Network diagnostic tools

Network Access Layer tools

IP networks - From Theory to Practice


  • IP/MAC neighborhood utilities
  • Packet analysis tools
  • Interface analysis tools
In this first chapter of the final section on network diagnostics, we focus on tools for analyzing the network access layer of the TCP/IP model. This layer is responsible for direct communication between devices on the same physical network, notably through the use of MAC addresses and physical network interfaces such as Ethernet cards or Wi-Fi interfaces.
The aim here is to provide administrators with practical tools to inspect, test and optimize this essential layer of low-level connectivity. These tools can be used to verify the proper operation of interfaces, troubleshoot network card configuration issues, or detect anomalies such as collisions, packet loss or link errors.

IP/MAC neighborhood utilities

Arp tool

One of the oldest diagnostic tools at the Network Access layer is the arp command. Although it is increasingly replaced by modern alternatives such as ip neigh (which we'll cover shortly), arp is still present on many systems to view or manipulate the ARP (Address Resolution Protocol) cache. This cache stores the mappings between IP addresses and MAC addresses known locally on a machine. In other words, it allows you to determine which physical (MAC) address corresponds to a given IP address on the local network.
In practice, when a host wants to send a packet to an IP address within the same subnet, it must first know the target machine's MAC address. This mapping is handled by ARP, which broadcasts a request on the local network and receives a reply containing the corresponding MAC address. This result is then stored temporarily in a local table called the "ARP cache", to avoid repeating the requests for every new packet.
To view the contents of this cache and check the entries currently known to the machine, use:
arp -a
This command lists all locally registered IP/MAC mappings, across all interfaces. Each line provides the host name (if resolvable), the IP address, the corresponding MAC address and the interface on which the mapping was observed.
To filter the display to a specific IP address, simply specify it:
arp -a 192.168.1.5
This makes it easy to check whether a particular IP address is present in the cache, which can help diagnose communication failures between two hosts on the same network.
Likewise, to display only the ARP entries associated with a specific network interface (for example an Ethernet card named eth0), you can use:
arp -a -i eth0
This is especially useful in multi-interface environments (wired, wireless, VPN, etc.), where one host may have several network adapters.
The arp command is not limited to read-only use. It can also be used to manually edit the ARP cache, an invaluable feature in certain advanced troubleshooting scenarios or when simulating specific conditions. For instance, you can manually add an IP/MAC mapping:
arp -s 192.168.1.7 00:17:BC:56:4F:25 -i eth2
This command creates a static entry in the local ARP table, associating the IP address 192.168.1.7 with the MAC address 00:17:BC:56:4F:25 on the interface eth2. If no interface is specified, the system automatically uses the first applicable one.
You can also remove an entry from the ARP cache, either to correct an error or to force a rediscovery:
arp -d 192.168.1.7
This deletes the entry, ensuring that the next communication attempt triggers a fresh ARP request.
NOTE: The delete option also accepts an interface name, allowing you to target the removal of a specific entry more precisely.
In summary, the arp tool provides low-level diagnostics, particularly useful in local networks where connectivity problems can often be traced back to incorrect or obsolete address resolution. However, on recent systems, particularly with modern Linux distributions, this tool is increasingly being replaced by the ip neigh command, from the iproute2 toolset, which offers similar functionality in a more unified framework.

Ip neigh tool

On modern systems, notably recent Linux distributions, the ip neigh command is the go-to tool for inspecting and managing mappings between IP and MAC addresses. This command is part of the iproute2 suite, which is gradually replacing older tools such as arp, providing a more consistent and flexible framework for diagnostics at the data link layer.
The ip neigh command queries the local IP neighbor cache, which is equivalent to the ARP cache for IPv4 and the NDP (Neighbor Discovery Protocol) cache for IPv6. This cache stores known associations between IP addresses (v4 or v6) and MAC addresses, along with their status (valid, pending, expired...).
The basic command to display the cache is:
ip neigh
This outputs a list of entries, showing the destination IP address, the relevant network interface, the associated MAC address (if available), and the entry's state (e.g. REACHABLE, STALE, DELAY, FAILED...).
Example output:
192.168.1.5 dev eth0 lladdr 00:17:BC:56:4F:25 REACHABLE
This line indicates that the machine knows of a valid mapping between IP address 192.168.1.5 and MAC address 00:17:BC:56:4F:25 via interface eth0.
You can also filter entries by criteria such as IP address, interface, or state. For example, to query only address 192.168.1.7:
ip neigh show 192.168.1.7
Or to display all entries for interface eth1:
ip neigh show dev eth1
Beyond consultation, ip neigh can also be used to manually edit the cache. For instance, to add a static entry:
ip neigh add 192.168.1.7 lladdr 00:17:BC:56:4F:25 dev eth1 nud permanent
This permanently associates the IP address 192.168.1.7 with the specified MAC address on interface eth1. The nud permanent option (for Neighbor Unreachability Detection) ensures that the entry will not be automatically invalidated.
Conversely, to delete a cache entry:
ip neigh del 192.168.1.7 dev eth1
This forces the system to re-resolve the mapping the next time it communicates with that address.
NOTE: The ip neigh tool works for both IPv4 and IPv6. For IPv4, it interfaces with ARP; for IPv6, it interacts with NDP. This provides a unified, consistent approach to managing IP/MAC relationships across protocol families, making ip neigh the modern standard for neighbor management on Linux systems.

Packet analysis tools

To thoroughly analyze what is happening on a computer network, administrators need tools that can capture the packets exchanged between machines. Two utilities are the reference tools in this field: tcpdump and Wireshark. They are essential for diagnosing abnormal behavior, auditing protocol exchanges, or studying network security by inspecting frame contents.

tcpdump: command-line analysis

tcpdump is a highly powerful command-line tool designed to capture and display packets traveling through a network interface. It operates in real time, and thanks to its lightweight design, can be used on systems without a graphical interface or with limited resources. It relies on the libpcap library, which provides hardware-independent low-level capture functions.
A common use of tcpdump is to monitor the network activity of a machine or network segment, filtering packets according to specific criteria. Results can be redirected to a file, allowing traffic to be archived for later analysis or replayed in another tool, such as Wireshark.
The general command syntax is:
tcpdump -w <file.cap> -i <interface> -s <snapshot_length> -n <filters>
  • -w writes captured packets to a file in libpcap format (extension .cap or .pcap);
  • -i specifies the network interface to monitor (e.g. eth0, wlan0);
  • -s sets the maximum amount of data captured per packet (the snapshot length). Specifying 0 captures each packet in full;
  • -n disables DNS and service name resolution, improving performance.
Expression filters at the end of the command let you restrict captures to a subset of traffic. You can combine the keywords host, port, src, dst, etc., to refine selection.
Example: to capture HTTP packets (port 80) to or from the 192.168.25.24 server, and save them in a fichier.cap file:
tcpdump -w fichier.cap -i eth0 -s 0 -n port 80 and host 192.168.25.24
The resulting file can later be analyzed in a graphical tool or replayed on another system.

Wireshark: advanced visual analysis

Wireshark, formerly known as Ethereal, is a complete network analysis program with a graphical interface. Unlike tcpdump, it provides structured, detailed visualization of packets, including protocol dissection, flow graphs, traffic statistics, and interactive filters. It also relies on libpcap, which means it can open and process capture files generated by tcpdump.
Wireshark is available on many operating systems, including Linux and Windows. Installing it requires administrator privileges to access the capture interfaces. Once launched, you can select a network interface from the Capture menu. Clicking Start begins real-time packet recording. The display is divided into three panes:
  • the list of captured frames;
  • the protocol-decoded details;
  • the raw hexadecimal data.
Wireshark excels in scenarios where you need to observe complex protocol behavior, reconstruct application dialogs (such as an HTTP or DNS session), or study service response times. It also supports highly specific display filters using its dedicated syntax (different from that of tcpdump) to focus only on relevant packets.

Complementary tools

It's important to note that tcpdump and Wireshark are not interchangeable: each has its own strengths. tcpdump is better suited to command-line environments, automated scripts and remote server interventions, while Wireshark is ideal for detailed, interactive and educational traffic analysis.
The two tools can be combined: a capture can be made on a remote system with tcpdump, then the .cap file is transferred for analysis with Wireshark on a local machine. This approach is widely used in practice.
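As an added example (not part of the course), this script wraps the tcpdump syntax from the section above and goes one step beyond the transfer-the-file workflow: the capture is taken on the remote host with tcpdump writing to standard output, and streamed over ssh straight into a local .pcap that Wireshark can open, so no capture file is left on the server. It assumes ssh access to the remote host and a tcpdump with capture privileges in its PATH; REMOTE_HOST is a placeholder.

```shell
#!/bin/sh
# Added example (not from the course): remote tcpdump capture streamed to a
# local .pcap for Wireshark. REMOTE_HOST and the interface are placeholders.

# tcpdump_args <file> <iface> <filter>: prints the command in the form
#   tcpdump -w <file> -i <iface> -s <snaplen> -n <filter>
# taught above, with snaplen 0 (whole packets) and -n (no name lookups).
# Passing "-" as the file makes tcpdump write the capture to stdout.
tcpdump_args() {
  file=$1; iface=$2; filter=$3
  printf 'tcpdump -w %s -i %s -s 0 -n %s' "$file" "$iface" "$filter"
}

# remote_capture <host> <iface> <filter> <local.pcap>
# Runs tcpdump on <host> and saves the stream locally. Stop it with Ctrl-C;
# the partially written file remains a valid libpcap capture.
remote_capture() {
  host=$1; iface=$2; filter=$3; out=$4
  if [ -e "$out" ]; then
    echo "refusing to overwrite existing capture $out" >&2
    return 1
  fi
  # The filter is wrapped in single quotes so the remote shell hands it to
  # tcpdump as the expression typed here, not as split words.
  ssh "$host" "$(tcpdump_args - "$iface" "'$filter'")" > "$out"
}

# Usage (not executed here): HTTP traffic to or from 192.168.25.24,
# same filter as the course example, captured on REMOTE_HOST's eth0:
#   remote_capture REMOTE_HOST eth0 'port 80 and host 192.168.25.24' http.pcap
# Then open http.pcap in Wireshark. To watch it live instead of saving,
# replace '> "$out"' with a pipe into: wireshark -k -i -
```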

Interface analysis tools

At the Network Access layer, it is often necessary to query and configure physical network interfaces in order to diagnose malfunctions, optimize performance, or verify connection integrity. One of the most powerful tools available under Linux for this purpose is ethtool, a command-line utility that not only provides detailed technical information about an Ethernet interface, but also allows you to adjust some of its parameters in real time.

View interface specifications

A core feature of ethtool is its ability to query an interface and display its current characteristics. This allows you to check:
  • link speed (e.g. 100 Mbit/s, 1 Gbit/s or 10 Gbit/s);
  • negotiation mode (half duplex or full duplex);
  • whether autonegotiation is enabled;
  • the type of port (copper, fiber, etc.);
  • link status (active or not);
  • support for advanced features such as Wake-on-LAN.
This information is especially useful for diagnosing problems related to physical connectivity or mismatched negotiation settings between the host's network card and the equipment it connects to (switch, router, etc.).
To obtain this information, simply run:
ethtool enp0s3
This command outputs a detailed report on the enp0s3 interface, a common naming convention on CentOS or RHEL-based systems.

Dynamically modify interface parameters

ethtool is not limited to observation: it also allows you to adjust certain interface parameters without rebooting the machine. This makes it possible, for example, to force a specific link speed or enable features according to the needs of the local network.
The -s option is used to dynamically configure parameters such as:
  • link speed (speed), set explicitly (e.g. 1000 for 1 Gbit/s);
  • duplex mode (duplex), either half or full;
  • enabling or disabling autonegotiation (autoneg);
  • enabling of Wake-on-LAN (wol);
  • port type.
Example 1: enable autonegotiation on an interface:
ethtool -s enp0s3 autoneg on
Example 2: enable the Wake-on-LAN feature (to allow the machine to wake up remotely via a magic packet):
ethtool -s enp0s3 wol p
In this example, the p option specifies that wake-up will occur as soon as a Wake-on-LAN packet is detected. This setup is often used in enterprise environments to perform overnight updates or remote maintenance.
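As an added example (not part of the course), the following check reads the report produced by the view section's command and flags the conditions the modify section corrects (link down, half duplex, a slower speed than the switch port offers), printing the matching ethtool -s command rather than applying it. The report is a constructed sample and the expected speed is an assumption; on a real host run `ethtool enp0s3 | link_check enp0s3 1000`.

```shell
#!/bin/sh
# Added example (not from the course): spot link/negotiation problems in an
# `ethtool <iface>` report. Assumes the report carries the Speed, Duplex,
# Auto-negotiation and Link detected fields; the expected speed is a guess.

# Constructed report standing in for `ethtool enp0s3` on a host whose port
# was hard-set and ended up negotiated down to 100 Mb/s half duplex.
SAMPLE_REPORT='Settings for enp0s3:
	Supported link modes:   10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Speed: 100Mb/s
	Duplex: Half
	Auto-negotiation: off
	Port: Twisted Pair
	Link detected: yes'

# link_check <iface> <expected_speed_mbit>: reads the report on stdin,
# prints one finding per line and returns 1 when something needs attention.
link_check() {
  iface=$1; want=$2
  awk -v iface="$iface" -v want="$want" '
    /^[ \t]*Speed:/            { sub(/Mb\/s/, "", $2); speed = $2 }
    /^[ \t]*Duplex:/           { duplex = $2 }
    /^[ \t]*Auto-negotiation:/ { autoneg = $2 }
    /^[ \t]*Link detected:/    { link = $3 }
    END {
      bad = 0
      if (link != "yes")  { print "LINK_DOWN " iface; bad = 1 }
      if (duplex == "Half") { print "HALF_DUPLEX " iface " (collisions likely)"; bad = 1 }
      # "Unknown!" (link down) becomes 0 here and is reported as slow too
      if (speed + 0 < want + 0) { print "SLOW_LINK " iface " " speed " < " want " Mb/s"; bad = 1 }
      # A hard-set port that mismatches its peer is the classic cause:
      # suggest re-enabling autonegotiation, as in Example 1 above.
      if (bad && autoneg == "off") print "FIX: ethtool -s " iface " autoneg on"
      exit bad
    }'
}

# Demonstration on the constructed report; real use: ethtool enp0s3 | link_check enp0s3 1000
printf '%s\n' "$SAMPLE_REPORT" | link_check enp0s3 1000 || echo "enp0s3 needs attention"
```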

Tool installation

It is important to note that ethtool is not always installed by default. On Red Hat/CentOS distributions, it can be installed with the command:
yum install -y ethtool
On Debian and Ubuntu, the equivalent command is:
sudo apt install ethtool
WARNING: in all ethtool commands, the name of the network interface must be specified immediately after the option (such as -s). Any error in the placement of parameters will make the command invalid or ineffective.