Netlink Monitoring with nlmon
Did you know you could capture netlink packets and view them in Wireshark?
# modprobe nlmon
# ip link add type nlmon
# ip link set nlmon0 up
That’s it. Capture on the interface and remove it when done.
This is great for figuring out exactly what ip is doing:
# tcpdump -i nlmon0
Then you’ve got to be aware of netlink, rtnetlink, etc. It’s also got its own DLT.
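To make the netlink/rtnetlink layering concrete, here is an added example (not from the original post) that decodes one frame as it appears in an nlmon capture: the 16-byte DLT_NETLINK (253) cooked header, then the nlmsghdr, then the rtnetlink attributes of a link message. It assumes a little-endian capture host; the function names and the sample frame are constructed for illustration.

```python
import struct

ARPHRD_NETLINK = 824                       # hardware type in the DLT_NETLINK header
RTM_NAMES = {16: "RTM_NEWLINK", 17: "RTM_DELLINK", 18: "RTM_GETLINK"}  # subset
IFLA_LINKINFO, IFLA_INFO_KIND = 18, 1      # attribute types from linux/if_link.h

def align4(n):
    return (n + 3) & ~3                    # netlink pads messages and attrs to 4 bytes

def attrs(buf, bo):
    """Yield (type, payload) for each rtattr in buf."""
    off = 0
    while off + 4 <= len(buf):
        rta_len, rta_type = struct.unpack_from(bo + "HH", buf, off)
        if rta_len < 4 or off + rta_len > len(buf):
            break                          # truncated or malformed attribute
        yield rta_type & 0x3FFF, buf[off + 4:off + rta_len]  # drop NLA_F_* flag bits
        off += align4(rta_len)

def parse_frame(frame, bo="<"):
    """Decode one DLT_NETLINK frame; bo is the capture host's byte order."""
    # Cooked header is network order: pkttype, ARPHRD, 10 pad bytes, family.
    _, hatype, family = struct.unpack_from("!HH10xH", frame, 0)
    if hatype != ARPHRD_NETLINK:
        raise ValueError("not a netlink cooked header")
    msgs, off = [], 16
    while off + 16 <= len(frame):          # nlmsghdr is host order, 16 bytes
        length, mtype, flags, seq, pid = struct.unpack_from(bo + "IHHII", frame, off)
        if length < 16 or off + length > len(frame):
            break
        msg = {"family": family, "type": RTM_NAMES.get(mtype, mtype),
               "flags": flags, "seq": seq, "pid": pid}
        if family == 0 and mtype in RTM_NAMES:         # NETLINK_ROUTE link message
            body = frame[off + 32:off + length]        # skip nlmsghdr + ifinfomsg
            for t, v in attrs(body, bo):
                if t == IFLA_LINKINFO:                 # nested attribute
                    for it, iv in attrs(v, bo):
                        if it == IFLA_INFO_KIND:
                            msg["kind"] = iv.rstrip(b"\0").decode()
        msgs.append(msg)
        off += align4(length)
    return msgs

def sample_frame():
    """Constructed frame shaped like the request for `ip link add type nlmon`."""
    kind = struct.pack("<HH", 9, IFLA_INFO_KIND) + b"nlmon" + bytes(3)  # padded
    linkinfo = struct.pack("<HH", 4 + len(kind), IFLA_LINKINFO) + kind
    body = bytes(16) + linkinfo                        # zeroed ifinfomsg + attrs
    hdr = struct.pack("<IHHII", 16 + len(body), 16, 0x605, 1, 0)  # constructed values
    cooked = struct.pack("!HH10xH", 4, ARPHRD_NETLINK, 0)
    return cooked + hdr + body
```

Calling parse_frame(sample_frame()) returns one RTM_NEWLINK message whose kind is nlmon, which is the request that creates the monitoring interface itself.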