Simple example of how to use libnl and libev to monitor kernel netlink events. Beware, there's a lot of boiler plate code you might not need.

To build and use nlmon, you need the libnl and libev libraries. On Debian/Ubuntu and Linux Mint, the following command installs the required development libraries and their runtime equivalents:

sudo apt install libnl-route-3-dev libnl-3-dev libev-dev

Provided the code of this project is cloned to ~/nlmon, do:

cd ~/nlmon
gcc -o nlmon  nlmon.c -I/usr/include/libnl3 -lnl-3 -lnl-route-3 -lev

or type make to let it call GCC for you.

In one terminal window, run nlmon:

./nlmon -v

In another terminal window, create and delete a VETH pair:

sudo ip link add veth1 type veth peer name veth1-peer
sudo ip link del veth1

There should be output from nlmon in the first window:

./nlmon -v
nlmon: veth iface veth1 deleted
nlmon: veth iface veth1-peer deleted
nlmon: veth iface veth1-peer added
nlmon: veth iface veth1 added

This project is based on a deprecated external netlink plugin for the finit init system. It was developed by various people at Westermo over the years. It has since been replaced by a native plugin.

Brought back to life by Joachim Wiberg for use as an example of how to utilize libnl and libev.