This page lists some useful tools for investigating networks. Note that I avoid Windows as much as possible, so I'm more likely to get that wrong, or just be out-of-date.

Unix and the Internet were good friends long before Windows was born. A Unix-based system comes with a nice set of basic tools by default, and more advanced tools are easily added. Linux is a clone of Unix, and shares many of its advantages. You have access to a shell account on the Linux server (Ask for an account if you don't have one.)

But, if you'd like your own, both Linux and the various BSD Unix distributions are available free. There are many choices. I like Fedora, but the Ubuntu Linux seems the most popular for workstations. It is possible to install Linux along with an existing Window system. One of the easiest ways is to install on a USB flash drive, which avoids having to repartition the main hard drive.

What's Your Number?
To find out what Internet address(es) your machine is using, you can use the ipconfig command on Windows, or ifconfig on Unix. In either case, you will learn the IP address(s) of the various network connections (“intefaces”) on your machine.
[bennet@m-mcc-csc-01456 ~]$ ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether bc:30:5b:9e:0c:fe brd ff:ff:ff:ff:ff:ff inet brd scope global dynamic enp0s25 valid_lft 22288sec preferred_lft 22288sec inet6 fe80::be30:5bff:fe9e:cfe/64 scope link valid_lft forever preferred_lft forever

My desktop has an Ethernet connection with an IP (the second interface, enp0s25), and the loop-back device lo. That later isn't a physical device, but just part of the OS that lets you send messages to yourself. Useful for testing.

Depending on your Linux distro, you may have to type the full name: /sbin/ifconfig instead of just ifconfig.

For Windows:

C:\Users\T W Bennet>ipconfig Windows IP Configuration Ethernet adapter Ethernet: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::6541:e3b3:f8ef:de6e%4 IPv4 Address. . . . . . . . . . . : Subnet Mask . . . . . . . . . . . : Default Gateway . . . . . . . . . : Tunnel adapter Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter Teredo Tunneling Pseudo-Interface: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:cef:7ac2:bf09:2bfe Link-local IPv6 Address . . . . . : fe80::cef:7ac2:bf09:2bfe%5 Default Gateway . . . . . . . . . : ::

This machine has an ethernet adaptor, which is given. The others, like loopback in the Linux list, are software objects, not real physical network interfaces. Windows created these unbidden; they appear to be related to network tunneling.

This command lists current connections to your computer. The Windows version comes standard, and appears to be a port of a Linux version. Here's my Windows one:
C:\Documents and Settings\bennet>netstat Active Connections Proto Local Address Foreign Address State TCP PC785018295244:1101 localhost:1102 ESTABLISHED TCP PC785018295244:1102 localhost:1101 ESTABLISHED TCP PC785018295244:1106 localhost:1107 ESTABLISHED TCP PC785018295244:1107 localhost:1106 ESTABLISHED TCP PC785018295244:1127 localhost:2005 ESTABLISHED TCP PC785018295244:2005 localhost:1127 ESTABLISHED TCP PC785018295244:5152 localhost:1104 CLOSE_WAIT TCP PC785018295244:1218 TIME_WAIT TCP PC785018295244:1219 ESTABLISHED

The Linux one is a lot longer, in large part because it includes the Unix connections, which are not actually network connections at all, but are connections between programs on the same machine.

[bennet@sandbox ~]$ netstat Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 ESTABLISHED udp 0 0 localhost.localdomain:36643 localhost.localdomain:36643 ESTABLISHED Active UNIX domain sockets (w/o servers) Proto RefCnt Flags Type State I-Node Path unix 9 [ ] DGRAM 5331752 /dev/log unix 2 [ ] DGRAM 6122578 @/com/ubuntu/upstart . . .
The most basic testing tool sees if a message will reach another host, and if its reply will return. If successful, it also measures the round-trip time.
[bennet@bennet ~]$ ping PING ( 56(84) bytes of data. 64 bytes from ( icmp_seq=1 ttl=54 time=25.2 ms 64 bytes from ( icmp_seq=2 ttl=54 time=26.0 ms 64 bytes from ( icmp_seq=3 ttl=54 time=24.9 ms 64 bytes from ( icmp_seq=4 ttl=54 time=25.1 ms ^C --- ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3091ms rtt min/avg/max/mdev = 24.994/25.360/26.069/0.446 ms


C:\Documents and Settings\bennet>ping Pinging [] with 32 bytes of data: Reply from bytes=32 time=27ms TTL=53 Reply from bytes=32 time=26ms TTL=53 Reply from bytes=32 time=26ms TTL=53 Reply from bytes=32 time=26ms TTL=53 Ping statistics for Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 26ms, Maximum = 27ms, Average = 26ms

The Linux version will continue to send pings until killed, while the Windows sends four and stops. The Windows ping will use a different count by giving the option -n count. (Linux will also obey a count if given as -c count.)

This program will discover the route to another host on the Internet.
traceroute to (, 30 hops max, 60 byte packets 1 ( 0.173 ms 0.154 ms 0.161 ms 2 ( 2.728 ms 2.704 ms 2.783 ms 3 ( 12.655 ms 12.633 ms 12.609 ms 4 ( 13.062 ms 13.040 ms 13.016 ms 5 ( 12.400 ms 12.409 ms 12.388 ms 6 ( 33.086 ms 32.072 ms 32.038 ms 7 ( 25.395 ms ( 24.600 ms 24.700 ms 8 ( 24.724 ms 25.731 ms 24.712 ms 9 ( 25.658 ms ( 25.633 ms 25.606 ms 10 ( 37.443 ms ( 25.502 ms 25.439 ms 11 ( 25.183 ms 26.102 ms 26.120 ms

The three times after each name are three measurements of the round-trip time to the listed router.

Windows insists on calling it tracert, and its output has similar contents with nicer formatting.

Netcat, with the actual command name of nc, simply makes a network connection, and then sends what you type. It can also operate as a server, send UDP packets and some other things. Here, I use nc to talk to the web server:
[bennet@bennet ~]$ nc 80 HEAD / HTTP/1.0 User-Agent: Maxwell Smart HTTP/1.1 200 OK Date: Fri, 08 Jan 2010 23:08:19 GMT Server: Apache/2.2.14 (EL) X-Powered-By: PHP/5.2.11 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Vary: User-Agent,Accept Set-Cookie: PHPSESSID=qrspsuubdqlethhhrv4vrniqv3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Set-Cookie: bgcolor=F89926; path=/ Connection: close Content-Type: text/html

On Linux, this may be part of standard install, or it can be added through the add software menu. This claims to be a windows port; I haven't tried it. (But it's not a big program; can't be too hard to port.)

All the above tools are simple. This one isn't, and it's very powerful, and it's a GUI program. Wireshark is a network sniffer which will list whatever traffic it sees on an attached network, possibly including traffic that's none of your business. It displays all the control information used by the underlying network protocol so you can see its operation. On Linux, it's not usually part of a default install, but will be available under add software. For Windows, go here.

A useful companion is the text version of wireshark, called tshark.

[bennet@m-mcc-csc-01456 web2]$ tshark -i enp0s25 Capturing on 'enp0s25' 1 0.000000 -> TCP 66 33816→443 [FIN, ACK] Seq=1 Ack=1 Win=1942 Len=0 TSval=4101471232 TSecr=796088288 2 0.257035 -> OpenVPN 95 MessageType: P_DATA_V1 3 0.319994 -> TCP 66 22→44437 [FIN, ACK] Seq=1 Ack=1 Win=247 Len=0 TSval=4101471552 TSecr=7525997 4 0.423880 -> HTTP 356 HEAD /edgedl/release2/aqasjqqhk683ew8txtf145oecq1f6r13t8i0u728d3hwfy8qp9jjirctfw1irsytj9lp2cbhi8wm28kmh9gkz6693qjtwa7ptsu/15.86.0_win_SoftwareReporter.crx HTTP/1.1 5 0.424592 -> TCP 66 80→44532 [ACK] Seq=1 Ack=291 Win=8576 Len=0 TSval=770004553 TSecr=4101471655 . . .
This program prints trace to the standard output stream, which makes it easy to capture and analyze with text-based tools and scripts. It is often prefable to Wireshark when looking for something specific, rather than just trying to get a picture of what's going on. It has a large number of options to control exactly what information is printed.

Whether or not something is a tradesman's tool or burglar's equipment often depends on whether it is being carried by a locksmith or a thief. The Network Mapper can certainly fall in either category. Its purpose is to determine what computers are attached to a network, what services they are provide and what OS is running on them. The network administrator can use it to test the effectiveness of firewalls and detect unauthorized servers and backdoors. On Linux, it can be added from the add software item. A Windows port is available from the NMap home page.