Last Updated on March 5, 2022


In this article, we will go through some of the networking utilities for Windows that can be really helpful to troubleshoot network connectivity issues.

With the adoption of the DevOps culture, software developers are more involved in the operation and maintenance of production systems.  In other words, they are also responsible for maintaining, monitoring, and troubleshooting applications in production. This reality is becoming a trend in the industry.

For this reason, developers need to understand the specifics of the environment where their application is running. Since most applications require network connectivity, being able to troubleshoot the network stack is a skill that developers need to have nowadays.

Now, let’s take a look at these network troubleshooting command-line utilities for Windows operating systems.

Networking utilities for Windows

1. ARP

In a Local Area Network (LAN), devices communicate with each other by using physical hardware addresses, also known as MAC Addresses (Media Access Control). For the most part, network switches forward traffic based on the device MAC address. A MAC address is a 48-bit number that hardware manufacturers use to uniquely identify their devices.  

Basically, in a network using IPv4 addresses, the Address Resolution Protocol (ARP) maps IP addresses to MAC addresses in order to know exactly where to send the Ethernet frames. This IP-to-MAC mapping is kept in the cache of the device as a table, and you can use the arp command-line tool to display that cache.

For IPv6 addresses, the Address Resolution Protocol (ARP) is replaced by the Neighbor Discovery Protocol (NDP), which does the exact same job of discovering the link-layer addresses. However, IPv4 addresses are still largely used in LANs, so the arp command is still relevant today.

Practical arp options to remember

  • -a: Displays the current state of the arp table in the device cache.
  • -s <ip_address> <mac_address>: Adds a static arp cache entry to force the IP address provided to map to the provided MAC address.
  • -d <ip_address>: Deletes the mapping for the provided IP address on all network interfaces (NIC).

Examples

C:\Users\Username>arp -a

Interface: 10.0.0.4 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              12-34-56-78-9a-bc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
C:\Users\Username>arp /?

Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr] [-v]

  -a            Displays current ARP entries by interrogating the current
                protocol data.  If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed.  If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  -v            Displays current ARP entries in verbose mode.  All invalid
                entries and entries on the loop-back interface will be shown.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
                by if_addr.
  -d            Deletes the host specified by inet_addr. inet_addr may be
                wildcarded with * to delete all hosts.
  -s            Adds the host and associates the Internet address inet_addr
                with the Physical address eth_addr.  The Physical address is
                given as 6 hexadecimal bytes separated by hyphens. The entry
                is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the
                interface whose address translation table should be modified.
                If not present, the first applicable interface will be used.
Example:
  > arp -s 157.55.85.212   00-aa-00-62-c6-09  .... Adds a static entry.
  > arp -a                                    .... Displays the arp table.

2. IPCONFIG

Ipconfig is probably the most famous of all networking utilities for Windows. In other words, it’s practically impossible to be in the IT world and be clueless about the ipconfig command. Basically, this command is mostly used to display or update the current IP configuration of the Windows machine.

Practical ipconfig options to remember

  • /all: Displays the full TCP/IP configuration for all adapters.
  • /release: Releases the current DHCP IP address for all network adapters.
  • /renew: Renews the TCP/IP configuration by requesting an IP address from the DHCP server.
  • /displaydns: Displays the current DNS resolver cache.
  • /flushdns: Flushes the current DNS resolver cache.

Example

C:\Users\Username>ipconfig /?

USAGE:
    ipconfig [/allcompartments] [/? | /all |
                                 /renew [adapter] | /release [adapter] |
                                 /renew6 [adapter] | /release6 [adapter] |
                                 /flushdns | /displaydns | /registerdns |
                                 /showclassid adapter |
                                 /setclassid adapter [classid] |
                                 /showclassid6 adapter |
                                 /setclassid6 adapter [classid] ]

where
    adapter             Connection name
                       (wildcard characters * and ? allowed, see examples)

    Options:
       /?               Display this help message
       /all             Display full configuration information.
       /release         Release the IPv4 address for the specified adapter.
       /release6        Release the IPv6 address for the specified adapter.
       /renew           Renew the IPv4 address for the specified adapter.
       /renew6          Renew the IPv6 address for the specified adapter.
       /flushdns        Purges the DNS Resolver cache.
       /registerdns     Refreshes all DHCP leases and re-registers DNS names
       /displaydns      Display the contents of the DNS Resolver Cache.
       /showclassid     Displays all the dhcp class IDs allowed for adapter.
       /setclassid      Modifies the dhcp class id.
       /showclassid6    Displays all the IPv6 DHCP class IDs allowed for adapter.
       /setclassid6     Modifies the IPv6 DHCP class id.


The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                       ... Show information
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew any connection that has its
                                         name starting with EL
    > ipconfig /release *Con*        ... release all matching connections,
                                         eg. "Wired Ethernet Connection 1" or
                                             "Wired Ethernet Connection 2"
    > ipconfig /allcompartments      ... Show information about all
                                         compartments
    > ipconfig /allcompartments /all ... Show detailed information about all
                                         compartments




3. PING

This famous command is useful to verify TCP/IP connectivity to a computer. The ping command sends an ICMP echo request to a remote computer, waits for the echo reply, and measures the time the round trip took.

The Internet Control Message Protocol (ICMP) is a layer-3 protocol used to diagnose IP connectivity issues, so it does not rely on any transport-layer protocol such as TCP or UDP. That makes it a very lightweight protocol.

Practical ping options to remember

  • <target>: Sends 4 echo request messages to the specified target.
  • -n <count> <target>: Sends the specified number of echo request messages.
  • -t <target>: Pings forever until you stop it manually (CTRL + C).

Examples

C:\Users\Username>ping google.com

Pinging google.com [172.217.13.78] with 32 bytes of data:
Reply from 172.217.13.78: bytes=32 time=6ms TTL=111
Reply from 172.217.13.78: bytes=32 time=5ms TTL=111
Reply from 172.217.13.78: bytes=32 time=5ms TTL=111
Reply from 172.217.13.78: bytes=32 time=5ms TTL=111

Ping statistics for 172.217.13.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 6ms, Average = 5ms
C:\Users\Username> ping /?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] [-R] [-S srcaddr] [-c compartment] [-p]
            [-4] [-6] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet (IPv4-only).
    -i TTL         Time To Live.
    -v TOS         Type Of Service (IPv4-only. This setting has been deprecated
                   and has no effect on the type of service field in the IP
                   Header).
    -r count       Record route for count hops (IPv4-only).
    -s count       Timestamp for count hops (IPv4-only).
    -j host-list   Loose source route along host-list (IPv4-only).
    -k host-list   Strict source route along host-list (IPv4-only).
    -w timeout     Timeout in milliseconds to wait for each reply.
    -R             Use routing header to test reverse route also (IPv6-only).
                   Per RFC 5095 the use of this routing header has been
                   deprecated. Some systems may drop echo requests if
                   this header is used.
    -S srcaddr     Source address to use.
    -c compartment Routing compartment identifier.
    -p             Ping a Hyper-V Network Virtualization provider address.
    -4             Force using IPv4.
    -6             Force using IPv6.

You need to be aware that many devices on the internet are configured to ignore ping requests or to limit the number of ICMP responses they send. Therefore, if the ping command times out, it does not necessarily mean that there is no connectivity between the two machines. It really depends on the context of the test you are doing and on the configuration of the target machine.
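
As an added example (not code from the article), this Python script parses a Windows ping session like the one above, computes the same loss and min/max/avg figures ping prints, and uses the TTL in each reply to estimate how many routers away the host is. The estimate rests on the assumption that the replying host started with one of the usual initial TTLs (64, 128 or 255) and that each router decremented it by one, which is the same behaviour tracert relies on; the sample output is constructed from the session above with one reply replaced by a timeout.

```python
import re

# Constructed sample based on the ping session above, with one reply replaced by
# a timeout so that loss handling is exercised.
PING_OUTPUT = """\
Pinging google.com [172.217.13.78] with 32 bytes of data:
Reply from 172.217.13.78: bytes=32 time=6ms TTL=111
Request timed out.
Reply from 172.217.13.78: bytes=32 time=5ms TTL=111
Reply from 172.217.13.78: bytes=32 time=5ms TTL=111
"""

REPLY_RE = re.compile(r"^Reply from (\S+): bytes=(\d+) time([=<])(\d+)ms TTL=(\d+)")
TIMEOUT_RE = re.compile(r"^Request timed out\.")

# Initial TTL values that common operating systems put in outgoing packets
# (assumption: the replying host uses one of these defaults).
INITIAL_TTLS = (64, 128, 255)


def parse_ping(text):
    """Count sent/received echo requests and collect RTTs (ms) and TTLs from ping output."""
    sent = received = 0
    rtts, ttls = [], []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            sent += 1
            received += 1
            # Windows prints "time<1ms" for sub-millisecond replies; count that as 0 ms.
            rtts.append(0 if m.group(3) == "<" else int(m.group(4)))
            ttls.append(int(m.group(5)))
        elif TIMEOUT_RE.match(line):
            sent += 1                   # a timeout still counts as a request sent
    return {"sent": sent, "received": received, "rtts": rtts, "ttls": ttls}


def summarize(result):
    """Loss percentage and min/max/avg, using the integer average ping itself prints."""
    sent, received, rtts = result["sent"], result["received"], result["rtts"]
    loss_pct = round(100 * (sent - received) / sent) if sent else 0
    if not rtts:
        return {"loss_pct": loss_pct, "min": None, "max": None, "avg": None}
    return {"loss_pct": loss_pct, "min": min(rtts), "max": max(rtts),
            "avg": sum(rtts) // len(rtts)}


def estimate_hops(ttl):
    """Routers crossed by the reply: the nearest default initial TTL minus the TTL seen.

    Each router decrements TTL by one, so TTL=111 most likely means a host that
    started at 128 and is about 17 hops away.
    """
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


if __name__ == "__main__":
    result = parse_ping(PING_OUTPUT)
    print(summarize(result))
    for ttl in sorted(set(result["ttls"])):
        print(f"TTL={ttl}: about {estimate_hops(ttl)} hops away")
```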

4. PATHPING

The pathping command is a more advanced ping that sends multiple echo requests to each router between the source and the destination. So, it is a convenient command to check the latency in the network and determine whether there is packet loss. In addition, this command computes statistics over a specified period and outputs the result in a tabular format.

Practical pathping options to remember

  • <target>: Sends echo requests to the network hops between the source and the destination. The maximum number of hops is 30 by default.
  • -h <count> <target>: regular pathping command with a specified maximum number of hops.
  • -n <target>: Displays only the IP addresses of the routers. Basically, there is no name resolution that will take place to display the names of the routers.

Examples

In the following example, you can notice that the routers between the source and the destination are not responding to echo requests. This explains the asterisks (*) that you can see in the result.

C:\Users\Username>pathping -n google.com

Tracing route to google.com [172.217.15.78]
over a maximum of 30 hops:
  0  10.0.0.4
  1     *        *        *
Computing statistics for 0 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           10.0.0.4

Trace complete.
C:\Users\Username>pathping /?

Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n]
                [-p period] [-q num_queries] [-w timeout]
                [-4] [-6] target_name

Options:
    -g host-list     Loose source route along host-list.
    -h maximum_hops  Maximum number of hops to search for target.
    -i address       Use the specified source address.
    -n               Do not resolve addresses to hostnames.
    -p period        Wait period milliseconds between pings.
    -q num_queries   Number of queries per hop.
    -w timeout       Wait timeout milliseconds for each reply.
    -4               Force using IPv4.
    -6               Force using IPv6.

5. TRACERT

Tracert is a network diagnostic command-line utility that displays the route hops between the source and the destination.

Basically, this command uses ICMP echo requests as well, like ping and pathping. However, tracert leverages the Time To Live (TTL) field of the packet, which is decremented by each router on the way to the destination. When the TTL value reaches 0, the router is supposed to return a Time Exceeded message, which tracert analyzes before moving on to the next router.

Practical tracert options to remember

  • <target>: This is the regular tracert command where the maximum number of hops is 30.
  • -h <count> <target>: This is the same tracert command with a specified maximum number of hops.
  • -d <target>: Displays only the IP addresses of the routers. That means no name resolution takes place to display the names of the routers.

NB: Some routers will be displayed as asterisks (*) in the tracert result because they are configured to ignore ICMP echo requests with an expired TTL value for security reasons.

Examples

As in the pathping example, we can clearly observe the same thing here: the routers between the source and the destination are not replying to echo requests.

C:\Users\Username>tracert -d google.com

Tracing route to google.com [172.217.7.206]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     5 ms     5 ms     5 ms  172.217.7.206

Trace complete.
C:\Users\Username>tracert /?

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout]
               [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.
    -R                 Trace round-trip path (IPv6-only).
    -S srcaddr         Source address to use (IPv6-only).
    -4                 Force using IPv4.
    -6                 Force using IPv6.

6. NETSTAT

Netstat is a very useful command that displays information about:

  • Active TCP connections
  • All TCP and UDP ports on which the computer is listening
  • IPv4 statistics
  • IPv6 statistics

Practical netstat options to remember

  • -a: Displays all active TCP connections and the ports that are in listen mode (i.e. for both TCP and UDP).
  • -n: Same as -a, except that the IP addresses and ports are displayed in numerical form.
  • -o: Outputs all active TCP connections, including the process ID that owns each connection.
  • -s: Displays IP statistics by protocol.

Examples

[Screenshot: netstat output showing active connections from a temporary VM]

C:\Users\Username>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -q            Displays all connections, listening ports, and bound
                nonlistening TCP ports. Bound nonlistening ports may or may not
                be associated with an active connection.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  -x            Displays NetworkDirect connections, listeners, and shared
                endpoints.
  -y            Displays the TCP connection template for all connections.
                Cannot be combined with the other options.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
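
The netstat section only has a screenshot, so here is an added Python example (not from the article) that parses `netstat -ano` style output, the combination of -a, -n and -o described above, and lists the listening sockets that other machines can actually reach together with the owning PID. Every port in that list should correspond to a service you expect and to a firewall rule you know about. The sample rows are constructed for the demo; the addresses and PIDs are made up.

```python
# Constructed sample in the format printed by `netstat -ano` (addresses and PIDs
# are made up for the demo; this is not the screenshot's content).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       4212
  TCP    10.0.0.4:50408         13.66.209.53:3389      ESTABLISHED     6340
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2280
  UDP    [::1]:1900             *:*                                    5104
"""

LOOPBACKS = {"127.0.0.1", "::1"}


def split_endpoint(endpoint):
    """'10.0.0.4:50408' -> ('10.0.0.4', 50408); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")                     # IPv6 addresses are bracketed
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                            # header, blank, or title line
        proto = parts[0]
        local_host, local_port = split_endpoint(parts[1])
        # TCP rows carry a State column; UDP rows do not, so the PID shifts left.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[4] if proto == "TCP" else parts[3])
        rows.append({"proto": proto, "host": local_host, "port": local_port,
                     "foreign": parts[2], "state": state, "pid": pid})
    return rows


def network_reachable_listeners(rows):
    """Listening sockets bound to a wildcard or an interface address, not just loopback.

    Returns (proto, host, port, pid) tuples; UDP sockets are always treated as
    listening because netstat shows no state for them.
    """
    result = []
    for r in rows:
        listening = r["state"] == "LISTENING" if r["proto"] == "TCP" else True
        if listening and r["host"] not in LOOPBACKS:
            result.append((r["proto"], r["host"], r["port"], r["pid"]))
    return result


if __name__ == "__main__":
    for proto, host, port, pid in network_reachable_listeners(parse_netstat(NETSTAT_OUTPUT)):
        scope = "all interfaces" if host in ("0.0.0.0", "::") else host
        print(f"{proto} port {port} listening on {scope}, owned by PID {pid}")
```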




7. NSLOOKUP

Nslookup is a command-line tool that is useful when troubleshooting DNS issues. It offers a non-interactive mode for simple DNS lookups and an interactive mode for more complex queries.

Practical nslookup options to remember

  • <target>: Performs a DNS lookup for the specified target in order to get the IP addresses (A records) of that domain name. If the specified target is an IP address, it returns the name of the computer corresponding to that IP address.
  • Enter (no arguments): Running nslookup on its own starts the interactive mode of the tool, which offers more options:
    • server <name>: Changes the DNS server that will be used to perform the lookup.
    • set type=<record_type>: Specifies the DNS record type to query during the lookup. The default record type is A, which corresponds to the IP address information. For example, you can use “set type=MX” to retrieve the mail exchanger information.

Examples

C:\Users\Username>nslookup google.com
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4004:801::200e
          172.217.7.206
C:\Users\Username>nslookup
Default Server:  UnKnown
Address:  168.63.129.16

> set type=MX
> outlook.com
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
outlook.com     MX preference = 5, mail exchanger = outlook-com.olc.protection.outlook.com

outlook-com.olc.protection.outlook.com  internet address = 104.47.13.33
outlook-com.olc.protection.outlook.com  internet address = 104.47.12.33
(root)  ??? unknown type 41 ???
>

8. ROUTE

The route command is used to view or update the content of the IP routing table of the device. Before modifying the routing table, you really need to make sure that you understand the layer-3 configuration of the network. For this reason, this command is more often used by network or IT admins than by application developers.

Practical route options to remember

  • print: Displays the content of the IP routing table.
  • add: Adds an entry in the routing table.
  • delete: Deletes an entry in the routing table.

9. NETSH

Netsh, also known as the network shell command, is a powerful utility used to display or modify the network configuration of a Windows computer (locally or remotely).

Basically, with this command-line tool, you can edit the LAN/WLAN configuration, Windows firewall, and routing settings.

Practical netsh options to remember

  • interface ip show
    • config: Displays the configuration of all network interfaces on the computer.
    • tcpconnections: Displays all TCP active connections.
    • udpconnections: Displays all ports where an application is listening for UDP connections.
  • advfirewall show currentprofile: Displays the properties of the active firewall profile.

Examples

C:\Users\Username>netsh advfirewall show currentprofile

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.
C:\Users\Username>netsh /?

Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
             [Command | -f ScriptFile]

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a list of entries.
advfirewall    - Changes to the `netsh advfirewall' context.
branchcache    - Changes to the `netsh branchcache' context.
bridge         - Changes to the `netsh bridge' context.
delete         - Deletes a configuration entry from a list of entries.
dhcpclient     - Changes to the `netsh dhcpclient' context.
dnsclient      - Changes to the `netsh dnsclient' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
firewall       - Changes to the `netsh firewall' context.
help           - Displays a list of commands.
http           - Changes to the `netsh http' context.
interface      - Changes to the `netsh interface' context.
ipsec          - Changes to the `netsh ipsec' context.
ipsecdosprotection - Changes to the `netsh ipsecdosprotection' context.
lan            - Changes to the `netsh lan' context.
namespace      - Changes to the `netsh namespace' context.
netio          - Changes to the `netsh netio' context.
ras            - Changes to the `netsh ras' context.
rpc            - Changes to the `netsh rpc' context.
set            - Updates configuration settings.
show           - Displays information.
trace          - Changes to the `netsh trace' context.
wfp            - Changes to the `netsh wfp' context.
winhttp        - Changes to the `netsh winhttp' context.
winsock        - Changes to the `netsh winsock' context.

The following sub-contexts are available:
 advfirewall branchcache bridge dhcpclient dnsclient firewall http interface ipsec ipsecdosprotection lan namespace netio ras rpc trace wfp winhttp winsock

To view help for a command, type the command, followed by a space, and then
 type ?.
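
An added example (not from the article): a Python script that parses the `netsh advfirewall show currentprofile` output shown above into a settings map and reviews it. The review rules (firewall on, inbound blocked by default, remote management off, dropped connections logged so that the pfirewall.log file actually shows what was blocked while you troubleshoot) are my own assumptions about what to check, not anything netsh enforces; the sample text is the Private profile output from above.

```python
import re

# The `netsh advfirewall show currentprofile` output from above (Private profile).
PROFILE_OUTPUT = r"""Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:")
# A setting is a word (or words) separated from its value by at least two spaces.
SETTING_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s{2,}(\S.*?)\s*$")


def parse_profiles(text):
    """Return {profile_name: {setting: value}} from netsh advfirewall output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            profiles[current][m.group(1)] = m.group(2)
    return profiles


def review_profile(settings):
    """Return the findings a troubleshooter or hardening review would raise (assumed rules)."""
    findings = []
    if settings.get("State") != "ON":
        findings.append("firewall is OFF for this profile")
    policy = settings.get("Firewall Policy", "")
    if not policy.startswith("BlockInbound"):
        findings.append(f"inbound default is not block ({policy})")
    if settings.get("RemoteManagement") == "Enable":
        findings.append("remote firewall management is enabled")
    if settings.get("LogDroppedConnections") != "Enable":
        findings.append("dropped connections are not logged; enable it to see blocked traffic in "
                        + settings.get("FileName", "the firewall log"))
    return findings


if __name__ == "__main__":
    for name, settings in parse_profiles(PROFILE_OUTPUT).items():
        print(f"{name} profile: {len(settings)} settings parsed")
        for finding in review_profile(settings):
            print(f"  - {finding}")
```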

10. PSPING from Sysinternals

PsPing is a command-line utility that is part of the Windows Sysinternals suite. You can download this tool from the Microsoft website.

To summarize, PsPing offers the possibility to do either an ICMP ping or a TCP ping. In addition, it also provides the ability to measure network latency and bandwidth. This tool is very useful to perform TCP pings when the target machine is configured to ignore ICMP pings.

Example

In the following example, we are doing a TCP ping on the RDP port of a temporary VM (i.e. this VM does not exist anymore 😁).

C:\Users\Username\Downloads\PSTools>PsPing snakevm2.westus2.cloudapp.azure.com:3389

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 13.66.209.53:3389:
5 iterations (warmup 1) ping test:
Connecting to 13.66.209.53:3389 (warmup): from 10.0.0.4:50407: 63.22ms
Connecting to 13.66.209.53:3389: from 10.0.0.4:50408: 69.20ms
Connecting to 13.66.209.53:3389: from 10.0.0.4:50409: 68.44ms
Connecting to 13.66.209.53:3389: from 10.0.0.4:50411: 66.71ms
Connecting to 13.66.209.53:3389: from 10.0.0.4:50412: 67.23ms

TCP connect statistics for 13.66.209.53:3389:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 66.71ms, Maximum = 69.20ms, Average = 67.90ms
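
As an added example (not PsPing's own code), here is a minimal TCP ping in Python that measures what PsPing measures above: the time to complete a TCP handshake to a port, with a warmup round that is not counted and the same sent/received/lost and min/max/avg summary. Because ICMP may be filtered while the service port is open, this is the check that still works in that case. The target is a throwaway listener on 127.0.0.1 constructed inside the script so the demo runs offline; point `tcp_ping` at a real host and port to use it for troubleshooting.

```python
import socket
import statistics
import threading
import time


def tcp_ping(host, port, iterations=4, warmup=1, timeout=2.0):
    """TCP ping as PsPing does it: complete a TCP handshake, time it, close the socket.

    Returns (rtts_ms, lost): connect times for the counted rounds and the number of
    counted attempts that were refused or timed out. Warmup rounds run but are not
    counted, matching PsPing's "warmup 1" line above.
    """
    rtts, lost = [], 0
    for i in range(warmup + iterations):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                elapsed_ms = (time.perf_counter() - start) * 1000
        except OSError:            # refused and timed out are both OSError subclasses
            elapsed_ms = None
        if i < warmup:
            continue
        if elapsed_ms is None:
            lost += 1
        else:
            rtts.append(elapsed_ms)
    return rtts, lost


def tcp_ping_stats(rtts, lost):
    """Summary in the shape of PsPing's 'TCP connect statistics' block."""
    sent = len(rtts) + lost
    loss_pct = round(100 * lost / sent) if sent else 0
    if not rtts:
        return {"sent": sent, "received": 0, "loss_pct": loss_pct,
                "min": None, "max": None, "avg": None}
    return {"sent": sent, "received": len(rtts), "loss_pct": loss_pct,
            "min": round(min(rtts), 2), "max": round(max(rtts), 2),
            "avg": round(statistics.mean(rtts), 2)}


def start_local_listener():
    """Throwaway TCP listener on 127.0.0.1 (constructed target so the demo runs offline).

    Returns (port, stop); stop() closes the listener and waits for its thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))         # port 0: let the OS pick a free port
    srv.listen(16)
    srv.settimeout(0.2)                # so the accept loop can notice the stop flag
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()  # accept and close right away, like an idle service
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stopping.set()
        worker.join()

    return srv.getsockname()[1], stop


if __name__ == "__main__":
    port, stop = start_local_listener()
    rtts, lost = tcp_ping("127.0.0.1", port)
    for rtt in rtts:
        print(f"Connecting to 127.0.0.1:{port}: {rtt:.2f}ms")
    print(tcp_ping_stats(rtts, lost))
    stop()
```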

Other networking utilities for Windows (Beyond command-line)

If you are someone who prefers working with a user interface, here are some interesting networking utilities for Windows that you can use to troubleshoot network issues.

TcpView tool from Sysinternals

TcpView is another interesting tool provided by the Windows Sysinternals suite. However, this one is not a command-line utility. TcpView is a Windows program that lists all TCP and UDP ports opened on your system. It displays a subset of the information available through netsh or netstat. It’s just an alternative for people who like viewing information in a UI.

Wireshark

Wireshark is a free network protocol analyzer that you can use to troubleshoot network issues or analyze communication protocols. It offers a GUI that conveniently displays the information captured. This is the ultimate tool to use to see and analyze network packets in detail.

Zenmap

Zenmap is the official GUI for the famous open-source network exploration tool Nmap. Nmap is a popular tool that many IT security specialists use to conduct port scanning and penetration tests in the network. It’s a multi-platform command-line tool that is included in the Kali Linux toolbox. In a nutshell, Zenmap is just the GUI for Nmap, for people who prefer working with a user interface.

That’s it!

With all these networking utilities for Windows, you will be as equipped as a system administrator to get the job done like a pro. I recommend practicing with these tools in order to get familiar with them. This way, you will be ready to select the appropriate tool to investigate and troubleshoot issues depending on the scenario that you are facing.