TCP/IP utilities

NETSTAT

This is used for obtaining protocol statistics and current active connections utilizing TCP/IP. Nowadays there are many Windows-based utilities that can do much more; yet in an emergency netstat is certainly better than nothing at all. Here follow the netstat options.

    C:\WINDOWS.000>netstat /?

    Displays protocol statistics and current TCP/IP network connections.

    NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

      -a          Displays all connections and listening ports.
      -e          Displays Ethernet statistics. This may be combined with the
                  -s option.
      -n          Displays addresses and port numbers in numerical form.
      -p proto    Shows connections for the protocol specified by proto; proto
                  may be TCP or UDP. If used with the -s option to display
                  per-protocol statistics, proto may be TCP, UDP, or IP.
      -r          Displays the routing table.
      -s          Displays per-protocol statistics. By default, statistics are
                  shown for TCP, UDP and IP; the -p option may be used to
                  specify a subset of the default.
      interval    Re-displays selected statistics, pausing interval seconds
                  between each display. Press CTRL+C to stop re-displaying
                  statistics. If omitted, netstat will print the current
                  configuration information once.

    C:\WINDOWS.000>

In response to the netstat -e command the following packet and protocol statistics are displayed. This is a summary of events on the network since the last re-boot.

    C:\WINDOWS.000>netstat -e
    Interface Statistics

                              Received        Sent
    Bytes                      2442301     1000682
    Unicast packets               4769        3776
    Non-unicast packets            113        4566
    Discards                         0           0
    Errors                           0           0
    Unknown protocols               19

    C:\WINDOWS.000>

NBTSTAT

This provides protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP). This is relevant with Windows 95/98 etc., which use NetBIOS for the upper layers of the OSI model.

    C:\WINDOWS.000>nbtstat /?

    Displays protocol statistics and current TCP/IP connections using NBT
    (NetBIOS over TCP/IP).

    NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [S] [interval] ]

      -a   (adapter status) Lists the remote machine’s name table given its name
      -A   (Adapter status) Lists the remote machine’s name table given its
                            IP address.
      -c   (cache)          Lists the remote name cache including the IP addresses
      -n   (names)          Lists local NetBIOS names.
      -r   (resolved)       Lists names resolved by broadcast and via WINS
      -R   (Reload)         Purges and reloads the remote cache name table
      -S   (Sessions)       Lists sessions table with the destination IP addresses
      -s   (sessions)       Lists sessions table converting destination IP
                            addresses to host names via the hosts file.

      RemoteName   Remote host machine name.
      IP address   Dotted decimal representation of the IP address.
      Interval     Re-displays selected statistics, pausing interval seconds
                   between each display. Press Ctrl+C to stop re-displaying
                   statistics.

    C:\WINDOWS.000>

Practical TCP/IP and Ethernet Networking

IPCONFIG

This shows the entire TCP/IP configuration present in a host. It also has the additional versatility of interfacing with a DHCP server to renew a leased IP address. Ipconfig will return, amongst other things, the host’s IP address, its subnet mask and default gateway.

    C:\WINDOWS.000>ipconfig /?
    Windows 98 IP Configuration
    Command line options:
    /All - Display detailed information.
    /Batch [file] - Write to file or ./WINIPCFG.OUT
    /renew_all - Renew all adapters.
    /release_all - Release all adapters.
    /renew N - Renew adapter N.
    /release N - Release adapter N.

    C:\WINDOWS.000>

An option often used is ‘ipconfig /all’. In the case of a multi-homed host, i.e. one with more than one network interface card (including dial-up modem), ‘ipconfig /all’ will display the details of each card. Note that ipconfig will list the generic name of the adapter. Therefore, a 3010 3Com US Robotics 56K modem is simply listed as a PPP adapter, while a Linksys Ethernet 10BaseT/10Base2 Combo PCMCIA card is listed as a generic Novell 2000 adapter, which it emulates.

    C:\WINDOWS.000>ipconfig /all

    Windows 98 IP Configuration

        Host Name . . . . . . . . . : COMPUTER100
        DNS Servers . . . . . . . . :
        Node Type . . . . . . . . . : Broadcast
        NetBIOS Scope ID. . . . . . :
        IP Routing Enabled. . . . . : No
        WINS Proxy Enabled. . . . . : No
        NetBIOS Resolution Uses DNS : No

    0 Ethernet adapter :

        Description . . . . . . . . : PPP Adapter.
        Physical Address. . . . . . : 44-45-53-54-00-00
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . :
        DHCP Server . . . . . . . . : 255.255.255.255
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :

    1 Ethernet adapter :

        Description . . . . . . . . : Novell 2000 Adapter.
        Physical Address. . . . . . : 00-E0-98-71-57-AF
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 207.194.66.100
        Subnet Mask . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . :
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :

    C:\WINDOWS.000>

WINIPCFG

Winipcfg (Windows IP Configuration) provides the same information as ‘ipconfig /all’, but in a Windows format. Like ipconfig, it can force a DHCP server into releasing and reissuing leased IP addresses.

Figure 9.2 Windows IP configuration

It can be invoked from the DOS prompt, or from the Windows ‘run’ command. Click the more details tab for an expanded view.

Figure 9.3 Winipcfg display (courtesy of Microsoft Corporation)

TRACEROUTE

This is often used to trace failures along a TCP/IP communications path. The spelling of the command varies slightly. For UNIX it is traceroute, for Windows it is tracert. The following figure shows the tracert options.

    C:\WINDOWS.000>tracert

    Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

    Options:
        -d                 Do not resolve addresses to hostnames.
        -h maximum_hops    Maximum number of hops to search for target.
        -j host-list       Loose source route along host-list.
        -w timeout         Wait timeout milliseconds for each reply.

    C:\WINDOWS.000>

Here follows a route trace from Perth, Australia, to a server in the USA.

    C:\WINDOWS.000>tracert www.idc-online.com

    Tracing route to www.idc-online.com [216.55.154.228]
    over a maximum of 30 hops:

      1  169ms  160ms  174ms  slip202-135-15-3-0.sy.au.ibm.net [202.135.15.30]
      2  213ms  297ms  296ms  152.158.248.250
      3  624ms  589ms  533ms  sfra1sr1-2-0-0-5.ca.us.prserv.net [165.87.225.46]
      4  545ms  535ms  628ms  sfra1sr2-101-0.ca.us.prserv.net [165.87.33.185]
      5  564ms  562ms  573ms  165.87.160.193
      6  558ms  564ms  573ms  114.ATM3-0.XR1.SFO1.ALTER.NET [146.188.148.210]
      7  574ms  701ms  555ms  187.at-2-10.TR1.SAC1.ALTER.NET [152.63.50.230]
      8  491ms  480ms  500ms  127.at-6-10.TR1.LAX9.ALTER.NET [152.63.5.101]
      9  504ms  534ms  511ms  297.ATM7-0.XR1.LAX2.ALTER.NET [152.63.112.149]
     10  500ms  478ms  491ms  195.ATM9-0-0.GW2.SDG1.ALTER.NET [146.188.249.81]
     11  491ms  564ms  584ms  anet-gw.customer.ALTER.NET [157.130.224.154]
     12  575ms  554ms  613ms  www.idc-online.com [216.55.154.228]

    Trace complete.

    C:\WINDOWS.000>

As is often the case, the DOS approach is not the most user-friendly option. Notice the result when the same trace is done with TJPingPro. The same TCP/IP protocols, viz. ARP and ICMP, are still used, but now they are accessed through a third-party application program (TJPingPro) which accesses the TCP/IP stack through a WinSock interface.

Figure 9.4 TJPingPro trace (courtesy of Top Jimmy Software)

The most comprehensive tracing is, however, done via application programs such as NeoTrace. The following figures give some of the results of a trace to the same location used for the previous two examples.

Figure 9.5 NeoTrace display (courtesy NeoWorx Inc)
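
The hop table that tracert prints can be parsed to find where along the path latency rises or replies stop, which is the question the command is run to answer. The following Python code is an added example, not part of the original text; the function names are assumptions, hops 1 to 6 are copied from the trace to www.idc-online.com above, and hop 7 is a constructed timeout row.

```python
import re

# Hops 1-6 are copied from the trace shown earlier; hop 7 is a constructed
# row (not from the original trace) to exercise the no-reply case.
SAMPLE = """\
  1  169ms  160ms  174ms  slip202-135-15-3-0.sy.au.ibm.net [202.135.15.30]
  2  213ms  297ms  296ms  152.158.248.250
  3  624ms  589ms  533ms  sfra1sr1-2-0-0-5.ca.us.prserv.net [165.87.225.46]
  4  545ms  535ms  628ms  sfra1sr2-101-0.ca.us.prserv.net [165.87.33.185]
  5  564ms  562ms  573ms  165.87.160.193
  6  558ms  564ms  573ms  114.ATM3-0.XR1.SFO1.ALTER.NET [146.188.148.210]
  7    *      *      *    Request timed out.
"""

# hop number, three probe results ("169ms", "<10 ms" or "*"), then the host
HOP = re.compile(r"^\s*(\d+)((?:\s+(?:\*|<?\d+\s*ms)){3})\s+(.*)$")
ADDR = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

def parse_tracert(text):
    """Return one dict per hop line; header and footer lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue
        rtts = [int(v) for v in re.findall(r"(\d+)\s*ms", m.group(2))]
        addr = ADDR.search(m.group(3))
        hops.append({
            "hop": int(m.group(1)),
            "ip": addr.group(1) if addr else None,
            "lost": 3 - len(rtts),                 # probes with no reply
            "avg": sum(rtts) / len(rtts) if rtts else None,
        })
    return hops

def largest_jump(hops):
    """(from_hop, to_hop, delta_ms) for the biggest rise in average RTT
    between consecutive hops that answered at least one probe."""
    answered = [h for h in hops if h["avg"] is not None]
    best = None
    for prev, cur in zip(answered, answered[1:]):
        delta = cur["avg"] - prev["avg"]
        if best is None or delta > best[2]:
            best = (prev["hop"], cur["hop"], delta)
    return best

if __name__ == "__main__":
    hops = parse_tracert(SAMPLE)
    print("largest RTT jump:", largest_jump(hops))
    print("silent hops:", [h["hop"] for h in hops if h["lost"] == 3])
```

On the sample the largest rise is between hops 2 and 3, where the hostnames change from .au to .us. A high round-trip time at one intermediate hop that does not persist to the later hops usually reflects that router de-prioritising its ICMP replies rather than delay on the path.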