Network Troubleshooting Commands

Any computer connected to a network needs to be able to process communication protocols. This requirement has the benefit of offering query commands that give live feedback on different utilities that operate the network. The commands that launch those enquirers provide very useful information for network troubleshooting.

This guide to network troubleshooting commands includes a number of utilities of which you are probably already aware. However, the aim of this guide is to provide information on how to get the best out of these free facilities.

Although network monitoring tools offer better automation, using free network commands helps the network administrator get a better understanding of how a network operates.

You will find out about:

  • Ping
  • Telnet
  • TraceRoute
  • ARP
  • IPConfig/IFConfig
  • Netstat

Ping

Ping exploits a feature in the Internet Control Message Protocol. ICMP was specified to provide status feedback on connections and packet transmissions. Ping uses these confirmation messages to measure roundtrip time (RTT) on a path to a target.

The utility sends a small packet to a given address and waits for a response from the target computer. By default, the tool can also detect if a destination is unreachable – if no response arrives, there is a problem. This tool sends a series of test packets, which are ICMP echo requests.

The ping command is available in all operating systems and it behaves in much the same way for all versions. The command requires a destination IP address in order to launch. to You can give a domain name instead, so that ping will check on the DNS system that you are using. This is because the command first has to go and retrieve the destination IP address for the target.

There are slight variations in the format of the command according to the operating system running it. However, the options on the command can be written in any order and the target address can appear anywhere after the command name.

Ping on Windows

On Windows, the Ping utility sends four requests by default that can be altered through a switch in the command. Each packet contains 32 bytes of data. Switches or options, on the utility, are preceded by a minus sign (“-”). The only parameter for the command is the target name, which can be an IP address or a domain name. If the device being tested as the destination is on a local network, the target name can be that device’s hostname.

Important options to try are:

  • ? Gives the list of options
  • a Resolve the IP address given to a hostname before sending echo requests
  • i <number> Maximum number of hops to cross when replying (TTL)
  • l <number> Size of data payload
  • n <number> Number of requests to send
  • t Continuous request issued until the user specifies to stop with Control-C
  • w <number> Timeout in milliseconds to wait for a response

Ping on Windows Server

There are a couple of differences between the implementation of Ping on Windows and Windows Server. On Windows Server, the character that precedes each option is a slash (“/”). For example, the command to get a list of options on Windows Server is ping /h instead of ping -h. The list of options with Windows Server is shorter than the Windows version. The -c (routing compartment identifier) and -p (ping a Hyper-V server) options do not exist in the Windows Server versions.

Ping on Linux

Ping is included in the iputils package. However, you probably won’t need to install this because it is pre-loaded in just about all Linux distros. The main difference between Ping on Linux and Ping on Windows is that the data payload on a Linux Ping request packet is 56 bytes long. The results report shows the total packet size, including the header length – on a packet with a 56-byte payload this will be 64 bytes.

The default status of Ping on Linux is the interactive mode, which a user on a Windows system would need to use the -t option. The utility will keep sending out echo requests until the user types Control-C. At that point, the facility produces a summary report for the number of requests that have been successfully completed.

Options are indicated by a minus sign (“-”), as with the Windows implementation. The Linux version of Ping has more options than the Windows version and the two implementations use different codes for the same options.

Here are some key options in the Linux Ping implementation.

  • a Audible Ping Makes a beeping noise when a response is received.
  • b Ping to a broadcast address
  • c <number> Number of requests to send
  • i <number> The number of seconds to wait before sending each request in the series
  • l <number> Send the specified number of packets without waiting for a response
  • n Numeric output only
  • t <number> Maximum number of hops to cross when replying (TTL)
  • w <number> Length of time until the Ping execution terminates
  • W <number> Timeout in milliseconds to wait for a response

Ping on macOS

Macs have a Ping utility built into the graphical user interface. This can be found in the Network Utility screen, which you can access through Apple Menu > About this Mac > System Report > Window.

The ping command is also available in a Terminal session. This is a very similar implementation to that found in Linux. However, some of the options are different.

  • a Audible Ping Makes a beeping noise when a response is received
  • A Audible Ping with a beep when the wait for response times out
  • b <interface> Bind the socket to the specified interface
  • c <number> Number of requests to send
  • C Prohibit the socket from using a cellular network interface
  • i <number> The number of seconds to wait before sending each request in the series
  • l <number> Send the specified number of packets without waiting for a response
  • L Suppress loopback of multicast packets
  • m <number> Maximum number of hops to cross on outbound request (TTL)
  • n Numeric output only
  • t <number> Length of time until the Ping execution terminates
  • T <number> Maximum number of hops to cross for a multicast packet (TTL)
  • W <number> Timeout in milliseconds to wait for a response

Ping output

The results of the echo requests are shown with the RTT for each request expressed in milliseconds (ms) and a summary of statistics for the batch. While the Windows version shows the RTT of each received response in whole milliseconds, the Linux version shows the time in milliseconds down to three decimal places. Other differences in the results records are that the Linux version shows a sequence number, which is called icmp_seq.

On Windows, the summary gives the minimum, maximum, and average speed of requests in the batch, which is a metric needed to judge jitter. It also gives the total number of packets sent and received, plus the number of lost packets and a percentage of packet loss.

Command Prompt

The summary report on Linux and macOS shows the mean deviation of all the test requests as well as the minimum, maximum, and average RTT.

The output for the summary is different according to the computer that is contacted. Some computers respond with IPv6 addresses. You can force IPv4 addresses only by specifying the option -4 in the command (/4 in Windows Server).

An IPv6 response does not include a TTL value. The TTL report on each line gives the remaining TTL on the received packet. This enables you to work out the number of nodes the response crossed by deducting the TTL figure in the results from the original TTL on the packet. Different operating systems use different TTL starting points.

  • Routers: 255
  • Windows: 128
  • Linux: 64
  • macOS: 64

By looking at the TTL number, you can work out the OS of the remote computer. For example, if the TTL on a response is 54, it is unlikely that the response passed through 74 routers, so you can deduce that the remote computer is running Linux or macOS.

Telnet

Ping works at the Network level. It doesn’t recognize the Session Layer concept of ports. However, Telnet is able to work with ports, so this is the easiest utility to use for a quick check on specific ports. Telnet is a remote terminal protocol and it is one of the oldest TCP/IP protocols. You don’t need to log into a remote computer in order to test whether a port is open with Telnet.

Telnet on Windows and Windows Server

Although Telnet is bundled into Windows, it isn’t instantly available – you have to enable it.

  1. Search for the Control Panel in the Start bar search field.
  2. Click on the Control Panel icon in the search results screen.
  3. Select to show Large Icons in the Control Panel window.
  4. Click on Programs and Features.
  5. Click on Turn Windows features on or off. A popup window will appear.
  6. Scroll down in the list of features and check the Telnet Client box.
  7. Click OK and wait for the installer to complete.

Telnet on Linux

Telnet is free but not always available on all distros of Linux. If you get the message “command not found,” issue the command:

sudo apt-get install telnet

Telnet on macOS

Telnet is not automatically available on macOS. However, it is possible to install it. First, in a Terminal session, install Homebrew:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Next, install Telnet:

brew install telnet

Check port availability with Telnet

Once you have Telnet working on your computer, you just need to run the telnet command giving the IP address of the computer you want to check followed by the number of the port that you want to check. For example:

telnet 216.58.211.46 80

Telnet will also accept a domain name instead of an IP address. If the screen goes blank, the port is open and contactable. Press Control-] to get out of the Telnet environment. If the computer is not contactable or if it is available but the nominated port is not open, you will get the message “Could not open a connection to the host.

TraceRoute

TraceRoute is the second most important network troubleshooting command after Ping. The two utilities derive from the same source: the Internet Control Message Protocol. Ping tells you whether the destination computer is contactable. A response from the target computer also confirms that the route to that computer is working. TraceRoute reports back on each router in the path to a given destination.

TraceRoute does a lot more work than Ping and so it takes longer to run. Essentially, TraceRoute is a Ping on each router in the path to a given destination.

The Time To Live (TTL) field in a packet header dictates the maximum number of hops that the packet can pass through in order to reach its destination. Each router that handles the packet decrements the TTL value by 1. If the resulting number is zero, the router doesn’t pass the packet on but reports back to the source of the packet that transmission has been terminated. TraceRoute uses this report to compile a record of the router’s IP address and the RTT for the transaction. For each router in the path, TraceRoute will send out three packets.

When TraceRoute receives back responses from its three tests to the first router on the path, it sends out another packet to the target computer but with a TTL of 2. This packet gets past the first router and reaches the second. The test is performed three times and is then repeated with a TTL of 3 so that it reaches the next router in the path. This cycle of incrementing the TTL by one for each pass eventually gets packets to the computer that was given as the target for the transmission. When this occurs, TraceRoute reports on the RTT for the three tests to that address and then ends. RTT figures are shown in milliseconds (ms).

Unlike Ping, TraceRoute doesn’t give any performance summaries either on each line or overall. The command can be launched with either an IP address or a domain name for the final destination. Giving a domain name also tests the domain name system used by the source computer.

The tests to each router in the path are run from a standing start – they don’t show incremental results. Thus, it is probable that the further the test reaches, the longer the RTT will be. However, it is possible that the RTT for a later router can be shorter than the speed recorded by a closer router in the route. This strange behavior is the result of variable performance on the route.

TraceRoute on Windows and Windows Server

On both Windows and Windows Server, the TraceRoute command is the same: tracert. It needs a destination address, which can be an IP address or a domain name. There are a small number of options with the utility and the Windows version has more available options (nine) than the Windows Server implementation (seven). Options are prefixed by a minus sign (”-”). The command can be run without any options. If there are options on the command line, they must all be written before the destination address.

Some important options are:

  • ? Help
  • d Do not resolve addresses to hostnames
  • h Maximum number of hops
  • w Timeout for each test (in milliseconds)
  • 4 Use IPv4 addresses (not available in Windows Server)
  • 6 Use IPv6 addresses (not available in Windows Server)

Each results line shows the test number, the three test results in whole milliseconds, and then the destination hostname and address. Failed tests are represented by an asterisk (“*”).

Command Prompt

TraceRoute on Linux and macOS

TraceRoute is available on macOS and Fedora Linux but not on Ubuntu or Manjaro. To install the command on Ubuntu, type:

sudo apt-get install traceroute

On Manjaro, type:

sudo pacman -Sy traceroute

The TraceRoute command in Linux and macOS is traceroute and it takes a destination address either as an IP address or as a domain name. All options come between the command and the destination address, which can be an IP address or a domain name. There is one option, packetlength, which appears after the destination address as a whole number without a label.

Apart from packetlength, the Linux version has 26 options and the macOS version has 25. Here are some of the most important.

  • help Help
  • d Enable socket-level debugging
  • m Maximum number of hops
  • q <number> Number of tests per hop
  • w Timeout for each test (in milliseconds)
  • 4 Use IPv4 addresses (not available in macOS)
  • 6 Use IPv6 addresses (not available in macOS)

Each results line shows the test number, the destination hostname, and IP address, and then all of the tests for that hop expressed in milliseconds down to three decimal places on Linux or whole numbers on macOS. As with the Windows version, failed tests are represented by an asterisk (“*”).

ARP

ARP stands for the Address Resolution Protocol. It maintains a mapping between IP addresses and the physical, or MAC, addresses of the related host. This service is used for the devices attached to your own network rather than to examine remote devices across the internet. ARP includes options to insert or update records into the ARP table and also a query tool. All of these utilities have the same command: arp.

On Windows, Windows Server, and macOS, the command to get a list of all address mappings on the network is arp -a. On Linux, the command is arp. If you only want to see the ARP details for one specific device, you can enter its IP address at the end of the command – such as:

arp -a 192.168.1.1

The output of the arp query will also tell you whether the IP address is static (which means it is fixed) or dynamic (which means it is reallocated periodically through DHCP).

IPConfig/IFConfig

IPConfig and IFConfig manage the IP address allocation of a host. They give you the address details for each of the network interfaces for the computer that you issue the command on. Although it concerns one computer, some of the details that the utility gives pertain to the network or subnet that the computer belongs to.

The command to query the IP address settings on a computer running Windows, Windows Server, and macOS is ipconfig. On Linux, the command is ifconfig.

The command will show you which network interfaces on the computer are active, give the MAC address and IP address of the computer and also give the subnet mask and gateway IP address.

Netstat

Netstat shows all open connections and active daemons on a computer., This is a useful tool if you want to check on a server whether an expected service is actually running. In that scenario, you would need to log into the server and run the commands on that computer.

The command for Netstat on Windows, Windows Server, Linux, and macOS is the same: netstat.

There are many options available for the command and they are different per operating system. Fortunately, the three most important options that are the only ones you are ever likely to use are the same on all four key operating systems. These are:

  • a Include server ports in the output, which are not included in the default output
  • n Show port numbers and does not translate to names or associated protocols
  • o Show active TCP connections with the process ID for each (not available on macOS)

Options can be combined, so it isn’t necessary to separate them and put a minus sign in front of each. The results show a long list, so it is better to pipe the output to a paging utility. Eg:

netstat -an | more

On Macs, the Netstat utility is also available on the Network Utility screen. You reach this feature through Apple Menu > About this Mac > System Report > Window.