or configure service on different port.

Can ping gateway: Local network works ✓ Can't ping external: Routing/gateway issue ✗

Likely problems:

• Gateway not routing: Gateway isn't forwarding packets

• No default route: Check ip route for default entry

• Firewall on gateway: Blocking outbound traffic

• ISP issue: Internet connection down

Check: ip route to verify default gateway exists.

MTU mismatch: Your MTU (9001 - jumbo frames) is larger than what network supports (usually 1500).

Results in:

• Packet fragmentation

• Dropped packets

• Connection issues

Solution: Set MTU to match network:

sudo ip link set eth0 mtu 1500

Rule: MTU must match or be smaller than network supports.

Check routing table for default route:

ip route | grep default

Output:

default via 192.168.1.1 dev eth0

The interface after "dev" (eth0) is your primary/main interface used for internet.

ip a # View all IP addresses

ip link # View all interfaces

ip route # View routing table

ip -s link # Interface statistics

ss -tulnp # All listening services

dig domain.com # DNS lookup

ping host # Test connectivity

hostname -I # Show system IPs

sudo ip addr add IP/mask dev interface # Add IP

sudo ip addr del IP/mask dev interface # Remove IP

sudo ip link set interface up # Enable interface

sudo ip link set interface down # Disable interface

sudo ip link set interface mtu SIZE # Change MTU

sudo ip link set interface promisc on/off # Promiscuous mode

Remember: All temporary until reboot!

1. ip link # Is interface UP?

2. ip addr # Does it have an IP?

3. ip route # Is there a default route?

4. ping gateway_ip # Can reach gateway?

5. ping 8.8.8.8 # Can reach internet?

6. ping domain.com # Does DNS work?

7. dig domain.com # DNS resolution details

8. ss -tulnp | grep :port # Is service listening?

• 127.0.0.1: Loopback (localhost)

• 0.0.0.0: All interfaces/any address

• 169.254.x.x: Link-local (autoconfigured, no DHCP)

• 192.168.x.x, 10.x.x.x, 172.16-31.x.x: Private IPs

• fe80::: IPv6 link-local

• ::1: IPv6 loopback

• 22: SSH

• 80: HTTP (web)

• 443: HTTPS (secure web)

• 53: DNS

• 25: SMTP (email)

• 3306: MySQL

• 5432: PostgreSQL

• 6379: Redis

For LFCA, especially know: 22 (SSH), 80 (HTTP), 443 (HTTPS), 53 (DNS)

Layer 2 (Link): ip link - Hardware/interface level

Layer 3 (Network): ip addr, ip route, ping - IP addressing/routing

Layer 4 (Transport): ss - TCP/UDP ports and connections

Layer 7 (Application): dig - DNS (application protocol)

Troubleshoot bottom-up: link → IP → routing → services.

• Interface state DOWN: ip link shows <DOWN>

• No IP address: ip a shows no inet entry

• No default route: ip route has no default entry

• 100% packet loss: ping shows all packets lost

• No LISTEN state: ss shows no service on expected port

• NXDOMAIN: dig shows domain doesn't exist

• High packet errors: ip -s link shows many errors

• Request timeout: No response to ping

Format: ip [OPTIONS] OBJECT COMMAND

Objects (what to manage):

• address (a): IP addresses

• link (l): Interfaces/devices

• route (r): Routing table

Commands (what to do):

• show: Display info

• add: Add entry

• del: Delete entry

• set: Modify entry

Example: ip addr add = manage address, add entry

1. View network config: ip a, ip link, ip route

2. Test connectivity: ping, verify response

3. Check services: ss -tulnp, identify listening ports

4. DNS troubleshooting: dig, verify resolution

5. Add/remove IPs: ip addr add/del

6. Interface management: ip link set up/down

7. Identify network issues: Systematic troubleshooting

Practice these scenarios repeatedly!

✓ ip a - view IPs

✓ ip link - view interfaces

✓ ip route - view routes

✓ ss -tulnp - view services/ports

✓ dig domain - DNS lookup

✓ ping host - test connectivity

✓ Loopback = 127.0.0.1/::1

✓ Changes with ip are temporary

✓ Config files location for each distro

✓ Troubleshooting methodology

✓ Interpret command output

✓ Understand common port numbers

Master these and you're ready!

Viewing:

• Show all IPs: ip a

• Show interfaces: ip link

• Show routes: ip route

• Show listening services: sudo ss -tulnp

• DNS lookup: dig domain.com

• Test connectivity: ping host

Modifying:

• Add IP: sudo ip addr add IP/mask dev interface

• Remove IP: sudo ip addr del IP/mask dev interface

• Interface up: sudo ip link set interface up

• Interface down: sudo ip link set interface down

Troubleshooting:

• Test gateway: ping $(ip route | grep default | awk '{print $3}')

• Find process on port: sudo ss -tulnp | grep :PORT

• Check DNS: dig +short domain.com

• Quick connectivity: ping -c 4 8.8.8.8