Network Address Families (and related protocols)
Lists the address families, protocols, and purposes:


Information has been added to the Basics section.

e.g. Ethernet frames
Network Addresses

Properties of the various types of network addresses so they can be identified by sight: Note semi-unique features such as address length, and hopefully more unique features such as signatures and common notations. (See the section listing address families as a guide of what types of addresses will be covered by this section.)

This information may now have been added: see: numeric network addresses.

IPv6 is meant to be a protocol with enough flexibility to serve as the key protocol for the worldwide Internet for many years to come. However, replacing IPv4 has been far from an overnight process.
IPv6 Adoption information
Wikipedia's article on IPv6: section on issues with IPv6 adoption provides some observations.
Cable modem support
For example, for cable modems, Wikipedia's article on IPv6: section on issues with IPv6 adoption says “The widely used DOCSIS 2.0 does not support IPv6. The new 'DOCSIS 2.0 + IPv6' standard also supports IPv6, which may on the cable modem side only require a firmware upgrade. It is expected that only 60% of cable modems' servers and 40% of cable modems will be DOCSIS 3.0 by 2011.” (Citations removed from quote.) That last sentence cites ABI Research info on DOCSIS 3.0 usage which says: “ABI Research expects that penetration of DOCSIS 3.0 will reach nearly 60% for in-use CMTS in 2011. Penetration will be slower for the larger installed base of CPE, reaching just under 40% in 2011.” To clarify that, CMTS refers to the servers of cable modem providers (based on comparison to Wikipedia's quote in the Wikipedia's article on IPv6: section on issues with IPv6 adoption), and CPE refers to the “customer premises equipment” and so is referring to cable modems.
IPv4 expanded from the earliest implementations in multi-site test/research networks to being a platform on which the Internet was created. The primary issue with IPv4 was running out of publicly-accessible addresses that could be efficiently routed, and so IPv6 was touted as a replacement for IPv4.

The basic level of support is that those who do not know what IPX is might ask “What is IPX?”, and those who are familiar with IPX might also feel some inclination to ask “What is IPX?” The reason that latter group may ask the question, even though they know the answer, is that they may try to imply the obscurity that they hope to be the fate of this protocol (that such people may be plenty happy to forget). IPX has gone by the wayside.

It had been historically significant. One advantage to IPX is that implementations may use up fewer resources. Namely, IPX could be implemented with less memory, which was particularly important in the MS-DOS platform. The MS-DOS platform had been more prevalent during and closer to the days when IPX was more broadly supported.

(The concept of “subnets” didn't exist with IPX, so a different “subnet” would be considered an entirely different network.) The key reason that IPX stopped being used was the lack of any implementation supporting routing of traffic to other networks.

[#addrusag]: Address reservations/uses
These sections document how addresses are rather commonly used. (Actually viewing and setting addresses is in the “Key Networking Technologies” section.)
[#kymainet]: Key Networking Technologies/Protocols
[#netistrc]: Key Network Infrastructure Protocols/Technologies
[#netadrsn]: Network Addressing
Plans/methods for Addressing
Determining what addresses to assign, and what address ranges (a.k.a. subnets) are optimal to use
Automatic Addressing
Manual Addressing
Information about how to perform the manual address assignments in various platforms
[#namtoadr]: Name Resolution
Name resolution may be even more important than routing: It may be used for internal communications even if there are no Internet connections that are actively up. A lot of software uses name resolution, including security software. If users cannot authenticate, that may limit their ability to do anything even if routing to the Internet does work.
[#routtraf]: Routing traffic

See the section on Routing traffic to cover these topics:

Basic routing
Traffic forwarding
Basic forwarding (of network traffic)
[#tunltraf]: Tunneling Traffic
[#sshptfwd]: Creating a port forwarding rule using SSH
This is often a simple way to add encryption to traffic, even if the traffic is created (sent) or used (received) by software which does not support the method of encryption being used.
[#netldbal]: Load balancing of network traffic
[#drctsvrt]: Direct (Server) Return/Routing
Reducing the number of devices/processes that must handle return traffic.
Service Discovery
Other popular services
Connectivity testing

One option may be to verify whether a service is operational. If it is, then connectivity seems to exist. However, if the service does not respond, that may be an issue with connectivity or an issue with the specific service (or some combination thereof, such as a firewall in the middle blocking the traffic for a specific service).

An option may be to perform a network connectivity test. Most networked machines will have an ability to participate in such a test. Note, however, that software-based firewalls running on the hosts (e.g., running on the individual computers) may block such traffic.

Testing IP connectivity
Using ICMP(6) for basic testing

ICMP(6) may be used for testing. (There may currently be some additional related information in a section called “ICMP Messages” on the page about using a firewall.)

[#ping]: ping (and similar)
Basic popular operation

The most popular command is the ping command. For instance, ping

Then, press Ctrl-C to break. (Or, if the pre-determined amount of packets has been sent, ping may just quit on its own.)

There may be some variations. For example:

  • ping will run a test on an IPv4 address.
  • For an IPv6 address, Microsoft Windows may use ping 2001:db8::2, or ping -6 2001:db8::2 may also be used. So, with Microsoft Windows, a command like ping may attempt to intelligently decide whether the IPv6 stack or the IPv4 stack is preferred, and then use that. Using ping -6 or ping -4 will specify which stack is preferred.
  • In Unix, ping may be limited to IPv4 ICMP packets. To perform a similar action with IPv6 ICMP6 packets, a similar but different command called ping6 is used, on some variations of Unix. Whether IPv6 is handled by a command named ping6 or a command named ping may vary based on which TCP/IPv6 stack is being used. Since the stack that people typically use is generally going to be the stack built into an operating system (for modern day operating systems), the command to use varies based on which operating system is being used.
  • Both the Microsoft Windows and Unix implementations allow either a specified number of packets to be sent, or an ongoing test where the program is not meant to stop after a certain number of packets. What differs, though, is the default behavior. In Unix, the ping or ping6 command will run endlessly by default, until the program is stopped. A test of five packets may be done with “ping -c 5 remoteSys”. With Microsoft Windows, the default action is to run just four times. To send endlessly, use ping -t remoteSys (as documented) (or, as undocumented but which works fine, “ping remoteSys -t”). To send a specific number of packets in Microsoft Windows, use ping -n 5 remoteSys
  • The keystroke combination to show statistics in ping for Microsoft Windows, which is Ctrl-Break, will stop the ping command in Unix. Microsoft Windows's version might also be more challenging to send over at least some network terminals. This is discussed further in the section about getting status reports from ping, but is also mentioned here in the list of quite notable differences.

In general, what you're looking for is a series of replies which look like there are no problems. (In Microsoft Windows, this looks like: “Reply from (an-IP-address): bytes=32, time=”... In OpenBSD, this looks something like “64 bytes from (an-IP-address): icmp_seq=#, ttl=#, time=”...)

Sometimes, the ping command might show the results of an error. This might be because the ping command received a packet that indicates that an error occurred.

  • If you receive a reply from your computer's own IP address, along with the note of “Destination host unreachable.”, then that typically means that your computer was unable to get a response to NDP (for IPv6) or ARP (for IPv4) in order to find the remote system's MAC-48 address.
  • For other errors, check out Flaphead's Blog on TechNet: What do PING results actually mean..?
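The reply and error formats described above can be told apart mechanically. The following is an added example, not code from the original page: a hypothetical ping_summary function that classifies captured Windows-style and Unix-style ping output. It goes slightly beyond the text by also counting missing icmp_seq numbers as lost packets; the addresses, the “Request timed out.” line and all sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Sample output below is constructed.

# ping_summary: read captured ping output on stdin and print one line:
#   replies=N unreachable=N lost=N verdict=ok|lossy|unreachable|no-reply
ping_summary() {
    awk '
        # Error lines first: Windows reports them as "Reply from <addr>:
        # Destination host unreachable.", which is not an echo reply.
        /[Uu]nreachable/ { unreach++; next }
        /\(DUP!\)/       { next }              # duplicate replies: ignore
        # Windows echo reply (IPv4 shows bytes=32, IPv6 only shows time=).
        /^Reply from .*time[=<]/ { ok++; next }
        /^Request timed out/     { lost++; next }
        # Unix echo reply: "64 bytes from <addr>: icmp_seq=N ttl=N time=..."
        /^[0-9]+ bytes from .*icmp_seq=[0-9]+/ {
            ok++
            match($0, /icmp_seq=[0-9]+/)
            seq = substr($0, RSTART + 9, RLENGTH - 9) + 0
            if (!seen || seq < first) first = seq
            if (!seen || seq > last)  last = seq
            seen++
            next
        }
        END {
            # Unix ping prints nothing for a missing reply, so count the holes
            # in the icmp_seq sequence (assumes no 16-bit wrap in the capture).
            if (seen) {
                gaps = (last - first + 1) - seen
                if (gaps > 0) lost += gaps
            }
            if (ok > 0 && unreach == 0 && lost == 0) verdict = "ok"
            else if (ok > 0)                          verdict = "lossy"
            else if (unreach > 0)                     verdict = "unreachable"
            else                                      verdict = "no-reply"
            printf "replies=%d unreachable=%d lost=%d verdict=%s\n", ok, unreach, lost, verdict
        }
    '
}

# Constructed Windows-style capture: one timeout and one local ARP/NDP failure.
sample_windows() {
    cat <<'EOF'
Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=12ms TTL=57
Request timed out.
Reply from 192.0.2.10: bytes=32 time=11ms TTL=57
Reply from 192.0.2.5: Destination host unreachable.
EOF
}

# Constructed Unix-style capture: icmp_seq 2 and 3 never came back.
sample_unix() {
    cat <<'EOF'
PING 192.0.2.10 (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=57 time=12.1 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=11.9 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=57 time=12.4 ms
EOF
}

sample_windows | ping_summary
sample_unix | ping_summary
```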

IANA ICMP Parameters.

[#pingstat]: getting status reports

While ping (or ping6) is running, statistics may be shown. In Unix, Ctrl-\ (that is, Control-Backslash) will work, e.g.: “162/162 packets, 0% loss, min/avg/ewma/max = 59.945/67.417/63.093/318.717 ms” In Microsoft Windows, the keystroke combination is Ctrl-Break, and may show results such as:

Ping statistics for
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = ##ms, Maximum = ##ms, Average = ##ms

In Microsoft Windows and Unix, the ping command shows a status report when the command ends. A status report can also be shown without ending the ping command (which may be nicer if the ping command is going to be sending multiple packets).

For Microsoft Windows, the status report can be seen with Ctrl-Break. (That is using the Pause/Break key.)

Unix does not print a status report with Ctrl-Break, but the ping command may support receiving a signal that causes ping to show a status line without interrupting a series of packets. For instance, in Debian, the manual page indicates the SIGQUIT signal, and using “kill -SIGQUIT PID” does the trick. In OpenBSD, that same command will terminate the ping command, but OpenBSD's manual page for ping says that SIGINFO may be used. (Debian doesn't have a signal named SIGINFO, as shown by kill -l.)

Additional options for some ping implementation(s)

These can be found in Unix:

Audible ping

Unix ping supports ping -E which may be useful to get results when there is not a clear line of sight to the visual output display. For example, one may set a ping, and then walk behind the computer's monitor, and then hear whether unplugging a cable is affecting the ping command. ping -e will make a beep for each successful packet, instead of each unsuccessful packet.

Faster ping
Flood ping

Unix ping supports ping -f which causes it to print out a period for each packet sent. It also prints out a backspace for each packet it gets back. It also does this at the highest speed that it can. As a result, a certain number of periods (possibly just one) may be generated initially, but the backspaces should prevent more periods from showing up. Then, additional periods beyond the initial number represent a case where an outgoing packet was not matched by an incoming packet. (Hence, a dropped packet.)

(Note: The -f parameter here does differ from the -f option for ping for Microsoft Windows, which uses -f to set the IPv4 “Don't Fragment” flag.)


One option is the “flood ping”, like other Unix systems.

Another option is to set the interval. For example, to send 3 packets:

sudo ping -c 3 -i 0.1

Interval values can be made faster than that. Interval values of “-i 1.0” or slower do not require using superuser permission.

Cisco IOS can show some relatively quick ping results as well.

Other variations to note
WMIC PATH Win32_PingStatus WHERE "Address='domainNameOrIPaddress'" Get StatusCode

If successful, StatusCode will be 0. Otherwise, StatusCode won't be zero (and may be blank).

More details can be gathered:

WMIC PATH Win32_PingStatus WHERE "Address='domainNameOrIPaddress'" Get /FORMAT:VALUE

According to Microsoft, Windows Server 2003 (at least pre-SP1)'s ping WMI object supports IPv4 but not IPv6.

For more details on using WMI, see: WMI.

Cisco IOS

Note: standard Cisco IOS warning (for those unfamiliar with using IOS).

The client will show ! (an exclamation point) for packets that received an ECHO REPLY response, and . (a period) for packets that did not get received. If a packet gets an UNREACHABLE response via ICMP, then a U will show up instead of an exclamation point or a period.

Although Unix and Microsoft Windows both support aborting a ping command with Ctrl-C (and both can gather statistics, as noted by getting status reports from ping), Cisco decided not to follow the same trend with IOS. However, Ctrl-^ (Control-Shift-6) can abort a repeated ping.

ping repeat 4

Web page about ping notes that Michael John Muuss “wrote Ping in only one evening and was fond of saying he would have spent more time on it had he envisioned its future importance. At first a Unix-only diagnostic program, the tool is now part of almost every operating system.” At this point, though, Michael Muuss is not expected to develop the program any further, because on November 20, 2000 he got too involved in a fatal automobile accident: page about Mr. Muuss called it a “multivehicle pileup”.

Alternative options

Be sure to also check out the section about “Traceroute (and similar)” and/or bandwidth testing.

[#tracert]: Traceroute (and similar)
Basic traceroute commands

Unix will use traceroute for IPv4 and may use that same command, or a separate command called traceroute6, for IPv6. Microsoft Windows uses tracert (namely due to precedent used by earlier versions of Windows, so this name is a throwback to the days of concerns from when long filenames may not have been supported, or supported as well).

Old Unix/BSD versions may have used UDP to ports 33434 (which is reserved by IANA) through 33534 (totalling 101 UDP ports). However, many versions use ICMP. RFC 1393 - Traceroute Using an IP Option


Win NT, and newer operating systems derived from that (Windows 2000, Windows XP, and newer), have been released with this program. It starts out looking a bit similar to TraceRoute, but then it waits some amount of time that it decides (perhaps often this will be about 5 minutes, give or take thirty seconds) as it continues to re-test communications with the destination and any other device along the way that reduced the hop count (which generally means all routers). Then it provides a report. So, it is a bit like mtr but much slower to report.

[#mtracert]: mtr
Initially the name stood for “Matt's traceroute”, named after Matt Kimball who was the program's original author. However, a new maintainer started calling this “My traceroute”.

At the time of this writing, Wikipedia's page on MTR says, “No MTR-equivalent console application exists for Windows.” (e.g., Wikipedia's article on MTR (software), archived from September 5, 2016.)

However, there is: WinMTRCmd.


WinMTRCmd (As of this writing, WinMTRCmd source code and executable files (Latest version) is version 0.1, and comes zipped.)

WinMTRCmd.exe -h
shows help.

Specifying a remote hostname will run the program normally. The program seems to keep running until it reaches a desired number of success packets for each host. The default is ten.

Pressing X exits the program.

After receiving the desired number of packets from each remote destination, the program seems to essentially freeze up. The program can be stopped by pressing a key (like Enter or the space bar).

WinMTRCmd.exe -r

Report-only mode will complete the task and then show the final results.

GUI variations/clones

Some graphical versions do exist. For instance, the Wikipedia's article on MTR (software), “Fundamentals” section notes, “It normally works under the text console, but it also has an optional GTK+-based graphical user interface (GUI).”

BitWizard's MTR seems pretty slick.

There is also a clone, WinMTR, which is re-written from scratch. WinMTR uses a graphical interface to report numbers in a way that looks similar to mtr. This version may use up more screen space while not adding a lot of features, so the Linux version may be the better version to demonstrate if the hope is to see software to fall in love with.

[#cknetspd]: Bandwidth testing

This may currently be partially, but not fully, redundant with hardware testing: network speed.

Some available dedicated tools to be locally-installed

Gathers speed using ICMP. (Presumably this ICMP testing may be considered to be a “flood ping”.) This may be unique among the options listed here, because it doesn't require the remote end to do anything except respond to a fairly standard protocol. This does require that the remote end does respond to that protocol, so ICMP traffic needs to not be manipulated.

The following may not have been heavily tested/verified (so use at your own risk: run your own malware scans/etc.) : BWPing for Microsoft Windows (User Account Control will require that this be run as an Administrator). The maximum volume size is 4,294,967,295 bytes.

Example command line (modified from a batch file included with a distribution that used Cygwin):

bwping -r 1 -b 10240 -s 1468 -v 10000

Most of those parameters are required. The “-r 2” causes a report every two seconds, and is optional (defaulting to “-r 0” which just entirely disables such reporting). The reporting is not necessarily strictly made within the specified timeframe: it may sometimes be made one second later than what is specified.

Chances are that the example shown above will complete in under two seconds. Results that complete too quickly have been shown to give rather skewed/inaccurate results. Running even longer tests may result in slightly higher speeds being reported. Some quick testing has shown that results that are almost two seconds long have been rather close to the results of even longer tests, so such numbers may be relatively useful indicators of speed. A result that reports taking at least 2 seconds to do should be somewhat reliable.

If the result did not take at least two seconds, try increasing the volume: “ -v 10000000 ” may be more appropriate, and presumably even higher numbers will be needed as network speeds increase over the years. (If there is one less zero, then the results may take under two seconds, and be noticeably less reliable. If there is one more zero, then it may take twenty seconds rather than two: another zero would take over 3 minutes to show any results.) Adding a zero may show some meaningful results.

It is normal for the total number of packets sent, total number of packets received, total volume of bytes received, and total time, to all increase as the test runs. It does seem normal (from some experience) that the total number of received packets may be smaller than the total number of packets sent. (This difference may be under 10%, and possibly much smaller, like 0.1% difference.)

If the speed seems to be rather close to what was placed on the -b portion of the command line, then try increasing that number. However, if the number is set to a value that is even one higher than the network speed, the test may fail (so much that even periodic reports aren't even showing up). For a 100Mbps connection, a value of 102400 works (but 102401 does not). In addition, if increasing the value of -b by a factor (such as a factor of 10, meaning that the number is raised to be ten times higher than it was), be sure to up the volume by a factor of 10.

Wikipedia's article on Ttcp says “ttcp is also available on Cisco IOS routers as a hidden command and can be set up as either the sender or receiver.” There is documentation on this: Cisco documentation on TTCP. ttcp for Windows (Zip file) may also exist.
Iperf (JPerf)

Apparently there is a program called Iperf, and a Java-based front-end called JPerf. (That's right: the front-end capitalizes its name with a different style than the main program.) xjperf

Using home-grown solutions

(This section refers to using software that may be more generalized, rather than software specifically custom designed for network speed checks.)

e.g. use packet crafting (e.g. netcat) to transfer a file, and use pv to report the progress of partial results as the file is getting copied. (This may often require downloading the pv command.)

Using web services

These may typically only be good for measuring Internet speed. (If there are issues between two devices on a network that cannot communicate with each other, these issues might not be detected with such testing.)

Sites which do not require web add-ons
DSLReports Speed Test (a.k.a. Speed Test hyperlinks to some various versions. DSLReports Broadband Tests and Tools lists some tools, including these speed tests.

The and websites may be more well-known, as they appear simple and generally aesthetically attractive. They may, however, be less compatible with certain browsers (such as locked-down browsers in some security environments). Such situations may not be extremely common (which, depending on security mindset, may or may not be a good thing), but in such environments the websites end up being unable to perform the basic desired function (of reporting Internet speed).
Other solutions

Solution(s) in this section may not be open source.

QCheck, using IXIA's IxChariot technology
Microsoft's NT Testing TCP Tool

MSDN info on Microsoft's NT Testing TCP Tool states, “This information applies to Windows 2000 and later versions of Windows.” (However, it seems likely that the statement is meant to exclude Windows ME.) The software also has a more abbreviated name of “NTttcp”. This software supports various tests, including UDP (so, despite the software's name, this is not TCP specific). Download hyperlink for Microsoft's NT Testing TCP Tool.

[#netwatch]: “Network monitoring”/“Network sniffing”

Terms for this may include:

  • Network monitoring
    • This broad topic could include something as basic as bandwidth measurements, counting bytes. Or, it could include usage of the following terms.
  • Network Analysis / Network Analyzing
    • As Internet traffic uses “IP packets”, this could also commonly be called “packet analyzing”
    • using a “protocol analyzer”
  • Network Sniffing
    • As Internet traffic uses “IP packets”, this could also commonly be called “packet sniffing”
  • Deep Packet Inspection (“DPI”)
    • This refers to looking at more than just the protocol types and port numbers, and making decisions based on the payload's content

This can be useful when working with setting up the core network infrastructure, other basic network services, network features, and other tasks. In addition to troubleshooting, this may be useful for bandwidth monitoring and similar performance/usage logging, and auto-responding (alerting), etc.

Real-time monitoring

There are multiple options available. This overview may only cover some of them: if you are looking for more than what you find in one section, be sure to thoroughly check the descriptions of these resources. Don't rely just on the overly-broad categorizations, because there may be quite a bit of crossover.

The “visual reports” section may also be a fast way to see activity. Many people may be satisfied with the information coming from these types of programs.

The most standard (and, therefore, widely supported) option is to use “ netstat -na ” to see what TCP ports and UDP ports are being used (including not only active TCP connections, but also simply listening for TCP traffic or UDP traffic). That is supported by Unix and modern Microsoft Windows.

Traditionally, the next most common tool has been tcpdump, which is described in the “Packet capturing software” section. This software, and similar software, can enable an administrator to get quite a few details. There is even the ability to save a copy of network traffic to a disk, which allows completely unrestricted flexibility for using various possible methods of traffic analysis. Other software can also perform such packet capturing.

Visual Reports

These may not have some of the options to be quite as detailed as the software that lets users see requested details, including entire packets.


Many people may appreciate iftop. Apparently it uses some version of the GPL. Screenshots are shown on the project's home page. An OpenBSD port exists, which indicates the software may be fairly portable. Another product, IPTraf, also uses the GPL and may also support a real-time display as well as more options (according to a super-brief review of IPTraf). iptraf-ng is a fork.

The systat command in OpenBSD may have some advantages: licensing, and convenience (if it is pre-installed). It may show less information, but details may be available more quickly than trying to install some other software first. After running systat, numbers will switch to different screens. Screens 1 (systat ifstat), 4 (systat mbufs), 8 (systat states related to pf), and 0 (systat netstat) look particularly focused on networking. Screen 7 (systat vmstat) may also refer to network interface drivers, and there are some other command lines that can show information related to specific programs like pf. OpenBSD man page for systat provides some more details about information that can be gathered from this program.

Microsoft Windows

Starting with some version (probably Microsoft Vista?), and certainly by Windows 7, network monitoring is supported by Task Manager. There is a “Networking” tab on the Task Manager.

Continuing to discuss newer options (available in Windows 7, and probably in Windows Vista), another option may be to see the “Network” tab from the Resource Monitor. The Resource Monitor can easily be entered from the “Performance” tab of the Task Manager, so Task Manager may be a great place to start.

The Performance Monitor has multiple categories of counters that are related to networking. One category contains counters related to a network interface. Another category, found in Windows 7, is called “TCPv4”.

Packet capturing software
Options for Unix and Microsoft Windows

TCPDump is included with many operating systems, by running a command called tcpdump (from a command line). This software may use the pcap library.

A version for Microsoft Windows is downloadable, and is called WinDump. It may use WinPcap. (It seems sensible that this may more specifically be using the WPcap.dll file/API that comes with WinPcap.)

TCPDump in Unix

To see a summarized report of all traffic coming in and out an interface, run:

sudo tcpdump -i if0

One may typically need to be a superuser to place the device in “promiscuous mode”, or simply to be interacting with a network card in a way that all traffic is being processed by the tcpdump program.

When remoting into a computer using SSH in order to view the results of the tcpdump command, the interesting results may be cluttered by information about the SSH traffic. The following example may print some more useful information, while eliminating the details about SSH traffic (on TCP port 22).

(Perhaps the following is rather OpenBSD-specific, and not verified to function as intended. Further testing may be needed.)

sudo tcpdump -IpSni if0 tcp port not 22 and tcp
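Dropping every packet on TCP port 22 also hides other SSH sessions to and from the host, which is often traffic an administrator wants to see. The following is an added example, not code from the original page: a hypothetical own_ssh_filter function that builds a pcap filter excluding only the session being used for the capture, assuming the login came through OpenSSH (which sets the SSH_CONNECTION variable). The addresses shown are constructed.

```sh
#!/bin/sh
# Added example, not from the original page.

# own_ssh_filter [connection]
# Print a pcap filter expression that hides only the SSH session described by
# "client_ip client_port server_ip server_port". That is the layout of
# OpenSSH's SSH_CONNECTION variable, which is used when no argument is given.
own_ssh_filter() {
    conn=${1-${SSH_CONNECTION-}}
    read -r c_ip c_port s_ip s_port extra <<EOF
$conn
EOF
    # Strip an IPv6 zone suffix such as "%em0"; a pcap host term does not take one.
    c_ip=${c_ip%%%*}
    s_ip=${s_ip%%%*}
    # Accept only address and port characters, so that nothing coming from the
    # environment can add its own filter syntax.
    for addr in "$c_ip" "$s_ip"; do
        case $addr in
            ''|*[!0-9A-Fa-f.:]*) extra=invalid ;;
        esac
    done
    for port in "$c_port" "$s_port"; do
        case $port in
            ''|*[!0-9]*) extra=invalid ;;
        esac
    done
    if [ -n "$extra" ]; then
        # Not an SSH login, or an unexpected value: fall back to hiding all
        # TCP port 22 traffic, as the command above does.
        printf '%s\n' 'not tcp port 22'
        return 0
    fi
    printf 'not (tcp and host %s and port %s and host %s and port %s)\n' \
        "$c_ip" "$c_port" "$s_ip" "$s_port"
}

# Constructed connection value (documentation addresses) to show the result:
own_ssh_filter '198.51.100.7 51514 192.0.2.10 22'

# Typical use on the capture host, with the interface name if0 as above:
#   sudo tcpdump -pni if0 "$(own_ssh_filter)"
```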


TShark, Wireshark (previously known as Ethereal)

[#obshrkno]: Sharks Unsupported on OpenBSD

WireShark used to be known as Ethereal.

OpenBSD CVS Attic: Makefile for Ethereal was updated before OpenBSD 3.6's release, with the following text:

Right during 3.5, it had more than a dozen remote holes being fixed, that we shipped with. Weeks later things have not improved, and there continue to be problems reported to bugtraq, and respective band-aids - but it is clear the ethereal team does not care about security, as new protocols get added, and nothing gets done about the many more holes that exist.

Maybe someone will at least privilege separate this one day, and then the OpenBSD stance with respect to this may change.

Encouraging people to run broken software by distributing packages with known security holes is not desired by any of us.

Until that stance changes, if it ever does, it looks like this is not going to be supported on OpenBSD.

For any of those who wish to play with fire, consider the security impact, and consider what alternatives may be available (such as capturing data with some other software, and perhaps viewing the captured data in a sandboxed environment). For those who may still wish to proceed, the following resources are not being recommended (and may not have been tested/verified by the author of this text), but might assist:

Building Wireshark on OpenBSD is a guide.

A port had been made, although the hyperlinks about to be provided are dated and the URLs for downloading the software have become hyperlink rot, so newer details may be needed. July 2007 announcement of Wireshark 0.99.6_4.1 for OpenBSD being released (unofficially, by a third party, Nikns) (made when OpenBSD 4.1 would have been the latest released version), an earlier announcement by Nikns Siankin of OpenBSD 0.99.5, discussion thread about Nikns's port. When {Puffy} Meets... Nikns's WireShark 0.99.6_4.1 from July 2007 (when OpenBSD 4.1 would have been the latest version).

Privilege separating

Grumpy BSD Guy: Practical Packet Analysis is Good Fun provided three options for separating traffic. (Apparently these three options were being quoted from a book.)

sudo tshark -w - | wireshark -k -i -
sudo dumpcap -w - | wireshark -k -i -
sudo tcpdump -e -s 65535 -i interfacename -w - | wireshark -k -i -

CompilingWireshark on OpenBSD indicates that providing read-access to the Berkeley Packet Filter (/dev/bpf?) devices is sufficient: root access is not needed. So if those devices are assigned to a group, and the group permissions get read access, then that'll work. web page about Wireshark may show the product's popularity. It has been (and perhaps still is) listed as the number one application. If it is still very popular at the time of this reading, it is also likely to be listed at the top of the main page for Top Network Security Tools. This ranking is based on popularity, which can be based on factors such as ease of use (rather than having decent security).

This product is certainly not something to try to shove under a rug and intentionally strive to ignore. However, this guide may not provide many further details, influenced by a desire to place security concerns above ease of use.

Perhaps more in the short list at: Wikipedia's page called “Packet analyzer”, section called “Notable packet analyzers”

Packet Capturing software for Microsoft Windows

There may be multiple methods for software to be able to access data. The web page for NirSoft SmartSniff and/or web page for NirSoft NetworkTrafficView may describe some of the methods.

At least some of these solutions may need a packet capture driver. (Other solutions may have limitations, as noted by Nirsoft's Smartsniff: Problems/Limitations.)

Note that these solutions need to be downloaded. See also the section of Real-time monitoring software for Microsoft Windows other than the WinPcap solutions.

TCPDump's home page, also the home page for libpcap, says “People with Windows distributions are best to check the Windows PCAP page for references to WinDUMP.” That page has hyperlinks to WinDump's site as well as information about some libraries (WPCAP.DLL and PACKET.DLL).
TShark, Wireshark (previously known as Ethereal)

In a discussion about WireShark not being available on OpenBSD, a post by Bryan Irvine noted, “I like ettercap.”

For C programmers, there is a “Programming with pcap” guide at

Raw socket support

This section covers drivers for capturing received packets, and possibly supporting outgoing packets (by capturing outgoing packets and/or sending outgoing packets). These may be the preferable drivers for the simple sake that they may provide more flexibility than drivers that simply support packet capturing. On the other hand, drivers that simply support packet capturing may be easier to implement in a more compatible fashion, so software authors may provide benefit by supporting one of the more limited APIs described in the section about Packet Capture implementations (drivers).

Here are further details about some of the drivers that may provide more support.

Some of these are commonly bundled with an operating system. For instance, OpenBSD may include the Berkeley Packet Filter support, while WinPcap may need to be downloaded for users of Microsoft Windows.

Options for Microsoft Windows
Raw socket support

Raw socket support is built into the operating system; no extra drivers are needed to support Raw socket support. The following software may utilize raw socket support.

Nirsoft's TrafficView

This allows for packet capture and traffic reporting. Reported traffic can include IPv4 addresses, which program is actively using an active connection, and data speeds.

Nirsoft's Network TrafficView: section about System Requirements discusses this a bit. With User Account Control (at least with Windows 7), software may need to be “Run As Administrator” to work. Additionally, when Nirsoft's Network TrafficView is using this type of method for interacting with network traffic, this software “can only capture IPv4 TCP/UDP packets. It cannot capture other type of packets, like the other capture drivers.” Also, the web page notes that this software “doesn't work in all Windows systems, depending on Windows version, service pack, and the updates installed on your system. On some systems, Raw Sockets works only partially and captures only the incoming packets. On some other systems, it doesn't work at all.” Some further details may be provided by the Nirsoft SmartSniff packet sniffer: section about problems with raw socket support. (This software only provides any support for using raw socket support in Windows 2000 and XP and newer. Windows ME and older operating systems pre-dating Windows 2000 may not have raw sockets supported at all by this software of NirSoft's. At least some such software might be supported if using a different driver.)

GeoIP support

With version 1.55 of TrafficView, support was added for MaxMind's GeoIP data. Download (from GeoLite Free Downloadable Databases), and have that downloaded GeoLiteCity.dat.gz file be placed in the same location as TrafficView. Note that this might only be for IPv4 addresses, at the time of this writing, because it seems that IPv6 is in a different downloadable database (which TrafficView might not support yet?)

[#winpcap]: WinPcap (for Microsoft Windows)

Wayback Machine @ cache of WinPcap 2.1 beta notes says WinPcap “includes a kernel-level packet filter driver, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (WPcap.dll).”'s Relationship of WPCAP.DLL and PACKET.DLL explains the difference between those latter two components of WinPcap: “packet.dll provides a Win32-specific API for capturing *and* sending packets, just as the BPF driver on BSD, PF_PACKET sockets on Linux, DLPI on Solaris and HP-UX and some other flavors of UNIX, etc. provide APIs that are somewhat OS-specific for capturing and sending packets on those OSes.” “The routines with names beginning with "Packet" are the packet.dll routines; that's the packet.dll API.”

Notes on some older versions
Compatibility notes for older versions of Microsoft Windows that use 16-bit code
Support for dial-up modems

A forum post noted, "Download WinPcap 3.1 beta 4. This is the newest version and is supposed to work with dial-up modems." On a side note, URL Snooper page stated, “if you use a dial-up modem, you will have to go through some extra steps to get URL Snooper to work. Visit the Streaming Media Recording Forum for more help on using URL Snooper and for general help on recording streaming media.”

Berkeley Packet Filter
a.k.a. BPF
PF_PACKET sockets on Linux
Relationship of WPCAP.DLL and PACKET.DLL mentions “PF_PACKET sockets on Linux”.
Relationship of WPCAP.DLL and PACKET.DLL mentions “DLPI on Solaris and HP-UX and some other flavors of UNIX”.
[#pktcpdrv]: Packet Capture implementations (drivers)

Note: These drivers may be bundled with one or more of the packet capturing software solutions. Therefore, this section may often be skipped by those just seeking to capture data. This section is included for reference, though, since many/all of the solutions may refer to some of the implementations listed in this section.

Unix generally won't need extra drivers. Software that is designed to capture packets will work by placing a device into “promiscuous” mode. That may require running a program as a superuser.
[#netpcap]: pcap
For Unix-style operating systems
[#wpcapdll]: WinPcap's WPCap.dll

This comes bundled with WinPcap. (The section about WinPcap may have some further details.) Freeware for Microsoft Windows


Wikipedia's article on Wireshark: section called “Security” notes “As of Wireshark 0.99.7, Wireshark and tshark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges: neither Wireshark nor TShark need to run with special privileges, and neither of them should be run with special privileges.”

manual page for dumpcap.

AirPcap has a “WinPcap Enhancements” section which links to AirPcap which appears to involve a (USB) device and a price of about $200 for the most basic solution. There are other pricier solutions offered as well.
Microsoft Network Monitor driver

Some of this information may be based on Nirsoft's Network TrafficView: section about System Requirements and Nirsoft SmartSniff packet sniffer: section about problems (about specific methods of accessing packets).

This has the advantage (over WinPcap) that it might come with the installation media of some Microsoft operating systems. It may also be downloaded. It is, however, supported on fewer platforms than WinPcap's WPCap.dll.

Microsoft Network Monitor 3 has been made available for download for x86, x64, and ia64 hardware platforms, for Windows Server 2003 SP2 and XP Service Pack 3 and XP 64-bit and newer (according to Microsoft's web site... perhaps it might work with older platforms, but they weren't listed as supported platforms).

Version 2.x works with Windows Server 2003 and is included with the installation media for Windows 2000 (according to Wayback Machine @'s cache of Microsoft's instructions for installing the Network Monitor Driver in Windows 2000) and the installation media for Windows XP (Windows XP SP2 Support Tools). TechNet: Windows Server 2003 documentation: NetCap Overview says, “If the Network Monitor Driver is not installed, NetCap installs it the first time the tool is run. To remove the driver, use netcap /remove.”

Nirsoft SmartSniff packet sniffer: section about problems (about specific methods of accessing packets) has this note (which might be specific to Nirsoft SmartSniff): “If WinPcap is installed on your system, and you want to use the Microsoft Network Monitor Driver method, it's recommended to run SmartSniff with /NoCapDriver, because the Microsoft Network Monitor Driver may not work properly when WinPcap is loaded too.”

Additional Monitoring software

This software might, or might not, use some of the above packet capturing drivers. (Further research may be needed to determine that.)

Microsoft Windows

This section describes some software for Microsoft Windows. (See also the section about packet capturing software, as that section has some details about Microsoft Windows.)

Microsoft Network Monitor

See Microsoft Download Center's section for Microsoft Network Monitor 3.4, and MS KB 933741: Information about Network Monitor 3. Wikipedia's page on Microsoft Network Monitor says, “Originally versions of Network Monitor were only available through other Microsoft products, such as Systems Management Server (SMS). But now the fully featured product with public parsers is available as a free download.” That history is evident in Microsoft's Netcap Remarks page, which refers to “the full version of Network Monitor (available with Microsoft Systems Management Server version 2.0)”, citing that this software “can capture all the frames it detects.”

Network Monitor 3.4 requires Windows XP or newer.

MS KB 812953: How to use Network Monitor to capture network traffic

Netcap uses a network monitor driver. Using netcap /remove will stop that driver. Netcap Overview notes, among other things, “NetCap requires one of the following operating systems”: Windows Server 2003, XP Pro, or 2K. Additional pages related to NetCap include: Netcap Syntax, Netcap Examples, Netcap Remarks.
URL Sniffing
Nirsoft's HTTPNetworkSniffer
This software is clearly documented to NOT be an HTTPS sniffer.
URL Snooper (by Mouser)

(The web page identifies this as “URL Snooper” while the program's installer identifies it as “URLSnooper”.)

URLSnooper gives out free licenses.

The software uses WinPCap. The software's home page mentions some details related to WinPCap. (Such details have been mentioned/relayed from the WinPCap section.)

Perhaps additional software may be found via: URL Finders.

[#lognetrf]: Logging, analyzing, and playing back network traffic

Many/all of the popular network monitoring software options have the ability to record network traffic. Some network infrastructure devices may also have the ability to capture network traffic so that the logs may be analyzed from another machine. So, it is unsurprising that's Easy TCPDUMP Tutorial notes “Wireshark can be used to read the logs captured by TCPdump too.”

libpcap file format
Dumpcap's manual page says, “Dumpcap's native capture file format is libpcap format, which is also the format used by Wireshark, tcpdump and various other tools.” (This may not be the only format supported by Dumpcap, but may be the default format.) WireShark's Wiki page about Libpcap File Format says, “The libpcap file format is the main capture file format used in TcpDump/WinDump, Wireshark/TShark, snort, and many other networking tools.” That Wiki page also provides more information about the file format.
Dumpcap's manual page notes support for this. Page on WireShark's site, about pcap/pcap-ng (from January 23, 2011) notes (among other details): “Currently there's limited support for pcap-ng, still considered experimental.”
Other platforms:
Some devices may support one or more formats that are not PCAP. (They may or may not support PCAP as well.) (Perhaps SonicWALL devices may capture in a format similar to Wireshark?)
[#ipcrftrf]: Packet crafting

Note that some operating systems may limit the ability for programs to send non-standard traffic. These limitations are intentional, as they make packet crafting more difficult. Making packet crafting more difficult can reduce the ease of certain types of network-based attacks, which is a key motivation for why these limits are often put in place. So, crafting non-standard packets may require working around these limitations (perhaps by gaining appropriate Administrator-style access, or perhaps by using a different network stack (which would commonly mean using a different operating system)).

(Some of this information may not have been tested by the author of this text. However, the information is being provided anyway, simply to be a convenient reference. Exploration may be helpful.)

Software that performs packet crafting may support the PCAP format, as described in the section about Logging network traffic.

Packet crafting software
Command line programs

Command line programs may include:


Wikipedia's page for Netcat refers to an address for the Netcat 1.10 (by _Hobbit_) home page as being the home page for Netcat. That home page shows some documentation that indicates the command line program is called “nc”. However, some implementations might use another command line executable filename, such as “netcat”, so Unix users may want to try running “which nc” and “which netcat” (or “apropos netcat”) to see if there is anything pre-installed.

There is also the GNU Netcat project.

Nmap's Ncat
Nemesis can work for Unix types of platforms (including BSD and Linux), as well as Microsoft Windows. (The following is based on observations from doing some minimal reading.) This program seems to be pretty flexible, but also comes with some specialized programs that are designed to use certain protocols, offering less overall flexibility but being easier to use for specific protocols. Nemesis Documentation lists the various programs.
Additional software

This simply provides some references to additional software (which might or might not have some sort of command line interface).

Wikipedia's article on “Packet crafting” mentions some additional names.

A program with a graphical interface may be Ostinato.

serverfault post about IGMP indicates that iperf can be used to subscribe to a multicast group: it appears that might be a method of sending packets.

Packet crafting software may simplify the process of using custom types of packets to perform certain tasks such as “packet injection”, where unexpected packets may be inserted into a conversation (perhaps as a method of packet forgery or packet spoofing, as part of an attack). However, not all uses are so malicious. (Wikipedia's article on “Packet injection”: “Uses” section has a short list of both malicious and benign uses.)

Communications (E-Mail)

See: messages (including the subsection about E-Mail).

Finding computers, service discovery
Methods may include:
Reviewing DNS entries and/or DHCP leases
Looking through a list of DNS entries (especially dynamically assigned DNS entries), or current DHCP leases, may reveal the names and/or addresses of devices on the network.
Browser service (Windows network neighborhood)
Uses NetBIOS? (see win2k rk for a program) Master Browser, etc. See: nbtstat, Browstat.exe, CIFS Browsing Protocol. (MS KB 818092 has info on Browstat and Browsing Console (Browcon.exe).)
File transfers (file serving/hosting/sharing)

TOOGAM's page of software relating to file transfers has some implementations. Some methods of sharing files may also be covered in the section about filesystems provided over networking.


See also information related to the system clock.

Setting the time is good so that the current time can be checked, logs with records of previous times may have accurate times, and protocols that rely on time comparisons can operate correctly. A key example of time being required, which may not be initially obvious, would be the network-based authentication implementations that rely on time. For example, some network authentication implementations may check to ensure that received communications have accurate information about when those communications were created. Creating a message is an action that clearly took place in the past by the time the message is received, so if a message claims a creation time that the receiver identifies as being in the future, then that message will be distrusted. (If one computer has a slow clock, its messages may appear to be coming from a time further in the past, but perhaps more condemningly, the slower computer may find that the replies from systems with accurate time end up looking like those messages are coming from the future.)

Systems of Time

There are various methods of keeping track of time, presumably the most famous of which is Solar Time. However, there are other methods including “International Atomic Time”, commonly abbreviated by the French initials “TAI” for “Temps Atomique International”, and various versions of “Universal Time”, such as the universal time which is coordinated, UTC. (The abbreviation was a compromise, as noted by Wikipedia. The US's National Institute of Standards and Technology's page with brief descriptions of time standards says this was to “avoid appearing to favor any particular language”. The result also fit nicely with the naming pattern applied to other versions of Universal Time.) UTC has also been referred to by the name Zulu Time. The difference between UTC and another time measurement, UT1, is called Delta Universal Time 1, a.k.a. DUT1. GMT is similar/exact to UT1???. The “Global Positioning System” version of time is similar to TAI, but is offset by having GPS be ahead by 19 seconds, which is the amount of leap seconds that UTC recognized at the time of the “Global Positioning System (GPS) epoch”, which is midnight (00:00:00 UTC) on Sunday January 6, 1980. GMT: Wikipedia's page on UTC says: “Saying "GMT" often implies either UTC or UT1 when used within informal or casual contexts. In technical contexts, usage of "GMT" is avoided; the unambiguous terminology "UTC" or "UT1" is preferred.” For some more information, see: Tycho (US Naval Observatory) page on Leap Seconds, GPS time info.

Time zone(s)
Although most of the world is synchronized with UTC, “local time” in a particular area is generally an offset by a certain number of hours, generally so that noon in the middle of the time zone will be the time when the sun is directly overhead. Most people are interested in seeing “local time”, yet using “local time” can cause some confusion when dealing with multiple time zones or multiple methods of keeping track of time within a time zone, notably due to changes to a location's local time due to daylight savings time implementations.
Checking time zone in Unix

Time zone files may be stored under /usr/share/zoneinfo/. A hyperlink to a time zone definition file may be located at /etc/localtime and may point to one of the time zone files stored in /usr/share/zoneinfo/.

Perhaps similar in nature: may want to check the kernel. To see the current setting, run the interactive command:

config -ef /bsd

(The reference to /bsd is a reference to the kernel being used. If the operating system was booted using a different file for the kernel, specify the kernel that is actually being used.)

In that program, run:


The number shown is the number of minutes to add to the system's clock time in order to get to UTC/GMT. So when US/Pacific is GMT-8, that's -8 hours = -480 minutes, so the desired output would be timezone 480.

FAQ 8: Time zone, FAQ 4: More time zone

Checking time zone in Microsoft Windows

Try one of the following:

systeminfo | find "Time Zone"

See also: control timedate.cpl

Perhaps see also:

WMIC timezone GET /ALL
[#seecurtm]: Checking the time

There are often clock programs available for a system. Commonly, the method of changing time will show what the current time is before the change takes effect.

[#rfc867]: There is a very old protocol specified by RFC 867: Daytime Protocol. This simple protocol involves creating a TCP connection to port 13 to have the time printed out in a fairly human-readable format. (For Unix, this is often implemented by inetd. For Windows, this may have a name such as the following seen in Windows Vista: “Simple TCPIP services (i.e. echo, daytime etc.)” (This may be found in an area where a user can “Turn Windows features on or off”, possibly accessed with the icon in the Control Panel which shows the names of some installed software and the ability to run an uninstaller for those programs.))

[#rfc868]: There is a similar protocol described by RFC 868: Time Protocol, a protocol which is sometimes called the “time server” protocol, which has port 13 (TCP or UDP) as its standard port. The time server “returns a 32-bit time value and closes the connection.” The value is the number of “seconds since midnight on January first 1900.” The RFC also specifies, “this base will serve until the year 2036”. This RFC, dated May 1983, does not specify what will happen after that year.

Some web sites may also show the time. Naturally, there is not a world-wide guarantee that every web site's clock will be accurate. There may be different implementations regarding how much the time is synchronized between the web server and the web client. However, even an unsynchronized time might be close enough for a person who is just wanting a general idea of the time. Examples may include: US Naval Observatory Master Clock, Google search for “time”, eBay Time.

Changing the time

Make sure the time zone is set desirably, as detailed in the next section.

Time synchronizing
Synchronize with private servers and/or public servers. See: Network-synchronized time.
Manual time set

See also: system clock. (Some/all of this information may be moved/merged to that section.)

Briefly: See if there is a date or time command. (Unix commands may have an unrelated time command: time is changed using the date command.)

In more detail: The operating system usually keeps track of time, using the assistance of the “system clock” and/or handling time offsets using support for time zones (except for more ancient operating systems which typically did not have substantial support for time zones). For more details about setting the system clock, see the section about the system clock, and more specifically the subsection about setting the system clock.

Using/Checking multiple local clocks

See also: system clock. (Some/all of this information may be moved/merged to that section.)

On some platforms, the system clock may be set to one time and using one time zone, while the operating system's internal clock may use a different time zone. Also, updating the time in the operating system, whether manually or through an automated process, may not change the system clock.


OpenBSD FAQ 8.24: clock differences of seconds (more than twenty), OpenBSD: Setting time zone info in the kernel describes using the config command to set the TIMEZONE kernel option: There is also a DST kernel option. OpenBSD man page for options: section on options related to operations has info on DST and TIMEZONE. The value of TIMEZONE will be the number of minutes to “add” to the local time to reach UTC: For time zones ahead (East) of UTC, this will be a negative number so that subtraction occurs to reach UTC. Examples include -540 for Tokyo (9 hours ahead of UTC, as noted by OpenBSD man page for options: section on options related to operations: section on TIMEZONE), 300 (for US/Eastern, which is 5 hours behind UTC as noted by OpenBSD FAQ 8.25: Setting information about the local time zone), and 480 for Pacific Standard Time (8 hours behind UTC). During the summer time (from a date in Spring through a date in Summer), daylight savings time may need to be specified in order to accurately calculate local time for that region. To do so, e.g. areas in Pacific Standard Time (8 hours behind UTC) may instead use Pacific Daylight Time (7 hours behind UTC). The way to express this is to set TIMEZONE to 480 and DST to 1.

Clean-up required?

(e.g. “config -ef /bsd” to show a “ukc>” prompt. From there, use the timezone command to specify the amount of minutes to add to local time to get to UTC.)

minutes behind UTC. and “ ukc> timezone 4800

timezone 800
e.g. OpenBSD: config

Scheduled time adjustments
Daylight savings time

This is often defined by data related to a time zone. (See support for time zones.)

A leap year contains an extra day, whereas the term “leap second” refers to the actual extra second. Since a leap second occurs only about once every 18 months, for most practical purposes the effect of a leap second can be dealt with by simply synchronizing with an external source. A leap year is simply a year which has one extra day, which is February 29th. That occurs every four years, with some exceptions when the year is the first one of a century (meaning that the last two digits of the year are both zero).
[#netsyntm]: Network-synchronized time
Viewing/Specifying the list of peers

NTP servers.

Microsoft Windows
Finding peers

One or more of the following commands may show peers.

net time /QUERYSNTP
w32tm /query /peers

Similar commands may be used to set peers.

See also the section about handling interaction with other servers.

Synchronizing time (manually)
Microsoft Windows

If more information is needed, see Microsoft KB Q816043.

Client interaction

To re-sync, one or more of the following may have the desired effect:

net time /SET
w32tm /resync
[#wintpflg]: Handling interaction with other servers

Set the peer list. (Directions for this may still be needed.)

Then, if remote system uses client mode, set sync flags. (This likely/always is NOT needed if remote system uses Windows.) Microsoft KB Q875424: Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003 provides details. If there are errors communicating with the time server, the document basically has a user try running something like the following:

w32tm /config /manualpeerlist:NTP_server_IP_Address,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time

The “,0x8” specifies to use Client mode. The “0x8” is documented by Microsoft KB Q875424: Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003.

Another option may be to change a registry entry:

C:\>reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled

   Enabled    REG_DWORD    0x0

C:\>reg DELETE HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled /f
The operation completed successfully.

C:\>reg ADD HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled /t REG_DWORD /d 1
The operation completed successfully.

C:\>reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled

   Enabled    REG_DWORD    0x0

C:\>

also has a (which may use a graphical interface). (At the time of this writing, this utility has not been tested. This is not meant to be proactively recommended, at the time, but is simply being provided as an option to consider/review/test when dealing with time.)

[#openntpd]: OpenNTPD

OpenNTPD uses a configuration file which may or may not be sufficient. The first part of this quick guide is making a simple configuration file that may be sufficient. After backing up the existing file (if there is one), make sure /etc/ntpd.conf.local has a servers line. Also, if it is desired for this machine to serve time, have it listen for network traffic. The following will use a global pool and listen on all network ports:

The following will back up a /etc/ntpd.conf.local if it exists. (It will overwrite an older backup if it exists.)

Old method: sudo cp /etc/ntpd.conf.local /etc/ntpd.conf.local.orig
Newer method: [ -f /etc/ntpd.conf.local ] && cpytobak /etc/ntpd.conf.local
[ -f /etc/ntpd.conf.local ] && [ ! -f /etc/ntpd.conf.local.orig ] && sudo cp /etc/ntpd.conf.local /etc/ntpd.conf.local.orig

Then, the following sets the NTP configuration.

echo listen on \* | sudo -n tee -a /etc/ntpd.conf.local
echo servers | sudo -n tee -a /etc/ntpd.conf.local

There are more specific pools. For example, people in North America may want to use either or a pool that is dedicated to a specific nation, such as for Canadians and for people in the United States of America. A public website about the NTP Pool Time Servers lists the major/continental areas in hyperlinks that show lists of even more localized servers.

Now that the OpenNTPD program is configured so that it uses the desired options when it starts with the specified configuration file, the remaining task is to make sure that OpenNTPD does actually start up, and that the software does use the desired configuration file. Details may vary based on operating systems, and may be covered by the system startup guide.

Example: setting the software to automatically start in OpenBSD

With OpenBSD, the software may already be set to automatically start up: If the operating system's installation procedure asked about NTP support, and if it was desired, it is possible that /etc/rc.conf.local exists already and has the following content:

ntpd_flags=             # enabled during install

Users who are actually using OpenNTPD, which would be under OpenBSD, can use the following example commands:

The following will back up a /etc/rc.conf.local if it exists. (It will overwrite an older backup if it exists.)

sudo cp /etc/rc.conf.local /etc/rc.conf.local.orig
[ -f /etc/rc.conf.local ] && cpytobak /etc/rc.conf.local
[ -f /etc/rc.conf.local ] && [ ! -f /etc/rc.conf.local.orig ] && sudo cp /etc/rc.conf.local /etc/rc.conf.local.orig
echo ntpd_flags=\"-f /etc/ntpd.conf.local -s\" | sudo -n tee -a /etc/rc.conf.local

The above example will not literally work in any operating system that ignores /etc/rc.conf.local, although the concept is valid: other operating systems may vary slightly in detail, but still implement the same general concept. The example shown was designed to work well for OpenBSD. For details on how to do this with other operating systems, see: system startup: system startup configuration files (and system startup: automatically started files).

Users of “Portable OpenNTPD” will likely need to check how to modify the startup procedures of the operating system being used. The simple goal will be to run ntpd with the part shown between the quotation marks, not including any backslashes, in the above example command line.

Modifying the startup file does not cause the program to be immediately run. Check to see if any copies of ntpd are currently running. (See the guide to finding out what software is currently running.) If so, those may be copies of the program that were set before using a decent configuration file, which may explain why the system's clock might not be accurate yet. Worse, that software may be using the NTP TCP port, preventing correctly-configured software from being able to function. So, stop any such software that is currently running. (See the guide to adjusting what software is running.)

Run the software manually: “sudo ntpd -f /etc/ntpd.conf.local -s”


Perhaps use OpenNTPD Portable. (This works on several operating systems, although OpenBSD users will likely just use OpenNTPD rather than the version with additions for portability.) OpenBSD FAQ 6.12.2: Comparing OpenNTPD to others refers to dtucker diary (entry number 52): Response to OpenNTPD criticism which discusses some ways OpenNTPD differs from other implementations. The page notes, “If you want a small daemon that will do a decent job of keeping your clock in sync while running mostly unprivileged, then OpenNTPD may suit. If it does, great. If not, and you decide to use something else, that's fine too.”
Another option is software from
[#setim868]: Setting time with the Time Protocol

RFC 868: Time Protocol, like RFC 867: Daytime Protocol, documents a protocol which allows time to be transmitted over TCP. This may be sufficient when there's a desire to quickly get a fairly inexact idea of the current time, not being concerned about issues such as sub-second precision. Another aspect that may not be addressed very precisely is a concern about a precise time that is set with quite a bit of care being given to taking lag into account. These sorts of issues could cause some problems, but this may be good enough in many cases.

The Time Protocol of RFC 868 uses 32-bit numbers to communicate how many seconds have elapsed since the first second of the twentieth century with the GMT time zone. So, a value of 60 represents 12:01am GMT. As the last positive “signed” value would have ended in about 1968, the assumption is that values are unsigned and so should last until sometime in the year 2036. (4,294,967,295 seconds is 49,710 days (4,294,944,000 seconds), 6 hours (21,600 seconds), 28 minutes (1,680 seconds), and another quarter of a minute (15 seconds). If there are 365.25 days per year, that equates to 136 years = 49674 days, plus 36 more days, so February 5, 2036, at 6:28am may be the time when this protocol becomes unusable without modification.)
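
The 32-bit value described here and in the earlier RFC 868 paragraph, worked through as an added example (not code from the RFC, from rdate, or from this guide). It encodes and decodes the reply, uses real calendar arithmetic for the last representable value, and runs both sides of the exchange on a loopback port; all function names are hypothetical, and the "pivot" handling of the 2036 wrap is an assumption of this example rather than part of RFC 868.

```python
import socket
import struct
import threading
from datetime import datetime, timedelta, timezone

# Seconds from 1900-01-01 00:00:00 to 1970-01-01 00:00:00 (the Unix epoch).
SECONDS_1900_TO_1970 = 2_208_988_800
ERA = 2 ** 32  # an unsigned 32-bit counter wraps after this many seconds


def encode_time(unix_seconds):
    """Server side: 4-byte big-endian count of seconds since 1900, modulo 2**32."""
    return struct.pack("!I", (int(unix_seconds) + SECONDS_1900_TO_1970) % ERA)


def decode_time(reply, pivot_unix=None):
    """Client side: turn a 4-byte reply into Unix seconds.

    Without pivot_unix the value is read literally (1900 through early 2036).
    With pivot_unix (an assumption of this example, not part of RFC 868) the
    wrapped counter is mapped to the moment closest to that trusted estimate,
    so replies sent after the 2036 wrap still decode to a sensible date.
    """
    if len(reply) != 4:
        raise ValueError("expected exactly 4 bytes, got %d" % len(reply))
    (since_1900,) = struct.unpack("!I", reply)  # unsigned, network byte order
    unix = since_1900 - SECONDS_1900_TO_1970
    if pivot_unix is not None:
        unix += ERA * ((int(pivot_unix) - unix + ERA // 2) // ERA)
    return unix


def to_utc(unix_seconds):
    """Unix seconds to an aware datetime (works for pre-1970 values too)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=unix_seconds)


def clock_offset(reply, local_unix):
    """Seconds the local clock must be advanced to match the server.

    Whole seconds only, and network delay is not compensated.
    """
    return decode_time(reply, pivot_unix=local_unix) - int(local_unix)


def query_time_server(host, port, timeout=5.0):
    """Open a TCP connection and read the 4 bytes the server sends before closing."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while len(data) < 4:
            chunk = conn.recv(4 - len(data))
            if not chunk:  # server closed early; decode_time will reject it
                break
            data += chunk
    return data


def loopback_exchange(server_unix):
    """Run both sides on 127.0.0.1 (ephemeral port) and return the raw reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(encode_time(server_unix))  # send the value, then close

    worker = threading.Thread(target=serve_once)
    worker.start()
    try:
        return query_time_server("127.0.0.1", listener.getsockname()[1])
    finally:
        worker.join()
        listener.close()


if __name__ == "__main__":
    # Constructed scenario: the server clock reads 2024-01-01 00:00:00 UTC
    # and the local clock is 90 seconds slow.
    server_now = 1_704_067_200
    local_now = server_now - 90
    reply = loopback_exchange(server_now)
    print("raw reply:", reply.hex())
    print("server time:", to_utc(decode_time(reply, pivot_unix=local_now)))
    print("local clock offset:", clock_offset(reply, local_now), "seconds")
    # Last value the unsigned counter can hold, by exact calendar arithmetic.
    print("last literal value:", to_utc(decode_time(b"\xff\xff\xff\xff")))
```

A client that treats the reply as a signed integer, or that never supplies a pivot, will jump back to 1900 once the counter wraps, which is the failure a time-dependent authentication check would then see as a grossly wrong clock.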

OpenBSD's “manual page” for rdate refers to RFC 868, and notes that RFC 868's protocol over TCP “is usually implemented as a built-in service of” inetd, “or an RFC 2030 protocol SNTP/NTP server.”

[#sntp]: Simple Network Time Protocol (“SNTP”)
OpenBSD's “manual page” for rdate refers to RFC 2030: Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI. That RFC has been marked as obsolete by RFC 4330: Simple Network Time Protocol (SNTP) Version 4 for IPv4 which has been marked as obsolete by RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification. RFCs 4330 and 5905 note that SNTPv4 is backwards compatible with NTPv3, which is defined by RFC 1305: Network Time Protocol (Version 3) Specification, Implementation, and Analysis.
Manually setting time

Just as the rdate command can use the Time Protocol, other solutions could easily be developed that use the Daytime Protocol and/or one of the other methods of determining the current time.

Keeping time accurate

Using a network to synchronize clocks has become commonplace: TAI is a major world-wide standard of synchronized time, and it is determined using the average of multiple clocks, as described by Wikipedia's article on “International Atomic Time” (a.k.a. the French name of “Temps Atomique International”, and globally abbreviated as “TAI”).

Time servers
Public time servers
Setting up a private time server

See: Microsoft KB Q216734: How to configure an authoritative time server in Windows 2000 and Microsoft KB Q314054: How to configure an authoritative time server in Windows XP, both of which show editing the registry.


Perhaps see: logs.

Network-based authentication

This section is specifically about authenticating using resources located elsewhere on the network. This is listed as a popular service as this service may provide functionality that allows other services to start. The first requirement to authenticate users is generally a database of the users and their credentials: that is covered in the separate section in the area about users: user authentication.

[#netdtbas]: Databases (accessing databases via the network)

This section is about setting up a network-capable database server. (Creating the databases, and other interactions with the databases, such as filling in data, modifying data, backing up and restoring data, is information that goes into the section about using a network database.) That might be able to be done with some standard protocol(s). (For information about client software, or software choices, see: database software section.)

This section is simply about getting the SQL software installed, using existing database data (which may be stored in some files), and allowing the network traffic. For example, it covers attaching databases so that the databases may be visible to other SQL software. Whether the data in the database is the desired data is the type of thing more likely to be covered by the section about using a network database.

Basic steps:

- Install SQL server software.
- Ensure there is a recent backup.
- Get databases online. This can be done by:
  - Restoring saved databases.
    - This can be done using the database server software, if compatible files are found.
    - This can be done with the software, which may choose to communicate with the database software using some sort of protocol (possibly with a language such as SQL).
  - Making new databases.
- See that the databases are accessible.
  - See if the databases are available remotely. If they are, and if the database can be effectively used by remote software, checking whether it shows up locally is unnecessary. However, if it cannot be connected to remotely, a useful step may be seeing whether or not the database is live/online/up/attached/used/in-use as reported by the local software.
- Modify the database.
  - This may be done using a database language, which could perform functions such as adding a row.
  - This may be done using software which modifies the data as desired.
- Ensure that the databases are going to be regularly backed up.
  - Ensure that there is a recent backup, using the method that will be used long term (or a similar method, such as manually starting a pre-configured backup job which is scheduled). This will help to test that the data can be backed up easily using the desired software (although some aspects, such as making sure the backup software's scheduling works, may be most effectively tested after a certain time that makes sense according to the schedule).

Referencing the database

The following describes typical notation using Microsoft SQL Server on Microsoft Windows. (Further details will be provided regarding how this notation is typically used with other server software on that platform or on other platforms.)

There are basically four pieces of information which software typically asks for when it tries to interact with a database.

Machine hosting the database
May be a reference such as MachName or \\MachName. The latter syntax may look like a UNC, but do not mistake this SQL reference for an SMB reference. (SQL probably does not depend on SMB file sharing at all.)
Instance name

This name may be referred to as a name by itself (e.g. instanceName) or may follow the machine name and a backslash, e.g. MachName\instanceName or \\MachName\. That latter syntax may really look like a UNC, but do not mistake this SQL reference for an SMB reference. (SQL probably does not depend on SMB at all.)

For Microsoft SQL Server, there may be a separate service for each instance. The free MS SQL Svr (which is called Microsoft SQL Server Express YYYY, where YYYY is a date reference, and which has formerly been known as the Microsoft Server Desktop Edition, perhaps more commonly known by its initials MSDE) may have only one server instance on the machine.

Database names
Each instance may (or will) have one or more databases which are “attached”. The raw files being used are the “.MDF” and “.LDF” files. Some databases may also use “.MDF” files.

Credentials
The most common credentials are the ones for a “system administrator”: Most commonly (a standard (perhaps informal?), but de facto) the username is simply two letters: sa. The password may be separate: Some closed source software may use an sa password which is not intended to be used by end users.

Of these, the credentials are perhaps the least likely to be seen: Some software will even provide credential configuration information on a different graphical configuration screen than the screen that deals with network connectivity, although a lot of software will have this information near the other connection information. (This makes sense because of the logical similarity of the credentials and the other information used to connect, because that is the database-specific data that is needed to access an individual database.)

Working with the database over the network
List the databases available on a server (instance)
If the server responds but does not show this database
Make sure the database is online

If a specific database is not showing up on the network, it may be worthwhile to check whether or not that specific database is live/online/up/attached, in use by the server (instance).

Often this isn't something that ends up being required because a database may be brought online by the software which uses the database server. An installer (software designed to install other software) may offer to install a database server. The same installer may ask the user what database server to use, with an option being the server that can be installed by the installer. Once the installer knows what database to use, and after installing the database server if needed, the installer may then proceed to create that database (if it doesn't exist yet). However, it is good to be able to check whether a database is in use by the server, both as a troubleshooting step for networking and to be able to make a database come online after it is offline for some other reason.

The instructions for checking whether a database is in use by a database server may be a bit more specific to the implementation of the database server software. Further details are available, near instructions for backing up and restoring databases.

If it is not online on the expected server, double-check which server the data is supposed to be on.

If the database is online (visible locally when checking the server), there are a couple of checks to perform. One, which may be quicker and easier, is to check that the database client is properly requesting information from the desired database server. The other is to use the database server software to check the network settings that are being used by the database software; specifically, ensure that the desired protocol is available. Note that there may be such network settings for a specific database.

Misc notes

Attaching the database is typically handled by the software that puts the database onto the SQL server, and so the person who administers the database won't need to worry about this step. To check this, software specific to the type of SQL server can be used to verify whether a database is attached.

However, the administrator of the database may wish to interact with the server software to determine whether the database is considered to be successfully attached, because having the database attached is

The database should be “attached” to the SQL server (or SQL server instance). If some software isn't seeing the database, check that the SQL server is running and that the specific database mentioned is in the list of attached databases.

Viewing the list of attached databases: The database is basically stored inside files which may be either “attached” or “detached”. There may be multiple methods of doing this, including using graphical tools. MS Q224071 may have some information about detaching a user database.

Some databases may not detach so easily. An attempt to detach the system databases may produce an error message such as “System databases master, model, msdb, and tempdb cannot be detached.” MS Q224071 may have details for: model, msdb (which requires model to be re-attached first), msdb, and tempdb.

Network protocols
DBM (???)
perhaps this isn't networkable?
Media specific

See: network connectors.