Networking on Linux.

Last modified : 17 September, 2024


This page talks about how the networking stack is set up on some Linux computers.

Device Enumeration.

The Linux kernel boots up and enumerates all devices attached to all the buses (e.g. PCI). The devices are recognized by some mechanism and appropriate device drivers are loaded in, so that the kernel can interface with the devices. The networking devices are enumerated in SysFS at /sys/class/net.

$ ls -al /sys/class/net
total 0
drwxr-xr-x.  2 root root 0 Sep 17 10:00 .
drwxr-xr-x. 84 root root 0 Sep  4 14:13 ..
lrwxrwxrwx.  1 root root 0 Sep  4 14:13 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx.  1 root root 0 Sep  4 14:13 wlp166s0 -> ../../devices/pci0000:00/0000:00:1d.0/0000:a6:00.0/net/wlp166s0

The devices are named so that across different boots, the name stays the same.

To find out which device driver was loaded for each interface, you can use ethtool. e.g.

$ ethtool -i wlp166s0 
driver: iwlwifi
version: 6.10.6-200.fc40.x86_64
firmware-version: 89.202a2f7b.0 ty-a0-gf-a0-89.uc
expansion-rom-version: 
bus-info: 0000:a6:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no

Also SysFS has a link to the driver for the device:

$ readlink /sys/class/net/wlp166s0/device/driver
../../../../bus/pci/drivers/iwlwifi

Bringing up the interface(s).

The kernel sends+receives Ethernet / 802.11 / (some equivalent) Layer 2 frames to+from the device driver. The device driver interfaces with the networking hardware and sends+receives those Layer 2 frames. To check statistics you can use the ip command. e.g.

$ ip -s link show wlp166s0 
2: wlp166s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether d2:5d:d0:e6:c8:5e brd ff:ff:ff:ff:ff:ff permaddr 8c:f8:c5:ed:92:fc
    RX:   bytes  packets errors dropped  missed   mcast           
    21506231662 18394460      0   14606       0       0 
    TX:   bytes  packets errors dropped carrier collsns           
     1289526154  3582885      0       0       0       0 

For more detailed statistics for wireless hardware, you can use $ iw dev wlp166s0 station dump.

Routing table.

The kernel uses routing tables to determine which interface should handle a connection. Routing tables map IP address ranges to specific interfaces. We can view the routing table using:

$ ip route show
default via 192.168.68.1 dev wlp166s0 proto dhcp src 192.168.68.59 metric 600 
192.168.68.0/22 dev wlp166s0 proto kernel scope link src 192.168.68.59 metric 600 

This routing table is populated by the kernel using (typically) DHCP. The DHCP client sends a request which is responded to by the DHCP server. $ nmcli device show can show the result of DHCP.

DNS

DHCP may also provide extra information for example DNS configuration.

$ resolvectl status
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (wlp166s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.68.1
       DNS Servers: 206.225.75.226 206.225.75.225 192.168.68.1

VPN

When a VPN connection is established, it typically modifies the routing table on your machine so that your traffic is routed through the VPN’s virtual interface rather than directly through your physical network interfaces (like eth0 or wlan0).

There are different types of VPNs, but two of the most common protocols used are:

All content on this website is licensed as Creative Commons-Attribution-ShareAlike 4.0 License. Opinions expressed are solely my own.