
Command Line Tools

There are many command line tools that give a user direct information about a system. These are either built into the operating system itself or are common programs that system administrators and security professionals use on a regular basis.

nmap

nmap is the command that launches and runs the Nmap utility. Nmap is a program developed by Gordon Lyon and has been the standard network mapping utility for Windows and Linux since 1999.

ping

Ping is a command that sends echo requests to a designated machine to determine if communication is possible. The syntax is ping [options] targetname/address. The options include items such as name resolution, how many pings, data size, TTL counts, and more. Figure B.1 shows a ping command on a Windows machine.


Figure B.1   Ping Command

netstat

Netstat is a command used to monitor network connections to and from a system. Examples are the following:

netstat -a    Lists all active connections and listening ports

netstat -at   Lists all active TCP connections

netstat -an   Lists all active UDP connections

Many more options are available and useful. Netstat is available on Windows and Linux, but the availability of certain switches and other details of the command syntax differ from operating system to operating system.

tracert

Tracert is a Windows command for tracing the route packets take over the network. Tracert uses ICMP, so if ICMP is blocked, it will fail to provide information. Tracert provides a list of the hosts, switches and routers in the order that a packet passes by them, providing a trace of the network route from source to target. On Linux and macOS systems, the command with similar functionality is traceroute.

nslookup/dig

The DNS system is used to convert a name into an IP address. DNS is not a single system, but rather a hierarchy of DNS servers, from root servers on the backbone of the Internet, to copies at your ISP, your home router, and your local machine, each in the form of a DNS cache. To examine a DNS query for a specific address, you can use the nslookup command. Figure B.2 shows a series of DNS queries executed on a Windows machine. In the first request, the DNS server was with an ISP, while on the second request, the DNS server was from a VPN connection. Between the two requests, the network connections were changed, resulting in different DNS lookups.


Figure B.2   nslookup of a DNS query

At times, nslookup will return a nonauthoritative answer, as shown in Figure B.3. This typically means the result came from a cache rather than from a DNS server that holds an authoritative (that is, known to be current) answer for that name.


Figure B.3   Cache response to a DNS query

While nslookup works on Windows systems, the command dig works on Linux systems. One difference is that dig is designed to return answers in a format that is easy to parse and include in scripts, a common trait of Linux command utilities.
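The "nonauthoritative" label that nslookup prints comes from a single header bit in the DNS response (the AA flag), which a caching resolver leaves clear. The following added example, which is not part of the original text, builds a query the way nslookup or dig would, parses the answer header and A records, and reports whether the AA bit was set; the sample response it parses is constructed in memory, and the optional `lookup` helper (assumed here, not a page function) sends the same query over UDP to a resolver of your choice.

```python
import socket
import struct
from ipaddress import IPv4Address

AA_FLAG = 0x0400  # "Authoritative Answer" bit in the DNS header flags

def encode_name(name):
    # "example.com" -> b"\x07example\x03com\x00" (wire-format labels)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    # Header: id, flags (RD=1), qdcount=1, an/ns/arcount=0; question: name, type A, class IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, ip, ttl, authoritative):
    # Constructed sample response: echoes the question and adds one A record whose
    # name is a compression pointer (0xC00C) back to the question name at offset 12.
    txid = struct.unpack_from("!H", query)[0]
    flags = 0x8180 | (AA_FLAG if authoritative else 0)  # QR, RD, RA (+AA for an authoritative server)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + rr

def skip_name(data, off):
    # Advance past a wire-format name, whether written out as labels or as a compression pointer
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def parse_response(data):
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    result = {"id": txid, "authoritative": bool(flags & AA_FLAG), "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip question name, type and class
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            result["answers"].append((str(IPv4Address(data[off:off + 4])), ttl))
        off += rdlen
    return result

def lookup(name, server, port=53, timeout=3.0):
    # Assumed helper: sends the query over UDP like nslookup does; needs network access.
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(512)
    r = parse_response(data)
    if r["id"] != struct.unpack_from("!H", q)[0]:
        raise ValueError("transaction id mismatch")  # reject a reply that does not match our query
    return r
```

Querying your ISP's resolver and then the zone's own name server for the same name will show the AA flag clear in the first case and set in the second, which is exactly the difference behind Figure B.3.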

ipconfig/ip/ifconfig

ipconfig (for Windows) and ifconfig (for Linux) are the command line tools to manipulate the network interfaces on a system. They have the ability to list the interfaces and connection parameters, alter parameters and refresh/renew connections. When having network connection issues, this is one of the first tools to use, to verify the network setup of the operating system and its interfaces. The ip command in Linux is used to show and manipulate routing, devices, policy routing and tunnels.

tcpdump

Tcpdump is a utility designed to analyze network packets either from a live network connection or from a recorded file. Tcpdump can also write packet captures to files, called pcap files. Tcpdump can filter between input and output, which makes it a valuable tool for reducing the data load on other tools. For example, if you have a complete packet capture file with hundreds of millions of records but are only interested in one server's connections, you can make a copy of the pcap file containing only the packets associated with that server. This file will be smaller and easier to analyze with other tools.
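To make the filtering step concrete, here is an added example (not code from the original text) that reads the pcap file format directly and keeps only the packets to or from one host, which is what `tcpdump -r full.pcap -w server.pcap host <ip>` does. The capture it works on is constructed in memory from minimal Ethernet/IPv4 frames; the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4 = 0x0800  # EtherType for IPv4

def build_frame(src, dst):
    # Constructed sample: minimal Ethernet + IPv4 header (no payload) between two hosts
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)  # ver/IHL, TOS, len, id, frag, TTL, proto, csum
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + IPv4Address(src).packed + IPv4Address(dst).packed

def build_pcap(frames):
    # Constructed sample capture: little-endian pcap global header, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

def iter_packets(data):
    # Yield (record_header, frame) for each packet; handles both pcap byte orders
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ipv4_endpoints(frame):
    # (src, dst) for an IPv4 frame, or None for anything else (ARP, IPv6, truncated frame)
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))

def filter_host(data, host):
    # Copy the global header, then only the records whose IPv4 source or destination is `host`
    out, kept = data[:24], 0
    for hdr, frame in iter_packets(data):
        ends = ipv4_endpoints(frame)
        if ends and host in ends:
            out += hdr + frame
            kept += 1
    return out, kept
```

The output of `filter_host` is itself a valid pcap file, so it can be handed to tcpdump, Wireshark or any other pcap-aware tool.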

netcat

Netcat is the network utility designed for Linux environments. It has been ported to Windows, but is not regularly used in Windows environments.

The actual command line command to invoke netcat is:

nc [options] host port

The netcat utility is the tool of choice in Linux for reading from and writing to network connections using TCP or UDP. Like all Linux command line utilities, it is designed for scripts and automation. Netcat has a wide range of functions: it acts as a connection to the network and can serve as a transmitter or a receiver, and with redirection it can turn virtually any running process into a server. It can listen on a port and pipe the input it receives to the process identified.
