TCP/IP Tools for Windows


The purpose of this exercise is to introduce Windows command line tools that can be used to obtain Transmission Control Protocol/Internet Protocol (TCP/IP)-based network information. These tools are essential for troubleshooting, analyzing and investigating network issues.

Overview

This exercise will provide a brief introduction to tools with which to learn information about a TCP/IP host, an IP address, and public information about a domain. This exercise will employ both command line and Web-based tools.

Learning Objectives

In this exercise, you will employ Windows command line tools to determine a host's IP address and open ports, obtain domain information, and learn the route of a packet over a TCP/IP-based network.


Start your Windows VM and open a command prompt window. Then try the different utilities below.

Most Windows users are familiar with the ipconfig command, which lists the host's (computer's) name, the network interface hardware (also called the physical or Medium Access Control [MAC]) address, whether DHCP is in use, the host's IPv4 address (and subnet mask), default gateway (i.e., the upstream router), DHCP server (if any), DNS server(s) and, if DHCP is in use, the date and time when the IP address lease expires. To obtain all of this information, use the ipconfig /all command.

Record your IP address, subnet mask, default gateway, and DNS servers.
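The values you are asked to record can also be pulled out of the ipconfig /all listing programmatically. The following Python script is an added example (not part of the original exercise): it parses the key/value layout of ipconfig /all, including the continuation lines that a second DNS server is printed on, and returns the IPv4 address, subnet mask, default gateway and DNS servers per adapter. The SAMPLE_OUTPUT is constructed; its addresses, adapter description and MAC address are made up.

```python
"""Parse `ipconfig /all` output into per-adapter settings.

Added example, not code from the original exercise. SAMPLE_OUTPUT is a
constructed `ipconfig /all` listing: the addresses, adapter name and
MAC address in it are made up for illustration.
"""
import re

SAMPLE_OUTPUT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-VM
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : lab.example
   Description . . . . . . . . . . . : Example Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Expires . . . . . . . . . . : Tuesday, March 4, 2025 9:15:02 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

# Key lines look like "   Physical Address. . . . . : 00-11-22-33-44-55".
# The colon must be followed by a space or end of line so that an IPv6
# value on a continuation line (e.g. "fe80::1%3") is not taken for a key.
KEY_RE = re.compile(r"^ {1,4}([A-Za-z][A-Za-z0-9 ()-]*?)[ .]*:(?: (.*))?$")
# Section headers have no leading whitespace: "Ethernet adapter Ethernet0:"
SECTION_RE = re.compile(r"^(\S.*?):?\s*$")


def parse_ipconfig(text):
    """Return {section_name: {key: [value, ...]}} for an ipconfig /all listing."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        km = KEY_RE.match(line)
        if km and current is not None:
            last_key = km.group(1).strip()
            value = (km.group(2) or "").strip()
            sections[current].setdefault(last_key, [])
            if value:
                sections[current][last_key].append(value)
        elif line[0].isspace() and last_key and current is not None:
            # Continuation line: additional value for the previous key,
            # e.g. the second server listed under "DNS Servers".
            sections[current][last_key].append(line.strip())
        else:
            sm = SECTION_RE.match(line)
            if sm:
                current = sm.group(1)
                sections[current] = {}
                last_key = None
    return sections


def _first(keys, name):
    values = keys.get(name, [])
    return values[0] if values else None


def recorded_settings(sections):
    """The values the exercise asks you to record, for every adapter with an IPv4 address."""
    out = {}
    for name, keys in sections.items():
        ipv4 = _first(keys, "IPv4 Address")
        if ipv4 is None:
            continue
        out[name] = {
            "ipv4": ipv4.replace("(Preferred)", ""),
            "subnet_mask": _first(keys, "Subnet Mask"),
            "default_gateway": _first(keys, "Default Gateway"),
            "dns_servers": keys.get("DNS Servers", []),
            "dhcp": _first(keys, "DHCP Enabled") == "Yes",
        }
    return out


if __name__ == "__main__":
    for adapter, settings in recorded_settings(parse_ipconfig(SAMPLE_OUTPUT)).items():
        print(adapter)
        for field, value in settings.items():
            print(f"  {field}: {value}")
```

To run it against a live machine, capture the real listing with ipconfig /all > ipconfig.txt and pass the file contents to parse_ipconfig instead of SAMPLE_OUTPUT.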

The ping command is one of the most useful debugging tools on the Net. Its purpose is simply to determine whether a host can connect to the network (and, secondarily, whether the host can communicate with a DNS server). Ping has many options, which can be listed by using the /? switch. The most basic usage is to type ping followed by a host name; by default, four pings are sent and then the program stops.

Choose some site on the Internet, ping it and record its IP address and whether it actually responds to the pings.

The nslookup command is used to obtain information from DNS name servers. Nslookup can be used to learn a host name based upon an IP address, an IP address based upon a host name, a domain's e-mail and name servers, and additional information. A complete description is beyond the scope of this exercise.

In this example, the program is started by typing the nslookup command. Once the program starts, the > character is the prompt.

  1. The first instruction is www.garykessler.net, which asks the program to report the IP address of that Internet host. (In the parlance of the DNS, this is an A-record.)
  2. The next instruction is set type=mx, which changes the query type to ask for the IP address(es) of the e-mail server(s). The next line, garykessler.net, is the domain about which to query. The response lists the mail exchange (or MX) records for the given domain.
  3. The next instruction, set type=soa, again changes the query type to obtain what is called start-of-authority information. The next line, garykessler.net, again specifies the domain for which to make the query.
  4. The exit command is used to stop the program.

Perform the set of commands above for the domain of your choice and record the IP address of the Web server for that domain, as well as the mail servers for the domain.

The netstat command can provide a huge amount of information about the state of the TCP/IP network connections, including the state of TCP and UDP connections, the routing table, and the processes associated with the TCP and UDP connections. At the DOS (command) prompt, issue a netstat command; to learn more about netstat options, issue a netstat -h command.

In the example above, the netstat command is issued and shows the state of all TCP connections. The ESTABLISHED state indicates an active connection; although not shown above, CLOSE_WAIT and TIME_WAIT states indicate an application that is waiting to terminate or is idle, respectively, and a LISTENING state indicates a server application waiting for a connection to be made. Note that the program lists the names of the hosts and, where available, the name of the service port (e.g., http and pptp).

The netstat command can also be used to show the computer's routing table. A routing table tells the TCP/IP stack how to route and/or forward packets. The routing table can be displayed using the -r switch.


For an interesting test, do the following. Issue a DOS netstat command, as above. Then, open up a second DOS prompt or terminal window, and issue a telnet www.garykessler.net 80 command. This will attempt to open an HTTP (i.e., TCP port 80) connection to the host www.garykessler.net. (On current Windows versions the Telnet Client is an optional feature that is not installed by default; if the command is not recognized, enable it first under Windows Features.) Go back to the first DOS prompt and issue the netstat command again, and you should see something like the following:

The screen shot above shows the "before" and "after" results from the netstat command. Note the last line of the second command's output; from using the nslookup command above, we know that 207.204.17.246 is the IP address of www.garykessler.net.

Knowing which TCP ports are open is good, but that information alone has limited usefulness; in particular, we know that there are ports open, but we don't know which process on the computer is using the service. For that information, use the -o switch.

The screen shot above shows the netstat -o output. The last column, labeled "PID," is the process identifier associated with each of the open ports.
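Parsing the netstat -o listing lets you turn the "which ports, which process" question into a repeatable check, which is what a defender wants when inventorying the listening ports (the machine's exposed services) or confirming which PID owns a connection to a given host. The following Python script is an added example, not part of the original exercise: it parses the columns described above (Proto, Local Address, Foreign Address, State, PID), copes with UDP lines that have no State column, and answers those two questions. SAMPLE_OUTPUT is constructed to look like netstat -n -o output; its addresses and PIDs are made up, apart from 207.204.17.246, which is the address the exercise found for www.garykessler.net.

```python
"""Parse the text output of the Windows `netstat -o` command into records.

Added example, not code from the original exercise. SAMPLE_OUTPUT is a
constructed `netstat -n -o` listing with made-up local addresses and PIDs.
"""
from collections import namedtuple

Connection = namedtuple(
    "Connection", "proto local_addr local_port remote_addr remote_port state pid"
)

SAMPLE_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     207.204.17.246:80      ESTABLISHED     2460
  TCP    192.168.1.10:49713     192.168.1.1:443        TIME_WAIT       0
  TCP    192.168.1.10:49720     192.168.1.1:443        CLOSE_WAIT      3104
  UDP    0.0.0.0:3702           *:*                                    1560
"""


def _split_endpoint(endpoint):
    """'207.204.17.246:80' -> ('207.204.17.246', 80); '*:*' -> ('*', None).

    rpartition on the last colon also handles IPv6 endpoints such as '[::]:135'
    and named endpoints such as 'www.garykessler.net:http' (port -> None).
    """
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a list of Connection records, one per TCP/UDP line."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections", or the column header
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])  # UDP has no State column
        lh, lp = _split_endpoint(local)
        rh, rp = _split_endpoint(remote)
        conns.append(Connection(proto, lh, lp, rh, rp, state, pid))
    return conns


def listening_ports(conns):
    """(port, pid) pairs for TCP sockets in LISTENING state: the exposed services."""
    return sorted(
        {(c.local_port, c.pid) for c in conns if c.proto == "TCP" and c.state == "LISTENING"}
    )


def connections_to(conns, remote_ip):
    """Every connection whose foreign address is remote_ip, with the owning PID."""
    return [c for c in conns if c.remote_addr == remote_ip]


def pids_by_state(conns):
    """Map each TCP state to the set of PIDs that have a socket in that state."""
    summary = {}
    for c in conns:
        if c.state:
            summary.setdefault(c.state, set()).add(c.pid)
    return summary


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_OUTPUT)
    print("listening:", listening_ports(conns))
    for c in connections_to(conns, "207.204.17.246"):
        print(f"PID {c.pid} -> {c.remote_addr}:{c.remote_port} ({c.state})")
    print("by state:", pids_by_state(conns))
```

On a live system, capture the listing with netstat -a -n -o > netstat.txt (the -a switch is needed to include LISTENING sockets) and feed the file contents to parse_netstat; tasklist /FI "PID eq 2460" then resolves a PID to its process name.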

The tracert command is used to display the route that packets take from this computer to another specified computer on the Internet. The screen shot below shows a tracert being executed to the host named www.cisco.com. Each line of the display represents one hop, or one router, on the path between this computer and the target host; in this case, there are fourteen hops between the two computers (meaning that there were thirteen intermediate routers between them). Each line contains the IP address (and host name, if known) of the intermediate router, plus the time it took for each of three test packets to reach that router from this computer.

NOTE: The tracert program might fail to work on a particular computer because the Internet service provider might block the messages that the program uses. The result is usually an asterisk (*) in place of the time, and the intermediate router's IP address and host name will be missing.
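The following Python script is an added example (not part of the original exercise) that parses tracert output into hops, so that the hop count, the per-hop round-trip times and the routers that did not answer can be extracted rather than read off a screen shot. It handles the three output shapes described above: a bare IP address, a host name followed by the IP address in brackets, and a hop where all three probes were lost and tracert prints asterisks with "Request timed out." It also keeps a hop where only some probes were lost. SAMPLE_OUTPUT is constructed; target.example.com and the 203.0.113.0/24 addresses are documentation placeholders, not a real trace.

```python
"""Parse Windows `tracert` output into per-hop records.

Added example, not code from the original exercise. SAMPLE_OUTPUT is a
constructed trace: the host names and addresses are documentation
placeholders, not real routers.
"""
import re
from collections import namedtuple

# number: hop index; rtts: three round-trip times in ms (None for a '*');
# host: resolved name or None; ip: address or None when the hop timed out.
Hop = namedtuple("Hop", "number rtts host ip")

SAMPLE_OUTPUT = """
Tracing route to target.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms    10 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  core1.example.net [203.0.113.5]
  5    30 ms     *       31 ms  203.0.113.10

Trace complete.
"""

TARGET_RE = re.compile(r"^Tracing route to (\S+)(?: \[([^\]]+)\])?")
# hop number, then exactly three probe results ("<1 ms", "25 ms" or "*"), then the router
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s+ms|\*)\s+){3})(.*\S)\s*$")
RTT_RE = re.compile(r"<?\d+\s+ms|\*")


def _parse_rtt(token):
    """'25 ms' -> 25; '<1 ms' -> 1 (recorded as its upper bound); '*' -> None."""
    if token == "*":
        return None
    return int(token.lstrip("<").split()[0])


def _parse_endpoint(text):
    """Router column -> (host, ip). A fully timed-out hop yields (None, None)."""
    if text.startswith("Request timed out"):
        return None, None
    m = re.match(r"(\S+)\s+\[([^\]]+)\]$", text)
    if m:
        return m.group(1), m.group(2)  # "core1.example.net [203.0.113.5]"
    return None, text  # bare address, no reverse-DNS name


def parse_tracert(text):
    """Return ((target_name, target_ip), [Hop, ...])."""
    target, hops = (None, None), []
    for line in text.splitlines():
        t = TARGET_RE.match(line)
        if t:
            target = (t.group(1), t.group(2))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # "over a maximum of 30 hops:", "Trace complete.", blanks
        rtts = [_parse_rtt(tok) for tok in RTT_RE.findall(m.group(2))]
        host, ip = _parse_endpoint(m.group(3))
        hops.append(Hop(int(m.group(1)), rtts, host, ip))
    return target, hops


def timed_out_hops(hops):
    """Hop numbers where no probe was answered (the '* * *' case from the NOTE)."""
    return [h.number for h in hops if h.ip is None]


def avg_rtt(hop):
    """Mean of the probes that were answered, or None if all three were lost."""
    answered = [r for r in hop.rtts if r is not None]
    return sum(answered) / len(answered) if answered else None


def intermediate_routers(hops, target_ip):
    """Every hop except the final one, i.e. hops minus one, as the exercise counts them."""
    return [h for h in hops if h.ip != target_ip]


if __name__ == "__main__":
    (name, ip), hops = parse_tracert(SAMPLE_OUTPUT)
    print(f"{name} [{ip}]: {len(hops)} hops, "
          f"{len(intermediate_routers(hops, ip))} intermediate routers")
    for h in hops:
        print(h.number, h.host or "-", h.ip or "timed out", avg_rtt(h))
```

On a live system, redirect the output with tracert www.cisco.com > trace.txt and pass the file contents to parse_tracert; a run of fully timed-out hops at the end of the trace is the symptom described in the NOTE above.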



Creative Commons License
CyberExplorations Exercises by Glenn S. Dardick is licensed under a Creative Commons Attribution 4.0 International License.