Network Commands in Windows and Linux

ARPDisplay or manipulate the ARP information on a network device or computer.


The finger command available in Unix / Linux variants allows a user to find sometimes personal information about a user. This information can include the last time the user logged in, when they read their e-mail, etc… If the user creates a .PLAN or other related file the user can also display additional information.


The hostname command displays the host name of the Windows XP computer currently logged into.


Ipconfig is a MS-DOS utility that can be used from MS-DOS and a MS-DOS shell to display the network settings currently assigned and given by a network. This command can be utilized to verify a network connection as well as to verify your network settings.

Windows 2000 users should use this command to determine network information.


Pathping is a MS-DOS utility available for Microsoft Windows 2000 and Windows XP users. This utility enables a user to find network latency and network loss.


Ping is one of the most commonly used and known commands. Ping allows a user to ping another network IP address. This can help determine if the network is able to communicate with the network.


The nbtstat MS-DOS utility that displays protocol statistics and current TCP/IP connections using NBT.


The net command is available in MS-DOS / Windows and is used to set, view and determine network settings.


The netstat command is used to display the TCP/IP network protocol statistics and information.


The nslookup MS-DOS utility that enables a user to do a reverse lookup on an IP address of a domain or host on a network.


The route MS-DOS utility enables computers to view and modify the computer’s route table.


The tracert command in MS-DOS / Windows or the traceroute command in Unix / Linux and variants is another commonly used network command to help determine network related issues or slowdowns. Using this command you can view a listing of how a network packet travels through the network and where it may fail or slow down. Using this information you can determine the computer, router, switch or other network device possibly causing your network issues.


The whois command available in Unix / Linux variants helps allow a user to identify a domain name. This command provides information about a domain name much like the WHOIS on network solutions. In some cases the domain information will be provided from Network Solutions.


The winipcfg command available in Windows allows a user to display network and network adapter information. Here, a user can find such information as an IP address, Subnet Mask, Gateway, etc…


UDP- User Datagram Protocol

The functionality of UDP should sound familiar. It is a connectionless, unreliable
transport service. It does not issue an acknowledgment to the sender upon the receipt
of data. It does not provide order to the incoming packets, and may lose packets or
duplicate them without issuing an error message to the sender. This should sound like
the IP protocol. The only offering that UDP has is the assignment and management of
port numbers to uniquely identify the individual applications that run on a network
station and a checksum for simplex error detection. UDP tends to run faster than TCP,
for it has low overhead (8 bytes in its header compared to TCP’s typical 40 bytes). It is
used for applications that do not need a reliable transport. Some examples are network
management, name server, or applications that have built-in reliability.
Multiplexing and Demultiplexing
UDP accepts data from the application layer, formats it (UDP header) with its
information, and presents it to the IP layer for network delivery. UDP will also accept
data from the IP layer and, depending on the port value, present it to the appropriate
application. As shown in the slide, UDP is responsible for directing the rest of the packet
(after stripping off its headers) to the correct process according to the port number
assigned in the UDP header. This process is called demultiplexing. There are many
different types of port numbers to indicate any application running on the network
station. UDP reads the Destination Port field of the UDP header (demultiplex) and gives
the data to the application. When the application (identified by the port number)
initializes, the station’s operating system works in conjunction with it and provides a
buffer area in which information may be stored. UDP will place the data in this area for
retrieval by the application. UDP does provide one error mechanism for ports that are
not valid. It can generate an ICMP Port Unreachable message to be sent to the
originator of the packet.

     UDP provides services like finer  ,Application control control over what data is being sent , No connection establishment and state, small header overhead.

·         Possible to have reliability in UDP if built in the application layer.

·         Provdes error detection on an end to end basis which is based on the end-end principle which states that functions provided on lower levelsl may be redundant or uselelss when compared to the cost of providing them on a higher level.


Routing Protocol: BGP (CCNP Notes)


It is the protocol of the internet.  It basically connects different AS networks.  Creates a TCP session on port  179. Routers between different AS exchange information on how to reach and are also called as edge routers or border routers. All routers within a single AS and participating in BGP must be configured in full mesh and each router must be configured as a peer to one another.(This creates a problem as number of routers increases quadtratically as router increases. A solution to this is

Any two routers that have opened a TCP connection to each other for the purpose of exchanging routing information are known as peers or neighbors.

EBGP peers are directly connected while IBGP peers are not directly connected.

Usually, the two EBGP speakers are directly connected (for example, over a wide-area network [WAN] connection). Sometimes, however, they cannot be directly connected. In this special case, the neighbor ebgp-multihop router configuration command is used.

Note: Multihop is used only for EBGP, but not for IBGP.


The BGP synchronization rule states that if an AS provides transit service to another AS, BGP should not advertise a route until all of the routers within the AS have learned about the route via an IGP.(Reason for this rule Is otherwise there is packet loss.  Turned off because if you are running BGP it will be on all the routers in the network)

·         Inter AS routing

·         Uses port 179 and TCP

·         Two types , eBGP and iBGp

·         Path Attributes and BGP routes.


BGP propagates the best path to its neighbors. The decision is based on the value of attributes (such as next hop, administrative weights, local preference, the origin of the route, and path length) that the update contains and other BGP-configurable factors. This section describes the following attributes and factors that BGP uses in the decision-making process:

  • AS_path Attribute
  • Origin Attribute
  • Next Hop Attribute
  • Weight Attribute
  • Local Preference Attribute
  • Multi-Exit Discriminator Attribute
  • Community Attribute

Slowest routing protocol. BGP is technically a distance routing protocol.

Wihout tuning BGP behaves just like RIP.


Open: Start the session

KeepAlive: Are u der???

Update Message: Network rechability exchanges

Notification: Something bad happened; close connection


Neighbour Tables: The connected BGP friends

BGP Table:  List of all BGP routes(can be very big)

Routing table: list of all best routes


Ibgp is used within the same AS and EBGP is used between diff AS

IBGP  relationship can form through the routers.

multihop. EBGP relationships between routers by default must be directly connected.

Two ways to get networks into BGP:

-Network command(Tells what networks to advertise)


BGP next Hop processing:

For EBGP peers: change next hop address on advertised routes

For IBGP peers : Do not change next hop address on advertised routes

Routing protocol-OSPF (CCNA, CCNP notes)


OSPF, or Open Shortest Path First, is a link-state, open-standard, dynamic routing protocol.  OSPF uses an algorithm known as SPF, or Dijkstra’s Shortest Path First, to compute internally the best path to any given route.


Once a router has exchanged hellos with its neighbors and captured Router IDs and cost information, it begins sending LSAs, or Link State Advertisements.  LSAs contain the RID and costs to the router’s neighbors.  LSAs are shared with every other router in the OSPF domain.  A router stores all of its LSA information (including info it receives from incoming LSAs) in the Link State Database (LSDB).

OSPF is different from EIGRP in that it uses areas to segment routing domains.  This helps partition routers into manageable groups if the layer 3 network begins to get large. It all starts with area 0.  Every OSPF network must contain an area 0, sometimes referred to as the backbone area and every additional area must be physically connected to area 0.  From there, other areas are optional.

Note that the SPF algorithm only runs within a single area, so routers only compute paths within their own area.  Inter-area routes are passed using border routers.

All link state databases must match within an OSPF area.  This means that the more OSPF-enabled routers are configured for the same area, the more LSA advertisements that must be sent out.  After you reach about 50 routers, the high levels of LSA traffic and numerous routing table entries can become a problem.  That is why Cisco recommends limiting an OSPF area to no more than 50-100 routers.



All link state databases must match within an OSPF area.  This means that the more OSPF-enabled routers are configured for the same area, the more LSA advertisements that must be sent out.  After you reach about 50 routers, the high levels of LSA traffic and numerous routing table entries can become a problem.  That is why Cisco recommends limiting an OSPF area to no more than 50-100 routers.

Router Roles

Internal: All interfaces in a single area (routers 1, 4, 5 in diagram above)

Backbone: At least one interface assigned to area 0 (routers 1, 2 ,3 in diagram above)

Area Border Router (ABR): Have interfaces in two or more areas (routers 2 and 3 in diagram above)ABRs contain a separate Link State Database, separating LSA flooding between areas, optionally summarizing routes, and optionally sourcing default routes.

Autonomous System Boundary Router (ASBR): Has at least one interface in an OSPF area and at least one interface outside of an OSPF area.


Each interface is assigned a cost value based purely on bandwidth.  The formula is:


Higher bandwidth means a lower cost.


OSPF Packet Types

Discovers neighbors and works as a keepalive.

Link State Request (LSR) 
Requests a Link State Update (LSU), see below.

Database Description (DBD) 
Contains a summary of the LSDB, including RIDs and sequence numbers.

Link State Update (LSU) 
Contains one or more complete LSAs.

Link State Acknowledgement (LSAck)
Acknowledges all other OSPF packets (except hellos). OSPF sends the five packet types listed above over IP directly, using IP port 89 with an OSPF packet header.  Multicast address is used if sending to all routers, address is used for sending to all OSPF DRs.


SPF works by mapping all paths to every destination on each router.  It uses the RID to identify hops along each path and uses bandwidth as a metric between those hops.  This whole system works really well when routers are connected with point-to-point links and OSPF traffic is simply sent using multicast address

It doesn’t work well, however, when a router is connecting to multiaccess networks like an Ethernet VLAN.  Multiaccess OSPF links require a Designated Router (DR) be elected to represent the entire segment.  Another router is then elected as the Backup Designated Router, or BDR.  On that specific multiaccess segment, routers only form adjacencies with the DR and BDR.

The DR uses type 2, network LSAs to advertise the segment over multicast address  The Non-Designated routers then use IP address to communicate directly with the DR.

1. When the OSPF process on a router starts up, it listens for hellos.  If it does not receive any within its dead time, it elects itself the DR.

2. If hellos are received before the dead time expires, the router with the highest OSPF priority is elected as the DR.  Next, the same process happens to elect the BDR. Note:  If a router’s OSPF priority is set to 0, it will not participate in the elections.

3. If two routers happen to have the same OSPF priority, the router with the highest Router ID will become DR.  The same is true for BDR.

Once a DR is elected, elections cannot take place again until either the DR or BDR go down.  This essentially means that there is no OSPF DR preemption if another router comes online with a higher OSPF priority.  In the case that the DR goes down, the BDR automatically is assigned the DR role and a new BDR election occurs.

Be aware that a router with a non-zero priority that happens to boots first can become the DR just because it did not receive any hellos when the OSPF process was started – even though it may have a low OSPF priority.

The default OSPF priority is 1 and Cisco recommends manually changing that on routers you want to become the DR and BDR.

Remember that DRs are only used on multiaccess links, so they are only significant on an interface level.  A router with two different interfaces connected to two different multiaccess links will have separate DR elections for each segment. To set the OPSF priority, use the ip ospf priority command on the interface connected to the multiaccess segment.  Values can be between 0-255.



Like EIGRP, OSPF supports the use of passive interfaces. The passive-interface interface command disables OSPF hellos from being sent out, thus disabling the interface from forming adjacencies out that interface


OSPF has strict rules around how areas connect and where they can be located.  More specifically, every area must be physically connected to area 0 and area zero must be ‘contiguous’ – meaning it cannot broken into multiple, connected area 0s.

Virtual links were developed as a band-aid to situations that temporarily must violate those requirements.  Virtual links connect areas that do not connect directly to area 0.  It can also connect two area 0s together!

Keep in mind that Cisco recommends virtual links be a temporary workaround to a short-term problem,  not a permanent design.

The diagram below illustrates an example when a virtual link could be used.  Let’s pretend Company ABC and Company XYZ just announced a merger and now their corporate networks must do the same.  In this case, both routers R1 and R2 have now become ABRs and the virtual link configuration will be applied to them. The command area area-number virtual-link router-id is applied to each ABR.

Note that the area used in the command is the transit area that the virtual link resides in.  Also, the RID identifies the RID of the OTHER router at the end of the link!

Stubby and not so Stubby Areas:

Stub areas are another way to simplify route information that gets advertised.  Area 2 in the diagram above shows an example.

The ABR in a stub area drops all external routes and instead uses a default route of (R3 in this example).  That is, they do not know about any non-OSPF route information outside their own area.

A Cisco proprietary version of a stub area is a Totally Stubby Area, or TSA.  TSAs do not accept any external routes from non-OSPF sources AND they do not accept routes from other areas within their OSPF autonomous system.  If a router needs to send traffic to a route outside of its own area, it sends the traffic using a default route.

ABRs use default routes in Stub and Totally Stubby areas.
Stubby areas are made into Totally Stubby Areas by appending the no-summary keyword.


TCP Dump commands and basic tutorial

After installing, check if tcpdump is installed successfully executing the below command

#>which tcpdump

Should return the binary location of the package installed


After confirming you can run tcpdump with various options passing to the command to check for the options

[root@ashwin ~]# tcpdump –help

tcpdump version 3.9.8

libpcap version 0.9.8

Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]

[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]

[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]

[ -W filecount ] [ -y datalinktype ] [ -Z user ]

[ expression ]

We will be capturing packets for 2 minutes and analyze for any issues with hosts connecting to and from.

Running the below command will capture all the packets transferring between the hosts through the Network Interface Cards and will be redirected to a file

tcpdump -n -i bond0 -e -vvv > output.log


Tcpdump commands
So back to tcpdump, to look at for example web traffic
Always remember that if you want to see the traffic as ASCII, just apply the argument ‘-A’ to tcpdump

I am assuming you are using eth0, -n turns off DNS.

tcpdump -i eth0 -n port 80

Now a little more fancy, using egrep – this will show all your web requests in real time!

tcpdump -i eth0 -A -n port 80 | egrep -i \(GET.\/\|POST.\/\|Host:\)

Did you know you can tcpdump for a subnet by just excluding the last octet?

tcpdump -i eth0 -n port 80 and host 10.0.5

You can see I used ‘and’ here to specify more filter, you can also use or
For example port 80 or port 81

If you forgot your pop3 password, but have it stored in the client

tcpdump -i eth0 -n port 110 -A | egrep -i \(user\|pass\)

This also applies to passwords for the web, I have used this a lot instead of the ‘forgot password’ mechanism.



DNS Interview Question

DNS Components
•  Domain Name Space and resource records
•  Name servers
•  Resolvers
Query Function Types
There are two types of queries issued: recursive and iterative.
Recursive queries received by a server forces that server to find the information
requested or post a message back to the querier that the information cannot be found.
Iterative queries allow the server to search for the information and pass back the best
information it knows about. This is the type that is used between servers. Clients used
the recursive query. This is shown in the slide.
Generally (but not always), a server-to-server query is iterative and a client-resolverto-server query is recursive.
Example DNS Database
Example DNS Database
•  Records in the database include:
•  A—host’s IP address
•  PTR—host’s domain name, host identified by its IP address
•  CNAME—host’s canonical name, host identified by an alias domain name
•  MX—host’s or domain’s mail exchanger
•  NS—host’s or domain’s name server(s)
•  SOA—Indicates authority for the domain
•  TXT—generic text record
•  SRV—service location record
•  RP—text name of the person responsible for the domain DNS
WHOIS Command
•  Enables you to get more information on domain names, networks, etc., on the
•  ://
•  “whois” (without the quotes).

Application Layer (HTTP,FTP,SMTP,DNS)

Application Layer


·         HTTP is a stateless  protocol

·         When all request are sent over the same TCP connection then it is called a persistent TCP connection and when request are sent over different TCP connections then is called non-persistent TCP connection

·         In persistent connection the server leaves the connection open and a whole web page can be received in the same connection. No need to wait for a response in this connection.

·         The get method is used when the browser request an object and the requested object is identified in the URL field.

·         The post method is used then the entity body will not be empty unlike get method where it is empty.

·         When the Head method is used the server responds with a HTTP message but leaves out the requested object. This is used mainly for debugging purposes.

·         The PUT method is used by applications to upload objects to the web server and the Delete method is used to delete objects from the web server.

·         In the HTTP message the Client uses the CONNECTION: close to tell the server it does not want to bother with the persistent connections. When the server uses the connection: Close it says that it is closing the connection.

·         The conditional GET statement is a request message that uses a GET message and has a IF MODIFIED SINCE: header line included.

·         The user agent field notifies the server which browser is being used.

·         HTTP sends its control information INBAND



·         Runs on top of TCP

·         FTP opens two connections control connection(sending control Information) and data connection(sending data)

·         FTP sends it control information OUTOFBAND

·         FTP maintains state.

·         Only one FTP file is sent in one data connection. To send multiple files multiple data connections are established.

·         Only one control connection is established throughout the session.

·         FTP commands are readable by people


·         Asynchronous communication

·         A line consisting of a single period indicates the end of message to the server.

·         SMTP uses persistent connections.

·         SMTP is basically a push protocol while HTTP is a PULL protocol. SMTP places restriction on the data while SMTP does not place restrictions on the data. HTTP encapsulates only one object while SMPT encapsulates the whole message.

·         The header line and body are separated by a blanlk line.

·         We cannot use SMTP to retrieve mails from a server as it is a push protocol and not a pull protocol.

·         POP3 there are three phases authorization,  transaction and update. IN POP3 u are given an option of either downloading and delte the mail or downloading and keep.

·         IMAP more features and more complicated than POP#. Allows the user to maintain remote folders.


·         DNS is a distributed database and an application layer protocol that allows host to query the distributed database.

·         DNS servers are UNIX machines that run on BIND server. DNS uses UDP and port no. 53

·         Different  Services are  host aliasing, Mail server aliasing, load distribution.

·         DNS distributed database stores resource records and there are different types of 4 types.