ip-monitor

ip monitor [ OBJECT | all ]
Where OBJECT can be one of: link, address, route, neighbor, rule, mpls, vrf, netconf, nsid, xfrm, addrlabel.

all
    Monitor all supported network object types simultaneously.

link
    Monitors network interface link state, flags, and other properties.

address
    Monitors changes to IP addresses assigned to network interfaces (IPv4 and IPv6).

route
    Monitors modifications to the kernel's IP routing tables (IPv4 and IPv6).

neighbor
    Monitors changes in the neighbor cache (ARP entries for IPv4, NDP entries for IPv6).

rule
    Monitors modifications to policy routing rules.

mpls
    Monitors changes related to MPLS (Multiprotocol Label Switching) labels.

vrf
    Monitors changes to Virtual Routing and Forwarding (VRF) devices.

netconf
    Monitors changes to network-related sysctl parameters.

nsid
    Monitors network namespace IDs.

xfrm
    Monitors changes to IPsec policies and states.

addrlabel
    Monitors changes to address label policies.

ip-monitor is a utility from the iproute2 suite designed for real-time monitoring of network configuration changes on a Linux system. Unlike commands like ip link show or ip addr show which provide a static snapshot, ip-monitor continuously listens for kernel netlink events, displaying updates as they occur. This includes modifications to network interfaces (link state, flags), IP addresses (additions, deletions), routing table entries, neighbor cache (ARP/NDP), policy routing rules, MPLS labels, VRF devices, network namespace IDs, IPsec policies, and address labels. It's an invaluable tool for network troubleshooting, debugging, and automated scripting where immediate awareness of network state transitions is critical. By providing instant feedback on configuration alterations, ip-monitor helps administrators understand dynamic network behavior and quickly identify issues.

Root Privileges Required: ip-monitor typically requires root privileges to operate, as it interacts directly with kernel netlink sockets to receive real-time network events.
Voluminous Output: On systems with frequent network changes or high traffic, the output can be extensive and continuous, potentially flooding the terminal.
Ephemeral Data: It only provides real-time event notifications; it does not log historical changes or provide a snapshot of the current state at any given time.
Output Parsing: The output format is designed for human readability and might require careful parsing for automated scripts.

The output of ip-monitor mirrors the format of the ip show commands for the respective object types (e.g., ip link show, ip addr show). Each event is prefixed with an action keyword, such as New, Deleted, or Changed, indicating the type of modification that occurred.

ip-monitor operates by listening to events pushed by the Linux kernel via the Netlink socket interface. This allows it to receive immediate notifications of network state changes directly from the kernel, without needing to poll the system repeatedly.

ip-monitor is an integral part of the iproute2 utility suite, which was developed by Alexey Kuznetsov starting in the late 1990s. This suite was designed to be a modern replacement for older, less efficient, and sometimes redundant network configuration tools like ifconfig, route, and netstat. iproute2 leverages the Linux kernel's Netlink socket interface for more efficient and comprehensive network management. ip-monitor specifically provides a real-time view into these Netlink events, embodying the iproute2 philosophy of offering detailed, low-level control and visibility over the Linux networking stack. Its development tracked the evolution of Linux networking, ensuring it remains relevant for modern network configurations including advanced features like VRF, MPLS, and network namespaces.

ip(8), netlink(7), ss(8), dmesg(1), tcpdump(8)