ip-monitor

Monitor all network state changes

$ ip monitor

$ ip monitor [link|address|route|neigh|rule|maddress]

$ ip monitor file [path/to/file]

ip monitor [type] [options]

ip monitor watches for network state changes in real-time and reports them to stdout. It uses netlink sockets to receive kernel notifications about network configuration changes.
This is useful for debugging network issues, monitoring dynamic changes, and understanding how network configuration evolves over time. Multiple event types can be monitored simultaneously.

link

Monitor link state changes

Monitor address changes

Monitor routing table changes

Monitor neighbour/ARP table changes

Monitor policy routing rule changes

Monitor multicast address changes

Replay events from file (generated with rtmon)

Monitoring requires appropriate privileges to access netlink sockets. Output can be verbose on active systems. Events are reported in real-time but may be buffered.

ip monitor is part of iproute2, developed by Alexey Kuznetsov. The netlink interface it uses was introduced in Linux 2.2 and has been enhanced in subsequent kernel versions.

ip(8), rtmon(8), ss(8)