Last Updated on March 5, 2022
In this article, we will go through some of the networking utilities for Windows that can be really helpful to troubleshoot network connectivity issues.
With the adoption of the DevOps culture, software developers are more involved in the operation and maintenance of production systems. In other words, they are also responsible for maintaining, monitoring, and troubleshooting applications in production. This reality is becoming a trend in the industry.
For this reason, developers need to understand the specificities of the environment where their application is running. Since most applications require network connectivity, being able to troubleshoot the network stack is a skillset that developers need to have nowadays.
Now, let’s take a look at these network troubleshooting command-line utilities for Windows operating systems.
Networking utilities for Windows
In a Local Area Network (LAN), devices communicate with each other by using physical hardware addresses, also known as MAC Addresses (Media Access Control). For the most part, network switches forward traffic based on the device MAC address. A MAC address is a 48-bit number that hardware manufacturers use to uniquely identify their devices.
In a network using IPv4 addresses, the Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that a host knows exactly where to send its Ethernet frames. This IP-to-MAC mapping is kept in the device's cache as a table, and you can use the arp command-line utility to display that cache.
For IPv6 addresses, ARP is replaced by the Neighbor Discovery Protocol (NDP), which does the same job of discovering link-layer addresses. However, IPv4 addresses are still largely used in LANs, so the arp command is still relevant today.
Practical arp options to remember
- -a: Displays the current state of the arp table in the device cache.
- -s <ip_address> <mac_address>: Adds a static arp cache entry to force the IP address provided to map to the provided MAC address.
- -d <ip_address>: Deletes the mapping for the provided IP address on all network interfaces (NIC).
C:\Users\Username>arp -a

Interface: 10.0.0.4 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              12-34-56-78-9a-bc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  188.8.131.52          01-00-5e-00-00-16     static
  184.108.40.206        01-00-5e-00-00-fb     static
  220.127.116.11        01-00-5e-00-00-fc     static
  18.104.22.168         01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
C:\Users\Username>arp /?

Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr] [-v]

  -a            Displays current ARP entries by interrogating the current
                protocol data.  If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed.  If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  -v            Displays current ARP entries in verbose mode.  All invalid
                entries and entries on the loop-back interface will be shown.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
                by if_addr.
  -d            Deletes the host specified by inet_addr. inet_addr may be
                wildcarded with * to delete all hosts.
  -s            Adds the host and associates the Internet address inet_addr
                with the Physical address eth_addr.  The Physical address is
                given as 6 hexadecimal bytes separated by hyphens. The entry
                is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the
                interface whose address translation table should be modified.
                If not present, the first applicable interface will be used.
Example:
  > arp -s 22.214.171.124 00-aa-00-62-c6-09  .... Adds a static entry.
  > arp -a                                    .... Displays the arp table.
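The ARP cache is also worth reading for more than connectivity: an IP whose MAC changes, or several hosts answering with one MAC, is how an ARP-spoofed gateway shows up. As an added example (not from the article), this Python code parses `arp -a` output and applies both checks; the cache text and the baseline gateway MAC are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output (not taken from the original article). The
# 10.0.0.x hosts are invented so that two dynamic entries share the gateway's MAC.
ARP_OUTPUT = """
Interface: 10.0.0.4 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              12-34-56-78-9a-bc     dynamic
  10.0.0.7              12-34-56-78-9a-bc     dynamic
  10.0.0.9              aa-bb-cc-dd-ee-01     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (interface_ip, ip, mac, type) tuples, one per cache entry."""
    entries, iface = [], None
    for line in text.splitlines():
        header = re.match(r"^\s*Interface:\s+(\S+)", line)
        if header:
            iface = header.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def is_unicast_mac(mac):
    """Broadcast (ff-...) and multicast (01-00-5e-...) MACs have the low bit of the
    first octet set; those entries legitimately repeat and are ignored."""
    return int(mac[:2], 16) & 1 == 0


def shared_mac_findings(entries):
    """Dynamic unicast IPs that resolve to the same MAC. A router doing proxy ARP
    produces this legitimately, but so does a spoofed gateway, so each hit should be
    confirmed against the switch's MAC table before it is dismissed."""
    by_mac = defaultdict(list)
    for _, ip, mac, typ in entries:
        if typ == "dynamic" and is_unicast_mac(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(entries, gateway_ip, baseline_mac):
    """True if the cached MAC for the default gateway differs from a recorded baseline."""
    for _, ip, mac, _ in entries:
        if ip == gateway_ip:
            return mac != baseline_mac.lower()
    return False  # gateway not cached yet: nothing to compare against


if __name__ == "__main__":
    cache = parse_arp(ARP_OUTPUT)
    for mac, ips in shared_mac_findings(cache).items():
        print(f"{mac} is claimed by {len(ips)} hosts: {', '.join(ips)}")
    if gateway_changed(cache, "10.0.0.1", "12-34-56-78-9a-bc"):
        print("gateway MAC differs from baseline")
```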
Ipconfig is probably the most famous of all networking utilities for Windows. In other words, it’s practically impossible to be in the IT world and be clueless about the ipconfig command. Basically, this command is mostly used to display or update the current IP configuration of the Windows machine.
Practical ipconfig options to remember
- /all: Displays the full TCP/IP configuration for all adapters.
- /release: Releases the current DHCP IP address for all network adapters.
- /renew: Renews the TCP/IP configuration by requesting an IP address from the DHCP server.
- /displaydns: Displays the current DNS resolver cache.
- /flushdns: Flushes the current DNS resolver cache.
C:\Users\Username>ipconfig /?

USAGE:
    ipconfig [/allcompartments] [/? | /all |
                                 /renew [adapter] | /release [adapter] |
                                 /renew6 [adapter] | /release6 [adapter] |
                                 /flushdns | /displaydns | /registerdns |
                                 /showclassid adapter |
                                 /setclassid adapter [classid] |
                                 /showclassid6 adapter |
                                 /setclassid6 adapter [classid] ]

where
    adapter             Connection name
                       (wildcard characters * and ? allowed, see examples)

    Options:
       /?               Display this help message
       /all             Display full configuration information.
       /release         Release the IPv4 address for the specified adapter.
       /release6        Release the IPv6 address for the specified adapter.
       /renew           Renew the IPv4 address for the specified adapter.
       /renew6          Renew the IPv6 address for the specified adapter.
       /flushdns        Purges the DNS Resolver cache.
       /registerdns     Refreshes all DHCP leases and re-registers DNS names
       /displaydns      Display the contents of the DNS Resolver Cache.
       /showclassid     Displays all the dhcp class IDs allowed for adapter.
       /setclassid      Modifies the dhcp class id.
       /showclassid6    Displays all the IPv6 DHCP class IDs allowed for adapter.
       /setclassid6     Modifies the IPv6 DHCP class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                       ... Show information
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew any connection that has its
                                         name starting with EL
    > ipconfig /release *Con*        ... release all matching connections,
                                         eg. "Wired Ethernet Connection 1" or
                                             "Wired Ethernet Connection 2"
    > ipconfig /allcompartments      ... Show information about all
                                         compartments
    > ipconfig /allcompartments /all ... Show detailed information about all
                                         compartments
This famous command is useful to verify TCP/IP connectivity to a computer. The ping command sends an ICMP echo request to a remote computer, waits for the echo reply, and calculates the time the round trip took.
Moreover, the Internet Control Message Protocol (ICMP) is a layer-3 protocol used to diagnose IP connectivity issues. Therefore, it does not rely on any transport layer protocol like TCP or UDP. That makes it a very lightweight protocol.
Practical ping options to remember
- <target>: Sends 4 echo request messages to the specified target.
- -n <count> <target>: Sends the specified number of echo request messages.
- -t <target>: Pings forever until you stop it manually (CTRL + C).
C:\Users\Username>ping google.com

Pinging google.com [126.96.36.199] with 32 bytes of data:
Reply from 188.8.131.52: bytes=32 time=6ms TTL=111
Reply from 184.108.40.206: bytes=32 time=5ms TTL=111
Reply from 220.127.116.11: bytes=32 time=5ms TTL=111
Reply from 18.104.22.168: bytes=32 time=5ms TTL=111

Ping statistics for 22.214.171.124:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 6ms, Average = 5ms
C:\Users\Username>ping /?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] [-R] [-S srcaddr] [-c compartment] [-p]
            [-4] [-6] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet (IPv4-only).
    -i TTL         Time To Live.
    -v TOS         Type Of Service (IPv4-only. This setting has been deprecated
                   and has no effect on the type of service field in the IP
                   Header).
    -r count       Record route for count hops (IPv4-only).
    -s count       Timestamp for count hops (IPv4-only).
    -j host-list   Loose source route along host-list (IPv4-only).
    -k host-list   Strict source route along host-list (IPv4-only).
    -w timeout     Timeout in milliseconds to wait for each reply.
    -R             Use routing header to test reverse route also (IPv6-only).
                   Per RFC 5095 the use of this routing header has been
                   deprecated. Some systems may drop echo requests if
                   this header is used.
    -S srcaddr     Source address to use.
    -c compartment Routing compartment identifier.
    -p             Ping a Hyper-V Network Virtualization provider address.
    -4             Force using IPv4.
    -6             Force using IPv6.
Be aware that many devices on the internet are configured to ignore ping requests or to rate-limit the ICMP responses they send. Therefore, if the ping command times out, it does not necessarily mean that there is no connectivity between the two machines. It really depends on the context of the test you are doing and on the configuration of the target machine.
The pathping command is a more advanced ping that sends multiple echo requests to each router between the source and the destination. It is therefore a convenient command to check the latency in the network and determine whether there is packet loss. In addition, this command computes statistics over a specified timeframe and outputs the result in a tabular format.
Practical pathping options to remember
- <target>: Sends echo requests to the network hops between the source and the destination. The maximum number of hops is 30 by default.
- -h <count> <target>: Regular pathping command with a specified maximum number of hops.
- -n <target>: Displays only the IP addresses of the routers. Basically, there is no name resolution that will take place to display the names of the routers.
In the following example, you can see that the routers between the source and the destination are not responding to echo requests. This explains the asterisks (*) in the result.
C:\Users\Username>pathping -n google.com

Tracing route to google.com [126.96.36.199]
over a maximum of 30 hops:
  0  10.0.0.4
  1     *        *        *

Computing statistics for 0 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           10.0.0.4

Trace complete.
C:\Users\Username>pathping /?

Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n]
                [-p period] [-q num_queries] [-w timeout]
                [-4] [-6] target_name

Options:
    -g host-list     Loose source route along host-list.
    -h maximum_hops  Maximum number of hops to search for target.
    -i address       Use the specified source address.
    -n               Do not resolve addresses to hostnames.
    -p period        Wait period milliseconds between pings.
    -q num_queries   Number of queries per hop.
    -w timeout       Wait timeout milliseconds for each reply.
    -4               Force using IPv4.
    -6               Force using IPv6.
Tracert is a network diagnostic command-line utility that displays the route hops between the source and the destination.
This command uses ICMP echo requests as well, like ping and pathping. However, tracert leverages the time to live (TTL) field of the packet, which is decremented by each router on the way to the destination. When the TTL value reaches 0, the router is supposed to return a Time Exceeded message, which tracert analyzes before moving on to the next router.
Practical tracert options to remember
- <target>: This is the regular tracert command where the maximum number of hops is 30.
- -h <count> <target>: This is the same tracert command with a specified maximum number of hops.
- -d <target>: Displays only the IP addresses of the routers. That means no name resolution takes place to display the names of the routers.
NB: Some routers will be displayed as asterisks (*) in the tracert result because they are configured to ignore ICMP echo requests with an expired TTL value for security reasons.
As in the pathping example, we observe the same thing here: the routers between the source and the destination are not replying to echo requests.
C:\Users\Username>tracert -d google.com

Tracing route to google.com [188.8.131.52]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     5 ms     5 ms     5 ms  184.108.40.206

Trace complete.
C:\Users\Username>tracert /?

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout]
               [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.
    -R                 Trace round-trip path (IPv6-only).
    -S srcaddr         Source address to use (IPv6-only).
    -4                 Force using IPv4.
    -6                 Force using IPv6.
Netstat is a very useful command that displays information about:
- Active TCP connections
- All TCP and UDP ports on which the computer is listening
- IPv4 statistics
- IPv6 statistics
Practical netstat options to remember
- -a: Displays all active TCP connections and the ports that are in listen mode (i.e., for both TCP and UDP).
- -n: Like netstat -a, except that the IP addresses and ports are displayed in numerical form instead of being resolved to names.
- -o: Outputs all active TCP connections including the process ID that is using the connection.
- -s: Displays IP statistics by protocol.
C:\Users\Username>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -q            Displays all connections, listening ports, and bound
                nonlistening TCP ports. Bound nonlistening ports may or may not
                be associated with an active connection.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  -x            Displays NetworkDirect connections, listeners, and shared
                endpoints.
  -y            Displays the TCP connection template for all connections.
                Cannot be combined with the other options.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
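Combining -a, -n and -o (netstat -ano) is the form worth scripting: it tells you which process owns each listener and whether that listener is bound to every interface. As an added example (not from the article), this Python code parses constructed `netstat -ano` output and reports the listeners a remote host could reach, grouped by PID.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not from the original article).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       6120
  TCP    10.0.0.4:50412         203.0.113.10:443       ESTABLISHED     4488
  TCP    [::]:135               [::]:0                 LISTENING       952
  UDP    0.0.0.0:5353           *:*                                    3316
  UDP    127.0.0.1:1900         *:*                                    3316
"""

# Local addresses that mean "every interface", for IPv4 and IPv6.
WILDCARD_HOSTS = {"0.0.0.0", "::"}


def split_endpoint(endpoint):
    """'10.0.0.4:50412' -> ('10.0.0.4', 50412); '[::]:135' -> ('::', 135)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return one dict per socket line. UDP lines have no State column, so the PID
    is the fourth field for UDP and the fifth for TCP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, port = split_endpoint(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def exposed_listeners(rows):
    """Listening sockets bound to every interface, grouped by owning PID. These are
    the ports a remote host can reach if the firewall allows them, so each should be
    traceable to a known service (tasklist /fi "PID eq <pid>" gives the image name)."""
    by_pid = defaultdict(set)
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and r["host"] in WILDCARD_HOSTS:
            by_pid[r["pid"]].add(f'{r["proto"]}/{r["port"]}')
    return {pid: sorted(ports) for pid, ports in by_pid.items()}


def established_peers(rows):
    """Remote endpoints of established TCP connections, for correlation with proxy
    or flow logs."""
    return sorted({r["foreign"] for r in rows if r["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    sockets = parse_netstat(NETSTAT_OUTPUT)
    for pid, ports in exposed_listeners(sockets).items():
        print(f"PID {pid} listens on all interfaces: {', '.join(ports)}")
    print("established peers:", established_peers(sockets))
```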
Nslookup is a command-line tool that is useful when troubleshooting DNS issues. It offers a non-interactive mode for simple DNS lookups and an interactive mode for more complex queries.
Practical nslookup options to remember
- <target>: Performs a DNS lookup for the specified target in order to get the IP addresses (A records) of this domain name. If the specified target is an IP address, it returns the name of the computer corresponding to that IP address.
- Enter: Pressing the Enter key after typing nslookup alone starts the interactive mode of the tool, which offers more options.
- server <name>: Changes the DNS server that will be used to perform the lookup.
- set type=<record_type>: Specifies the DNS record type to query during the lookup. The default record type is A, which corresponds to the IP address information. For example, you can use “set type=MX” to retrieve the mail exchanger information.
C:\Users\Username>nslookup google.com
Server:  UnKnown
Address:  220.127.116.11

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4004:801::200e
          18.104.22.168
C:\Users\Username>nslookup
Default Server:  UnKnown
Address:  22.214.171.124

> set type=MX
> outlook.com
Server:  UnKnown
Address:  126.96.36.199

Non-authoritative answer:
outlook.com     MX preference = 5, mail exchanger = outlook-com.olc.protection.outlook.com

outlook-com.olc.protection.outlook.com  internet address = 188.8.131.52
outlook-com.olc.protection.outlook.com  internet address = 184.108.40.206
(root)  ??? unknown type 41 ???
>
The route command is used to view or update the contents of the device's IP routing table. Before modifying the routing table, you really need to make sure that you understand the layer-3 configuration of the network. For this reason, this command is used more often by network or IT admins than by application developers.
Practical route options to remember
- print: Displays the content of the IP routing table.
- add: Adds an entry in the routing table.
- delete: Deletes an entry in the routing table.
Netsh, also known as the network shell command, is a powerful utility used to display or modify the network configuration of a Windows computer (locally or remotely).
Basically, with this command-line tool, you can edit the LAN/WLAN configuration, Windows firewall, and routing settings.
Practical netsh options to remember
- interface ip show config: Displays the configuration of all network interfaces on the computer.
- interface ip show tcpconnections: Displays all active TCP connections.
- interface ip show udpconnections: Displays all ports on which an application is listening for UDP datagrams.
- advfirewall show currentprofile: Displays the properties of the active firewall profile.
C:\Users\Username>netsh advfirewall show currentprofile

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.
C:\Users\Username>netsh /?

Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
             [Command | -f ScriptFile]

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a list of entries.
advfirewall    - Changes to the `netsh advfirewall' context.
branchcache    - Changes to the `netsh branchcache' context.
bridge         - Changes to the `netsh bridge' context.
delete         - Deletes a configuration entry from a list of entries.
dhcpclient     - Changes to the `netsh dhcpclient' context.
dnsclient      - Changes to the `netsh dnsclient' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
firewall       - Changes to the `netsh firewall' context.
help           - Displays a list of commands.
http           - Changes to the `netsh http' context.
interface      - Changes to the `netsh interface' context.
ipsec          - Changes to the `netsh ipsec' context.
ipsecdosprotection - Changes to the `netsh ipsecdosprotection' context.
lan            - Changes to the `netsh lan' context.
namespace      - Changes to the `netsh namespace' context.
netio          - Changes to the `netsh netio' context.
ras            - Changes to the `netsh ras' context.
rpc            - Changes to the `netsh rpc' context.
set            - Updates configuration settings.
show           - Displays information.
trace          - Changes to the `netsh trace' context.
wfp            - Changes to the `netsh wfp' context.
winhttp        - Changes to the `netsh winhttp' context.
winsock        - Changes to the `netsh winsock' context.

The following sub-contexts are available:
 advfirewall branchcache bridge dhcpclient dnsclient firewall http interface ipsec ipsecdosprotection lan namespace netio ras rpc trace wfp winhttp winsock

To view help for a command, type the command, followed by a space, and then
 type ?.
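The currentprofile output above is easy to turn into an automated check: in that profile inbound traffic is blocked, but dropped connections are not being logged, which is the first thing you want when investigating why a connection fails or who knocked on a port. As an added example (not from the article), this Python code parses that output and compares it against an assumed baseline; the baseline values are this example's, not a Microsoft default.

```python
import re

# The `netsh advfirewall show currentprofile` output from the article, embedded as
# sample input (the FileName path is reproduced as the command prints it).
PROFILE_OUTPUT = r"""
Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Ok.
"""

# Assumed baseline for a host that must stay investigable (this example's choice, not a
# default): firewall on, inbound blocked by default, dropped connections logged.
BASELINE = {
    "State": "ON",
    "Firewall Policy": "BlockInbound,AllowOutbound",
    "LogDroppedConnections": "Enable",
}


def parse_profile(text):
    """Return (profile_name, {setting: value}). netsh separates a setting name from
    its value with a run of spaces, and some names ('Firewall Policy') contain one,
    so the split is on two or more spaces only."""
    profile, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Profile Settings:"):
            profile = line[: -len(" Settings:")]
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1]
    return profile, settings


def check_profile(settings, baseline=BASELINE):
    """List (setting, actual, expected) for every baseline item the profile misses."""
    return [(name, settings.get(name, "<missing>"), expected)
            for name, expected in baseline.items() if settings.get(name) != expected]


if __name__ == "__main__":
    profile, settings = parse_profile(PROFILE_OUTPUT)
    print(f"{profile}: {len(settings)} settings parsed")
    for name, actual, expected in check_profile(settings):
        print(f"  {name}: is {actual}, baseline wants {expected}")
```

On the machine itself the deviation reported here is fixed with `netsh advfirewall set currentprofile logging droppedconnections enable`, after which the FileName shown in the profile receives the dropped-connection records.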
10. PSPING from Sysinternals
PsPing lets you do either an ICMP ping or a TCP ping. It also provides the ability to measure network latency and bandwidth. This tool is very useful for performing TCP pings when the target machine is configured to ignore ICMP pings.
In the following example, we are doing a TCP ping on the RDP port of a temporary VM (i.e., this VM does not exist anymore 😁).
C:\Users\Username\Downloads\PSTools>PsPing snakevm2.westus2.cloudapp.azure.com:3389

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 220.127.116.11:3389:
5 iterations (warmup 1) ping test:
Connecting to 18.104.22.168:3389 (warmup): from 10.0.0.4:50407: 63.22ms
Connecting to 22.214.171.124:3389: from 10.0.0.4:50408: 69.20ms
Connecting to 126.96.36.199:3389: from 10.0.0.4:50409: 68.44ms
Connecting to 188.8.131.52:3389: from 10.0.0.4:50411: 66.71ms
Connecting to 184.108.40.206:3389: from 10.0.0.4:50412: 67.23ms

TCP connect statistics for 220.127.116.11:3389:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 66.71ms, Maximum = 69.20ms, Average = 67.90ms
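A TCP ping is nothing more than a timed TCP handshake, which is why it still works when ICMP is filtered. As an added example (not part of the article and not Sysinternals' code), this Python code reproduces the measurement, including PsPing's discarded warmup attempt, against a constructed local listener that stands in for the RDP port so it runs offline.

```python
import socket
import threading
import time


def tcp_ping(host, port, count=4, warmup=1, timeout=2.0):
    """Time a full TCP handshake to host:port. As with PsPing, the first `warmup`
    attempts are discarded. Returns (rtts_ms, lost). A refused or timed-out connect
    counts as lost; a completed handshake counts as reachable even though no data is
    ever sent, so a filtered port and a dead host look the same (both lost)."""
    rtts, lost = [], 0
    for i in range(warmup + count):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                elapsed = (time.perf_counter() - start) * 1000.0
        except OSError:
            elapsed = None
        if i < warmup:
            continue
        if elapsed is None:
            lost += 1
        else:
            rtts.append(elapsed)
    return rtts, lost


def summarize(rtts, lost):
    """PsPing-style statistics; min/max/avg are None when nothing came back."""
    sent = len(rtts) + lost
    stats = {"sent": sent, "received": len(rtts), "lost": lost,
             "loss_pct": (100.0 * lost / sent) if sent else 0.0}
    if rtts:
        stats.update(min=min(rtts), max=max(rtts), avg=sum(rtts) / len(rtts))
    else:
        stats.update(min=None, max=None, avg=None)
    return stats


class LocalListener:
    """Constructed stand-in for the remote RDP port: accepts and immediately closes
    connections on an ephemeral 127.0.0.1 port. stop() shuts it down deterministically
    so a follow-up ping shows what a closed port looks like."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        self.sock.settimeout(0.2)  # lets the accept loop notice the stop flag
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
                conn.close()
            except socket.timeout:
                continue
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


if __name__ == "__main__":
    listener = LocalListener()
    rtts, lost = tcp_ping("127.0.0.1", listener.port)
    print(summarize(rtts, lost))
    listener.stop()
    print(summarize(*tcp_ping("127.0.0.1", listener.port, count=2, warmup=0)))
```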
Other networking utilities for Windows (Beyond command-line)
If you are someone who prefers working with a user interface, here are some interesting networking utilities for Windows that you can use to troubleshoot network issues.
TcpView tool from Sysinternals
TcpView is another interesting tool provided by the Windows Sysinternals suite. However, this one is not a command-line utility. TcpView is a Windows program that lists all TCP and UDP ports opened on your system. It displays a subset of the information available through netsh or netstat. It’s an alternative for people who prefer viewing information in a UI.
Wireshark is a free network protocol analyzer that you can use to troubleshoot network issues or analyze communication protocols. It offers a GUI that conveniently displays the information captured. This is the ultimate tool to use to see and analyze network packets in detail.
Zenmap is the official GUI for the famous open-source network exploration tool Nmap. Nmap is a popular tool that many IT security specialists use to conduct port scanning and penetration tests in the network. It’s a multi-platform command-line tool that is included in the Kali Linux toolbox. In a nutshell, Zenmap is just the GUI for Nmap, for people who prefer working with a user interface.
With all these networking utilities for Windows, you will be as equipped as a system administrator to get the job done like a pro. I recommend practicing with these tools in order to get familiar with them. This way, you will be ready to select the appropriate tool to investigate and troubleshoot issues depending on the scenario that you are facing.