Network Command Tools: ping, ipconfig, nslookup, tracert

Ping (Packet Internet Groper) is the most basic network diagnostic tool. It tests reachability between a source and destination host by sending Internet Control Message Protocol (ICMP) Echo Request packets and waiting for Echo Reply packets. The name originates from sonar technology, where a pulse of sound is sent and an echo is listened for.

How Ping Works 1. The ping command constructs an ICMP Echo Request packet with a specific Type (8) and Code (0). 2. The packet is encapsulated in an IP datagram with the source IP (your host) and destination IP (target). 3. If the destination is on the same subnet, the packet is sent directly via ARP to determine the MAC address. If on a different subnet, it is forwarded to the default gateway. 4. The destination host receives the packet, checks its ICMP stack, and generates an Echo Reply (Type 0, Code 0). The reply is sent back to the source, swapping source and destination IPs. 5. The source receives the reply, calculates the round-trip time (RTT), and displays the result.

Key Parameters and Defaults - ping <hostname or IP> – Sends 4 Echo Requests (Windows) or unlimited until Ctrl+C (Linux/macOS). The exam focuses on Windows defaults. - -t – Pings continuously until stopped (Windows). - -n <count> – Specifies number of Echo Requests (Windows). - -l <size> – Sets packet size in bytes (Windows default: 32 bytes). - -a – Resolves IP addresses to hostnames (Windows). - Timeout: Windows waits 4 seconds for each reply; if no reply, it shows "Request timed out." - TTL (Time to Live): Default 128 on Windows, 64 on Linux/macOS. Each router decrements TTL by 1. If TTL reaches 0, the router sends an ICMP Time Exceeded message.

Interpreting Ping Output - Reply from <IP>: Success. Shows bytes, time in ms, TTL. - Request timed out: No reply within 4 seconds. Could indicate network congestion, firewall blocking ICMP, host down, or routing issue. - Destination host unreachable: A router has no route to the destination. This is an ICMP Destination Unreachable (Type 3) message from an intermediate router. - General failure: Typically a local configuration issue (e.g., no IP address).

Common Exam Traps - A successful ping to a local IP but failure to a remote IP often points to a default gateway problem. - Ping to 127.0.0.1 (loopback) tests the local TCP/IP stack. Failure indicates a protocol stack issue. - Ping to the host's own IP tests if the IP is properly bound to the network adapter. - Firewalls can block ICMP, causing false negatives. The exam may present a scenario where ping fails but other connectivity works (e.g., web browsing).

ipconfig is the primary command for viewing and managing IP configuration on Windows systems. It displays current TCP/IP network configuration values and can refresh DHCP leases and DNS caches.

Key Commands and Output - ipconfig – Displays basic information for all adapters: IPv4 address, subnet mask, default gateway. - ipconfig /all – Displays detailed info: MAC address, DHCP status, lease obtained/expires, DNS servers, WINS servers, etc. - ipconfig /release – Releases the DHCP lease for the specified adapter (or all if no adapter specified). The adapter loses its IP address. - ipconfig /renew – Renews the DHCP lease. The adapter requests a new IP from the DHCP server. This is a two-step process: broadcast DHCPDISCOVER, then DHCPREQUEST. - ipconfig /flushdns – Clears the DNS resolver cache. Useful when DNS changes are not being picked up. - ipconfig /displaydns – Displays the contents of the DNS resolver cache. - ipconfig /registerdns – Initiates dynamic DNS registration for the adapter's IP and hostname.

Exam Focus - The exam tests knowledge of which command to use in specific scenarios. For example, if a user cannot connect to the internet after obtaining a new IP from DHCP, you might use ipconfig /all to verify the default gateway and DNS servers. - ipconfig /release and ipconfig /renew are often tested together. The correct sequence is release first, then renew. - ipconfig /flushdns is used when a website resolves to an old IP after a DNS change.

Common Misunderstandings - Candidates often confuse ipconfig with ifconfig (Linux/macOS). The exam expects Windows-specific commands for Windows scenarios. - ipconfig /renew does not work if the DHCP server is unreachable; the system may fall back to Automatic Private IP Addressing (APIPA) (169.254.x.x).

nslookup (Name Server Lookup) is a command-line tool for querying DNS servers to obtain domain name or IP address mapping. It can perform both forward (hostname to IP) and reverse (IP to hostname) lookups.

Interactive vs. Non-Interactive Mode - Non-interactive: nslookup <hostname> or nslookup <IP>. Returns the IP for a hostname or the hostname for an IP. - Interactive: Type nslookup without arguments. Then use commands like server <DNS server IP> to change the DNS server, set type=<record type> (e.g., MX, A, AAAA, CNAME, NS), and exit to quit.

Key Output Interpretation - Name: The queried hostname. - Addresses: The IP address(es) returned. Multiple addresses indicate round-robin DNS or multiple A records. - Non-authoritative answer: The response came from a caching DNS server, not the authoritative server for the domain. - Aliases: CNAME records that point to the canonical name. - DNS request timed out: The DNS server did not respond within the timeout period. - *** server can't find <name>: NXDOMAIN: The domain does not exist.

Exam Scenarios - Use nslookup to verify DNS resolution when a user can access a website by IP but not by hostname. This isolates the problem to DNS. - Use nslookup <hostname> <DNS server IP> to query a specific DNS server, e.g., nslookup example.com 8.8.8.8. - Reverse lookup: nslookup <IP> returns the PTR record.

Common Exam Traps - Candidates might think nslookup can test all network connectivity; it only tests DNS. - A successful nslookup does not guarantee that the hostname is reachable via ping or other protocols; it only confirms DNS resolution.

tracert (Trace Route) on Windows (traceroute on Linux/macOS) maps the path packets take from the source to a destination. It works by sending ICMP Echo Requests (Windows) or UDP packets (Linux) with incrementing TTL values.

How Tracert Works 1. The source sends a packet with TTL=1 to the destination. The first router decrements TTL to 0, discards the packet, and sends an ICMP Time Exceeded message (Type 11, Code 0) back to the source. 2. The source records the router's IP address and RTT. 3. The source sends a packet with TTL=2. The first router decrements to 1 and forwards; the second router decrements to 0 and sends Time Exceeded. 4. This continues until the packet reaches the destination. The destination, seeing TTL=1, does not send Time Exceeded; instead, it sends an ICMP Echo Reply (Windows) or a Port Unreachable (Linux). 5. The trace stops when a reply is received from the destination or when the maximum TTL (default 30) is reached.

Key Parameters - tracert <hostname/IP> – Default max hops = 30. - -h <maxhops> – Specifies maximum number of hops. - -d – Do not resolve IP addresses to hostnames (faster). - -w <timeout> – Wait timeout in milliseconds for each reply.

Interpreting Output - Each line shows hop number, RTT for three probes (Windows sends three packets per TTL), and the router's IP/hostname. - Request timed out: Indicates a router that does not respond to ICMP (common for firewalls) or packet loss. - Destination unreachable: A router cannot forward the packet further. - High RTT at a particular hop may indicate congestion or a slow link.

Exam Focus - Use tracert to identify where packet loss occurs in the path. For example, if all hops after hop 5 show timeouts, the problem is at hop 5 or beyond. - Tracert uses ICMP on Windows; knowing this helps differentiate from traceroute on Linux (UDP). - The exam may ask which tool to use to determine the path to a remote server.

The exam also covers: - pathping: Combines ping and tracert. It sends packets and then analyzes packet loss at each hop over a period (default 300 seconds). Useful for identifying network congestion. - netstat: Displays network connections, routing tables, interface statistics, and listening ports. Key options: -a (all connections and listening ports), -n (numeric addresses), -o (owning process ID), -r (routing table). - nbtstat: Used for NetBIOS over TCP/IP. nbtstat -n shows local NetBIOS names, nbtstat -a <IP> displays the remote machine's NetBIOS name table.

Common Exam Scenarios - Use netstat to verify that a service is listening on a specific port (e.g., netstat -an | findstr :80). - Use nbtstat when troubleshooting legacy NetBIOS name resolution issues. - Use pathping when intermittent packet loss is suspected.

Command Syntax Reminders - Windows: tracert, pathping, netstat, nbtstat. - Linux/macOS: traceroute, netstat (or ss), nslookup (or dig), ifconfig (or ip addr).

The exam expects knowledge of the Windows commands primarily, but may present Linux scenarios.

A user reports being unable to access the internet. The help desk follows a systematic ping-based approach: 1. ipconfig /all reveals the IP is 169.254.x.x (APIPA), indicating DHCP failure. 2. ipconfig /release then ipconfig /renew fails, confirming the DHCP server is unreachable. 3. Ping the loopback succeeds, but pinging the default gateway (manually set to 192.168.1.1) fails. 4. Checking the switch port shows the link light is off. A cable tester reveals a broken pair. Replacing the cable restores connectivity.

In this scenario, the tools quickly isolated the problem to Layer 1 (physical). The help desk avoided unnecessary router or server checks.

A company migrates its web server to a new IP. Users can access the site by IP but not by hostname. The admin uses: - nslookup www.company.com – returns the old IP. - ipconfig /flushdns on a client, then nslookup again – still old IP. - Checking the DNS server's cache and zone file reveals the old A record. After updating the zone and clearing the cache, nslookup returns the new IP. Users can now browse.

This demonstrates the importance of understanding DNS caching at both client and server levels.

A remote office experiences slow application performance. The network engineer runs: - pathping remote-server.com – the output shows 10% packet loss at hop 5 and 20% loss at hop 6. - Further investigation reveals a saturated WAN link at hop 5. The engineer prioritizes traffic and increases bandwidth, resolving the issue.

Pathping's ability to calculate per-hop loss over time made it the ideal tool, as ping and tracert only show instantaneous results.