Command-Line Tools: ping, traceroute, nslookup, dig, ipconfig, ifconfig, ip, arp, netstat, ss, and route
Key Takeaways
- ping tests reachability with ICMP, but a blocked ping does not always mean the host or service is down.
- traceroute and tracert show the path toward a destination and can reveal routing or hop-related loss.
- nslookup and dig test DNS resolution, record types, authoritative answers, and resolver behavior.
- ipconfig, ifconfig, and ip show local addressing, interface state, gateways, DNS settings, and lease information.
- arp, netstat, ss, and route help inspect neighbor resolution, active connections, listening ports, and routing tables.
Command-Line Troubleshooting Tools
Command-line tools help isolate where a problem exists: local host, name resolution, default gateway, routing path, remote service, or policy enforcement. The exam often asks for the best next tool based on a symptom.
Reachability and Path
| Tool | Common platforms | What it tests |
|---|---|---|
| ping | Windows, Linux, macOS | ICMP reachability, latency, packet loss |
| traceroute | Linux, macOS | Path toward a destination using TTL behavior |
| tracert | Windows | Windows path tracing |
| pathping | Windows | Combines path discovery with packet loss statistics |
Ping is useful but limited. A host or firewall may block ICMP while the application still works. Traceroute can show where packets stop, but routers may rate-limit or block traceroute responses. Use these tools as evidence, not absolute proof.
DNS Tools
| Tool | Best use |
|---|---|
| nslookup | Quick DNS lookup and resolver testing |
| dig | Detailed DNS queries, record types, authoritative servers, TTLs |
| host | Simple hostname lookup on many Unix-like systems |
DNS symptoms include users reaching an application by IP address but not by name, wrong records after a change, split-horizon DNS issues, expired TTL expectations, and only one resolver returning a bad answer.
Example decision: If https://portal.example.com fails but https://203.0.113.50 works, test DNS with nslookup or dig before replacing network hardware.
Interface and Address Tools
| Tool | Common platform | Useful output |
|---|---|---|
| ipconfig | Windows | IP address, mask, gateway, DNS, DHCP lease details |
| ipconfig /all | Windows | Detailed adapter configuration |
| ipconfig /release and /renew | Windows | DHCP lease release and renewal |
| ifconfig | Older Unix-like systems | Interface addresses and basic state |
| ip addr | Linux | Interface addresses and status |
| ip link | Linux | Link state, MAC address, MTU |
| ip route | Linux | Routing table and default gateway |
If one workstation cannot connect, check whether it has a valid IP address, subnet mask, default gateway, DNS server, and link state. An APIPA address in 169.254.0.0/16 on Windows usually suggests DHCP failure for that host or segment.
Neighbor, Socket, and Route Tools
| Tool | What it shows | Scenario |
|---|---|---|
| arp -a | ARP cache | Check IP-to-MAC resolution on local subnet |
| ip neigh | Linux neighbor table | Modern Linux equivalent for ARP and neighbor entries |
| netstat | Connections, listening ports, routes, interface stats | Find whether a service is listening or sessions exist |
| ss | Modern Linux socket statistics | Faster replacement for many netstat uses |
| route print | Windows routing table | Confirm default route or static routes |
| route | Unix-like routing table command | Inspect or change routes depending on platform |
When a client and server are on the same subnet, ARP matters. If a default gateway MAC address cannot be resolved, off-subnet traffic will fail. When a service is unreachable, netstat or ss can show whether the service is listening on the expected port and interface.
Symptom-to-Tool Matrix
| Symptom | First useful command |
|---|---|
| User has no IP address or wrong gateway | ipconfig /all, ip addr, or ip route |
| Hostname fails but IP works | nslookup or dig |
| Need to see where path stops | traceroute or tracert |
| Need to verify local neighbor resolution | arp -a or ip neigh |
| Need to see listening TCP ports | netstat or ss |
| Need to inspect default route | route print or ip route |
Common Traps
- Successful ping to a server does not prove the application port is open.
- Failed ping does not prove the server is down if ICMP is blocked.
- DNS cache can make one client behave differently from another.
- A correct IP address with the wrong subnet mask can still break local communication.
- Multiple default gateways on one host can create unpredictable routing.
A user can reach a web application by IP address but not by hostname. Which tool should be used first?
Match each command-line tool to its common troubleshooting use.
Match each item on the left with the correct item on the right
A Windows workstation has a 169.254.x.x address and cannot reach network services. What is the most likely direction to investigate?