Lesson 9
Using Windows NT's Network-Related Commands and Utilities
Windows NT 4.0 and the Windows NT Resource Kit provide many useful command-line
tools for troubleshooting network problems. The following describes the most
important tools included with Windows NT Server 4.0 and the additional
command-line utilities provided in the Windows NT Resource Kit.
Windows NT Server 4.0's Built-In Networking Tools
You can use the command-line tools that come with Windows NT 4.0 to solve many basic networking problems. Most of the tools are TCP/IP tools and will be familiar to UNIX users.
Address Resolution Protocol The arp (address resolution protocol) command lets you view the current contents of the arp cache on a server or workstation. arp -a displays the contents of the arp cache; arp -d and arp -s let you manually remove and add entries. Used together with ping, arp lets you determine whether a device is communicating on the network. After you ping the device in question, you should see a corresponding entry in your arp cache: the pinged device's own address if it is on your local subnet, or the default gateway's address if it isn't.
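The ping-then-check-the-cache technique above, as an added example that is not part of the original lesson: a parser for the arp -a listing plus the subnet test that decides whether the pinged host or the default gateway should appear. The arp output, addresses and mask are constructed sample values.

```python
import ipaddress
import re

# Constructed `arp -a` output in Windows NT's layout, captured after a ping.
ARP_OUTPUT = """
Interface: 200.200.1.10 on Interface 2
  Internet Address      Physical Address      Type
  200.200.1.1           00-a0-c9-12-34-56     dynamic
  200.200.1.254         00-00-0c-07-ac-01     dynamic
"""
# One cache row: IP address, dash-separated MAC, entry type (static/dynamic).
_ENTRY = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_cache(text):
    """Map each IP address in `arp -a` output to (MAC, entry type)."""
    cache = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            cache[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return cache

def expected_arp_peer(target, local_addr, mask, gateway):
    """The address whose ARP entry a successful ping leaves behind: the target
    itself when it is on the local subnet, otherwise the default gateway."""
    net = ipaddress.ip_network(f"{local_addr}/{mask}", strict=False)
    return target if ipaddress.ip_address(target) in net else gateway

def ping_left_arp_entry(cache, target, local_addr, mask, gateway):
    """True when the cache holds the entry the ping should have created."""
    return expected_arp_peer(target, local_addr, mask, gateway) in cache
```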
Hostname The hostname command returns the name of the system on which the command is executed. The name returned is the name specified in the DNS section of the system's TCP/IP configuration, rather than the NetBIOS name.
Ipconfig The ipconfig command returns all the current TCP/IP, DNS, and WINS information for the system. Use ipconfig /all to display all the information, and just ipconfig to obtain abbreviated information.
The ipconfig command is also a quick way to get the MAC address of the NIC installed in the device. You can also use the ipconfig command to renew a DHCP address reservation, or release an address on a DHCP client using the /renew and /release parameters.
Nbtstat The nbtstat command is one of the most useful Windows NT networking tools, because it provides various information about NetBIOS names and their addresses. For example, if you know the NetBIOS name of a workstation and want to know its IP address, follow these steps:
1. Type net view \\machinename at the command prompt, where machinename is the NetBIOS name of the device. You receive a list of shares available on that machine, or the message "There are no entries in the list".
2. Type nbtstat -c to display the name and IP address of the machine specified in step 1. You need not specify a machine name because the result of the preceding name resolution is cached in the NetBIOS Name Cache, which you can view with the -c parameter.
You can also use the nbtstat -A ip_address command to determine what machine is registered to a given IP address. Note that this command requires an uppercase A parameter. When you issue this command, the server or workstation sends a name request to the IP address of the primary WINS server specified in the issuing device's TCP/IP WINS configuration page. The returned information is the contents of the WINS database for ip_address. This command is useful if you're trying to troubleshoot WINS problems.
Netstat The netstat command performs many of the same functions as its UNIX counterpart. The netstat -a command displays all current TCP and UDP connections from the issuing device to other devices on the network, as well as the source and destination service ports and, for TCP, the current state of the connection (for instance, Established or Time-Wait). You can also use netstat -r to print the routing table of a given machine.
The netstat -e command gives you statistics on your network interface. When combined with an interval parameter (for example, netstat -e 10), the following information is refreshed every 10 seconds:
Interface Statistics
                           Received            Sent
Bytes                        184763          125248
Unicast Packets                 304             437
Non-unicast Packets            1419            1419
Discards                          0               0
Errors                            0               0
Unknown Protocols               313
NOTE: The preceding information is useful if you're troubleshooting suspected network problems and want to determine whether the network interface is generating errors.
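An added example, not part of the original lesson, of the check the note describes: parse two successive netstat -e snapshots and report whether the Errors or Discards counters grew between them. The two snapshots are constructed to match the layout shown above.

```python
import re
# Constructed sample: two `netstat -e 10` snapshots ten seconds apart, in the
# layout shown in the text. The second shows new receive errors and discards.
SNAPSHOT_1 = """Interface Statistics
                           Received            Sent
Bytes                        184763          125248
Unicast packets                 304             437
Non-unicast packets            1419            1419
Discards                          0               0
Errors                            0               0
Unknown protocols               313
"""
SNAPSHOT_2 = """Interface Statistics
                           Received            Sent
Bytes                        201990          140003
Unicast packets                 351             480
Non-unicast packets            1502            1502
Discards                          0               2
Errors                            7               0
Unknown protocols               330
"""
# A counter row: name, two or more spaces, Received count, optional Sent count.
_ROW = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s{2,}(\d+)(?:\s+(\d+))?\s*$")

def parse_netstat_e(text):
    """Map each counter (lower-cased) to (received, sent); sent is None for
    receive-only rows such as 'Unknown protocols'."""
    stats = {}
    for line in text.splitlines():
        if m := _ROW.match(line.rstrip()):
            sent = int(m.group(3)) if m.group(3) is not None else None
            stats[m.group(1).strip().lower()] = (int(m.group(2)), sent)
    return stats

def counter_deltas(before, after):
    """How much every counter grew between two snapshots."""
    deltas = {}
    for name, (r1, s1) in after.items():
        r0, s0 = before.get(name, (0, None))
        deltas[name] = (r1 - r0, None if s1 is None or s0 is None else s1 - s0)
    return deltas

def interface_problems(before, after):
    """Errors and discards that grew between snapshots, as (name, recv, sent)."""
    deltas, found = counter_deltas(before, after), []
    for name in ("errors", "discards"):
        recv, sent = deltas.get(name, (0, 0))
        if recv or sent:
            found.append((name, recv, sent or 0))
    return found
```

A steadily growing Errors column points at the interface, cable or driver rather than at anything upstream, which is why this check comes before tracing routes.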
Ping The ping command is widely used for testing connectivity. This command sends an ICMP echo packet to the host or IP address you specify on the command line. For example, ping 200.200.1.1 sends an echo packet to IP address 200.200.1.1. If ping is successful, you see a series of replies similar to the following:
Reply from 200.200.1.1: bytes=32 time=10ms TTL=32
Reply from 200.200.1.1: bytes=32 time=10ms TTL=32
Reply from 200.200.1.1: bytes=32 time=10ms TTL=32
Reply from 200.200.1.1: bytes=32 time=10ms TTL=32
If ping fails, you receive the following message:
Request timed out.
You can test whether a server's TCP/IP subsystem is working correctly with the ping 127.0.0.1 command. 127.0.0.1 is the loopback address, also known as the localhost address, and is the default hostname for that machine; this address and hostname are installed by default when you install Windows NT's TCP/IP stack. A successful ping indicates that this virtual address is alive and that your TCP/IP stack is functioning correctly.
Route The route utility lists a server's TCP/IP routing table and can add or delete static routes. You also can add persistent (static) routes that are maintained through shutdown and startup. To view the current routing table, type route print.
You can use the -p parameter to create a persistent route. The following example shows how to add a static route to a remote network and make it persistent:
route -p add 192.168.20.0 MASK 255.255.255.0 200.200.1.255 1
The trailing 1 indicates that the remote network is one router hop (one pass through a router) away. The example routes to the remote network 192.168.20.0 using the gateway/router address of 200.200.1.255. The remote network has a subnet mask of 255.255.255.0.
Persistent routes are stored under the Registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
Tracert The tracert command lets you trace the path to a destination IP address, identifying all the intermediate hops between the source and destination. You can use the tracert command (a very powerful tool for determining how packets are traversing your network) to troubleshoot routing loops or routers that are not functioning, as well as discover timeout problems across the network.
The tracert command uses ICMP to find the path to the end station you specify. The following example, tracert EndStation, traces a path to a client called EndStation at IP address 172.16.12.1:
Tracing route to EndStation [172.16.12.1]
over a maximum of 30 hops:
  1   181 ms   130 ms   130 ms  172.16.4.254
  2   160 ms   131 ms   120 ms  routera.mycompany.com [172.16.5.254]
  3   151 ms   120 ms   120 ms  routerb.mycompany.com [172.16.6.254]
  4   160 ms   140 ms   140 ms  172.16.8.254
  5   161 ms   140 ms   140 ms  routerc.mycompany.com [172.16.9.254]
  6   170 ms   141 ms   130 ms  EndStation [172.16.12.1]
Trace complete.
In this example, the path to the EndStation client is six hops from the device where the command is initiated. The first hop is to the default gateway (172.16.4.254) on the subnet where the command was issued. Along the way, tracert does a DNS reverse-address lookup of each hop (unless you specify the -d parameter) to resolve IP addresses of intermediate hops to host names. If your router interfaces aren't configured in DNS, all you see are the addresses in lines 1 and 4 of the example.
A DNS reverse lookup is exactly as it sounds. Rather than resolve a known host name to an IP address, a reverse lookup resolves a known IP address to a host name.
In the following example, the EndStation client is unreachable from the source. The trace stops after the third hop. This could mean that either the end station is down, or the destination subnet isn't accessible from the source. The latter problem can be due to router problems or to an intermediate route filter of some type.
The best way to approach solving these kinds of problems is to determine what part of the path does work, and narrow the list of possible suspects as you go. A good troubleshooting technique with tracert is to connect to the last successful step along the path, in this case routerb.mycompany.com, and determine whether you can get to the destination from there.
If not, your problem is likely to be in a destination device or an intermediate router. You might need to run another trace from routerb to determine whether intermediate hops to the destination are failing.
Tracing route to 172.16.80.1
over a maximum of 30 hops:
  1   181 ms   130 ms   130 ms  172.16.4.254
  2   131 ms   120 ms   120 ms  routera.mycompany.com [172.16.5.254]
  3  routerb.mycompany.com [172.16.6.254]  reports: Destination host unreachable.
Trace complete.
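The "find the last successful step" technique from the two traces above, as an added example that is not part of the original lesson: a parser for tracert output that reports whether the destination was reached and, if not, which hop answered last and should be the starting point for the next trace. The two sample traces are constructed in the layout the text shows.

```python
import re
# Constructed samples in the layout shown in the text: a complete trace and one
# that stops when routerb reports the destination unreachable.
TRACE_OK = """Tracing route to EndStation [172.16.12.1]
over a maximum of 30 hops:
  1   181 ms   130 ms   130 ms  172.16.4.254
  2   160 ms   131 ms   120 ms  routera.mycompany.com [172.16.5.254]
  3   151 ms   120 ms   120 ms  routerb.mycompany.com [172.16.6.254]
  4   160 ms   140 ms   140 ms  172.16.8.254
  5   161 ms   140 ms   140 ms  routerc.mycompany.com [172.16.9.254]
  6   170 ms   141 ms   130 ms  EndStation [172.16.12.1]
Trace complete.
"""
TRACE_FAIL = """Tracing route to 172.16.80.1
over a maximum of 30 hops:
  1   181 ms   130 ms   130 ms  172.16.4.254
  2   131 ms   120 ms   120 ms  routera.mycompany.com [172.16.5.254]
  3  routerb.mycompany.com [172.16.6.254]  reports: Destination host unreachable.
Trace complete.
"""
_TARGET = re.compile(r"^Tracing route to (?:\S+ \[(\S+)\]|(\S+))")
_HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(\S.*?)\s*$")
_REPORT = re.compile(r"^\s*(\d+)\s+(\S.*?)\s+reports:\s*(.+?)\s*$")

def _split_host(field):  # 'name [ip]' or a bare 'ip' -> (name or None, ip or None)
    m = re.search(r"(\d+(?:\.\d+){3})\]?$", field)
    addr = m.group(1) if m else None
    return (field.split(" [")[0] if " [" in field else None), addr

def parse_tracert(text):
    """Return (target_ip, hops); rtts holds None for a '*' timeout, report the
    text a router sent back instead of round-trip times."""
    target, hops = None, []
    for line in text.splitlines():
        if m := _TARGET.match(line):
            target = m.group(1) or m.group(2)
        elif m := _REPORT.match(line):
            name, addr = _split_host(m.group(2))
            hops.append({"n": int(m.group(1)), "name": name, "addr": addr,
                         "rtts": [], "report": m.group(3)})
        elif m := _HOP.match(line):
            rtts = [None if t == "*" else int(t.lstrip("<"))
                    for t in re.findall(r"<?\d+|\*", m.group(2))]
            name, addr = _split_host(m.group(3))
            hops.append({"n": int(m.group(1)), "name": name, "addr": addr,
                         "rtts": rtts, "report": None})
    return target, hops

def diagnose(target, hops):
    """(reached, last_responding_hop): the hop to run the next trace from."""
    answered = [h for h in hops if h["addr"]]
    reached = bool(hops) and hops[-1]["addr"] == target and not hops[-1]["report"]
    return reached, (answered[-1] if answered else None)
```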
GetMac Getmac.exe is a simple utility that returns the MAC address of the machine on which it is run. The 3.51 version of GetMac works with Windows NT 4.0. GetMac is useful if you're having problems with ARP and need to know MAC addresses. GetMac returns the MAC address of each network protocol loaded on your machine, similar to the following:
E:\> getmac
Transport Address      Transport Name
-------------------------------------------------
20-4C-4F-4F-50-20      \Device\NetBT_NDISLoop1
00-00-00-00-00-00      \Device\NetBT_NdisWan5
20-4C-4F-4F-50-20      \Device\Nbf_NDISLoop1
20-4C-4F-4F-50-20      \Device\NwlnkNb
NetWatch Netwatch.exe is a GUI-based utility, similar to Windows 95's Net Watcher, that lets you monitor user connections to shares on servers and clients. The 3.51 version of NetWatch works with Windows NT 4.0. You can also see what files a user has open on a given share.
Windows NT doesn't have the NetWare 3.x concept of user logon connections into each server; Windows NT attaches to domain resources as needed. This utility, however, tells you who's connected to which share on a given server or client, and which files they have open.
NSLookup Nslookup.exe serves the same function as its UNIX equivalent. The 3.51 version of Nslookup.exe works with Windows NT 4.0. You can use NSLookup to query DNS servers to determine the IP address of a specified host name, or the host name of a specified IP address.
The nslookup command sends the request to the address and subdomains defined in the DNS configuration portion of Windows NT's TCP/IP configuration screen. nslookup takes no parameters. When you enter the command, you're placed at the > prompt, where you enter the name or address you want to resolve.
SMBTrace The Smbtrace.exe command-line utility is similar to the UNIX etherfind command, except that smbtrace tracks Server Message Block (SMB) packets only.
SMBTrace is a real-time packet tracer that shows the SMB packets that are flowing to and from your system, which is useful for understanding the flow of SMB packets during file transfers and print jobs. By default, smbtrace captures incoming packets only. The /slow parameter captures both incoming and outgoing, and the /rdr parameter captures only outgoing packets. You can change the amount of information smbtrace displays with each packet by using the /verbosity:n parameter, where n is a number between 1 and 5, 5 being most verbose.