This paper demonstrates the diagnostic utilities common to the TCP/IP protocol stack. It covers two distinct concepts: the first is an increased understanding of the TCP/IP protocol stack and how it works; the second is how to use common TCP/IP utilities to diagnose network failures and congestion. Among the TCP/IP suite of diagnostic utilities are ping, traceroute, route, netstat, nbtstat, and arp.




TCP/IP Utilities



Traceroute

     Traceroute (or tracert.exe) is used to trace the route packets travel through a TCP/IP network. Traceroute can be used to diagnose bottlenecks and broken network connections. Traceroute works by sending packets addressed to a destination host but designed to be dropped at each successive router until the host is finally reached. This allows the traceroute application to record each router that the packets cross.

     Each IP packet contains a field named TTL (Time To Live), which holds a value from 0 to 255. Each router (machine) receiving the packet looks at that value and subtracts 1 from it. This continues until the TTL field reaches 0 at some router. When the TTL field reaches 0, the router discards the packet. Such a mechanism is needed because otherwise a packet that cannot find its recipient could travel forever. When the router discards the packet, it sends back an ICMP (Internet Control Message Protocol) control message, Time Exceeded In Transit, to the host which sent the packet.

     When traceroute sends a packet (it usually sends 3 packets per hop), it first sets the TTL value to 1. So, when the packet reaches the first router, that router subtracts 1 from the TTL, which reaches 0; it discards the packet and sends back an ICMP message. Traceroute writes a timestamp value into the packet before sending it. When the receiving router sends back the ICMP message, it writes that timestamp into the message. When traceroute receives the ICMP message, it computes the difference between the timestamp that was sent (found in the ICMP message) and the time the ICMP packet was received. The result is called the round trip time (computed in milliseconds).

     Traceroute then sets the TTL value to 2 and sends another packet. The first router looks at the TTL value, subtracts 1 from it and forwards the packet (2-1=1). The second router now discards the packet (because 1-1=0) and sends back an ICMP message. Next, traceroute sets the TTL value to 3, and this cycle goes on until the packet reaches the recipient host (whose address is written into the packet). When the packet reaches the final host, its destination port number is 33434. The packet can't be delivered to that port, because no service listens on it. The destination host then sends back an ICMP message containing 'Port Unreachable'. Traceroute reads this and displays 'Trace complete'.

     In conclusion, traceroute sends out packets with the first packet's TTL starting at 1, knowing it will not reach its intended host (unless you are on a LAN). By intentionally having these packets dropped by each router on the network route, it receives an ICMP packet from each router, thus discovering its IP address and giving you the trace information. Traceroute increases the TTL as each ICMP 'Time Exceeded In Transit' is received; once it receives the ICMP packet 'Port Unreachable', it knows it has reached the host and the trace is complete.
Use traceroute or tracert.exe on a Windows machine to see the route or hops
your data takes to a host. Type:

	tracert www.yahoo.com

Notice that you are shown multiple domain names that your packets pass on
their way to the www machine on yahoo.com's network. These domain names are
actually routers on the internet which route your data to yahoo.com. You
can use the -d switch to instruct tracert not to resolve hostnames. Each
router has an IP address which, without the -d switch, tracert will
resolve to a hostname; this is time consuming and slows down the process.

	tracert -d www.yahoo.com


Packet Internet or Inter-Network Groper (PING)

     This utility verifies configurations and tests IP connectivity between two computers. Ping sends an ICMP echo request from the source computer, and the destination computer responds with an ICMP echo reply. More specifically, Ping sends ICMP ECHO_REQUEST packets to network hosts; a ping packet can be described as an "ECHO_REQUEST datagram". Since Ping is a TCP/IP utility, you can use it to verify that your system's TCP/IP stack is installed. Ping your own computer through its loopback address, 127.0.0.1. If all goes well, your system's TCP/IP stack is installed and functioning correctly.
Use Ping to test your TCP/IP stack is installed and functioning correctly
by pinging your own computer. Type:

	ping 127.0.0.1

Use Ping to test your network connection to another host on the internet
such as yahoo.com. Type:

	ping www.yahoo.com

     Ping can also be used to diagnose and discover other network information by using command line switches. You can use Ping to find the Maximum Transmission Unit (MTU) of your network and internet connection. You can also use Ping to experiment with the TTL settings in a packet as used with the traceroute mechanism.
Use Ping to test your network's MTU by setting the "Don't Fragment" flag in
the ping packet on its way to www.yahoo.com and varying the packet size.
The -f switch sets the don't fragment flag; the -l switch is the buffer size
switch, followed by the size of the packet in bytes. Type:

	ping -f -l 2000 www.yahoo.com
	ping -f -l 1400 www.yahoo.com
	ping -f -l 600  www.yahoo.com
	ping -f -l 300  www.yahoo.com

The first ping should return an error because a packet of 2000 bytes needs
to be fragmented by routers on the network path to www.yahoo.com. As you
reduce the size to find out which packet size the routers will accept, the
1400 will most likely return an error as well, as will the 600. The 300
should work. The average internet router's MTU is around 550. You can move
these numbers up and down until you find the largest packet that the
routers will accept without attempting to fragment it. This is the setting
your computer should use to send all data transmissions efficiently across
the internet.
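The size-stepping above can be automated as a binary search. The Python below is an added example, not from the original text; the network is replaced by a constructed oracle standing in for "ping -f -l <size>" on a path whose smallest link MTU is assumed to be 576 bytes, and it adds one fact the text leaves implicit: the -l value counts only ICMP data bytes, so the IPv4 header (20 bytes) and ICMP header (8 bytes) must be added to get the packet size the routers compare against their MTU.

```python
"""Added example: automating the 'ping -f -l <size>' search for the path MTU.

The network is replaced by a constructed oracle so this runs offline; to use
it for real, swap in a function that runs ping and inspects its output."""
from typing import Callable, Dict, Iterable

IPV4_HEADER = 20    # bytes of IPv4 header on every probe
ICMP_HEADER = 8     # bytes of ICMP echo header; -l counts only the data after it


def fragmentation_oracle(path_mtu: int) -> Callable[[int], bool]:
    """Stand-in for the network (constructed): True if a probe carrying
    `payload` data bytes with DF set would be rejected on a path whose
    smallest link MTU is `path_mtu`. A real check would run ping -f -l and
    look for the 'needs to be fragmented' error in its output."""
    def needs_fragmentation(payload: int) -> bool:
        return payload + IPV4_HEADER + ICMP_HEADER > path_mtu
    return needs_fragmentation


def manual_probe_sequence(needs_fragmentation: Callable[[int], bool],
                          sizes: Iterable[int]) -> Dict[int, str]:
    """Replay the hand-typed size sequence and record each outcome."""
    return {size: ("fragmentation needed" if needs_fragmentation(size) else "reply")
            for size in sizes}


def largest_unfragmented_payload(needs_fragmentation: Callable[[int], bool],
                                 low: int = 0, high: int = 65507) -> int:
    """Binary search between a passing -l value (low) and a failing one (high).
    65507 is the largest -l value possible in a 65535-byte IPv4 packet."""
    if needs_fragmentation(low):
        raise ValueError("even the smallest probe is rejected: path broken or DF ignored")
    if not needs_fragmentation(high):
        return high                      # nothing on the path fragments at all
    while high - low > 1:                # invariant: low passes, high fails
        mid = (low + high) // 2
        if needs_fragmentation(mid):
            high = mid
        else:
            low = mid
    return low


def path_mtu_from_payload(payload: int) -> int:
    """Convert the winning -l value back to the link MTU it implies."""
    return payload + IPV4_HEADER + ICMP_HEADER


if __name__ == "__main__":
    oracle = fragmentation_oracle(576)   # constructed path with a small link
    for size, outcome in manual_probe_sequence(oracle, (2000, 1400, 600, 300)).items():
        print(f"ping -f -l {size:<5} -> {outcome}")
    best = largest_unfragmented_payload(oracle)
    print(f"largest -l without fragmentation: {best}; "
          f"path MTU = {path_mtu_from_payload(best)}")
```

With the assumed 576-byte link the replayed sequence matches the text (2000, 1400 and 600 fail, 300 succeeds) and the search settles on -l 548, i.e. a 576-byte packet; on an unbroken Ethernet path the same search returns 1472, the familiar 1500-byte MTU.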

-----------------------------------------------------------------------------

The following information builds on the traceroute discussion above.
Reading that first will make this make more sense and also make this
feature of PING more interesting and useful.

Use Ping to experiment with the TTL settings in an IP packet. First, use
traceroute to find out how many hops a packet takes from your computer to
www.yahoo.com (this is the number of routers on the path between you and
yahoo). Once you find the number, for example 12, set the TTL to 12 in a
ping to see if the packet reaches yahoo. The TTL is set with the -i switch
on the Ping utility. Type:

	ping -i 12 www.yahoo.com

Of course, your route may be more hops, say 20, or may be less, like 10.
Use traceroute to count them and set the 12 to whatever amount of hops
there are between you and the www machine on yahoo's network.

Now, set the TTL to one or two less than the number you came up with; we
will use 10 for this example. Type:

	ping -i 10 www.yahoo.com

You will see lines of data such as:

	Reply from 206.132.254.41: TTL expired in transit.
	Reply from 206.132.254.41: TTL expired in transit.

The 206.132.254.41 is a router returning the ICMP control message Time
Exceeded In Transit as in traceroute. If you use the traceroute utility to
find this router, you will see that it is the 10th hop on the network
route to yahoo. This is the router where the TTL was too small and resulted
in the packet being dropped. When using tracert to find this router, don't
forget to use the -d switch so that you can see the IP address instead of
the hostname.
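The traceroute mechanism described earlier and the ping -i experiment in this section rest on the same exchange, which the Python model below follows step by step. It is an added example, not part of the original text: each router subtracts 1 from the TTL, the router that takes it to 0 answers with ICMP Time Exceeded (or stays silent, which traceroute prints as '*'), and the destination answers a UDP probe to port 33434 with Port Unreachable or an echo request with Echo Reply. The router and host addresses are constructed documentation addresses; no real network is touched.

```python
"""Added example: a toy model of the TTL / ICMP exchange behind traceroute
and 'ping -i'. Routers, addresses and the destination host are constructed
(RFC 5737 documentation addresses) so the logic runs offline."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRACEROUTE_BASE_PORT = 33434   # UDP port named in the text; nothing listens there


@dataclass
class Packet:
    ttl: int
    proto: str                 # "udp" (traceroute probe) or "echo" (ping)
    dst_port: int = 0


@dataclass
class Router:
    address: str
    silent: bool = False       # drops expired packets without sending ICMP


@dataclass
class IcmpReply:
    kind: str                  # "time_exceeded", "port_unreachable" or "echo_reply"
    from_addr: str


def forward(routers: List[Router], dest: str, pkt: Packet) -> Optional[IcmpReply]:
    """Carry one packet along the path. Every router subtracts 1 from the TTL;
    the router that takes it to 0 discards the packet and answers with ICMP
    Time Exceeded (unless it is silent). The destination answers an echo
    request with Echo Reply and a UDP probe to a closed port with Port
    Unreachable. None means nothing came back."""
    for router in routers:
        pkt.ttl -= 1
        if pkt.ttl <= 0:
            return None if router.silent else IcmpReply("time_exceeded", router.address)
    if pkt.proto == "echo":
        return IcmpReply("echo_reply", dest)
    return IcmpReply("port_unreachable", dest)   # no service on the 334xx ports


def traceroute(routers: List[Router], dest: str, max_hops: int = 30) -> Tuple[List[str], bool]:
    """Raise the TTL by one per probe until Port Unreachable arrives from dest.
    Returns the replying address per hop ('*' for silence) and completion."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        reply = forward(routers, dest, Packet(ttl, "udp", TRACEROUTE_BASE_PORT + ttl - 1))
        if reply is None:
            hops.append("*")
            continue
        hops.append(reply.from_addr)
        if reply.kind == "port_unreachable":
            return hops, True
    return hops, False


def ping_with_ttl(routers: List[Router], dest: str, ttl: int) -> Optional[Tuple[str, str]]:
    """'ping -i <ttl>': (replying address, reply kind), or None on silence."""
    reply = forward(routers, dest, Packet(ttl, "echo"))
    return None if reply is None else (reply.from_addr, reply.kind)


# Constructed path: three routers, the middle one never sends ICMP errors.
SAMPLE_ROUTERS = [Router("192.0.2.1"), Router("198.51.100.1", silent=True), Router("203.0.113.1")]
SAMPLE_DEST = "203.0.113.80"

if __name__ == "__main__":
    hops, complete = traceroute(SAMPLE_ROUTERS, SAMPLE_DEST)
    for n, hop in enumerate(hops, 1):
        print(f"{n:3}  {hop}")
    print("Trace complete." if complete else "Trace incomplete.")
    for ttl in (2, 3, 4):
        print(f"ping -i {ttl}:", ping_with_ttl(SAMPLE_ROUTERS, SAMPLE_DEST, ttl))
```

On the constructed path the trace shows the first router, a '*' for the silent second router, the third router, and then the destination; pinging with TTL 3 draws Time Exceeded from the third router (the "TTL expired in transit" line above), while TTL 4 reaches the host.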


NETSTAT

     This utility displays the TCP/IP protocol session information. You can use netstat to view current TCP connections that your computer has.
Use netstat to see all TCP connections and listening ports on your
computer. Type:

	netstat -a

You can use netstat with the -e switch to see ethernet statistics on your
local network as well. You must have an ethernet LAN for this option to
display any useful information. Type:

	netstat -e

You can use the -n switch in netstat to see IP addresses and port numbers
instead of hostnames and service types.

	netstat -n

You can use the -s switch (statistics) to see per-protocol statistics.
It can be combined with the -p switch (protocol) to see statistics for a
specific protocol instead of for all protocols. When the -s and -p
switches are used together, you can also specify IP as the argument to
the -p switch.

	netstat -s
	netstat -s -p TCP
	netstat -s -p UDP
	netstat -s -p IP


You can use the -p switch (protocol) to view connections of a specific
protocol. The choices are TCP and UDP. If combined with the -s switch to
view statistics, you can also use the IP protocol.

	netstat -p TCP
	netstat -p UDP

To see your system's routing table, use netstat with the -r switch (route);
this is similar to using the route command (route print).

	netstat -r

The last argument to the netstat command is the interval argument. It can
be used to refresh the netstat information based on the amount of seconds
you specify as the interval. To see the IP protocol statistics every 5
seconds, you would type:

	netstat -s -p IP 5

In the above example, use CTRL-C to break the interval and exit the netstat
utility.

     It is worth noting how useful this utility is. It can be used to find out what connections your computer has to other machines on a network. If you think some program is accessing the internet without your knowledge, such as a live update program or a trojan, use netstat to find out what connections are being made.
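To put that advice into practice, the Python below parses netstat output in the Windows layout and separates listening ports, sessions that stay inside the LAN, and sessions that leave it. It is an added example, not part of the original text; the netstat output it reads is constructed (documentation addresses) so it runs offline, and the "expected" remote ports 80 and 443 are an assumption to adjust for your own machine.

```python
"""Added example: reading 'netstat -an' output to see which connections the
machine holds and which of them leave the LAN. The output is constructed in
the Windows netstat layout; nothing is executed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:49730     198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.10:49740     192.168.1.20:445       ESTABLISHED
  TCP    192.168.1.10:49750     203.0.113.9:80         TIME_WAIT
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.10:137       *:*
"""

# Address space that stays inside the LAN or on the host itself.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]       # None for UDP's "*:*"
    remote_port: Optional[int]
    state: str                     # "" for UDP, which has no state column


def split_endpoint(text: str) -> Tuple[Optional[str], Optional[int]]:
    """'192.168.1.10:49712' -> ('192.168.1.10', 49712); '[::]:135' -> ('::', 135);
    '*:*' -> (None, None). rpartition keeps IPv6 colons intact."""
    host, _, port = text.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host.strip("[]"), int(port)


def parse_netstat(output: str) -> List[Socket]:
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                     # banner and column-header lines
        lip, lport = split_endpoint(fields[1])
        rip, rport = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""
        sockets.append(Socket(fields[0], lip, lport, rip, rport, state))
    return sockets


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)   # v4/v6 mismatch is simply False


def listening_tcp_ports(sockets: List[Socket]) -> List[int]:
    return sorted({s.local_port for s in sockets if s.proto == "TCP" and s.state == "LISTENING"})


def external_sessions(sockets: List[Socket]) -> List[Socket]:
    """Live TCP sessions whose far end is outside the LAN: the ones to account for."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and s.remote_ip and not is_local(s.remote_ip)]


def external_established(sockets: List[Socket]) -> List[str]:
    return [f"{s.remote_ip}:{s.remote_port}" for s in external_sessions(sockets)]


def unexpected_external(sockets: List[Socket], expected_ports=(80, 443)) -> List[str]:
    """External sessions on ports you did not expect this machine to be using
    (the port list is an assumption for this example)."""
    return [f"{s.remote_ip}:{s.remote_port}" for s in external_sessions(sockets)
            if s.remote_port not in expected_ports]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("listening TCP ports:", listening_tcp_ports(socks))
    print("sessions leaving the LAN:", external_established(socks))
    print("on unexpected ports:", unexpected_external(socks))
```

The LAN test uses an explicit list of private, loopback and link-local ranges rather than the ipaddress module's is_private flag, because that flag also covers the documentation ranges used in the sample and would hide them. The session to 198.51.100.7:6667 is the kind of entry the text is asking you to notice and account for.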



NBTSTAT

     Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP). This utility displays the local NetBIOS name table, a table of user-friendly computer names mapped to IP addresses. It applies more to local area networks (LANs) than to internet connections. Nbtstat is a Microsoft-specific utility for its NetBIOS naming protocol on WORKGROUP LANs.

To see a remote machine's name table given its name, use the -a switch.
The name would be a workgroup assigned name. Type:

	nbtstat -a diamond

To see a remote machine's name table given its IP address, use the -A
switch. Type:

	nbtstat -A 192.168.1.1

To see your machine's remote name cache, including the IP addresses, use the
-c switch (cache). Type:

	nbtstat -c

To list local NetBIOS names, use the -n switch (names). To see a list of
names resolved by broadcast and via WINS, use the -r switch (resolved).
To see a list of sessions, use the -S switch (sessions) or the -s switch
(sessions); the difference is that the uppercase S shows IP addresses and
the lowercase s converts the IP addresses into names by using the hosts
file located at "c:\windows\hosts".

To purge and reload the remote cache name table, use the -R switch
(reload). Type:

	nbtstat -R


ARP

     This utility displays and modifies the IP-to-physical address translation tables used by the Address Resolution Protocol (ARP). It allows users to view the ARP cache and modify it if necessary. ARP is used on LANs to obtain the network interface (MAC) address of the NIC that uses a specified IP address.
To display the current ARP entries, use the -a switch (all). You can also
pass an argument to the arp command when combined with the -a switch.
The argument is the inet_addr, or IP address, of the specified computer.

	arp -a
	arp -a 192.168.1.1