Network Commands

Arp
The arp command lets you view and manage the Address Resolution Protocol (ARP) cache. In other words, arp displays and modifies the IP
address-to-MAC address translation tables used by the ARP protocol. In order for the arp command to be meaningful and helpful, you need to first
understand the purpose of the Address Resolution Protocol. As DNS translates between host names and IP addresses, ARP translates between
MAC addresses (Layer 2) and IP addresses (Layer 3). When a host attempts to communicate with another host on the same subnet, it must first
know the destination hosts MAC address. If there is no entry in the sending hosts ARP cache for the destination MAC address, ARP sends out a
broadcast (to all hosts in the subnet) asking the host with the target IP address to send back its MAC address. These IP-to-MAC mappings build up
in the ARP cache which the arp command lets you view and modify.
Be aware that the ARP cache is a tempting target for hackers. It can be vulnerable to cache poisoning attacks in which false entries are inserted
into the ARP cache, causing the compromised host to unknowingly send data (often unencrypted) to the attacker.
Arp for Windows

The default arp command syntax in Windows is:
arp -s inet_addr eth_addr [if_addr]
arp -d inet_addr [if_addr]
arp -a [inet_addr] [-N if_addr] [-v]
Arp command
switches (Windows)
Description
arp -a or arp -g
Displays both the IP and MAC addresses in the ARP cache for all network interfaces using ARP.
arp -d [inet_addr]
Deletes all entries from the ARP cache which causes ARP queries for local network hosts to be re-processed.
For example, arp -d 10.57.10.32.
arp -N [if_addr]
Displays the ARP entries for the network interface specified by [if_addr]. Used in conjunction with -a or -g.
For example: arp -a -N 192.168.20.15, where 192.168.20.15 is the IP address of your (or one of your) network
interfaces.
arp -s
Adds a static (permanent) entry to the ARP cache. This command is a countermeasure to ARP spoofing
attacks. For example, this command adds a static entry: arp -s 157.55.85.212 00-aa-00-62-c6-09.
arp -v
Displays current ARP entries in verbose mode. All invalid entries and entries on the loopback interface will be
shown. Used in conjunction with arp -a or arp -g.
[eth_addr]
Specifies a physical (MAC) address.
[if_addr]
If present, this specifies the Internet address of the interface on your computer whose address translation
table should be modified. Useful if your computer has multiple network interfaces. If not present, the first
applicable interface will be used.
[inet_addr]
Specifies an IP address entry in the ARP cache. Used in conjunction with -a or -g. For example, the
command arp -a 192.168.10.20 will query the cache to display the MAC address of host 192.168. 10.20.
.
Up to command list
Arp for Linux

The default arp command syntax in Linux is as follows:
arp [-evn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
Each complete entry in the ARP cache will be marked with the C (complete) flag. Permanent entries are marked with M (perManent) and published
entries have the P (publish) flag.
Note that arp is deprecated in Linux, as described here.
Arp command
switches (Linux)
Description
arp -a [hostname]or --all

[hostname]
Shows the entries of the specified hosts. If the [hostname] parameter is not used, all entries will be
displayed.
arp -d [ip_addr] or--
Removes the ARP cache entry for the specified host. arp -d * will delete all hosts in the cache (note the
delete [ip_addr]
space between -d and *).
arp -D or --use-device
Uses the hardware address associated with the specified interface.
arp -e
Shows the entries in default (Linux) style.
arp -f [filename] or--file

[filename]
Similar to the -s option, only this time the address info is taken from file that [filename] set up. The name of
the data file is very often /etc/ethers, but this is not official. If no [filename] is specified, /etc/ethers is used
as default.
arp -H or --hw-type
[type] or -t [type]
When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should
check for. The default value of this parameter is ether (i.e. hardware code 0x01 for IEEE 802.3 10Mbps
Ethernet).
Selects an interface. When dumping the ARP cache only entries matching the specified interface will be
arp -i [int] or --device [int] printed. For example, arp -i eth0 -s 10.21.31.41 A321.ABCF.321A creates a static ARP entry associating
IP address 10.21.31.41 with MAC address A321.ABCF.321A on eth0.
arp -n or --numeric
Shows IP addresses instead of trying to determine domain names.
arp -s [hostname]
[hw_addr] or --set
[hostname]
Manually creates a static ARP address mapping entry for host [hostname] with the hardware address set
to[hw_addr].
arp -v
Uses verbose mode to provide more details.
.
Up to command list
FTP
Specified in RFC 959, FTP (File Transfer Protocol) does what its name implies: it is used for transferring files between hosts on TCP/IP networks.
One common use of FTP is to upload updated web content to web servers. Although it can be utilized in a command line interface, there are
several graphical clients for FTP that are very popular and capable. Examples of these GUI clients include FileZilla, FireFTP, WS_FTP, SmartFTP,
andWinSCP. Additionally modern browsers such as Firefox or Internet Explorer can be used to download files from FTP servers.
FTP suffers from the same security-related flaws as telnet it does not support encryption or strong authentication. Therefore FTP should be used
with caution. It is recommended to transition to SFTP.
After you connect to an FTP server with the ftp command, you enter interactive mode wherein the prompt changes from C:\ or $ to ftp>.
FTP for Windows

In Windows the ftp command follows this syntax:
ftp [v] [n] [i] [d] [g] [s:[file_name]] [-a] [-A] [-w:[window_size]] [ftp_server]
FTP command options

(Windows)
Description
ftp -a
Specifies that any local interface can be used when binding the FTP data connection.
ftp -A
Logs in to the FTP server as an anonymous user.
ftp -b:[AsyncBuffers]
Overrides the default async buffer count of 3.
ftp -d
Enables debugging which displays all commands passed between the FTP client and the
FTP server.
ftp -g
Disables file name globbing. By default, globbing is on. Globbing permits the use of the
asterisk (*) and question mark (?) as wildcard characters in local file or path names.
ftp -i
Disables interactive prompting during multiple file transfers.
ftp -n
Suppresses the ability to log on automatically when the initial connection is made.
ftp -r:[RecvBuffers]
Overrides the default SO_RCVBUF size of 8192.
ftp -s:[filename]
Specifies a text file that contains FTP commands to run automatically after FTP starts.
ftp -v
Suppresses the display of FTP server responses.
ftp -w:[window_size]
Specifies the size of the transfer buffer (default window size is 4096 bytes).
ftp -x:[SendBuffer]
Overrides the default SO_SNDBUF size of 8192.
ftp /? or -?
Displays the help message.
ftp>! [command]
Runs the specified command on the local computer.
ftp>? or ftp>? [command]
Displays descriptions for FTP commands (identical to help).
ftp>append [local_file] [remote_file]
Appends a local file to a file on the remote host using the current file type setting.
ftp>ascii
Sets the file transfer type to ASCII (which is the default).
ftp>bell
Toggles a bell to ring after each file transfer command is completed (disabled by default).
ftp>binary
Sets the file transfer type to binary.
ftp>bye
Ends the FTP session with the remote host and exits FTP.
ftp>cd [remote_path]
Changes the working directory on the remote host.
ftp>close
Ends the FTP session with the remote server and returns to the command interpreter on the
local host.
ftp>debug
Toggles debugging (off by default). When debugging is on, each command sent to the remote
host is printed, preceded by the string >.
ftp>delete [remote_file]
Deletes files on the remote host.
ftp>dir or ftp>dir [remote_directory]

[local_file]
Displays a list of a remote directorys files and subdirectories. The output from this command
can be sent to[local_file].
ftp>disconnect
Disconnects from the remote host like close, but retains the FTP prompt.
ftp>get [remote_file] [local_file]
Copies a remote file to the local host using the current file transfer type.
ftp>glob
Toggles file name globbing (enabled by default). Globbing permits the use of wildcard
characters in local file or path names.
ftp>hash
Toggles number sign (#) printing for each data block transferred (disabled by default). The
size of a data block is 2,048 bytes.
ftp>help or ftp>help [command]
Displays descriptions for FTP commands (identical to -?).
ftp>lcd [local_directory]
Changes the working directory on the local host. By default, the current directory on the local
host is used.
ftp>literal [argument]
Sends arguments, verbatim, to the remote FTP server. A single FTP reply code is expected in
return.
ftp>ls or ftp>ls [remote_directory]

[local_file]
Displays an abbreviated list of a remote directorys contents. The output from this command
can be sent to[local_file].
ftp>mdelete [remote_files]
Deletes multiple files on the remote host.
ftp>mdir [remote_directories]
Displays a list of the remote directorys files and subdirectories.
ftp>mget [remote_files]
Copies multiple remote files to the local host using the current file transfer type.
ftp>mkdir [remote_directory]
Creates a remote directory.
ftp>mls [remote_directories]
Displays an abbreviated list of a remote directorys files and subdirectories.
ftp>mput [local_files]
Copies multiple local files to the remote host using the current files and subdirectories.
ftp>open {FTP_server] [port]
Connects to the specified FTP server.
ftp>prompt
Toggles prompting (enabled by default). FTP prompts during multiple file transfers to enable
you to selectively retrieve or store files; mget and mput transfer all files if prompting is turned
off.
ftp>put [local_file_name]
[remote_file_name]
Copies a local file to the remote host using the current file transfer type.
ftp>pwd
Displays the current directory on the remote host.
ftp>quit
Ends the FTP session with the remote host and exits FTP.
ftp>quote [argument]
Synonym for the literal command.
ftp>recv
Copies a remote file to the local host using the current file transfer type (identical to get).
ftp>remotehelp orftp>remotehelp
[command]
Displays help for remote commands.
ftp>rename [file_name]
[new_file_name]
Renames remote files.
ftp>rmdir [remote_directory]
Specifies the name of the remote directory to delete.
ftp>send [local_file_name]
[remote_file_name]
Copies a local file to the remote host using the current file transfer type (identical to put).
ftp>status
Displays the current status of FTP connections and toggles.
ftp>trace
Toggles packet tracing (displays the route of each packet when running an FTP command).
ftp>type [ascii | binary]
Sets or displays the file transfer type. ASCII is the default.
ftp>user [username] [password]
Specifies a user to the remote host.
ftp>verbose
Toggles verbose mode (enabled by default). If on, all FTP responses are displayed; when a
file transfer completes, statistics regarding the efficiency of the transfer are also displayed.
.
Anonymously logs the user on to the FTP server named ftp.example.company.com:
ftp -A ftp.example.company.com
Logs the user on to the FTP server named ftp.example.company.com and runs the FTP commands contained in the file named commands.txt:
ftp -s:commands.txt ftp.example.company.com
Up to command list
FTP for Linux

In Linux the ftp command follows this syntax:
ftp [-pinegvd] [host [port]]
ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [-f] [-x] [-u] [-t] [host]
Note that different Linux man pages show different options for FTP (reference: 1 and 2), so some of the options below may not work with your
Linux distribution. Also note that the BSD operating systems support different FTP options than Linux (reference: 1 and 2).
FTP command options (Linux)
Description
ftp -d
Enables debugging.
ftp -e
Disables command editing and history support if it was compiled into the ftp executable.
Otherwise, -e does nothing.
ftp -f
Causes credentials to be forwarded to the remote host.
ftp -g
Disables file name globbing.
ftp -i
Turns off interactive prompting during multiple file transfers.
ftp -k [realm]
When using Kerberos v4 authentication, gets tickets in realm.
ftp -m
By default FTP explicitly binds to the same interface for the data channel as the control channel
in passive mode (useful on multihomed clients). This option disables that behavior.
ftp -n
Restrains FTP from attempting auto-login upon initial connection. If auto-login is enabled, FTP
will check the.netrc file in the users home directory for an entry describing an account on the
remote machine. If no entry exists, FTP will prompt for the remote machine login name (default
is the user identity on the local machine), and, if necessary, prompt for a password and an
account with which to login.
ftp -p
Uses passive mode for data transfers. Allows for the use of FTP in environments where a
firewall prevents connections from the outside world back to the client machine. Requires that
the FTP server support the PASVcommand. This is the default now for all clients (FTP and
PFTP) due to security concerns using the PORT transfer mode. The flag is kept for compatibility
only and has no effect anymore.
ftp -t
Enables packet tracing.
ftp -u
Restrains FTP from attempting auto-authentication upon initial connection. If autoauthentication is enabled, FTP attempts to authenticate to the FTP server by sending
the AUTH command, using whichever authentication types are locally supported. Once an
authentication type is accepted, an authentication protocol will proceed by
issuingADAT (Authentication/Security Data) commands. This option also disables autologin.
ftp -v
The verbose option which forces FTP to show all responses from the remote server, as well as
report on data transfer statistics.
ftp -x
Causes the client to attempt to negotiate encryption (data and command protection levels
private) immediately after successfully authenticating.
ftp>! [command [args] ]
Invokes an interactive shell on the local machine. If there are arguments, the first is taken to be
a command to execute directly, with the rest of the arguments as its arguments.
ftp>$ [macro-name] [args]
Execute the macro [macro name] that was defined with the macdef command. Arguments are
passed to the macro unglobbed.
ftp>account [password]
Supplies a supplemental password required by a remote host for access to resources once a
logon has been successfully completed. If no argument is included, the user will be prompted
for an account password in a non-echoing input mode.
ftp>append [local_file] [remote_file]
Appends a local file to a file on the remote host. If [remote_file] is left unspecified, the local file
name is used in naming the remote file after being altered by any ntrans or nmap setting. File
transfer uses the current settings fortype, format, mode, and structure.
ftp>ascii
Sets the file transfer type to network ASCII. This is the default type.
ftp>bell
Enables a bell to sound after each file transfer command is completed.
ftp>binary
Set the file transfer type to support binary image transfer.
ftp>bye
Terminates the FTP session with the remote server and exits FTP. An end of file will also
terminate the session and exit.
ftp>case
Toggles remote computer file name case mapping during mget commands. When case is on
(default is off), remote computer file names with all letters in upper case are written in the local
directory with the letters mapped to lower case.
ftp>ccc
Terminates the FTP session with the remote server, and returns to the command interpreter.
Any defined macros are erased.
ftp>cd [remote_directory]
Changes the working directory on the remote host to the directory specified.
ftp>cdup
Changes the remote host working directory to the parent of the current remote machine working
directory.
ftp>[mode] [file_name]
Changes the permission modes [file_name] on the remote host to [mode]. See the page
on chmod for reference.
ftp>clear
Sets the protection level on data transfers to clear. If no ADAT (Authentication/Security Data)
command succeeded, then this is the default protection level.
ftp>close
Terminates the FTP session with the remote server and returns to the command interpreter. Any
defined macros are erased.
ftp>cprotect [protection_level]
Sets the protection level on commands to [protection_level]. The valid protection levels
are clear for unprotected commands, safe for commands integrity protected by cryptographic
checksum, and private for commands confidentiality and integrity protected by encryption. If
an ADAT command succeeded, then the default command protection level is safe, otherwise
the only possible level is clear. If no level is specified, the current level is printed. cprotect
clear is equivalent to the ccc command.
ftp>cr
Toggles carriage return stripping during ASCII type file retrieval. Records are denoted by a
carriage return/linefeed sequence during ASCII type file transfer. When cr is on (the default),
carriage returns are stripped from this sequence to conform with the UNIX single linefeed
record delimiter. Records on non-UNIX remote systems may contain single linefeeds; when an
ASCII type transfer is made, these linefeeds may be distinguished from a record delimiter only
when cr is off.
ftp>delete [remote_file]
Deletes the file on the remote host.
ftp>debug [debug_value]
Toggles debugging mode. If an optional [debug_value] is specified it is used to set the

debugging level. When debugging is on, ftp prints each command sent to the remote machine,
preceded by the string `>.
Prints a listing of the directory contents in the directory [remote_directory] and, optionally,
sends the output to[local_file]. If interactive prompting is on, FTP will prompt the user to verify
ftp>dir [remote_directory] [local_file] that the last argument is indeed the target local file for receiving dir output. If no directory is
specified, the current working directory on the remote machine is used. If no local file is
specified, or local-file is -, output comes to the terminal.
ftp>disconnect
A synonym for the close option.
ftp>form [format]
Sets the file transfer form to [format]. The default format is file.
ftp>get [remote_file_name]
[local_file_name]
Retrieves [remote_file], stores it on the local host, and optionally renames it to the
provided [local_file_name]. If the local file name is not specified, the file is given the same
name it has on the remote host, subject to alteration by the current case, ntrans,
and nmap settings. The current settings for type, form, mode, and structure are used while
transferring the file.
ftp>glob
Toggles file name expansion for mdelete, mget, and mput. If globbing is turned off with glob,
the file name arguments are taken literally and not expanded.
ftp>hash
Toggles hash sign (#) printing for each data block transferred. The size of a data block is 1024
bytes.
ftp>help or ftp> help [command]
Prints the help message for all commands or just for the [command] specified.
ftp>idle [seconds]
Sets the inactivity timer on the remote server to the number specified by [seconds].
If [seconds] is omitted, the current inactivity timer is printed.
ftp>lcd [directory]
Changes the working directory on the local host. If no [directory] is specified, the users home
directory is used.
ftp>ls [remote_directory] [local_file]
Prints a listing of the contents of a directory on the remote host. If [remote_directory] is left
unspecified, the current working directory is used. The output of this command can be sent
to [local_file] instead of standard output.
ftp>macdef [macro_name]
Defines a macro. Subsequent lines are stored as the macro [macro_name]; a null line
(consecutive newline characters in a file or carriage returns from the terminal) terminates macro
input mode. There is a limit of 16 macros and 4096 total characters in all defined macros.
Macros remain defined until a close command is executed. The macro processor interprets $
and \ as special characters. A $ followed by a number (or numbers) is replaced by the
corresponding argument on the macro invocation command line. A $ followed by an i signals
that macro processor that the executing macro is to be looped. On the first pass $i is replaced
by the first argument on the macro invocation command line, on the second pass it is replaced
by the second argument, and so on. A \ followed by any character is replaced by that
character. Use the \ to prevent special treatment of the $.
ftp>mdelete [remote_files]
Deletes files on the remote host.
ftp>mdir [remote_files] [local_file]
Prints a listing of the directory contents in the directories specified and, optionally, sends the
output to [local_file].
ftp>mget [remote_files]
Performs a get for each file name specifed in [remote_files]. See glob for details on the
filename expansion. Resulting file names will then be processed according to case, ntrans,
and nmap settings. Files are transferred into the local working directory, which can be changed
with lcd; new local directories can be created with ! mkdir [directory].
ftp>mkdir [directory_name]
Creates a directory on the remote host.
ftp>mls [remote_files] [local_file]
Like nlist except that multiple remote files may be specified, and the [local_file] must be
specified. If interactive prompting is on, FTP will prompt the user to verify that the last argument
is indeed the target local file for receivingmls output.
ftp>mode [mode_name]
Sets the file transfer mode to [mode_name]. The default mode is stream mode.
ftp>modtime [file_name]
Shows the last modification time of the file specified on the remote host.
ftp>mput [local_files]
Performs the put command for each of the files specified. See glob for details on file name
expansion. Resulting file names will then be processed according to ntrans and nmap settings.
ftp>newer [file_name]
Gets the file only if the modification time of the remote file is more recent than the file on the
local host. If the file does not exist on the local host, the remote file is considered newer.
Otherwise, this command is identical to get.
ftp>nlist [remote_directory]
[local_file]
Prints a list of the files in a directory on the remote host. If [remote_directory] is left
unspecified, the current working directory is used. If interactive prompting is on, FTP will prompt
the user to verify that the last argument is indeed the target local file for receiving nlist output. If
no local file is specified, or if local-file is -, the output is sent to the terminal.
ftp>nmap [inpattern outpattern]
Sets or unsets the file name mapping mechanism. If no arguments are specified, the file name
mapping mechanism is unset. If arguments are specified, remote file names are mapped
during mput commands and putcommands issued without a specified remote target filename.
If arguments are specified, local file names are mapped during mget commands
and get commands issued without a specified local target file name. This command is useful
when connecting to a non-UNIX remote computer with different file naming conventions or
practices. The mapping follows the pattern set by [inpattern and outpattern] is a template for
incoming filenames (which may have already been processed according to
the ntrans and case settings). Variable templating is accomplished by including the sequences
$1, $2, , $9 in [inpattern]. Use \ to prevent this special treatment of the $ character. All
other characters are treated literally, and are used to determine the nmap [inpattern]variable
values. For example, given inpattern $1.$2 and the remote file name mydata.data, $1 would
have the value mydata, and $2 would have the value data. The outpattern determines the
resulting mapped file name. The sequences $1, $2 , , $9 are replaced by any value
resulting from the inpattern template. The sequence $0 is replace by the original file name.
Additionally, the sequence [seq1, seq2] is replaced by [seq1] if seq1 is not a null string;
otherwise it is replaced by seq2. For example, the command nmap $1.$2.$3 [$1,$2].
[$2,file] would yield the output filename myfile.data for input filenames myfile.data and
myfile.data.old, myfile.file for the input filename myfile, and myfile.myfile for the input
filename myfile. Spaces may be included in outpattern as in the example: nmap $1 sed s/
*$// > $1. Use the \ character to prevent special treatment of the $,'[,'[, and , characters.
ftp>ntrans [inchars [outchars]]
Sets or unsets the file name character translation mechanism. If no arguments are specified,
the file name character translation mechanism is unset. If arguments are specified, characters
in remote file names are translated during mput commands and put commands issued without
a specified remote target file name. If arguments are specified, characters in local file names
are translated during mget commands and get commands issued without a specified local
target file name. This command is useful when connecting to a non-UNIX remote computer with
different file naming conventions or practices. Characters in a file name matching a character
in[inchars] are replaced with the corresponding character in [outchars]. If the characters
position in [inchars] is longer than the length of [outchars], the character is deleted from the
file name.
ftp>open [host] [port]
Establishes a connection to the specified FTP server. An optional port number may be supplied,
in which case, FTP will attempt to contact the FTP server at that port. If the auto-authenticate
option is on (default), FTP will attempt to authenticate to the FTP server by sending
the AUTH command, using whichever authentication types which are locally supported. Once an
authentication type is accepted, an authentication protocol will proceed by
issuing ADAT commands. If the auto-login option is on (default), FTP will also attempt to
automatically log the user in to the FTP server.
ftp>open [host] [port] [-forward]
Same as ftp>open, but if the -forward option is specified, FTP will forward a copy of the users
Kerberos tickets to the remote host.
ftp>passive
Toggles passive data transfer mode off. In passive mode, the client initiates the data connection
by connecting to the data port. Passive mode is often necessary for operation from behind
firewalls which do not permit incoming connections, but may need to be disabled if you connect
to an FTP server which does not support passive operation.
ftp>private
Sets the protection level on data transfers to private. Data transmissions are confidentiality and
integrity protected by encryption. If no ADAT command succeeded, then the only possible level
is clear.
ftp>prompt
Toggles interactive prompting. Interactive prompting occurs during multiple file transfers to allow
the user to selectively retrieve or store files. If prompting is turned off (default is on),
any mget or mput will transfer all files, and any mdelete will delete all files.
ftp>protect [protection_level]
Sets the protection level on data transfers to [protection_level]. The valid protection levels are
clear for unprotected data transmissions, safe for data transmissions integrity protected by
cryptographic checksum, and private for data transmissions confidentiality and integrity
protected by encryption. If no ADAT commandsucceeded, then the only possible level is clear.
If no level is specified, the current level is printed. The default protection level is clear.
ftp>proxy [ftp_command]
Executes an FTP command on a secondary control connection. This command allows

simultaneous connection to two remote FTP servers for transferring files between the two
servers. The first proxy command should be open to establish the secondary control
connection. Enter the command proxy ? to see other FTP commands executable on the
secondary connection. The following commands behave differently when prefaced

by proxy: open will not define new macros during the auto-login process, close will not erase
existing macro definitions, get and mgettransfer files from the host on the primary control
connection to the host on the secondary control connection, andput, mput,
and append transfer files from the host on the secondary control connection to the host on the
primary control connection. Third party file transfers depend upon support of the FTP
protocol PASV command by the server on the secondary control connection.
ftp>put [local_file_name]
[remote_file_name]
Stores a local file on the remote host. If [remote_file_name] is left unspecified, the local file
name is used after processing according to any ntrans or nmap settings in naming the remote
file. File transfer uses the current settings for type, format, mode, and structure.
ftp>pwd
Displays the current working directory on the remote host.
ftp>quit
A synonym for ftp>bye.
ftp>quote [arg1] [arg2] []
The arguments specified are sent, verbatim, to the remote FTP server.
ftp>recv [remote_file_name]
[local_file_name]
A synonym for ftp>get.
ftp>reget [remote_file] [local_file]
Reget acts like get, except that if [local_file] exists and is smaller
than [remote_file], [local_file] is presumed to be a partially transferred copy
of [remote_file] and the transfer is continued from the apparent point of failure. This command
is useful when transferring very large files over networks that are prone to dropping
connections.
ftp>remotehelp orftp>remotehelp
[command_name]
Requests help from the remote FTP server. If [command_name] is specified it is supplied to
the server as well.
ftp>remotestatus [file_name]
Without [file_name] shows the status of the remote host. If [file_name] is specified, shows the
status of[file_name] on the remote host.
ftp>rename [from] [to]
Renames the file [from] on the remote host to the name specified in [to].
ftp>reset
Clears the reply queue. This command re-synchronizes command/reply sequencing with the
remote FTP server. Resynchronization may be necessary following a violation of the FTP
protocol by the remote server.
ftp>restart [marker]
Restarts the (?) immediately following get or put at the indicated marker. On UNIX
systems, [marker] is usually a byte offset into the file.
ftp>rmdir [directory_name]
Deletes a directory on the remote host.
ftp>runique
Toggles the storing of files on the local host with unique file names. If a file already exists with a
name equal to the target local file name for a get or mget command, a .1 is appended to the
name. If the resulting name matches another existing file, a .2 is appended to the original
name. If this process continues up to .99, an error message is printed, and the transfer does
not take place. The generated unique file name will be reported. Note that runiquewill not affect
local files generated from a shell command (see below). The default value is off.
ftp>safe
Sets the protection level on data transfers to safe. Data transmissions are integrity-protected by
cryptographic checksum. If no ADAT command succeeded, then the only possible level is
clear.
ftp>send [local_file] [remote_file]
A synonym for ftp>put.
ftp>sendport
Toggles the use of PORT commands. By default, FTP will attempt to use a PORT command
when establishing a connection for each data transfer. The use of PORT commands can prevent
delays when performing multiple file transfers. If the PORT command fails, FTP will use the
default data port. When the use of PORT commands is disabled, no attempt will be made to
use PORT commands for each data transfer. This is useful for certain FTP implementations
which do ignore PORT commands but, incorrectly, indicate theyve been accepted.
ftp>site [arg1] [arg2]
The arguments specified are sent, verbatim, to the remote FTP server as SITE commands.
ftp>size [file_name]
Displays the size of [file_name] on the remote host.
ftp>status
Shows the current FTP status.
ftp>struct [structure_name]
Sets the file transfer structure to [structure_name]. By default the stream structure is used.
ftp>sunique
Toggles the storing of files on the remote host under unique file names. The remote FTP server
must support the FTP protocol STOU command for successful completion. The remote server
will report a unique name. The default value is off.
ftp>system
Shows the type of operating system running on the remote host.
ftp>tenex
Sets the file transfer type to that needed to talk to TENEX machines.
ftp>trace
Toggles packet tracing.
ftp>type [type]
Sets the file transfer type to [type]. If no type is specified, the current type is printed. The
default type is networkASCII.
ftp>user [username] [password]

[account]
Identifies the user to the remote FTP server. If the password is not specified and the server
requires it, FTP will prompt the user for it (after disabling local echo). If an account field is not
specified, and the FTP server requires it, the user will be prompted for it. If an account field is
specified, an account command will be relayed to the remote server after the login sequence is
completed if the remote server did not require it for logging in. Unless FTP is invoked with autologin disabled, this process is done automatically on initial connection to the FTP server.
ftp>verbose
Toggles verbose mode. In verbose mode, all responses from the FTP server are displayed to
the user. In addition, when a file transfer completes statistics regarding the efficiency of the
transfer are reported. By default, verbose is on.
ftp>?
A synonym for help.
.
Up to command list
Hostname
If you are unsure of the host name of the computer you are working on, the hostname command will display it. In Linux and Unix you can
usehostname to configure the host name and associated options.
Hostname for Windows

Hostname command
(Windows)
hostname
Description
Prints the name of the current host where the name is the host name portion of the full computer
name.
Hostname for Linux

The hostname command syntax in Linux is as follows:
hostname [-v] [-a] [-d] [-f] [-A] [-i] [-I] [--all-ip-addresses] [--long] [-s] [-y]
hostname [-v] [-b] [-F filename] [--file filename] [hostname]
hostname [-v] [-h] [-V]
Hostname
command switches
(Linux)
Description
hostname [hostname]
Sets the host name.
hostname -a or -alias
Displays the alias name of the host (if used).
hostname -A or --allfqdns
Displays all FQDNs of the machine. This option enumerates all configured network addresses on all configured
network interfaces, and translates them to DNS domain names. Addresses that cannot be translated (i.e.
because they do not have an appropriate reverse DNS entry) are skipped.
hostname -b or -boot
Always set a hostname; this allows the file specified by -F to be non-existant or empty, in which case the default
hostname localhost will be used if none is yet set.

hostname -d or -domain
Displays the DNS domain name.
hostname -f or -fqdn or --long
Displays the fully qualified domain name.
hostname -F
[file] or --file [file]
Consults [file] for host name.
hostname -h or --help Displays a help message.

hostname -i or --ipaddresses
Displays the host IP address.
hostname -I or --allip-addresses
Displays all network addresses of the host. This option enumerates all configured addresses on all network
interfaces except the loopback interface and IPv6 link-local addresses. Unlike option -i, this option does not
depend on name resolution.
hostname -s or -short
Trims domain information from the display output.
hostname -v or -verbose
Verbose mode
hostname -V or -version
Displays the version information and then exits.
hostname -y or -yp or -nis [domain

name]
Displays the NIS domain name or sets a new NIS domain name with [domain name].
.
Up to command list
Ifconfig
The ifconfig command displays and configures the parameters for host network interfaces (e.g., IP address, subnet mask and default gateway) on
Linux and Unix. Its Windows counterpart is ipconfig. When used without arguments, ifconfig displays the current configurations for all network
interfaces (such as your NIC, wireless adapter, and loopback). Interface names are numbered starting at zero: eth0, eth1, wlan0, wlan1, etc.
Ifconfig options (Linux only)

The standard ifconfig command syntax is as follows:
ifconfig [interface or address_family type] options | address ...
Note that ifconfig is deprecated in Linux, as described here.
Ifconfig command
switches
Description
ifconfig
Displays details on all network interfaces.
ifconfig [interface]
The name of the interface. This is usually a driver name followed by a unit number; for example, eth0 for the
first Ethernet interface. Eth0 will usually be a PCs primary network interface card (NIC).
ifconfig [address_family]
To enable the interpretation of differing naming schemes used by various protocols, [address_family] is
used for decoding and displaying all protocol addresses. Currently supported address families
include inet (TCP/IP, default), inet6 (IPv6), ax25 (AMPR Packet Radio), ddp (Appletalk Phase
2), ipx (Novell IPX) and netrom(AMPR Packet radio).
ifconfig [interface]add
[address/prefixlength]
Add an IPv6 address to the [interface].
address [address]
Assigns the specified IP [address] to the specified [interface].
allmulti or -allmulti
Enables or disables all-multicast mode If selected, all multicast packets on the network will be received by
the interface. This enables or disables the sending of incoming frames to the kernels network layer.
arp or -arp
Enables or disables the use of the ARP protocol on this [interface].
broadcast [address]
Specifies the address to use to use for broadcast transmissions. By default, the broadcast address for a
subnet is the IP address with all ones in the host portion of the subnet address (i.e., a.b.c.255 for a /24
subnet).
ifconfig [interface] del

[address/prefixlength]
Remove an IPv6 address from the [interface].
ifconfig [interface] down
Disables the [interface].
ifconfig [interface] hw
[class] [address]
Sets the hardware (MAC) address of this [interface], if the device driver supports this operation. The
keywordmust be followed by the name of the hardware class and the printable ASCII equivalent of the
hardware address. Hardware classes currently supported
include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom(AMPR NET/ROM).
io_addr [address]
Sets the start [address] in I/O space for this device.
ifconfig [interface] irq

[address]
Sets the interrupt line used by the network interface.
mem_start [address]
Sets the start address for shared memory of the interface.
ifconfig [interface] media

[type]
Sets physical port or medium type. Examples of [type] are 10baseT, 10base2, and AUI. A [type] value
of autowill tell the interface driver to automatically determine the media type (driver support for this
command varies).
ifconfig [interface] mtu

[n]
Sets the Maximum Transfer Unit (MTU) of an interface to [n].
Sets the multicast flag on the interface (should not normally be needed as the drivers set the flag correctly
multicast
themselves).
Sets the IP subnet mask for this interface. This value defaults to the standard Class A, B, or C subnet masks
netmask [mask_address] (based on the interface IP address) but can be changed with this command.
pointopoint or pointopoint
Enables or disables point-to-point mode on this interface
promisc or -promisc
Enables or disables promiscuous mode on the interface.
txquelen [n]
Sets the transmit queue length on the interface. Smaller values are recommended for connections with high
latency (i.e., dial-up modems, ISDN, etc).
ifconfig [interface] tunnel

Creates a Simple Internet Transition (IPv6-inIPv4) device which tunnels to the IPv4 [address] provided.
[address]
ifconfig [interface] up
Activates (enables) the interface.
.
For example, this command sets the IP address, subnet mask, and broadcast address for eth0:
ifconfig eth0 192.168.10.25 netmask 255.255.255.0 broadcast 192.168.10.255
Up to command list
Ipconfig
Ipconfig can display current TCP/IP network configuration values, update or release Dynamic Host Configuration Protocol (DHCP) allocated
leases, and display, register, or flush Domain Name System (DNS) names. Its Linux/Unix counterpart is ifconfig.
Ipconfig options (Windows only)

ipconfig command switches
Description
ipconfig
Displays details on the active network interface.
ipconfig /all
Displays more details on both active and inactive network interfaces, including MAC
address, DHCP server IP address, DNS server address(es), WINS server address(es),
and whether or not NetBIOS Over TCP/IP is enabled.
ipconfig
/allcompartments and/allcompartments /all
Shows information or detailed information (all) about all network compartments.
ipconfig /displaydns
Displays the contents of the DNS client resolver cache, which includes both entries
preloaded from the local Hosts file and any recently obtained resource records for name
queries. Similar to arp -a.
ipconfig /flushdns
Flushes (deletes) the contents of the DNS client resolver cache. Similar to arp -d.
ipconfig /registerdns
Initiates dynamic registration for the DNS names and IP addresses that are configured at
a computer.
ipconfig /release and/release6 [adapter]
Releases (deletes) the dynamic (from DHCP) IPv4 or IPv6 parameters of all network
interfaces (if no specific adapter name is specified. For example, ipconfig /release
LO* releases only those interfaces starting with Lo).
ipconfig /renew and/renew6 [adapter]
Initiates communication with a DHCP server and renews the dynamic IPv4 or IPv6
parameters of all or some network interfaces. For example, ipconfig /renew LO* renews
all interfaces starting with Lo.
ipconfig /setclassid and/setclassid6

[adapter]
Modifies the DHCP or DHCPv6 class id. Classes can be vendor-defined or user-defined
and are implemented by the DHCP administrator when certain clients need different
default gateway or DNS server parameters.
ipconfig /showclassidand /showclassid6

[adapter]
Displays the DHCP or DHCPv6 class id.
.
Up to command list
Nbtstat
Nbtstat is a Windows tool used to troubleshoot NetBIOS over TCP/IP name resolution problems. NetBIOS over TCP/IP is a networking protocol
that allows legacy computer applications relying on the NetBIOS protocol to be used on modern TCP/IP networks. Therefore, it is unlikely that
NetBIOS over TCP/IP will be utilized within your network nowadays.
Nbtstat can check the state of current NetBIOS over TCP/IP (NetBT) connections, view and update the NetBIOS name cache, and determine the
names registered with Windows Internet Name Service (WINS). If you are interested, nbtstat output is described on TechNet.
Do not confuse this command with netstat.
Nbtstat options (Windows only)

The standard nbtstat command syntax is:
nbtstat [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
nbtstat command
switches
Description
nbtstat -a [remote
name]
Returns the NetBIOS name table and MAC address of the address card for the computer name specified.
nbtstat -A [remote IP
address]
Lists the same information as nbtstat -a when given the targets IP address.
nbtstat -c
Displays the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP
addresses.
nbtstat -n
Displays the NetBIOS name table of the local computer. The status of registered indicates that the name is
registered either by broadcast or with a WINS server.
nbtstat -r
Lists names resolved by broadcast and via WINS.
nbtstat -R
Purges and reloads the remote cache name table.
nbtstat -RR
Releases and then refreshes NetBIOS names for the local computer that is registered with WINS servers.
nbtstat -s
Displays NetBIOS client and server sessions, attempting to convert the destination IP address to a name.
nbtstat -S
Displays NetBIOS client and server sessions, listing the remote computers by destination IP address only.
[interval]
Redisplays selected statistics, pausing every [interval] seconds between each display. Press Ctrl+C to stop
redisplaying statistics.
.
Up to command list
Netstat
The netstat command displays the TCP/IP protocol statistics and active connections on the computer on which it was executed. Netstat is
particularly useful when you suspect that there may be unauthorized connections to your computer (such as when a possible malware infection
has occurred).Two popular graphical viewers for netstat are TCPEye and CurrPorts.
Netstat can be used to detect SYN floods that may be affecting a host. If you run a netstat command such as netstat -n -p TCP and you see many
connections in the SYN_RECV state, you know some anomaly is occurring.
Do not confuse this command with nbtstat.
Netstat for Windows

The standard netstat command syntax in Windows is:
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]
Netstat command
switches (Windows)
Description
netstat
Shows the active connections for all outbound TCP/IP connections.
netstat -a
Displays a more comprehensive list of active connections and the ports on which the computer is listening
(includes UDP).
netstat -b
Displays the executable involved in creating each connection or listening port.
netstat -e
Displays Ethernet-related statistics.
netstat -f
Displays Fully Qualified Domain Names (FQDN) for foreign addresses. With this option you can check if
your PC is connected to suspicious websites.
netstat -n
Displays active TCP connections; addresses and port numbers are expressed numerically; no attempt is
made to determine host names.
netstat -o
Displays the owning process ID (PID) associated with each connection. You can look up a PID with the
Windows Task Manager.
netstat -p [proto]
Displays connection details for only a certain protocol, where [proto] can be TCP, UDP, TCPv6, or UDPv6.
With the additional -s option, [proto] can be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
netstat -r
Displays the hosts routing table.
netstat -s
Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6,
UDP, and UDPv6; the -p option may be used to specify a subset of the default.
netstat -t
Displays the current connection offload state.
[interval]
Specifies the length of time in seconds to wait before displaying fresh statistics.
.
Up to command list
Netstat for Linux

Note that netstat is deprecated in Linux, as described here.
Netstat command
switches (Linux)
Description
netstat -a or --all
Shows both listening and non-listening sockets.
netstat -A[family] or --
Specifies the address families for which connections are to be shown. [family] is a comma separated list of
protocol=[family]
address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using
the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options.
netstat -c or -continuous
Configures netstat to refresh the displayed information every second until stopped.
netstat -C
Prints routing information from the route cache.
netstat -e or --extend
Displays an increased level of detail. Can be entered as twice (as --ee) for maximum details.
netstat -F
Prints routing information from the forward information database (FIB).
netstat -g or --groups
Displays multicast group membership information for IPv4 and IPv6.
netstat -i or -interface=[name]
Displays a table of all network interfaces, or the specified [name].
netstat -l or --listening
Shows only listening sockets (which are omitted by netstat be default).
netstat -M or -masquerade
Displays a list of masqueraded connections (connections being altered by Network Address Translation).
netstat -n or --numeric
Show numerical addresses instead of trying to determine symbolic host, port or user names (skips DNS
translation).
netstat --numeric-hosts Shows numerical host addresses but does not affect the resolution of port or user names.
netstat --numeric ports
Shows numerical port numbers but does not affect the resolution of host or user names.
netstat --numeric-users Shows numerical user IDs but does not affect the resolution of host or port names.
netstat -N or --symbolic
Displays the symbolic host, port, or user names instead of numerical representations. Netstat does this by
default.
netstat -o or --timers
Includes information related to networking timers.
netstat -p or --program
Shows the process ID (PID) and name of the program to which each socket belongs.
netstat -r or --route
Shows the kernel routing tables.
netstat -s or --statistics
Displays summary statistics for each protocol.
netstat -t or --tcp
Filters results to display TCP only.
netstat -T or --notrim
Stops trimming long addresses.
netstat -u or --udp
Filters results to display UDP only.
netstat -v or --verbose
Produces verbose output.
netstat -w or --raw
Filter results to display raw sockets only.
netstat -Z or --context
Prints the SELinux context if SELinux is enabled. On hosts running SELinux, all processes and files are
labeled in a way that represents security-relevant information. This information is called the SELinux context.
.
Some common netstat commands are:
netstat -natp
netstat -t -listening
netstat -ntu
netstat -anp (netstat -anb on Windows)
netstat -ntulp
netstat -rne
netstat -anp | grep [port_number]
Using the table above you can figure out what each of these commands does.
Up to command list
Nslookup, Dig, and Host
NSlookup (name server lookup) is a DNS query tool. This means that nslookup checks DNS records, domain host aliases, domain host
services, and operating system information by querying DNS servers. Nslookup can also be used to perform DNS zone transfers and is useful
when performing network footprinting during ethical hacking efforts. It has two modes: interactive and noninteractive. Interactive mode queries
DNS servers for details about various hosts and domains. Noninteractive mode prints only the name and requested information for a host or
domain.
Although it is still available by default on Windows and Linux/Unix, nslookup has been deprecated and further use is discouraged. It has
effectively been replaced by its successors, the dig (Domain Information Groper) and host utilities. Unlike nslookup, they are not available
natively on Windows and must be installed manually. There is a host command in Windows PowerShell but that is something different. You can
install the Windows versions of dig and host by extracting them from BIND for Windows available here.
Dig is basically an improved version of nslookup. Host enables quick lookups of DNS server information and is used to find 1) the IP address of a
given domain name and 2) the domain name of a given IP address.
Nslookup for Windows

Nslookup command switches
(Windows)
Description
C:\>nslookup
Enters interactive mode; prompt changes from C:> to >.
C:\>nslookup [DNSserver]
Enters interactive mode using a particular DNS server.
C:\>nslookup [hostnameor IPaddress]
Queries DNS for the IP address of a particular host or vice versa.
C:\>nslookup [hostnameor IPaddress]

[DNSserver]
Queries DNS for the IP address of a particular host (or vice versa) using a particular DNS
server.
C:>nslookup -type=[type]
Queries for a particular type of DNS records, where [type] can be: A, ANY, CNAME, GID,
HINFO, MB, MG, MINFO, MR, MX, NS, PTR, SOA, TXT, UID, UINFO, WKS. DNS record
types are described here and here.
C:>nslookup -type=MX [example.com]
Queries for email records for domain example.com
>exit
Exits interactive mode (back to noninteractive mode).
>finger
Connects with the finger server on the current computer.
>help
Displays a short summary of subcommands.
>ls [example.com]
Lists information for a DNS domain.
>ls -a [example.com]
Lists canonical names and aliases.
>ls -d [example.com]
Lists all DNS records for example.com. Can be used to launch a zone transfer when
connected to the SOA for a DNS zone. These transfers can be blocked in the DNS
properties of the server.
>ls -t [type] [example.com]
Lists records of the given RFC record [type] (e.g., A ,CNAME, MX, NS, PTR, etc.)
>lserver
Changes the default server to the specified DNS domain.
>root
Changes the default server to the server for the root of the DNS domain name space.
>server
Changes the default server to the specified DNS domain.
>set
Changes configuration settings that affect how lookups function.
>set all
Prints the current values of the configuration settings.
>set class=X
Changes the query class. The class specifies the protocol group of the information.
>set [no]d2
Turns exhaustive Debugging Mode on or off. All fields of every packet are printed.
>set [no]debug
Turns Debugging Mode on or off.
>set [no]defname
Appends the default DNS domain name to a single component lookup request. A single
component is a component that contains no periods.
>set domain=NAME
Changes the default DNS domain name to the name specified.
>set ignore
Ignores packet truncation errors.
>set ixfrver=X
Current version to use in IXFR transfer request.
>set [no]msxfr
Use MS fast zone transfer.
>set port
Changes the default TCP/UDP DNS name server port to the value specified.
>set querytype=X
Changes the resource record type for the query.
>set [no]recurse
Tells the DNS name server to query other servers if it does not have the information.
>set retry=X
Sets the number of retries to X.
>set root=NAME
Changes the name of the root server used for queries.
>set [no]search
Appends the DNS domain names in the DNS domain search list to the request until an
answer is received. This applies when the set and the lookup request contain at least one
period, but do not end with a trailing period.
>set srchlist=N1[/N2//N6]
Changes the default DNS domain name to N1 and search list.
>set timeout=X
Changes the initial number of seconds to wait for a reply to a request.
>set type=X
Changes the resource record type for the query.
>set [no]vc
Specifies to use or not use a virtual circuit when sending requests to the server.
>set view
Sorts and lists the output of the previous ls subcommand or commands.
>view
Sorts and lists the output of the previous ls subcommand or commands.
.
Up to command list
Nslookup for Linux
The default nslookup command syntax in Linux is:

nslookup [-option] [name | -] [server]
Nslookup command
switches (Linux)
Description
$ nslookup
Enters interactive mode; prompt changes from $ to >.
$ nslookup
[hostname or IP address]
Queries DNS for the IP address of a particular host or vice versa.
>exit
Exits nslookup.
>host [server]
Looks up information for host using the current default server or using server, if specified. If host is an
Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and
does not have a trailing period, the search list is used to qualify the name.
>server [domain] or
lserver [domain]
Changes the default server to [domain]; lserver uses the initial server to look up information
about [domain], whileserver uses the current default server. If an authoritative answer cant be found, the
names of servers that might have the answer are returned.
>set
This command is used to change state information that affects the lookups.
>set all
Prints the current values of the frequently used options to set. Information about the current default server
and host is also printed.
>set class=[value]
Changes the query class to [value].
>set class=IN
Changes the query class to the Internet class.
>set class=CH
Changes the query class to the Chaos class.
>set class=HS
Changes the query class to the Hesiod class.
>set class=ANY
Changes the query class to wildcard.
>set debug ornodebug
Turn on or off the display of the full response packet and any intermediate response packets when
searching.
(Default = nodebug; abbreviation = [no]deb)
>set d2 or nod2
Turns debugging mode on or off. This displays more about what nslookup is doing.
(Default = nod2)
>set domain=[name]
Sets the search list to [name].
>set search ornosearch
If the lookup request contains at least one period but doesnt end with a trailing period, appends the
domain names in the domain search list to the request until an answer is received.
(Default = search)
>set port=[value]
Changes the default TCP/UDP name server port to [value].

(Default = 53; abbreviation = po)
>set querytype=[value]
Changes the type of the information query.

(Default = A record; abbreviations = q, ty)
>set type=[value]
Changes the type of the information query.

(Default = A record; abbreviations = q, ty)
>set recurse orno recurse
Tells the DNS server to query other servers if it does not have the information.
(Default = recurse; abbreviation = [no]rec)
>set retry=[number]
Sets the [number] of retries to attempt.
>set timeout=[number]
Changes the initial timeout interval for waiting for a reply to number seconds.
>set vc or novc
Always use a virtual circuit when sending requests to the server.

(Default = novc)
>set fail or nofail
Tries the next nameserver if a DNS server responds with SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
(Default = nofail).
.
Up to command list
Dig for Windows and Linux

The standard dig command syntax is as follows:
dig [@server] [options] [name] [type] [class] [+queryopt...]
Dig command switches
Description
dig
Displays the DNS root servers and the the IP address of your hosts DNS server.
@[server]
The name or IP address of the DNS server to query. If no [server] argument is

provided, dig consults/etc/resolv.conf and queries the DNS server(s) listed there. The reply from the
DNS server that responds is displayed in the command output.
[name]
The domain name to query.
[type]
Indicates which type of query is required, such as ANY, A, MX, SIG, etc. If no [type] argument is
supplied, dig will perform a lookup for an A record.
dig -b [address]
Sets the source IP address of the DNS query to [address]. This must be a valid address on one of
the hosts network interfaces or 0.0.0.0 or ::. An optional port may be specified by appending
#<port>.
dig -c [class]
Sets the query [class] (described in the nslookup for Linux options above). Default is IN (Internet).
dig -f [filename]
Configures dig to process the list of lookup requests in file specified.
dig -h
Prints a brief summary of digs command-line arguments and options.
dig -k [TSIG_key_file]
Signs the DNS queries sent by dig and their responses using transaction signatures (TSIG).
dig -m
Enables memory usage debugging.
dig -p [portnumber]
Configures the port number for dig to query. Of course, the default port is 53 for DNS.
dig -q [name]
Sets the query name to the [name] parameter value specified.
dig -t [type]
Sets the [type] of query to be performed. Default is A.
dig -x [addr]
Used for reverse lookups (IP address to host name, rather than vice versa).
dig -y[hmac:]name:key]
Signs DNS queries by specifying the TSIG key itself on the command line. hmac is the type of the
TSIG, default HMAC-MD5, [name] is the name of the TSIG key and [key] is the actual key. The key
is a base-64 encoded string, typically generated by dnssec-keygen.
dig +aaflag or+noaaflag
A synonym for +[no]aaonly.
dig +aaonly or+noaaonly
Sets or removes the aa flag in the query.
dig +additional or+noadditional
Displays or does not display the additional section of a reply. The default is to display it.
dig +adflag or+noadflag
Set or removes the AD (authenticated data) bit in the query. This requests the DNS server to return
whether all of the answer and authority sections have all been validated as secure according to the
security policy of the server. AD=1 indicates that all records have been validated as secure and the
answer is not from an OPT-OUT range. AD=0 indicates that some part of the answer was insecure
or not validated.
dig +all or +noall
Sets or clears all display flags.
dig +answer or+noanswer
Displays or does not display the answer section of a reply. The default is to display it.
dig +authority or+noauthority
Displays or does not display the authority section of a reply. The default is to display it.
dig +besteffort or+nobesteffort
Attempts to display the contents of messages which are malformed. The default is to not display
malformed answers.
dig +bufsize=[B]
Sets the UDP message buffer size advertised using EDNS0 to [B] bytes. The maximum and
minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up
or down appropriately. Values other than zero will cause an EDNS query to be sent.
dig +edns=# or+noedns
Specifies the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will
cause a EDNS query to be sent. +noedns clears the remembered EDNS version.
dig +cdflag or+nocdflag
Sets or removes the CD (checking disabled) bit in the query. This requests the server to not perform
DNSSEC validation of responses.
dig +cl or +nocl
Display or does not display the CLASS when printing the record.
dig +cmd or+nocmd
Toggles or untoggles the printing of the initial comment in the output identifying the version
of dig and the query options that have been applied. This comment is printed by default.
dig +commentsor +nocomments Toggle or untoggles the display of comment lines in the output. The default is to print comments.
dig +defname or+nodefname
Deprecated; treated as a synonym for +[no]search.
dig +domainname=[somename]
Set the search list to contain the single domain [somename], as if specified in a domain directive
in /etc/resolv.conf, and enable search list processing as if the +search option were given.
dig +dnssec or+nodnssec
Requests DNSSEC records be sent or not sent by setting the DNSSEC OK bit (DO) in the OPT
record in the additional section of the query.
dig +fail or+nofail
Try or do not try the next server if you receive a SERVFAIL. The default is to not try the next server
which is the reverse of normal stub resolver behavior.
dig +identify or+noidentify
Shows or does not show the IP address and port number that supplied the answer when
the +short option is enabled. If short form answers are requested, the default is not to show the
source address and port number of the server that provided the answer.
dig +ignore or+noignore
Ignores or does not ignore truncation in UDP responses instead of retrying with TCP. By default,
TCP retries are performed.
dig +multiline or+nomultiline
Prints or does not print records like the SOA records in a verbose multi-line format with humanreadable comments. The default is to print each record on a single line, to facilitate machine parsing
of the dig output.
dig +ndots=[D]
Sets the number of dots that have to appear in name to [D] for it to be considered absolute. The
default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement
is present. Names with fewer dots are interpreted as relative names and will be searched for in the
domains listed in the search or domain directive in/etc/resolv.conf.
dig +nsid or+nonsid
Include or exclude an EDNS name server ID request when sending a query.
dig +nssearch or+nonssearch
When this option is set, dig attempts to 1) find the authoritative name servers for the zone containing
the name being looked up and 2) display the SOA record that each name server has for the zone.
dig +onesoa or+noonesoa
Print only one (starting) SOA record when performing an AXFR. The default is to print both the
starting and ending SOA records.
dig +qr or +noqr
Prints or does not print the query as it is sent. By default, the query is not printed.
dig +question or+noquestion
Prints or does not print the question section of a query when an answer is returned. The default is to
print the question section as a comment.
dig +retry=[T]
Sets the number of times to retry UDP queries to server to [T] instead of the default, 2.
Unlike +tries, this does not include the initial query.
dig +search or+nosearch
Uses or does not use the search list defined by the searchlist or domain directive in resolv.conf (if
any). The search list is not used by default.
dig +short or+noshort
Provides or does not provide a terse (brief) answer. The default is to print the answer in a verbose
form.
dig
+showsearchor+noshowsearch
Performs or does not perform a search showing intermediate results.
dig +sigchase or+nosigchase
Chases or does not chase DNSSEC signature chains. Requires dig be compiled with
-DDIG_SIGCHASE.
dig +stats or+nostats
This query option toggles or untoggles the printing of statistics; i.e., when the query was made, the
size of the reply, and so on. The default behavior is to print the query statistics.
dig +tcp or+notcp
Uses or does not use TCP when querying name servers. The default behavior is to use UDP unless
an AXFR (full) orIXFR (incremental) query is requested, in which case a TCP connection is used.
dig +time=[T]
Sets the timeout for a query to [T] seconds. The default timeout is 5 seconds. An attempt to
set [T] to less than 1 will result in a query timeout of 1 second being applied.
dig +ttlid or+nottlid
Displays or does not display the TTL when printing the record.
dig +topdown or+notopdown
When chasing DNSSEC signature chains, performs or does not perform a top-down validation.
Requires dig be compiled with -DDIG_SIGCHASE.
dig +trace or+notrace
Toggle or untoggles tracing of the delegation path from the root name servers for the name being
looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to
resolve the name being looked up. It will follow referrals from the root servers, showing the answer
from each server that was used to resolve the lookup
dig +tries=[T]
Sets the number of times to try UDP queries to server to [T] instead of the default, 3. If [T] is less
than or equal to zero, the number of tries is silently rounded up to 1.
dig +trusted-key=####
Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be
on its own line. If not specified, dig will look for /etc/trusted-key.key, then trusted-key.key in the
current directory. Requires dig be compiled with -DDIG_SIGCHASE.
dig +vc or +novc
Uses or does not use TCP when querying name servers. This alternate syntax to +[no]tcp is
provided for backwards compatibility. The vc stands for virtual circuit.
.
Here are some sample commands using dig.
Only displays the IP address for the domain:

dig http://www.kernel.org +short
Displays the email servers for the domain:
dig kernel.org MX +noall
Displays all available data for all domains listed in domains.txt:
dig -f domains.txt ALL +noall +answer
Attempts a zone transfer from the domain specified:
dig kernel.org AXFR
Up to command list
Host for Windows and Linux

The standard host command syntax is as follows:
host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
Host command
switches
Description
host -a
Equivalent to setting the -v option and asking host to make a query of [type] ANY.
host -c [class]
Specifies the DNS query class (described in the nslookup for Linux options above). Default is IN (Internet).
host -C
[zone_name]
Attempts to display the SOA records for [zone_name] from all the listed authoritative name servers for that zone.
The list of name servers is defined by the NS records that are found for the zone.
host -d or -v
Enables verbose output.
host -i
Specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC 1886. The
default is to use IP6.ARPA.
host -l
Enables list mode which makes host perform a zone transfer for [zone_name]. Transfer the zone printing out the
[zone_name]
NS, PTR and address records (A/AAAA). If combined with -a all records will be printed.
host -m
[zone_name]
Used to set the memory usage debugging flags [record], [usage] and [trace].
host -N [name]
Sets the number of dots that have to be in name for it to be considered absolute. The default value is that defined
using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are
interpreted as relative names and will be searched for in the domains listed in the search or domain directive
in /etc/resolv.conf.
host -r [name]
Specifies non-recursive queries. Setting this option clears the RD (recursion desired) bit in the query
which host makes. This should mean that the name server receiving the query will not attempt to resolve [name].
The -r option enables hostto mimic the behavior of a DNS server by making non-recursive queries and expecting to
receive answers to those queries that are usually referrals to other DNS servers.
host -R [number] Changes the number of UDP retries for a lookup.

host -s
Used to set the memory usage debugging flags [record], [usage] and [trace].
host -t [type]
Selects the DNS query type, where [type] can be CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query [type] is
specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but
if the -C option was given, queries will be made for SOA records, and if [name] is a dotted-decimal IPv4 address or
colon-delimited IPv6 address, host will query for PTR records.
host -T
Makes host use a TCP connection when querying a DNS server.
host -w
Configures host to effectively wait forever for a reply.
host -W [wait]
Makes host wait for [wait] seconds.
host -4
Forces host to only use IPv4 query transport.
host -6
Forces host to only use IPv6 query transport.
.
Up to command list
PathPing
PathPing is a Windows utility that combines features from ping and tracert. PathPing sends packets to each router (hop) on the way to a
destination over a period of time, and then computes the packets lost and the performance statistics for each hop. Like tracert, PathPing can
identify problematic network hosts. The destination can be specified by DNS name or IP address.
You can download a neat little PathPing desktop gadget (for Windows Vista or 7) from TechRepublic here. Youll have to rename
the PathPing.zip file to PathPing.gadget.
Two PathPing switches are apparently no longer supported on Windows 7: -R (RSVP test) and -T (Layer Two tag).
Pathping options (Windows only)

The standard PathPing command syntax is:
pathping [-g host-list] [-h max_hops] [-i address] [-n] [-p period] [-q num_queries] [-w timeout] [-4] [-6]
target_name
PathPing command switches
Description
pathping -g
Loose source route along host list.
pathping -h [number]
Maximum [number] of hops to search for target.
pathping -i [address]
Use the specified source [address].
pathping -n
Do not resolve addresses to hostnames.
pathping -p [milliseconds]
Wait period [milliseconds] between pings.
pathping -q [number]
[Number] of queries per hop.
pathping -w [milliseconds]
Wait timeout in [milliseconds] for each reply.
pathping -4
Force using IPv4.
pathping -6
Force using IPv4.
.
Up to command list
Ping
The ping (Packet InterNet Groper) command is arguably the most useful networking troubleshooting utility; it is definitely the simplest and most
used.Ping tests the online status of a host on an IP network and measures the total round-trip time (in milliseconds) for packets sent from the
source host to a destination host and back. Ping does this by sending Internet Control Message Protocol (ICMP) packets (usually). ICMP is a
protocol that works with IP to provide error checking and reporting functionality. Ping sends ICMP echo requests to a remote host. If the host is
able to respond, it replies with echo reply.
When you ping a destination name, the replies will tell you the hosts IP address, the number of bytes sent, round-trip time, and the packets Time
to Live (TTL). When you ping a destination IP address, it responds with all the above except for the host name (unless you provide the -a switch).
Ping doesnt just test connectivity it can also verify that TCP/IP is installed correctly and that DNS name resolution is working properly (see Part
1 of this blog post).
Standard ICMP pings do not utilize port numbers or use TCP or UDP; ICMP is a Layer 3 (Network layer) protocol. TCP and UDP operate at Layer
4, the Transport layer.
The ping command can be misused in a variety of denial of service attacks, such as the Ping of Death, Smurf attack, and Ping flood. However,
ICMP serves more functions than just enabling ping requests and replies. ICMP is important in several other ways for proper IP function (such as
MTU discovery, unreachable notifications, etc.) so disabling it altogether is not advised.
Ping for Windows

In Windows the ping command follows this standard syntax:
ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v ToS] [-r count] [-s count] [[-j host-list] | [-k hostlist]] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name
Ping command
switches
(Windows)
ping -a
Description
Specifies that reverse name resolution is performed on the destination IP address.
ping -f
Specifies that Echo Request messages are sent with the Dont Fragment flag in the IP header set to 1 (available
on IPv4 only).
ping -i [TTL]
Specifies the value of the TTL field in the IP header for Echo Request messages sent. The default is the default
TTL value for the host. The maximum [TTL] is 255.
ping -j [hostlist]
Specifies that the Echo Request messages use the Loose Source Route option in the IP header with the set of
intermediate destinations specified in [HostList] (available on IPv4 only). With loose source routing, successive
intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or
names in the host list is 9. The host list is a series of IP addresses (in dotted decimal notation) separated by
spaces.
ping -k [hostlist]
Specifies that the Echo Request messages use the Strict Source Route option in the IP header with the set of
intermediate destinations specified in [HostList] (available on IPv4 only). With strict source routing, the next
intermediate destination must be directly reachable (it must be a neighbor on an interface of the router). The
maximum number of addresses or names in the host list is 9. The host list is a series of IP addresses (in dotted
decimal notation) separated by spaces.
ping -l [size]
Specifies the length, in bytes, of the Data field in the Echo Request messages sent. The default size is 32. The
maximum size is 65,527.
ping -n [count]
Specifies the number of Echo Request messages sent. The default is 4.
ping -r [count]
Specifies that the Record Route option in the IP header is used to record the path taken by the Echo Request
message and corresponding Echo Reply message (available on IPv4 only). Each hop in the path uses an entry in
the Record Route option. If possible, specify a [count] that is equal to or greater than the number of hops
between the source and destination. The [count] must be a minimum of 1 and a maximum of 9.
ping -R
Specifies that the round-trip path is traced (IPv6 only).
ping -s [count]
Specifies that the Internet Timestamp option in the IP header is used to record the time of arrival for the Echo
Request message and corresponding Echo Reply message for each hop. The [count] must be a minimum of 1
and a maximum of 4. This is required for link-local destination addresses.
ping -S [SrcAddr]
Specifies the source address to use (IPv6 only).
ping -t
Specifies that ping continue sending Echo Request messages to the destination until interrupted. To interrupt and
display statistics, press CTRL+BREAK. To interrupt and quit ping, press CTRL+C.
ping -v [ToS]
Specifies the value of the Type of Service [ToS] field in the IP header for Echo Request messages sent (available
on IPv4 only). The default is 0. [ToS] is specified as a decimal value from 0 through 255.
ping -w [timeout]
Specifies the amount of time, in milliseconds, to wait for the Echo Reply message that corresponds to a given
Echo Request message to be received. If the Echo Reply message is not received within the time-out, the
Request timed out error message is displayed. The default [timeout] is 4000 (4 seconds).
ping -4
Specifies that IPv4 is used to ping. This parameter is not required to identify the target host with an IPv4 address.
It is only required to identify the target host by name.
ping -6
Specifies that IPv6 is used to ping. This parameter is not required to identify the target host with an IPv6 address.
It is only required to identify the target host by name.
.
Up to command list
Ping for Linux

Ping command
switches (Linux)
Description
ping -a
Audible ping.
ping -A
Adaptive ping (interpacket interval adapts to round-trip time).
ping -b
For pinging a broadcast address.
ping -B
Does not allow ping to change the source address of probes. The address is bound to the one selected
when pingstarts.
ping -c [count]
[deadline]
Stops after sending [count] ECHO_REQUEST packets. With [deadline] option, ping waits
for [count]ECHO_REPLY packets, until the timeout expires.
ping -d
Sets the SO_DEBUG option on the socket being used. Essentially, this socket option is not used by Linux
kernel.
ping -D
Prints the timestamp (Unix time + microseconds, as in gettimeofday) before each line.
ping -f
For every ECHO_REQUEST sent, a period (.) is printed, while for every ECHO_REPLY received a backspace is
printed. This provides a rapid display of how many packets are being dropped.
ping -F
Only for ping6. Allocates and sets a 20-bit flow label on ECHO_REQUEST packets. If the value is zero, the
kernel allocates a random flow label.
ping -i [interval]
Wait [interval] seconds between sending each packet. The default is to wait for one second between each
packet normally, or not to wait in flood mode (-f).
ping -I [interface]
Sets the source address to the specified interface, whether numeric IP address or name of device. When
pinging IPv6 link-local addresses this option is required.
ping -l [preload]
Sends [preload] number of packets and does not wait for replies. Only the super-user may select
a [preload] of more than 3.
ping -L
Suppress loopback of multicast packets (only applies if the ping destination is a multicast address).
ping -m
Uses [mark] to tag the packets going out.
ping -M [hint]
Selects path MTU discovery strategy. [Hint] may be either do (prohibit fragmentation, even local one), want (do
PMTU discovery, fragment locally when packet size is large), or dont (do not set DF flag).
ping -n
Specifies numeric output only. No attempt is made to look up symbolic names for IP addresses.
ping ->N
Sends ICMPv6 Node Information Queries (RFC 4620), instead of Echo Request.
ping -p [pattern]
Specifies up to 16 pad bytes (in hex) to fill out the packet you send. For example, -p ff will cause the sent
packet to be filled with all ones.
ping -q
Quiet output. Nothing is displayed except the summary lines at command startup time and when finished.
ping -Q [tos]
Sets Quality of Service-related bits in ICMP datagrams. [Tos] can be either decimal or hex number.
ping -r
Bypasses the normal routing tables and sends directly to a host on an attached interface. If the host is not on a
directly attached network, an error is returned.
ping -R
Records the route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the
route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Many hosts
ignore or discard this option.
ping -s [packet_size]
Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when
combined with the 8 bytes of ICMP header data.
ping -S [sndbuf]
Set the socket send buffer. If not specified, it is selected to buffer not more than one packet.
ping -t [TTL]
Sets the IP TTL to [TTL] seconds.
ping -T [timestamp]
[opt]
Sets special IP timestamp options. [Timestamp] option may be either tsonly (only
timestamps), tsandaddr(timestamps and addresses) or tsprespec host1
ping -U
Prints full user-to-user latency (the old behavior).
ping -v
Verbose command output.
ping -V
Shows version and exits.
ping -w [deadline]
Specifies a deadline (or timeout), in seconds, before ping exits regardless of how many packets have been sent
or received.
ping -W [timeout]
Time to wait for a response, in seconds. The option affects only timeout in absense of any responses,
otherwiseping waits for two RTTs.
.
Up to command list
Route
Route enables the manipulation and viewing of a computers routing table. In other words, it lets you add or remove entries in the routing table.
Route for Windows

In Windows the route command follows this syntax:
route [-f] [-p] [-4 or -6][Command [Destination] [mask] [Gateway] [<metric]] [if]]
Route command switches

(Windows)
Description
route -f
Clears the routing tables of all gateway entries. If this is used in conjunction with one of the
commands, the tables are cleared prior to running the command.
route -p
When used with the ADD command, makes a route persistent across boots of the system. By default,
routes are not preserved when the system is restarted.
route -4
Force using IPv4.
route -6
Force using IPv6.
route ADD
Adds a route.
route CHANGE
Modifies an existing route.
route DELETE
Deletes a route.
route PRINT
Prints a route
.
Adds a persistent route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1:
route add 10.41.0.0 mask 255.255.0.0 10.27.0.1
Up to command list
Route for Linux

The standard route command syntax in Linux is as follows:
route [options] [add or del] [-net or -host] address [modifiers]
Note that route is deprecated, as described here.
Route command
switches (Linux)
Description
route
Displays the hosts routing tables.
route -A [family]
[add]or route --[family]
[add]
Uses the specified address family with add or del. Valid families are inet (DARPA
Internet), inet6 (IPv6), ax25(AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk
DDP), and x25 (CCITT X.25).
route -C or --cache
Operates on the kernels routing cache instead of the forwarding information base (FIB) routing table.
route -e or -ee
Uses the netstat-r format to display the routing table. -ee will generate a very long line with all parameters
from the routing table.
route -F or --fib
Operates on the kernels Forwarding Information Base (FIB) routing table (default behavior).
route -h or --help
Prints the help message.
route -n
Shows numerical IP addresses and bypass host name resolution.
route -v or --verbose
Enables verbose command output.
route -V or --version
Dispays the version of net-tools and the route command.
route add or del
Adds or delete a route in the routing table.
route [add or del] dev
Associates a route with a specific device. If dev [interface] is the last option on the command line, the
[interface]
worddev may be omitted.
route [add or del] [default]

gw [gw]
Routes packets through the specified gateway.
route [add or del] -host
Specifies that the target is a host (not a network).
route [add or del] -irtt [I]
Sets the initial round trip time (IRTT) for TCP connections over this route to [I] milliseconds (1-12000). This
is typically only used on AX.25 networks. If omitted the RFC 1122 default of 300ms is used.
route [add or del] -net
Specifies that the target is a network (not a host).
route [add or del] [-host

or -net] netmask [mask]
Sets the subnet [mask].
route [add or del] metric

[n]
Sets the metric field in the routing table (used by routing daemons) to the value of [n].
route [add or del] mod,

dyn, or reinstate
Install a dynamic or modified route. These flags are for diagnostic purposes, and are generally only set by
routing daemons.
route [add or del] mss

[bytes]
Sets the TCP Maximum Segment Size (MSS) for connections over this route to the number
of [bytes]specified.
route [add or del] reject
Installs a blocking route, which will force a route lookup to fail. This is used to mask out networks before
using the default route. This is not intended to provide firewall functionality.
route [add or del] window

[W]
Set the TCP window size for connections over this route to the value of [W] bytes. This is typically only
used on AX.25 networks and with drivers unable to handle back-to-back frames.
.
These examples should clarify the syntax of the route command.
Adds the normal loopback entry, using netmask 255.0.0.0 (class A net, determined from the destination address) and associated with the lo
device (assuming this device was previously set up correctly with ifconfig):
route add -net 127.0.0.0

Adds a route to the network 192.56.76.x via eth0. The Class C netmask modifier is not really necessary here because 192.* is a Class C IP
address. The word dev can be omitted here:
route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
Adds a default route (which will be used if no other route matches). All packets using this route will be gatewayed through 192.168.100.1 for
interfaceeth0. The word dev can be omitted here.
route add default gw 192.168.100.1 dev eth0
Up to command list
Telnet
Telnet is a network protocol that allows for connections and user sessions on remote hosts. It is called a terminal emulator because it lets you
work on a remote host as if you were seated in front of it and using its monitor, keyboard, and mouse. A computer terminal is defined as an
electronic or electromechanical hardware device that is used for entering data into, and displaying data from, a computer or a computing system.
The input and output devices described above create a terminal environment, and telnet lets you mimic that environment on another computer
(also referred to as getting a shell on the remote host).
Any information security professional worth his salt will tell you that using telnet is not recommended as all logins, passwords and commands are
transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials and sensitive data of other users. The Secure
Shell (SSH) protocol has effectively replaced telnet; however, in closed, restricted networks where there is zero chance of an attacker performing
packet sniffing, telnet can be used. You should still make efforts to phase telnet out and replace it with SSH because it is a very important and
useful protocol to learn.
This page supposedly lists free telnet servers that you can connect to and practice on.
By running a telnet connection to the open ports on a host, you can view the banners that reveal which service is answering on those specific
ports. Many email, FTP, and web servers will respond to telnet connection requests with the name and version of their email, FTP, and web
software (such as Exchange, IIS, etc). If you want to grab the banner of a web server, type:
telnet <IPaddress> 80
HEAD/HTTP/1.0
Telnet is not installed by default on Windows Vista, 7, or 2008. To learn how to get telnet running on these operating systems, use the instructions
located on TechNet.
Telnet for Windows

The standard telnet command syntax in Windows is:
telnet [-a][-eescape_char][-flog_file][-luser_name][-tterm]host [port]
(where host specifies the NetBIOS name, fully qualified domain name, or IP address of the host with which you want to create a telnet connection,
and port specifies the TCP port on which you want to create a telnet connection. The default telnet port is 23).
Telnet command switches

(Windows)
Description
telnet [servername]
[portnumber]
Starts the telnet client and attempts to initiate a session with [servername] on [portnumber]. If
no [portnumber] is provided, the default port 23 is used.
telnet -a
Instructs telnet.exe to log on to the host using the credentials of the user who is currently logged on to
the client.
telnet -e [escape_char]
Specifies an escape character, which displays the telnet command prompt. The default escape
character is Ctrl+].
telnet -f [log_file]
Creates a client-side log file and turns on client-side logging for the current session.
The [log_file] parameter must consist of a path and file name.
telnet -l [user_name]
Instructs telnet.exe to log on to the host using the user account that is specified in [user_name]. The
user account specified in [user_name] must have Telnet logon rights on the host.
telnet -t [term]
Specifies the terminal type. The default terminal type is ANSI. Other valid terminal types include VT52,
VT100, and VTNT.
close or c
Closes an existing Telnet connection.
display
Use the display command to view the current settings for the telnet client. The display command lists
the current operating parameters. If you are in a telnet session (connected to a telnet server), to modify
the parameters, press CTRL+]. This escapes from the telnet session. (To return to the Telnet session,
press ENTER.)
display WILL AUTH
Enables NTLM authentication.
display WONT AUTH
Indicates that NTLM authentication is disabled, and that user IDs and passwords will be sent in
plaintext.
display WILL TERM TYPE

display WONT TERM TYPE
display LOCALECHO off
display LOCALECHO off
enter
Go to the connected session (if it exists).
open or o
Establish a telnet connection with a host computer or remote server. For example, o telnet.org 44 will
attempt to connect your computer to telnet.org using port 44.
quit or q
Exit telnet.
send
Sends commands to the telnet server.
send ao
Abort output command.
send ayt
Are you there? command.
send brk
Sends a break signal.
send esc
Sends the current escape character.
send ip
Interrupts the current process.
send synch
Performs the telnet synch operation.
set
Set the terminal type for the connection, turn on local echo, set authentication to NTLM, set the escape
character, and set up logging.

set bsasdel
Backspace will be sent as delete.
set crlf
Sets new-line mode; causes the RETURN key to send the combination of carriage return and line feed:
0x0D, 0x0A. When turned off, it sends only the carriage return character, 0x0D.
set delasbs
Delete will be sent as backspace.
set escape [character]
Specifies the [character] that will switch from telnet session mode to the telnet command mode. While
in telnet command mode, press ENTER to return to telnet session mode.
set localecho
Turns on local echo. All characters typed will be displayed on the local console. Remote Telnet servers
usually send each character typed back, so setting this option could result in duplicate characters
displayed for each one typed.
set logfile [name]
Specifies the [name] of the file to which the telnet log is written for this session. If you do not specify
the path of the file, it is created in your current directory. Specifying a log file also turns on logging. The
log file must be on your local computer.
set logging
Turns on logging for this session. If no log file is set, an error message is displayed.
set mode {console | stream}
Changes the mode of operation from console mode to stream mode. Setting the mode to stream turns
off the ANSI or other escape commands that attempt to control cursor placement or clearing the
screen. Setting the mode to console causes Telnet server to include ANSI or other escape commands
to control cursor positioning within a fixed window of x rows and y columns. Stream mode is useful
when you do not want the Telnet client to emulate a terminal. The output is sent as if there is no
terminal window with x rows and y columns. Some applications that use telnet for file transfer fail to
work correctly when console mode is enabled.
set ntlm
Turns on NTLM authentication.
set term {ansi | vt100 | vt52 |

vtnt}
Specifies the type of terminal you want telnet client to emulate. You should use the VT100 terminal
type if you are running normal command-line applications.
status
Determines whether the computer running the telnet client is connected.
unset
Turns off an option previously set by using the set command
.
Up to command list
Telnet for Linux

The standard telnet command syntax in Linux is:
telnet [-l user] [-a] host-name [port]
telnet [-8EFKLacdfrx] [-X authtype] [-b hostalias] [-e escapechar] [-k realm] [-l user] [-n tracefile] [host
[port]]
Telnet command
switches (Linux)
Description
telnet
Enters telnet command mode (prompt becomes telnet>).
telnet -a
Attemps automatic login to the remote host.
telnet -b [hostalias]
Uses bind to bind the local socket to an aliased address (see ifconfig --alias) or to the address of an
interface different from the one selected by connect.
telnet -c
Disables the reading of the users .telnetrc file. The .telnetrc file contains the setup information for a telnet
session. It is a hidden file in your home directory and must be readable by the user logging in.
telnet -d
Enables debugging at the socket level.
telnet -e [escape_char]
Sets the initial telnet escape character to [escapechar]. If [escapechar] is omitted, then there will be no
escape character.
telnet -E
Stops any character from being recognized as an escape character.
telnet -f
If Kerberos V5 authentication is being used, allows the local credentials to be forwarded to the remote host.
telnet -F
If Kerberos V5 authentication is being used, allows the local credentials to be forwarded to the remote host,
including any credentials that have already been forwarded into the local environment.
telnet -k [realm]
If Kerberos authentication is being used, requests that telnet obtain tickets for the remote host in
realm [realm]instead of the remote hosts realm.
telnet -K
Prevents automatic login to the remote host.
telnet -l [user]
When connecting to the remote host, if the remote host understands the ENVIRON option, then [user] will
be sent as the value for the variable USER. This option implies the -a option and may also be used with
the opencommand.
telnet -L
Specifies an 8-bit data path on output. This causes the BINARY option to be negotiated on output.
telnet -n [trace_file]
Opens [trace_file] for recording the trace information.
telnet -r
Specifies a user interface similar to rlogin. In this mode, the escape character is set to the tilde (~) character,
unless modified by the -e option.
telnet -x
Enables encryption of the data stream, if possible.
telnet -X [auth_type]
Disables the [auth_type] type of authentication.
telnet> close
Ends the session and closes the current connection.
telnet> display
Displays the telnet operating parameters.
telnet> environ
Changes the environment variables. Possibilities include:

.
define: defines an environment variable.
export: marks an environment variable for automatic export.
list: lists the current environment variables.
send: sends an environment variable.
undefine: undefines an environment variable.
unexport: dont mark an environment variable for automatic export.

?: prints help information.
telnet> logout
Forcibly logs out the remote user and closes the connection.
telnet> mode [mode]
Tries to enter line or character mode where [mode] is one of the following:
.
character: disables LINEMODE option (or disables obsolete line-by-line mode).
line: enables LINEMODE option (or enables obsolete line-by-line mode). These two require the LINEMODE
option to be enabled.
isig: enables signal trapping.
-isig: disables signal trapping.
edit: enables character editing.
-edit: disables character editing.
softtabs: enables tab expansion.
-softtabs: disables character editing
litecho: enables literal character echo.
-litecho: disables literal character echo.
?: prints help information.
telnet> open [port]
Connects to a host.
telnet> quit
Exits telnet.
telnet> send
Transmits special characters as defined below.

.
abort: sends Telnet Abort Process.
ao: sends Telnet Abort output.
ayt: sends Telnet Are You There.
brk: sends Telnet Break.
ec: sends Telnet Erase Character.
el: sends Telnet Erase Line.
eof: sends Telnet End of File Character.

eor: sends Telnet End of Record.
escape: sends current escape character.
ga: sends Telnet Go Ahead sequence.
getstatus: sends request for STATUS.
ip: sends Telnet Interrupt Process.
nop: sends Telnet No operation.
susp: sends Telnet Suspend Process.
synch: performs Telnet Synch operation.
?: displays send options.
telnet> set
Sets operating parameters as described below.

.
debug: enables debugging.
echo: character to toggle local echoing on/off.
escape: character to escape back to telnet command mode.
netdata: enables printing of hexadecimal network data (debugging).
options: enables viewing of options processing (debugging).
prettydump: enables output of netdata to user readable format (debugging).
rlogin: rlogin escape character.
termdata: enables (debugging) toggle printing of hexadecimal terminal data.
tracefile: the file to write trace information to.
?: display help information.
.
The following need localchars to be toggled true':
.
eof: character to cause an EOF.
flushoutput: character to cause an Abort Output.
interrupt: character to cause an Interrupt Process.
quit: character to cause an Abort process.
.
The following are for local editing in linemode:

.
autoflush: enables flushing of output when sending interrupt characters.
autosynch: enables automatic sending of interrupt characters in urgent mode.
crlf: enables sending carriage returns as telnet <CR><LF>
crmod: enables mapping of received carriage returns.
erase: character to use to erase a character.
forw1: alternate end of line character.
forw2: alternate end of line character.
inbinary: enables receiving of binary data.
kill: character to use to erase a line.
lnext: character to use for literal next.
localchars: enables local recognition of certain control characters.
outbinary: enables sending of binary data.
reprint: character to use for line reprint.
start: character to use for XON.
stop: character to use for XOFF.
skiprc: enable dont read ~/.telnetrc file.
susp: character to cause a Suspend Process.
worderase: character to use to erase a word.
telnet> slc
Changes the state of special charaters as follows:

.
check: Verify remote special character definitions.
export: Use local special character definitions.
import: Use remote special character definitions.
?: Print help information.
telnet> status
Prints connection status information.
telnet> toggle
Toggles operating parameters as follows:

.
autoflush: toggle flushing of output when sending interrupt characters.

autosynch: toggle automatic sending of interrupt characters in urgent mode.
binary: toggle sending and receiving of binary data.
crlf: toggle sending carriage returns as telnet <CR><LF>.
crmod: toggle mapping of received carriage returns.
debug: toggle debugging.
inbinary: toggle receiving of binary data.
localchars: toggle local recognition of certain control characters.
netdata: toggle printing of hexadecimal network data (debugging).
options: toggle viewing of options processing (debugging).
outbinary: toggle sending of binary data.
prettydump: toggle output of netdata to user readable format (debugging).
skiprc: toggle dont read ~/.telnetrc file.
termdata: toggle (debugging) toggle printing of hexadecimal terminal data.
telnet> unset
Unsets operating parameters; the opposite of telnet> set.
telnet> z
Suspends a telnet session.
telnet> !
Invokes a subshell.
telnet> ?
.
Up to command list
Traceroute and Tracert

Traceroute (tracert in Windows) is a network diagnostic tool for displaying the route (path) of packets and measuring their transit delays across an
IP network. Traceroute works by increasing the TTL value of each successive set of packets sent. The first set of packets has a hop limit value of
1, so they are not forwarded by the first router. The next set has a hop limit value of 2, so that the second router will send the error reply. This
continues until the destination host receives the packets and returns an ICMP Echo Reply message. In other words, the TTL value on each packet
increments by one after each hop is reached. Then the packet returns, ensuring that the response comes back explicitly from that hop (its name
and IP address are also displayed). Traceroute uses the returned ICMP messages to produce a list of routers that the packets have traversed.
The timestamp values returned for each router along the path are the delay (latency) values measured in milliseconds for each packet.
The traceroute/tracert tool will time out (indicated in the command output by an asterisk) when it encounters a firewall or a packet-filtering router.
Traceroute in Linux and Unix uses UDP by default, while tracert in Windows uses ICMP.
If you would like to try a graphical frontend for traceroute/tracert, you can try MTR and WinMTR.
Tracert options (Windows only)

The standard tracert command syntax is:
tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name
Tracert
command
switches
Description
tracert
[destination]
Traces the path to the host or IP address named [destination].
tracert -d
Prevents tracert from attempting to resolve the IP addresses of intermediate routers to their names (which can
speed up the display of tracert results).
tracert -h
[MaxHops]
Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops.
tracert -j
[HostList]
Specifies that Echo Request messages use the Loose Source Route option in the IP header with the set of
intermediate destinations specified in [HostList]. With loose source routing, successive intermediate destinations
can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9.
The [HostList] is a series of IP addresses (in dotted decimal notation) separated by spaces.
tracert -w
[timeout]
Specifies the amount of time in milliseconds to wait for the ICMP Time Exceeded or Echo Reply message
corresponding to a given Echo Request message to be received. If not received within the time-out, an asterisk (*) is
displayed. The default time-out is 4000 (4 seconds).
tracert -R
Trace round-trip path (IPv6-only).
tracert -S
[srcaddr]
Source address to use (IPv6-only).
tracert -4
Force using IPv4.
tracert -6
Force using IPv6.
.
Up to command list
Traceroute options (Linux only)

Traceroute command
switches
Description
traceroute -A
Performs autonomous system (AS) path lookups in routing registries and prints results directly after the
corresponding addresses.
traceroute --back
Prints the number of backward hops when it seems different than the forward direction. This number is
guessed in the assumption that remote hops send reply packets with the initial TTL set to either 64, 128, or
255 (which seems a common practice). It is printed as a negative value in a form of -NUM .
traceroute -d
Enables socket level debugging (when the Linux kernel supports it).
traceroute -e
Shows the ICMP extensions (RFC 4884). The general form is CLASS/TYPE, followed by a hexadecimal
dump.
traceroute -f [N]
Sets the initial TTL to [N] hops.
traceroute -F
Sets the dont fragment bit.
traceroute -fwmark=[mark]
Sets the firewall [mark] for outgoing packets (since Linux kernel version 2.6.25). Firewall marks are
described here.
traceroute -g [gw_addr]
Tells traceroute to add an IP source routing option to the outgoing packet that tells the network to route the
packet through the specified [gw_addr] (most routers disable source routing for security reasons). In
general, several gateways are allowed (comma separated).
traceroute --help
traceroute -i [interface]
Specifies the [interface] through which traceroute should send packets. By default, the interface is selected
according to the routing table.
traceroute -I
[rawor dgram]
Uses ICMP ECHO for probes insteaf of UDP. Options are [raw] sockets or [dgram] ICMP sockets.
traceroute -m [max_ttl]
Specifies the maximum number of hops (i.e., the max TTL value). The default is 30.
traceroute -M [method]
Uses the specified [method] for traceroute operations. Default traditional UDP method has the
name default; ICMP (-I) and TCP (-T) have names icmp and tcp, respectively. Method-specific options can
be passed by -O.
traceroute --mtu
Discovers the maximum transmission unit (MTU) along the path being traced. Implies -F -N 1.
traceroute -n
Shows numerical IP addresses and bypasses attempts at host name resolution.
traceroute -N
[num_probes]
Specifies the number of probe packets sent out simultaneously. Sending several probes concurrently can
speed uptraceroute. The default value is 16. Note that if you use ICMP probes, some routers and hosts can
use ICMP rate throttling.
traceroute -O [option]
Specifies some method-specific [option]. Several options are separated by commas (or they use several O on the command line).
traceroute -p [port]
Sets the destination base UDP port number to [port]; default is 33434. For ICMP tracing, specifies the initial
ICMP sequence value (incremented by each probe). For TCP, specifies just the (constant) destination port to
connect to.
traceroute -P [proto]
Uses the raw packet of the specified protocol for tracerouting. The default protocol is 253 (RFC 3692).
traceroute -q
[num_queries]
Sets the number of probe packets per hop. The default is 3.
traceroute -r
Bypasses the normal routing tables and sends directly to a host on an attached network. If the host is not on
a directly attached network, an error is returned. This option can be used to ping a local host through an
interface that has no route through it.
traceroute raw -P [proto]
Sends raw packets of protocol [proto] (no protocol-specific headers are used, just the IP header only).
Implies -N 1.
traceroute -s [src_addr]
Specifies an alternative source address for the outgoing traceroute packets.
traceroute -sport=[port]
Chooses the source port to use. Implies -N 1.
traceroute -t [ToS]
Set the Type of Service [ToS] and Precedence value (0-255 decimal). Useful values are 16 (low delay) and 8
(high throughput). For IPv6, -t sets the Traffic Control value.
traceroute -T [opt]
Uses the TCP protocol for traceroute probes. Available options are: syn, ack, fin, rst, psh, urg, ece,
and cwr. If these options dont make sense to you, you should read my article on Nmap.
traceroute -T ecn
Sends SYN packets with TCP flags ECE and CWR (for Explicit Congestion Notification, RFC 3168).
traceroute -T
flags=[num]
Sets the flags field in the TCP header to [num].
traceroute -T info
Prints the TCP flags of the final TCP replies when the target host is reached. Determines whether an
application is listening the port.
traceroute -T mss=[num] Uses the value of [num] for maximum segment TCP header option (when SYN).
traceroute -T sack,
timestamps,
window_scaling
Uses the corresponding TCP header option in the outgoing probe packet.
traceroute -T sysctl
Uses current sysctl (/proc/sys/net/*) setting for the TCP header options above and ECN. Always set by
default, if nothing else is specified.
traceroute tcpconn
An initial implementation of the TCP method simply using the connect call, which does a full TCP session
opening. Not recommended for normal use because a destination application is always affected.
traceroute -U
Uses UDP datagrams with a constant destination port (default 53, DNS). Like the -T (TCP) option, this can
be intended to bypass firewall as well.
traceroute -UL
coverage=[num]
Uses UDP Lite datagrams for probes (with a constant destination port, 53) where [num] determines the
checksum coverage sent. See here for reference.
traceroute -V
Prints the version of traceroute.
traceroute -w [wait_time] Sets the time (in seconds) to wait for a response to a probe (the default is 5 seconds).
traceroute -z [sendwait]
Sets the minimal time interval between probes (default is 0). If the value is more than 10, then it specifies a
number in milliseconds, otherwise it is a number of seconds. Useful when some routers use rate-limiting for
ICMP messages.
traceroute -4 or -6
Explicitly forced IPv4 or IPv6. By default, the program will try to resolve the name given, and choose the
appropriate protocol automatically. If resolving a host name returns both IPv4 and IPv6
addresses, traceroute will use IPv4.
.
Up to command list
Whois
whois is a domain name query tool. Some of the information it provides on domain names includes: registered address, technical and DNS
contacts, contact email addresses, contact phone number, and the expiration date of the domain name registration.
Whois commands are commonly executed from network query-oriented websites, as described here. However, you can run whois from a
command line interface as well. Whois is easily available in Linux and Unix (may be available as jwhois), but must be installed manually on
Windows. Note that the version of whois published by Marco dItri of linux.it uses very different options from the standard whois/jwhois.
Whois for Windows

Whois command switches (Windows)
whois [domainname] [whois.server]
Description
Performs a whois query on [domainname] using the whois server specified.
.
Up to command list
Whois for Linux

Whois command switches
(Linux)
whois -a or --raw
Description
Disables reformatting of the query.
whois -c [file] or --config=[file] Uses [file] as a configuration file instead of jwhois.conf.

whois -d or --disable-cache
Disables reading from (and writing to) the cache.
whois -f or --force-lookup
Forces a query to be made to a host even if a current object is available from the cache.
whois -h [host] or -host=[host]
Overrides any hosts in the configuration file and queries [host] directly.
whois --help
whois -i or --displayredirections
Displays every step in a redirection (the default is to display only the last answer).
whois -n or -no-redirect
Disables redirection from one server to another.
whois -p [port] or --port=[port] Specifies a port number to use when querying a host. For example, whois --port=9103
[host]
10.20.30.31forces a test on this hosts port 9103
whois -r or --rwhois
Forces the query to use the rwhois protocol instead of HTTP or whois.
whois --rwhoisdisplay=[display]
Asks receiving rwhois servers to display the results in the specified [display] instead of the default
dump display.
whois --rwhois-limit=[limit]
Asks receiving rwhois servers to limit their responses to [limit] matches.
whois -s or --no-whoisservers
Disables the built-in support for whois-servers.net.
whois -v or --verbose
Outputs verbose debugging information while running. You can increase the verbosity by giving
several verbose commands to jwhois, such as -vv.
whois --version
Displays the version, authors and licensing information of whois.

Network Commands

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Network Commands

Încărcat de

Drepturi de autor:

Formate disponibile

Arp

Arp for Windows

Specifies a physical (MAC) address.

Arp for Linux

arp -a [hostname]or --all

arp -d [ip_addr] or--

space between -d and *).

Uses the hardware address associated with the specified interface.

Shows the entries in default (Linux) style.

arp -f [filename] or--file

Shows IP addresses instead of trying to determine domain names.

Uses verbose mode to provide more details.

FTP for Windows

FTP command options

Logs in to the FTP server as an anonymous user.

Overrides the default async buffer count of 3.

Disables interactive prompting during multiple file transfers.

Overrides the default SO_RCVBUF size of 8192.

Suppresses the display of FTP server responses.

Overrides the default SO_SNDBUF size of 8192.

Displays the help message.

Runs the specified command on the local computer.

ftp>? or ftp>? [command]

Displays descriptions for FTP commands (identical to help).

ftp>append [local_file] [remote_file]

Sets the file transfer type to ASCII (which is the default).

Sets the file transfer type to binary.

Changes the working directory on the remote host.

Deletes files on the remote host.

ftp>dir or ftp>dir [remote_directory]

ftp>get [remote_file] [local_file]

ftp>help or ftp>help [command]

Displays descriptions for FTP commands (identical to -?).

ftp>ls or ftp>ls [remote_directory]

Deletes multiple files on the remote host.

Displays a list of the remote directorys files and subdirectories.

Creates a remote directory.

Displays an abbreviated list of a remote directorys files and subdirectories.

ftp>open {FTP_server] [port]

Connects to the specified FTP server.

Displays the current directory on the remote host.

Synonym for the literal command.

Displays help for remote commands.

Renames remote files.

Specifies the name of the remote directory to delete.

Displays the current status of FTP connections and toggles.

ftp>type [ascii | binary]

Sets or displays the file transfer type. ASCII is the default.

ftp>user [username] [password]

Specifies a user to the remote host.

FTP for Linux

FTP command options (Linux)

Causes credentials to be forwarded to the remote host.

Disables file name globbing.

Turns off interactive prompting during multiple file transfers.

When using Kerberos v4 authentication, gets tickets in realm.

Enables packet tracing.

ftp>! [command [args] ]

ftp>$ [macro-name] [args]

ftp>append [local_file] [remote_file]

Enables a bell to sound after each file transfer command is completed.

Set the file transfer type to support binary image transfer.

Deletes the file on the remote host.

Toggles debugging mode. If an optional [debug_value] is specified it is used to set the