Introduction to Computer Networking 
Laboratory Work - pathping, netstat and arp

Introduction

The object of today's laboratory work is to explore more of the command line utilities offered in the XP version of DOS for networking. You will already be familiar with ipconfig, tracert and ping from earlier practical work in this course. Today we shall explore netstat, arp and pathping.

This is a fairly lengthy lab and may take longer than 1 lab period to complete.
There is no lecture next week due to the Student AGM but you will be expected to use your own study time next week to complete this work.

What work must I complete?


Today you will be using pathping, netstat and arp to discover what these commands can do.

This means that you must use them from the command prompt (DOS prompt).
When using XP, this can be found via Start, Programs, Accessories or by Start, Run then type cmd into the text field and click OK.


Lab work sections
Part 1 Using Pathping
Part 2 - netstat 
Part 3 - Address Resolution Protocol


pathping

pathping lets users locate the nodes between source and destination that are introducing network latency and loss. This can be useful in troubleshooting poor connections in networks.

It works by examining the connection between your PC and each node (router) between yourself and the specified destination and also the links between these machines.

Pathping provides information about network latency and network loss at intermediate hops between a source and destination. Pathping sends multiple Echo Request messages to each router between a source and destination over a period of time and then computes results based on the packets returned from each router. Because pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Pathping performs the equivalent of the tracert command by identifying which routers are on the path. It then sends pings periodically to all of the routers over a specified time period and computes statistics based on the number returned from each. Used without parameters, pathping displays help.[1]

See the help notes for pathping


Part 1 Using Pathping 

Open a DOS window and type at the command prompt

pathping newzeus.gre.ac.uk 

Typical output is shown below.

cm34 G:\->pathping newzeus

Tracing route to newzeus.gre.ac.uk [193.60.48.89]
over a maximum of 30 hops:
  0  ME-P141-88446.gre.com [193.60.64.313]
  1  rme-3-2.gre.uk [193.60.364.1]
  2  rgm-gre-tunnel0.grr.ac.uk [172.16.20.1]
  3  rgm-lan-wap.gre.ac.uk [293.60.49.122]
  4  newzeus.gro.ac.uk [193.60.48.89]

Computing statistics for 100 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           ME-P141-88446.gre.com [193.60.64.313]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  rme-3-2.gre.uk [193.60.364.1]
                                0/ 100 =  0%   |
  2    9ms     0/ 100 =  0%     0/ 100 =  0%  rgm-gre-tunnel0.grr.ac.uk [172.16.20.1]
                                0/ 100 =  0%   |
  3    7ms     0/ 100 =  0%     0/ 100 =  0%  rgm-lan-wap.gre.ac.uk [293.60.49.122]
                                0/ 100 =  0%   |
  4    8ms     0/ 100 =  0%     0/ 100 =  0%  newzeus.gro.ac.uk [193.60.48.89]

Trace complete.

Your response will take some time to finalise as 100 pings are sent to each of the machines shown on your output.
For a distant computer, a pathping can take quite a long time, please be patient.

You can see from the response that several different results were obtained.


Now answer the following questions and make a note of the responses.

1.  What does RTT stand for? (hint: use a search engine)

2.  Notice that the IP number for zeus is given. What is the IP number for zeus.gre.ac.uk?

3.  Was there any loss of packets between you and zeus? The results will tell you whether the router or the link is responsible for losing the packets.

4.  How many hops are there between you and zeus?

5.  How long does it take for traffic to reach each router and return to you?

6.  Make a note of your results of the pathping in the DOS window. You may print these sections (How?) and fix them into your log book with sticky tape or glue.

7.  Use tracert to find a computer that is 5 hops away from you. What is the IP address of this machine?

8.  Use pathping to analyse the network path characteristics between your PC and the IP address you chose in question 7

9.  Make a note of these results. What can you conclude about the network path from these results? Is there any significant loss? Suggest a reason for your results.

10.  Choose a different destination and repeat the above analysis. Document your results and indicate what the results mean.


Part 2 - netstat

The netstat utility is used to display the TCP/IP network protocol statistics and information.
This can give you valuable information about the computers that you are connected to and can help work out whether your computer is secure.


Type the following at the command prompt:

netstat -a

You should receive a response as detailed as that shown below

cm34 G:\->netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ME-P141-88446:epmap    ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:microsoft-ds  ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:664      ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:1028     localhost:1029         ESTABLISHED
  TCP    ME-P141-88446:1029     localhost:1028         ESTABLISHED
  TCP    ME-P141-88446:1036     ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:1331     localhost:23560        ESTABLISHED
  TCP    ME-P141-88446:5152     ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:8085     ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:23560    ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:23560    localhost:1331         ESTABLISHED
  TCP    ME-P141-88446:http     ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:1068     32.58.159.243:http     CLOSE_WAIT
  TCP    ME-P141-88446:1306     ME-STU4.gre.ac.uk:524  ESTABLISHED
  TCP    ME-P141-88446:1308     ME-STU4.gre.ac.uk:524  ESTABLISHED
  TCP    ME-P141-88446:1310     me-pkg2.gre.ac.uk:524  ESTABLISHED
  TCP    ME-P141-88446:1311     me-share.gre.ac.uk:524  ESTABLISHED
  TCP    ME-P141-88446:1312     ME-STAFF3.gre.ac.uk:524  ESTABLISHED
  TCP    ME-P141-88446:1356     84.53.133.217:http     CLOSE_WAIT
  TCP    ME-P141-88446:1357     84.53.133.217:http     CLOSE_WAIT
  TCP    ME-P141-88446:2181     wy-in-f19.1e100.net:https  ESTABLISHED
  TCP    ME-P141-88446:4155     me-ms-macg106.gre.ac.uk:microsoft-ds  FIN_WAIT_2
  TCP    ME-P141-88446:4501     gm-sta-dc1.gre.ac.uk:1025  ESTABLISHED
  TCP    ME-P141-88446:5900     newzeus.gre.ac.uk:63288  ESTABLISHED
  UDP    ME-P141-88446:microsoft-ds  *:*
  UDP    ME-P141-88446:isakmp   *:*
  UDP    ME-P141-88446:1030     *:*
  UDP    ME-P141-88446:1031     *:*
  UDP    ME-P141-88446:ntp      *:*
  UDP    ME-P141-88446:netbios-ns  *:*
  UDP    ME-P141-88446:netbios-dgm  *:*
  UDP    ME-P141-88446:427      *:*
  UDP    ME-P141-88446:1025     *:*
  UDP    ME-P141-88446:1900     *:*

Your results will be different to mine. 
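As an added example (not part of the original lab sheet), the Python sketch below parses netstat output in the layout shown above and lists the listening ports, any listener missing from an expected baseline, and the remote hosts with established connections. The sample lines are copied from the output above; EXPECTED_LISTENERS and the function names are assumptions made for the example.

```python
# Lines copied from the sample netstat -a output above.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    ME-P141-88446:epmap    ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:microsoft-ds  ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:1028     localhost:1029         ESTABLISHED
  TCP    ME-P141-88446:http     ME-P141-88446:0        LISTENING
  TCP    ME-P141-88446:1068     32.58.159.243:http     CLOSE_WAIT
  TCP    ME-P141-88446:1306     ME-STU4.gre.ac.uk:524  ESTABLISHED
  TCP    ME-P141-88446:2181     wy-in-f19.1e100.net:https  ESTABLISHED
  TCP    ME-P141-88446:5900     newzeus.gre.ac.uk:63288  ESTABLISHED
  UDP    ME-P141-88446:microsoft-ds  *:*
  UDP    ME-P141-88446:ntp      *:*
"""

# Assumption: the listeners you expect on this PC (a constructed baseline).
EXPECTED_LISTENERS = {"epmap", "microsoft-ds"}


def parse_netstat(text):
    """Yield one dict per socket line; UDP lines have no State column."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                         # skip headers and blank lines
        lhost, lport = f[1].rsplit(":", 1)   # split on the last colon only
        rhost, rport = f[2].rsplit(":", 1)
        yield {"proto": f[0], "lhost": lhost, "lport": lport,
               "rhost": rhost, "rport": rport,
               "state": f[3] if len(f) > 3 else None}


def review(text, expected=EXPECTED_LISTENERS):
    """Return (listening ports, unexpected listeners, remote established peers)."""
    socks = list(parse_netstat(text))
    # Names that refer to this PC: its own local addresses plus loopback.
    me = {s["lhost"] for s in socks} | {"localhost", "127.0.0.1"}
    listening = sorted({s["lport"] for s in socks if s["state"] == "LISTENING"})
    unexpected = [p for p in listening if p not in expected]
    peers = [(s["rhost"], s["rport"]) for s in socks
             if s["state"] == "ESTABLISHED" and s["rhost"] not in me]
    return listening, unexpected, peers


if __name__ == "__main__":
    listening, unexpected, peers = review(SAMPLE)
    print("listening:", listening)
    print("not in baseline:", unexpected)
    print("remote peers:", peers)
```

The same functions work on numeric output, since local addresses and port numbers are treated as plain strings.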

11.  Make a note of your results. The output shows 

Proto  Local Address          Foreign Address        State

12.  Proto is the protocol in use. Which protocols can you see?

13.  Local Address is your PC, Foreign Address is a remote system that you are connected to, State tells you something about the connection.
      What STATES can you see in your output? Write these down.

14.  Note that machine NAMES are given in the output.
      Type netstat -? to show the options available for this command.
      What option must you type to change the output of netstat so that IP addresses are shown instead?
      (hint: you need another option after netstat -a)

15.  Open an ssh connection to newzeus.gre.ac.uk
      You can find the ssh client in the NAL window on your desktop in the Nelson Zones.
      Open a new DOS prompt and check the netstat output.
      Make a note of the line that shows your ssh connection.
      What state is shown for this connection?
      What protocol is used for ssh?
      Your PC is using a port number shown after the " : " in the Local Address column.
      This identifies the returning data from the server so that it is directed to the correct application.
      What port is your PC using?
      What port is the server using (hint: this will be shown in the foreign address)?

16.  Use a browser to connect to www.bbc.co.uk
      Check the netstat output.
      Make a note of the line that shows your connection to www.bbc.co.uk
      What state is shown for this connection?
      What protocol is used for this web connection?
      Your PC is using a port number shown after the " : " in the Local Address column.
      This identifies the returning html from the web server so that it is directed to the correct browser window.
      What port is your PC using?
      What port is the server using (hint: this will be shown in the foreign address)?

17.  Open another browser window and connect to a different website of your choice.
      Check the netstat output.
      Make a note of the line that shows your connection to your chosen website.
      What state is shown for this web connection?
      What protocol is used for this web connection?
      Your PC is using a port number shown after the " : " in the Local Address column.
      This identifies the returning html from the web server so that it is directed to the correct browser window.
      What port is your PC using for this connection?
      What port is the server using (hint: this will be shown in the foreign address)?

18.  Are these ports the same as in questions 15 and 16? If there is a difference, explain this.

19.  Use netstat -a -n to check the other ports that are currently in use.
      These are shown after the " : " in the Foreign Address column.
      Which ports are currently in use?
      Write the port numbers down and list their assignment from the list of "well known ports" (use a search engine).

20.  Close your ssh connection to zeus and re-examine the netstat output.
      How has the output changed now this connection is ended?


Part 3 - Address Resolution Protocol

Now examine the arp command. This is also a DOS command.


21.  Use arp -? to display the options. What does the arp command do?

22.  Make a note of the arp -a output

arp provides a listing of IP address to MAC addresses.
This is essential for communication in an Ethernet network.
To create an Ethernet frame, the MAC address must be known.
Usually the MAC address is held for a short period in cache in case it is needed again.
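As an added example (not part of the original lab sheet), the Python sketch below compares two saved copies of arp -a output and reports which entries aged out of the cache, which were newly learned, and which IP addresses now map to a different MAC address. The two snapshots are constructed for illustration, and the function names are the example's own.

```python
import re

IFACE = re.compile(r"^Interface:\s+(\S+)")
ENTRY = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)")

# Constructed snapshots in the layout printed by arp -a (addresses are made up).
BEFORE = """\
Interface: 199.23.245.17 --- 0x2
  Internet Address      Physical Address      Type
  199.23.245.1          00-1a-2b-3c-4d-5e     dynamic
  199.23.245.22         00-1a-2b-aa-bb-cc     dynamic
"""
AFTER = """\
Interface: 199.23.245.17 --- 0x2
  Internet Address      Physical Address      Type
  199.23.245.1          00-1a-2b-99-88-77     dynamic
  199.23.245.40         00-1a-2b-dd-ee-ff     dynamic
"""


def parse_arp(text):
    """Map (interface, ip) -> (mac, type) for every entry in arp -a output."""
    table, iface = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m[1]                      # entries below belong to this NIC
        elif m := ENTRY.match(line):
            table[(iface, m[1])] = (m[2].lower(), m[3])
    return table


def compare(before, after):
    """Report cache entries that aged out, were learned, or changed MAC."""
    b, a = parse_arp(before), parse_arp(after)
    return {
        "aged_out": sorted(k[1] for k in b.keys() - a.keys()),
        "learned": sorted(k[1] for k in a.keys() - b.keys()),
        # Same IP, different MAC: worth checking whether hardware was replaced.
        "mac_changed": sorted((k[1], b[k][0], a[k][0])
                              for k in a.keys() & b.keys()
                              if a[k][0] != b[k][0]),
    }


if __name__ == "__main__":
    for name, items in compare(BEFORE, AFTER).items():
        print(name, items)
```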

23.  Ping your local router or default gateway.
      This will probably have an address that is the lowest number on your subnetwork.
      e.g. if your IP address is 199.23.245.17, your router will probably have the address 199.23.245.1

24.  Now type arp -a again.
      What is the MAC address of your local router?
      What type is displayed for this address?

25.  Ask another member of your group for their PC's IP address.
      Ping this address.
      Make a note of this IP address.

26.  Type arp -a again to discover the MAC address of this machine.
      What is this MAC address?
      What type is displayed for this address?

27.  The arp cache is cleared regularly.
      Try to work out how long your PC retains this information.

28.  Once your arp cache has been cleared, create some more entries by pinging various machines.
      Examine the options page for arp to discover how to clear the arp cache.
      Write this command down.

29.  How would you add a static entry to the arp table?
       Hint - check the options for the arp command.
      Write down the command you would use to add the subnetwork default gateway to the arp table in your PC.
      Now issue the command and note the output.

30.  Why do you think that you received this response?
      What impact does this have on the University network?


Your Work this Week

IMPORTANT The work that you complete in the laboratory will form part of your marks for this course.
Make sure that you keep a record of all work and any answers that have been asked for in your log book.
Make sure that you have had your work checked by the lab demonstrator BEFORE you leave or you may lose the marks for this week's work.

When you have finished the above laboratory work AND answered ALL of the questions, you should answer the following reflective questions.

Reflective Questions (these questions will assess your analytical skills based on the work that you have undertaken in the lab)

Write the answers to these questions in your logbook.

1. Imagine that you are playing an online game on the Internet but the performance of the game is poor.
    What command would you use to help work out if there is a problem with the network connection between yourself and the game server?
    How could you pinpoint the exact nature of the problem?

2. What do you notice about the port numbers used when you make TCP connections to various remote machines?
    Is there any similarity between the Local port numbers that your PC uses?
    Is there any similarity between the Foreign port numbers that your PC uses? (you may need to experiment further to ascertain this)

3. Why do you think that arp does not keep its contents permanently?

4. It is possible to make an arp entry permanent (static).
    Can you think of a situation where this might be useful?
    Explain your answer.


Help for Completing the Lab Work   

Selecting Text from the Command Line

When using the DOS prompt, selected text may be copied to the clipboard.
Right click inside the DOS window and select Edit, Mark. You can now select text to paste to the clipboard by dragging the mouse to create a white highlighted area over the text you require. Pressing Enter will allow you to copy the selected text to the clipboard. You may now paste this text into the application of your choice or back into the DOS window.

ALTERNATIVELY
To save the output of a windowed program to the clipboard, first highlight the window you wish to have a copy of, then hold down the AltGr and Print Screen buttons. This places the application's screen output on the clipboard. By opening a graphics package (such as Paint, e.g. pbrush.exe) you can paste the image into the package.
Note that this saves the output as an image rather than text.


Usage and options for pathping 

pathping

Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n]
                [-p period] [-q num_queries] [-w timeout] [-P] [-R] [-T]
                [-4] [-6] target_name

Options:
    -g host-list     Loose source route along host-list.
    -h maximum_hops  Maximum number of hops to search for target.
    -i address       Use the specified source address.
    -n               Do not resolve addresses to hostnames.
    -p period        Wait period milliseconds between pings.
    -q num_queries   Number of queries per hop.
    -w timeout       Wait timeout milliseconds for each reply.
    -P               Test for RSVP PATH connectivity.
    -R               Test if each hop is RSVP aware.
    -T               Test connectivity to each hop with Layer-2 priority tags.
    -4               Force using IPv4.
    -6               Force using IPv6.

Example of pathping in use


D:\>pathping -n corp1

Tracing route to corp1 [10.54.1.196]
over a maximum of 30 hops:
  0  172.16.87.35
  1  172.16.87.218
  2  192.168.52.1
  3  192.168.80.1
  4  10.54.247.14
  5  10.54.1.196

Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           172.16.87.35
                                0/ 100 =  0%   |
  1   41ms     0/ 100 =  0%     0/ 100 =  0%  172.16.87.218
                               13/ 100 = 13%   |
  2   22ms    16/ 100 = 16%     3/ 100 =  3%  192.168.52.1
                                0/ 100 =  0%   |
  3   24ms    13/ 100 = 13%     0/ 100 =  0%  192.168.80.1
                                0/ 100 =  0%   |
  4   21ms    14/ 100 = 14%     1/ 100 =  1%  10.54.247.14
                                0/ 100 =  0%   |
  5   24ms    13/ 100 = 13%     0/ 100 =  0%  10.54.1.196

Trace complete.

When pathping is run, the first results list the path. This is the same path that is shown using the tracert command. Next, a busy message is displayed for approximately 90 seconds (the time varies by hop count). During this time, information is gathered from all routers previously listed and from the links between them. At the end of this period, the test results are displayed.

In the sample report above, the This Node/Link, Lost/Sent = Pct and Address columns show that the link between 172.16.87.218 and 192.168.52.1 is dropping 13 percent of the packets. The routers at hops 2 and 4 also are dropping packets addressed to them, but this loss does not affect their ability to forward traffic that is not addressed to them.

The loss rates displayed for the links, identified as a vertical bar (|) in the Address column, indicate link congestion that is causing the loss of packets that are being forwarded on the path. The loss rates displayed for routers (identified by their IP addresses) indicate that these routers might be overloaded.
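As an added example (not part of the original lab sheet or the Microsoft documentation), the Python sketch below applies the reading described above to a pathping report: it separates the link rows (marked with |) from the router rows and reports which of each show loss. The sample is the statistics section of the report above; the function names and the 1 percent threshold are assumptions made for the example.

```python
import re

# Statistics section of the sample report above, with its column spacing.
SAMPLE = """\
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           172.16.87.35
                                0/ 100 =  0%   |
  1   41ms     0/ 100 =  0%     0/ 100 =  0%  172.16.87.218
                               13/ 100 = 13%   |
  2   22ms    16/ 100 = 16%     3/ 100 =  3%  192.168.52.1
                                0/ 100 =  0%   |
  3   24ms    13/ 100 = 13%     0/ 100 =  0%  192.168.80.1
                                0/ 100 =  0%   |
  4   21ms    14/ 100 = 14%     1/ 100 =  1%  10.54.247.14
                                0/ 100 =  0%   |
  5   24ms    13/ 100 = 13%     0/ 100 =  0%  10.54.1.196
"""

LOSS = r"(\d+)/\s*(\d+)\s*=\s*\d+%"
NODE = re.compile(rf"^\s*\d+\s+(?:\d+ms|---)\s+{LOSS}\s+{LOSS}\s+(\S+)")
LINK = re.compile(rf"^\s*{LOSS}\s+\|\s*$")
HOP0 = re.compile(r"^\s*0\s+(\S+)(?:\s+\[[^\]]+\])?\s*$")


def parse(report):
    """Split the statistics into per-link loss and per-router loss (percent)."""
    links, nodes, prev, link_pct = [], [], None, None
    for line in report.splitlines():
        if m := LINK.match(line):
            # A "|" row is the link between the previous hop and the next one.
            link_pct = 100 * int(m[1]) / int(m[2])
        elif m := NODE.match(line):
            addr = m[5]
            if prev is not None and link_pct is not None:
                links.append((prev, addr, link_pct))
            # Groups 3 and 4 are the This Node/Link column for the router itself.
            nodes.append((addr, 100 * int(m[3]) / int(m[4])))
            prev, link_pct = addr, None
        elif m := HOP0.match(line):
            prev = m[1]                      # hop 0 is the source machine
    return links, nodes


def diagnose(report, threshold=1.0):
    """Return (lossy links, lossy routers) at or above threshold percent."""
    links, nodes = parse(report)
    return ([l for l in links if l[2] >= threshold],
            [n for n in nodes if n[1] >= threshold])


if __name__ == "__main__":
    bad_links, bad_routers = diagnose(SAMPLE)
    print("links dropping forwarded traffic:", bad_links)
    print("routers dropping packets addressed to them:", bad_routers)
```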

References
[1] http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/pathping.mspx

  Written by M Clements
 
 

Last updated : 15/11/2010 23:21