Network Commands Tutorial

Uploaded by Ansh Ravi

Objective: Understand and use commands such as ping, ipconfig, hostname, getmac,
arp, nslookup, netstat, tracert, route and pathping.

I. ping
The ping command is one of the most often used networking utilities for detecting devices
on a network and for troubleshooting network problems.

You can use the ping command to test the availability of a networking device (usually a
computer) on a network.

When you ping a device you send that device a short message, which it then sends back (the
echo).

If you receive a reply, then the device is working OK. If you don't, then either:

• The device is faulty, disconnected, switched off, or incorrectly configured.
• Your network or the device you are working on is not working properly.

The general format is ping hostname or ping IPaddress.

Example

ping www.google.com or ping 216.58.208.68

The screenshot below shows how to use the command with an IP address.

It shows both a failed ping (192.168.0.1) and a successful ping (192.168.1.1).

Note: a failed ping results in a "Request timed out" response, and a success results in
a "Reply from" message with the round-trip delay in milliseconds.

The screenshot below shows how to use the ping command with the computer name.

Although it is easier to use a computer name than an IP address, the result is only
useful if the ping works.

If it fails, the result is not conclusive, because an extra stage called name resolution
is involved, and that could be at fault.

Here is a quick video that takes you through the process.


https://youtu.be/eXfknbnPUGU

Using ping to troubleshoot home network problems


The most common use of the ping command is to troubleshoot and locate network
connectivity problems.

The general idea is to ping each network interface between your machine and the
destination machine.

When a ping fails it indicates a problem with that network segment.

To illustrate, take a simple home network with a workstation and a server separated by a
router (home router/hub).

If the problem was that the workstation (WS1) cannot connect to the server, then the
general procedure would be as follows. On WS1:

1. Ping the loopback address 127.0.0.1 (tests own protocol stack).
2. Ping IP2
3. Ping IP3
4. Ping IP4

If all pings work except the IP4 ping then we know that there is a problem on the network
between the router and server.
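
The procedure above, together with the earlier point that a failed ping by name is inconclusive because of name resolution, as an added PowerShell example (not part of the original tutorial). The addresses standing in for IP2, IP3 and IP4 and the host name server1 are placeholders to replace with your own; Test-Hop, Find-FailingSegment and Test-ByName are names made up for this example.

```powershell
# Added example. The addresses for IP2-IP4 and the name 'server1' are
# placeholders (assumptions); substitute the values from your own network.
$hops = [ordered]@{
    'loopback' = '127.0.0.1'    # step 1: tests own protocol stack
    'IP2'      = '192.0.2.2'    # placeholder
    'IP3'      = '192.0.2.3'    # placeholder
    'IP4'      = '192.0.2.4'    # placeholder
}

function Test-Hop {
    param([string]$Address)
    # -4: IPv4 only; -n 2: two echo requests; -w 1000: wait 1000 ms per reply
    $output = & ping.exe -4 -n 2 -w 1000 $Address
    # Count only real echo replies. "Destination host unreachable" lines also
    # begin with "Reply from" but carry no TTL field.
    return [bool]($output -match 'TTL=')
}

function Find-FailingSegment {
    param($Hops)
    $previous = 'this machine'
    foreach ($name in $Hops.Keys) {
        $address = $Hops[$name]
        if (-not (Test-Hop $address)) {
            # The first failure localises the fault to the segment before it
            return "FAIL  $name ($address): check the segment between $previous and $name"
        }
        Write-Host "ok    $name ($address)"
        $previous = $name
    }
    return 'All hops reply: the path to the last hop is working.'
}

function Test-ByName {
    param([string]$HostName)
    # Stage 1: name resolution, tested on its own
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1
    } catch {
        return "${HostName}: name resolution failed; this says nothing about the device itself"
    }
    if (-not $ip) { return "${HostName}: resolved, but no IPv4 address was returned" }
    # Stage 2: reachability of the resolved address
    if (Test-Hop $ip.IPAddressToString) {
        return "${HostName}: resolves to $ip and replies"
    }
    return "${HostName}: resolves to $ip but does not reply; the name lookup is not at fault"
}

Find-FailingSegment $hops
Test-ByName 'server1'
```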

The ping command – Advanced Options


The ping command has various options (switches), which you can see by typing

ping /?

at the command prompt.

So for a continuous ping we type

ping IP address or name -t

e.g.

ping google.com -t

Here is the result

Common Questions and Answers

Q- What is the localhost?

A- On all operating systems localhost is the name given to your local machine and is
resolved to the IP address 127.0.0.1.

Q- What is the Address 127.0.0.1?

A- This is known as the loopback address and is a special address assigned to your
network interface.

II. ipconfig

ipconfig is another indispensable and frequently used utility. It is used for finding
network information about your local machine, such as IP addresses and DNS addresses.

Basic Use: Finding Your IP Address and Default Gateway

Type the command ipconfig at the prompt.

The following is displayed

ipconfig has a number of switches. The most common are:

ipconfig /all – displays more information about the network setup on your system,
including the MAC address

ipconfig /release – releases the current IP address

ipconfig /renew – renews the IP address

ipconfig /? – shows help

ipconfig /flushdns – flushes the DNS cache

III. hostname

A very simple command that displays the host name of your machine. This is much
quicker than going the Control Panel > System route.

IV. getmac

Another very simple command that shows the MAC address of your network interfaces.

V. arp

This is used for showing the address resolution cache. This command must be used with
a command-line switch; arp -a is the most common.

Type arp at the command line to see all available options.

VI. nslookup

Used for checking DNS record entries.

It is used for querying the Domain Name System (DNS) to obtain domain name or IP
address mapping information.

The main use of nslookup is for troubleshooting DNS-related problems.

Nslookup can be used in interactive and non-interactive mode.

To use in interactive mode type nslookup at the command line and hit return.

You should get an nslookup command prompt.

To use in non-interactive mode type nslookup options at the command prompt.

Using Nslookup
To illustrate the use of nslookup we are going to use it to:

• Find the IP address of a host.
• Find the domain name of an IP address.
• Find mail servers for a domain.

These are probably the most common usage scenarios.

Finding the IP Address of a Host

To find the IP address of a host, e.g. www.steves-internet-guide.com, type:

nslookup www.steves-internet-guide.com

at a command prompt.

For an interactive lookup:

Reverse Lookup IP Address to Domain Name

Type nslookup IP address

Find Mail Servers for a Domain

Type nslookup -querytype=mx domain name

General Usage Notes:

1. By default nslookup will use the DNS server that is currently configured for your
system.

You can switch DNS servers using the server name or server IP address option.

To switch to using the OpenDNS server address 208.67.222.222, go to an interactive
prompt and type:

server 208.67.222.222

2. You may notice that you get non-authoritative answers.

This is nothing to worry about, as all it means is that the DNS server has already recently
resolved this query.

It can retrieve the results from its cache, and doesn't need to contact the authoritative
name server.

You can find out which name servers are responsible (authoritative) for a domain by
setting the query type to NS and entering the domain name as shown below:

VII. netstat

Used for displaying information about TCP and UDP connections and ports.

The netstat command, meaning network statistics, is a Command Prompt command used
to display very detailed information about how your computer is communicating with other
computers or network devices.

Specifically, the netstat command can show details about individual network connections,
overall and protocol-specific networking statistics, and much more, all of which could help
troubleshoot certain kinds of networking issues.

Netstat Command Syntax


netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

Netstat Command List

Option: Explanation

netstat: Execute the netstat command alone to show a relatively simple list of all active TCP connections which, for each one, will show the local IP address (your computer), the foreign IP address (the other computer or network device), along with their respective port numbers, as well as the TCP state.

-a: This switch displays active TCP connections, TCP connections with the listening state, as well as UDP ports that are being listened to.

-b: This netstat switch is very similar to the -o switch listed below, but instead of displaying the PID, will display the process's actual file name. Using -b over -o might seem like it's saving you a step or two, but using it can sometimes greatly extend the time it takes netstat to fully execute.

-e: Use this switch with the netstat command to show statistics about your network connection. This data includes bytes, unicast packets, non-unicast packets, discards, errors, and unknown protocols received and sent since the connection was established.

-f: The -f switch will force the netstat command to display the Fully Qualified Domain Name (FQDN) for each foreign IP address when possible.

-n: Use the -n switch to prevent netstat from attempting to determine host names for foreign IP addresses. Depending on your current network connections, using this switch could considerably reduce the time it takes for netstat to fully execute.

-o: A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each displayed connection. See the example below for more about using netstat -o.

-p: Use the -p switch to show connections or statistics only for a particular protocol. You cannot define more than one protocol at once, nor can you execute netstat with -p without defining a protocol.

protocol: When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.

-r: Execute netstat with -r to show the IP routing table. This is the same as using the route command to execute route print.

-s: The -s option can be used with the netstat command to show detailed statistics by protocol. You can limit the statistics shown to a particular protocol by using the -s option and specifying that protocol, but be sure to use -s before -p protocol when using the switches together.

-t: Use the -t switch to show the current TCP chimney offload state in place of the typically displayed TCP state.

-x: Use the -x option to show all NetworkDirect listeners, connections, and shared endpoints.

-y: The -y switch can be used to show the TCP connection template for all connections. You cannot use -y with any other netstat option.

time_interval: This is the time, in seconds, that you'd like the netstat command to re-execute automatically, stopping only when you use Ctrl-C to end the loop.

/?: Use the help switch to show details about the netstat command's several options.

Netstat Command Examples

netstat -f

In this first example, we execute netstat to show all active TCP connections. However,
we want to see the computers that we're connected to in FQDN format [-f] instead of a
simple IP address.

Here's an example of what you might see:

Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:5357 VM-Windows-7:49229 TIME_WAIT
TCP 127.0.0.1:49225 VM-Windows-7:12080 TIME_WAIT
TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT
TCP 192.168.1.14:49196 a795sm.avast.com:http CLOSE_WAIT
TCP 192.168.1.14:49197 a795sm.avast.com:http CLOSE_WAIT
TCP 192.168.1.14:49230 TIM-PC:wsd TIME_WAIT
TCP 192.168.1.14:49231 TIM-PC:icslap ESTABLISHED
TCP 192.168.1.14:49232 TIM-PC:netbios-ssn TIME_WAIT
TCP 192.168.1.14:49233 TIM-PC:netbios-ssn TIME_WAIT
TCP [::1]:2869 VM-Windows-7:49226 ESTABLISHED
TCP [::1]:49226 VM-Windows-7:icslap ESTABLISHED

As you can see, there were 11 active TCP connections at the time netstat was executed in
this example. The only protocol (in the Proto column) listed is TCP, which was expected
because we didn't use -a.

You can also see three sets of IP addresses in the Local Address column—the actual IP
address of 192.168.1.14 and both IPv4 and IPv6 versions of the loopback addresses,
along with the port each connection is using. The Foreign Address column lists the
FQDN (75.125.212.75 didn't resolve for some reason) along with that port as well.

Finally, the State column lists the TCP state of that particular connection.

netstat -o

In this example, netstat will be run normally so it only shows active TCP connections, but
we also want to see the corresponding process identifier [-o] for each connection so that
we can determine which program on the computer initiated each one.

Here's what the computer displayed:

Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT 2948
TCP 192.168.1.14:49196 a795sm:http CLOSE_WAIT 2948
TCP 192.168.1.14:49197 a795sm:http CLOSE_WAIT 2948

You probably noticed the new PID column. In this case, the PIDs are all the same,
meaning that the same program on the computer opened these connections.

To determine what program is represented by the PID of 2948 on the computer, all you
have to do is open Task Manager, select the Processes tab, and note the Image
Name listed next to the PID we're looking for in the PID column.

Using the netstat command with the -o option can be very helpful when tracking down
which program is using too big a share of your bandwidth. It can also help locate the
destination where some kind of malware, or even an otherwise legitimate piece of
software, might be sending information without your permission.
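
The PID lookup described above, done in one step instead of through Task Manager, as an added PowerShell example (not part of the original tutorial). ConvertFrom-NetstatO and Add-ProcessName are names made up for this example, and the sample rows are constructed from the netstat -o output shown earlier.

```powershell
# Added example, not part of the original tutorial.
function ConvertFrom-NetstatO {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows have five columns: Proto, Local, Foreign, State, PID.
        # Header and blank lines do not match and are skipped.
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Local     = $Matches[1]
                Foreign   = $Matches[2]
                State     = $Matches[3]
                OwningPid = [int]$Matches[4]
            }
        }
    }
}

function Add-ProcessName {
    param([Parameter(ValueFromPipeline = $true)]$Connection)
    begin {
        # Build one PID -> image name lookup from the running processes
        $names = @{}
        Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    }
    process {
        $name = '(no such process now)'
        if ($names.ContainsKey($Connection.OwningPid)) {
            $name = $names[$Connection.OwningPid]
        }
        $Connection | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru
    }
}

# Constructed sample: the three rows of the netstat -o output shown above.
# PID 2948 belongs to that example computer, so on your machine it will
# normally map to '(no such process now)' or to an unrelated process.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT      2948'
    '  TCP    192.168.1.14:49196     a795sm:http            CLOSE_WAIT      2948'
    '  TCP    192.168.1.14:49197     a795sm:http            CLOSE_WAIT      2948'
)
ConvertFrom-NetstatO $sample | Add-ProcessName | Format-Table -AutoSize

# Live data: -n skips name lookups so the listing returns quickly.
# Connections are then counted per process, busiest first.
ConvertFrom-NetstatO (netstat -n -o) | Add-ProcessName |
    Group-Object Process, OwningPid |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```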

netstat -o | findstr 28604

The above example is similar to what we've already looked at, but instead of displaying
all connections, we're telling the netstat command to show only the connections that are
using a specific PID, 28604 in this example.

A similar command could be used to filter out the connections with
a CLOSE_WAIT state, by replacing the PID with ESTABLISHED.

netstat -s -p tcp -f

In this example, we want to see protocol specific statistics [-s] but not all of them, just
TCP stats [-p tcp]. We also want the foreign addresses displayed in FQDN format [-f].

This is what the netstat command, as shown above, produced on the example computer:

TCP Statistics for IPv4


Active Opens = 77
Passive Opens = 21
Failed Connection Attempts = 2
Reset Connections = 25
Current Connections = 5
Segments Received = 7313
Segments Sent = 4824
Segments Retransmitted = 5
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:2869 VM-Windows-7:49235 TIME_WAIT
TCP 127.0.0.1:2869 VM-Windows-7:49238 ESTABLISHED
TCP 127.0.0.1:49238 VM-Windows-7:icslap ESTABLISHED
TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT
TCP 192.168.1.14:49196 a795sm.avast.com:http CLOSE_WAIT
TCP 192.168.1.14:49197 a795sm.avast.com:http CLOSE_WAIT

As you can see, various statistics for the TCP protocol are displayed, as are all active
TCP connections at the time.

netstat -e -t 5

In this final example, the netstat command is executed to show some basic network interface
statistics [-e] and so that these statistics are continually updated in the command window
every five seconds [-t 5].

Here's what's produced on screen:

Interface Statistics
Received Sent
Bytes 22132338 1846834
Unicast packets 19113 9869
Non-unicast packets 0 0
Discards 0 0
Errors 0 0
Unknown protocols 0
Interface Statistics
Received Sent
Bytes 22134630 1846834
Unicast packets 19128 9869
Non-unicast packets 0 0
Discards 0 0
Errors 0 0
Unknown protocols 0
^C

Various pieces of information, which you can see here and that we listed in the -e syntax
above, are displayed.

The netstat command only automatically executed one extra time, as you can see by the
two tables in the result. Note the ^C at the bottom, indicating that the Ctrl+C abort
command was used to stop the re-running of the command.

VIII. tracert

The tracert command is a Command Prompt command that's used to show several details
about the path that a packet takes from the computer or device you're on to whatever
destination you specify.

You might also sometimes see the tracert command referred to as the trace route
command or traceroute command.

Tracert Command Syntax


tracert [-d] [-h MaxHops] [-w TimeOut] [-4] [-6] target [/?]

Tracert Command Options

Item: Description

-d: This option prevents tracert from resolving IP addresses to hostnames, often resulting in much faster results.

-h MaxHops: This tracert option specifies the maximum number of hops in the search for the target. If you do not specify MaxHops, and a target has not been found by 30 hops, tracert will stop looking.

-w TimeOut: You can specify the time, in milliseconds, to allow each reply before timeout using this tracert option.

-4: This option forces tracert to use IPv4 only.

-6: This option forces tracert to use IPv6 only.

target: This is the destination, either an IP address or hostname.

/?: Use the help switch with the tracert command to show detailed help about the command's several options.

Other less commonly used options for the tracert command also exist, including
[-j HostList], [-R], and [-S SourceAddress]. Use the help switch with the tracert command
for more information on these options.

Tracert Command Examples

tracert 192.168.1.1

In the above example, the tracert command is used to show the path from the networked
computer on which the tracert command is being executed to a network device, in this
case, a router on a local network, that's assigned the 192.168.1.1 IP address.

The result displayed on the screen will look something like this:

Tracing route to 192.168.1.1 over a maximum of 30 hops


1 <1 ms <1 ms <1 ms 192.168.1.254
2 <1 ms <1 ms <1 ms 192.168.1.1
Trace complete.

In this example, you can see that tracert found a network device using the IP address
of 192.168.1.254, let's say a network switch, followed by the destination, 192.168.1.1, the
router.

tracert www.google.com

With the tracert command shown above, we're asking tracert to show us the path from the
local computer all the way to the network device with the hostname www.google.com.

Tracing route to www.l.google.com [209.85.225.104]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.1.0.1
2 35 ms 19 ms 29 ms 98.245.140.1
3 11 ms 27 ms 9 ms te-0-3.dnv.comcast.net [68.85.105.201]
...
13 81 ms 76 ms 75 ms 209.85.241.37
14 84 ms 91 ms 87 ms 209.85.248.102
15 76 ms 112 ms 76 ms iy-f104.1e100.net [209.85.225.104]
Trace complete.

In this example, we can see that tracert identified fifteen network devices including our
router at 10.1.0.1 and all the way through to the target of www.google.com, which we
now know uses the public IP address of 209.85.225.104, one of Google's many IP
addresses.

Note: Hops 4 through 12 were excluded above just to keep the example simple. If you were
executing a real tracert, those results would all show up on screen.

tracert -d www.yahoo.com

With this tracert command example, we're again requesting the path to a website, this
time www.yahoo.com, but now we're preventing tracert from resolving hostnames by
using the -d option.

Tracing route to any-fp.wa1.b.yahoo.com [209.191.122.70]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.1.0.1
2 29 ms 23 ms 20 ms 98.245.140.1
3 9 ms 16 ms 14 ms 68.85.105.201
...
13 98 ms 77 ms 79 ms 209.191.78.131
14 80 ms 88 ms 89 ms 68.142.193.11
15 77 ms 79 ms 78 ms 209.191.122.70
Trace complete.

We can see that tracert again identified fifteen network devices including our router
at 10.1.0.1 and all the way through to the target of www.yahoo.com, which we can
assume uses the public IP address of 209.191.122.70.

As you can see, tracert didn't resolve any hostnames this time, which significantly sped
up the process.

tracert -h 3 lifewire.com > z:\tracertresults.txt

In this last example of the tracert command in Windows, we're using -h to limit the hop
count to 3, but instead of displaying the results in Command Prompt, we'll use
the > redirection operator to send it all to a TXT file located on Z:, an external hard
drive.

Here are some example results of this last command:

Tracing route to lifewire.com [151.101.66.114]
over a maximum of 3 hops:
1 <1 ms <1 ms <1 ms testwifi.here [192.168.86.1]
2 1 ms 1 ms <1 ms 192.168.1.1
3 17 ms 16 ms 17 ms giantwls-64-71-222-1.giantcomm.net [64.71.222.1]
Trace complete.

IX. route

IP networks use routing tables to direct packets from one subnet to another. The
Windows Route utility allows you to view the device's routing tables. To do so, simply
type Route Print.

The cool thing about the Route command is that it not only shows you the routing table, it
lets you make changes. Commands such as Route Add, Route Delete, and Route Change
allow you to make routing table modifications on an as-needed basis. The changes that
you make can be persistent or nonpersistent, depending on whether you use the -P switch.

X. pathping

Earlier, we talked about the Ping utility and the Tracert utility. As you might have
guessed, the PathPing tool is a utility that combines the best aspects of Tracert and Ping.
Entering the PathPing command followed by a host name initiates what looks like a
somewhat standard Tracert process. Once this process completes, however, the tool takes
300 seconds (five minutes) to gather statistics, and then reports latency and packet loss
statistics that are more detailed than those provided by Ping or Tracert.
