Using inbuilt Windows Commands for Network Troubleshooting

Hey Guys,

In most environments your desktop operating system will probably be Windows, so it's useful to know its inbuilt network troubleshooting tools.

The commands covered in this post are:

• ping
• tracert
• pathping
• netstat
• telnet
• arp
• ipconfig
• nslookup
• resmon

Before we jump into the tools, I'd like to introduce redirecting and filtering output. As in IOS, you can send a command's output to a file so you can snapshot it easily, for example:

C:\Users\bruce>ping google.com > test

This saves the output into a file called test in your current working directory. Note that > overwrites any existing content in the file, whereas >> appends to it:

C:\Users\bruce>ping google.com >> test

You can also filter output, much like grep on Linux or an include statement in IOS. For example, to see the socket state for connections involving a particular IP address:

C:\Users\bruce>netstat -n  | find "127.0.0.1"
  TCP    127.0.0.1:1051         127.0.0.1:19872        ESTABLISHED

find matches its (double-quoted) search string literally; the inbuilt findstr is the stronger option when you need regular expressions, several search strings at once or case-insensitive matching (/i). These tools are useful when you need to capture information for sharing or baselining, or to pull targeted lines out of large amounts of output.

Ping

Ping uses ICMP Echo Request messages to test host reachability – of course everyone knows this. However, let's explore some of the switches and their uses.

-a

Resolves the IP address you are pinging back to a hostname (a reverse DNS lookup) and shows it in the output, for example:

C:\Users\bruce>ping -a 61.88.88.88
Pinging ns.optus.net.au [61.88.88.88] with 32 bytes of data:
Reply from 61.88.88.88: bytes=32 time=47ms TTL=249
Reply from 61.88.88.88: bytes=32 time=78ms TTL=249
Reply from 61.88.88.88: bytes=32 time=48ms TTL=249
Reply from 61.88.88.88: bytes=32 time=46ms TTL=249
Ping statistics for 61.88.88.88:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 46ms, Maximum = 78ms, Average = 54ms

-t

Pings continuously until you press Ctrl+C. I find this useful in a number of cases, for example:

• Before reloading a host or a network device I set up a continuous ping to know when it is back online
• When deploying new access switches I will set up a continuous ping and plug into a few ports to test connectivity

-w (timeout in milliseconds)

Sets how long ping waits for each reply. The default is 4000 ms, and anything slower is reported as Request timed out rather than as a slow reply. This is very useful when you are fault finding links with large latency; for example, I once had a 3G connection with up to 10 seconds of latency, so at the default timeout it looked like 100% packet loss when it was actually just really bad latency.

-l (payload size in bytes)

Sets the size of the ICMP payload (up to 65500), which is what you vary when using the Do Not Fragment bit to work out the path's Maximum Transmission Unit (MTU). Note that packet size in Windows and packet size in IOS are two different things: in Windows -l is the payload only, whereas in IOS the size is the whole IP packet. Given that most IP networks support a 1500-byte MTU, you must specify ping -l 1472 to put a 1500-byte packet on the wire (20 bytes IPv4 header + 8 bytes ICMP header + 1472 bytes payload).

-f

Sets the Do Not Fragment bit in the IP header. Combined with -l, a payload too large for some hop on the path comes back as "Packet needs to be fragmented but DF set." instead of a reply, so you step the size down until the replies return; the largest payload that gets through, plus the 28 header bytes, is the path MTU.
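The step-the-size-down procedure can be automated. The PowerShell function below is an added example, not code from the original post: it binary-searches the largest DF-flagged payload that still gets a reply and adds the 28 bytes of IPv4 and ICMP headers to report the path MTU. The target address is a placeholder, and the 548-byte lower bound and the 2-second per-probe timeout are assumptions.

```powershell
# Added example, not from the original post: find the path MTU to a host by
# binary-searching the largest payload that crosses the path with DF set.
# Assumes the Windows ping.exe (IPv4) and a target that answers ICMP echo.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $Low  = 548,   # assumed lower bound (576-byte minimum MTU minus 28 header bytes)
        [int] $High = 1472   # 1500-byte Ethernet MTU minus 20 bytes IPv4 + 8 bytes ICMP
    )

    # One DF-flagged probe of the given payload size; $true only on a real echo reply.
    function Test-Payload([int] $Size) {
        $out = & ping.exe -n 1 -w 2000 -f -l $Size $Target 2>&1 | Out-String
        if ($out -match 'needs to be fragmented') { return $false }   # explicit frag-needed message
        return ($out -match 'Reply from .*bytes=')                   # a timeout also counts as failure
    }

    if (-not (Test-Payload $Low)) {
        throw "No DF reply from $Target even at $Low bytes; check plain reachability first."
    }
    if (Test-Payload $High) { return $High + 28 }   # full-size frames pass: MTU is at least 1500

    # Invariant: $Low succeeds, $High fails; narrow the gap until they are adjacent.
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        if (Test-Payload $mid) { $Low = $mid } else { $High = $mid }
    }
    return $Low + 28
}

# Placeholder target address from the post; replace with the host you are testing.
Find-PathMtu -Target 'xx.xx.xx.5'
```

Treating a timeout the same as the explicit "needs to be fragmented" message is deliberate: on a path where a firewall filters ICMP fragmentation-needed messages (a PMTUD black hole) the oversize probes simply time out, and the search still converges on the size that actually works. The search needs only about ten probes between the 548 and 1472 bounds.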

-r (1 to 9)

Sets the Record Route IP option, so routers along the path write their addresses into the packet and the reply shows both the outbound and the return hops. I find this useful for finding asymmetric routing paths in the network. The option only has room for nine addresses, and many routers and firewalls ignore or drop packets carrying IP options, so a timeout with -r doesn't on its own mean the host is unreachable.

C:\Users\bruce>ping xx.xx.xx.5 -r 9
Pinging xx.xx.xx.5 with 32 bytes of data:
Reply from xx.xx.xx.5: bytes=32 time=50ms TTL=252
    Route: xx.xx.xx.199 ->
           xx.xx.xx.145 ->
           xx.xx.xx.6 ->
           xx.xx.xx.5 ->
           xx.xx.xx.5 ->
           xx.xx.xx.146 ->
           xx.xx.xx.143 ->
           xx.xx.xx.254

tracert

Tracert is Traceroute … it traces the route 😛 One difference worth knowing: Windows tracert sends ICMP Echo Requests with an increasing TTL, whereas Linux traceroute uses UDP probes by default, so a firewall that permits one and not the other can make the same path look different from each side.

-d

I pretty much just use -d to output IP addresses only and skip DNS resolution, which also makes the trace a lot faster.

pathping

I found pathping in a Microsoft textbook and I think it is useful for getting support staff to run this test. Pathping combines the operation of tracert and ping: it performs a traceroute and then sends a batch of ICMP echo messages to each hop (100 per hop by default, which is why the Computing statistics step takes a while; -q lowers the count per hop and -p changes the interval between them). Because it reports loss per hop and per link, it is a very useful tool for people who aren't network engineers to quickly identify which part of the path is hurting a service.

C:\Users\bruce>pathping xx.xx.xx.xx
Tracing route to name [xx.xx.xx.xx]
over a maximum of 30 hops:
  0  name [xx.xx.xx.xx]
  1  name [xx.xx.xx.xx]
  2  name [xx.xx.xx.xx]
  3  name [xx.xx.xx.xx]
  4  name [xx.xx.xx.xx]

Computing statistics for 100 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           name [xx.xx.xx.xx]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  name [xx.xx.xx.xx]
                                0/ 100 =  0%   |
  2   32ms     0/ 100 =  0%     0/ 100 =  0%  name [xx.xx.xx.xx]
                                0/ 100 =  0%   |
  3   32ms     0/ 100 =  0%     0/ 100 =  0%  name [xx.xx.xx.xx]
                                0/ 100 =  0%   |
  4   49ms     0/ 100 =  0%     0/ 100 =  0%  name [xx.xx.xx.xx]
Trace complete.

Netstat

Netstat is an incredibly useful tool, very handy for showing people it's not the firewall, it's the fact their service isn't even started that's causing the issue 😀 Run it with -a to include listening sockets: if the port isn't shown as LISTENING on the server, no firewall rule is going to help.
It helps to understand the socket states (thanks Microsoft – http://support.microsoft.com/kb/137984). The KB uses the names below; netstat itself prints them as SYN_SENT, TIME_WAIT and LISTENING:

• SYN_SEND (netstat: SYN_SENT) Indicates active open; the client has sent its SYN and is waiting for the SYN-ACK.
• SYN_RECEIVED Server just received SYN from the client.
• ESTABLISHED The three-way handshake completed and data can flow.
• LISTEN (netstat: LISTENING) Server is ready to accept a connection.
• FIN_WAIT_1 Indicates active close; the first FIN has been sent.
• TIMED_WAIT (netstat: TIME_WAIT) The side that closed actively waits here after the close completes so that late segments can't be mistaken for a new connection.
• CLOSE_WAIT Indicates passive close. Server just received first FIN from a client.
• FIN_WAIT_2 Client just received acknowledgment of its first FIN from the server.
• LAST_ACK Server is in this state when it sends its own FIN.
• CLOSED Server received ACK from client and connection is closed.

Why is this useful? If a connection sits in SYN_SENT, your SYN (or the SYN-ACK coming back) is being dropped, which usually means a firewall or a silent drop by an upstream routing device. If the host is reachable but nothing is listening, it answers with a RST: the entry never lingers in netstat and the client gets an immediate connection refused instead. A pile of CLOSE_WAIT entries points at an application that isn't closing sockets it has finished with. However, if you see ESTABLISHED then life's good!

-o

Shows the Process ID (PID) that owns each socket. You can map a PID to a process with Task Manager or tasklist /fi "PID eq 6896" in a command window. However, there is an easier way.

C:\Users\bruce>netstat -n -o
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    xx.xx.xx.xx:24965      131.181.196.36:80      ESTABLISHED     6896

-b

Prints the process name beneath each connection, oh so convenient! It needs an elevated (Administrator) prompt; otherwise netstat reports that the requested operation requires elevation.

C:\Users\bruce>netstat -n -b
Active Connections
  Proto  Local Address          Foreign Address        State           
  TCP    xx.xx.xx.xx:24965      131.181.196.36:80      ESTABLISHED    
 [firefox.exe]

-r

Prints the host's routing table (the same output as route print).

-s

Prints per-protocol statistics for IP, ICMP, TCP and UDP; there is a whole load of useful output in this one.

-e

Prints Ethernet (interface) statistics.

-f

Prints the fully qualified domain name of foreign addresses in the netstat output.
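Mapping PIDs to process names and spotting where connections pile up is easier once netstat's text is parsed into objects. The PowerShell below is an added example, not code from the original post. The netstat -ano text embedded in it is constructed for the example (its PIDs will not exist on your machine, so they show as n/a); in practice you hand the function the live output of netstat -ano.

```powershell
# Added example, not from the original post: parse netstat -ano text into objects,
# attach the owning process name, and summarise where SYN_SENT connections pile up.
function ConvertFrom-Netstat {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # Look up PID -> process name once; PIDs that are not running here stay 'n/a'.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    foreach ($line in $Lines) {
        # TCP rows have a State column, UDP rows do not, so that group is optional.
        # Addresses may be IPv6 in brackets ([::1]:135) or '*:*' on the UDP foreign side.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
            $procId = [int]$Matches[7]
            $state  = if ($Matches[6]) { $Matches[6] } else { '' }
            $name   = if ($names.ContainsKey($procId)) { $names[$procId] } else { 'n/a' }
            [pscustomobject]@{
                Proto       = $Matches[1]
                LocalAddr   = $Matches[2]
                LocalPort   = [int]$Matches[3]
                RemoteAddr  = $Matches[4]
                RemotePort  = $Matches[5]   # kept as text because UDP shows '*'
                State       = $state
                ProcessId   = $procId
                ProcessName = $name
            }
        }
    }
}

# Count SYN_SENT entries per remote endpoint and process: a pile-up here is the
# "firewall or silent drop" symptom described above, and the PID says who is trying.
function Get-SynSentSummary {
    param([Parameter(Mandatory)] [object[]] $Connections)
    $Connections |
        Where-Object State -eq 'SYN_SENT' |
        Group-Object RemoteAddr, RemotePort, ProcessName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample in netstat -ano layout (header lines are skipped by the regex).
# For live data use:  $conns = ConvertFrom-Netstat -Lines (netstat -ano)
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.15:24965        131.181.196.36:80      ESTABLISHED     6896
  TCP    10.0.0.15:51001        192.0.2.10:443         SYN_SENT        6896
  TCP    10.0.0.15:51002        192.0.2.10:443         SYN_SENT        6896
  TCP    10.0.0.15:51003        198.51.100.7:22        SYN_SENT        1234
  TCP    [::1]:1051             [::1]:19872            ESTABLISHED     5120
  UDP    0.0.0.0:123            *:*                                    1200
'@ -split '\r?\n'

$conns = ConvertFrom-Netstat -Lines $sample
$conns | Format-Table Proto, LocalAddr, LocalPort, RemoteAddr, RemotePort, State, ProcessId, ProcessName -AutoSize
Get-SynSentSummary -Connections $conns
```

Because the output is objects rather than text, the redirection trick from the start of the post becomes a proper baseline: export one snapshot with Export-Csv, take another later, and Compare-Object on the two shows exactly which listening ports or connections appeared or disappeared in between.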

telnet

Despite having the obvious use of telnetting to a device (but we all use SSH, right … >_> <_<), you can also use it to check whether a port on a host is reachable, and to do some banner grabbing to see what a device is (more about this later …). On Windows Vista and later the telnet client is an optional feature that is off by default; enable it with dism /online /Enable-Feature /FeatureName:TelnetClient, or use Test-NetConnection -ComputerName host -Port port in PowerShell instead.

telnet (host) (port)

This opens a TCP session to the host on the specified port. If the port is open the screen goes blank or a banner appears; if the host is reachable but nothing is listening it fails straight away with Connect failed; if it just hangs, the SYN is being dropped on the way. While it is trying, you can use the previously discussed netstat tools on the client to confirm which case you are in: the socket shows SYN_SENT when the session is being dropped and ESTABLISHED when it is allowed.
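The three outcomes described above (open, refused, dropped) can be told apart programmatically with a raw TCP connect, which is also what makes the banner-grabbing use of telnet scriptable. The function below is an added example, not code from the original post: it reports open, refused (the host answered with a RST) or filtered (nothing came back before the timeout) and captures any banner the service sends first. The host and port are placeholders and the timeouts are assumptions.

```powershell
# Added example, not from the original post: the telnet-style port check done with
# a TcpClient, distinguishing open / refused (RST came back) / filtered (nothing
# came back) and grabbing any banner a service volunteers.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $ConnectTimeoutMs = 3000,   # assumed connect window
        [int] $BannerTimeoutMs  = 1500    # assumed wait for a server-speaks-first banner
    )

    function New-Result([string] $Result, [string] $Banner = '') {
        [pscustomobject]@{ Host = $ComputerName; Port = $Port; Result = $Result; Banner = $Banner }
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        try {
            $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($ConnectTimeoutMs)) {
                # Neither SYN-ACK nor RST inside the window: something dropped the SYN
                # (the same thing netstat shows as a connection stuck in SYN_SENT).
                return New-Result 'filtered'
            }
            $client.EndConnect($async)
        } catch {
            # PowerShell may wrap the SocketException; dig down to the real one.
            $ex = $_.Exception
            while ($ex -isnot [System.Net.Sockets.SocketException] -and $ex.InnerException) {
                $ex = $ex.InnerException
            }
            if ($ex -is [System.Net.Sockets.SocketException] -and
                $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                return New-Result 'refused'   # host reachable, nothing listening on the port
            }
            return New-Result "error: $($ex.Message)"   # e.g. name resolution or unreachable
        }

        # Connected. SSH, SMTP and FTP speak first, so wait briefly for a banner;
        # HTTP and TLS wait for the client, which shows up here as an empty banner.
        $stream = $client.GetStream()
        $stream.ReadTimeout = $BannerTimeoutMs
        $buf = New-Object byte[] 1024
        $banner = ''
        try {
            $n = $stream.Read($buf, 0, $buf.Length)
            if ($n -gt 0) { $banner = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() }
        } catch {
            # Read timed out or the peer closed without sending anything: no banner.
        }
        return New-Result 'open' $banner
    } finally {
        $client.Close()
    }
}

# Placeholder host from the post; try port 22 for a banner and a closed port for a refusal.
Test-TcpPort -ComputerName 'xx.xx.xx.5' -Port 22
```

The distinction between refused and filtered is the useful part: refused proves the packet reached the host and came back, so the problem is the service, while filtered means something between you and the host swallowed the SYN. The banner read only waits for protocols where the server talks first; an empty banner on an open port is normal for HTTP or TLS.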

arp

arp lets you see the contents of your ARP cache. This can be really useful when fault finding connectivity to a firewall: a complete entry for its address confirms you have Layer 2 reachability (the firewall answered your ARP request), so a problem beyond that is Layer 3 or filtering, whereas no entry at all points at the VLAN, the cabling or the firewall simply not answering ARP.

-a

Shows all ARP entries, with the type (dynamic or static) of each.

-d *

Deletes all ARP entries, which needs an elevated prompt. Handy after replacing a device so you don't keep sending to the old MAC address until the entry ages out.

ipconfig

ipconfig is a classic tool, often used and loved.

/all

Shows the MAC address of the device you are on as well as which DHCP server allocated your address (and the DNS servers you are using).

/flushdns

Flushes your DNS resolver cache, useful when you migrate servers and can't see them because the old address is still cached …

/displaydns

Shows the contents of the DNS resolver cache: every name you have resolved recently, with its remaining TTL.

nslookup

Another classic tool. A friend at work advised me of set d2, which turns on debug level 2 and prints the full query and response, so you can see exactly what the resolver sent and what came back. You can also direct a query at a specific server with nslookup name server, which is handy for comparing what different resolvers answer.

C:\Users\bruce>nslookup
Default Server: name
Address: xx.xx.xx.xx

> set d2
> google.com
Server: name
Address: xx.xx.xx.xx

------------
SendRequest(), len 28
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
google.com, type = A, class = IN

------------
------------
Got answer (340 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 11, authority records = 4, additional = 4

QUESTIONS:
google.com, type = A, class = IN
ANSWERS:
-> google.com
type = A, class = IN, dlen = 4
internet address = 74.125.237.73
ttl = 15 (15 secs)
…
-> google.com
type = A, class = IN, dlen = 4
internet address = 74.125.237.72
ttl = 15 (15 secs)
AUTHORITY RECORDS:
type = NS, class = IN, dlen = 6
nameserver = ns2.google.com
ttl = 124 (2 mins 4 secs)
-> google.com
type = NS, class = IN, dlen = 6
nameserver = ns3.google.com
ttl = 124 (2 mins 4 secs)
ADDITIONAL RECORDS:
-> ns1.google.com
type = A, class = IN, dlen = 4
internet address = 216.239.32.10
ttl = 610 (10 mins 10 secs)
…
-> ns4.google.com
type = A, class = IN, dlen = 4
internet address = 216.239.38.10
ttl = 617 (10 mins 17 secs)
…
Addresses: 2404:6800:4006:802::1000
74.125.237.73
74.125.237.78
…
74.125.237.72

>

And Finally,

resmon

The Resource Monitor is an inbuilt GUI Windows application that is really useful for looking at all kinds of system usage (CPU, memory, disk and network). It has pretty graphs, lets you filter by process, and its Network tab lists listening ports and TCP connections per process, which is a nice way to cross-check netstat -b. It is a nicer looking option than perfmon.

To run resmon just type "resmon" in the Run dialog (Win+R) or the Start menu search box.

[Screenshot: Resource Monitor (resmon) example, not reproduced here]
