This is a document detailing various network diagnostics tools, most of which already available within your operating system, that can help troubleshoot network faults. It is not an exhaustive guide, but should cover all of the main areas and tools that you will need to effectively diagnose common issues. Some of these tools can be used to troubleshoot both WAN and LAN faults, where as others are used just for LAN faults.
For OSX users, there is an OS provided network utility tool with a handy GUI that contains a lot of the tools discussed in this document. This is available here: https://support.apple.com/en-gb/HT202790
This guide will cover how to use certain commands using IPv6 technology but it should be noted that for these commands to work both the source and target of your packets must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you then you will find that they won’t work.
The tools we will be covering in this guide are:
What is it?
Ping, commonly considered to stand for Packet InterNet Groper, is one of the most common network diagnostic tools in use today. It works by sending an ICMP request to a target host and then waits for an ICMP reply. ICMP, or Internet Control Message Protocol, is one of the main protocols of the Internet and is used to send error messages or to indicate that a device is unreachable. Data is collected on how long the request to reply takes and then reported back. Usually there is also a statistical breakdown of this information, including a minimum, maximum and mean ICMP response time.
Using this tool can not only help determine whether a device is reachable from another device, but can also help identify latency and packet loss between the two devices. It can be used both locally on your internal network, and externally to test connectivity across the Internet.
When using ping it is important to remember that it can be blocked using Access Lists or other forms of configuration on the target device, so not getting a response does not necessarily mean that there is a fault.
How to use it
Ping is installed and usable by default as part of Windows and OSX. It is important to remember that some devices are set not to respond to ping for security purposes, so when conducting ping tests make sure that the device you are trying to reach is configured to respond to ping requests. For instance Windows Firewall is sometimes configured to block responses to ping.
Ping is typically used from the command prompt simply by using the command ping followed by the DNS name or IP address of the device that you wish to reach. Here is what a typical ping request looks like:
Here you can see we have pinged a very local device on 192.168.0.1 — “very” local because all of the responses have been replied to in just 1ms. When you are pinging devices across larger networks, you can expect this number to be larger. However if this number is too large, you could have identified a latency issue. You can see that all of the pings were sent with a standard 32 byte packet, with a TTL (Time To Live) of 64, which indicates that the ping has 64 hops before it expires i.e. it can hit 64 separate network devices before it gives up. At the bottom is the statistical breakdown of the results, indicating that there is no packet loss.
Here we have the ping command used across a WAN to ping an address on the Internet. As you can see the ping response times are much more varied. When pinging across the Internet, anything up to about 60-70ms is a reasonable expected response time. In this example you can see that a couple of the responses are considerably higher than this. If the response times are consistently high or erratic, you should investigate a potential latency or speed issue with your WAN connectivity. Similarly, if you are consistently getting dropped pings, you should look for potential problems that could be causing a break in communication.
Ping on OSX can be used by starting the Terminal program in the Applications/Utilities folder.
The command works very much the same as the Windows version, with one significant difference. On OSX the default setting is for ping to continue until you stop it by pressing CTRL X. An example of an OSX ping output is below:
The PING command will work as standard with IPv6 addresses – just substitute the IPv4 address for an IPv6 address.
If you want to resolve a DNS name to its IPv6 address and ping that, just add the -6 command to the ping line.
To get a full list of additional PING commands, simply type ping from the command prompt for a full list. Here is a breakdown of the most useful ones:
-a will give you the DNS reverse lookup of the IP address you are attempting to reach
-t will enable continuous ping so the ping will continue until cancelled instead of only doing the standard 4 attempts
-l x will increase the size of the pings in bytes, where x is the desired size
What is it?
Traceroute is diagnostic tool that displays the path and transit delays of a packet from your machine to a chosen IP address or DNS name on the local network or across the Internet. It breaks down each hop of a packet’s journey from source to destination, displaying IP and DNS information of each hop.
This comes in very handy when you have tried to ping a device but cannot get a response – the traceroute tool will help show you where the break in the path is happening.
How to use it
Traceroute is installed and usable by default as part of Windows and OSX.
Open a command prompt and type the command tracert followed by the IP address or DNS name that you wish to trace to. A typical traceroute output will look something like this:
Here you can see a simple traceroute to google.com that has been resolved and completed. The hops are numbered, with hop number 1 usually being your gateway IP address. Each step of the way is displayed, with the amount of time it took to reach each hop and the network address of that hop. This traceroute is complete, but if you using it to troubleshoot a broken path, the readout will start to timeout with asterisks. The last line before the timeouts is obviously where the packet is maybe getting stuck and might point you in the right direction of where the problem lies, at the very least requiring further investigation.
Tracert on OSX can be used by starting the Terminal program in the Applications/Utilities folder.
The command works very much the same as the Windows version. An example of an OSX ping output is below:
Note that OSX does not have a default limit of 30 hops like the Windows platform. This can be overridden with the –m flag command, enabling you to see (humorous) things like:
The tracert command will work as standard with IPv6 addresses – just substitute the IPv4 address for an IPv6 address.
If you want to tracert to a DNS name using IPv6, simply add the -6 command to the tracert line.
A full list of additional commands is available if you just type tracert from a command prompt. The most useful ones are detailed here:
-d is used if you do not want to resolve the DNS names of the IP addresses at each hop
-h x is used to specify the maximum number of hops to search for a target where x is the number of hops
What is it?
PathPing is a route tracing tool that combines elements and features of the previous two tools – PING and traceroute – with some additional information not provided by either of those. PathPing sends packets to each router on the way to a final destination over a period of time, and then computes results based on the packets returned from each hop. Essentially it is a traceroute with an extra statistics breakdown for each hop.
Since PathPing shows the degree of packet loss at any given router or link, you can pinpoint which of those routers or links might be causing network problems along the path between two devices. Where as traceroute tends to be more useful where a connection has broken down, PathPing tends to be more useful when there is a latency or slowness issue.
How to use it
Pathping is installed and usable by default as part of Windows, but unfortunately is not available as part of OSX. Simply type the command pathping followed by the IP address or DNS name you wish to run diagnostics to. A typical PathPing result will look something like this:
The top portion of the results are essentially the same as the traceroute, with each hop of the path represented by the IP and/or DNS name of the device at that hop.
The second portion of the results is the interesting and unique part of the PathPing:
In this easier to read version of the original results, you can see how each hop of the path is broken down and what stats are run against one. Each hop has important sets of tests run against it, shown in the Source to Here column and This Node/Link column. Each hop along the path has 100 pings tested to it, and these columns demonstrate if there is any loss. This particular example is very simple and doesn’t show any problems, but if you were running these tests along a broken path, the results would be much more revealing and would help you even further in finding out where the problem lies.
The pathping command will work as standard with IPv6 addresses – just substitute the IPv4 address for an IPv6 address.
If you want to pathping to a DNS name using IPv6, simply add the -6 command to the tracert line.
A full list of available additional commands is displayed if you simply type pathping from the command prompt. Here are the most useful:
-p x is used to define the time to wait between each ping where x is the number of milliseconds
-q x is used to define the number of pings to interrogate each hop with where x is the number of pings
-w x is used to define the wait time before each ping times out where x is the number of milliseconds
What is it?
Nmap, or Network Mapper, is command line based tool for network discovery, networking mapping and networking auditing, available for Windows and OSX. Essentially it use IP packets to determine was hosts, ports, services and IP addresses are available and open on a network, both LAN and WAN. It can also help determine other helpful pieces of information such as what operating systems are in use, what types and brands of network kit are deployed, and what applications are currently in use. It is an extremely helpful tool in scanning networks.
How to use it
The following guide contains screenshots from the Windows version, but the syntax and output for the OSX version are almost identical.
Nmap is a free, open source tool that is available for download at: https://nmap.org/download.html
After installation, nmap runs from command line by simply using the nmap x command where x is the IP address that you wish to scan, either a local LAN IP address or a WAN IP. A typical nmap output looks like this:
As you can see it gives some useful bits of information with regards to what is open and running. This application can be useful for spotting holes in networks, vulnerabilities, any situation where you think there is malicious intent going on. When using the utility in a LAN environment, the same scan can be done across an entire subnet at once, simply by typing the subnet in CIDR format.
Nmap does have IPv6 functionality built in and can be forced to utilise IPv6 with certain commands by adding -6 to the nmap line. However it must be noted that the nmap documentation does say that the IPv6 functionality is highly experimental and many of the commands won’t function effectively.
Of all of the tools in this guide, nmap has the most comprehensive bounty of additional commands to use. A full list of additional nmap commands is available simply by typing nmap from the command line. A compilation of the most useful ones are here:
–sP x is used to ping all IP addresses on a subnet to see which ones are up and responding, where x is the subnet in CIDR format
-O is used to determine what operating system the target host is running
-sL x is used to do a DNS query and reverse lookup of all of the IP addresses in a subnet, where x is the subnet in CIDR format
-Pn is used to check approximately 2000 common TCP and UDP ports to see if they are open and responding, whilst skipping the ping scan and assuming the host is up, which is useful if there is a firewall preventing ICMP replies
-v is used to toggle verbose mode for that particular scan, which gives you more feedback to what nmap is actually doing as it scans
It is also worth mentioning that nmap scans may take a long time, depending on the type of scan and target. At any time on the command window, press the down arrow key and it will tell you how far it is into its scan in percent.
What is it?
Netstat is a tool that displays very detailed information and statistics about the device you are using and how it is connected to the local and wider network. It can be used to retrieve inbound and outbound TCP connections, routing tables, and a number of network interface statistics.
Using netstat can be useful in finding out if requests on certain ports to certain destinations are succeeding or failing, interrogating statistics for inbound and outbound connections, and displaying the current route table for your device.
How to use it
Netstat is installed and usable by default as part of Windows and OSX.
It is run from a command prompt simply by typing netstat. A typical netstat result would look like this:
Each line of the output represents a request from your machine to a device beyond your machine, be it on the local network or the internet. Each request is broken into 4 columns.
The first column tells you the protocol of the entry.
The second column tells you the local address and port, which can either be the local IP address of the network interface (in this case 192.168.0.3) or the local IP address of a software-defined network interface (in this case the loopback default network IP 127.0.0.1). Essentially this second column is the source of each request.
The third column is the destination of the request as an external IP address or as the first part of the FQDN, along with the destination port.
The fourth column tells you the state of each request.
If you are having trouble with a connection to a certain device or website, this tool can be used to see if the connection is being established or not.
Here is an example of OSX netstat –rn output:
The netstat command will work with IPv6 addresses. To display the output for the IPv6 protocol, simply add –p ipv6 to the command line.
A full rundown of all netstat commands is available by typing netstat ? from a command prompt, but here is a rundown of the most useful ones:
-a is used to display the additional entries of ports and connections that are being listened to, as well as the usual established connections, and also displays information for UDP as well as TCP
-e is used to display statistics about your network connection
-f is used to convert all of the destination IP addresses into FQDN format where possible, and displays the full FQDN rather than just the first part, which is the default setting
-r is used to display the route table for your device
-n is used to display all results numerically and no attempt is made to determine FQDN, and can be used in conjunction with the other commands so –rn would display the route table in numerical terms only
What is it?
ARP, or Address Resolution Protocol, is a standard networking protocol that links network addresses to physical address, or to put it another way, IP addresses to MAC addresses. It is an essential part of how networks communicate.
ARP can be used as part of a troubleshooting process to see what other devices across the network are linked to the current device. This can be useful in identifying unknown devices that you think may be accessing your network maliciously, for instance if someone was connecting to your wireless connection without your permission you would check the ARP table of your router for unknown IP addresses.
How to use it
ARP is installed and usable by default as part of Windows and OSX.
It is run from a command prompt by using the arp –a command, a standard output of which will look something like this:
The interface address at the top is the local IP address of the machine you are currently on. The rest of the table details all of the network addresses that are currently connected to your machine. A lot of the entries in this example are not actual devices as this is a very simple setup, but you can see the router that the device is connected to at the top of the table in 192.168.0.1, with the router’s MAC address in the middle column.
FF-FF-FF-FF-FF-FF is a broadcast MAC address that is accepted by all devices by default.
ARP on OSX can be used by starting the Terminal program in the Applications/Utilities folder. The command syntax is exactly the same, but the output will look slightly different:
The arp command still exists in some form for the IPv6 protocol but the command you have to use has changed. To display the arp output for the IPv6 protocol, use the following command:
netsh int ipv6 show neighbors
A full list of ARP commands is available by simply typing arp at the command prompt. A summary of the most useful ones are here:
-a is used to display the ARP table for all network interfaces on the current machine
-n x is used to display the ARP table for a specified network interface where x is the interface address
flush is used to clear the current ARP table of the dynamic entries
What is it?
Ipconfig is a simple command line application that displays all of the current TCP/IP network settings on your machine, and is able to make a couple of basic changes. It is helpful when trying to determine why a machine is having problems connecting to a network, and for information purposes.
How to use it
Ipconfig is installed and usable by default in Windows. It is also used on OSX by default, but the command is different.
Simply type ipconfig from a command line to get the desired information. A typical ipconfig output would look something like this:
You will probably find that your machine has more network interfaces than you realised, and a lot of the information will display as being disconnected, but it will display the important information that you require, mainly your local IP address and the IP address of your gateway.
A common fault that is detected by using the ipconfig command is the IP address showing up as a 169.254.x.x address, where the first octet of your IP is displayed as 169.254.x.x. This 169.254.x.x address is an IP address reserved for the TCP/IP protocol and indicates that the machine is having difficult in obtaining an IP address correctly, which most of the time indicates a problem with DHCP.
Ipconfig on OSX can be used by starting the Terminal program in the Applications/Utilities folder. The ipconfig command under OSX has a different function to that of the one on Windows:
On OSX, the ipconfig command as we have been discussing in this section is actually called ifconfig so simply type ifconfig into Terminal to utilise it. The output is significantly different:
The ipconfig command will work by default and will display all IPv6 information using the normal commands, providing your machine and connectors are configured to use the IPv6 protocol.
A full list of additional ipconfig commands can be obtained by simply typing ipconfig ? from the command line. A summary of the most useful commands are here:
/all is used to display more in depth details about the TCP/IP and DHCP lease settings
/release is used to clear the current IP address settings
/renew is used to obtain new IP address settings after using the /release command
/flushdns is used to purge the DNS resolver cache
What is it?
Nslookup, or name server look up, is a command line tool used for querying the DNS zone files to obtain useful information such as domain names, IP addresses, or specific DNS records. This information can prove important when trying to query or troubleshoot problems across the Internet.
How to use it
Nslookup is installed and usable by default in Windows and OSX.
It is used and operated from the command line. It can be used in either non-interactive or interactive mode. Non-interactive mode is used by typing the nslookup command followed by the DNS name you wish to query, so nslookup www.google.com. Interactive mode is toggled by simply typing nslookup, which will then present you with a > prompt to signal it has been activated. From this prompt you can proceed to type in the DNS names and parameters that you wish to query. An example of a typical nslookup output is thus:
A simply DNS query on activereach.net shows the IP of the server address. Notice that the DNS server it uses is the DNS server that is configured on the Internet connection, not the operating system’s local DNS resolver library.
Nslookup on OSX can be used by starting the Terminal program in the Applications/Utilities folder. The command syntax is exactly the same, but the output will look slightly different:
The nslookup command will work with IPv6 addresses and requires no additional commands — as long as the host you are trying to look up is configured with IPv6, it will display the relevant information.
To view a full list of additional commands, simply type ? from within nslookup interactive mode. When using the additional commands, it is important to remember that not all DNS providers will allow full zone file queries for security purposes. To utilise the full set of services that nslookup has to offer, it is best to it in interactive mode.
When you have entered interactive mode, you can tell it to query different types of record by using the set q=x command where x is the type of record you wish to query, so to query an MX record you would:
9. Host (Mac only)
What is it?
The Mac specific host command is very similar to the nslookup command in that it is used to interrogate DNS information for a specific domain, but the output is much more detailed. The host command performs an extensive DNS lookup for whatever domain it is pointed to, which makes it much more useful than nslookup in many situations, whether to troubleshoot and discover DNS propagation issues or simply to get an actual IP address, CNAME, IPv6 address, or otherwise.
How to use it
Host is installed and usable by default as part of OSX, but unfortunately is not available as part of Windows. Simply type the command host followed by the DNS name you wish to interrogate. A typical host result will look something like this:
The host command will work with IPv6 addresses and requires no additional commands — as long as the host you are trying to look up is configured with IPv6, it will display the relevant information.
A full list of available additional commands is available here: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/host.1.html
but here are some commonly used helpful additions to the host command:
-a is used to provide a list of any and all DNS details of that domain thus providing an even more comprehensive lookup
-t is used to interrogate a specific type of record for that domain, so for example –t NS would give you the name servers, -t MX would be another example
-t a is used to provide you with the IP address of that domain
activereach specialises in helping companies with network security audits, local areas networking LAN and wide area networking WAN. Call us on 0845 625 9025 or contact us to find out more.