CLI Tools: ping, tracert, nslookup, netstat

Ping is the most fundamental network connectivity test tool. It works by sending Internet Control Message Protocol (ICMP) Echo Request packets to a target host and waiting for ICMP Echo Reply packets. The tool measures round-trip time (RTT) and packet loss, giving immediate insight into whether a host is reachable and how responsive the path is.

ICMP Echo Mechanism: - Ping sends an ICMP type 8 (Echo Request) to the destination IP address. - The destination, if reachable and configured to respond, replies with ICMP type 0 (Echo Reply). - Each packet has a sequence number and timestamp to track individual responses. - Default payload size is 32 bytes (Windows) or 56 bytes (Linux/macOS). Total packet size is 84 bytes (including 20 bytes IP header + 8 bytes ICMP header).

Default Behavior and Options: - Windows: sends 4 Echo Requests by default, waits 4 seconds for each reply. - Linux/macOS: sends continuous Echo Requests until interrupted (Ctrl+C). - Key options: - -n count (Windows) or -c count (Linux): specify number of packets. - -t (Windows): ping continuously until interrupted. - -l size (Windows) or -s size (Linux): specify packet size. - -i TTL (Linux) or -h TTL (Windows? Actually -i on Windows sets TTL? Windows uses -i for TTL, but -h is not used. Windows: -i TTL sets Time to Live. Linux: -t TTL sets TTL.) - -f (Linux): set Don't Fragment flag to test MTU.

Interpreting Ping Output: - Success: Replies show source IP, sequence number, TTL, and RTT in milliseconds. - Timeout: Request timed out indicates no Echo Reply received within timeout. - Destination Host Unreachable: An intermediate router could not forward the packet (no route). - TTL Exceeded: A router decremented TTL to 0 and discarded the packet, sending ICMP Time Exceeded. - Packet Loss: Percentage of packets not replied. High loss indicates congestion or link issues. - RTT variations: High jitter (variance in RTT) suggests network congestion or path changes.

Ping is Layer 3 (Network Layer) tool. It does not test higher-layer services (e.g., web server running). A successful ping only proves IP connectivity and ICMP response.

Tracert maps the path packets take from source to destination, listing each hop (router) along the way. It exploits the TTL field in the IP header.

How Traceroute Works: 1. Sends packets with TTL=1. The first router decrements TTL to 0, discards the packet, and sends ICMP Time Exceeded (type 11) back to source. The source records the router's IP address and RTT. 2. Sends packets with TTL=2. The first router decrements to 1, forwards; second router decrements to 0, sends Time Exceeded. Source records second hop. 3. Continues incrementing TTL until the destination is reached or a maximum hop count (default 30). - Windows tracert uses ICMP Echo Requests; Linux traceroute uses UDP packets to high ports (default 33434-33534) by default, or ICMP with -I option.

Output Interpretation: - Each line shows hop number, router IP/hostname, and three RTT measurements (if three probes per hop; default). - Asterisks (* * *) indicate no response from that hop (router may not send Time Exceeded, or it's filtered). - High RTT at a hop suggests congestion or slow link. - Changes in path (different IPs) indicate asymmetric routing or load balancing.

Common Options: - -d (Windows): do not resolve IP addresses to hostnames (speeds up). - -h maximum_hops (Windows) or -m max_ttl (Linux): set max hops. - -w timeout (Windows): set wait time per reply. - -I (Linux): use ICMP Echo instead of UDP. - -T (Linux): use TCP SYN to port 80 (useful when ICMP/UDP blocked).

Limitations: - Many routers are configured not to send ICMP Time Exceeded, resulting in asterisks. - Load-balanced paths may show multiple IPs per hop or inconsistent paths. - Firewalls may block ICMP or UDP probes entirely.

Nslookup queries Domain Name System (DNS) servers to resolve domain names to IP addresses or perform reverse lookups (IP to name). It operates in two modes: interactive and non-interactive.

Non-Interactive Mode: nslookup domain_name returns the IP address(es) associated with that domain, using the system's default DNS server. nslookup IP_address performs a reverse DNS lookup (PTR record).

Interactive Mode: Type nslookup alone to enter interactive mode. Then set options: - server <DNS_server_IP>: query a specific DNS server. - set type=<record_type>: query specific record types (A, AAAA, MX, NS, CNAME, PTR, SOA, etc.). - set debug: show detailed query and response messages. - ls -d domain: list all records in a zone (often restricted).

Common Record Types for Exam: - A: IPv4 address - AAAA: IPv6 address - CNAME: canonical name (alias) - MX: mail exchange server - NS: authoritative name server - PTR: pointer for reverse lookup - SOA: start of authority (zone metadata) - TXT: text records (SPF, DKIM, etc.)

Interpreting Output: - Non-authoritative answer: The responding server is not authoritative for the domain; it cached the record. - Authoritative answer: The server is the authoritative source. - Server: Address: shows which DNS server answered. - *** Can't find domain: Non-existent domain (NXDOMAIN) or no record of requested type. - DNS request timed out: Server did not respond.

Nslookup vs. Dig: On Linux/macOS, dig is more powerful. nslookup is deprecated on some systems but still widely used and exam-relevant.

Netstat displays network connections, routing tables, interface statistics, and protocol-specific information. It is used to monitor active connections, listening ports, and network performance.

Common Options: - -a: show all connections and listening ports. - -n: show IP addresses and port numbers numerically (no name resolution). - -o: show owning process ID (Windows). - -p protocol: filter by protocol (TCP, UDP, etc.). - -r: display routing table. - -s: per-protocol statistics. - -e: Ethernet statistics. - -b (Windows): show executable name (requires admin).

Output Fields (for active connections): - Proto: protocol (TCP, UDP). - Local Address: local IP and port. - Foreign Address: remote IP and port. - State: TCP connection state (LISTENING, ESTABLISHED, TIME_WAIT, CLOSE_WAIT, etc.). - PID: process ID (with -o).

Common TCP States (Exam Relevance): - LISTENING: Server is waiting for incoming connection. - ESTABLISHED: Active connection established. - TIME_WAIT: Connection closing, waiting for final packets. - CLOSE_WAIT: Remote side closed, local waiting to close. - SYN_SENT: Actively trying to establish connection.

Use Cases: - Check if a service is listening on expected port (e.g., netstat -an | findstr :80). - Identify suspicious connections (unusual foreign addresses). - View routing table (netstat -r or route print). - Monitor interface statistics (netstat -e) for errors and collisions.

Limitations: - On modern systems, ss (socket statistics) on Linux is faster and more detailed. - Netstat output can be overwhelming on busy servers; use filters.

These tools work at different OSI layers:

In troubleshooting, you combine them: ping to test basic connectivity, tracert to find where packets drop, nslookup to verify DNS resolution, and netstat to check if local services are listening or if connections are established.

In a large enterprise with multiple branch offices, a network engineer uses ping to verify connectivity to remote sites. A common scenario is when users report slow application performance. The engineer pings the application server and notices high RTT (e.g., 300 ms vs baseline 20 ms). Then runs tracert and discovers a specific hop with high latency (e.g., an MPLS router experiencing congestion). This identifies the need to upgrade the WAN link or implement QoS. In another scenario, a website is unreachable. Ping to the IP works but nslookup returns 'Non-existent domain'. This indicates a DNS issue—the domain's A record was deleted or the authoritative server is misconfigured. The engineer uses nslookup with set type=SOA to check the SOA record and finds the zone is expired. The fix is to update the DNS zone on the primary DNS server. For security monitoring, netstat is used daily to detect unauthorized connections. A server administrator runs netstat -anb (Windows) and sees an unknown process connecting to a foreign IP on port 4444. This triggers an incident response. The admin terminates the process and blocks the IP. In cloud environments (AWS/Azure), these tools are used from bastion hosts because direct ICMP may be blocked. Engineers use traceroute with TCP (-T) to bypass firewalls. In DevOps, netstat is used in scripts to verify that containers are listening on expected ports after deployment. Performance considerations: Ping with large packets (-l 1472) can test MTU issues. Tracert with -w 5000 (5 sec timeout) prevents long waits. Nslookup with timeout=5 prevents hangs. Netstat on high-traffic servers may consume CPU; use ss instead on Linux for efficiency. Misconfigurations: Forgetting to allow ICMP in firewall rules causes ping to fail, leading to false alarms. Using tracert without -d on slow links wastes time on reverse DNS. Nslookup without specifying a server may use a misconfigured local DNS, giving false negatives. Netstat without -n may take long to resolve names, and missing -b may not show process names, hindering malware detection.