
Network Command-line utilities

Viewing configuration by using ipconfig /all

When you troubleshoot a TCP/IP networking problem, begin by checking the TCP/IP
configuration on the computer that is experiencing the problem. You can use the ipconfig
command to get host computer configuration information, including the IP address, subnet mask,
and default gateway.

Note

• For Windows 95 and Windows 98 clients, use the winipcfg command instead of
ipconfig.

When you use the ipconfig command with the /all option, a detailed configuration report is
produced for all interfaces, including any configured serial ports. With ipconfig /all, you can
redirect command output to a file and paste the output into other documents. You can also use
this output to confirm the TCP/IP configuration of each computer on the network or to further
investigate TCP/IP network problems.

For example, if a computer is configured with an IP address that is a duplicate of an existing IP
address, the subnet mask appears as 0.0.0.0.

The following example shows the output of the ipconfig /all command on a computer that is
configured to use the DHCP server for automatic TCP/IP configuration, and WINS and DNS
servers for name resolution.

Windows 2000 IP Configuration

Node Type . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No

Ethernet adapter Local Area Connection:

Host Name . . . . . . . . . : host.grape-info.com
DNS Servers . . . . . . . . : 10.1.0.200
Description . . . . . . . . : 3Com 3C90x Ethernet Adapter
Physical Address. . . . . . : 00-60-08-3E-46-07
DHCP Enabled. . . . . . . . : Yes
Autoconfiguration Enabled . : Yes
IP Address. . . . . . . . . : 192.168.0.112
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.168.0.2
DHCP Server . . . . . . . . : 192.168.0.1
Primary WINS Server . . . . : 192.168.0.1
Secondary WINS Server . . . : 192.168.0.3
Lease Obtained. . . . . . . : Wednesday, September 02, 1998 10:32:13 AM
Lease Expires . . . . . . . : Friday, September 18, 1998 10:32:13 AM
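
A check over a saved report of this kind, added here as an example (it is not part of the original page): it parses ipconfig /all output and flags the duplicate-address symptom described above, plus a default gateway that lies outside the adapter's subnet, which is a check the page itself does not state. The function names and the second adapter in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed input in the layout of the report above. The second adapter is
# invented to show the duplicate-address symptom (subnet mask 0.0.0.0).
SAMPLE = """\
Windows 2000 IP Configuration
Node Type . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . : No

Ethernet adapter Local Area Connection:
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 192.168.0.112
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.168.0.2
Lease Expires . . . . . . . : Friday, September 18, 1998 10:32:13 AM

Ethernet adapter Local Area Connection 2:
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 192.168.0.50
Subnet Mask . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . : 192.168.0.2
"""

# "Key . . . . : value": a dotted leader before the colon marks a field line.
FIELD = re.compile(r"^(.+?)\s*(?:\.\s?)+:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: value}}; fields before any adapter go to 'global'."""
    sections = {"global": {}}
    current = sections["global"]
    for raw in text.splitlines():
        line = raw.strip()
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
        elif line.endswith(":"):              # e.g. "Ethernet adapter ...:"
            current = sections.setdefault(line[:-1], {})
    return sections


def check_adapter(fields):
    """Return a list of problems found in one adapter's fields."""
    ip, mask, gateway = (fields.get(key, "") for key in
                         ("IP Address", "Subnet Mask", "Default Gateway"))
    if not ip or not mask:
        return []                             # section carries no IP settings
    if mask == "0.0.0.0":                     # symptom described on this page
        return ["subnet mask 0.0.0.0: address duplicates an existing IP address"]
    try:
        network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if gateway and ipaddress.ip_address(gateway) not in network:
            return [f"default gateway {gateway} is outside {network}"]
    except ValueError as error:
        return [f"unparseable address: {error}"]
    return []


def audit(text):
    """Return {adapter name: problems} for adapters with at least one problem."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        problems = check_adapter(fields)
        if problems:
            report[name] = problems
    return report
```
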

If no problems appear in the TCP/IP configuration, the next step is testing the ability to connect
to other host computers on the TCP/IP network.

Refreshing configuration by using ipconfig /renew

When you troubleshoot a TCP/IP networking problem, begin by checking the TCP/IP
configuration on the computer that is experiencing the problem. If the computer is
DHCP-enabled and is using a DHCP server to obtain configuration, you can initiate a refresh
of the lease by using the ipconfig /renew command.

When you use ipconfig /renew, all network adapters on the computer that use DHCP (except
those that are manually configured) try to contact a DHCP server and renew their existing
configuration or obtain a new configuration.

You can also use the ipconfig command with the /release option to immediately release the
current DHCP configuration for a host.

Note

• For Windows 95 and Windows 98 DHCP-enabled clients, use the release and renew
options of the winipcfg command instead of ipconfig /release and ipconfig /renew to
perform manual release or renewal of the IP configuration lease for a client.

Managing DNS and DHCP class IDs by using ipconfig

You can also use the ipconfig command to:

• Display or reset the DNS cache.
• Refresh registered DNS names.
• Display the DHCP class IDs for an adapter.
• Set the DHCP class IDs for an adapter.

Testing connections by using ping

The ping command helps to verify IP-level connectivity. When troubleshooting, you can use
ping to send an ICMP echo request to a target host name or IP address. Use ping whenever you
need to verify that a host computer can connect to the TCP/IP network and network resources.
You can also use ping to isolate network hardware problems and incompatible configurations.

It is usually best to verify that a route exists between the local computer and a network host by
first using the ping command and the IP address of the network host to which you want to
connect. Try pinging the IP address of the target host to see if it responds, as follows:

ping IP_address

You should perform the following steps when using ping:

1. Ping the loopback address to verify that TCP/IP is installed and configured correctly on
the local computer.

ping 127.0.0.1

2. Ping the IP address of the local computer to verify that it was added to the network
correctly.

ping IP_address_of_local_host

3. Ping the IP address of the default gateway to verify that the default gateway is
functioning and that you can communicate with a local host on the local network.

ping IP_address_of_default_gateway

4. Ping the IP address of a remote host to verify that you can communicate through a router.

ping IP_address_of_remote_host

The ping command uses Windows Sockets–style name resolution to resolve a computer name to
an IP address, so if pinging by address succeeds, but pinging by name fails, then the problem lies
in address or name resolution, not network connectivity.

If you cannot use ping successfully at any point, confirm that:

• The computer was restarted after TCP/IP was installed and configured.
• The IP address of the local computer is valid and appears correctly on the General tab of
the Internet Protocol (TCP/IP) Properties dialog box.
• IP routing is enabled and the link between routers is operational.

You can use different options with the ping command to specify the size of packets to use, how
many packets to send, whether to record the route used, what Time-to-Live (TTL) value to use,
and whether to set the "don't fragment" flag. You can type ping -? to see these options.

The following example illustrates how to send two pings, each 1,450 bytes in size, to IP address
192.168.0.1:

C:\>ping -n 2 -l 1450 192.168.0.1

Pinging 192.168.0.1 with 1450 bytes of data:

Reply from 192.168.0.1: bytes=1450 time<10ms TTL=32
Reply from 192.168.0.1: bytes=1450 time<10ms TTL=32

Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate roundtrip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 2ms

By default, ping waits 1,000 ms (1 second) for each response to be returned before displaying
the "Request Timed Out" message. If the remote system being pinged is across a high-delay link,
such as a satellite link, responses may take longer to be returned. You can use the -w (wait)
option to specify a longer time-out.

To view the Address Resolution Protocol (ARP) cache

1. Open Command Prompt.
2. At the command prompt, type arp -a.

For example, if you recently used the ping command to test and verify connectivity from this computer to a host computer at IP
address 10.0.0.99, the ARP cache displays the following entry:

Interface: 10.0.0.1 on Interface 0x1

Internet Address Physical Address Type

10.0.0.99 00-e0-98-00-7c-dc dynamic

In this example, the cache entry indicates that the remote host computer at 10.0.0.99 resolved to a media access control address
of 00-e0-98-00-7c-dc assigned in the network adapter hardware of the remote computer. The media access control address is the
address that your computer used to physically communicate with this remote TCP/IP host on your network.

Notes

• To open a command prompt, click Start, point to All programs, point to Accessories, and
then click Command prompt.
• To minimize ARP broadcast traffic on your network, a cache of hardware-to-software
address mappings is maintained for future use. This cache contains the following two types
of entries:

• Dynamic ARP cache entries

These entries are added and deleted automatically during normal use of TCP/IP
sessions with remote computers. Dynamic entries age and expire from the cache if
not reused within 2 minutes. If a dynamic entry is reused within 2 minutes, it may
remain in the cache and age up to a maximum cache life of 10 minutes before being
removed or requiring cache renewal by using the ARP broadcast process.

• Static ARP cache entries

These entries are added manually by using the arp command with the -s option.
Static entries remain in the ARP cache until either the computer is restarted, or the
interface is reinitiated. Examples of some of the events that cause an interface to be
reinitiated are:

1. The interface is Disabled, and then Enabled.
2. The Repair feature is used.
3. The commands ipconfig /release and ipconfig /renew are given.
4. The computer awakes from a suspend or hibernation state.
5. You removed and replugged a network cable or moved a computer out of and back into wireless range.

• ARP cache entries can be deleted manually by using the arp command with the -d option.

Example: arp -d 192.168.0.1

Removes ARP mappings for 192.168.0.1 on all interfaces.

The Address Resolution Protocol (ARP) allows a host to find the media access control address of
a host on the same physical network, given the IP address of the host. To make ARP efficient,
each computer caches IP-to-media access control address mappings to eliminate repetitive ARP
broadcast requests.

You can use the arp command to view and modify the ARP table entries on the local computer.
The arp command is useful for viewing the ARP cache and resolving address resolution
problems.

Troubleshooting NetBIOS names by using nbtstat

NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. TCP/IP provides many
options for NetBIOS name resolution, including local cache lookup, WINS server query,
broadcast, DNS server query, and Lmhosts and Hosts file lookup.

Nbtstat is a useful tool for troubleshooting NetBIOS name resolution problems. You can use the
nbtstat command to remove or correct preloaded entries:

• nbtstat -n displays the names that were registered locally on the system by programs
such as the server and redirector.
• nbtstat -c shows the NetBIOS name cache, which contains name-to-address mappings
for other computers.
• nbtstat -R purges the name cache and reloads it from the Lmhosts file.
• nbtstat -RR releases NetBIOS names registered with a WINS server and then renews
their registration.
• nbtstat -a name performs a NetBIOS adapter status command against the computer
specified by name. The adapter status command returns the local NetBIOS name table
for that computer plus the media access control address of the adapter.
• nbtstat -S lists the current NetBIOS sessions and their status, including statistics, as
shown in the following example:

NetBIOS connection table

Local name      State      In/out  Remote Host      Input   Output
------------------------------------------------------------------
CORP1 <00>      Connected  Out     CORPSUP1<20>     6MB     5MB
CORP1 <00>      Connected  Out     CORPPRINT<20>    108KB   116KB
CORP1 <00>      Connected  Out     CORPSRC1<20>     299KB   19KB
CORP1 <00>      Connected  Out     CORPEMAIL1<20>   324KB   19KB
CORP1 <03>      Listening

Displaying connection statistics by using netstat

You can use the netstat command to display protocol statistics and current TCP/IP connections.
The netstat -a command displays all connections, and netstat -r displays the route table plus
active connections. The netstat -e command displays Ethernet statistics, and netstat -s displays
per-protocol statistics. If you use netstat -n, addresses and port numbers are not converted to
names. The following shows sample output for netstat:

C:\>netstat -e
Interface Statistics

Received Sent
Bytes 3995837940 47224622
Unicast packets 120099 131015
Non-unicast packets 7579544 3823
Discards 0 0
Errors 0 0
Unknown protocols 363054211

C:\>netstat -a
Active Connections

Proto Local Address Foreign Address State
TCP myhost:1572 192.168.0.2:nbsession ESTABLISHED
TCP myhost:1589 192.168.0.2:nbsession ESTABLISHED
TCP myhost:1606 192.168.0.10:nbsession ESTABLISHED
TCP myhost:1632 192.168.0.11:nbsession ESTABLISHED
TCP myhost:1659 192.168.0.12:nbsession ESTABLISHED
TCP myhost:1714 192.168.0.13:nbsession ESTABLISHED
TCP myhost:1719 192.168.0.14:nbsession ESTABLISHED
TCP myhost:1241 192.168.0.15:nbsession ESTABLISHED
UDP myhost:1025 *:*
UDP myhost:snmp *:*
UDP myhost:nbname *:*
UDP myhost:nbdatagram *:*
UDP myhost:nbname *:*
UDP myhost:nbdatagram *:*

C:\>netstat -s
IP Statistics

Packets Received = 5378528
Received Header Errors = 738854
Received Address Errors = 23150
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 4616524
Output Requests = 132702
Routing Discards = 157
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0

ICMP Statistics
Received Sent
Messages 693 4
Errors 0 0
Destination Unreachable 685 0
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echoes 4 0
Echo Replies 0 4
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0

TCP Statistics

Active Opens = 597
Passive Opens = 135
Failed Connection Attempts = 107
Reset Connections = 91
Current Connections = 8
Segments Received = 106770
Segments Sent = 118431
Segments Retransmitted = 461

UDP Statistics

Datagrams Received = 4157136
No Ports = 351928
Receive Errors = 2
Datagrams Sent = 13809

Tracing network connections by using tracert

Tracert (Trace Route) is a route-tracing utility that is used to determine the path that an IP
datagram takes to reach a destination. The tracert command uses the IP Time-to-Live (TTL)
field and ICMP error messages to determine the route from one host to another through a
network.

How tracert works

The Tracert diagnostic utility determines the route taken to a destination by sending Internet
Control Message Protocol (ICMP) echo packets with varying IP Time-to-Live (TTL) values to
the destination. Each router along the path is required to decrement the TTL on a packet by at
least 1 before forwarding it. When the TTL on a packet reaches 0, the router should send an
"ICMP Time Exceeded" message back to the source computer.

Tracert determines the route by sending the first echo packet with a TTL of 1 and incrementing
the TTL by 1 on each subsequent transmission until the target responds or the maximum TTL is
reached. The route is determined by examining the "ICMP Time Exceeded" messages sent back
by intermediate routers. Some routers silently drop packets with expired TTLs and are invisible
to the Tracert utility.

The tracert command prints out an ordered list of the near-side interface of the routers in the
path that returned the "ICMP Time Exceeded" message. If the -d option is used, the Tracert
utility does not perform a DNS lookup on each IP address.

In the following example, the packet must travel through routers (192.168.0.2, 202.144.158.206,
202.144.159.195 and 202.144.129.2) to get to host 202.144.128.22. The default gateway of the
host is 192.168.0.2 and the IP address of the router on the 192.168.0.0 network is 192.168.0.2.

C:\>tracert 202.144.128.22
Tracing route to 202.144.128.22 over a maximum of 30 hops:
1 6 ms 2 ms 2 ms 192.168.0.2
2 4 ms 3 ms 4 ms 202.144.158.206
3 78 ms 78 ms 78 ms 202.144.159.195
4 78 ms 78 ms 78 ms 202.144.129.2
5 227 ms 163 ms 83 ms 202.144.128.220
Trace complete.

Troubleshooting with tracert

You can use the tracert command to determine where a packet stopped on the network. In the
following example, the default gateway has determined that there is not a valid path for the host
on 192.168.10.99. There is probably a router configuration problem or the 192.168.10.0 network
does not exist (a bad IP address).

C:\>tracert www.grape-info.com
Tracing route to www.grape-info.com [202.144.128.220]
over a maximum of 30 hops:
1 6 ms 2 ms 2 ms 192.168.0.2
2 4 ms 3 ms 4 ms gw.grape-info.com [202.144.158.206]
3 tpu-gw1.grape-info.com [202.144.159.195] reports: Destination net unreachable.
Trace complete.

The Tracert utility is useful for troubleshooting large networks where several paths can be taken
to arrive at the same point.
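
The TTL mechanism from "How tracert works" and the stopped trace from "Troubleshooting with tracert", as a simulation added here (it is not part of the original page and is not tracert's own code). The names Router, send_probe, trace_route and with_router are illustrative, the path reuses the router addresses from the traces above, and the model assumes a router with no route answers before it checks the TTL.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Router:
    address: str
    silent: bool = False      # drops expired packets without sending ICMP
    has_route: bool = True    # False: answers "Destination net unreachable"


# Routers and target taken from the traces on this page.
PATH = [Router("192.168.0.2"), Router("202.144.158.206"),
        Router("202.144.159.195"), Router("202.144.129.2")]
TARGET = "202.144.128.220"


def send_probe(path, target, ttl):
    """Follow one echo packet sent with `ttl`; return (responder, message)."""
    for router in path:
        # Modelling assumption: the route lookup happens before the TTL check.
        if not router.has_route:
            return router.address, "net-unreachable"
        ttl -= 1                              # every router decrements the TTL
        if ttl == 0:                          # expired here, never forwarded
            if router.silent:
                return None, "timeout"        # no ICMP message comes back
            return router.address, "time-exceeded"
    return target, "echo-reply"               # TTL outlived every router


def trace_route(path, target, max_hops=30):
    """Raise the TTL from 1 until the target or an error report answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, message = send_probe(path, target, ttl)
        hops.append((ttl, responder or "*", message))
        if message in ("echo-reply", "net-unreachable"):
            break
    return hops


def with_router(path, index, **changes):
    """Return a copy of `path` with one router's behaviour changed."""
    return [replace(router, **changes) if i == index else router
            for i, router in enumerate(path)]


if __name__ == "__main__":
    # A silent second router shows up as "*" but the trace still completes.
    for hop in trace_route(with_router(PATH, 1, silent=True), TARGET):
        print(*hop)
```
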

Tracert command-line options

The tracert command supports several options, as shown in the following table.

tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Option             Description
-d                 Specifies that IP addresses are not resolved to host names.
-h maximum_hops    Specifies the number of hops to allow in tracing a route to the host named in target_name.
-j host-list       Specifies the list of router interfaces in the path taken by the Tracert utility packets.
-w timeout         Waits the number of milliseconds specified by timeout for each reply.
target_name        Name or IP address of the target host.

Testing routers by using pathping

The pathping command is a route tracing tool that combines features of the ping and tracert
commands with additional information that neither of those tools provides. The pathping
command sends packets to each router on the way to a final destination over a period of time,
and then computes results based on the packets returned from each hop. Since the command
shows the degree of packet loss at any given router or link, it is easy to determine which routers
or links might be causing network problems. A number of options are available, as shown in the
following table.

Option  Name          Function
-n      Hostnames     Does not resolve addresses to host names.
-h      Maximum hops  Maximum number of hops to search for target.
-g      Host-list     Loose source route along host list.
-p      Period        Number of milliseconds to wait between pings.
-q      Num_queries   Number of queries per hop.
-w      Time-out      Waits this many milliseconds for each reply.
-T      Layer 2 tag   Attaches a layer-2 priority tag (for example, for IEEE 802.1p) to the packets and sends it to each of the network devices in the path. This helps in identifying the network devices that do not have layer-2 priority configured properly. The -T switch is used to test for Quality of Service (QoS) connectivity.
-R      RSVP test     Checks to determine whether each router in the path supports the Resource Reservation Protocol (RSVP), which allows the host computer to reserve a certain amount of bandwidth for a data stream. The -R switch is used to test for Quality of Service (QoS) connectivity.

The default number of hops is 30, and the default wait time before a time-out is 3 seconds. The
default period is 250 milliseconds, and the default number of queries to each router along the
path is 100.

The following is a typical pathping report. The compiled statistics that follow the hop list
indicate packet loss at each individual router.

D:\>pathping www.grape-info.com

Tracing route to www.grape-info.com [202.144.128.220]
over a maximum of 30 hops:
  0  hoge.grape-info.com [192.168.0.24]
  1  192.168.0.2
  2  gw-dit.grape-info.com [202.144.158.206]
  3  tpu-gw1.grape-info.com [202.144.159.195]
  4  e0-0.tpu-br2.grape-info.com [202.144.129.2]
  5  w3ext.grape-info.com [202.144.128.220]

Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           hoge.grape-info.com [192.168.0.24]
                                0/ 100 =  0%   |
  1    3ms     0/ 100 =  0%     0/ 100 =  0%  192.168.0.2
                                0/ 100 =  0%   |
  2    4ms     0/ 100 =  0%     0/ 100 =  0%  gw-dit.grape-info.com [202.144.158.206]
                               13/ 100 = 13%   |
  3  140ms     0/ 100 =  0%     1/ 100 =  1%  tpu-gw1.grape-info.com [202.144.159.195]
                                0/ 100 =  0%   |
  4  126ms     0/ 100 =  0%     3/ 100 =  3%  e0-0.tpu-br2.grape-info.com [202.144.129.2]
                                0/ 100 =  0%   |
  5  155ms     0/ 100 =  0%     0/ 100 =  0%  w3ext.grape-info.com [202.144.128.220]
Trace complete.

When pathping is run, you first see the results for the route as it is tested for problems. This is
the same path that is shown by the tracert command. The pathping command then displays a
busy message for the next 125 seconds (this time varies by the hop count). During this time,
pathping gathers information from all the routers previously listed and from the links between
them. At the end of this period, it displays the test results.

The two rightmost columns—This Node/Link Lost/Sent=Pct and Address—contain the most
useful information. The link between gw-dit.grape-info.com (hop 2), and
tpu-gw1.grape-info.com (hop 3) is dropping 13 percent of the packets. All other links are
working normally. The routers at hops 3 and 4 also drop packets addressed to them (as shown
in the This Node/Link column), but this loss does not affect their forwarding path.

The loss rates displayed for the links (marked as a | in the rightmost column) indicate losses of
packets being forwarded along the path. This loss indicates link congestion. The loss rates
displayed for routers (indicated by their IP addresses in the rightmost column) indicate that those
routers' CPUs might be overloaded. These congested routers might also be a factor in end-to-end
problems, especially if packets are forwarded by software routers.
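
The reading of the report described above, as a parser added here for illustration (it is not part of the original page): it separates loss on links (the lines marked |) from loss at routers. The names parse_report and diagnose are hypothetical, and the input is the statistics block of the report above re-typed as constructed sample data, with one address left wrapped onto its own line.

```python
import re

# Constructed input: the statistics part of the pathping report on this page.
REPORT = """\
Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           hoge.grape-info.com [192.168.0.24]
                                0/ 100 =  0%   |
  1    3ms     0/ 100 =  0%     0/ 100 =  0%  192.168.0.2
                                0/ 100 =  0%   |
  2    4ms     0/ 100 =  0%     0/ 100 =  0%  gw-dit.grape-info.com
                                              [202.144.158.206]
                               13/ 100 = 13%   |
  3  140ms     0/ 100 =  0%     1/ 100 =  1%  tpu-gw1.grape-info.com [202.144.159.195]
                                0/ 100 =  0%   |
  4  126ms     0/ 100 =  0%     3/ 100 =  3%  e0-0.tpu-br2.grape-info.com [202.144.129.2]
                                0/ 100 =  0%   |
  5  155ms     0/ 100 =  0%     0/ 100 =  0%  w3ext.grape-info.com [202.144.128.220]
Trace complete.
"""

LOSS = r"(\d+)/\s*(\d+)\s*=\s*(\d+)%"                    # "13/ 100 = 13%"
LINK_RE = re.compile(rf"^\s*{LOSS}\s*\|\s*$")            # link between two hops
HOP_RE = re.compile(
    rf"^\s*(\d+)\s+(?:(\d+)ms\s+)?(?:{LOSS}\s+{LOSS}\s+)?(\S.*?)\s*$")
WRAP_RE = re.compile(r"^\s*(\[[0-9.]+\])\s*$")           # address wrapped to next line


def parse_report(text):
    """Return (hops, links) from the statistics part of a pathping report."""
    hops, links, in_stats, pending = [], [], False, None
    for line in text.splitlines():
        if not in_stats:                      # skip the hop list before the table
            in_stats = line.lstrip().startswith("Hop")
            continue
        if m := LINK_RE.match(line):
            pending = int(m.group(3))         # loss on the link to the next hop
        elif m := WRAP_RE.match(line):
            if hops:
                hops[-1]["address"] += " " + m.group(1)
        elif m := HOP_RE.match(line):
            hop = {"hop": int(m.group(1)), "address": m.group(9),
                   "node_loss": int(m.group(8) or 0)}
            if pending is not None and hops:
                links.append((hops[-1], hop, pending))
            pending = None
            hops.append(hop)
    return hops, links


def diagnose(text, threshold=0):
    """Return (kind, where, loss %) for each loss above `threshold`.

    "link": packets lost while being forwarded (the page reads this as congestion).
    "node": packets addressed to the router itself were dropped.
    """
    hops, links = parse_report(text)
    findings = [("link", f"{a['address']} -> {b['address']}", pct)
                for a, b, pct in links if pct > threshold]
    findings += [("node", h["address"], h["node_loss"])
                 for h in hops if h["node_loss"] > threshold]
    return findings
```
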
