Practical TCP/IP and Ethernet Networking - P19

9 TCP/IP utilities

Objectives
When you have completed study of this chapter you should be able to apply the
following utilities:
• Ping
• ARP
• NETSTAT
• NBTSTAT
• IPCONFIG
• WINIPCFG
• tracert
• ROUTE
Introduction
The TCP/IP utilities are discussed throughout the book. This section is designed to bring
them all together in one section for ease of reference, as they are very important in
network management and troubleshooting.
Most of the older utilities are DOS-based. However, more and more Windows-based
utilities are becoming available, many of them as freeware or shareware.
 6OTMVGIQKZ/TZKXTKZMXUVKX
‘Pinging’ is one of the easiest ways to test connectivity across the network and confirm
that an IP address is reachable. The DOS ping utility (ping.exe) uses ICMP to forward an
echo request packet to the destination address. The destination then responds with an
ICMP echo response packet. Although the test seems trivial at first sight, it is a powerful
diagnostic tool and can demonstrate correct operation between the Internet layers of two
:)6/6[ZOROZOKY


hosts across a WAN regardless of the distance and number of intermediate routers
involved.
Technically speaking, the ping utility can only ‘ping’ an IP address. This is due to the
fact that the ICMP messages are carried within IP datagrams, which require the source
and destination IP addresses in the header. Without this feature, it would have been
impossible to ‘ping’ across a router. If, therefore, the user does not know the IP address,
the name resolver on the local host system has to look it up e.g. via the domain name
system or in the hosts file.
The IP datagram, in turn, is transported by means of a network interface layer frame
(e.g. Ethernet), which requires, in its header, the MAC addresses of the source and
destination nodes on the local network. If this mapping is not to be found in the ARP cache, the
ARP protocol is invoked in order to obtain the MAC address. The result of this action
(the mapping of MAC address against IP address) is then stored in the ARP cache. The
easiest way to get an overall impression of the process is to capture the events described
here by means of a protocol analyzer.
If the IP address is known, the following format can be used:
• ping <IP Address> e.g. ping 192.100.100.4
Ping 192.100.100.255 will cause all hosts on network 192.100.100.0 to
respond and will cause unnecessary traffic

If the IP address is unknown, one of the following ways can be used to define the target
machine:
• ping <host name> e.g. ping computer1
This can be done provided computer1’s IP address has already been resolved
by NetBIOS
• ping <own machine> e.g. ping 127.0.0.1
This is a reserved IP address for loopback testing
• ping <own machine> e.g. ping localhost
This is a reserved name for loopback testing
• ping <domain name> e.g. ping www.idc-online.com
This will be resolved by the domain name system

There are several options available under the ping command, as shown below:

C:\WINDOWS.000>ping
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count]
            [[-j host-list] | [-k host-list]] [-w timeout] destination-list
Options
• t Ping the specified host until stopped
To see statistics and continue – type
Control-Break
To stop – type Control-C
• a Resolve addresses to hostnames
• n count Number of echo requests to send
• l size Send buffer size
• f Set don’t fragment flag in packet
• i TTL Time to live

• v TOS Type of service
• r count Record route for count hops
• s count Time-stamp for count hops
• j host-list Loose source route along host-list
• k host-list Strict source route along host-list
• w timeout Timeout in milliseconds to wait for each reply

C:\WINDOWS.000>
The following examples show how some of the ping options can be applied:
• Ping 193.2.45.66 -t will ‘ping’ the specified IP address repetitively until
stopped by typing Ctrl-C
• Ping 193.2.45.66 -n 10 will ‘ping’ the specified IP address 10 times instead
of the default of 4
• Ping 193.2.45.66 -l 3500 will ‘ping’ the specified IP address with 3500 bytes
of data instead of the default of 32 bytes

Here are some examples of what could be learned by using the ping command.
Example 1: A host with IP address 207.194.66.100 is being ‘pinged’ by another host
on the same subnet, i.e. with the same NetID. In this example both addresses are
conventional class C addresses. Note that the screen display differs between operating
systems, even between Windows95 and Windows98, although the basic parameters are
the same.
The following response is obtained:
C:\WINDOWS.000>ping 207.194.66.100
Pinging 207.194.66.100 with 32 bytes of data:
Reply from 207.194.66.100: bytes=32 time<10ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Ping statistics for 207.194.66.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\WINDOWS.000>
From the result, the following can be observed:
• The ICMP message contained 32 bytes
• The average RTT (round trip time) to the target host and back is in the
vicinity of 1 millisecond
• The TTL (time to live) remaining in the IP header after its return is 128.
Since TTL is normally set at an initial value representing 2^5 (i.e. 32), 2^6
(i.e. 64) or 2^7 (i.e. 128), it can be safely assumed that the TTL value was not
altered, and hence there are no routers between the source and destination
hosts

Example 2: A host with IP address 207.194.66.101 is now ‘pinged’. Although this host
is, in fact, nonexistent, it seems ‘legitimate’ since the NetIDs match. The originating host
will therefore attempt a ping, but a timeout will occur.
C:\WINDOWS.000>ping 207.194.66.101
Pinging 207.194.66.101 with 32 bytes of data:
:)6/6[ZOROZOKY


Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.194.66.101:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS.000>
Example 3. As before, but this time the NetID differs, i.e. the target host is assumed to
reside on a different network. Since, in this case, no default gateway has been
specified, the originating host does not even attempt to issue an ICMP message, and
immediately issues a ‘host unreachable’ response.

C:\WINDOWS.000>ping 208.194.66.100
Pinging 208.194.66.100 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Ping statistics for 208.194.66.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS.000>
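As an added example (not code from the book), the following Python script parses the three transcripts of Examples 1 to 3 and applies the TTL reasoning of Example 1 mechanically: it guesses the sender's initial TTL from the 32, 64 and 128 values the text names, reports the number of routers crossed, and distinguishes the three outcomes (replies, timeouts, and the local ‘host unreachable’ answer). The sample transcripts are constructed copies of the displays above.

```python
import re

# Constructed samples: the three ping transcripts from Examples 1-3 above,
# embedded so the parser runs offline.
PING_REACHABLE = """\
Pinging 207.194.66.100 with 32 bytes of data:
Reply from 207.194.66.100: bytes=32 time<10ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Ping statistics for 207.194.66.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
PING_TIMEOUT = """\
Pinging 207.194.66.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.194.66.101:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""
PING_UNREACHABLE = """\
Pinging 208.194.66.100 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Ping statistics for 208.194.66.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# Initial TTLs the chapter names: 2^5, 2^6 and 2^7.
COMMON_INITIAL_TTLS = (32, 64, 128)

REPLY_RE = re.compile(r"Reply from (\S+?): bytes=(\d+) time([<=])(\d+)ms TTL=(\d+)")
STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed value (None if above 128)."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def parse_ping(output):
    """Summarise one ping transcript: status, loss and an estimate of routers crossed."""
    result = {"status": "no output", "sent": 0, "received": 0, "lost": 0,
              "ttl": None, "initial_ttl": None, "router_hops": None, "rtts_ms": []}
    timeouts = unreachable = 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            result["ttl"] = int(m.group(5))
            # "time<10ms" is an upper bound; the bound is recorded, not a measurement.
            result["rtts_ms"].append(int(m.group(4)))
            continue
        if "Request timed out" in line:
            timeouts += 1
        elif "Destination host unreachable" in line:
            unreachable += 1
        s = STATS_RE.search(line)
        if s:
            result["sent"], result["received"], result["lost"] = map(int, s.groups())
    if result["ttl"] is not None:
        result["status"] = "reachable"
        initial = infer_initial_ttl(result["ttl"])
        result["initial_ttl"] = initial
        if initial is not None:
            # Each router decrements TTL by one, so the difference is the hop count.
            result["router_hops"] = initial - result["ttl"]
    elif unreachable:
        # The local stack answered: there is no route (no default gateway) to that NetID.
        result["status"] = "unreachable"
    elif timeouts:
        # ICMP was sent and nothing came back: host absent, down, or filtered.
        result["status"] = "timed out"
    return result


if __name__ == "__main__":
    for sample in (PING_REACHABLE, PING_TIMEOUT, PING_UNREACHABLE):
        print(parse_ping(sample))
```

The hop estimate is only as good as the assumption about the sender's initial TTL; a reply with TTL=57 is reported as 7 routers away on the assumption that the sender started at 64, which is what the text's power-of-two rule gives.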
The DOS ping command is not particularly ‘user friendly’. It is, for example, not
possible to ping a large number of hosts sequentially. There are, however, several
Windows-based Ping utilities available as freeware or shareware, of which TJPingPro is
an example.
The following example shows how a block of contiguous IP addresses can be pinged
with a single ‘click’, after setting up ‘start’ and ‘end’ IP addresses on the
options screen.

Figure 9.1
TJPingPro sequential scan (courtesy of Top Jimmy Software)

 '86
The arp utility (arp.exe) is used to display the arp cache which holds the IP to MAC
address translation of hosts on the local subnet. This utility is not to be confused with the
ARP (address resolution protocol) that actually determines the IP to MAC address
translation. The ARP utility can also be used to manually add entries to the cache, using
the -s option.
C:\WINDOWS.000>arp
Displays and modifies the IP-to-physical address translation tables used by address
resolution protocol (ARP).
ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]
-a Displays current ARP entries by interrogating the current
protocol data.
If inet_addr is specified, the IP and physical addresses for
only the specified computer are displayed. If more than one
network interface uses ARP, entries for each ARP table are
displayed.
-g Same as -a.
inet_addr Specifies an Internet address.
-N if_addr Displays the ARP entries for the network interface specified
by if_addr.
-d Deletes the host specified by inet_addr.
-s Adds the host and associates the Internet address inet_addr
with the physical address eth_addr. The physical address is
given as 6 hexadecimal bytes separated by hyphens. The
entry is permanent.
eth_addr Specifies a physical address.
if_addr If present, this specifies the Internet address of the interface
whose address translation table should be modified.
If not present, the first applicable interface will be used.
Example:
> arp -s 157.55.85.212 00-aa-00-62-c6-09 Adds a static entry.
> arp -a Displays the arp table.
The following shows a typical display in response to the arp -a command. Note the
third column, which indicates type. Entries in the arp cache can be entered manually as
static entries, but that poses a problem as IP addresses can be changed and physical
network cards (and hence MAC addresses) can be swapped, rendering the stored IP to
MAC address mapping useless unless updated. For this reason the ARP protocol (not to
be confused with the utility by the same name) binds IP addresses and physical (MAC)
addresses in a temporary (dynamic) way. Dynamic entries are deleted from the cache
after a few minutes, if not used.
C:\WINDOWS.000>arp -a
Interface: 0.0.0.0 on Interface 0x1000002
Internet Address Physical Address Type
192.100.100.7 00-00-c6-f6-34-43 static
192.100.100.99 00-00-fe-c6-57-a8 dynamic
C:\WINDOWS.000>
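The stale-static-entry problem described above can be checked for rather than discovered the hard way. As an added example (not code from the book), the following Python script parses an arp -a display, compares each static entry with a recorded known-good mapping, and reports a MAC address that appears against more than one IP address, which is what a router, proxy ARP or a corrupted cache looks like in the table. The sample display is a constructed copy of the one above; the KNOWN_GOOD table is an assumed record of what was entered with arp -s.

```python
import re
from collections import defaultdict

# Constructed sample: the arp -a display shown above, embedded so this runs offline.
ARP_A_OUTPUT = """\
Interface: 0.0.0.0 on Interface 0x1000002
  Internet Address      Physical Address      Type
  192.100.100.7         00-00-c6-f6-34-43     static
  192.100.100.99        00-00-fe-c6-57-a8     dynamic
"""

# Assumed record of the MAC that was entered for each static entry with arp -s.
KNOWN_GOOD = {"192.100.100.7": "00-00-c6-f6-34-43"}

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(static|dynamic)\s*$")


def parse_arp_table(text):
    """Return one dict per cache entry: ip, mac (lower-cased), type."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "mac": m.group(2).lower(), "type": m.group(3)})
    return entries


def audit_arp_table(entries, known_good):
    """Flag static entries that no longer match the recorded hardware, static entries
    nobody recorded, and a single MAC address mapped to several IP addresses."""
    findings = []
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
        expected = known_good.get(e["ip"])
        if e["type"] == "static" and expected is None:
            findings.append((e["ip"], "static entry with no recorded owner; verify it or remove it with arp -d"))
        elif expected is not None and expected.lower() != e["mac"]:
            findings.append((e["ip"], f"cached MAC {e['mac']} differs from recorded {expected.lower()}"))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append((mac, "one MAC mapped to several IPs (router, proxy ARP or corrupted cache): "
                             + ", ".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in audit_arp_table(parse_arp_table(ARP_A_OUTPUT), KNOWN_GOOD):
        print(*finding)
```

On the display above the audit is clean: the one static entry matches its record and each MAC appears once. Swapping the network card behind 192.100.100.7 without updating the static entry is exactly the case the text warns about, and it shows up as a mismatch against KNOWN_GOOD.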
:)6/6[ZOROZOKY


 4+:9:':
Netstat is used for obtaining protocol statistics and the current active connections that use
TCP/IP. Nowadays there are many Windows-based utilities that can do much more; yet in
an emergency netstat is certainly better than nothing at all. The netstat options
follow.
C:\WINDOWS.000>netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the
-s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display
per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for TCP, UDP and IP; the -p option may be used to
specify a subset of the default.
interval Re-displays selected statistics, pausing interval seconds
between each display.
Press CTRL+C to stop re-displaying statistics. If omitted,
netstat will print the current configuration information once.
C:\WINDOWS.000>
In response to the netstat -e command the following packet and protocol statistics are
displayed. This is a summary of events on the network since the last re-boot.
C:\WINDOWS.000>netstat -e
Interface Statistics
Received Sent
Bytes 2442301 1000682
Unicast packets 4769 3776
Non-unicast packets 113 4566
Discards 0 0
Errors 0 0
Unknown protocols 19
C:\WINDOWS.000>
 4(:9:':
This provides protocol statistics and current TCP/IP connections using NBT (NetBIOS
over TCP/IP). This is relevant to Windows 95/98 etc., which use NetBIOS for the
upper layers of the OSI model.
C:\WINDOWS.000>nbtstat /?
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over
TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r]
[-R] [-s] [S] [interval] ]
-a (adapter status) Lists the remote machine’s name table given
its name
-A (Adapter status) Lists the remote machine’s name table given
its IP address.
-c (cache) Lists the remote name cache including the IP
addresses
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP
addresses
-s (sessions) Lists sessions table converting destination IP
addresses to host names via the hosts file.
RemoteName Remote host machine name.
IP address Dotted decimal representation of the IP address.
Interval Re-displays selected statistics, pausing interval seconds
between each display. Press Ctrl+C to stop re-displaying
statistics.
C:\WINDOWS.000>
 /6)54,/-
This shows the entire TCP/IP configuration present in a host. It also has the additional
versatility of interfacing with a DHCP server to renew a leased IP address.
Ipconfig will return, amongst other things, the host’s IP address, its subnet mask and
default gateway.
C:\WINDOWS.000>ipconfig /?
Windows 98 IP Configuration
Command line options:
/All - Display detailed information.
/Batch [file] - Write to file or ./WINIPCFG.OUT
/renew_all - Renew all adapters.
/release_all - Release all adapters.
/renew N - Renew adapter N.
/release N - Release adapter N.
C:\WINDOWS.000>
An option often used is ‘ipconfig /all’. In the case of a multi-homed host, i.e. one with
more than one network interface card (including a dial-up modem), ‘ipconfig /all’ will
display the details of each card.
Note that ipconfig will list the generic name of the adapter. Therefore, a 3010 3Com US
Robotics 56K modem is simply listed as a PPP adapter, while a Linksys Ethernet
10BaseT/10Base2 Combo PCMCIA card is listed as a generic Novell 2000 adapter,
which it emulates.
C:\WINDOWS.000>ipconfig /all
Windows 98 IP Configuration
Host Name . . . . . . . . . : COMPUTER100
DNS Servers . . . . . . . . :
Node Type . . . . . . . . . : Broadcast
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No
:)6/6[ZOROZOKY


0 Ethernet adapter :
Description . . . . . . . . : PPP Adapter.
Physical Address. . . . . . : 44-45-53-54-00-00
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . :
DHCP Server . . . . . . . . : 255.255.255.255
Primary WINS Server . . . . :
Secondary WINS Server . . . :
Lease Obtained. . . . . . . :
Lease Expires . . . . . . . :
1 Ethernet adapter :
Description . . . . . . . . : Novell 2000 Adapter.
Physical Address. . . . . . : 00-E0-98-71-57-AF
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 207.194.66.100
Subnet Mask . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . :
Primary WINS Server . . . . :
Secondary WINS Server . . . :
Lease Obtained. . . . . . . :
Lease Expires . . . . . . . :
C:\WINDOWS.000>
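As an added example (not code from the book), the following Python script turns an ipconfig /all display into per-adapter field maps and then checks the two conditions visible in the display above: adapter 0 has DHCP enabled but holds no lease (address 0.0.0.0), and adapter 1 has no default gateway, which is the configuration that made Example 3 of the ping section answer ‘Destination host unreachable’. The sample display is a constructed copy of the one above.

```python
import re

# Constructed sample: the ipconfig /all display shown above, embedded so this runs offline.
IPCONFIG_ALL = """\
Windows 98 IP Configuration

        Host Name . . . . . . . . . : COMPUTER100
        DNS Servers . . . . . . . . :
        Node Type . . . . . . . . . : Broadcast
        NetBIOS Scope ID. . . . . . :
        IP Routing Enabled. . . . . : No
        WINS Proxy Enabled. . . . . : No
        NetBIOS Resolution Uses DNS : No

0 Ethernet adapter :

        Description . . . . . . . . : PPP Adapter.
        Physical Address. . . . . . : 44-45-53-54-00-00
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . :
        DHCP Server . . . . . . . . : 255.255.255.255
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :

1 Ethernet adapter :

        Description . . . . . . . . : Novell 2000 Adapter.
        Physical Address. . . . . . : 00-E0-98-71-57-AF
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 207.194.66.100
        Subnet Mask . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . :
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :
"""

# "0 Ethernet adapter :" starts a new adapter block.
ADAPTER_RE = re.compile(r"^\s*(\d+)\s+Ethernet adapter\b.*:\s*$")
# "Host Name . . . . : COMPUTER100" -> name "Host Name", value "COMPUTER100".
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Split the display into the host-wide block and one field map per adapter."""
    config = {"global": {}, "adapters": []}
    current = config["global"]
    for line in text.splitlines():
        a = ADAPTER_RE.match(line)
        if a:
            current = {}
            config["adapters"].append({"index": int(a.group(1)), "fields": current})
            continue
        f = FIELD_RE.match(line)
        if f:
            current[f.group(1)] = f.group(2)
    return config


def audit_adapters(config):
    """Per-adapter findings: DHCP enabled without a lease, and no default gateway."""
    findings = []
    for adapter in config["adapters"]:
        fields = adapter["fields"]
        if fields.get("DHCP Enabled") == "Yes" and fields.get("IP Address", "0.0.0.0") == "0.0.0.0":
            findings.append({"adapter": adapter["index"], "issue": "no_dhcp_lease"})
        if fields.get("Default Gateway", "") == "":
            # Without a gateway the stack reports off-subnet targets as unreachable.
            findings.append({"adapter": adapter["index"], "issue": "no_default_gateway"})
    return findings


if __name__ == "__main__":
    for finding in audit_adapters(parse_ipconfig(IPCONFIG_ALL)):
        print(finding)
```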
 =/4/6),-
Winipcfg (Windows IP Configuration) provides the same information as ‘ipconfig /all’,
but in a Windows format. Like ipconfig, it is capable of forcing a DHCP server into
releasing and reissuing leased IP addresses.


Figure 9.2
Windows IP configuration

It can be invoked from the DOS prompt, or from the Windows ‘run’ command. Click
the more details tab for an expanded view.

Figure 9.3
Winipcfg display (courtesy of Microsoft Corporation)
TRACEROUTE
This is often used to trace failures along a TCP/IP communications path. The spelling of
the command varies slightly. For UNIX it is traceroute, for Windows it is tracert.
The following listing shows the tracert options.
C:\WINDOWS.000>tracert
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Options:
-d Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-j host-list Loose source route along host-list.
-w timeout Wait timeout milliseconds for each reply.
C:\WINDOWS.000>
Here follows a route trace from Perth, Australia, to a server in the USA.
C:\WINDOWS.000>tracert www.idc-online.com
Tracing route to www.idc-online.com [216.55.154.228] over a maximum of 30 hops:
1 169ms 160ms 174ms slip202-135-15-3-0.sy.au.ibm.net [202.135.15.30]
2 213ms 297ms 296ms 152.158.248.250
3 624ms 589ms 533ms sfra1sr1-2-0-0-5.ca.us.prserv.net [165.87.225.46]
4 545ms 535ms 628ms sfra1sr2-101-0.ca.us.prserv.net [165.87.33.185]
5 564ms 562ms 573ms 165.87.160.193
6 558ms 564ms 573ms 114.ATM3-0.XR1.SFO1.ALTER.NET [146.188.148.210]
7 574ms 701ms 555ms 187.at-2-10.TR1.SAC1.ALTER.NET [152.63.50.230]
8 491ms 480ms 500ms 127.at-6-10.TR1.LAX9.ALTER.NET [152.63.5.101]
9 504ms 534ms 511ms 297.ATM7-0.XR1.LAX2.ALTER.NET [152.63.112.149]
10 500ms 478ms 491ms 195.ATM9-0-0.GW2.SDG1.ALTER.NET [146.188.249.81]
11 491ms 564ms 584ms anet-gw.customer.ALTER.NET [157.130.224.154]
12 575ms 554ms 613ms www.idc-online.com [216.55.154.228]
Trace complete.
C:\WINDOWS.000>
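As an added example (not code from the book), the following Python script parses the trace above into hops, takes the minimum of the three samples per hop as that hop's best-case round-trip time, and finds the hop at which the path's latency rises most over the previous hop. On this trace that is hop 3, the first hop on the US side, which is where the intercontinental link adds its delay. The sample is a constructed re-typing of the trace above in the standard tracert spacing; the parser also accepts ‘*’ for hops that did not answer.

```python
import re

# Constructed sample: the Perth-to-USA trace shown above, re-typed with the
# standard "169 ms" spacing of a real tracert display.
TRACERT_OUTPUT = """\
Tracing route to www.idc-online.com [216.55.154.228] over a maximum of 30 hops:

  1   169 ms   160 ms   174 ms  slip202-135-15-3-0.sy.au.ibm.net [202.135.15.30]
  2   213 ms   297 ms   296 ms  152.158.248.250
  3   624 ms   589 ms   533 ms  sfra1sr1-2-0-0-5.ca.us.prserv.net [165.87.225.46]
  4   545 ms   535 ms   628 ms  sfra1sr2-101-0.ca.us.prserv.net [165.87.33.185]
  5   564 ms   562 ms   573 ms  165.87.160.193
  6   558 ms   564 ms   573 ms  114.ATM3-0.XR1.SFO1.ALTER.NET [146.188.148.210]
  7   574 ms   701 ms   555 ms  187.at-2-10.TR1.SAC1.ALTER.NET [152.63.50.230]
  8   491 ms   480 ms   500 ms  127.at-6-10.TR1.LAX9.ALTER.NET [152.63.5.101]
  9   504 ms   534 ms   511 ms  297.ATM7-0.XR1.LAX2.ALTER.NET [152.63.112.149]
 10   500 ms   478 ms   491 ms  195.ATM9-0-0.GW2.SDG1.ALTER.NET [146.188.249.81]
 11   491 ms   564 ms   584 ms  anet-gw.customer.ALTER.NET [157.130.224.154]
 12   575 ms   554 ms   613 ms  www.idc-online.com [216.55.154.228]

Trace complete.
"""

# One RTT sample: "169 ms", "<1 ms" or "*" (no reply within the timeout).
RTT = r"(?:<?\d+\s*ms|\*)"
HOP_RE = re.compile(rf"^\s*(\d+)\s+({RTT})\s+({RTT})\s+({RTT})\s+(.+?)\s*$")
# "name [ip]" when -d is not used and the name resolves, otherwise just "ip".
TARGET_RE = re.compile(r"^(?:(\S+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_rtt(token):
    """'169 ms' -> 169, '<1 ms' -> 1 (an upper bound), '*' -> None."""
    if token == "*":
        return None
    return int(re.sub(r"[^\d]", "", token))


def parse_tracert(text):
    """Return one dict per hop: hop number, the three samples, host, ip, best RTT."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [parse_rtt(t) for t in m.group(2, 3, 4)]
        t = TARGET_RE.match(m.group(5))
        host, ip = (t.group(1), t.group(2)) if t else (None, None)
        answered = [r for r in rtts if r is not None]
        hops.append({"hop": int(m.group(1)), "rtts_ms": rtts, "host": host, "ip": ip,
                     "min_ms": min(answered) if answered else None})
    return hops


def largest_latency_jump(hops):
    """(hop number, increase in ms) where the best-case RTT rises most over the
    previous answering hop. Hops that did not answer are skipped, not treated as zero."""
    best = (None, 0)
    prev = None
    for h in hops:
        if h["min_ms"] is None:
            continue
        if prev is not None and h["min_ms"] - prev > best[1]:
            best = (h["hop"], h["min_ms"] - prev)
        prev = h["min_ms"]
    return best


if __name__ == "__main__":
    parsed = parse_tracert(TRACERT_OUTPUT)
    for h in parsed:
        print(h["hop"], h["min_ms"], h["host"] or h["ip"])
    print("largest jump at hop", largest_latency_jump(parsed))
```

Each hop's samples are independent probes, so a later hop can legitimately report a lower time than an earlier one (hop 8 here is faster than hop 7); that is why the script compares best-case times rather than averages and only reports increases. Keeping a parsed trace like this from a known-good day gives something to compare against when the same path is traced during an outage.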
:)6/6[ZOROZOKY


As is often the case, the DOS approach is not the most user-friendly option. Notice the
result when the same trace is done with TJPingPro. The same TCP/IP protocols, viz. ARP
and ICMP, are still used, but now they are accessed through a third-party application
program (TJPingPro) which accesses the TCP/IP stack through a WinSock interface.


Figure 9.4
TJPingPro trace (courtesy of Top Jimmy Software)
The most comprehensive tracing is, however, done via application programs such as
Neotrace. The following figures give some of the results of a trace to the same location
used for the previous two examples.



Figure 9.5
NeoTrace display (courtesy NeoWorx Inc)