WINDOWS IP COMMANDS
As network experts we need to be versatile and troubleshooting-savvy in our work environment. In addition to having strong knowledge of networking protocols and of the commands used on network devices (routers, switches, firewalls, etc.), we also need very good knowledge of IP and other networking-related commands on end-point devices such as Windows computers, Linux servers and workstations.
In this document we will list and describe the most useful and helpful IP commands on the Windows operating system. Most of these commands (with some exceptions and variations) are also available on Linux.
I have found that it usually works best to start troubleshooting network and connectivity problems from an end-point device (computer, server, etc.) before moving on to the core network devices for further investigation.
Knowing the following IP commands will add a strong array of tools to your troubleshooting toolkit.
Windows IP Commands
Let’s now examine the most popular Windows CMD commands (run from the command prompt) that are related to networking.
To open a command prompt on a Windows PC, type cmd in the Start menu search box and choose Command Prompt, as shown in the screenshot below.
ipconfig command
This is one of the most useful IP commands on Windows. It displays a great deal of useful information about the current network settings of the machine, such as the IPv4 and IPv6 addresses of all network interfaces (Ethernet adapters, WiFi adapters, virtual network adapters, etc.), MAC address, default gateway, subnet mask, DNS servers, DHCP information and so on.
If you want to find the local IP address assigned to your computer or the MAC address of your Ethernet adapter (shown as “Physical Address” in the command output, as in the picture below), this is the quickest way to get that information.
Here is a screenshot example of what you can expect as output from ipconfig:
As shown above, you get information such as the IPv4 and IPv6 addresses, MAC address, default gateway, DNS servers, etc. Only a little information appears here because the laptop was connected through its WiFi adapter only.
Here are some of the options of this command:
ipconfig /? : Displays all available options.
ipconfig /all : Displays the output shown in the screenshot above, but for ALL network adapters of the computer (wired Ethernet, WiFi, VMware adapters, etc.).
ipconfig /release : Releases the current IPv4 addresses that were assigned dynamically by a DHCP server. If you also specify an adapter (connection) name at the end, it releases only the IP address of that adapter.
ipconfig /release6 : Same as above, but for the IPv6 address.
ipconfig /renew : Usually follows the command above; it requests a new IP address from the DHCP server.
ipconfig /renew6 : Same as above, but for the IPv6 address.
ipconfig /flushdns : Deletes the computer’s local DNS resolver cache. This cache stores DNS entries of frequently accessed internet resources so that the computer does not have to query an external DNS server every time you access a resource (website, etc.). The command is useful when troubleshooting DNS problems.
ipconfig /displaydns : Shows the entries of the local DNS resolver cache explained above.
ipconfig /registerdns : Refreshes all DHCP addresses and also communicates again with the external DNS server to make sure it’s reachable. Very useful when troubleshooting DNS and network connectivity problems on the local computer.
nslookup command
“nslookup” stands for “Name System Lookup” and is very useful for obtaining Domain Name System (DNS) information about a domain or about an IP address (reverse DNS lookup).
nslookup [domain name] : The most popular usage of this command is to quickly find the IP address of a specific domain name (A record), as shown below:
Example:
nslookup [Link]
nslookup [Link]
nslookup [Link]
As shown above, the “nslookup” command followed by a domain name shows you the IPv4 and IPv6 addresses (A records and AAAA records) assigned to that domain.
nslookup [IP Address] : This performs a reverse DNS lookup and tries to match the given IP address with its corresponding domain name.
Example:
nslookup [Link]
nslookup [Link]
As shown on the screenshot above, the IP address [Link] is mapped to the name “google-public-[Link]”. Note, however, that not all IP addresses have a domain name assigned, so often you will get no information from this command.
There are several other interesting features of the nslookup command such as finding the
authoritative DNS servers of a domain, the SOA and MX records of a domain and much more.
ping command
Now let’s examine one of the most popular utilities related to network connectivity.
Probably the first command every computer user runs on the command line when having connectivity problems is “ping”.
It quickly shows you whether you can send and receive packets (ICMP echo packets, to be exact) from your computer, and hence whether you have network connectivity.
Note also that “ping” tests connectivity for both the local computer from which you execute the command and the remote computer or server you are trying to reach.
If, for example, you “ping” your local default gateway IP address and get replies back (ICMP echo replies), your local computer is properly connected to the network.
If you “ping” a remote server on the Internet and get replies back, the remote server is properly connected to its network as well.
ping /? : Displays all available options as shown below:
ping [IP Address] : By default it sends 4 ICMP echo requests to the stated IP address.
Example:
ping [Link]
ping [Link]
As you can see from the screenshot above, pinging the IPs [Link] and [Link] results in sending 4 packets and receiving 4 replies back from each IP.
ping [hostname or domain] : When “pinging” a hostname or domain name, the command first resolves the name to an IP address and then sends the ICMP packets to that IP.
Example:
ping [Link]
ping [IP address] -t : Sends ping packets (ICMP echo requests) continuously to the target IP.
ping -n 10 [IP address] : Sends 10 ping packets (ICMP echo requests) to the target IP.
ping -l 1500 [IP address] : Sends ping packets (ICMP echo requests) with a size of 1500 bytes to the target IP.
ping -a [IP address] : The -a switch tells the computer to try to resolve the hostname assigned to the specific IP address and then ping the IP.
ping -6 [domain or IP] : The -6 switch tells the computer to send IPv6 packets to the target.
tracert command
“tracert” in Windows stands for “Trace Route”; in Linux the equivalent command is “traceroute”.
The command traces the path that a TCP/IP packet takes towards a destination and shows some information (if available) about the routing nodes along this path.
Just like “ping”, “tracert” sends ICMP echo packets to the destination, but with increasing Time-to-Live (TTL) values, so that each router along the way reveals itself in turn.
tracert [domain or IP] : Traces the TCP/IP path to the specified destination target IP or domain.
Example:
tracert [Link]
As shown above, tracing the path to the domain [Link] shows all the intermediate routing nodes (with their hostnames and IP addresses) up to the final destination.
When troubleshooting connection problems in a large network, you can use tracert to see where the packets stop before reaching the target, and focus your efforts on the node that does not forward the packets.
netstat command
Another important command is the Network Statistics (“netstat”) utility, found on both Windows and Linux.
It shows the established TCP/IP connections of the local computer with remote hosts, the open (listening) ports on the machine, the process ID (PID) owning each connection, etc.
Personally, I use this command mostly for security forensics: to identify whether there are backdoors running on the computer, malicious connections to external command-and-control servers, and so on.
Here are some popular usages of this command:
netstat -ano : Displays all connections and listening ports (-a), addresses and ports in numerical form (-n) and the process ID owning each connection (-o).
netstat -vb : Very useful to see which executable (-b) and which sequence of components (-v) created each connection and each listening port.
Example:
C:\WINDOWS\system32>netstat -vb
If you run this command from a normal (non-elevated) command prompt, it responds, as shown above, that the requested operation requires elevation. To elevate, run Command Prompt as an administrator.
As shown above, for each established connection you can see the executable (e.g. [Link], [Link], etc.) that created it.
netstat -p tcp -f : The “-p tcp” switch shows only TCP connections and the “-f” switch shows the FQDN of each remote host instead of just its IP address.
Example:
C:\WINDOWS\system32>netstat -p tcp -f
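For the forensic use described above, the following added example (not part of the original document) parses constructed "netstat -ano" output, joins each PID to its image name as you would from "tasklist", and lists the established sessions whose peer is outside the private address ranges, which are the ones to review first. All addresses, PIDs and process names are assumed sample values.

```python
import ipaddress
from collections import namedtuple
# Constructed "netstat -ano" output with assumed addresses and PIDs (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:52344     203.0.113.7:443        ESTABLISHED     4321
  TCP    192.168.1.10:52345     198.51.100.9:4444      ESTABLISHED     6660
  TCP    192.168.1.10:49700     192.168.1.20:445       ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1208
  UDP    0.0.0.0:5353           *:*                                    2288
"""
# Constructed PID -> image name map, as you would build it from "tasklist" output.
TASKLIST_SAMPLE = {912: "svchost.exe", 4321: "chrome.exe", 6660: "updater.exe",
                   4: "System", 1208: "svchost.exe", 2288: "mDNSResponder.exe"}

# Address ranges treated as "inside": RFC 1918, loopback, link-local and IPv6 ULA.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]
Conn = namedtuple("Conn", "proto local foreign state pid image")

def split_endpoint(ep):
    """Split 'addr:port' (IPv4, or bracketed IPv6 such as [::]:3389) into (addr, port)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text, pid_map):
    """Turn netstat -ano rows into Conn records, joining each PID to its image name."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                   # header and blank lines
        state = parts[3] if parts[0] == "TCP" else ""  # UDP rows have no State column
        pid = int(parts[-1])
        conns.append(Conn(parts[0], split_endpoint(parts[1]), split_endpoint(parts[2]),
                          state, pid, pid_map.get(pid, "<unknown>")))
    return conns

def external_established(conns):
    """ESTABLISHED sessions whose peer lies outside the INTERNAL ranges: the ones to review."""
    return [c for c in conns if c.state == "ESTABLISHED"
            and not any(ipaddress.ip_address(c.foreign[0]) in net for net in INTERNAL)]

def listening_ports(conns):
    """(proto, port) pairs the host accepts traffic on: LISTENING TCP plus bound UDP sockets."""
    return sorted({(c.proto, c.local[1]) for c in conns
                   if c.state == "LISTENING" or c.proto == "UDP"})
```

On a real host you would feed it the saved output of netstat -ano and a PID map built from tasklist; an unfamiliar image name talking to an external address is what you then investigate further.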
route command
The “route” command is used to view and manipulate the local routing table of the computer. You can print the current routing table, add new static routes, delete entries, etc.
Personally, the way I use the “route” command is to add a permanent static route entry on a computer. For example, there might be a specific network subnet that is not reachable via the computer’s default gateway but is reachable via a different gateway IP. By adding a static route to the computer’s routing table you will be able to reach that remote subnet through that other gateway.
route PRINT : Displays the current routing table of the computer.
route ADD [destination network] MASK [mask] [gateway IP] : Adds a static route to the table.
Example:
route ADD [Link] MASK [Link] [Link]
The above command adds a static route for the destination subnet [Link]/24 via the gateway [Link].
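To see why the added static route wins over the default gateway for that subnet, here is an added example (not from the original document) that mimics Windows route selection, longest prefix first and lowest metric on a tie, over a constructed routing table with assumed addresses; route_add also rejects a destination/mask pair that is inconsistent, as the real command does.

```python
import ipaddress

# Constructed routing table in the shape of "route PRINT" rows:
# (Network Destination, Netmask, Gateway, Interface, Metric). Assumed addresses.
ROUTE_TABLE = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1", "192.168.1.10", 25),
    ("127.0.0.0",   "255.0.0.0",     "On-link",     "127.0.0.1",    331),
    ("192.168.1.0", "255.255.255.0", "On-link",     "192.168.1.10", 281),
]

def route_add(table, destination, mask, gateway, interface="192.168.1.10", metric=26):
    """Mimic 'route ADD <dest> MASK <mask> <gateway>'. Returns False, like the real
    command's 'parameter is incorrect' error, when dest/mask are inconsistent."""
    try:
        net = ipaddress.ip_network(f"{destination}/{mask}")  # strict: host bits must be 0
    except ValueError:
        return False
    table.append((str(net.network_address), mask, gateway, interface, metric))
    return True

def lookup(table, target):
    """Windows-style selection: longest prefix first, lowest metric on a tie."""
    ip = ipaddress.ip_address(target)
    best = None
    for dest, mask, gw, iface, metric in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])

if __name__ == "__main__":
    print(lookup(ROUTE_TABLE, "10.20.30.5"))   # via the default gateway
    route_add(ROUTE_TABLE, "10.20.30.0", "255.255.255.0", "192.168.1.254")
    print(lookup(ROUTE_TABLE, "10.20.30.5"))   # now via the static route
```

On a real host, a route added with plain route ADD lasts only until the next reboot; route -p ADD stores it persistently.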
arp command
ARP stands for “Address Resolution Protocol” and is one of the core networking protocols; it operates at Layer 2 and facilitates communication within a LAN.
The job of ARP is to find the physical (MAC) address of a target and map it to its corresponding Layer 3 IP address when communicating on a LAN. The ARP cache table stores the mappings of IP addresses to their corresponding MAC addresses.
arp -a : Displays all ARP cache mappings (IP to MAC address).
Example:
C:\WINDOWS\system32>arp -a
As you can see above, the local computer has dynamically learned (Type = dynamic), using the ARP protocol, two other local devices ([Link] and [Link]) and has stored their MAC addresses (Physical Address) in its ARP table.
arp -d [IP address] : Deletes the ARP entry for the specified IP address.
This is useful when you have changed hardware on a specific node (e.g. you have replaced the default gateway router) and want to remove the old ARP entry. Usually nothing needs to be done in such a case, but on some older computers it is sometimes required.
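As an added example (not part of the original document), the following Python parses constructed arp -a output and, given the MAC address you know a replaced device now has, reports which cached entries are stale and should be cleared with arp -d; it also flags a MAC cached for more than one IP address, which is worth a second look. All addresses are assumed sample values.

```python
from collections import Counter

# Constructed "arp -a" output (assumed addresses, not captured from a real host).
ARP_SAMPLE = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

def parse_arp(text):
    """Return {ip: (mac, type)} for every cache row under every interface."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly three fields; header and "Interface:" lines do not.
        if len(parts) == 3 and parts[2] in ("dynamic", "static"):
            entries[parts[0]] = (parts[1].lower(), parts[2])
    return entries

def stale_entries(entries, known):
    """IPs whose cached MAC differs from the MAC you know the device has
    (e.g. the label on a replacement gateway): clear each with 'arp -d <ip>'."""
    return sorted(ip for ip, mac in known.items()
                  if ip in entries and entries[ip][0] != mac.lower())

def shared_macs(entries):
    """Dynamic entries where one MAC is cached for more than one IP address."""
    counts = Counter(mac for mac, kind in entries.values() if kind == "dynamic")
    return sorted(mac for mac, n in counts.items() if n > 1)
```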
LAB TASK:
1. Issue the command ipconfig /?, capture the screen and briefly explain what it does.
2. Issue five subcommands of ipconfig, capture each screen and briefly explain what each does.
3. Issue the command nslookup [use one domain name of your choice], capture the screen and briefly explain what it does.
4. Issue the command nslookup [use your public IP address; obtain it from Google], capture the screen and briefly explain what it does.
5. Issue the command ping /?, capture the screen and briefly explain what it does.
6. Issue two subcommands of ping, capture each screen and briefly explain what each does.
7. Issue the command tracert [use three different domain names of your choice], capture the screen and briefly explain what it does.
8. Issue the command arp /?, capture the screen and briefly explain what it does.
9. Issue the command route ADD to add the static route [Link] MASK [Link] [Link] to your PC’s routing table.
10. Issue at least three subcommands of arp, capture each screen and briefly explain what each does.
NOTE: Before issuing any command, ping your registration number, then proceed as directed. Save your document using your registration number, e.g. T24-03-5555555. Submit to your CR before Saturday 7/6/2025.
Below is a sample screenshot for T24-03-5555555 when issuing the ping /? command: