When a network stops working, you don't guess — you run commands and read the output. These six tools are the core of Windows network troubleshooting, and all of them appear on the CompTIA A+ exam. Learning them in order is the fastest way to build a real diagnostic workflow.

⚡ How to study this page

Don't just read — open a Command Prompt and run each command as you go. The output will look exactly like the exam scenarios. Type cmd in the Windows search bar to open it.

ipconfig — Check Your IP Configuration

ipconfig Start Here

ipconfig shows your computer's current IP address, subnet mask, and default gateway. It's almost always the first command you run when diagnosing a network problem — it tells you immediately whether you have a valid IP address or an APIPA address (169.254.x.x).

C:\>ipconfig
C:\>ipconfig /all— full details including DNS and MAC address
C:\>ipconfig /release— release current DHCP lease
C:\>ipconfig /renew— request a new IP from DHCP
C:\>ipconfig /flushdns— clear the local DNS cache
Sample output — ipconfig Ethernet adapter Ethernet:
   Connection-specific DNS Suffix:
   IPv4 Address. . . . . . : 192.168.1.25
   Subnet Mask . . . . . . : 255.255.255.0
   Default Gateway . . . . : 192.168.1.1
Device has no internet — run ipconfig first to confirm whether the IP is valid or 169.254.x.x (APIPA). A blank Default Gateway means the device can't route traffic off the local network.

ping — Test Connectivity

ping Most Used

ping sends test packets to a destination and measures the response. It tells you whether a device is reachable and how long packets take to get there. The sequence matters — ping loopback first, then your own IP, then the gateway, then an external IP, then a domain name. Each step isolates a different layer of the problem.

C:\>ping 127.0.0.1— loopback: tests the NIC itself
C:\>ping 192.168.1.25— your own IP: confirms TCP/IP stack
C:\>ping 192.168.1.1— default gateway: tests local routing
C:\>ping 8.8.8.8— external IP: tests internet (bypasses DNS)
C:\>ping google.com— domain name: tests DNS resolution
Sample output — ping 8.8.8.8 Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Reply from 8.8.8.8: bytes=32 time=13ms TTL=117

Ping statistics for 8.8.8.8:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Ping 8.8.8.8 succeeds but ping google.com fails — this is a classic DNS problem. The internet connection works, but DNS resolution is broken. This exact scenario appears frequently on the A+ exam.
⚡ The Most Important Ping Test on the A+ Exam

ping 8.8.8.8 works → ping google.com fails = DNS problem.

If an IP address works but a domain name doesn't, the internet connection is fine — DNS resolution is broken. Fix: try ipconfig /flushdns or change the DNS server to 8.8.8.8.

tracert — Trace the Route

tracert Path Diagnosis

tracert (Trace Route) shows every hop a packet takes on its way to a destination. Where ping just tells you if something is reachable, tracert tells you where along the path things are breaking down. Each line is one router the packet passed through, with response times.

C:\>tracert google.com
C:\>tracert 8.8.8.8
Sample output — tracert google.com Tracing route to google.com [142.250.72.14]:

 1   1ms   1ms   1ms   192.168.1.1 (your router)
 2   8ms   9ms   8ms   10.0.0.1 (ISP hop)
 3  12ms  11ms  13ms   72.14.232.1
 4  14ms  13ms  14ms   142.250.72.14 (destination)
Ping fails but you don't know where the problem is. Tracert shows you exactly which hop times out — if hop 1 (your gateway) fails, the problem is local. If it fails at hop 3, the problem is upstream with your ISP.

nslookup — Query DNS

nslookup DNS Diagnosis

nslookup (Name Server Lookup) queries DNS servers directly and shows what IP address a domain resolves to. It's the go-to tool when you suspect a DNS problem — you can query your default DNS server or specify a different one to compare results.

C:\>nslookup google.com— query default DNS server
C:\>nslookup google.com 8.8.8.8— query a specific DNS server
Sample output — nslookup google.com Server:   dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Addresses: 142.250.72.14
Websites won't load but ping 8.8.8.8 works. Run nslookup to confirm whether your DNS server is resolving names correctly. If nslookup fails, DNS is definitely the issue.

netstat — View Active Connections

netstat Connections

netstat (Network Statistics) shows all active TCP connections and listening ports on your machine. It's useful for seeing what your computer is currently connected to, identifying unusual connections, and confirming which ports are open.

C:\>netstat— active connections
C:\>netstat -a— all connections and listening ports
C:\>netstat -n— show IP addresses instead of hostnames
C:\>netstat -b— show which program owns each connection
Sample output — netstat -n Proto  Local Address       Foreign Address      State
TCP    192.168.1.25:443   142.250.72.14:443    ESTABLISHED
TCP    192.168.1.25:80    151.101.1.140:80     ESTABLISHED
TCP    0.0.0.0:3389     0.0.0.0:0            LISTENING
You suspect a security issue, want to confirm which ports are open, or need to verify that a service is actually listening on the expected port number.

nbtstat — NetBIOS Name Resolution

nbtstat NetBIOS / Windows Names

nbtstat displays NetBIOS over TCP/IP statistics and name tables. It's used in Windows environments to troubleshoot name resolution issues when devices can't find each other by computer name on a local network. Less common than the others but it does appear on the A+ exam.

C:\>nbtstat -n— local NetBIOS name table
C:\>nbtstat -c— NetBIOS name cache
C:\>nbtstat -R— reload the LMHOSTS file / purge cache
Devices on a local Windows network can't find each other by computer name, even though IP connectivity works fine. nbtstat -n shows the local machine's registered NetBIOS names.

The Diagnostic Workflow — What Order to Run Them

On the exam (and in real life), commands are most useful when run in a logical order. Each step confirms one layer is working before moving to the next:

🔧 Standard Network Troubleshooting Sequence
1
ipconfig
Confirm you have a valid IP address. If you see 169.254.x.x, stop here — DHCP failed. Run ipconfig /release then /renew.
2
ping 127.0.0.1
Test the loopback address. If this fails, your network stack has a serious problem — reinstall TCP/IP.
3
ping [your default gateway]
Test local network connectivity. If this fails, you can't reach your router — check the cable or Wi-Fi connection.
4
ping 8.8.8.8
Test internet connectivity by IP. If this fails but step 3 works, the problem is your router or ISP — not your computer.
5
ping google.com
Test DNS resolution. If step 4 works but this fails, DNS is broken. Run ipconfig /flushdns or change your DNS server.
6
tracert / nslookup
If you still can't isolate the problem, use tracert to find which hop fails, or nslookup to query DNS servers directly.

Linux & macOS Network Commands

The Network+ and Security+ exams test Linux and macOS equivalents alongside Windows commands. In enterprise environments, servers and network devices almost always run Linux — knowing these commands is essential for both certifications and real-world IT work.

ip — The Modern Linux Network Tool

The ip command is the current standard on Linux, replacing the older ifconfig. It controls IP addresses, routes, and interfaces.

ip — Linux Interface and Routing Control
ip addr show# Show all interfaces with IP addresses (replaces ifconfig)
ip addr show eth0# Show a specific interface
ip route show# Show routing table (replaces route print)
ip route get 8.8.8.8# Show which interface/gateway traffic uses to reach a host
ip link set eth0 up# Bring an interface up
ip link set eth0 down# Bring an interface down
ip neigh show# Show ARP table (replaces arp -a)

ifconfig — Legacy Linux/macOS (still on many systems)

ifconfig — Interface Configuration
ifconfig# Show all active interfaces (macOS and older Linux)
ifconfig -a# Show all interfaces including inactive ones
ifconfig eth0# Show specific interface details
ifconfig eth0 down# Disable an interface

dig — DNS Lookup (Linux/macOS)

dig (Domain Information Groper) is the Linux/macOS equivalent of nslookup — and much more powerful. Security+ tests it for DNS reconnaissance and troubleshooting.

dig — DNS Query Tool
dig google.com# Standard A record lookup
dig google.com MX# Query mail exchange records
dig google.com ANY# Query all record types
dig @8.8.8.8 google.com# Query a specific DNS server (8.8.8.8)
dig -x 8.8.8.8# Reverse lookup — IP to hostname
dig +short google.com# Output just the IP address

ss — Socket Statistics (replaces netstat on Linux)

ss is faster than netstat and shows the same connection and port information. It's the current standard on modern Linux distributions.

ss — Socket Statistics
ss -tuln# TCP+UDP listening ports, no DNS resolution
ss -tulnp# Same + show process name and PID
ss -ta# All TCP connections (established + listening)
ss -s# Summary statistics — total connections by type

Windows vs Linux Command Equivalents

TaskWindowsLinux / macOS
Show IP addressipconfigip addr show / ifconfig
Flush DNS cacheipconfig /flushdnssudo systemd-resolve --flush-caches / sudo dscacheutil -flushcache (macOS)
Test connectivitypingping (runs until Ctrl+C by default)
Trace routetracerttraceroute
DNS querynslookupdig / nslookup
View open portsnetstat -ass -tuln / netstat -tuln
View routing tableroute printip route show / netstat -r
View ARP cachearp -aip neigh show / arp -n
Show MAC addressipconfig /allip link show / ifconfig
Test HTTPcurl (modern) / browsercurl / wget

arp — View and Manage the ARP Cache

The ARP (Address Resolution Protocol) cache maps IP addresses to MAC addresses on the local network. The arp command lets you view, add, and delete these entries. It's tested on both Network+ and Security+ — particularly in the context of ARP spoofing attacks.

arp — ARP Cache Commands
arp -a# Show all ARP cache entries (Windows/Linux/macOS)
arp -a 192.168.1.1# Show ARP entry for a specific IP
arp -d 192.168.1.1# Delete a specific ARP cache entry
arp -s 192.168.1.1 00-11-22-33-44-55# Add static ARP entry (Windows)
⚡ Security+ exam connection: ARP spoofing poisons the ARP cache — an attacker sends forged ARP replies linking their MAC to a legitimate IP. If you run arp -a and see two different IP addresses mapped to the same MAC address, that's a strong indicator of ARP spoofing in progress.

route — View and Modify the Routing Table

The routing table determines where a device sends packets destined for different networks. The route command is used on both Windows and Linux to display and modify it.

route — Routing Table Commands
route print# Display full routing table (Windows)
ip route show# Display routing table (Linux)
netstat -r# Display routing table (macOS/Linux)
route add 10.0.0.0 mask 255.0.0.0 192.168.1.1# Add static route (Windows)
ip route add 10.0.0.0/8 via 192.168.1.1# Add static route (Linux)
route delete 10.0.0.0# Remove a route (Windows)

curl and wget — Test HTTP/S Connectivity

While ping tests ICMP reachability, curl and wget test actual application-layer (HTTP/S) connectivity. They're used in Network+ and Security+ troubleshooting scenarios for web service verification, certificate checking, and API testing.

curl — HTTP/S Testing
curl https://example.com# Fetch a web page (shows HTML output)
curl -I https://example.com# Fetch headers only — check status code and TLS cert
curl -v https://example.com# Verbose — shows full TLS handshake and headers
curl -k https://example.com# Skip TLS certificate verification (testing only)
curl -o file.html https://example.com# Save output to a file
curl -x proxy:8080 https://example.com# Route through a proxy

tcpdump — Packet Capture (Security+ / Network+)

tcpdump is a command-line packet analyser for Linux and macOS. It captures live network traffic for analysis — the CLI equivalent of Wireshark. It's a core Security+ tool for network forensics and incident response, and appears directly in Network+ troubleshooting scenarios.

tcpdump — Common Usage
tcpdump -i eth0# Capture all traffic on interface eth0
tcpdump -i eth0 host 192.168.1.1# Capture traffic to/from specific host
tcpdump -i eth0 port 443# Capture HTTPS traffic only
tcpdump -i eth0 tcp# Capture TCP traffic only
tcpdump -w capture.pcap# Write capture to file for Wireshark analysis
tcpdump -r capture.pcap# Read and analyse a previously saved capture
tcpdump -n -i eth0# No DNS resolution — show raw IPs (faster)
⚡ Security+ exam tip: tcpdump and Wireshark capture files use the .pcap format. In incident response scenarios, a packet capture is considered volatile evidence — it should be collected early. Wireshark is the GUI version; tcpdump is the CLI version. Both analyse the same .pcap files.

nmap — Network Scanner (Security+ / Network+)

nmap (Network Mapper) scans networks to discover hosts and open ports. It's a fundamental tool for both network administration and security assessments — and one of the most commonly referenced tools on the Security+ exam.

nmap — Common Scan Types
nmap 192.168.1.1# Scan a single host — discover open ports
nmap 192.168.1.0/24# Scan an entire subnet
nmap -sn 192.168.1.0/24# Ping scan only — discover live hosts, no port scan
nmap -p 22,80,443 192.168.1.1# Scan specific ports only
nmap -p- 192.168.1.1# Scan all 65535 ports
nmap -sV 192.168.1.1# Version detection — identify software and versions
nmap -O 192.168.1.1# OS detection
nmap -sS 192.168.1.1# SYN (stealth) scan — doesn't complete TCP handshake
⚡ Security+ exam tip: nmap is a dual-use tool — used by administrators for asset discovery and by attackers for reconnaissance. A SYN scan (-sS) is called a "stealth scan" because it never completes the three-way handshake, making it harder to detect in logs. Always get written authorisation before scanning networks you don't own.

Network+ and Security+ Exam Scenarios

A Linux administrator needs to check which process is listening on port 443. Which command shows this?
ss -tulnp — the -p flag adds process name and PID to the output. On older systems, netstat -tulnp does the same. On Windows, use netstat -ano and cross-reference the PID in Task Manager.
A security analyst runs arp -a and sees that two different IPs both resolve to the same MAC address. What does this indicate?
ARP spoofing / ARP poisoning. An attacker is broadcasting forged ARP replies to associate their MAC with multiple IP addresses — typically the default gateway — to intercept traffic (man-in-the-middle). Response: implement Dynamic ARP Inspection (DAI) on the switch.
You run traceroute google.com on Linux and see asterisks (***) starting at hop 3. What does this mean?
The router at hop 3 is not responding to ICMP TTL-exceeded messages — either it's filtering ICMP, or connectivity is lost there. Asterisks mean no response received within the timeout. It doesn't necessarily mean the route is completely broken — the destination may still be reachable if the router is just dropping ICMP.
A penetration tester needs to identify all live hosts on the 10.10.10.0/24 network without triggering port scan alerts. Which nmap command should they use?
nmap -sn 10.10.10.0/24 — the ping scan discovers live hosts using ICMP echo requests and TCP probes without scanning any ports, minimising noise in IDS logs.

Quick Reference Cheat Sheet

📋 Command Quick Reference
ipconfig
Show IP address, subnet mask, default gateway
ipconfig /all
Full details — DNS servers, MAC address, DHCP info
ipconfig /release
Release current DHCP lease
ipconfig /renew
Request a new IP from DHCP server
ipconfig /flushdns
Clear the local DNS cache
ping 127.0.0.1
Test loopback — confirms NIC and TCP/IP stack work
ping [gateway]
Test local network connectivity to router
ping 8.8.8.8
Test internet by IP — bypasses DNS entirely
ping google.com
Test DNS resolution — if this fails but 8.8.8.8 works, DNS is broken
tracert [destination]
Show every hop to destination — find where packets stop
nslookup [domain]
Query DNS server directly — confirm name resolution
netstat -a
Show all active connections and listening ports
nbtstat -n
Show local NetBIOS name table
arp -a
Show ARP cache — IP-to-MAC mappings on local network
route print
Show routing table (Windows) — see all network routes
ip addr show
Show interfaces and IPs (Linux — replaces ifconfig)
ip route show
Show routing table (Linux — replaces route)
ip neigh show
Show ARP/neighbour table (Linux — replaces arp -a)
ss -tuln
Show listening TCP/UDP ports (Linux — replaces netstat)
dig [domain]
DNS query tool (Linux/macOS — more powerful than nslookup)
traceroute [dest]
Trace route to destination (Linux/macOS — same as tracert)
curl -I [url]
Fetch HTTP headers — check status code and TLS certificate
tcpdump -i eth0
Capture live packets on interface (Linux/macOS)
nmap -sn 192.168.1.0/24
Ping scan — discover live hosts on subnet without port scanning

Key Takeaways

ipconfig is always step one — check if you have a valid IP before anything else
ping 8.8.8.8 works + ping google.com fails = DNS problem, not internet problem
tracert shows you exactly which hop in the route is failing
nslookup queries DNS directly — use it to confirm DNS is resolving correctly
netstat -a shows open ports and active connections on your machine
ipconfig /release → /renew is the fix when you have an APIPA (169.254.x.x) address
Linux uses ip addr, ss, and dig — the modern replacements for ifconfig, netstat, and nslookup
tcpdump -w capture.pcap saves packets for Wireshark analysis — key for Security+ incident response
nmap -sn discovers live hosts; nmap -sV identifies running services — fundamental recon and audit tool
Two IPs mapped to the same MAC in arp -a = ARP spoofing in progress
📚 Recommended Study Tools

Ready to practice these commands?

Set up a free VM lab on your laptop and run every command in a real Windows environment.

🖥️ Read the Home Lab Setup Guide 📖 Bestselling A+ Study Guide

Related Articles

What is SSH? What Is DNS? What Is DHCP? What Is APIPA? What Is a Default Gateway? What Is a Subnet Mask? What Is NAT? What Is a MAC Address? Common Port Numbers Networking Master Guide

Preparing for A+, Network+, or Security+?

See the books and practice exams that make the most difference.

See Best Study Resources →