
Lesson 2: TCP/IP Utilities

Virtually every operating system with networking capabilities includes support for the TCP/IP protocols, and in most cases the TCP/IP stack includes an assortment of utilities that enable you to gather information about the various protocols and about the network. Traditionally, these utilities run from the command line, although graphical versions are sometimes supplied. In many cases, a program uses the same syntax, even on different operating systems. This lesson examines some of the most common TCP/IP utilities and the purposes for which they are used.


After this lesson, you will be able to

Estimated lesson time: 20 minutes


Ping

Ping is the most basic of the TCP/IP utilities. Virtually every TCP/IP implementation includes a version of Ping: on UNIX systems the program is called ping, and on Microsoft Windows it is Ping.exe. NetWare even includes a server-based version called Ping.nlm. Ping can tell you whether the TCP/IP stack of another system on the network is functioning normally. The Ping program generates a series of Echo Request messages using the Internet Control Message Protocol (ICMP) and transmits them to the computer whose name or IP address you specify on the command line. The basic syntax of the Ping program is as follows:

ping target

The target variable contains the IP address or name of a computer on the network. You can use either DNS names or NetBIOS names in Ping commands. The program resolves the name into an IP address before sending the Echo Request messages, and it then displays the address in its readout. Most Ping implementations also have command-line switches that enable you to modify the operational parameters of the program, such as the number of Echo Request messages it generates and the amount of data in each message.

All TCP/IP computers must respond to any Echo Request messages they receive by generating Echo Reply messages and transmitting them back to the sender. When the pinging computer receives the Echo Reply messages, it produces a display like the following:

Pinging cz1 [192.168.2.10] with 32 bytes of data:

Reply from 192.168.2.10: bytes=32 time<10ms TTL=128
Reply from 192.168.2.10: bytes=32 time<10ms TTL=128
Reply from 192.168.2.10: bytes=32 time<10ms TTL=128
Reply from 192.168.2.10: bytes=32 time<10ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

In the case of this Ping implementation (from Windows 2000), the display shows the IP address of the computer receiving the Echo Requests, the number of bytes of data included with each request, the elapsed time between the transmission of each request and the receipt of each reply, and the value of the Time To Live (TTL) field in the IP header. In this particular example, the target computer was on the same LAN, so the time measurement is very short—less than 10 milliseconds. When pinging a computer on the Internet, the interval is likely to be longer. A successful use of Ping like this one indicates that the target computer's networking hardware is functioning properly, as are the protocols, at least as high as the network layer of the OSI model. If the Ping test fails, one or both of the computers is experiencing a problem with its networking hardware or software.
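To make the Echo Request/Echo Reply exchange concrete, the following added example (not code from the book) builds the ICMP message that Ping sends, computes the RFC 1071 checksum that every ICMP message carries, and shows what the target does to turn the request into a reply. The 32-byte payload is constructed to match the "32 bytes of data" in the display above; the identifier 0x1234 and sequence numbers are likewise made up for the demonstration. Actually putting the message on the wire needs a raw socket and administrative privilege, so this runs entirely offline.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type field of an Echo Request
ICMP_ECHO_REPLY = 0     # type field of an Echo Reply
HEADER_FMT = "!BBHHH"   # type, code, checksum, identifier, sequence (8 bytes)

# Constructed 32-byte payload, the same size as Windows Ping uses by default.
SAMPLE_PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdef"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"               # pad an odd-length message for the last word
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    """A message whose checksum field is correct sums to zero over its whole length."""
    return icmp_checksum(packet) == 0


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Build an Echo Request: header with checksum zeroed, checksum computed, header refilled."""
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REQUEST, 0, csum, identifier, sequence)
    return header + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into its fields, rejecting short or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if not checksum_ok(packet):
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _csum, identifier, sequence = struct.unpack(HEADER_FMT, packet[:8])
    return {"type": msg_type, "code": code, "id": identifier,
            "seq": sequence, "payload": packet[8:]}


def make_echo_reply(request: bytes) -> bytes:
    """What the pinged host does: echo id, sequence and payload back with type 0."""
    fields = parse_icmp(request)
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, 0, 0, fields["id"], fields["seq"])
    csum = icmp_checksum(header + fields["payload"])
    header = struct.pack(HEADER_FMT, ICMP_ECHO_REPLY, 0, csum, fields["id"], fields["seq"])
    return header + fields["payload"]


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, SAMPLE_PAYLOAD)
    rep = make_echo_reply(req)
    print("request:", req[:8].hex(), "reply:", rep[:8].hex())
```

The identifier lets a host with several Ping sessions running tell whose reply has arrived, and the sequence number is what the statistics at the end of the display are counted from: a sequence number that never comes back is a lost packet.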

Traceroute

Traceroute is a variant of the Ping program that displays the path that packets take to their destination. Because of the nature of IP routing, paths through an internetwork can change from minute to minute, and Traceroute displays a list of the routers that are currently forwarding packets to a particular destination. The program is called traceroute on UNIX systems, Tracert.exe on Windows, and Iptrace.nlm on NetWare.

Traceroute uses ICMP Echo Request and Echo Reply messages just like Ping, but it modifies the messages by changing the value of the TTL field in the IP header. The TTL field is designed to prevent packets from getting caught in router loops that keep them circulating endlessly around the network. The computer generating the packet normally sets a relatively high value for the TTL field; on Windows systems, the default value is 128. Each router that processes the packet reduces the TTL value by one. If the value reaches zero, the last router discards the packet and transmits an ICMP error message back to the original sender.

When you start the Traceroute program with the name or IP address of a target computer, the program generates its first set of Echo Request messages with TTL values of one. When the messages arrive at the first router on their path, the router decrements their TTL values to zero, discards the packets, and reports the errors to the sender. The error messages contain the router's address, which the Traceroute program displays as the first hop in the path to the destination. Traceroute's second set of Echo Request messages uses a TTL value of two, causing the second router on the path to discard the packets and generate error messages. The third set of Echo Request messages has a TTL value of three, and so on. Each set of packets travels one hop farther than the previous set before causing a router to return error messages to the source. The list of routers displayed by Traceroute as the path to the destination is the result of these error messages. The following is an example of a Traceroute display:

Tracing route to www.abccorp.co.uk [173.146.1.1]
over a maximum of 30 hops:
1 <10 ms 1 ms <10 ms 192.168.2.99
2 105 ms 92 ms 98 ms qrvl-67terminal01.epoch.net [199.24.67.3]
3 101 ms 110 ms 98 ms qrvl.epoch.net [199.24.67.1]
4 123 ms 109 ms 118 ms svcr03-7b.epoch.net [199.24.103.125]
5 123 ms 112 ms 114 ms clsm02-2.epoch.net [199.24.88.26]
6 136 ms 130 ms 133 ms sl-gw19-pen-6-1-0-T3.sprintlink.net [144.228.116.5]
7 143 ms 126 ms 138 ms sl-bb10-pen-4-3.sprintlink.net [144.232.5.117]
8 146 ms 129 ms 133 ms sl-bb20-pen-12-0.sprintlink.net [144.232.5.1]
9 131 ms 128 ms 139 ms sl-bb20-nyc-13-0.sprintlink.net [144.232.18.38]
10 130 ms 134 ms 134 ms sl-gw9-nyc-8-0.sprintlink.net [144.232.7.94]
11 147 ms 149 ms 152 ms sl-demon-1-0.sprintlink.net [144.232.173.10]
12 154 ms 146 ms 145 ms ny2-backbone-1-ge021.router.demon.net [195.173.173.121]
13 230 ms 225 ms 226 ms tele-backbone-1-ge023.router.demon.net [195.173.173.12]
14 233 ms 220 ms 226 ms tele-core-3-fxp1.router.demon.net [194.159.252.56]
15 223 ms 224 ms 224 ms tele-access-1-14.router.demon.net [194.159.254.245]
16 236 ms 221 ms 226 ms tele-service-2-165.router.demon.net [194.159.36.149]
17 220 ms 224 ms 210 ms www.abccorp.co.uk [173.146.1.1]
Trace complete.

In this example, Traceroute is displaying the path between a computer in Pennsylvania and one in the United Kingdom. Each of the hops contains the elapsed times between the transmission and reception of three sets of Echo Request and Echo Reply packets. In this trace, you can clearly see the point at which the packets begin traveling across the Atlantic Ocean. At hop 13, the elapsed times increase from approximately 150 to 230 milliseconds (ms) and stay in that area for the subsequent hops. This additional delay of only 80 ms is the time it takes the packets to travel the thousands of miles across the ocean.

Traceroute can be a handy tool for isolating the location of a network communications problem. Ping simply tells you whether or not a problem exists; it can't tell you where. A failure to contact a remote computer could be due to a problem in your workstation, in the remote computer, or in any of the routers in between. Traceroute can tell you how far your packets are going before they run into the problem.
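Reading the round-trip columns by eye works for one trace, but when you keep traces as a baseline for a link it helps to have the comparison automated. The following added example (not from the book) parses Tracert.exe output in the format shown above, takes the median of the three probes for each hop, and reports every hop where the median jumps by more than a threshold over the previous hop; it also handles the `*` that Tracert.exe prints for a probe that timed out. The trace embedded as sample input is the one shown above. With a 50 ms threshold it flags hop 2, where the packets leave the LAN for the ISP, as well as hop 13, the transatlantic hop the text discusses; the 80 ms figure for hop 13 falls straight out of the medians.

```python
import statistics
from typing import List, Optional, Tuple

# The Tracert.exe output shown above, used here as sample input.
TRACE_OUTPUT = """Tracing route to www.abccorp.co.uk [173.146.1.1]
over a maximum of 30 hops:
1 <10 ms 1 ms <10 ms 192.168.2.99
2 105 ms 92 ms 98 ms qrvl-67terminal01.epoch.net [199.24.67.3]
3 101 ms 110 ms 98 ms qrvl.epoch.net [199.24.67.1]
4 123 ms 109 ms 118 ms svcr03-7b.epoch.net [199.24.103.125]
5 123 ms 112 ms 114 ms clsm02-2.epoch.net [199.24.88.26]
6 136 ms 130 ms 133 ms sl-gw19-pen-6-1-0-T3.sprintlink.net [144.228.116.5]
7 143 ms 126 ms 138 ms sl-bb10-pen-4-3.sprintlink.net [144.232.5.117]
8 146 ms 129 ms 133 ms sl-bb20-pen-12-0.sprintlink.net [144.232.5.1]
9 131 ms 128 ms 139 ms sl-bb20-nyc-13-0.sprintlink.net [144.232.18.38]
10 130 ms 134 ms 134 ms sl-gw9-nyc-8-0.sprintlink.net [144.232.7.94]
11 147 ms 149 ms 152 ms sl-demon-1-0.sprintlink.net [144.232.173.10]
12 154 ms 146 ms 145 ms ny2-backbone-1-ge021.router.demon.net [195.173.173.121]
13 230 ms 225 ms 226 ms tele-backbone-1-ge023.router.demon.net [195.173.173.12]
14 233 ms 220 ms 226 ms tele-core-3-fxp1.router.demon.net [194.159.252.56]
15 223 ms 224 ms 224 ms tele-access-1-14.router.demon.net [194.159.254.245]
16 236 ms 221 ms 226 ms tele-service-2-165.router.demon.net [194.159.36.149]
17 220 ms 224 ms 210 ms www.abccorp.co.uk [173.146.1.1]
Trace complete."""

# (hop number, round-trip times with None for a lost probe, router as printed)
Hop = Tuple[int, List[Optional[float]], str]


def parse_hop(line: str) -> Hop:
    """Parse one hop line: a number, then '<n> ms' or '*' per probe, then the router."""
    tokens = line.split()
    hop = int(tokens[0])
    rtts: List[Optional[float]] = []
    i = 1
    while i < len(tokens):
        if tokens[i] == "*":                              # probe timed out
            rtts.append(None)
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
            rtts.append(float(tokens[i].lstrip("<")))     # "<10 ms" is taken as 10
            i += 2
        else:
            break                                         # rest of the line is the router
    return hop, rtts, " ".join(tokens[i:])


def parse_trace(text: str) -> List[Hop]:
    """Keep only the hop lines; headers and 'Trace complete.' do not start with a digit."""
    return [parse_hop(line) for line in text.splitlines() if line.strip()[:1].isdigit()]


def hop_median(rtts: List[Optional[float]]) -> Optional[float]:
    """Median of the probes that answered, or None if all three were lost."""
    answered = [r for r in rtts if r is not None]
    return statistics.median(answered) if answered else None


def latency_jumps(hops: List[Hop], threshold_ms: float = 50.0) -> List[Tuple[int, float, str]]:
    """Hops whose median RTT exceeds the previous measurable hop's by at least threshold_ms."""
    jumps = []
    previous = None
    for hop, rtts, router in hops:
        median = hop_median(rtts)
        if median is None:
            continue                                      # nothing to compare against
        if previous is not None and median - previous >= threshold_ms:
            jumps.append((hop, median - previous, router))
        previous = median
    return jumps


def lossy_hops(hops: List[Hop]) -> List[int]:
    """Hops where at least one probe went unanswered."""
    return [hop for hop, rtts, _ in hops if any(r is None for r in rtts)]


if __name__ == "__main__":
    for hop, delta, router in latency_jumps(parse_trace(TRACE_OUTPUT)):
        print(f"hop {hop}: +{delta:.0f} ms at {router}")
```

A hop that shows `*` for every probe is not necessarily broken: some routers rate-limit or refuse to send ICMP error messages, so the function skips such hops rather than treating them as infinite delay, and loss is reported separately by `lossy_hops`.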

Ifconfig and Ipconfig.exe

UNIX systems have a program called ifconfig (the name is derived from interface configuration) that you use to assign TCP/IP configuration parameters to a particular network interface. Running ifconfig with just the name of an interface displays the current configuration of that interface. Windows 2000 and Windows NT have a version of this program that omits the configuration capabilities, retains the configuration display, and goes by the name Ipconfig.exe. Windows Me, Windows 98, and Windows 95 include a graphical version of the utility, called Winipcfg.exe.

When you run Ipconfig.exe with the /all parameter at the Windows 2000 command line, you see a display like the following:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : cz2-w2ksvr
Primary DNS Suffix . . . . . . . : zacker2.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : zacker2.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI
For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-01-02-68-24-DD
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.99
DNS Servers . . . . . . . . . . . : 199.224.86.15
199.224.86.16

Running the program with no parameters displays a limited list of configuration data. Running Winipcfg.exe (which you must do by finding the file in the \Windows directory and executing it, since there is no shortcut on the Start menu) produces a display like that shown in Figure 10.8.

Figure 10.8  The Windows 98 Winipcfg.exe utility

Both Ipconfig.exe and Winipcfg.exe have another function as well. These utilities are often associated with DHCP, because there is no easier way on a Windows system to see what IP address and other parameters the DHCP server has assigned to your computer. However, these programs also enable you to manually release IP addresses obtained through DHCP and renew existing leases. By running Ipconfig.exe with the /release and /renew command-line parameters or by using the Release, Renew, Release All, or Renew All buttons in Winipcfg.exe, you can release or renew the IP address assignment of one of the network interfaces in the computer or for all of the interfaces at once.
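Scripts that inventory Windows hosts frequently have to read the Ipconfig.exe /all display rather than a structured source, and two things in the output above trip up naive parsers: the adapter description wraps onto a second line, and the second DNS server appears on a line of its own with no key. The following added example (not from the book) parses the display into sections and fields, keeping every field as a list of lines so that both wrapped text and repeated values survive, and summarizes each adapter's addressing. The sample input is the display shown above; the section name "(global)" is a label this code supplies only if a display has no title line.

```python
import re
from typing import Dict, List, Optional

# The Ipconfig.exe /all display shown above, used here as sample input.
IPCONFIG_OUTPUT = """Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : cz2-w2ksvr
Primary DNS Suffix . . . . . . . : zacker2.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : zacker2.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI
For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-01-02-68-24-DD
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.99
DNS Servers . . . . . . . . . . . : 199.224.86.15
199.224.86.16
"""

# "Key . . . . : value" with the dotted leader; the key may run into the dots ("Enabled. . .").
KV_RE = re.compile(r"^(?P<key>.*?)(?: ?\.)+ ?: ?(?P<value>.*)$")

Config = Dict[str, Dict[str, List[str]]]


def parse_ipconfig(text: str) -> Config:
    """Return {section: {field: [lines...]}}; continuation lines attach to the last field."""
    sections: Config = {}
    current: Optional[Dict[str, List[str]]] = None
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = KV_RE.match(line)
        if match:
            if current is None:
                current = sections.setdefault("(global)", {})
            key = match.group("key").strip()
            value = match.group("value").strip()
            current[key] = [value] if value else []       # empty value: field present, no data
            last_key = key
        elif line.endswith(":") or current is None:
            # Title line ("Windows 2000 IP Configuration") or "Ethernet adapter <name>:"
            current = sections.setdefault(line.rstrip(":"), {})
            last_key = None
        elif last_key is not None:
            current[last_key].append(line)                # wrapped text or an extra value
    return sections


def first(fields: Dict[str, List[str]], key: str) -> Optional[str]:
    values = fields.get(key) or [None]
    return values[0]


def adapter_summary(cfg: Config) -> List[dict]:
    """One record per adapter section with the fields an inventory usually wants."""
    summary = []
    for name, fields in cfg.items():
        if "adapter" not in name.lower():
            continue
        summary.append({
            "adapter": name,
            "ip": first(fields, "IP Address"),
            "mask": first(fields, "Subnet Mask"),
            "gateway": first(fields, "Default Gateway"),
            "dhcp": first(fields, "DHCP Enabled") == "Yes",
            "dns": fields.get("DNS Servers", []),
        })
    return summary


if __name__ == "__main__":
    for record in adapter_summary(parse_ipconfig(IPCONFIG_OUTPUT)):
        print(record)
```

Because the display gives no signal that distinguishes a wrapped description from a second DNS server, the parser leaves that decision to the consumer: join the Description list with a space, treat DNS Servers as the list it is.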

ARP

The Address Resolution Protocol (ARP) enables a TCP/IP computer to convert IP addresses to the hardware addresses that data-link layer protocols need to transmit frames. IP uses ARP to discover the hardware address to which each of its datagrams will be transmitted. To minimize the amount of network traffic ARP generates, the computer stores the resolved hardware addresses in a cache in system memory. The information remains in the cache for a short period of time (usually 2 to 10 minutes), in case the computer has additional packets to send to the same address.

NOTE
For more information about ARP and its function, see Lesson 1: TCP/IP Protocols, in Chapter 8, "TCP/IP Fundamentals."

Windows systems include a command-line utility called Arp.exe that you can use to manipulate the contents of the ARP cache. For example, you can use Arp.exe to add to the cache the hardware addresses of computers you contact frequently, thus saving a little time and network traffic during the connection process. Addresses that you add to the cache manually are static, meaning that they are not deleted after the usual expiration period. The cache is stored in memory only, however, so it is erased when you reboot the computer. If you want to pre-load the cache whenever you boot your system, you can create a batch file containing Arp.exe commands and execute it from the Windows Startup group.

Arp.exe uses the following syntax:

ARP [-a {ipaddress}] [-n ipaddress] [-s ipaddress hwaddress {interface}] [-d ipaddress {interface}]
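The cache behaviour the two preceding paragraphs describe (hits avoid traffic, dynamic entries age out, static entries persist until deletion or reboot) can be modelled in a few dozen lines. The following added example (not from the book) does so, with methods named after the Arp.exe switches they correspond to. The LAN table, hardware addresses (from the 00-00-5E-00-53-xx documentation range) and two-minute lifetime are constructed for the demonstration; the real cache lifetime is whatever the operating system uses within the 2 to 10 minute range given above.

```python
from typing import Callable, Dict, List, Optional, Tuple


class ArpCache:
    """Model of a host's ARP cache: IP address -> (hardware address, expiry or None for static)."""

    def __init__(self, ttl_seconds: float = 120.0):
        self.ttl = ttl_seconds                         # assumed lifetime of a dynamic entry
        self._entries: Dict[str, Tuple[str, Optional[float]]] = {}
        self.requests_sent = 0                         # ARP Requests that actually went on the wire

    def add_static(self, ip: str, hwaddr: str) -> None:
        """Like 'arp -s ip hwaddr': the entry never expires."""
        self._entries[ip] = (hwaddr, None)

    def delete(self, ip: str) -> None:
        """Like 'arp -d ip'."""
        self._entries.pop(ip, None)

    def resolve(self, ip: str, now: float, wire_lookup: Callable[[str], str]) -> str:
        """Return the hardware address for ip, consulting the wire only on a miss."""
        entry = self._entries.get(ip)
        if entry is not None:
            hwaddr, expires_at = entry
            if expires_at is None or now < expires_at:
                return hwaddr                          # cache hit: no traffic generated
            del self._entries[ip]                      # dynamic entry has aged out
        self.requests_sent += 1
        hwaddr = wire_lookup(ip)                       # stands in for the ARP Request/Reply exchange
        self._entries[ip] = (hwaddr, now + self.ttl)
        return hwaddr

    def display(self, now: float) -> List[Tuple[str, str, str]]:
        """Like 'arp -a': (ip, hwaddr, 'static' or 'dynamic') for every live entry."""
        rows = []
        for ip, (hwaddr, expires_at) in sorted(self._entries.items()):
            if expires_at is None:
                rows.append((ip, hwaddr, "static"))
            elif now < expires_at:
                rows.append((ip, hwaddr, "dynamic"))
        return rows

    def reboot(self) -> None:
        """The cache lives in memory only, so a reboot empties it, static entries included."""
        self._entries.clear()


# Constructed LAN: what the wire would answer for each IP address.
LAN = {
    "192.168.2.99": "00-00-5E-00-53-01",
    "192.168.2.10": "00-00-5E-00-53-02",
}


def startup_batch(cache: ArpCache, static_entries: Dict[str, str]) -> None:
    """The batch file from the Startup group in the text: reload static entries after a boot."""
    for ip, hwaddr in static_entries.items():
        cache.add_static(ip, hwaddr)


if __name__ == "__main__":
    cache = ArpCache()
    cache.resolve("192.168.2.99", now=0, wire_lookup=LAN.__getitem__)
    cache.resolve("192.168.2.99", now=60, wire_lookup=LAN.__getitem__)
    print(cache.display(now=60), "requests on the wire:", cache.requests_sent)
```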

Netstat

Netstat is a command-line program that displays information about a TCP/IP computer's current network connections and about the traffic generated by the various TCP/IP protocols. On UNIX computers, the program is simply called netstat, and on Windows computers, it's called Netstat.exe. The command-line parameters differ for the various implementations of Netstat, but the information they display is roughly the same. The syntax for the Windows version of Netstat.exe is as follows:

NETSTAT [interval] [-a] [-p protocol] [-n] [-e] [-r] [-s]

Nbtstat.exe

Nbtstat.exe is a Windows command-line program that displays information about the NetBIOS over TCP/IP connections that Windows uses when communicating with other Windows computers on the TCP/IP LAN. The syntax for Nbtstat.exe is as follows:

NBTSTAT [-a name] [-A ipaddress] [-c] [-n] [-r] [-R] [-s] [-S] [-RR]

WARNING
Unlike the other utilities discussed in this section, the command-line parameters for Nbtstat.exe are case-sensitive.

Telnet

The Telecommunications Network Protocol (Telnet) is a command-line client/server program that essentially provides remote control capabilities for computers on a network. A user on one computer can run a Telnet client program and connect to the Telnet server on another computer. Once connected, the user can execute commands on the other system and view the results. It's important to distinguish this type of remote control access from simple access to the remote file system. When you use a Telnet connection to execute a program on a remote computer, the program actually runs on the remote computer. By contrast, if you use Windows to connect to a shared drive on another computer and execute a program, the program runs on your computer.

Telnet was originally designed for use on UNIX systems, and is still an extremely important tool for UNIX network administrators. The various Windows operating systems all include a Telnet client. Windows 2000 and Windows NT have strictly command-line clients, but Windows Me, Windows 98, and Windows 95 have a semi-graphical client that still provides command-line access to servers, as shown in Figure 10.9. Only Windows 2000 has a Telnet server. This is because Windows is primarily a graphical operating system, and there isn't much that you can do on a Windows server when you are connected to it with a character-based client like Telnet.

Figure 10.9  Windows 98 has a graphical Telnet client.

FTP

The File Transfer Protocol (FTP) is similar to Telnet, but it is designed for performing file transfers instead of executing remote commands. FTP includes basic file management commands, which can create and remove directories, rename and delete files, and manage access permissions. FTP has become a mainstay of Internet communications in recent years, but it also performs a vital role in communications between UNIX computers, all of which have both FTP client and server capabilities. All Windows computers have a character-based FTP client, but FTP server capabilities are built into the Internet Information Server (IIS) application that is included with Windows 2000 Server and Windows NT Server. Generally speaking, Windows computers don't need FTP for communications on the LAN because they can access the shared files on other computers directly. On many UNIX networks, however, FTP is an important tool for transferring files to and from remote computers.

Exercise 10.2: TCP/IP Utilities

Match the utilities in the left column with the functions in the right column.

1.  FTP

a.  Provides remote control access to a UNIX system

2.  Ipconfig.exe

b.  Displays TCP/IP configuration on a Windows 98 system

3.  Tracert.exe

c.  Creates cache entries containing IP and hardware addresses

4.  Ping

d.  Configures the network interface on a UNIX system

5.  Telnet

e.  Tests communications between two computers

6.  Netstat

f.  Transfers files between two computers

7.  Winipcfg.exe

g.  Displays network traffic statistics

8.  Nbtstat.exe

h.  Lists the routers forwarding packets to a particular destination

9.  Arp.exe

i.  Releases and renews IP address assignments on Windows 2000

10.  Ifconfig

j.  Displays NetBIOS connection information