ip cheat sheet

The purpose of the ip command on Linux is to show and alter network devices, interfaces, network routing, and tunnels. It can be used as a replacement for tools like arp, netstat, and route. Because so much is possible with this command, this cheat sheet collects the most useful invocations for easier reference.

Basics

The main ip command uses subcommands and options. The options can usually be left out, unless more information or detail is needed.

Some of the primary subcommands include:

  • address - IP protocol information (replacement for ifconfig command)
  • link - Network device information
  • neighbour - ARP and NDISC information (replacement for arp command)
  • route - Routing table information (replacement for route command)

When using ip, you can use full names or abbreviated ones. In this cheat sheet the full names will be listed first and later replaced by their shorter versions. For example, ip link, ip li and ip l will all give the same output.

Subcommands

Subcommands define a particular area within networking, such as the physical link, addressing, or routing.

| Command | Short version | Goal | Replaces |
| --- | --- | --- | --- |
| ip address | ip a | Show IP address details | ifconfig |
| ip link | ip l | Show network link details (MAC) | ifconfig |
| ip maddress | ip m | Show multicast details | netstat -g |
| ip neighbour | ip n | Show other systems on network segment (ARP) | arp |
| ip route | ip r | Display routing information | netstat -r or route |
| ip tcp_metrics | ip tc | Display TCP caching information | ? |

Options

| Long option | Short option | What the option does |
| --- | --- | --- |
| -details | -d | Show more detailed output, usually insightful for troubleshooting purposes. |
| -Numeric | -N | Numeric output, no conversion of names (e.g. ports) |
| -statistics | -s | Show statistics. The long format option can also be abbreviated to -stats. |

Creating a shell script? Then we suggest using the long format option, as this improves the readability. For quick use on the command line, consider using the short notation of the related option.

Network devices

Show the available network devices with subcommand link. It includes information like the name of the network interface, optional alias, MAC address, MTU size, and its state (up/down).

# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether ab:cd:ef:12:34:56 brd ff:ff:ff:ff:ff:ff
    altname enp0s18

To only show one interface, specify it:

ip link show ens18

Show statistics on a particular link, which is great to learn about errors and dropped packets.

# ip -stats link show ens18
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether ab:cd:ef:12:34:56 brd ff:ff:ff:ff:ff:ff
    RX:  bytes  packets errors dropped  missed   mcast           
    5108603572 20814332      0  789579       0       0 
    TX:  bytes  packets errors dropped carrier collsns           
    7504563480 10310495      0       0       0       0 
    altname enp0s18

Disable or enable an interface

To enable an interface, use the ‘up’ flag.

ip link set ens18 up

To disable it, use the ‘down’ flag.

ip link set ens18 down

Change your MAC address

Besides viewing information, the subcommands can also be used to make changes, like defining a new MAC address.

ip link set dev ens18 address aa:bb:cc:dd:ee:ff

ARP cache

To see the other devices on the same network segment, use the neighbour subcommand. It replaces the functionality of the arp command.

Show ARP cache

Just use neighbour (or n) to see the ARP cache.

# ip neighbour
192.168.1.1 dev ens18 lladdr ab:cd:ef:12:34:56 STALE

Delete an ARP entry

To delete an entry listed with the neighbour subcommand, define the address and interface.

ip neigh del 192.168.1.1 dev ens18

IP and addressing

Most modern systems use IP to communicate with other systems. With the subcommand address the details regarding IP can be displayed, such as active IP addresses.

Show assigned IP address of the system.

ip address

Show a single device, which can come in handy on systems with many aliases or VLANs.

ip address show dev ens18

By type

Limit the output by specifying its type, such as a bridge or VLAN.

ip address show type bridge

For VLAN tagged interfaces:

ip address show type vlan

Multicast IP addresses

# ip maddr
1:	lo
	inet  224.0.0.1
	 inet6 ff02::1
	inet6 ff01::1
2:	ens18
	link  33:33:00:00:00:01
	link  01:00:5e:00:00:01
	link  33:33:ff:11:22:33
	link  01:80:c2:00:00:00
	link  01:80:c2:00:00:03
	link  01:80:c2:00:00:0e
	inet  224.0.0.1
	inet6 ff02::1:ff11:2233
	inet6 ff02::1 users 2
	inet6 ff01::1

TCP cache and metrics

The kernel maintains a cache of entries related to TCP connections. This cache can be displayed using the subcommand tcp_metrics. It is a great way to see recent connections with devices outside the local network.

# ip tcp_metrics
91.92.93.94 age 433514.256sec cwnd 10 rtt 83061us rttvar 83061us source 192.168.1.123
213.212.211.210 age 75533.084sec cwnd 10 rtt 10746us rttvar 6480us source 192.168.1.123
142.143.144.145 age 9.396sec cwnd 10 rtt 9642us rttvar 9642us source 192.168.1.123

Routing table

Show network routing information

To find the default gateway on the network, use the route subcommand.

# ip route
default via 192.168.1.1 dev ens18 proto static 
192.168.1.0/24 dev ens18 proto kernel scope link src 192.168.1.123 

Test routing for a specific IP address

# ip route get 192.168.2.123
192.168.2.123 via 192.168.1.1 dev ens18 src 192.168.1.123 uid 0 
    cache 

Add a route

Define a default route on the ens18 interface.

ip route add default via 192.168.1.1 dev ens18

All traffic for our network should go via this newly defined gateway.

ip route add 192.168.1.0/24 via 192.168.1.1

Delete route

Delete a route for the defined network.

ip route delete 192.168.1.0/24 via 192.168.1.1

Tips for improving default output

Colored output

Depending on the terminal, the colors might not be displayed by default. Enforce colors with the option -color. It will highlight MAC addresses, IP addresses, interface status, and more.

ip -color=always link

Since ‘always’ is the default when the option is given without a value, you can simplify and shorten this command:

ip -c link

Brief output

Less is more. Use -brief in a variety of subcommands.

# ip -brief link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
ens18            UP             ab:cd:ef:12:34:56 <BROADCAST,MULTICAST,UP,LOWER_UP> 

Brief output for IP addresses:

# ip -brief addr
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens18            UP             192.168.1.123/24 fe80::be24:11ff:abcd:1234/64 

Brief output to show ARP entries:

# ip -brief neighbour
192.168.1.1                             ens18            12:34:56:ab:cd:ef
192.168.1.2                             ens18            ab:cd:ef:12:34:56

Combining options and using columns

Sometimes the output is misaligned or hard to read. Combine the brief and colored options together with the column command to align all columns.

ip -br -c link | column -t

JSON

For automated processing of data, the option -json can be added before the subcommand. Combine it with jq to filter out exactly the information that you want.
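As an illustration of automated processing, the following added example (not part of the original cheat sheet) audits the output of ip -json neighbour in Python: it flags IPv4 addresses on one interface that share a MAC address and entries whose MAC differs from a pinned value. The function names, the pinned mapping and the sample data are assumptions made for this example; a shared MAC is a heuristic that also fires on benign setups such as secondary addresses or proxy ARP.

```python
import ipaddress
import json
import subprocess
from collections import defaultdict

# Constructed sample in the shape printed by `ip -json neighbour`.
SAMPLE = json.dumps([
    {"dst": "192.168.1.1", "dev": "ens18", "lladdr": "12:34:56:ab:cd:ef", "state": ["REACHABLE"]},
    {"dst": "192.168.1.2", "dev": "ens18", "lladdr": "ab:cd:ef:12:34:56", "state": ["STALE"]},
    {"dst": "192.168.1.7", "dev": "ens18", "lladdr": "12:34:56:ab:cd:ef", "state": ["STALE"]},
    {"dst": "192.168.1.9", "dev": "ens18", "state": ["FAILED"]},
    {"dst": "fe80::1", "dev": "ens18", "lladdr": "12:34:56:ab:cd:ef", "state": ["STALE"]},
])

def read_neighbours():
    """Return the live neighbour table as JSON text."""
    return subprocess.run(["ip", "-json", "neighbour"], check=True,
                          capture_output=True, text=True).stdout

def audit_neighbours(json_text, pinned=None):
    """Return findings: pinned-address mismatches and shared IPv4 MACs."""
    pinned = pinned or {}          # hypothetical mapping: IP -> expected MAC
    by_mac = defaultdict(set)
    findings = []
    for entry in json.loads(json_text):
        mac = entry.get("lladdr")
        if mac is None:            # FAILED/INCOMPLETE entries carry no MAC
            continue
        mac, dst = mac.lower(), entry["dst"]
        expected = pinned.get(dst)
        if expected and expected.lower() != mac:
            findings.append(("pinned-mismatch", dst, mac))
        # One host legitimately owns both an IPv4 and an IPv6 address,
        # so only IPv4 entries are grouped for the shared-MAC check.
        if ipaddress.ip_address(dst).version == 4:
            by_mac[(entry["dev"], mac)].add(dst)
    for (dev, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", dev, mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in audit_neighbours(read_neighbours()):
        print(finding)
```

Pass the known gateway MAC as pinned, for example {"192.168.1.1": "<gateway MAC>"}, to be alerted when the gateway entry changes.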


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
