Summary

This document provides an overview of network command-line tools, including ipconfig, ping, tracert, netstat, and nslookup, and their usage for fault finding in industrial networks. It includes explanations of the commands' functions, syntax, options, and outputs.

Full Transcript


Network Command Line Tools: ipconfig, ping, tracert, netstat & nslookup
Tools used for fault finding
Industrial Networks II, Keith Smyth, updated Jan 2023

ipconfig (networking utility)

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters (this gives only limited information).

ipconfig (common switches)

/all
Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

/displaydns
Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.

/flushdns
Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.

/renew [adapter]
Renews the DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
C:\>ipconfig
(output shown on slide: the addresses of one adapter)

C:\>ipconfig /all
(output shown on slide; output for other adapters removed)

C:\>ipconfig /displaydns
(output removed)

C:\>ipconfig /flushdns

ping (networking utility)

The ping command is a very common method for troubleshooting the accessibility of devices. It uses a series of Internet Control Message Protocol (ICMP) Echo messages to determine:
- whether a remote host is active or inactive,
- the round-trip delay in communicating with the host,
- packet loss.

The ping command first sends an echo request packet to an address, then waits for a reply. The ping is successful only if:
- the echo request gets to the destination, and
- the destination is able to get an echo reply back to the source within a predetermined time called a timeout.
The default value of this timeout is two seconds on Cisco routers and four seconds on Microsoft Windows. It can be changed on Cisco devices and on most operating systems (the -w switch).

The command-line options of the ping utility and its output vary between different operating systems. Options may include:
- the size of the payload (the default payload size is 32 bytes),
- the count of ping requests,
- a limit for the number of network hops (TTL) that ping requests traverse,
- the interval between the requests and the time to wait for a response.
Many systems provide a companion utility, ping6, for testing on Internet Protocol version 6 (IPv6) networks, which implement ICMPv6.

C:\>ping /?
(option listing shown on slides)

-S switch
Specifies the source address to use for the ping request. This may be useful when checking connectivity from a router with several interfaces: the -S switch allows you to specify the source of the ping request.

What is happening here? (slide example) A ping to google.com is sent with a TTL of 5. The TTL is decremented to 0 before the request reaches the destination, so the ping does not reach the destination.

Security loopholes in ping

ping flood: to conduct a denial-of-service attack, an attacker may send ping requests as fast as possible, possibly overwhelming the victim with ICMP echo requests. This technique is called a ping flood.

ping sweeps (walking the range): ping requests to multiple addresses, ping sweeps, may be used to obtain a list of all hosts on a network.

tracert (networking utility)

This diagnostic tool determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) echo Request or ICMPv6 messages to the destination with incrementally increasing time to live (TTL) field values (it uses ping). Each router along the path is required to decrement the TTL in an IP packet by 1 before forwarding it. When the TTL on a packet reaches 0, the router drops the packet and should return an ICMP time exceeded message to the source computer.

This command determines the path by sending the first echo request message with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum number of hops is reached. The maximum number of hops is 30 by default and can be specified using the /h parameter. The path is determined by examining the ICMP time exceeded messages returned by intermediate routers and the echo reply message returned by the destination.

Not all devices will reply with ICMP time exceeded messages:
- some firewalls filter ICMP,
- ICMP is low priority on some devices (if busy, they drop ICMP).
Windows sends ICMP echo requests, receives ICMP time exceeded messages from intermediate routers, and receives an ICMP echo reply from the final destination. Cisco IOS devices send UDP datagrams to port 33434 (configurable) instead. Routers that don't return a time exceeded message for packets with expired TTL values are invisible to the tracert command; a row of asterisks (*) will be displayed for that hop.
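The TTL behaviour described for ping and tracert above, as an added example that is not part of the original slides: a small model of a path of routers in which one hop (a firewall that filters ICMP) never answers. The path, addresses and the ICMP-filtering hop are constructed values, not measurements.

```python
# Constructed path: (router address, does it return ICMP Time Exceeded?).
# Hop 3 models a firewall that filters ICMP, so it never answers.
PATH = [("192.168.1.1", True), ("10.0.0.1", True), ("10.0.0.2", False),
        ("203.0.113.1", True), ("198.51.100.1", True)]
DESTINATION = "198.51.100.9"

def send_probe(ttl: int) -> tuple:
    """Forward one echo request along PATH; each router decrements the TTL by 1.
    Returns (address or None, 'echo-reply' | 'time-exceeded' | 'timeout')."""
    for addr, answers in PATH:
        ttl -= 1
        if ttl == 0:                          # expired here: packet is dropped
            return (addr, "time-exceeded") if answers else (None, "timeout")
    return (DESTINATION, "echo-reply")        # survived every router

def ping(ttl: int = 128) -> str:
    """Like `ping -i <ttl>`: only successful if the request reaches the destination."""
    addr, result = send_probe(ttl)
    if result == "echo-reply":
        return "Reply from %s" % addr
    if result == "time-exceeded":
        return "TTL expired in transit at %s" % addr
    return "Request timed out"

def tracert(max_hops: int = 30, probes: int = 3) -> list:
    """Like tracert: TTL 1, 2, 3 ... until the destination replies or max_hops.
    A hop that returns nothing shows as a row of asterisks, one per probe."""
    rows = []
    for ttl in range(1, max_hops + 1):
        addr, result = send_probe(ttl)
        rows.append((ttl, addr if addr else " ".join(["*"] * probes)))
        if result == "echo-reply":
            break
    return rows

if __name__ == "__main__":
    print(ping(5))              # TTL 5 expires at the fifth router, as in the slide
    for ttl, hop in tracert():
        print(ttl, hop)
```

The model reproduces the slide example: a TTL of 5 on a six-hop path expires before the destination, and the silent third hop appears as `* * *` in the tracert rows while the trace still continues past it.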
tracert (switches available)
(switch listing shown on slide)

tracert -d (do not resolve IP addresses to hostnames)
(sample output shown on slide; the last row is the reply from the destination)
Performs three separate tests with the same TTL value.

netstat (networking utility)

Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, this command displays active TCP connections.

netstat (switches)
(switch listing shown on slides)

-a
Displays all connections and listening ports. Each line of the output represents a different connection and shows the following information:
- The first column "Proto" shows that the protocol used for the connection is TCP.
- The second column "Local Address" shows the IP address and port number that the local machine is using for the connection. The IP address "0.0.0.0" indicates that the service is listening on all available IP addresses (any IP address on the device, with this port number).
- The third column "Foreign Address" shows the IP address and port number of the remote machine that the local machine is connected to. The address "LAPTOP-1TFU8CHK" is the hostname of the machine, and the port number "0" indicates that the remote machine is not connected.
C:\Users\USER>netstat -a
Part of the output:

Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    0.0.0.0:135            LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:445            LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:5040           LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:7680           LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:17500          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:49664          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:49665          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:49666          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:49667          LAPTOP-1TFU8CHK:0        LISTENING

Reading this output: the protocol used for the connections is TCP; the service on port 445, for example, is listening on all available IP addresses; the foreign address "LAPTOP-1TFU8CHK" is the hostname of the machine, and the port number "0" indicates that the remote machine is not connected.

The fourth column "State" shows the current state of the connection. The state is "LISTENING", which means the service is waiting for incoming connections. From the output, it can be seen that the machine is running several services like MS-RPC, CIFS, and Remote Administration on different ports. These services are listening on all available IP addresses.

What is Remote Procedure Call (RPC)?
Remote Procedure Call is a software communication protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network's details. RPC is used to call processes on remote systems as if they were on the local system. A procedure call is also sometimes known as a function call or a subroutine call.

What is CIFS (Common Internet File System)?
CIFS (Common Internet File System) is a Windows file sharing protocol that is based on the client-server programming model.

It can also be observed that the services on ports 135, 445, 5040, 7680, 17500, 49664-49668 and 49670 are listening for incoming connections.

C:\Users\USER>netstat -a
More of the output:

  Proto  Local Address          Foreign Address          State
  TCP    0.0.0.0:49668          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    0.0.0.0:49670          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    127.0.0.1:843          LAPTOP-1TFU8CHK:0        LISTENING
  TCP    127.0.0.1:17600        LAPTOP-1TFU8CHK:0        LISTENING
  TCP    127.0.0.1:50151        LAPTOP-1TFU8CHK:50152    ESTABLISHED
  TCP    127.0.0.1:50152        LAPTOP-1TFU8CHK:50151    ESTABLISHED
  TCP    127.0.0.1:50154        LAPTOP-1TFU8CHK:50155    ESTABLISHED
  TCP    127.0.0.1:50155        LAPTOP-1TFU8CHK:50154    ESTABLISHED
  TCP    169.254.178.81:139     LAPTOP-1TFU8CHK:0        LISTENING
  TCP    192.168.1.13:139       LAPTOP-1TFU8CHK:0        LISTENING
  TCP    192.168.1.13:1025      13.69.109.131:https      ESTABLISHED

Additionally, it can be seen that two services on ports 843 and 17600 are listening for incoming connections on the localhost IP address (127.0.0.1) only. Also, there are several connections in an ESTABLISHED state, meaning there is an active connection between the local machine and the remote machine on the specified ports.

-e
Displays Ethernet statistics. This may be combined with the -s option.

-s
Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6.

nslookup (networking utility)

nslookup (from name server lookup) is a network administration command-line tool for querying the Domain Name System (DNS) to obtain the mapping between domain name and IP address, or other DNS records. (Wikipedia)

(sample output shown on slide) The answer has come from a DNS cache on the local DNS server.
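The column-by-column reading of `netstat -a` above, turned into an added example that is not part of the original slides: a parser for the Windows output format that groups listening ports by bind scope (all interfaces, loopback only, or one specific interface) and lists established sessions whose peer is another machine, which is the check a defender makes when reviewing what an engineering station exposes to the network. The sample lines follow the slides' output (same hostname and addresses); the `own_host` parameter is an assumption of this example.

```python
from collections import defaultdict, namedtuple
from typing import Dict, List

# One parsed netstat row; foreign_port may be a name such as "https".
Conn = namedtuple("Conn", "proto local_ip local_port foreign_ip foreign_port state")

# Sample lines in the format of the netstat -a output on the slides; in practice
# feed in the real command output. UDP rows have no State column.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            LAPTOP-1TFU8CHK:0      LISTENING
  TCP    0.0.0.0:445            LAPTOP-1TFU8CHK:0      LISTENING
  TCP    127.0.0.1:843          LAPTOP-1TFU8CHK:0      LISTENING
  TCP    127.0.0.1:50151        LAPTOP-1TFU8CHK:50152  ESTABLISHED
  TCP    192.168.1.13:139       LAPTOP-1TFU8CHK:0      LISTENING
  TCP    192.168.1.13:1025      13.69.109.131:https    ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

def split_addr(addr: str) -> tuple:
    """'host:port' -> (host, port); rpartition keeps an IPv6 literal's colons."""
    host, _, port = addr.rpartition(":")
    return host, port

def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP/UDP rows; the banner, header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""      # UDP rows: no state
        conns.append(Conn(parts[0], *split_addr(parts[1]), *split_addr(parts[2]), state))
    return conns

def listening_by_scope(conns: List[Conn]) -> Dict[str, List[str]]:
    """Group LISTENING ports: 0.0.0.0 = every interface (reachable from the
    network), 127.0.0.1 = loopback only, anything else = that one interface."""
    scope = defaultdict(list)
    for c in conns:
        if c.state == "LISTENING":
            key = {"0.0.0.0": "all-interfaces", "127.0.0.1": "loopback"}.get(c.local_ip, c.local_ip)
            scope[key].append(c.local_port)
    return dict(scope)

def external_sessions(conns: List[Conn], own_host: str) -> List[str]:
    """ESTABLISHED sessions whose peer is not this machine's own hostname."""
    return ["%s:%s -> %s:%s" % (c.local_ip, c.local_port, c.foreign_ip, c.foreign_port)
            for c in conns if c.state == "ESTABLISHED" and c.foreign_ip != own_host]
```

On the sample, ports 135 and 445 are reported under `all-interfaces`, 843 under `loopback`, 139 under `192.168.1.13`, and the only session to another machine is the one to `13.69.109.131:https`.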
