Lesson 2: TCP/IP Utilities

Virtually every operating system with networking capabilities includes support for the TCP/IP protocols, and in most cases TCP/IP includes an assortment of utilities that enable you to gather information about the various protocols and the network. Traditionally, these utilities run from the command line, although graphical versions are sometimes supplied. In many cases, a program uses the same syntax, even on different operating systems. This lesson examines some of the most common TCP/IP utilities and the purposes for which they are used.

After this lesson, you will be able to

  • Understand the functions of the primary TCP/IP utilities

Estimated lesson time: 20 minutes


Ping

Ping is the most basic of the TCP/IP utilities, and virtually every TCP/IP implementation includes a version of it. On UNIX systems the program is called ping, on Microsoft Windows it is PING.EXE, and NetWare even includes a server-based version called PING.NLM. Ping tells you whether the TCP/IP stack of another system on the network is reachable and answering. The program generates a series of Echo Request messages using the Internet Control Message Protocol (ICMP) and transmits them to the computer whose name or IP address you specify on the command line. The basic syntax of the ping program is as follows:

 ping target 

The target variable contains the IP address or name of a computer on the network. You can use either DNS names or NetBIOS names in ping commands. The program resolves the name into an IP address before sending the Echo Request messages, and it then displays the address in its readout. Most ping implementations also have command-line switches that enable you to modify the operational parameters of the program, such as the number of Echo Request messages it generates and the amount of data in each message (on Windows, -n sets the count and -l the payload size; -t sends requests continuously until you press Ctrl+C).

The TCP/IP specifications require every host to answer an Echo Request addressed to it by generating an Echo Reply message and transmitting it back to the sender. In practice a host firewall, or a packet filter somewhere on the path, may be configured to drop Echo Requests, so a host that does not answer is not necessarily down. When the pinging computer receives the Echo Reply messages, it produces a display like the following:

Pinging cz1 [] with 32 bytes of data:

Reply from bytes=32 time<10ms TTL=128
Reply from bytes=32 time<10ms TTL=128
Reply from bytes=32 time<10ms TTL=128
Reply from bytes=32 time<10ms TTL=128

Ping statistics for :
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

In the case of this ping implementation (from Windows 2000), the display shows the IP address of the computer receiving the Echo Requests, the number of bytes of data included with each request, the elapsed time between the transmission of each request and the receipt of each reply, and the value of the Time To Live (TTL) field in the IP header of each reply. In this particular example, the target computer was on the same LAN, so the time measurement is very short (less than 10 milliseconds), and the TTL of 128, the Windows default, arrived undiminished because no router handled the reply. When pinging a computer on the Internet, the interval is likely to be longer and the TTL lower, by one for each router the reply crossed. A successful ping like this one indicates that the target computer's networking hardware is functioning properly, as are the protocols, at least as high as the network layer of the Open Systems Interconnection (OSI) model; it says nothing about whether any particular service on that computer is running. If the ping test fails, one of the computers may be experiencing a problem with its networking hardware or software, but a host firewall or a router access list that drops ICMP Echo Requests produces exactly the same "Request timed out" result, so a failed ping on its own does not prove that the target is down.


Traceroute

Traceroute is a variant of the ping program that displays the path that packets take to their destination. Because of the nature of IP routing, paths through an internetwork can change from minute to minute, and traceroute displays a list of the routers that are currently forwarding packets to a particular destination. The program is called traceroute on UNIX systems, TRACERT.EXE on Windows, and IPTRACE.NLM on NetWare.

The Windows version of the program uses ICMP Echo Request and Echo Reply messages just as ping does; the UNIX version sends UDP datagrams to a high-numbered port instead. Both work the same way, by varying the value of the TTL field in the IP header of each probe. The TTL field is designed to prevent packets from getting caught in router loops that keep them circulating endlessly around the network. The computer generating the packet normally sets a relatively high value for the TTL field; on Windows systems, the default value is 128. Each router that processes the packet reduces the TTL value by one. If the value reaches zero, the router that decremented it discards the packet and transmits an ICMP Time Exceeded error message back to the original sender.

When you start the traceroute program with the name or IP address of a target computer, the program generates its first set of probes (three per hop in the Windows version) with TTL values of 1. When the messages arrive at the first router on their path, the router decrements their TTL values to 0, discards the packets, and reports the errors to the sender. The error messages carry the router's own address as their source, which the traceroute program displays as the first hop in the path to the destination. The second set of probes uses a TTL value of 2, causing the second router on the path to discard the packets and generate error messages. The probes in the third set have a TTL value of 3, and so on. Each set of packets travels one hop farther than the previous set before causing a router to return error messages to the source. The list of routers displayed by traceroute as the path to the destination is the result of these error messages. The trace ends when the destination itself answers: with an Echo Reply in the Windows version, or, in the UNIX version, with an ICMP Port Unreachable message, because the probes are addressed to a UDP port on which nothing is listening. The following is an example of a traceroute display:

 Tracing route to www.abccorp.co.uk [] over a maximum of 30 hops:
1 <10 ms 1 ms <10 ms
2 105 ms 92 ms 98 ms qrvl-67terminal01.epoch.net []
3 101 ms 110 ms 98 ms qrvl.epoch.net []
4 123 ms 109 ms 118 ms svcr03-7b.epoch.net []
5 123 ms 112 ms 114 ms clsm02-2.epoch.net []
6 136 ms 130 ms 133 ms sl-gw19-pen-6-1-0-T3.sprintlink.net []
7 143 ms 126 ms 138 ms sl-bb10-pen-4-3.sprintlink.net []
8 146 ms 129 ms 133 ms sl-bb20-pen-12-0.sprintlink.net []
9 131 ms 128 ms 139 ms sl-bb20-nyc-13-0.sprintlink.net []
10 130 ms 134 ms 134 ms sl-gw9-nyc-8-0.sprintlink.net []
11 147 ms 149 ms 152 ms sl-demon-1-0.sprintlink.net []
12 154 ms 146 ms 145 ms ny2-backbone-1-ge021.router.demon.net []
13 230 ms 225 ms 226 ms tele-backbone-1-ge023.router.demon.net []
14 233 ms 220 ms 226 ms tele-core-3-fxp1.router.demon.net []
15 223 ms 224 ms 224 ms tele-access-1-14.router.demon.net []
16 236 ms 221 ms 226 ms tele-service-2-165.router.demon.net []
17 220 ms 224 ms 210 ms www.abccorp.co.uk []
Trace complete.

In this example, traceroute is displaying the path between a computer in Pennsylvania and one in the United Kingdom. Each hop line shows the elapsed times for three probes, measured from the transmission of each probe to the receipt of that router's Time Exceeded message (or, at the final hop, the destination's reply). In this trace, you can clearly see the point at which the packets begin traveling across the Atlantic Ocean. At hop 13, the elapsed times increase from approximately 150 to 230 milliseconds (ms) and stay in that range for the subsequent hops. This additional delay of only 80 ms is the time it takes the packets to travel the thousands of miles across the Atlantic Ocean and back.

Traceroute can be a handy tool for isolating the location of a network communications problem. Ping simply tells you whether or not a problem exists; it can't tell you where. A failure to contact a remote computer could be due to a problem in your workstation, in the remote computer, or in any of the routers in between. Traceroute can tell you how far your packets are going before they run into the problem.

Because the configuration of the Internet is constantly changing, there is no guarantee that the route displayed by the traceroute program is completely accurate. The IP datagrams that execute each step of the traceroute process may in fact be taking different routes to the same destination, resulting in the display of a composite route between two points that doesn't actually exist. Traceroute also shows only the outbound direction; the replies may travel back by a different path. A hop that appears as three asterisks is one whose router did not answer within the timeout: many routers rate-limit or suppress the ICMP errors they send, and a filter may drop them. As long as later hops still answer, the packets are still being forwarded through that router, so an asterisk on its own is not a sign of a fault.
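The two mechanisms this lesson has described so far, the ICMP Echo Request that ping sends and the rising-TTL probing that TRACERT.EXE performs with the same messages, are shown together below in working code. This is an added example and not code from the original lesson: the ICMP header layout and the checksum are the real protocol (RFC 792 and RFC 1071), but the router path, the addresses (taken from the documentation ranges) and the "silent" router that never sends a Time Exceeded error are constructed for the example and are assumptions, not captured traffic. The simulation sends one probe per TTL rather than TRACERT's three.

```python
"""Added example, not code from the original lesson: build the ICMP Echo
Request that ping sends, and drive Echo Requests through a simulated router
path with rising TTL values the way TRACERT.EXE does.

The ICMP header layout and checksum are the real protocol (RFC 792 and
RFC 1071). The router path, the addresses (documentation ranges) and the
behaviour of the silent router are constructed for the example and are
assumptions, not captured traffic."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP Echo: type(1) code(1) checksum(2) identifier(2) sequence(2) data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)    # computed with checksum field = 0
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def checksum_ok(message: bytes) -> bool:
    """A received message verifies when the checksum over all of it is zero."""
    return icmp_checksum(message) == 0


class SimulatedPath:
    """Constructed network: a list of router addresses, then the destination.
    Routers named in `silent` discard an expired packet without sending the
    ICMP Time Exceeded error, which is what shows up as "* * *" in a trace."""

    def __init__(self, routers, destination, silent=()):
        self.routers = list(routers)
        self.destination = destination
        self.silent = set(silent)

    def send(self, ttl: int, request: bytes):
        """Deliver one Echo Request carried in an IP packet with this TTL.
        Returns ("time-exceeded", router), ("echo-reply", host, reply) or
        None when the router that dropped the packet stays silent."""
        for router in self.routers:
            ttl -= 1                          # every router decrements TTL
            if ttl == 0:                      # expired here: discard + ICMP error
                return None if router in self.silent else ("time-exceeded", router)
        # The destination answers an Echo Request with an Echo Reply that
        # repeats the identifier, sequence number and payload.
        _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
        reply = build_echo(ICMP_ECHO_REPLY, ident, seq, request[8:])
        return ("echo-reply", self.destination, reply)


def traceroute(path: SimulatedPath, max_hops: int = 30, ident: int = 0x1234):
    """TRACERT's algorithm with one probe per TTL: probe with TTL 1, 2, 3, ...
    until the destination itself replies or max_hops is reached. Returns
    (hops, reached); hops is a list of (ttl, address) with None for a hop
    that never answered."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = build_echo(ICMP_ECHO_REQUEST, ident, ttl, b"tracert-probe")
        answer = path.send(ttl, probe)
        if answer is None:
            hops.append((ttl, None))
        elif answer[0] == "time-exceeded":
            hops.append((ttl, answer[1]))
        else:
            _, host, reply = answer
            if not checksum_ok(reply):
                raise ValueError("Echo Reply failed checksum")
            hops.append((ttl, host))
            return hops, True
    return hops, False


if __name__ == "__main__":
    path = SimulatedPath(["192.0.2.1", "198.51.100.1", "198.51.100.9"],
                         "203.0.113.80", silent={"198.51.100.1"})
    hops, reached = traceroute(path)
    for ttl, address in hops:
        print(f"{ttl:3d}  {address if address else '*'}")
    print("Trace complete." if reached else "Trace incomplete.")
```

Run as a script, the block prints a four-hop trace in which hop 2 is an asterisk, exactly the situation the paragraph above describes: the packets still reach hops 3 and 4, so the silent router is forwarding them even though it never reports itself. Sending real probes needs a raw socket and administrator rights, which is why the path is simulated here.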

Ifconfig and IPCONFIG.EXE

UNIX systems have a program called ifconfig (the name is derived from interface configuration) that you use to assign TCP/IP configuration parameters to a particular network interface. Running ifconfig with just the name of an interface displays the current configuration of that interface. Windows 2000 and Windows NT have a version of this program, IPCONFIG.EXE, which omits the configuration capabilities and retains the configuration display. Windows Me, Windows 95, and Windows 98 include a graphical version of the utility called WINIPCFG.EXE.

When you run IPCONFIG.EXE with the /all parameter at the Windows 2000 command line, you see a display like the following:

 Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : cz2-w2ksvr
Primary DNS Suffix . . . . . . . : zacker2.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : zacker2.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-01-02-68-24-DD
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

Running the program with no parameters displays a limited list of configuration data. Running WINIPCFG.EXE (which you must do by finding the file in the \Windows directory and executing it because there is no shortcut on the Start menu) produces a display like the one shown in Figure 10.8.

Figure 10.8  The Windows 98 WINIPCFG.EXE utility

Both IPCONFIG.EXE and WINIPCFG.EXE also have another function. These utilities are often associated with DHCP, because there is no easier way on a Windows system to see what IP address and other parameters the DHCP server has assigned to your computer. However, these programs also enable you to manually release IP addresses obtained through DHCP and renew existing leases. By running IPCONFIG.EXE with the /release and /renew command-line parameters or by using the Release, Renew, Release All, or Renew All buttons in WINIPCFG.EXE, you can release or renew the IP address assignment of one of the network interfaces in the computer or for all of the interfaces at once.


ARP.EXE

The Address Resolution Protocol (ARP) enables a TCP/IP computer to convert IP addresses to the hardware addresses that data-link layer protocols need to transmit frames. IP uses ARP to discover the hardware address to which each of its datagrams will be transmitted. To minimize the amount of network traffic ARP generates, the computer stores the resolved hardware addresses in a cache in system memory. The information remains in the cache for a short period of time (usually between 2 and 10 minutes), in case the computer has additional packets to send to the same address. ARP carries no authentication: the computer stores whatever hardware address arrives in a reply, so the cache reflects only what the LAN has told it, not what is known to be correct.

For more information about ARP and its function, see Lesson 1: TCP/IP Protocols, in Chapter 8, "TCP/IP Fundamentals."

Windows systems include a command-line utility called ARP.EXE that you can use to manipulate the contents of the ARP cache. For example, you can use ARP.EXE to add the hardware addresses of computers you contact frequently to the cache, thus saving time and network traffic during the connection process. Addresses that you add to the cache manually are static, meaning that they are not deleted after the usual expiration period and are not overwritten by a later ARP reply; for that reason administrators also use a static entry to pin the hardware address of an important host such as the default gateway. The cache is stored in memory only, however, so it is erased when you reboot the computer. If you want to preload the cache whenever you boot your system, you can create a batch file containing ARP.EXE commands and execute it from the Windows Startup group.

ARP.EXE uses the following syntax:

 ARP [-a {ipaddress} {-N interface}] [-s ipaddress hwaddress {interface}] [-d ipaddress {interface}] 
  • -a {ipaddress}  This parameter displays the contents of the ARP cache. The optional ipaddress variable specifies the address of a particular cache entry to be displayed.
  • -N interface  Used together with -a, this parameter restricts the display to the cache of one network interface, where interface is the IP address assigned to that interface in the local system. Note that the N is uppercase.
  • -s ipaddress hwaddress {interface}  This parameter adds a static entry to the ARP cache, where the ipaddress variable contains the IP address of the computer, the hwaddress variable contains the hardware address of the same computer written as six hexadecimal bytes separated by hyphens (for example, 00-50-8b-e8-39-7a), and the optional interface variable contains the IP address of the network interface in the local system whose cache you want to modify.
  • -d ipaddress {interface}  This parameter deletes the entry in the ARP cache that is associated with the computer represented by the ipaddress variable. The optional interface variable specifies the cache from which the entry should be deleted.

The ARP table of a Windows 2000 computer, as displayed by ARP.EXE, appears as follows:

Interface:  on Interface 0x1000003
  Internet Address      Physical Address      Type
                        00-50-8b-e8-39-7a     dynamic
                        08-00-4e-a5-70-0f     dynamic
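Since the cache holds whatever the LAN last told the computer, the practical check is to compare the table ARP.EXE -a prints with the mappings you know to be right, as a script like the following does. This is an added example, not code from the original lesson: the sample output is constructed in the Windows 2000 layout shown above, using addresses from the documentation ranges, and the baseline of expected gateway addresses is an assumption made for the example.

```python
"""Added example, not code from the original lesson: read the table that
ARP.EXE -a prints and compare it with the mappings the administrator knows to
be right. ARP has no authentication, so a cache entry is only as good as the
last reply the computer heard; checking the live cache against a baseline is
the usual first step when a LAN host starts misbehaving.

The sample output is constructed in the Windows 2000 layout shown in the
lesson, with addresses from the documentation ranges; the baseline mappings
are assumptions for the example."""
import re
from collections import defaultdict

# Constructed `arp -a` output. The gateway (192.0.2.1) shows the same MAC as
# 192.0.2.23, and not the MAC the baseline expects for it.
SAMPLE_ARP_A = """\
Interface: 192.0.2.6 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.0.2.1             00-50-8b-e8-39-7a     dynamic
  192.0.2.10            08-00-4e-a5-70-0f     dynamic
  192.0.2.23            00-50-8b-e8-39-7a     dynamic

Interface: 198.51.100.6 on Interface 0x2000004
  Internet Address      Physical Address      Type
  198.51.100.1          00-0c-29-11-22-33     static
"""

# Assumed baseline: the hardware addresses the gateways are known to have.
EXPECTED = {"192.0.2.1": "00-0c-29-aa-bb-cc", "198.51.100.1": "00-0c-29-11-22-33"}

IFACE_RE = re.compile(r"^Interface:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ENTRY_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
                      r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+"
                      r"(?P<type>static|dynamic)\s*$", re.IGNORECASE)


def parse_arp_table(text: str):
    """Return (interface_ip, ip, mac, type) tuples, MACs lower-cased."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("ip")          # entries that follow belong here
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((iface, m.group("ip"), m.group("mac").lower(),
                            m.group("type").lower()))
    return entries


def audit_arp(entries, expected):
    """Findings (strings) where the cache disagrees with `expected` {ip: mac}
    or where one MAC is cached for more than one IP address."""
    findings = []
    for _, ip, mac, kind in entries:
        want = expected.get(ip, "").lower()
        if want and want != mac:
            findings.append(f"{ip}: cache has {mac}, baseline says {want} ({kind} entry)")
    by_mac = defaultdict(set)
    for _, ip, mac, _ in entries:
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} is cached for several addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    entries = parse_arp_table(SAMPLE_ARP_A)
    for finding in audit_arp(entries, EXPECTED):
        print("WARNING:", finding)
    # Pinning a gateway with a static entry stops a later reply from
    # overwriting it (until the next reboot, as the lesson notes).
    for ip, mac in EXPECTED.items():
        print(f"arp -s {ip} {mac}")
```

One hardware address cached for two IP addresses is not always wrong (a router that proxies ARP for a subnet legitimately answers for many addresses), which is why the script reports it as a finding to investigate rather than deleting the entry; the baseline comparison on the gateway is the decisive check.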


Netstat

Netstat is a command-line program that displays information about the current network connections of a computer running TCP/IP and about the traffic generated by the various TCP/IP protocols. On UNIX computers, the program is simply called netstat, and on Windows computers, it's called NETSTAT.EXE. The command-line parameters differ for the various implementations of netstat, but the information they display is roughly the same. The syntax for the Windows version of NETSTAT.EXE is as follows:

 NETSTAT [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval] 
  • -a  Displays all current network connections and the ports that are currently listening for incoming connections; without -a, only the established connections appear
  • -e  Displays incoming and outgoing traffic statistics for the network interface, broken down into bytes, unicast packets, nonunicast packets, discards, errors, and unknown protocols
  • -n  Displays addresses and port numbers in numeric form instead of resolving them to names; this is faster and avoids generating DNS queries while you investigate
  • -s  Displays detailed network traffic statistics for the IP, ICMP, TCP, and UDP protocols
  • -p protocol  Restricts the display to the protocol specified by the protocol variable (TCP or UDP; with -s, also IP or ICMP)
  • -r  Displays the routing table plus the current active connections
  • interval  Refreshes the display every interval seconds until you press Ctrl+C

The network connection listing displayed by NETSTAT.EXE on a Windows 2000 computer appears as follows:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    CZ6:epmap              CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:microsoft-ds       CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:1051               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:1070               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:2883               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3348               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3517               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3907               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3937               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3941               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3952               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3956               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:4062               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:6103               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:pop3               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:1365               CZ6.zacker1.com:pop3   TIME_WAIT
  TCP    CZ6:1367               CZ6.zacker1.com:pop3   TIME_WAIT
  TCP    CZ6:netbios-ssn        CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3846               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:3937               CZ10:1026              ESTABLISHED
  TCP    CZ6:3941               CZ10:1232              ESTABLISHED
  TCP    CZ6:3952               CZ10:1026              ESTABLISHED
  TCP    CZ6:3956               CZ10:1232              ESTABLISHED
  TCP    CZ6:4367               CZ6.zacker1.com:0      LISTENING
  TCP    CZ6:4367               CZ10:netbios-ssn       ESTABLISHED
  UDP    CZ6:ntp                *:*
  UDP    CZ6:epmap              *:*
  UDP    CZ6:microsoft-ds       *:*
  UDP    CZ6:1026               *:*
  UDP    CZ6:1039               *:*
  UDP    CZ6:1046               *:*
  UDP    CZ6:1193               *:*
  UDP    CZ6:3938               *:*
  UDP    CZ6:3939               *:*
  UDP    CZ6:3953               *:*
  UDP    CZ6:3954               *:*
  UDP    CZ6:2677               *:*
  UDP    CZ6:3879               *:*
  UDP    CZ6:3942               *:*
  UDP    CZ6:netbios-ns         *:*
  UDP    CZ6:netbios-dgm        *:*
  UDP    CZ6:isakmp             *:*

The interface statistics display looks like this:

Interface Statistics

                           Received            Sent

Bytes                     855899622      2031780028
Unicast packets              744616         1304524
Non-unicast packets           50810            1421
Discards                          0               0
Errors                            0               0
Unknown protocols             33220
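The connection listing is most useful when you reduce it to the questions an administrator actually asks of it: which ports are accepting traffic, which of those the baseline does not account for, and who is connected to them right now. The script below does that over a table in the format shown above. It is an added example, not code from the original lesson: the sample is constructed in the Windows 2000 layout with -n in effect, so ports appear as numbers (135 = epmap, 445 = microsoft-ds, 139 = netbios-ssn, 110 = pop3, 137 = netbios-ns), the addresses come from the documentation ranges, and the allowlist of expected listeners is an assumption for the example rather than a recommendation.

```python
"""Added example, not code from the original lesson: parse the Active
Connections table that NETSTAT.EXE -a -n prints and extract what an
administrator actually checks from it: which ports are accepting traffic,
which of those the baseline does not account for, and who is connected to
them right now.

The table is constructed in the Windows 2000 layout shown in the lesson, with
-n so ports appear as numbers (135 = epmap, 445 = microsoft-ds, 139 =
netbios-ssn, 110 = pop3, 137 = netbios-ns). Addresses come from the
documentation ranges, and the allowlist is an assumption for the example."""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6103           0.0.0.0:0              LISTENING
  TCP    192.0.2.6:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.6:1365         192.0.2.6:110          TIME_WAIT
  TCP    192.0.2.6:3937         192.0.2.10:1026        ESTABLISHED
  TCP    192.0.2.6:4367         192.0.2.10:139         ESTABLISHED
  TCP    192.0.2.6:6103         203.0.113.7:3311       ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:500            *:*
  UDP    192.0.2.6:137          *:*
"""

# Assumed baseline: the (protocol, port) pairs this computer is supposed to
# have open.
EXPECTED_LISTENERS = {("tcp", 135), ("tcp", 139), ("tcp", 445),
                      ("udp", 123), ("udp", 137), ("udp", 500)}


def split_endpoint(endpoint: str):
    """'host:port' -> (host, port as int), with None for the UDP '*' port."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    """One dict per socket line; title and column-header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        rows.append({"proto": parts[0].lower(), "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})  # UDP: no state
    return rows


def listeners(rows):
    """Sockets that accept traffic: TCP sockets in LISTENING, plus every UDP
    socket (UDP has no state, so a bound socket is a listener)."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if r["proto"] == "udp" or r["state"] == "LISTENING"})


def unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    return [sock for sock in listeners(rows) if sock not in expected]


def established_peers(rows):
    """Remote hosts with a live TCP session, with (local, remote) port pairs."""
    peers = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers.setdefault(r["fhost"], set()).add((r["lport"], r["fport"]))
    return peers


def sessions_on_unexpected(rows, expected=EXPECTED_LISTENERS):
    """ESTABLISHED sessions whose local port is an unexpected listener: the
    remote side is already talking to something the baseline does not know."""
    suspect = set(unexpected_listeners(rows, expected))
    return [(r["fhost"], r["fport"], r["lport"]) for r in rows
            if r["state"] == "ESTABLISHED" and (r["proto"], r["lport"]) in suspect]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listeners(rows))
    print("not in baseline:", unexpected_listeners(rows))
    for host, rport, lport in sessions_on_unexpected(rows):
        print(f"WARNING: {host}:{rport} is connected to local port {lport}")
    for host, ports in established_peers(rows).items():
        print("peer", host, sorted(ports))
```

On the constructed sample the script flags TCP ports 110 and 6103 as outside the baseline and reports that 203.0.113.7 already holds a session on port 6103. The listing alone cannot say which program opened a port; that requires a version of netstat that reports the owning process, or a separate tool, so the next step after a finding like this is to identify the process on the machine itself.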


NBTSTAT.EXE

NBTSTAT.EXE is a Windows command-line program that displays information about the NetBIOS over TCP/IP names and sessions that Windows uses when communicating with other Windows computers on the TCP/IP LAN. The syntax for NBTSTAT.EXE is as follows:

 NBTSTAT [-a name] [-A ipaddress] [-c] [-n] [-r] [-R] [-s] [-S] [-RR] 
  • -a name  Displays the NetBIOS name table of the remote computer identified by the name variable
  • -A ipaddress  Displays the NetBIOS name table of the remote computer identified by the ipaddress variable. Any computer with NetBIOS over TCP/IP enabled answers this query (sent to UDP port 137) from anyone able to reach it, so the same command is also a simple way for an outsider to enumerate host, workgroup or domain, and logged-on user names, which is one reason to block port 137 at the network perimeter.
  • -c  Displays the contents of the local computer's NetBIOS name cache
  • -n  Displays the NetBIOS names registered on the local computer
  • -r  Displays the number of NetBIOS names registered and resolved by the local computer, using both broadcasts and WINS
  • -R  Purges the local computer's NetBIOS name cache of all entries and reloads the LMHOSTS file
  • -s  Displays a list of the computer's currently active NetBIOS sessions (identifying remote computers by name), their current status, and the amount of data transmitted to and received from each system
  • -S  Displays a list of the computer's currently active NetBIOS sessions (identifying remote computers by IP address), their current status, and the amount of data transmitted to and received from each system
  • -RR  Sends name release requests to the WINS server, then re-registers (refreshes) the local computer's names

Unlike the other utilities discussed in this section, the command-line parameters for NBTSTAT.EXE are case-sensitive.

The NetBIOS cache listing as displayed by NBTSTAT.EXE on a Windows 2000 computer appears as follows:

Local Area Connection:
Node IpAddress: [] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    CZ10           <20>  UNIQUE                      345

The list of NetBIOS names registered by a computer looks like this:

Local Area Connection:
Node IpAddress: [] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CZ6            <00>  UNIQUE      Registered
    ZACKER1        <00>  GROUP       Registered
    CZ6            <03>  UNIQUE      Registered
    CZ6            <20>  UNIQUE      Registered
    ZACKER1        <1E>  GROUP       Registered

    MAC Address = 00-D0-B7-AD-1A-7B


Nslookup

Nslookup (on UNIX systems) and NSLOOKUP.EXE (in Windows 2000 and Windows NT) are command-line utilities that enable you to generate DNS request messages and transmit them to specific DNS servers on the network. The basic syntax of NSLOOKUP.EXE is as follows:

 NSLOOKUP DNSname DNSserver 
  • DNSname  Specifies the DNS name that you want to resolve
  • DNSserver  Specifies the DNS name or IP address of the DNS server that you want to query for the name specified in the DNSname variable

The output generated by the program looks like the following:

C:\>nslookup www.microsoft.com
Server:  ns1-dlls.epoch.net
Address:

Non-authoritative answer:
Name:    www.microsoft.akadns.net
Addresses:  , , ,
Aliases:  www.microsoft.com

The advantage of nslookup is that you can test the functionality and the quality of the information on a specific DNS server by specifying it on the command line, instead of relying on whichever server your computer is configured to use. The "Non-authoritative answer" label in the output above means that the server answered from its cache rather than as the authority for the zone. By running nslookup with no command-line parameters, you enter interactive mode, where commands such as server (to switch to a different DNS server) and set type= (to request a record type other than the default address record, such as MX or NS) give you access to its many options.
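What nslookup does underneath is build a DNS query message, send it to the chosen server, and interpret the answer section of the reply; the output above, in which www.microsoft.com turns out to be an alias for a name with several addresses, is the result of following a CNAME record to the A records it points at. The block below builds such a query and parses such a reply by hand. It is an added example, not code from the original lesson or from any nslookup implementation: only the wire format (RFC 1035) is real, while the reply bytes are constructed here to mirror the lesson's output, and the addresses, from the documentation ranges, are assumptions.

```python
"""Added example, not code from the original lesson: the query that nslookup
sends and the reply it interprets, built and parsed by hand. Only the wire
format is real (RFC 1035); the reply bytes are constructed here to mirror the
lesson's output, where www.microsoft.com is an alias (CNAME) for a name that
has several addresses. The addresses are from documentation ranges and are
assumptions for the example."""
import struct

QTYPE_A, QTYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, ident: int = 0x1234) -> bytes:
    """Standard query with one question and Recursion Desired set."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read a name that may use compression pointers (0xC0xx); return
    (name, offset just after the name as it appears at the call site)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            jumps += 1
            if jumps > 16:                        # guard against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes):
    """Return (ident, flags, answers); answers are (name, type, ttl, data)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                           # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            data = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == QTYPE_CNAME:
            data, _ = decode_name(msg, offset)
        else:
            data = msg[offset:offset + rdlen].hex()
        answers.append((name, rtype, ttl, data))
        offset += rdlen
    return ident, flags, answers


def nslookup_view(qname: str, answers):
    """Reduce an answer section to what nslookup prints: the canonical name,
    its addresses and the aliases that led to it."""
    cnames = {a[0]: a[3] for a in answers if a[1] == QTYPE_CNAME}
    aliases, name = [], qname
    while name in cnames and name not in aliases:   # follow the alias chain
        aliases.append(name)
        name = cnames[name]
    addresses = [a[3] for a in answers if a[1] == QTYPE_A and a[0] == name]
    return name, addresses, aliases


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply (an assumption, not a real server's): same ID, same
    question, QR/RD/RA set, one CNAME then three A records, using pointers."""
    ident = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 4, 0, 0)
    target = encode_name("www.microsoft.akadns.net")
    cname_rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_CNAME, CLASS_IN, 3600, len(target)) + target
    target_offset = len(header) + len(question) + 2 + 10   # where `target` sits
    a_rrs = b"".join(struct.pack("!H", 0xC000 | target_offset)
                     + struct.pack("!HHIH4B", QTYPE_A, CLASS_IN, 300, 4, *ip)
                     for ip in ((192, 0, 2, 10), (192, 0, 2, 11), (198, 51, 100, 20)))
    return header + question + cname_rr + a_rrs


if __name__ == "__main__":
    query = build_query("www.microsoft.com")
    reply = build_sample_response(query)
    ident, flags, answers = parse_response(reply)
    if ident != struct.unpack("!H", query[:2])[0]:  # the only binding of reply to query
        raise SystemExit("reply ID does not match our query; discard it")
    name, addresses, aliases = nslookup_view("www.microsoft.com", answers)
    print("Non-authoritative answer:" if flags & 0x0400 == 0 else "Authoritative answer:")
    print("Name:    ", name)
    print("Addresses:", ", ".join(addresses))
    print("Aliases:  ", ", ".join(aliases))
```

Two details in the parser are there for a reason. The 16-bit identifier is the only thing that ties a reply to the query a client sent, so a client must check it (and the echoed question) before believing the answer. And compression pointers are followed with a jump limit, because a message whose pointer refers back to itself would otherwise keep a naive parser looping forever.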


Telnet

The Telecommunications Network Protocol (Telnet) is a command-line client/server program that essentially provides remote control capabilities for computers on a network. A user on one computer can run a Telnet client program and connect to the Telnet server on another computer. Once connected, that user can execute commands on the other system and view the results. It's important to distinguish this type of remote control access from simple access to the remote file system. When you use a Telnet connection to execute a program on a remote computer, the program actually runs on the remote computer. By contrast, if you use Windows to connect to a shared drive on another computer and execute a program, the program runs on your computer. Telnet provides no encryption: everything in the session, including the user name and password typed at login, crosses the network in the clear and can be read by anyone able to capture the traffic, which is why Secure Shell (SSH) has largely replaced it for administrative access.

Telnet was originally designed for use on UNIX systems, and it is still an extremely important tool for UNIX network administrators. The various Windows operating systems all include a Telnet client. Windows 2000 has a strictly command-line client, but Windows NT, Windows Me, Windows 95, and Windows 98 have a semigraphical client that still provides command-line access to servers, as shown in Figure 10.9. Only Windows 2000 and later versions have a Telnet server because Windows is primarily a graphical operating system, and there isn't as much that you can do on a Windows server when you are connected to it with a character-based client like Telnet.

Figure 10.9  Windows 98 has a graphical Telnet client


FTP

The File Transfer Protocol (FTP) is similar to Telnet, but it is designed for performing file transfers instead of executing remote commands. FTP includes basic file management commands that can create and remove directories, rename and delete files, and manage access permissions. FTP has become a mainstay of Internet communications in recent years, but it also performs a vital role in communications between UNIX computers, all of which have both FTP client and server capabilities. All Windows computers have a character-based FTP client, but FTP server capabilities are built into the Internet Information Services (IIS) application that is included with the Windows 2000 Server and Windows NT Server products. Generally speaking, Windows computers don't need FTP for communications on a LAN because they can access the shared files on other computers directly. On many UNIX networks, however, FTP is an important tool for transferring files to and from remote computers. Like Telnet, standard FTP sends the user name, password and file contents unencrypted, so on untrusted networks it is best reserved for anonymous public downloads or replaced by an encrypted alternative such as SFTP (file transfer over SSH) or FTPS (FTP over TLS).

Exercise 1: TCP/IP Utilities

Match the utilities in the left column with their functions in the right column.

  1. FTP
  4. Ping
  5. Telnet
  6. Netstat
  9. ARP.EXE
  10. Ifconfig
  1. Provides remote control access to a UNIX system
  2. Displays TCP/IP configuration on a Windows 98 system
  3. Creates cache entries containing IP and hardware addresses
  4. Configures the network interface on a UNIX system
  5. Tests communications between two computers
  6. Transfers files between two computers
  7. Displays network traffic statistics
  8. Lists the routers forwarding packets to a particular destination
  9. Releases and renews IP address assignments on Windows 2000
  10. Displays NetBIOS connection information

Lesson Review

  1. Which TCP/IP utility should you use to most easily identify which router on your internetwork is malfunctioning?
    2. Ping
    3. Traceroute
    4. Netstat
  2. Which of the following protocols does the ping program never use to carry its messages?
    1. Ethernet
    2. ICMP
    3. IP
    4. UDP
  3. Which of the following commands displays the routing table on the local computer?
    1. Arp –r
    2. Netstat –r
    3. Nbtstat –r
    4. Telnet –r
  4. Which command would you use to purge the local computer's NetBIOS name cache?
    1. Nbtstat –p
    2. Nbtstat –P
    3. Nbtstat –r
    4. Nbtstat –R

Lesson Summary

  • Ping is a utility that tests whether one TCP/IP computer can communicate with another one.
  • Traceroute is a program that displays the path that packets take through a network to reach their destinations.
  • IPCONFIG.EXE and WINIPCFG.EXE are Windows programs that display information about the computer's TCP/IP configuration and manipulate DHCP IP address assignments.
  • ARP.EXE enables you to view and modify the contents of the ARP cache maintained by a TCP/IP system.
  • Netstat displays information about a computer's TCP/IP connections and the traffic passing over them.
  • NBTSTAT.EXE displays information about NetBIOS connections and their traffic.
  • Nslookup enables you to transmit DNS requests to specific servers.
  • Telnet is a character-based terminal emulation program that provides remote control access to another computer on the network.
  • FTP is a file transfer utility that enables you to manage files and transfer them to and from a remote computer.

Network+ Certification Training Kit
Year: 2001