Back to Basics — TCP/IP Tools and Commands
Most client and server operating systems that support Transmission Control Protocol/Internet Protocol (TCP/IP) come with a suite of commands and tools that are designed to let you examine TCP/IP configuration information and diagnose and correct problems.
Using the arp Command
The arp command allows you to display and modify the Address Resolution Protocol (ARP) cache, which is a simple mapping of IP addresses to MAC addresses. Each time a computer's TCP/IP stack uses ARP to determine the Media Access Control (MAC) address for an IP address, it records the mapping in the ARP cache so that future ARP lookups go faster.
The arp command is sometimes useful when diagnosing duplicate IP address assignment problems.
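As an added example (not part of the original article), the following Python script parses two snapshots of arp -a output and reports IP addresses whose MAC address changed between them, which is what a duplicate IP assignment looks like in the cache. The snapshots, addresses and MACs are constructed, and the parser assumes the Windows arp -a column layout.

```python
"""Spot duplicate-IP symptoms in the ARP cache (added example, not from the original article).

Assumes the Windows 'arp -a' layout: an 'Interface:' header followed by rows of
'Internet Address  Physical Address  Type'. Both snapshots below are constructed.
"""
import re

# Constructed sample: first snapshot of 'arp -a' on a workstation.
SNAPSHOT_1 = """\
Interface: 172.20.160.1 --- 0x5
  Internet Address      Physical Address      Type
  172.20.160.20         aa-bb-cc-dd-ee-01     dynamic
  172.20.160.254        00-1a-2b-3c-4d-5e     dynamic
  172.20.175.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# Constructed sample: second snapshot a minute later. 172.20.160.20 now answers
# from a different MAC, the classic sign of two hosts claiming one IP address.
SNAPSHOT_2 = """\
Interface: 172.20.160.1 --- 0x5
  Internet Address      Physical Address      Type
  172.20.160.20         aa-bb-cc-dd-ee-02     dynamic
  172.20.160.254        00-1a-2b-3c-4d-5e     dynamic
  172.20.175.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# One cache row: dotted IPv4, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return {ip: (mac, type)} for every entry row; header lines are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            cache[ip] = (mac.lower(), kind.lower())
    return cache


def changed_mappings(old, new):
    """IPs whose MAC differs between two snapshots: the duplicate-IP symptom."""
    return sorted(
        (ip, old[ip][0], new[ip][0])
        for ip in old.keys() & new.keys()
        if old[ip][0] != new[ip][0]
    )


def shared_macs(cache):
    """MACs that answer for more than one dynamic IP (a NIC with several addresses,
    or a host answering ARP for addresses that are not its own). Static entries
    such as broadcast and multicast are ignored."""
    by_mac = {}
    for ip, (mac, kind) in cache.items():
        if kind == "dynamic":
            by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    before, after = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    for ip, old_mac, new_mac in changed_mappings(before, after):
        print(f"{ip}: MAC changed {old_mac} -> {new_mac} (possible duplicate IP)")
    for mac, ips in shared_macs(after).items():
        print(f"{mac} answers for several IPs: {', '.join(ips)}")
```

In practice you would take the two snapshots a short interval apart on the affected segment; a mapping that flips back and forth is the thing to look for.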
Using the hostname Command
The hostname command is the simplest of all the TCP/IP commands. It simply displays the computer's host name.
Using the ipconfig Command
The ipconfig command displays information about the computer's TCP/IP configuration. It can also be used to update DHCP and Domain Name System (DNS) settings.
Displaying basic IP configuration
To display the basic IP configuration for a computer, use the ipconfig command without any parameters.
When you use ipconfig without parameters, the command displays the name of the adapter, the domain name used for the adapter, the IP address, the subnet mask, and the default gateway configuration for the adapter. This is the easiest way to determine a computer's IP address.
Displaying detailed configuration information
You can display detailed IP configuration information by using the /all switch with the ipconfig command (ipconfig /all).
Renewing an IP lease
If you are having an IP configuration problem, you can often solve it by renewing the computer's IP lease. To do that, use ipconfig /renew.
This command won't work if you have configured the computer to use a static IP address.
Releasing an IP lease
You can release an IP lease by using ipconfig /release. After that, the DNS suffix and default gateway for the computer are blank, and the IP address and subnet mask are set to 0.0.0.0.
After you release the DHCP lease, you can use ipconfig /renew to obtain a new DHCP lease for the computer.
Flushing the local DNS cache
Don't run this command unless you are having DNS trouble. If you have been tinkering with your network's DNS configuration, though, you may need to flush the cache on your DNS clients so that they are forced to reacquire information from the DNS server. You can do that with the /flushdns switch (ipconfig /flushdns).
Using the nbtstat command
nbtstat is a Windows-only command that can help solve problems with NetBIOS name resolution. You can use the -a switch to display the cached name table for a specified computer.
Using the netstat Command
The netstat command displays a variety of statistics about a computer's active TCP/IP connections. It is a useful tool when you are having trouble with TCP/IP applications such as File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and so on.
Displaying connections
If you run netstat without any parameters, you get a list of active connections.
This list shows all the active connections on the computer and indicates the local port used by each connection, as well as the IP address and port number of the remote computer.
You can specify the -n switch to display both local and foreign addresses in numeric IP form.
Finally, you can specify the -a switch to display all TCP/IP connections and the ports that are being listened on.
Displaying interface statistics
If you use the -e switch, netstat displays various protocol statistics.
The items to pay attention to in this output are Discards and Errors. These numbers should be zero, or at least close to it. If they are not, the network may be carrying too much traffic or the connection may have a physical problem. If there is no physical problem with the connection, try segmenting the network to see whether the error and discard rates drop.
You can display additional statistics using the -s switch.
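The checks described above can be scripted. This added example (not from the original article) parses constructed netstat -an and netstat -e output in the Windows layout: it lists the ports the host is listening on, the remote hosts with established sessions, and flags Discards or Errors that are not close to zero. The 0.1 percent threshold is an assumption, since the article only says "zero or close to it".

```python
"""Summarise 'netstat -an' and 'netstat -e' output (added example; samples are constructed).

Assumes the Windows column layout: 'Proto  Local Address  Foreign Address  State' for
connections, and 'Counter  Received  Sent' rows for interface statistics.
"""
import re

# Constructed 'netstat -an' sample.
NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    172.20.160.1:49712     203.0.113.10:443       ESTABLISHED
  TCP    172.20.160.1:49800     203.0.113.9:21         TIME_WAIT
  TCP    172.20.160.1:49801     203.0.113.9:21         ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# Constructed 'netstat -e' sample with non-zero Discards on the receive side.
NETSTAT_E = """\
Interface Statistics

                           Received            Sent

Bytes                    1527391284       209315672
Unicast packets             1301774          902447
Non-unicast packets           30215            1189
Discards                       1873               0
Errors                            0               0
Unknown protocols                 0
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")
STAT = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s{2,}(\d+)(?:\s+(\d+))?\s*$")


def parse_connections(text):
    """Return one dict per connection row; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        m = CONN.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": lport,
                     "foreign": faddr, "fport": fport, "state": state or ""})
    return rows


def listening_ports(rows):
    """(proto, port) pairs the host accepts traffic on: TCP LISTENING plus any UDP socket."""
    ports = {(r["proto"], int(r["lport"])) for r in rows
             if r["lport"].isdigit() and (r["state"] == "LISTENING" or r["proto"] == "UDP")}
    return sorted(ports)


def remote_peers(rows):
    """Foreign hosts with established sessions, with the remote ports in use."""
    peers = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers.setdefault(r["foreign"], set()).add(int(r["fport"]))
    return {host: sorted(p) for host, p in peers.items()}


def parse_interface_stats(text):
    """Return {counter: (received, sent)}; 'Unknown protocols' has only a received value."""
    stats = {}
    for line in text.splitlines():
        m = STAT.match(line)
        if m:
            name, rx, tx = m.groups()
            stats[name.strip()] = (int(rx), int(tx) if tx is not None else None)
    return stats


def check_interface_health(stats, max_ratio=0.001):
    """Flag Discards/Errors above max_ratio of the packets handled in that direction.
    The article's rule of thumb is 'zero or close to it'; the ratio is an assumed threshold."""
    findings = []
    for direction, idx in (("received", 0), ("sent", 1)):
        packets = stats["Unicast packets"][idx] + stats["Non-unicast packets"][idx]
        for counter in ("Discards", "Errors"):
            value = stats[counter][idx]
            if packets and value / packets > max_ratio:
                findings.append((counter, direction, value))
    return findings


if __name__ == "__main__":
    rows = parse_connections(NETSTAT_AN)
    print("listening:", listening_ports(rows))
    print("established peers:", remote_peers(rows))
    for counter, direction, value in check_interface_health(parse_interface_stats(NETSTAT_E)):
        print(f"{counter} ({direction}) = {value}: investigate load or cabling")
```

Comparing the listening-port list against what the machine is supposed to expose is a quick way to spot an unexpected service, and the interface check turns the "close to zero" judgement into something you can run on every host.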
Using the nslookup Command
The nslookup command is the most powerful tool for diagnosing DNS problems. A typical sign of a DNS problem is that you can access a resource by specifying its IP address but not its DNS name.
The simplest use of nslookup is to look up the IP address for a given DNS name.
Here is the output for the command nslookup google.com.
Using nslookup subcommands
If you run nslookup without any arguments, the nslookup command enters subcommand mode. In subcommand mode, you can enter various subcommands to set options or to perform queries. Type ? to get the list of commands and exit to leave subcommand mode.
Displaying DNS records
One of the main uses of nslookup is to examine your DNS configuration to make sure that it is set up properly.
- At the command prompt, type nslookup without any parameters.
- Type the subcommand set type=any
- Type your domain name at the prompt that follows. nslookup responds with the name servers for your domain.
- Use the server command to switch to one of the domain's name servers. For example, server ns000.ns0.com replies with a message that indicates the new default server.
- Type your domain name again. This time nslookup responds by displaying the DNS information for your domain.
- Type exit to leave the nslookup program.
Locating the mail server for an email address
If you are having trouble delivering mail to someone, you can use nslookup to determine the IP address of the user's mail server. Then you can use the ping command to see whether you can reach the mail server. If not, you can use the tracert command to find out where the communication breaks down.
Start nslookup and enter the command set type=MX, then enter the domain portion of the user's email address, for example gmail.com.
Exploring DNS using nslookup
DNS does its whole name resolution thing so fast that it is easy to take it for granted.
- Type nslookup without any parameters to enter subcommand mode.
- Enter the command root. This switches to one of the Internet's 13 root servers and then displays the prompt.
- Type www.google.com. This sends a query to the root server asking whether it knows the IP address. The root server answers with a referral, meaning that it does not know, but you should try one of the servers it lists because they know all about the com domain.
- Type server followed by the name or IP address of one of the com domain name servers.
- Type www.google.com again. This sends the query to the com server to ask whether it knows where the name is. If it responds that it does not know, try another server. Eventually you get the IP address of the domain name.
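The referral chain this walk follows can be modelled offline. The following added example (not code from the original article) simulates iterative resolution from a root server through a com server to an authoritative server and returns the trail of servers consulted, which is what the nslookup session above shows step by step; it also serves the MX lookup from the previous section. The server names (root.example., a.com-servers.example., ns1.google.example.), the 198.51.100.x and 203.0.113.x addresses, and the MX record for gmail.com are constructed; no real DNS queries are sent.

```python
"""Walk a DNS lookup the way the nslookup session above does (added example, not from the article).

Everything here is an in-memory model: the server names, the 198.51.100.x / 203.0.113.x
addresses and the delegation chain root -> com -> google.com are constructed to show
how referrals work. Nothing is sent on the network.
"""

# Each simulated server holds the records it is authoritative for and the child zones it
# delegates. A referral names the child's servers, which is what the root and com servers
# return when asked about www.google.com.
SERVERS = {
    "root.example.": {
        "records": {},
        "delegations": {"com.": ["a.com-servers.example."]},
    },
    "a.com-servers.example.": {
        "records": {},
        "delegations": {"google.com.": ["ns1.google.example."],
                        "gmail.com.": ["ns1.google.example."]},
    },
    "ns1.google.example.": {
        "records": {
            ("www.google.com.", "A"): ["198.51.100.10"],
            ("gmail.com.", "MX"): ["10 mail.gmail.example."],
            ("mail.gmail.example.", "A"): ["203.0.113.25"],
        },
        "delegations": {},
    },
}


def query(server_name, qname, qtype):
    """One round trip to one server: an answer, a referral, or 'no such record'."""
    server = SERVERS[server_name]
    if (qname, qtype) in server["records"]:
        return ("answer", server["records"][(qname, qtype)])
    # Otherwise refer to the most specific delegated zone the name falls under.
    best = None
    for zone, ns_list in server["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ns_list)
    if best:
        return ("referral", best)
    return ("nxdomain", [])


def resolve(qname, qtype, start="root.example."):
    """Iterative resolution: follow referrals until a server answers.
    Returns (records, trail) where trail lists each server asked and how it replied."""
    if not qname.endswith("."):
        qname += "."
    trail = []
    server = start
    for _ in range(10):  # bound the walk so a broken delegation loop cannot spin forever
        kind, payload = query(server, qname, qtype)
        trail.append((server, kind))
        if kind == "answer":
            return payload, trail
        if kind == "referral":
            _zone, ns_list = payload
            server = ns_list[0]  # the manual 'server <name>' step, done automatically
            continue
        return [], trail
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    for name, qtype in (("www.google.com", "A"), ("gmail.com", "MX")):
        records, trail = resolve(name, qtype)
        for server, kind in trail:
            print(f"  {server:<26} {kind}")
        print(f"{name} {qtype}: {records}")
```

The trail printed for www.google.com is exactly the sequence you reproduce by hand with root, server and repeated queries: two referrals, then an answer from the authoritative server.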
Using the pathping Command
The pathping command is unique to Windows. It is sort of a cross between the ping command and the tracert command, combining the features of both into one tool. When you run pathping, it first traces the route to the destination address much the way tracert does. Then it launches into a 25-second test of each router along the way, gathering statistics on the rate of data loss at each hop. When the route has a lot of hops, this helps in finding the unreliable one. If you cannot reach the destination, pathping can help you find where the path fails.
Using the -n switch causes the display to show numeric IP addresses only instead of DNS host names.
Using the ping Command
ping is probably the most basic TCP/IP command-line tool. Its main purpose is to determine whether you can reach another computer from your computer. It uses Internet Control Message Protocol (ICMP) to send mandatory ECHO_REQUEST datagrams to the specified host computer. When the reply is received back from the host, the ping command displays how long it took to receive the response.
By default, the ping command sends four packets to the specified host. It displays the result of each packet sent. Then it displays summary statistics: how many packets were sent, how many replies were received, the packet loss rate, and the approximate round-trip time.
You can also ping a DNS name: ping then determines the IP address for the specified host and pings the host by its IP address.
Using the route command
The route command displays or modifies the computer's routing table. For a typical computer that has a single network interface and is connected to a local area network (LAN) that has a router, the routing table is pretty simple and is not often the source of network problems. If you have trouble accessing other computers or other networks, you can use the route command to make sure that a bad entry in the computer's routing table is not the culprit.
For a computer with more than one interface that is configured to work as a router, the routing table is often a major source of trouble. Setting up the routing table properly is a key part of configuring a router.
Displaying the routing table
To display the routing table (both IPv4 and IPv6) in Windows, use the route print command. In Linux/Unix you can just use route without any command-line switches.
Each entry in the routing table lists:
- The destination IP address. This is actually the address of the destination subnet, and it must be interpreted in the context of the subnet mask.
- The subnet mask that must be applied to the destination address to determine the destination subnet.
- The IP address of the gateway to which traffic intended for the destination subnet will be sent.
- The IP address of the interface through which the traffic will be sent to the destination subnet.
- The metric, which indicates the number of hops required to reach destinations via the gateway.
Each packet that is processed by the computer is evaluated against the rules in the routing table. If the packet's destination address matches the destination subnet for a rule, the packet is sent to the specified gateway via the specified network interface. If not, the next rule is applied.
- The first rule is for packets sent to 255.255.255.255 with subnet mask 255.255.255.255. This special IP address is for broadcast packets. The rule specifies that these broadcast packets should be delivered to the local network interface.
- The next rule is for packets sent to 172.20.175.255 with subnet mask 255.255.255.255. These are also broadcast packets and are sent to the local network interface.
- The next rule is for packets sent to 172.20.160.1 with subnet mask 255.255.255.255. This is for packets that the computer is sending to itself via its own IP address. This rule specifies that these packets will be sent to the local loopback interface at 127.0.0.1.
- The next rule is for packets sent to 172.20.160.0 with subnet mask 255.255.240.0. These packets are intended for the local subnet. They are sent to the subnet via the local interface at 172.20.160.1.
- The next rule is for packets sent to the loopback address (127.0.0.0, subnet mask 255.0.0.0). These packets are sent straight through to the loopback interface at 127.0.0.1.
- The last rule is for everything else. All IP addresses match the destination IP address 0.0.0.0 with subnet mask 0.0.0.0 and will be sent to the default gateway router at 10.0.0.1 via the computer's network interface at 10.0.0.142.
Modifying the routing table
The syntax of the route command for adding, deleting, or changing a route entry is:
route [-p] command dest [mask subnet] gateway [-if interface]
-p: makes the entry persistent. If you omit -p, the entry is deleted the next time you reboot.
command: add, delete, or change.
dest: the IP address of the destination subnet.
mask subnet: the subnet mask. If you omit the subnet mask, the default is 255.255.255.255, meaning that the entry applies only to a single host rather than a subnet. You usually want to include the mask.
gateway: the IP address of the gateway to which packets will be sent.
if interface: the IP address of the interface through which packets will be sent. If your computer has only one network interface, you can omit this.
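To make the matching rule concrete, here is an added example (not from the original article) that loads the routing table entries described above, resolves a destination to its entry by longest-prefix match, and applies route add and route delete commands written in the syntax given above. The metrics are constructed, since the article does not give them; On-link is the route print notation for a directly attached destination; and the parser accepts the interface keyword both as if and as -if, because the text shows both forms.

```python
"""Longest-prefix lookup over the routing table described above, plus a parser for the
'route add / delete' syntax (added example, not from the article).

Entries are the ones the article walks through. 'On-link' is the Windows 'route print'
notation for a directly attached destination. Metrics are constructed.
"""
import ipaddress
import shlex

# (destination, netmask, gateway, interface, metric); metrics are made up.
ROUTE_PRINT = [
    ("255.255.255.255", "255.255.255.255", "On-link",  "172.20.160.1", 276),
    ("172.20.175.255",  "255.255.255.255", "On-link",  "172.20.160.1", 276),
    ("172.20.160.1",    "255.255.255.255", "On-link",  "127.0.0.1",    276),
    ("172.20.160.0",    "255.255.240.0",   "On-link",  "172.20.160.1", 276),
    ("127.0.0.0",       "255.0.0.0",       "On-link",  "127.0.0.1",    306),
    ("0.0.0.0",         "0.0.0.0",         "10.0.0.1", "10.0.0.142",   25),
]


def build_table(rows):
    """Turn (dest, mask, gateway, iface, metric) rows into network objects."""
    return [
        {"network": ipaddress.IPv4Network(f"{dest}/{mask}"),
         "gateway": gw, "interface": iface, "metric": metric, "persistent": False}
        for dest, mask, gw, iface, metric in rows
    ]


def lookup(table, destination):
    """Pick the most specific matching entry (longest prefix), lowest metric on ties.
    Scanning the article's table top to bottom gives the same result, because it is
    listed from most specific (/32 host routes) to least specific (the 0.0.0.0 default)."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [e for e in table if addr in e["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda e: (e["network"].prefixlen, -e["metric"]))


def apply_route_command(table, cmdline):
    """Apply 'route [-p] add|delete dest [mask subnet] gateway [if interface]' in place.
    'change' is not modelled. Added routes get an assumed metric of 1."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0].lower() == "route":
        tokens = tokens[1:]
    persistent = False
    if tokens and tokens[0] == "-p":
        persistent, tokens = True, tokens[1:]
    command, dest, rest = tokens[0].lower(), tokens[1], tokens[2:]
    mask = "255.255.255.255"  # omitted mask means a single host, as the article says
    if rest and rest[0].lower() == "mask":
        mask, rest = rest[1], rest[2:]
    network = ipaddress.IPv4Network(f"{dest}/{mask}")
    if command == "delete":
        table[:] = [e for e in table if e["network"] != network]
        return table
    if command != "add":
        raise ValueError(f"unsupported command: {command}")
    gateway = rest[0]
    interface = None  # may be omitted on a single-interface computer
    if len(rest) >= 3 and rest[1].lower() in ("if", "-if"):
        interface = rest[2]
    table.append({"network": network, "gateway": gateway, "interface": interface,
                  "metric": 1, "persistent": persistent})
    return table


if __name__ == "__main__":
    table = build_table(ROUTE_PRINT)
    for dest in ("172.20.165.7", "172.20.160.1", "8.8.8.8"):
        e = lookup(table, dest)
        print(f"{dest:<15} -> {e['network']} via {e['gateway']} on {e['interface']}")
    apply_route_command(table, "route -p add 192.168.5.0 mask 255.255.255.0 172.20.160.254")
    e = lookup(table, "192.168.5.9")
    print(f"192.168.5.9     -> {e['network']} via {e['gateway']} (persistent={e['persistent']})")
```

Running lookup against a handful of destinations is a quick way to confirm which entry a packet will actually use before you touch the live table, and the same function shows how a stray host route can silently capture traffic meant for the default gateway.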
Using the tracert/traceroute Command
The tracert (Windows) or traceroute (Unix/Linux) command is one of the key diagnostic tools for TCP/IP. It displays a list of all the routers that a packet must go through to get from your computer to the destination. Each of these routers is called a hop.
tracert makes three attempts to contact the router at each hop and displays the response time for each of these attempts. Then it displays the DNS name of the router and the router's IP address.
To use tracert, type the tracert command followed by the host name of the computer to which you want to trace the route.
You will most likely see a timeout at one or more of the hops. Timeouts are indicated by asterisks where you would expect to see a time.
Understanding tracert — how it works
The key to tracert is a field that is a standard part of all IP packets called TTL, which stands for Time To Live. In most other contexts a value called TTL would be a time value, but in an IP packet the TTL value indicates how many routers a packet can travel through on its way to its destination. Every time a router forwards an IP packet, it subtracts one from the packet's TTL value. When the TTL value reaches zero, the router refuses to forward the packet.
The tracert command sends a series of special messages called ICMP echo requests to the destination computer. The first time it sends this message, it sets the TTL value of the packet to 1. When the packet arrives at the first router along the path to the destination, that router subtracts one from the TTL value, sees that the TTL value has become 0, and so sends a Time Exceeded message back to the original host. When the tracert command receives this Time Exceeded message, it extracts the IP address of the router from it, calculates the time it took for this message to return, and displays the first hop.
Then the tracert command sends another echo request message, this time with the TTL value set to 2. This message goes through the first router to the second router, which sees that the TTL value has been decremented to 0 and sends back a Time Exceeded message. When tracert receives the Time Exceeded message from the second router, it displays the line for the second hop. This process continues, each time with a greater TTL value, until the echo request finally reaches the destination.
Unix/Linux traceroute uses a slightly different set of TCP/IP messages and responses to accomplish the same result.
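The TTL mechanism just described, as an added example (not from the original article): a small simulation sends probes with TTL 1, 2, 3 and so on through a constructed path of routers, each of which decrements the TTL and answers with a Time Exceeded message when it reaches zero, until the destination returns an echo reply. Router addresses, names and delays are made up, and the third router is configured to stay silent so that the output shows the asterisks mentioned above.

```python
"""Simulate the TTL-driven probing that tracert performs (added example, not from the article).

The path is constructed: router addresses, names and per-hop delays are invented, and the
third router drops probes without replying so the output shows tracert's asterisks.
No packets are sent; the 'network' is a Python list.
"""

# (ip, dns_name, one-way delay in ms, answers with Time Exceeded?)
PATH = [
    ("172.20.160.254", "gw.corp.example",   1.0,  True),
    ("203.0.113.1",    "edge1.isp.example", 8.0,  True),
    ("203.0.113.17",   None,                5.0,  False),   # forwards, but never replies
    ("198.51.100.5",   "core.isp.example",  21.0, True),
]
DESTINATION = ("198.51.100.99", "www.example", 30.0)
NAMES = {ip: name for ip, name, _, _ in PATH if name}
NAMES[DESTINATION[0]] = DESTINATION[1]


def send_probe(ttl, path=PATH, destination=DESTINATION):
    """Forward one ICMP echo request with the given TTL along the path.
    Returns ('time_exceeded', router_ip, rtt), ('echo_reply', dest_ip, rtt), or None on timeout.
    The rtt is the modelled sum of hop delays up to the replying node."""
    remaining = ttl
    elapsed = 0.0
    for ip, _name, delay, answers in path:
        remaining -= 1          # every router decrements TTL before forwarding
        if remaining == 0:      # TTL hit zero here: report back instead of forwarding
            return ("time_exceeded", ip, elapsed + delay) if answers else None
        elapsed += delay
    dest_ip, _dname, delay = destination
    return ("echo_reply", dest_ip, elapsed + delay)


def trace(max_hops=30, attempts=3, path=PATH, destination=DESTINATION):
    """The tracert loop: raise the TTL by one per hop until an echo reply comes back."""
    hops = []
    for ttl in range(1, max_hops + 1):
        results = [send_probe(ttl, path, destination) for _ in range(attempts)]
        replies = [r for r in results if r is not None]
        if not replies:
            hops.append({"hop": ttl, "ip": None, "rtts": [None] * attempts})
            continue
        kind, ip, _ = replies[0]
        hops.append({"hop": ttl, "ip": ip, "rtts": [r[2] if r else None for r in results]})
        if kind == "echo_reply":
            break
    return hops


def format_hop(hop, names=NAMES):
    """Render one line the way tracert does: times (or '*'), then the router's name and IP."""
    times = "  ".join("*" if t is None else f"{t:.0f} ms" for t in hop["rtts"])
    if hop["ip"] is None:
        return f"{hop['hop']:>3}  {times}  Request timed out."
    name = names.get(hop["ip"])
    host = f"{name} [{hop['ip']}]" if name else hop["ip"]
    return f"{hop['hop']:>3}  {times}  {host}"


if __name__ == "__main__":
    for hop in trace():
        print(format_hop(hop))
```

A silent hop in the middle of the path is not itself a fault: the router still forwarded the packet, as the later hops prove. It is only when every hop from some point onward times out that the trace tells you where the path breaks.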
Happy Learning!!