TCP / IP & Networking Tools
When dealing with TCP / IP and networking in general it is not only essential to have a general understanding of the main basic concepts of Networking and TCP / IP, but it is also a good idea to get to grips with some of the key troubleshooting tools that are provided with most Operating Systems to allow you to diagnose problems. The fact that TCP / IP is used by most Operating Systems as their main networking protocol means that even though these tools may have slightly different names or look slightly different, in general the same set of tools is provided for troubleshooting purposes. This page will run through some of the commonly available tools and give a brief description of how to use them and what information they can provide you.
Command Line Tools
Command line tools are used to troubleshoot many networking problems, and with only a few tools you can quickly find out a lot of information about what is going on with the networking problems on your computers. As already stated, since the TCP / IP stack has been with us for a number of years and due to its adoption by the Internet and most Operating System vendors, it is a pretty good bet that a standard set of tools is available for whichever system you are currently using. Although some vendors may use slightly different names for their tools, generally the names are all similar, the parameters that the commands use are the same and the output printed on the monitor is pretty much identical in most cases.
To use command line tools you just need to access a command prompt. In Microsoft Windows this can be achieved by opening the Start menu, clicking Run, typing cmd into the Open window and clicking OK. This will open a window giving access to a command prompt from which you can run these command line tools.
Below is a list of some of the most commonly used network command line tools in what I feel is their order of importance. They give a wealth of information regarding some of the most basic aspects needed when communicating between multiple computers. The examples below are based on the Microsoft implementation of these tools.
IPConfig
IPConfig, or ipconfig.exe, is used to provide addressing information of your network connections. Generally it is the first place you start if you have network connectivity problems in a TCP / IP network. It can firstly give a great deal of information about your network connections including the IP Address, whether the address has been manually set or obtained automatically, the address of the DHCP server if the address was obtained from one and any settings that may also have been set by the DHCP server like DNS and WINS server addresses, Default Gateways, Domain names and many other possible settings.
A full IPConfig display is shown below. The first section gives some information about the computer's configuration. The main points to note here are the computer name is main-laptop and the Primary DNS suffix is SmithIT.PrivateNet. What this basically tells us is the full DNS name of this computer on my test domain, which is main-laptop.SmithIT.PrivateNet.
The next sections give information about any network connection this computer has. As you can see below the Broadcom network adapter is currently connected but the Intel Wireless adapter is currently disconnected, i.e. it is not connected to any wireless network. As network adapters have physical addresses whether connected or not we can see the physical address of both network adapters.
[Image: A Typical IPConfig /all output]
As the Intel Wireless adapter is disconnected it has no TCP / IP information configured but as we can see the Broadcom adapter, which is connected, shows all IP information that has been configured on that card. As the DHCP and Autoconfiguration settings are enabled we can see that the Broadcom adapter has been set to Obtain an IP address automatically and as there is a line telling us the DHCP Server is 10.0.11.20 we can see that the IP Address for this adapter, 10.0.11.32, has been issued by a DHCP server. We can also see that the DHCP server has issued IP Addresses for the Default Gateway, DNS servers and WINS servers and we can see when the lease for these credentials will expire, i.e. when they will have to be renewed by.
If the IP Address line is showing as 0.0.0.0 this would usually indicate that a DHCP server could not be contacted.
If the Subnet Mask line is showing as 0.0.0.0 this would tell us that the IP Address of this computer is already in use on another computer on your local network.
If the DHCP line is showing Dhcp Enabled.....: No, this tells us that the IP Address has been manually set.
If an APIPA Address has been issued the following output will be seen with an Address in the 169.254.x.x range. Note, there is no Default Gateway. This is because packets from APIPA addresses can not be routed.
[Image: IPconfig showing an APIPA set IP Address]
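The four readings described above (IP Address 0.0.0.0, Subnet Mask 0.0.0.0, Dhcp Enabled: No, and a 169.254.x.x address) can be checked mechanically. The following is an added example, not part of the original page: it parses text in the ipconfig /all layout and applies those rules per adapter. The adapter names, the sample text and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed text in the layout of "ipconfig /all" (adapter names are made up).
SAMPLE = """\
Ethernet adapter LAN:
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.17.40
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Lab:
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.11.32
   Subnet Mask . . . . . . . . . . . : 0.0.0.0

Ethernet adapter Spare:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 0.0.0.0
"""

FIELD = re.compile(r"^\s+([A-Za-z0-9 ]+?)[ .]*:\s*(.*)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
APIPA = ipaddress.ip_network("169.254.0.0/16")
UNSET = ipaddress.ip_address("0.0.0.0")

def parse_adapters(text):
    """Return {adapter name: {lower-cased field name: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            match = FIELD.match(line)
            if match:
                current.setdefault(match.group(1).strip().lower(), match.group(2).strip())
    return adapters

def first_ipv4(fields, *needles):
    """First IPv4 value whose field name contains one of the needles."""
    for key, value in fields.items():
        found = IPV4.search(value)
        if found and any(needle in key for needle in needles):
            return ipaddress.ip_address(found.group())
    return None

def diagnose(text):
    """Apply the four rules from the text to every adapter in the output."""
    report = {}
    for name, fields in parse_adapters(text).items():
        ip = first_ipv4(fields, "ip address", "ipv4 address")
        mask = first_ipv4(fields, "subnet mask")
        notes = []
        if ip == UNSET:
            notes.append("DHCP server could not be contacted")
        if mask == UNSET:
            notes.append("IP Address already in use on the local network")
        if fields.get("dhcp enabled", "").lower() == "no":
            notes.append("IP Address set manually")
        if ip is not None and ip in APIPA:
            notes.append("APIPA address, not routable")
        report[name] = notes
    return report

if __name__ == "__main__":
    for adapter, notes in diagnose(SAMPLE).items():
        print(adapter, "->", notes or ["nothing flagged"])
```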
Below is a table giving the main parameters that can be used with the IPConfig command.
| Command | Description |
| --- | --- |
| ipconfig | This command displays the basic TCP / IP information for all network adapters connected to the computer. This includes IP Address, Subnet Mask, Default Gateway etc. |
| ipconfig /all | This command displays similar information to the standard ipconfig command, only it gives all TCP / IP information associated with all network adapters connected to the computer. |
| ipconfig /release (Adapter name) | This command will clear all TCP / IP information associated with any network adapters that have been set to Obtain their IP Address automatically and disable them. It will also send out a DHCPRELEASE message to any configured DHCP server to remove its association with that IP Address, returning the IP Address back to the IP Address pool of the DHCP server. If (Adapter name) is missing, i.e. just typing ipconfig /release on its own, only the TCP / IP information for the specified adapter is released. |
| ipconfig /renew (Adapter name) | This command will attempt to renew all TCP / IP information associated with any network adapters that have been set to Obtain their IP Address automatically; if they are disabled it will re-enable them. If there is a DHCP server present it will attempt to contact that server to request IP information. If there is no DHCP server present the computer will assign an APIPA Address if this is supported. If (Adapter name) is missing, i.e. just typing ipconfig /renew on its own, only the TCP / IP information for the specified adapter is renewed. Use this command to troubleshoot DNS resolution errors. |
| ipconfig /displaydns | This command will display the contents of the DNS Resolver Cache. The DNS resolver cache is an area in memory that holds any information the computer may hold on DNS Name to IP Address mappings. These mappings come from either the Hosts file, which is a file saved on the computer which maps DNS Names to IP Addresses, or from previously saved queries that have been made to a DNS server. |
| ipconfig /flushdns | This command will flush the contents of the DNS Resolver Cache, completely clearing any information in it, and then re-loading the local Hosts file. If you have DNS problems where an incorrect IP Address is mapped to an incorrect host, running this command would clear the incorrect entry from the Resolver Cache and the next time it is requested the computer will have to query a DNS server rather than using the previously incorrect stored entry. |
| ipconfig /? | This command will give a list of all IPconfig parameters available. |
Ping
Ping, which stands for Packet Inter-Network Gopher, is used for checking TCP / IP connectivity. It can be used to check whether the TCP / IP stack on the local computer is working properly or it can be used to check connectivity between your computer and another host anywhere on the local network or the Internet.
Ping, or ping.exe, basically works by sending out a small packet of data, called an ICMP Echo request, to the specified remote computer. If the remote host receives the echo request it will send an Echo Reply packet back which will confirm connectivity to the host and can be used to tell us the time taken for the round trip of the data. By default Ping will send four ICMP echo requests and give the statistics of each with an average of time taken. A typical Ping output is shown below. As you can see the ping command can be used with the IP Address or the DNS name.
[Image: A Typical Ping output]
If you are unable to contact a host the packets will obviously not get through and you will receive no reply. So if a reply is not received in a specific amount of time, which is 4000 milliseconds (4 seconds) by default, the request times out indicating no connection to the remote host. The output when this happens is pictured below.
[Image: A Timed Out Ping output]
When using Ping to check connectivity problems between hosts you usually start at your end and slowly work towards the remote host. This is because there are a few Addresses that you can Ping which will tell you certain things.
• Firstly Ping 127.0.0.1 - This is the local loopback address. If you do not have connectivity with this address you need to check that you have TCP / IP correctly installed and setup on your computer.
• Next Ping the IP Address of the network card connected to your computer to check that the TCP / IP stack for that network card is set up correctly.
• Then Ping the IP Address of the Default Gateway / router. If you can ping this address it shows you have connectivity with the local subnet and that local subnet hardware is working correctly.
• At this point, if the remote host is not on your subnet and packets have to be routed, either in house or over the Internet, you could try to Ping the router responsible for serving the remote host's subnet. This may not be known but it would tell you if your data was successfully reaching the remote host's subnet.
• Finally you would Ping the IP Address of the Remote host itself. If you can Ping the remote host then the actual data you are trying to send it is able to traverse the network, any connectivity problems must be software or application based.
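The near-to-far order above can be scripted so that the first address that fails to answer names the layer to investigate. This is an added example, not part of the original page: the gateway and remote host addresses, the sample ping lines and the function names are constructed, and run_ping assumes the Windows ping command.

```python
import subprocess

# What a failure at each rung means, in the page's order of testing.
LADDER_MEANING = {
    "loopback": "TCP / IP is not correctly installed or set up on this computer",
    "own address": "the TCP / IP stack for this network card is not set up correctly",
    "default gateway": "no connectivity with the local subnet or its hardware",
    "remote router": "data is not reaching the remote host's subnet",
    "remote host": "the remote host is not answering",
}

# Constructed single-probe outputs in the Windows ping layout.
CONSTRUCTED_OUTPUT = {
    "127.0.0.1": "Reply from 127.0.0.1: bytes=32 time<1ms TTL=128",
    "10.0.11.32": "Reply from 10.0.11.32: bytes=32 time<1ms TTL=128",
    "10.0.11.1": "Reply from 10.0.11.32: Destination host unreachable.",
    "192.0.2.10": "Request timed out.",
}


def run_ping(address):
    """Send one Echo request with the Windows ping command and return its text."""
    done = subprocess.run(["ping", "-n", "1", address], capture_output=True, text=True)
    return done.stdout


def got_echo_reply(output):
    # Only a real Echo Reply line carries "TTL=". An unreachable report also
    # begins "Reply from", so matching on that phrase would count it as success.
    return any("TTL=" in line for line in output.splitlines())


def first_failure(ladder, ping=run_ping):
    """Ping each rung in order; return the first one that fails, or None."""
    for label, address in ladder:
        if not got_echo_reply(ping(address)):
            return label, address, LADDER_MEANING[label]
    return None  # every rung answered: look at software or the application


LADDER = [
    ("loopback", "127.0.0.1"),
    ("own address", "10.0.11.32"),
    ("default gateway", "10.0.11.1"),   # constructed gateway address
    ("remote host", "192.0.2.10"),      # constructed remote host
]

if __name__ == "__main__":
    print(first_failure(LADDER, ping=CONSTRUCTED_OUTPUT.__getitem__))
```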
Below is a table giving the main parameters that can be used with the Ping command.
| Command | Description |
| --- | --- |
| ping (IP Address or Host Name) | This command is used to check for connectivity between two hosts. The ping command needs to be followed by either the IP Address or Host Name of the host you are trying to check you can contact. Four ICMP Echo requests are sent out to the destination computer and you will receive a result of how many packets got to the destination and how long it took for each to get there, including an average. |
| ping -t | This command runs the same test as the normal ping command however it keeps sending ICMP packets until it is actually asked to stop by way of the operator pressing Ctrl + C. This way you are able to get a more accurate figure on the amount of packet loss between you and the remote host. |
| ping -n (number) | This command runs the same test as the normal ping command however the number of ICMP packets sent will correspond to the (number) value, instead of the default four. |
| ping -l (size) | This command runs the same test as the normal ping command however instead of sending ICMP packets with a default length of 32 bytes it will send data packets with the length specified in the (size) variable. |
| ping -i (TTL) | This command runs the same test as the normal ping command however instead of sending ICMP packets with a default Time To Live Value, the TTL value is set the same as the (TTL) variable. The TTL value basically means the number of times the packets are allowed to cross from one network to another by way of some kind of routing. |
| ping -f | This command runs the same test as the normal ping command however using this parameter sets a special fragmentation flag on the packet which prevents routers from fragmenting the packet if the packet is larger than their own Maximum Transmission Unit (MTU). If packets to a particular site or group of sites get dropped this command can be used in conjunction with the -l (size) parameter to check what the MTU for the routers on the route to the destination hosts are. This MTU value can then be set the same or slightly lower on your Network card. As the size of the packets sent from your network card will now no longer be higher than the lowest MTU value in the route to the destination, normal data packets should now get through. |
| ping -? | This command will give a list of all Ping parameters available. |
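The -f and -l (size) combination described in the table can be turned into a search for the lowest MTU on a route. This is an added example, not part of the original page: it binary-searches the largest payload that gets through with the fragmentation flag set and adds the 28 bytes of IPv4 and ICMP header. It assumes an Ethernet card with a 1500-byte MTU (so a 1472-byte ceiling); the simulated route and the function names are constructed.

```python
import subprocess

OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header around the -l payload


def fits_unfragmented(host, size):
    """One Windows ping with the fragmentation flag (-f) and a payload of size bytes (-l)."""
    done = subprocess.run(["ping", "-f", "-l", str(size), "-n", "1", host],
                          capture_output=True, text=True)
    return "TTL=" in done.stdout   # only an Echo Reply line carries TTL=


def largest_payload(fits, low=0, high=1472):
    """Binary-search the largest -l value for which fits(size) is true."""
    if not fits(low):
        return None            # nothing gets through: not an MTU problem
    while low < high:
        mid = (low + high + 1) // 2
        if fits(mid):
            low = mid          # mid passed, the limit is at or above it
        else:
            high = mid - 1     # mid was dropped, the limit is below it
    return low


def path_mtu(fits, high=1472):
    """Lowest MTU on the route, or None if the host does not answer at all."""
    payload = largest_payload(fits, high=high)
    return None if payload is None else payload + OVERHEAD


def simulated_path(mtu, log):
    """Constructed stand-in for a route whose smallest link MTU is mtu."""
    def fits(size):
        log.append(size)       # record every probe size that was tried
        return size + OVERHEAD <= mtu
    return fits


if __name__ == "__main__":
    sizes = []
    print(path_mtu(simulated_path(1400, sizes)), "found with", len(sizes), "probes")
    # Live use on Windows (constructed address):
    # path_mtu(lambda size: fits_unfragmented("192.0.2.10", size))
```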
Tracert
The Tracert command, or tracert.exe, works in a similar way to the Ping command. Tracert works out the route that data will take when traversing a network to get to a remote host. It does this by changing the value of the Time To Live (TTL) flag of the ICMP Echo request. The TTL value indicates the number of times that the data packet is allowed to cross from one network to another, commonly known as routing.
So Tracert first sends an Echo request to the remote host with a TTL of 1. When the data packet reaches the first router it removes one from this value. As, at this point, the TTL value is now 0 the router can not pass the packet on to the next part of the network so it sends an ICMP Time Exceeded message back to the originator of the Tracert. Tracert receives this message then sends out a new Echo request to the remote host but adds 1 on to the TTL value.
This process continues until the TTL value is high enough for the Echo request to reach the remote computer, which will then send back an Echo reply message. Tracert then uses the information in the Echo Reply and Time Exceeded Packets to display a list of routers the packets travel through to get to the destination host. A sample of a Tracert is shown below.
[Image: A Typical Tracert Output]
Tracert is mainly used to see where your data packets reach before they can go no further. This can help to detect and identify which remote router is not working correctly, which could be due to broken equipment or incorrect routing tables in remote routers. Some routers do not send Time Exceeded messages when the TTL value has been exceeded. In this situation the line for this hop in the route will be blank, show stars or say Request Timed Out.
As you can see, by default Tracert will try to show the route the data packets take to a maximum of 30 Hops. This means that the packets will travel through a maximum of 30 routers. This default value can be over-ridden but it is very unlikely that the majority of your data packets will make more than 30 hops. As you can also see from the output, the time taken for the packets to return jumps by 72 ms between hops 5 and 6. This is because the site whose route has been traced is a US Site and this is the time taken for the data packets to traverse the Atlantic ocean. You can see that hop 5 is a UK router and hop 6 is a US router.
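The TTL exchange described above, including a router that sends no Time Exceeded message and the maximum-hops cut-off, can be followed in a small simulation. This is an added example, not part of the original page: it models the messages only and sends no packets, and the route, addresses and function names are constructed.

```python
# Constructed route: (router address, does it send ICMP Time Exceeded?)
ROUTE = [
    ("10.0.11.1", True),
    ("10.0.12.1", False),      # a router that stays silent when the TTL runs out
    ("192.0.2.1", True),
]
DESTINATION = "198.51.100.7"   # constructed remote host


def send_echo_request(route, destination, ttl):
    """Carry one Echo request along the route and return (message, sender)."""
    for router, sends_time_exceeded in route:
        ttl -= 1                       # each router removes one from the TTL
        if ttl == 0:                   # it may not pass the packet on
            if sends_time_exceeded:
                return "Time Exceeded", router
            return "Request timed out", None
    return "Echo Reply", destination   # the TTL outlasted every router


def tracert(route, destination, max_hops=30):
    """Raise the TTL by one per probe until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        message, sender = send_echo_request(route, destination, ttl)
        hops.append((ttl, sender or "*", message))
        if message == "Echo Reply":
            break
    return hops


if __name__ == "__main__":
    for hop in tracert(ROUTE, DESTINATION):
        print("%2d  %-15s %s" % hop)
```

The silent router appears as a star at hop 2 while later hops still answer, which is what separates a router that does not report from a route that is actually broken at that point.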
Below is a table giving the main parameters that can be used with the Tracert command.
| Command | Description |
| --- | --- |
| tracert (IP Address or Host Name) | This command is used to trace the route that data takes when being sent to a remote computer. The tracert command needs to be followed by either the IP Address or Host Name of the remote computer you are trying to trace a route to. |
| tracert -h (Maximum Hops) | This command runs the same test as the normal tracert command however instead of using a default value of only trying 30 hops to get to the destination host you can set the total hops the packet is allowed to make, which will be the (Maximum hops) value. |
| tracert -d | This command runs the same test as the normal tracert command however it prevents the routers resolving their IP Address to names, which can save time running the trace route. |
| tracert -? | This command will give a list of all Tracert parameters. |
PathPing
PathPing, or pathping.exe, is a similar tool to Tracert in that it works out the route data packets take when traversing a network. The difference between Tracert and PathPing is that PathPing sends 100 packets, by default, to each router on the network it passes through and works out how many packets get lost to each connection. The following picture displays a typical PathPing output for the same web site as used in the previous Tracert pictures. You can see from the first part of the output that the route taken and destination are the same.
[Image: A Typical PathPing Output]
The second part of the output is the statistical display of how much packet loss is seen at each router. The entry to note here is the third hop, router 10.1.1.13. Of the 100 packets that were sent out to this router none of them were replied to. This tells us that either there is a problem with that particular router or the routing table for the router before it has an incorrect entry.
PathPing can also be used to troubleshoot sluggish network connections. If a particular router is very busy routing traffic or having problems of some sort it may end up having to drop some packets to be able to keep up. In this situation the dropped packets will have to be resent from the host computer, causing an unnecessary delay. A PathPing through this router would show an unusually high percentage of packet loss.
Below is a table giving the main parameters that can be used with the PathPing command.
| Command | Description |
| --- | --- |
| pathping (IP Address or Host Name) | This command is used to count packet loss on the routers between your computer and a remote host to find which router in the path is causing problems. |
| pathping -h (Maximum Hops) | This command runs the same test as the normal pathping command however instead of using a default value of only trying 30 hops to get to the destination host you can set the total hops the packet is allowed to make, which will be the (Maximum hops) value. |
| pathping -n | This command runs the same test as the normal pathping command however it prevents the routers resolving their IP Address to names, which can save time running the pathping command. |
| pathping -p (time) | This command runs the same test as the pathping command however rather than using the default value of waiting 250 milliseconds between sending each consecutive ping the time waited between sending the ICMP packets can be set to the (time) variable. |
| pathping -? | This command will give a list of all PathPing parameters. |
ARP
ARP stands for Address Resolution Protocol and the program used here is arp.exe. The Address Resolution Protocol basically holds tables of IP Addresses and their physical addresses, usually referred to as Media Access Control (MAC) Addresses, for each network adapter. This is because hosts on an Ethernet network can only communicate with each other if they know each other's physical address.
When hosts attempt to resolve IP Addresses to physical addresses an ARP packet is sent out, using a broadcast, which includes its own credentials. As all hosts receive this packet the host it is intended for sends a reply back with its own credentials and these results are stored in the ARP cache for a predetermined amount of time. A typical ARP output is shown below.
[Image: A Typical ARP Output]
ARP can also be used to remove stale records from the list, i.e. the IP Address has been reassigned but the ARP cache has for some reason not updated, or it can be used to add static entries to the cache. If static entries are added to the ARP cache they do not time out of the cache like dynamic entries do, they are only removed if the TCP / IP Protocol is restarted or if they are deleted from the cache.
Below is a table giving the main parameters that can be used with the ARP command.
| Command | Description |
| --- | --- |
| arp -a | This command is used to display the contents of the ARP cache tables for all of the network adapters attached to the computer. |
| arp -a -N (IP Address) | This command is used to display the contents of the ARP cache table for the network connection which is assigned to (IP Address), e.g. 192.168.2.1. |
| arp -d (IP Address) | The command deletes the entry resolving (IP Address) from the ARP cache tables. |
| arp -s (IP Address) (MAC Address) | This command is used to add a static entry into the ARP cache which will resolve the physical address of (MAC Address) to the network address of (IP Address). |
| arp -? | This command will give a list of all Arp parameters available. |
NETStat
NETStat, or netstat.exe, is a tool which is used for displaying a list of active TCP connections, ports which the computer is listening to, routing tables and statistics for the network connections. Below is a sample Netstat output which shows the TCP and UDP ports which the computer is monitoring.
[Image: A Typical NETStat Output]
Below is a table giving the main parameters that can be used with the NETStat command.
| Command | Description |
| --- | --- |
| netstat -a | This command is used to display all active TCP Connections. It will also list which TCP and UDP ports are currently being listened to. |
| netstat -e | This command is used to display the Ethernet statistics for all active TCP connections. |
| netstat -n | This command is similar to the netstat -a command except the results will be shown by IP Address and no name resolution is attempted. |
| netstat -p (Protocol) | This command shows any connections for the (Protocol) specified. This can include tcp, udp, tcpv6 and udpv6. |
| netstat -s (Protocol) | This command shows statistics for the (Protocol) specified. This can include tcp, udp, tcpv6 and udpv6. |
| netstat -r | This command is used to display the contents of the IP Routing table for the current host. |
| netstat -? | This command will give a list of all NETStat parameters available. |
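The list of listening ports that netstat prints is often compared against the services a computer is expected to offer. This is an added example, not part of the original page: it parses text in the netstat -an layout, separates ports bound only to the loopback address from those reachable over the network, and reports reachable listeners missing from an allow list. The sample text, the allow list and the function names are constructed.

```python
import ipaddress

# Constructed text in the layout of Windows "netstat -an".
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.11.32:139         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    10.0.11.32:1045        10.0.11.20:445         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    10.0.11.32:137         *:*
"""

# Constructed allow list of (protocol, port) pairs expected on this computer.
ALLOWED = {("TCP", 135), ("TCP", 139), ("UDP", 137)}


def listeners(text):
    """Return (protocol, address, port, reachable_from_network) per listening socket."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # heading or blank line
        if parts[0] == "TCP" and parts[3:4] != ["LISTENING"]:
            continue                      # an active connection, not a listener
        host, _, port = parts[1].rpartition(":")
        # Drop IPv6 brackets and any %zone suffix before parsing the address.
        address = ipaddress.ip_address(host.strip("[]").split("%")[0])
        found.append((parts[0], str(address), int(port), not address.is_loopback))
    return found


def unexpected(text, allowed):
    """Network-reachable listeners whose (protocol, port) is not in allowed."""
    return [(proto, address, port)
            for proto, address, port, reachable in listeners(text)
            if reachable and (proto, port) not in allowed]


if __name__ == "__main__":
    for proto, address, port, reachable in listeners(SAMPLE):
        scope = "network" if reachable else "loopback only"
        print("%-4s %-12s %5d  %s" % (proto, address, port, scope))
    print("not on the allow list:", unexpected(SAMPLE, ALLOWED))
```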
NBTStat
NBTSTAT, or nbtstat.exe, can be used to display local and remote NetBIOS name tables (which are tables that resolve NetBIOS names to IP Addresses), the NetBIOS name cache and NetBIOS over TCP / IP statistics. It can also be used to add or remove entries from the NetBIOS name cache or purge it completely. Below is a sample NBTStat output.
[Image: A Typical NBTStat Output]
Below is a table giving the main parameters that can be used with the NBTStat command.
| Command | Description |
| --- | --- |
| nbtstat -c | This command is used to display the contents of the NetBIOS name cache, which is a table of NetBIOS names and their resolved IP Addresses. |
| nbtstat -r | This command is used to display NetBIOS name resolution statistics. It will show statistics for Broadcast and WINS resolution. |
| nbtstat -R | This command clears the NetBIOS name cache and then re-loads any items in the local LMHosts file which are preceded by #PRE tags. |
| nbtstat -RR | This command is similar to the nbtstat -R command however it also refreshes the NetBIOS name that it currently has registered for itself with the WINS server. |
| nbtstat -s | This command displays the NetBIOS client and server sessions, trying to resolve IP Addresses to names before returning the results. |
| nbtstat -S | This command is similar to the nbtstat -s command however no name resolution is attempted. The results are displayed by IP Address. |
| nbtstat -? | This command will give a list of all NBTStat parameters available. |











