ip-monitor

Monitor the whole network for state changes

$ ip [[mo|monitor]]

$ ip [[mo|monitor]] [link|address|route|neigh|rule|maddress|...]

$ ip [[mo|monitor]] [[f|file]] [path/to/file]

ip monitor [ all | LISTofOBJECTS ] [ file FILENAME | all ] [ label ] [ dev DEVNAME ]
LISTofOBJECTS := link | address | route | mroute | prefix | neigh | netconf | rule

all
    Monitor changes to all supported object types (default).

link
    Monitor network interface link status changes (up/down, speed, etc.).

address
    Monitor IPv4/IPv6 address additions, deletions, and modifications.

route
    Monitor unicast routing table changes.

mroute
    Monitor multicast routing table changes.

prefix
    Monitor prefix information (e.g., Router Advertisements).

neigh
    Monitor neighbor/ARP/NDP table updates.

netconf
    Monitor network configuration parameters (e.g., forwarding flags).

rule
    Monitor policy routing rule changes.

file FILENAME
    Dump output to the specified file instead of stdout.

label
    Prepend object type and device labels to output lines.

dev DEVNAME
    Limit monitoring to events on the specified device.

The ip monitor command from the iproute2 suite continuously listens to kernel Netlink messages and prints notifications about changes in network state. These include interface link status (up/down), IP address additions/removals, routing table updates, multicast routes, prefix advertisements (e.g., from Router Advertisements), neighbor/ARP table entries, network configuration parameters, and routing rules.

It provides real-time, event-driven monitoring without polling overhead, making it ideal for debugging dynamic networks, observing DHCP/WiFi events, tracking routing daemons (BGP/OSPF), or watching failover in high-availability setups. Output is human-readable, similar to ip link show or ip route, but only deltas.

By default, it monitors everything and runs forever until SIGINT (Ctrl+C) or SIGTERM. Supports filtering by object types, device, labeling output for clarity, or dumping to a file for offline review. Efficient and lightweight, it requires no special privileges for basic use but benefits from capabilities like CAP_NET_ADMIN for full access.

Unlike older tools like rtmon, it covers modern kernel features and integrates seamlessly with other iproute2 commands.

Runs indefinitely until manually terminated (Ctrl+C/SIGTERM). Can generate high output volume in busy networks. File output overwrites without warning. Limited to Netlink broadcasts; misses some userspace-only changes.

ip monitor all
Monitor everything.

ip monitor route label
Watch routes with labels.

ip monitor link address dev eth0 file /tmp/changes
Log eth0 links/addresses to file.

Handles SIGINT/SIGTERM to exit cleanly. Ignores others.

Part of iproute2 since early 2000s, developed by Alexey Kuznetsov et al. as a modern Netlink-based replacement for legacy tools like rtmon(8). Evolved with kernel networking features (e.g., netconf in 3.14+, rule support). Maintained in iproute2 releases.

ip(8), rtnetlink(7), netlink(7), ss(8)