Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

RHEL4 administration tools: ifconfig, arp, tcpdump and iptraf

Master network integration in your existing RHEL4 infrastructure with the use of command-line tools like ifconfig, arp, tcpdump and iptraf.

When deploying new Linux servers, moving existing servers or using Linux for routers and firewalls, there are often...

issues with network integration with existing infrastructure. The following tips are based upon Linux commands under Red Hat Enterprise Linux 4 (RHEL4).

More on RHEL4:
Setting up a network with Red Hat Enterprise Linux 4.0 

Installing Oracle10g on RHEL4

These helpful hints on working with arp, ipconfig, tcpdump and iptraf will offer examples of advanced commands for easing network integration problems commonly associated with network routing.

Clearing the arp cache speeds up 

The arp command is used to report, and if necessary configure the system's Address Resolution Protocol (arp) cache table. The arp cache provides mapping of the Internet Protocol version 4 address to the hardware address. The hardware address in most cases on Linux is the Ethernet Media Access Control (MAC) address. The MAC address is a 48-bit globally unique address that is assigned by the hardware vendor that manufactures the Ethernet card.

The mapping locations of IP addresses to MAC addresses are handled by the protocol integrated with the Linux kernel. The algorithm used by the protocol is a two-step process. After determining the appropriate interface to send the packet out on, the system will broadcast a message (an arp who-has message) asking for the machine that has that particular address. The appropriate machine will then respond with its MAC address. The system will then encapsulate the IP packet in an Ethernet packet, and send it to the appropriate system.

Generally, arp works correctly. But there are scenarios that require some advanced parameters.

If a server or workstation is turned up on an IP address that is already present in the network, you will need to fix this. You may need to clean up the arp cache on critical servers since the arp cache will contain an entry before clearing it. To clear the entry, use:

arp -d xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the IP address of the incorrect entry. For example:

arp -d

You may have to remove all the entries when troubleshooting. The following command executed as root can be used for this purpose:

for i in `arp -n | awk '{print $1}' | grep -v Address ; do arp -d $i; done

Fixing arp with tcpdump

For troubleshooting arp, tcpdump can prove quite useful. Tcpdump is an open source command-line tool for monitoring (sniffing) network traffic. A simple tcpdump arp in this example shows that is not responding with a MAC address and keeps asking for the MAC address:

[[email protected] ~]# tcpdump arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:03:36.543015 arp who-has tell
17:03:37.542425 arp who-has tell
17:03:38.543517 arp who-has tell
17:03:40.545290 arp who-has tell
17:03:41.545155 arp who-has tell

When using Linux as a router, you can also quickly identify the particular interface that is seeing a MAC address. The ARP command also reports the interface the MAC address is "located on."

Using Ifconfig to detect Linux network configuration problems

Ifconfig, a command-line utility which is used to get information about and make changes to Linux network interface, is often forgotten after initial network configuration. Yet it is very useful for troubleshooting. For example, looking at the errors on transmit and receive can point out physical problems such as bad cabling or loose connections.

A weakness with the command, is that it doesn't provide a timeframe for the errors. Therefore, you do not know if the errors that have been reported happened a few minutes ago or several months ago. To watch the error count in real time, the following command proves useful:

[[email protected] ~]# watch "ifconfig eth0 | grep errors"

Watch's default update is two seconds, so the previous command will run the ifconfig command every two seconds on the eth0 interface and print the lines containing the word errors. If you cannot watch the command all day waiting for something to happen, you can quickly grab the errors and an appropriate timestamp with:

[[email protected] ~]# watch "date >>errors; ifconfig eth0 | grep errors >>errors"


With the release of RHEL4, Red Hat decided to include the networking tool, iptraf, with the distribution. Iptraf pulls a lot of networking information together into a menu-driven utility that gives immediate feedback on networking statistics. The stastics that it tracks are TCP and UDP connections, network addresses and other useful information.

Figure 1 provides a breakdown of traffic by protocol and Figure 2 provides a breakdown of TCP connections.

While much of the information can be scripted using other commands such as netstat, ifconfig and arp, iptraf quickly pulls the information together and can present it in various forms depending on the information needed.

One of iptraf's capablilities is for identifying errors in IP packets in real time. You can quickly view the "General Interface Statistics" which will show when a packet that is incorrect at the IP layer is received.

Iptraf is also the key to troubleshooting when running routing or using firewall software on Red Hat. It allows you to view traffic in the context of where the traffic is coming from and where it is going.


The advanced used of common Linux commands, combined with tcpdump and iptraf, can assist Linux administrators in many of the difficulties that arise in network integration and network troubleshooting. They should be a part of every administrator's tool chest.

Dig Deeper on Linux servers