Tools
This page lists some useful tools for investigating networks. Note that I avoid Windows as much as possible, so I'm more likely to get that wrong, or just be out-of-date.

Unix/Linux
Unix and the Internet were good friends long before Windows was born. A Unix-based system comes with a nice set of basic tools by default, and more advanced tools are easily added. Linux is a clone of Unix, and shares many of its advantages. You have access to a shell account on the Linux server sandbox.mc.edu. (Ask for an account if you don't have one.)

But, if you'd like your own, both Linux and the various BSD Unix distributions are available free. There are many choices. I like Fedora, but Ubuntu Linux seems the most popular for workstations. It is possible to install Linux along with an existing Windows system. One of the easiest ways is to install on a USB flash drive, which avoids having to repartition the main hard drive.

What's Your Number?
To find out what Internet address(es) your machine is using, you can use the ipconfig command on Windows, or ifconfig on Unix (on current Linux systems, ip addr, shown here, gives the same information). In either case, you will learn the IP address(es) of the various network connections (“interfaces”) on your machine.
[bennet@m-mcc-csc-01456 ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:30:5b:9e:0c:fe brd ff:ff:ff:ff:ff:ff
    inet 10.27.2.212/16 brd 10.27.255.255 scope global dynamic enp0s25
       valid_lft 22288sec preferred_lft 22288sec
    inet6 fe80::be30:5bff:fe9e:cfe/64 scope link
       valid_lft forever preferred_lft forever

My desktop has an Ethernet connection with an IP (the second interface, enp0s25), and the loop-back device lo. The latter isn't a physical device, but just part of the OS that lets you send messages to yourself. Useful for testing.

Depending on your Linux distro, you may have to type the full name: /sbin/ifconfig instead of just ifconfig.

For Windows:

C:\Users\T W Bennet>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : mc.edu
   Link-local IPv6 Address . . . . . : fe80::6541:e3b3:f8ef:de6e%4
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2
Tunnel adapter isatap.mc.edu:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mc.edu
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:cef:7ac2:bf09:2bfe
   Link-local IPv6 Address . . . . . : fe80::cef:7ac2:bf09:2bfe%5
   Default Gateway . . . . . . . . . : ::

This machine has an Ethernet adapter, which is listed first. The others, like loopback in the Linux list, are software objects, not real physical network interfaces. Windows created these unbidden; they appear to be related to network tunneling.

netstat
This command lists current connections to your computer. The Windows version comes standard, and appears to be a port of a Linux version. Here's my Windows one:
C:\Documents and Settings\bennet>netstat
Active Connections
  Proto  Local Address          Foreign Address                                 State
  TCP    PC785018295244:1101    localhost:1102                                  ESTABLISHED
  TCP    PC785018295244:1102    localhost:1101                                  ESTABLISHED
  TCP    PC785018295244:1106    localhost:1107                                  ESTABLISHED
  TCP    PC785018295244:1107    localhost:1106                                  ESTABLISHED
  TCP    PC785018295244:1127    localhost:2005                                  ESTABLISHED
  TCP    PC785018295244:2005    localhost:1127                                  ESTABLISHED
  TCP    PC785018295244:5152    localhost:1104                                  CLOSE_WAIT
  TCP    PC785018295244:1218    a96-7-66-10.deploy.akamaitechnologies.com:http  TIME_WAIT
  TCP    PC785018295244:1219    74.125.107.96:http                              ESTABLISHED

The Linux one is a lot longer, in large part because it includes the Unix connections, which are not actually network connections at all, but are connections between programs on the same machine.

[bennet@sandbox ~]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 sandbox.mc.edu:ssh          bennet.mc.edu:51586         ESTABLISHED
udp        0      0 localhost.localdomain:36643 localhost.localdomain:36643 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node  Path
unix  9      [ ]         DGRAM                    5331752 /dev/log
unix  2      [ ]         DGRAM                    6122578 @/com/ubuntu/upstart
. . .

ping
The most basic testing tool sees if a message will reach another host, and if its reply will return. If successful, it also measures the round-trip time.
[bennet@bennet ~]$ ping www.google.com
PING www.l.google.com (74.125.45.106) 56(84) bytes of data.
64 bytes from yx-in-f106.1e100.net (74.125.45.106): icmp_seq=1 ttl=54 time=25.2 ms
64 bytes from yx-in-f106.1e100.net (74.125.45.106): icmp_seq=2 ttl=54 time=26.0 ms
64 bytes from yx-in-f106.1e100.net (74.125.45.106): icmp_seq=3 ttl=54 time=24.9 ms
64 bytes from yx-in-f106.1e100.net (74.125.45.106): icmp_seq=4 ttl=54 time=25.1 ms
^C
--- www.l.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3091ms
rtt min/avg/max/mdev = 24.994/25.360/26.069/0.446 ms

or

C:\Documents and Settings\bennet>ping www.google.com
Pinging www.l.google.com [74.125.45.104] with 32 bytes of data:
Reply from 74.125.45.104: bytes=32 time=27ms TTL=53
Reply from 74.125.45.104: bytes=32 time=26ms TTL=53
Reply from 74.125.45.104: bytes=32 time=26ms TTL=53
Reply from 74.125.45.104: bytes=32 time=26ms TTL=53
Ping statistics for 74.125.45.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 27ms, Average = 26ms

The Linux version will continue to send pings until killed, while the Windows version sends four and stops. The Windows ping will use a different count if given the option -n count. (Linux will also obey a count if given as -c count.)

traceroute
This program will discover the route to another host on the Internet.
traceroute to www.google.com (74.125.45.106), 30 hops max, 60 byte packets
 1  rtr-mcc.mc.edu (10.27.0.1)  0.173 ms  0.154 ms  0.161 ms
 2  64.66.69.73 (64.66.69.73)  2.728 ms  2.704 ms  2.783 ms
 3  ge-6-19-12.car1.Houston1.Level3.net (4.69.135.53)  12.655 ms  12.633 ms  12.609 ms
 4  ae-2-5.bar1.Houston1.Level3.net (4.69.132.230)  13.062 ms  13.040 ms  13.016 ms
 5  ae-0-11.bar2.Houston1.Level3.net (4.69.137.134)  12.400 ms  12.409 ms  12.388 ms
 6  ae-7-7.ebr1.Atlanta2.Level3.net (4.69.137.142)  33.086 ms  32.072 ms  32.038 ms
 7  ae-11-51.car1.Atlanta1.Level3.net (4.68.103.2)  25.395 ms ae-21-52.car1.Atlanta1.Level3.net (4.68.103.34)  24.600 ms  24.700 ms
 8  GOOGLE-INC.car1.Atlanta1.Level3.net (4.78.209.194)  24.724 ms  25.731 ms  24.712 ms
 9  209.85.254.241 (209.85.254.241)  25.658 ms 209.85.254.243 (209.85.254.243)  25.633 ms  25.606 ms
10  209.85.253.141 (209.85.253.141)  37.443 ms 209.85.253.145 (209.85.253.145)  25.502 ms  25.439 ms
11  yx-in-f106.1e100.net (74.125.45.106)  25.183 ms  26.102 ms  26.120 ms

The three times after each name are three measurements of the round-trip time to the listed router.

Windows insists on calling it tracert, and its output has similar contents with nicer formatting.
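
The following is an added example, not part of the original page: a shell script that reads Unix traceroute output, takes the best of the round-trip measurements on each hop (including hops such as 7, 9 and 10 where more than one router answered), and reports where the delay rises most. The function names sample_trace, hop_rtts and biggest_jump are made up for this illustration, and the sample is a copy of the trace shown above.

```shell
#!/bin/sh
# Added example (not from the original page). All function names are hypothetical.

# sample_trace: copy of the traceroute output shown above, embedded so this runs offline.
sample_trace() {
cat <<'EOF'
traceroute to www.google.com (74.125.45.106), 30 hops max, 60 byte packets
 1  rtr-mcc.mc.edu (10.27.0.1)  0.173 ms  0.154 ms  0.161 ms
 2  64.66.69.73 (64.66.69.73)  2.728 ms  2.704 ms  2.783 ms
 3  ge-6-19-12.car1.Houston1.Level3.net (4.69.135.53)  12.655 ms  12.633 ms  12.609 ms
 4  ae-2-5.bar1.Houston1.Level3.net (4.69.132.230)  13.062 ms  13.040 ms  13.016 ms
 5  ae-0-11.bar2.Houston1.Level3.net (4.69.137.134)  12.400 ms  12.409 ms  12.388 ms
 6  ae-7-7.ebr1.Atlanta2.Level3.net (4.69.137.142)  33.086 ms  32.072 ms  32.038 ms
 7  ae-11-51.car1.Atlanta1.Level3.net (4.68.103.2)  25.395 ms ae-21-52.car1.Atlanta1.Level3.net (4.68.103.34)  24.600 ms  24.700 ms
 8  GOOGLE-INC.car1.Atlanta1.Level3.net (4.78.209.194)  24.724 ms  25.731 ms  24.712 ms
 9  209.85.254.241 (209.85.254.241)  25.658 ms 209.85.254.243 (209.85.254.243)  25.633 ms  25.606 ms
10  209.85.253.141 (209.85.253.141)  37.443 ms 209.85.253.145 (209.85.253.145)  25.502 ms  25.439 ms
11  yx-in-f106.1e100.net (74.125.45.106)  25.183 ms  26.102 ms  26.120 ms
EOF
}

# hop_rtts: for each hop that answered, print "hop best_rtt_ms routers_seen".
# A number counts as a time only if the next field is "ms"; "*" timeouts are skipped.
hop_rtts() {
    awk '
        $1 ~ /^[0-9]+$/ {
            best = ""; n = 0; split("", ip)          # reset per-hop state
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\(.*\)$/) {               # "(a.b.c.d)" names a responding router
                    if (!($i in ip)) { ip[$i] = 1; n++ }
                } else if ($(i + 1) == "ms" && (best == "" || $i + 0 < best))
                    best = $i + 0
            }
            if (best != "") printf "%d %.3f %d\n", $1, best, n
        }'
}

# biggest_jump: read hop_rtts output and print "hop increase_ms" for the hop
# whose best RTT rose most over the previous answering hop.
biggest_jump() {
    awk '
        NR > 1 && $2 - prev > max { max = $2 - prev; hop = $1 }
        { prev = $2 }
        END { if (hop != "") printf "%d %.3f\n", hop, max }'
}

sample_trace | hop_rtts | biggest_jump
```

On the trace above the largest rise is at hop 6, the first router with Atlanta in its name after three in Houston.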

Netcat
Netcat, with the actual command name of nc, simply makes a network connection, and then sends what you type. It can also operate as a server, send UDP packets and some other things. Here, I use nc to talk to the web server:
[bennet@bennet ~]$ nc www.mc.edu 80
HEAD / HTTP/1.0
User-Agent: Maxwell Smart

HTTP/1.1 200 OK
Date: Fri, 08 Jan 2010 23:08:19 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Vary: User-Agent,Accept
Set-Cookie: PHPSESSID=qrspsuubdqlethhhrv4vrniqv3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: bgcolor=F89926; path=/
Connection: close
Content-Type: text/html

On Linux, this may be part of the standard install, or it can be added through the add software menu. This claims to be a Windows port; I haven't tried it. (But it's not a big program; can't be too hard to port.)

Wireshark
All the above tools are simple. This one isn't, and it's very powerful, and it's a GUI program. Wireshark is a network sniffer which will list whatever traffic it sees on an attached network, possibly including traffic that's none of your business. It displays all the control information used by the underlying network protocol so you can see its operation. On Linux, it's not usually part of a default install, but will be available under add software. For Windows, go here.

A useful companion is the text version of Wireshark, called tshark.

[bennet@m-mcc-csc-01456 web2]$ tshark -i enp0s25
Capturing on 'enp0s25'
  1   0.000000  10.27.2.212 -> 204.79.197.200 TCP 66 33816→443 [FIN, ACK] Seq=1 Ack=1 Win=1942 Len=0 TSval=4101471232 TSecr=796088288
  2   0.257035  10.27.2.212 -> 73.251.28.254 OpenVPN 95 MessageType: P_DATA_V1
  3   0.319994  10.27.2.212 -> 112.85.42.24 TCP 66 22→44437 [FIN, ACK] Seq=1 Ack=1 Win=247 Len=0 TSval=4101471552 TSecr=7525997
  4   0.423880  10.27.2.212 -> 216.58.194.142 HTTP 356 HEAD /edgedl/release2/aqasjqqhk683ew8txtf145oecq1f6r13t8i0u728d3hwfy8qp9jjirctfw1irsytj9lp2cbhi8wm28kmh9gkz6693qjtwa7ptsu/15.86.0_win_SoftwareReporter.crx HTTP/1.1
  5   0.424592 216.58.194.142 -> 10.27.2.212 TCP 66 80→44532 [ACK] Seq=1 Ack=291 Win=8576 Len=0 TSval=770004553 TSecr=4101471655
. . .

This program prints its trace to the standard output stream, which makes it easy to capture and analyze with text-based tools and scripts. It is often preferable to Wireshark when looking for something specific, rather than just trying to get a picture of what's going on. It has a large number of options to control exactly what information is printed.
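
As an added example (not from the original page), the shell function below shows the kind of text-based analysis this makes possible: it reads tshark's default one-line-per-packet output and totals packets and bytes per remote peer, listing the busiest peer first. The names sample_capture and peer_summary are made up for this illustration; the sample lines are the five packets shown above with the Info column shortened, and the column layout is assumed to match that capture.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Assumed column layout, as in the capture shown above:
#   No.  Time  Source  ->  Destination  Protocol  Length  Info...

# sample_capture: the five packets shown above, Info column shortened (constructed copy).
sample_capture() {
cat <<'EOF'
Capturing on 'enp0s25'
  1   0.000000  10.27.2.212 -> 204.79.197.200 TCP 66 33816→443 [FIN, ACK] Seq=1 Ack=1
  2   0.257035  10.27.2.212 -> 73.251.28.254 OpenVPN 95 MessageType: P_DATA_V1
  3   0.319994  10.27.2.212 -> 112.85.42.24 TCP 66 22→44437 [FIN, ACK] Seq=1 Ack=1
  4   0.423880  10.27.2.212 -> 216.58.194.142 HTTP 356 HEAD (path shortened) HTTP/1.1
  5   0.424592 216.58.194.142 -> 10.27.2.212 TCP 66 80→44532 [ACK] Seq=1 Ack=291
EOF
}

# peer_summary LOCAL_IP: read tshark lines on stdin and print one line per
# remote peer: "peer packets bytes protocols", most bytes first.
peer_summary() {
    awk -v me="$1" '
        # Packet lines only: an arrow in column 4 (either style) and a numeric
        # length in column 7. Banners such as "Capturing on ..." are skipped.
        ($4 == "->" || $4 == "→") && $7 ~ /^[0-9]+$/ {
            # The peer is whichever end is not this machine; traffic between
            # two other hosts is filed under its source address.
            peer = ($3 == me) ? $5 : $3
            pkts[peer]++
            bytes[peer] += $7
            if (!seen[peer, $6]++) {             # first time this protocol is seen for the peer
                protos[peer] = protos[peer] sep[peer] $6
                sep[peer] = ","
            }
        }
        END {
            for (p in pkts)
                print p, pkts[p], bytes[p], protos[p]
        }
    ' | LC_ALL=C sort -k3,3nr -k1,1
}

sample_capture | peer_summary 10.27.2.212
```

On a live interface, give tshark a packet count so the pipeline ends, for example tshark -i enp0s25 -c 1000 piped into peer_summary 10.27.2.212.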

nmap
Whether or not something is a tradesman's tool or burglar's equipment often depends on whether it is being carried by a locksmith or a thief. The Network Mapper can certainly fall in either category. Its purpose is to determine what computers are attached to a network, what services they provide and what OS is running on them. The network administrator can use it to test the effectiveness of firewalls and detect unauthorized servers and backdoors. On Linux, it can be added from the add software item. A Windows port is available from the NMap home page.