
Network Diagnostic Tools

In my last post, I had covered the topic of troubleshooting and a little on the importance of troubleshooting, and we discussed built-in tools used to troubleshoot problems in Windows Systems. In this post, we are going to give some attention to the networking side of things. Networking plays a significant role in the world of IT, and it’s also essential for IT professionals to be well versed in the field of networking and to have a basic solid understanding of network troubleshooting; with the first rule of network troubleshooting being “Packets don’t lie.”

IT pros ought to be knowledgeable about several tools used to diagnose and troubleshoot various network issues. Although the use of specific tools can be subjective and at the engineer’s discretion, this post will discuss some of the well-known tools available that can be found in almost every operating system. These tools are available and accessed via the command line; we will discuss how to use them to diagnose common issues effectively. This post will use the Windows OS, but most of these tools can also be executed on different operating systems, though with slight differences. The tools we will be covering in this post are:

  • Ping
  • Traceroute
  • Ipconfig
  • Netstat
  • Nslookup
  • Route
  • ARP
  • Nmap

PING

The ping utility is one of the most widely used tools in networking; it helps diagnose issues like network connectivity and host reachability. The ping utility can be used to verify if your NIC (Network Interface Card) is working correctly and to test for DNS (Domain Name Service) issues. Using this tool can help determine whether a device is reachable from another device and help identify latency and packet loss between the two devices. It can be used locally on your internal network and externally to test connectivity across the internet.

When you ping a host (any network device, e.g., a router or a server, whether it is on your LAN or across the internet), the utility by default sends four ICMP (Internet Control Message Protocol) echo request packets to the IP address of the host specified. If the host receives these packets, it sends ICMP echo reply packets back to us. These replies tell us what is happening with the host we pinged, including how long each reply takes to arrive. The output usually ends with a statistical breakdown of this information: the minimum, maximum, and mean ICMP response time.

To use the ping utility, open the command prompt and type the command ping followed by the IP address or DNS name of interest.

We tested connectivity between our system and the ubiquitous google.com in the following ping test. We received replies from google.com with 0% loss telling us that our system can successfully reach and communicate with google.com. With the round-trip times measured in milliseconds, the minimum response time was 11 milliseconds, and the maximum response time was 17 milliseconds.

Of course, there are times when this might not be the case. You may get responses such as:

  • Request timed out – The server/host may be powered down, or it may be up and running but behind a firewall that blocks all ping requests.
  • Replies with packet loss (not all packets make it back) – In this scenario, you may get only two responses back. There can be several reasons for this, such as network congestion or faulty hardware (a bad modem, NIC, or cable).
  • Destination host unreachable – This can happen when the ping request cannot find the host, when no route to the destination can be found, when the remote server is down or disconnected from the network, or simply when your own computer is not connected to the internet.

Users can also test whether their network adapter is functioning correctly by pinging their own computer in a loopback test: type ping 127.0.0.1. This sends the packets straight back to your own computer. If it fails, there is a problem with your NIC.

To get a full list of additional ping subcommands (aka switches, arguments, or options), type ping or ping /? at the command prompt; the list differs between operating systems. Here is a breakdown of the most useful ones:
  • -a gives you the DNS reverse lookup of the IP address you are attempting to reach
  • -t enables continuous ping, so the ping continues until canceled instead of stopping after the standard four attempts
  • -l x increases the size of the pings in bytes, where x is the desired size
  • -6 resolves a DNS name to its IPv6 address and pings that

It is important to remember that some devices are set not to respond to ping for security purposes, so when conducting ping tests, make sure that the device you are trying to reach is configured to respond to ping requests. For instance, Windows Firewall is sometimes configured to block ping requests and responses.

If you ever want to test if you can access the internet or verify if your server/another host on the network is up and running, the ping utility is your number one go-to.
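When ping is run from a script rather than by hand, the interesting part is turning its text into the verdicts listed above (reachable, partial loss, timed out, unreachable). The following is an added example, not code from the original post: a small Python parser for the Windows ping output format. The captured output and the addresses in it are constructed for the example; the target and RTT values are invented.

```python
"""Parse the output of the Windows ping command and classify the outcome."""
import re
from dataclasses import dataclass, field

# Constructed sample of "ping google.com" on Windows: the replies, the one
# timeout and the statistics lines are invented for this example.
SAMPLE_PING_OUTPUT = """
Pinging google.com [142.251.41.46] with 32 bytes of data:
Reply from 142.251.41.46: bytes=32 time=11ms TTL=117
Reply from 142.251.41.46: bytes=32 time=17ms TTL=117
Request timed out.
Reply from 142.251.41.46: bytes=32 time=12ms TTL=117

Ping statistics for 142.251.41.46:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 17ms, Average = 13ms
"""

# Windows prints "time=11ms" for normal replies and "time<1ms" below 1 ms.
REPLY_RE = re.compile(r"Reply from (?P<ip>[\d.]+): bytes=\d+ time[=<](?P<rtt>\d+)ms")


@dataclass
class PingResult:
    target: str = ""
    sent: int = 0
    rtts: list = field(default_factory=list)   # one entry per reply, in ms
    timeouts: int = 0
    unreachable: int = 0

    def loss_pct(self) -> float:
        if self.sent == 0:
            return 0.0
        return 100.0 * (self.sent - len(self.rtts)) / self.sent

    def stats(self):
        """(min, max, avg) in ms; the average is truncated like Windows ping does."""
        if not self.rtts:
            return None
        return min(self.rtts), max(self.rtts), sum(self.rtts) // len(self.rtts)

    def verdict(self) -> str:
        """Map the reply pattern onto the troubleshooting cases described above."""
        if self.sent == 0:
            return "no probes parsed"
        if not self.rtts and self.unreachable:
            return "destination unreachable: no route, host down or not on the network"
        if not self.rtts:
            return "all requests timed out: host down or ICMP filtered"
        if self.loss_pct() > 0:
            return "partial loss: congestion or faulty hardware along the path"
        return "reachable"


def parse_windows_ping(text: str) -> PingResult:
    result = PingResult()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Pinging "):
            result.target = line.split()[1]
        elif "Destination host unreachable" in line:   # "Reply from <gw>: Destination host unreachable."
            result.sent += 1
            result.unreachable += 1
        elif line.startswith("Request timed out"):
            result.sent += 1
            result.timeouts += 1
        else:
            m = REPLY_RE.match(line)
            if m:
                result.sent += 1
                result.rtts.append(int(m["rtt"]))
    return result


if __name__ == "__main__":
    r = parse_windows_ping(SAMPLE_PING_OUTPUT)
    print(r.target, r.verdict(), f"{r.loss_pct():.0f}% loss", r.stats())
```

The probes are counted from the per-packet lines rather than from the statistics block, so the parser also works on a ping -t session that was interrupted before the summary was printed.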

TRACEROUTE

This is another well-known tool that comes in very handy when you have tried to ping a device but cannot get a response. The traceroute utility is used to determine more specific information about the path to the destination host, which includes the route and hops a packet takes to reach the host. It helps to find bottlenecks such as why and where a connection is lagging.
A route towards a destination is made up of hops. Each hop is a device, usually a router, capable of routing and forwarding packets. Traceroute sends three ICMP packets per hop, and these packets ping each router on the way to the destination. Each router sends packets back to our computer with information about itself, such as its IP address and the RTT (round-trip time) to it.

To use the traceroute utility, open a command prompt and type the command tracert followed by the IP address or DNS name that you wish to trace to.

We can see that it takes ten hops to reach my destination (Google’s server: 142.251.41.46).
Each hop adds delay in ms (milliseconds), especially hops that span longer geographical distances.

The first column shows the hop number along the route to the destination; the next three columns show the RTT of each of the three packets to that point and back to the computer.
The last column shows each router’s IP address and domain name (if available) and, on the final line, the destination itself.
In some cases, you may find asterisks in the RTT columns. This could indicate a problem with that particular router, but most likely it simply was not configured to return traceroute replies; the router still passed the packets on to the next hop.
Our TTL (Time To Live) is 30. TTL is a value given to the packets that limits how long they can live before being discarded: if the packets do not reach their destination within 30 hops, they are dropped. This prevents a packet from traveling endlessly around the internet trying to reach its destination.

In Windows machines, to use the traceroute utility, we input the command tracert; this is different from other operating systems, e.g., the command is traceroute for Linux/*nix based machines.

A full list of additional options is available if you type tracert from a command prompt. The most useful ones are detailed here:
  • -d does not resolve the DNS names of the IP addresses at each hop
  • -h x specifies the maximum number of hops to search for a target, where x is the number of hops

The traceroute utility helps show routes taken by data if something goes wrong while trying to send data to a remote server or host in your local network. This tool can help show you where the break in the path is happening.
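The distinction made above matters when reading a trace: a hop that shows asterisks but is followed by answering hops merely does not reply, whereas a trace that goes silent and runs into the hop limit points at a real break after the last answering hop. As an added example (not part of the original post), here is a Python parser for tracert output that makes that call automatically. Both traces, the hostnames and the hop addresses are constructed for the example; the second trace assumes it was run with -h 4.

```python
"""Parse Windows tracert output and locate where a path stops answering."""
import re
from dataclasses import dataclass

# Constructed sample: hop 3 is a router that forwards but never answers,
# and the destination is reached at hop 4.
SAMPLE_TRACERT = """
Tracing route to google.com [142.251.41.46]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.2.1
  2    12 ms    11 ms    13 ms  192.0.2.10
  3     *        *        *     Request timed out.
  4    15 ms    14 ms    16 ms  142.251.41.46

Trace complete.
"""

# Constructed sample of a broken path: nothing beyond hop 2 answers and the
# trace runs into the "-h 4" hop limit without reaching the destination.
SAMPLE_TRACERT_BROKEN = """
Tracing route to 198.51.100.7
over a maximum of 4 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.2.1
  2    12 ms    11 ms    13 ms  192.0.2.10
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
PROBE_RE = re.compile(r"<?\d+ ms|\*")
TARGET_RE = re.compile(r"Tracing route to (\S+)(?: \[([\d.]+)\])?")
MAX_RE = re.compile(r"over a maximum of (\d+) hops")


@dataclass
class Hop:
    number: int
    rtts: list    # int ms per probe ("<1 ms" counts as 1), None when the probe got no reply
    host: str     # IP or "name [ip]" text; "Request timed out." if the hop is silent

    @property
    def silent(self) -> bool:
        return all(r is None for r in self.rtts)


@dataclass
class Trace:
    target: str
    target_ip: str
    max_hops: int
    hops: list


def parse_tracert(text: str) -> Trace:
    target, target_ip, max_hops, hops = "", "", 30, []
    for line in text.splitlines():
        if m := TARGET_RE.search(line):
            target, target_ip = m.group(1), m.group(2) or m.group(1)
        elif m := MAX_RE.search(line):
            max_hops = int(m.group(1))
        elif m := HOP_RE.match(line):
            probes = PROBE_RE.findall(m.group(2))
            rtts = [None if p == "*" else int(p.lstrip("<").split()[0]) for p in probes]
            hops.append(Hop(int(m.group(1)), rtts, m.group(3).strip()))
    return Trace(target, target_ip, max_hops, hops)


def silent_hops(trace: Trace) -> list:
    return [h.number for h in trace.hops if h.silent]


def diagnose(trace: Trace) -> str:
    """Tell a non-replying router apart from a real break in the path."""
    if not trace.hops:
        return "no hops parsed"
    last = trace.hops[-1]
    if not last.silent and trace.target_ip in last.host:
        return f"destination reached in {last.number} hops"
    answered = [h for h in trace.hops if not h.silent]
    if not answered:
        return "no hop answered: check the local gateway and NIC"
    if last.silent and last.number >= trace.max_hops:
        tail = answered[-1]
        return f"path breaks after hop {tail.number} ({tail.host}); hop limit {trace.max_hops} reached"
    return "trace incomplete"


if __name__ == "__main__":
    for sample in (SAMPLE_TRACERT, SAMPLE_TRACERT_BROKEN):
        t = parse_tracert(sample)
        print(t.target, "silent hops:", silent_hops(t), "->", diagnose(t))
```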

IPCONFIG

Gathering the necessary information about a system’s network configuration is one of the essential steps when troubleshooting network problems.
The ipconfig utility (short for IP configuration) is used on Windows. It is a command-line tool that displays the TCP/IP network configuration of the network adapters on a Windows computer, showing information such as the IP address, subnet mask, and default gateway.

To use the ipconfig utility, open a command prompt and type the command ipconfig

As we can see, ipconfig (when used without arguments) gives the basic network configuration of this computer, such as:

  • IPv4/IPv6 Address
  • Subnet Mask – defines which parts of the IP address refer to the network and which to the host.
  • Default Gateway – gives you access to, or directs you to, another network such as the internet. This is usually the IP address of your router.

To find out more about this command, type ipconfig -help or ipconfig /? in the command prompt. The most useful options are detailed here:
  • ipconfig /all displays the full TCP/IP configuration of the network adapters on your computer, e.g., MAC address, DNS servers, etc.
  • ipconfig /displaydns views the contents of the DNS resolver cache. To make web browsing faster, computers keep a history of the domain names you visited and the IP addresses they resolved to.
  • ipconfig /flushdns flushes/clears the DNS resolver cache on the computer. Clearing the cache helps you reach websites whose IP addresses have changed.
  • ipconfig /renew renews the IP information for a specific adapter. Use it when you suspect an IP address conflict.

This command can also be found in other operating systems. In Linux and macOS, the command is ifconfig (Interface Configuration) instead. Both display all current TCP/IP configurations for all currently connected networks. The ipconfig/ifconfig utilities are excellent tools in network troubleshooting.

NETSTAT

The Netstat utility is short for network statistics and is a command-line tool used to display current network connections and port activity on your computer. It displays very detailed information and statistics about the device you are using and how it is connected to the local and external network. It is a useful tool that shows what service may be running on your computer or server, and which ports are open. Netstat is available on various operating systems, but some option commands may differ.

To use this tool, open the command prompt and simply type the command netstat. Running netstat with no arguments gives you the active TCP/UDP connections: the local IPv4/IPv6 address and port number, the foreign IPv4/IPv6 address and port number, hostnames, and the current state of each connection (ESTABLISHED, TIME_WAIT, or CLOSE_WAIT).

Each connection is broken into four columns.

  • Proto – the protocol being used
  • Local Address – the local address of my computer, along with the port number being used for that particular connection
  • Foreign Address – the IP addresses of the websites our computer is connected to, along with the port numbers/names
  • State – the state of each connection

To find out more about this command, type netstat -? in the command prompt. The most useful options are detailed here:
  • -a displays all active connections and the TCP/UDP ports that are listening for a connection. Note that a local IP address of all zeros (0.0.0.0) is our own computer: that port is not listening on a specific IP address but on all available IP addresses on all network interfaces. Open port numbers on our computer are either listening for a connection or have already established one. TIME_WAIT indicates that our system has closed the connection; the entry is kept around so that any delayed packets can be matched to the connection and handled appropriately, and it is removed when it times out within four minutes.
  • -n shows the same output but with numbers only, not names
  • -b displays the executable involved in creating each connection or listening port
  • -f displays the fully qualified domain names of the addresses we are connected to

Netstat is a fantastic tool for troubleshooting because it lets you see what ports are open and listening on your device and the remote servers that are creating a connection to your computer with the ports they are using.
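The questions netstat answers (which ports listen on every interface, which remote hosts hold an established connection, how many entries are just TIME_WAIT residue) are the ones worth asking repeatedly, so here is an added example, not from the original post, that parses the output of netstat -ano into records and answers them. The -o switch adds the owning PID column, which the example assumes; the sample output, including all addresses, ports and PIDs, is constructed.

```python
"""Parse "netstat -ano" output from Windows into connection records."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of "netstat -ano"; addresses, ports and PIDs are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.2.15:49700        142.251.41.46:443      ESTABLISHED     5120
  TCP    10.0.2.15:49702        198.51.100.20:443      TIME_WAIT       0
  TCP    127.0.0.1:6379         0.0.0.0:0              LISTENING       3344
  TCP    [::]:3389              [::]:0                 LISTENING       1120
  UDP    0.0.0.0:123            *:*                                    1800
  UDP    10.0.2.15:137          *:*                                    4
"""

# Local addresses that mean "every address on every interface".
WILDCARDS = ("0.0.0.0", "[::]")


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str      # empty for UDP, which has no State column
    pid: int


def split_addr(addr: str):
    """'10.0.2.15:49700' -> ('10.0.2.15', 49700); '[::]:3389' -> ('[::]', 3389)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> list:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                         # headers and blank lines
        local_ip, local_port = split_addr(parts[1])
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])   # UDP rows: Proto, Local, Foreign, PID
        conns.append(Conn(parts[0], local_ip, local_port, parts[2], state, pid))
    return conns


def wildcard_listeners(conns) -> list:
    """(proto, port, pid) for sockets bound to all addresses, i.e. reachable on every interface."""
    return sorted((c.proto, c.local_port, c.pid) for c in conns
                  if c.local_ip in WILDCARDS and c.state in ("LISTENING", ""))


def established_peers(conns) -> list:
    """Remote address:port of every connection currently established."""
    return sorted(c.remote for c in conns if c.state == "ESTABLISHED")


def state_counts(conns) -> Counter:
    return Counter(c.state for c in conns if c.state)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening on all interfaces:", wildcard_listeners(conns))
    print("established to:", established_peers(conns))
    print("states:", dict(state_counts(conns)))
```

In the sample, port 6379 bound to 127.0.0.1 is deliberately left out of the wildcard list: it is reachable only from the machine itself, which is exactly the difference the all-zeros address discussed above makes.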

NSLOOKUP

This tool involves DNS. Whenever we use the internet, we are indirectly using DNS: when we type the domain name of our favorite website into our browser, DNS converts the name into a machine-readable IP address so that our packets can be forwarded correctly. Let’s say we want to visit google.com.

The computer checks its DNS cache (we mentioned this earlier), which is a memory of recent DNS lookups. If it does not find the name on the cache, it will send the request (aka DNS query) to the DNS Server. The DNS server then sends back a DNS response with the resolved IP address. Enterprise networks usually use a local DNS server to convert their internal server IPs to names. The nslookup utility helps lookup information from DNS servers; it queries a DNS server about the domain name you’re interested in. It also helps perform a reverse lookup, where we have to look up the domain name of an IP address. The primary use of nslookup is for troubleshooting DNS-related problems.

To use this tool, open the command prompt and simply type the command nslookup followed by the domain name or IP address you wish to resolve. nslookup consults the configured DNS server directly.

In the example above, we sent an nslookup query to the DNS server for the name linkedin.com. By default, nslookup uses the DNS server currently configured for your system. You can switch DNS servers with the server option followed by a server name or IP address. We can see that the server returned two IPs that LinkedIn is currently using for that domain name.

Some of the most common network troubleshooting issues revolve around (DNS) addressing resolution issues. The command nslookup (Name Server Look Up) is a way to determine if the configured DNS Server is resolving names. If it can’t translate a name, there is likely a DNS issue.

ROUTE

Route is a Windows command that displays and updates the network routing table. It shows all the routes configured on your machine, and it can also modify the local IP routing table by adding or deleting routes.

To use the route utility, open the command prompt, type route print, and press enter to view the routing table.

Note the interface number of each network interface listed at the top of the output.

  • Destination – the network destination of the route.
  • Netmask – the netmask (also known as a subnet mask) associated with the network destination; it divides an IP address into its network and host parts and so defines which hosts belong to the network.
  • Gateway – the forwarding or next-hop IP address through which the set of addresses defined by the network destination and netmask is reachable (for the 0.0.0.0 route, this is your default gateway).
  • Metric – an integer cost (ranging from 1 to 9999) used to choose the fastest, most reliable, and least expensive route when several routes match.

To find out more about this command, type route in the command prompt.

This tool comes in handy when you are troubleshooting a “No Internet” issue and want to quickly figure out whether the path your packets take actually goes through your Internet gateway, or whether all your traffic is being re-routed somewhere else without you knowing why.

While the use of the route utility is limited in common situations where the host only has a single IP address with a single gateway, it is important in other situations where multiple IP addresses and multiple gateways are available.
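Reading a routing table by eye means applying the selection rule yourself: the most specific matching destination wins, and among equally specific routes the lowest metric wins. The following added example (not code from the original post) parses the IPv4 table of route print and applies that rule, so you can ask "which gateway will 8.8.8.8 actually go through?" and list any default route that would win over the one you expect. The table excerpt is constructed; in particular the second 0.0.0.0 route via 10.0.2.99 with a lower metric is invented to show how such an entry silently takes over all Internet-bound traffic.

```python
"""Parse the IPv4 table from "route print" and resolve which route a packet takes."""
import ipaddress
from dataclasses import dataclass

# Constructed "route print" excerpt. The second default route (metric 10 via
# 10.0.2.99) is included to show how a lower-metric default route wins.
SAMPLE_ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.1        10.0.2.15     25
          0.0.0.0          0.0.0.0        10.0.2.99        10.0.2.15     10
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
===========================================================================
Persistent Routes:
  None
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # next-hop IP, or "On-link" for directly attached networks
    interface: str
    metric: int


def parse_route_print(text: str) -> list:
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        parts = line.split()
        if not active or len(parts) != 5 or not parts[4].isdigit():
            continue                                   # separators, column header
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        except ValueError:
            continue                                   # malformed row
        routes.append(Route(net, parts[2], parts[3], int(parts[4])))
    return routes


def lookup(routes, destination: str):
    """Longest-prefix match first, lowest metric second; None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def default_routes(routes) -> list:
    """All 0.0.0.0/0 routes, best (lowest metric) first."""
    return sorted((r for r in routes if r.network.prefixlen == 0), key=lambda r: r.metric)


def unexpected_default_routes(routes, expected_gateway: str) -> list:
    """Default routes pointing anywhere other than the gateway you expect."""
    return [r for r in default_routes(routes) if r.gateway != expected_gateway]


if __name__ == "__main__":
    routes = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dst in ("8.8.8.8", "10.0.2.3", "127.0.0.1"):
        r = lookup(routes, dst)
        print(dst, "->", r.gateway, "via", r.interface, "metric", r.metric)
    for r in unexpected_default_routes(routes, "10.0.2.1"):
        print("default route not via expected gateway:", r.gateway, "metric", r.metric)
```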

ARP

ARP ( Address Resolution Protocol) is a standard networking protocol that helps to link network addresses to physical addresses ( IP addresses to MAC addresses). It is an essential part of how computers in networks communicate. The arp utility displays the IP-to-Physical address translation table used by the address resolution protocol.

To use this utility, open the command prompt and run the arp -a command. A standard output looks something like this:

As we can see, this command displays the current ARP entries in the arp table.
The interface address at the top is the local IP address of the machine you are currently on. The rest of the table shows details of all the network addresses that have recently communicated with your machine. You can see the router the device is connected to at the top of the table, 10.0.2.1, with the router’s MAC address in the middle column. There is also another host with IP address 10.0.2.3 and its corresponding MAC address under the Physical Address column. FF-FF-FF-FF-FF-FF is the broadcast MAC address, accepted by all devices by default.

A full list of ARP options is available by simply typing arp at the command prompt. A summary of the most useful ones:
  • -a displays the ARP table for all network interfaces on the current machine
  • -n x displays the ARP table for a specified network interface, where x is the interface address
  • flush clears the dynamic entries from the current ARP table

ARP can be used as part of a troubleshooting process to see what other devices across the network are linked to the current device. It can be useful in identifying unknown devices that you think may be accessing your network maliciously, e.g., you can check your router’s arp table to verify the physical addresses of your devices connected to your network.
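The check suggested above becomes much more useful when you keep a copy of an earlier arp -a run and compare: an IP whose MAC address changed since last time, or a single MAC answering for several IPs, is worth a closer look (it may be a replaced router, a multihomed host, or a device that should not be there). Here is an added example, not code from the original post, that parses two arp -a snapshots and reports exactly those differences. Both snapshots and all MAC addresses in them are constructed.

```python
"""Parse "arp -a" output and compare two snapshots of the ARP table."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed snapshots of "arp -a"; the MAC addresses are invented.
ARP_BEFORE = """
Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.1              52-54-00-12-35-00     dynamic
  10.0.2.3              08-00-27-9a-1c-2e     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Same network a little later: the gateway's MAC has changed, and a new IP
# (10.0.2.7) shows up answering with the same MAC as 10.0.2.3.
ARP_AFTER = """
Interface: 10.0.2.15 --- 0xc
  Internet Address      Physical Address      Type
  10.0.2.1              08-00-27-9a-1c-2e     dynamic
  10.0.2.3              08-00-27-9a-1c-2e     dynamic
  10.0.2.7              08-00-27-9a-1c-2e     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str
    kind: str          # "dynamic" or "static"


def is_unicast(mac: str) -> bool:
    """Ignore the broadcast entry and IPv4 multicast (01-00-5e-...) entries."""
    return mac != "ff-ff-ff-ff-ff-ff" and not mac.startswith("01-00-5e")


def parse_arp(text: str) -> list:
    entries, iface = [], ""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Interface:":
            iface = parts[1]                          # "Interface: 10.0.2.15 --- 0xc"
        elif len(parts) == 3 and parts[2] in ("dynamic", "static"):
            entries.append(ArpEntry(iface, parts[0], parts[1].lower(), parts[2]))
    return entries


def shared_macs(entries) -> dict:
    """MAC -> sorted IPs, for MACs that answer for more than one unicast IP."""
    by_mac = defaultdict(set)
    for e in entries:
        if is_unicast(e.mac):
            by_mac[e.mac].add(e.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(before, after) -> list:
    """(ip, old_mac, new_mac) for IPs whose MAC differs between the two snapshots."""
    old = {(e.interface, e.ip): e.mac for e in before}
    return sorted((e.ip, old[(e.interface, e.ip)], e.mac) for e in after
                  if (e.interface, e.ip) in old and old[(e.interface, e.ip)] != e.mac)


def new_entries(before, after) -> list:
    """Unicast IPs present in the later snapshot only."""
    known = {(e.interface, e.ip) for e in before}
    return sorted(e.ip for e in after
                  if (e.interface, e.ip) not in known and is_unicast(e.mac))


if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    print("changed:", changed_entries(before, after))
    print("new:", new_entries(before, after))
    print("shared MACs:", shared_macs(after))
```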

NMAP

This is a popular tool used by more experienced IT/network professionals. Nmap is an open-source tool for network exploration and security auditing. It makes it possible to rapidly scan a single host or large network with thousands of hosts and find relevant information about them. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap can be used to:

  • Create a complete computer network map.
  • Find remote IP addresses of any hosts.
  • Get the OS system and software details.
  • Detect open ports on local and remote systems.
  • Audit server security standards.
  • Find vulnerabilities on remote and local hosts.

Nmap is a really handy tool to have in your arsenal. It is multi-platform, so it runs on various operating systems, including Windows, macOS, Linux, FreeBSD, etc. It’s already installed on most Linux/Unix-based distributions; for other operating systems, you’d have to download and install it. It is available for download at https://nmap.org/download.html. I switched to a Linux distro for this post to show how the tool works. For Linux/Unix-based distributions, you just have to execute the nmap command from any terminal, and that’s it.

The most famous type of scan is the Nmap ping scan (so called because it is often used to perform Nmap ping sweeps). It is used to find the devices connected to your network. We use the command sudo nmap -sn 10.0.2.0/24.

From the result, we have five active hosts on the network.

To identify the operating systems of hosts, we use the -O option.

From the result, we discovered that the operating system of the active host at IP address 10.0.2.5 is Microsoft Windows 10. You can also view the discovered open ports on this host.

To gather information, Nmap scans the ports on the network by sending raw packets. The tool waits and listens for responses and determines whether a port is open, closed, or filtered by a firewall. Nmap uses several techniques, such as ICMP requests, TCP connect() scans, TCP reverse scanning, FTP bounce, etc.

A full list of additional nmap options is available simply by typing nmap with no arguments on the command line. A compilation of the most useful ones:

  • -sP x pings all IP addresses in a subnet to see which ones are up and responding, where x is the subnet in CIDR format
  • -O determines what operating system the target host is running
  • -sL x does a DNS query and reverse lookup of all the IP addresses in a subnet, where x is the subnet in CIDR format
  • -Pn skips the ping scan and assumes the host is up, then checks approximately 2000 common TCP and UDP ports to see if they are open and responding; this is useful if a firewall is preventing ICMP replies
  • -v toggles verbose mode, which gives more detail on what nmap is actually doing as it scans
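The auditing uses listed above (complete network map, open ports, OS details) pay off when a scan of your own network is compared against what you expect to find. As an added example, not code from the original post or from the Nmap project, here is a Python parser for nmap's normal text output that collects live hosts, open ports and OS details and then checks them against a small inventory. The scan output is constructed: the version banner and timestamp are placeholders, and the MAC addresses, hostnames and OS line are invented to mirror the sweep and OS scan described above.

```python
"""Parse nmap's normal output and compare what was found against an inventory."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed nmap normal-format output: a -sn sweep of 10.0.2.0/24 followed by
# an -O scan of 10.0.2.5. Banner, timestamp, MACs and OS line are placeholders.
SAMPLE_NMAP = """
Starting Nmap [version] ( https://nmap.org ) at [timestamp]
Nmap scan report for 10.0.2.1
Host is up (0.00050s latency).
MAC Address: 52:54:00:12:35:00 (Unknown)
Nmap scan report for 10.0.2.2
Host is up (0.00070s latency).
MAC Address: 08:00:27:11:22:33 (Unknown)
Nmap scan report for 10.0.2.3
Host is up (0.0010s latency).
Nmap scan report for 10.0.2.5
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 08:00:27:AB:CD:EF (Unknown)
OS details: Microsoft Windows 10
Nmap scan report for 10.0.2.15
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.50 seconds
"""

# "Nmap scan report for 10.0.2.5" or "Nmap scan report for name (10.0.2.5)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([\d.]+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class Host:
    ip: str
    name: str = ""
    up: bool = False
    mac: str = ""
    os: str = ""
    open_ports: list = field(default_factory=list)   # (port, proto, service)


def parse_nmap(text: str) -> list:
    hosts, cur = [], None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            cur = Host(ip=m.group(2), name=m.group(1) or "")
            hosts.append(cur)
        elif cur is None:
            continue                                   # banner lines before the first host
        elif line.startswith("Host is up"):
            cur.up = True
        elif line.startswith("MAC Address:"):
            cur.mac = line.split()[2]
        elif line.startswith("OS details:"):
            cur.os = line[len("OS details:"):].strip()
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur.open_ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return hosts


def live_hosts(hosts) -> list:
    return sorted((h.ip for h in hosts if h.up), key=ipaddress.ip_address)


def audit(hosts, inventory: dict) -> dict:
    """inventory maps known IPs to the set of TCP/UDP ports expected to be open.
    Reports live hosts missing from the inventory and open ports beyond expectation."""
    unknown = [h.ip for h in hosts if h.up and h.ip not in inventory]
    extra = {}
    for h in hosts:
        if h.ip in inventory:
            unexpected = sorted(p for p, _proto, _svc in h.open_ports if p not in inventory[h.ip])
            if unexpected:
                extra[h.ip] = unexpected
    return {"unknown_hosts": sorted(unknown, key=ipaddress.ip_address), "unexpected_ports": extra}


# Constructed inventory: the gateway, two hosts with no expected services, and
# the scanning machine itself. 10.0.2.2 is deliberately absent.
INVENTORY = {"10.0.2.1": set(), "10.0.2.3": set(), "10.0.2.5": {135, 139, 445}, "10.0.2.15": set()}


if __name__ == "__main__":
    hosts = parse_nmap(SAMPLE_NMAP)
    print("live:", live_hosts(hosts))
    print("audit:", audit(hosts, INVENTORY))
```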

SUMMARY

Being proficient in using network troubleshooting tools is a necessity for every network administrator. These tools discussed here are favorites among experienced IT professionals and should give you a good starting point for diagnosing and troubleshooting basic network connectivity issues.
