Quiz: Linux Networking Tools
9 questions
L1 (6 questions)
1. What is the difference between an access port and a trunk port?
Access port carries one VLAN (untagged). Trunk port carries multiple VLANs (tagged with 802.1Q). Servers usually connect to access ports; switch-to-switch links are trunks.
2. How do you capture only DNS traffic with tcpdump?
tcpdump -i any port 53 -nn. Add -w dns.pcap to save for Wireshark analysis.
3. How do you add a static route on Linux?
ip route add 10.0.0.0/8 via 192.168.1.1 dev eth0. Persists across reboots only if added to /etc/network/interfaces, netplan, or NetworkManager config.
4. A server has two network interfaces but only one is reachable from the network. What are the most common causes?
   1. Missing or incorrect default gateway — only one default route exists, traffic exits the wrong interface.
   2. Reverse path filtering (rp_filter=1) drops packets arriving on an unexpected interface.
   3. Missing IP address or wrong subnet mask on the second interface.
   4. Cable/switch port issue.
   Diagnose: ip route show for routing table, ip addr for interface config, ping from each interface explicitly (ping -I).
   *Common mistake:* Linux cannot use two interfaces simultaneously — it can, but requires correct routing (policy routing or separate routing tables per interface).
5. What does the ss command show that netstat does not, and why is ss preferred?
ss reads directly from kernel socket data structures (via netlink) instead of parsing /proc/net/tcp, making it much faster on servers with thousands of connections. ss also shows TCP state details (cwnd, rtt, retransmissions) with -i flag, socket memory usage with -m, and supports powerful filtering: ss -tn state established '( dport = :443 )'. netstat is deprecated on modern Linux. *Common mistake:* ss requires root privileges — ss works for unprivileged users for their own connections; root sees all.
6. What is the difference between TCP and UDP, and give one use case where UDP is clearly better than TCP?
TCP: connection-oriented, reliable, ordered delivery with congestion control. UDP: connectionless, no delivery guarantees, no ordering, no congestion control. UDP is better for DNS queries (single request-response, no connection overhead), real-time video/voice (late packets are useless, retransmission adds latency), and service discovery (broadcast/multicast not possible with TCP). *Common mistake:* UDP is always faster — TCP can achieve similar throughput; UDP avoids overhead but the application must handle packet loss.
L2 (3 questions)
1. Explain the difference between ip route, ip rule, and iptables in the Linux networking stack. When does each apply?
ip route: defines routing table entries (where to send packets based on destination). ip rule: policy routing — selects which routing table to consult based on source IP, mark, or interface (multiple routing tables). iptables: packet filtering/mangling in netfilter — operates on packets traversing the network stack (filter, nat, mangle tables). Order: routing decision first, then netfilter hooks (PREROUTING, FORWARD, POSTROUTING). *Common mistake:* iptables handles routing — iptables handles filtering/NAT; the routing decision is made by the kernel's routing subsystem separately.
2. How do Linux network namespaces work, and how are they used in container networking?
A network namespace provides an isolated network stack: its own interfaces, routing tables, iptables rules, and /proc/net. Containers each get a namespace. A veth pair connects the container namespace to the host (or a bridge): one end inside the container, one end on the host bridge (docker0, cni0). Traffic between containers traverses the bridge; external traffic uses NAT (MASQUERADE) on the host. *Common mistake:* Network namespaces are Docker-specific — they are a Linux kernel feature used by all container runtimes (Docker, Podman, containerd, CRI-O).
3. You suspect packet loss between two hosts. Walk through your diagnosis using Linux networking tools.
   1. ping/mtr: measure loss rate and identify which hop drops packets.
   2. tcpdump on both ends: compare sent vs received packets to locate the drop point.
   3. ip -s link: check interface error/drop counters.
   4. ethtool -S: check NIC-level statistics (rx_drops, rx_missed).
   5. netstat -s/nstat: check protocol-level errors (TCP retransmissions, UDP receive errors).
   6. Check dmesg for NIC ring buffer overruns or driver errors.
   *Common mistake:* Use traceroute — traceroute shows path but not packet loss rates; mtr is the better tool for this.