
Routing And Gateway Problems

Category: Network Troubleshooting
Type: Network Tools & Commands
Generated on: 2025-07-11 01:37:46
For: Network Engineering, Administration & Technical Interviews


This cheatsheet provides a practical guide to troubleshooting routing and gateway issues using common network tools and commands. It covers syntax, examples, and troubleshooting scenarios for Linux, Windows, and macOS environments.

1. Tool Overview

Tool | Description | When to Use
ping | Verifies basic network connectivity by sending ICMP Echo Request packets to a target host. Useful for quickly checking if a host is reachable. | Initial connectivity checks, verifying DNS resolution, gateway reachability.
traceroute / tracert | Traces the route packets take to reach a destination, showing each hop along the way. Identifies routing loops, latency issues, and points of failure in the path. | Identifying slow or failing network segments, mapping network paths, diagnosing routing problems.
netstat | Displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Provides a comprehensive overview of network activity. | Monitoring network traffic, identifying listening ports, verifying routing table entries, troubleshooting connection issues. (Partially replaced by ss on Linux)
ss | (Linux only) Similar to netstat but provides more detailed information about socket statistics. Generally faster and more efficient than netstat. | Replacing netstat for most use cases on Linux. Monitoring connections, socket states, and network statistics.
ip / ifconfig | (Linux) ip is the modern command for managing network interfaces, routing tables, and addresses. ifconfig is deprecated but still commonly used. On Windows, use ipconfig. (macOS uses ifconfig with BSD extensions) | Configuring network interfaces, viewing IP addresses, managing routing tables, bringing interfaces up or down.
route | Manipulates the kernel's IP routing tables. Allows adding, deleting, and modifying routes. (Often used in conjunction with ip on Linux) | Adding static routes, modifying default gateways, troubleshooting routing issues.
tcpdump / Wireshark | Packet sniffers that capture network traffic. tcpdump is a command-line tool, while Wireshark provides a GUI. Essential for in-depth analysis of network communication. | Analyzing network protocols, diagnosing connection problems, identifying malicious traffic, capturing authentication credentials (use with extreme caution).
mtr | Combines the functionality of ping and traceroute. Provides a continuous stream of ping data along the route to a destination. Excellent for identifying intermittent network issues. | Diagnosing intermittent connectivity problems, monitoring network performance over time, identifying unstable network paths.
nslookup / dig | Query DNS servers for information about domain names and IP addresses. Troubleshooting DNS resolution issues. | Diagnosing DNS resolution problems, verifying DNS records, troubleshooting website access issues. dig is generally preferred for its richer feature set.
pathping | (Windows only) Similar to mtr, combining ping and traceroute functionality. | Diagnosing intermittent connectivity problems on Windows, monitoring network performance over time, identifying unstable network paths.

2. Basic Syntax

  • ping:

    ping <hostname or IP address>
  • traceroute (Linux/macOS):

    traceroute <hostname or IP address>
  • tracert (Windows):

    tracert <hostname or IP address>
  • netstat:

    netstat [options]
  • ss (Linux):

    ss [options]
  • ip (Linux):

    ip <object> <command> [options]

    Objects include: addr, link, route

  • ifconfig (Linux/macOS):

    ifconfig <interface> [options]
  • ipconfig (Windows):

    ipconfig [options]
  • route (Linux/macOS):

    route [options]
  • tcpdump:

    tcpdump [options] '<filter expression>'
  • mtr:

    mtr <hostname or IP address>
  • nslookup:

    nslookup <hostname or IP address>
  • dig:

    dig <hostname or IP address>
  • pathping (Windows):

    pathping <hostname or IP address>

3. Practical Examples

  • Ping a gateway to check basic connectivity:

    ping 192.168.1.1 # Linux/macOS/Windows (replace with your gateway IP)

    Expected Output (Positive):

    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.500 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.450 ms
    ...
  • Trace the route to google.com:

    traceroute google.com # Linux/macOS
    tracert google.com # Windows

    Example Output:

    traceroute to google.com (142.250.184.142), 30 hops max, 60 byte packets
    1 192.168.1.1 1.234 ms 1.000 ms 0.800 ms
    2 10.0.0.1 5.500 ms 6.000 ms 5.800 ms
    3 <ISP Router> 10.200 ms 11.000 ms 10.500 ms
    4 <Google Router> 25.000 ms 24.500 ms 25.200 ms
    5 142.250.184.142 26.000 ms 25.800 ms 26.500 ms
  • View the routing table (Linux):

    ip route show

    Example Output:

    default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.100 metric 600
    192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.100
  • View the routing table (Windows):

    route print

    Example Output:

    ===========================================================================
    Interface List
    14...00 ff ff ff ff ff ......Wireless Network Connection
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway        Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100      25
          192.168.1.0    255.255.255.0          On-link    192.168.1.100     281
        192.168.1.100  255.255.255.255          On-link    192.168.1.100     281
        192.168.1.255  255.255.255.255          On-link    192.168.1.100     281
            224.0.0.0        240.0.0.0          On-link    192.168.1.100     281
      255.255.255.255  255.255.255.255          On-link    192.168.1.100     281
    ===========================================================================
    Persistent Routes:
    None
  • View the routing table (macOS):

    netstat -rn
  • Add a static route (Linux):

    sudo ip route add 10.0.0.0/24 via 192.168.1.1

    This adds a route to the 10.0.0.0/24 network, using 192.168.1.1 as the gateway.

  • Add a static route (Windows):

    route add 10.0.0.0 MASK 255.255.255.0 192.168.1.1
  • Capture traffic to a specific IP address (tcpdump):

    sudo tcpdump -i eth0 host 192.168.1.100

    This captures all traffic on interface eth0 to or from 192.168.1.100. Requires root privileges.

  • Use mtr to monitor network performance:

    mtr google.com
  • Query DNS for the IP address of google.com:

    nslookup google.com
    dig google.com

4. Common Options

  • ping:

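    • -c <count>: Send only count packets (Linux/macOS; Windows uses -n <count>). e.g., ping -c 4 google.com
    • -i <interval>: Set the interval between packets in seconds (Linux/macOS). e.g., ping -i 0.5 google.com
    • -t <TTL>: Set the TTL (Time To Live) value (Linux; macOS uses -m <TTL>, and on Windows -t pings until stopped while -i <TTL> sets the TTL). Useful for testing routing loops. e.g., ping -t 1 google.com
    • -s <size>: Specify the packet size in bytes (Linux/macOS; Windows uses -l <size>). e.g., ping -s 1000 google.com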
  • traceroute/tracert:

    • -m <max_hops>: Set the maximum number of hops (traceroute; tracert uses -h <max_hops>). e.g., traceroute -m 20 google.com
    • -w <timeout>: Set the timeout for each hop in seconds (traceroute; tracert -w takes milliseconds). e.g., traceroute -w 2 google.com
    • -I: Use ICMP instead of UDP (traceroute). e.g., traceroute -I google.com
    • -d: Do not resolve hostnames (tracert). e.g., tracert -d google.com
  • netstat:

    • -a: Show all connections (listening and non-listening). e.g., netstat -a
    • -n: Do not resolve hostnames. e.g., netstat -an
    • -t: Show TCP connections. e.g., netstat -at
    • -u: Show UDP connections. e.g., netstat -au
    • -r: Display the routing table. e.g., netstat -rn
    • -i: Display interface statistics. e.g., netstat -i
  • ss:

    • -l: Show listening sockets. e.g., ss -l
    • -t: Show TCP sockets. e.g., ss -t
    • -u: Show UDP sockets. e.g., ss -u
    • -n: Do not resolve service names. e.g., ss -n
    • -p: Show the process using the socket. e.g., ss -p
    • -a: Show all sockets. e.g., ss -a
  • ip:

    • ip addr show: Display IP addresses.
    • ip link show: Display network interfaces.
    • ip route show: Display routing table.
    • ip addr add <address>/<prefix> dev <interface>: Add an IP address to an interface.
    • ip link set <interface> up: Bring an interface up.
    • ip link set <interface> down: Bring an interface down.
  • ifconfig:

    • <interface> <address>: Assign an IP address. e.g., ifconfig eth0 192.168.1.100
    • up: Bring an interface up. e.g., ifconfig eth0 up
    • down: Bring an interface down. e.g., ifconfig eth0 down
    • netmask <netmask>: Set the netmask. e.g., ifconfig eth0 netmask 255.255.255.0
    • broadcast <broadcast_address>: Set the broadcast address.
  • ipconfig (Windows):

    • /all: Display all configuration information. e.g., ipconfig /all
    • /release: Release the IP address for a specific adapter. e.g., ipconfig /release Ethernet
    • /renew: Renew the IP address for a specific adapter. e.g., ipconfig /renew Ethernet
    • /flushdns: Flushes the DNS resolver cache. e.g., ipconfig /flushdns
  • route:

    • add: Add a route. e.g., route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.1.1 (Linux)
    • del: Delete a route. e.g., route del -net 10.0.0.0 netmask 255.255.255.0 (Linux)
    • print: Print the routing table (Windows). e.g., route print
  • tcpdump:

    • -i <interface>: Specify the interface to listen on. e.g., tcpdump -i eth0
    • -n: Do not resolve hostnames. e.g., tcpdump -n
    • -nn: Do not resolve hostnames or port names. e.g., tcpdump -nn
    • -v: Verbose output. e.g., tcpdump -v
    • -vv: More verbose output. e.g., tcpdump -vv
    • -w <file>: Write captured packets to a file. e.g., tcpdump -w capture.pcap
    • -r <file>: Read packets from a file. e.g., tcpdump -r capture.pcap
    • port <port_number>: Filter traffic by port. e.g., tcpdump port 80
    • src <host>: Filter traffic by source host. e.g., tcpdump src 192.168.1.100
    • dst <host>: Filter traffic by destination host. e.g., tcpdump dst 192.168.1.200
    • tcp: Filter TCP traffic. e.g., tcpdump tcp
    • udp: Filter UDP traffic. e.g., tcpdump udp
    • icmp: Filter ICMP traffic. e.g., tcpdump icmp
  • mtr:

    • -n: Do not resolve hostnames. e.g., mtr -n google.com
    • -r: Report mode (prints a summary after a fixed number of pings). e.g., mtr -r google.com
    • -c <count>: Number of pings to send in report mode. e.g., mtr -r -c 10 google.com
  • nslookup/dig:

    • <hostname>: Query for the IP address of a hostname. e.g., nslookup google.com
    • <IP address>: Query for the hostname associated with an IP address (reverse lookup). e.g., nslookup 8.8.8.8
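    • -type=<record_type>: Specify the type of DNS record to query (e.g., A, MX, TXT) with nslookup; dig takes the record type as an argument. e.g., nslookup -type=MX google.com or dig google.com MX
    • @<dns_server>: Specify the DNS server to use (dig; nslookup takes the server as a second argument). e.g., dig @8.8.8.8 google.com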
  • pathping (Windows):

    • -h <max_hops>: Maximum number of hops to search for the target. e.g., pathping -h 30 google.com
    • -g <hostlist>: Loose source route along the host list. e.g., pathping -g 192.168.1.1 10.0.0.1 google.com
    • -p <period>: Wait period in milliseconds between pings. e.g., pathping -p 200 google.com

5. Advanced Usage

  • Using tcpdump to capture specific types of traffic and save to a file for later analysis:

    sudo tcpdump -i eth0 -w capture.pcap '(tcp port 80 or tcp port 443) and host 192.168.1.100'

    This captures HTTP and HTTPS traffic to/from 192.168.1.100 on interface eth0, saving the output to capture.pcap.

  • Combining ip route and ping to test connectivity through a specific route:

    sudo ip route add 10.10.10.0/24 via 192.168.1.2 # Add a route
    ping -c 3 10.10.10.1 # Ping a host on the new route
    sudo ip route del 10.10.10.0/24 via 192.168.1.2 # Remove the route
  • Using ss to find the process listening on a specific port:

    ss -lntp 'sport = :80'

    This finds the process listening on TCP port 80.

  • Using mtr in report mode to diagnose intermittent network issues and save the output:

    mtr -r -c 100 google.com > mtr_report.txt

    This runs mtr in report mode, sending 100 pings to google.com, and saves the output to mtr_report.txt for later analysis.

  • Using dig to troubleshoot DNS issues and verify DNSSEC validation:

    dig +trace google.com # Trace the DNS resolution process
    dig +dnssec google.com # Request DNSSEC records (RRSIG); the ad flag in the reply header means the resolver validated the answer
  • Using tcpdump to capture DNS queries:

    sudo tcpdump -i any port 53

6. Troubleshooting Scenarios

  • Scenario: Cannot reach the internet.

    1. Check basic connectivity: ping 127.0.0.1 (loopback). If this fails, the network stack is broken.
    2. Check gateway reachability: ping <gateway_ip>. If this fails, the gateway is down or unreachable. Verify physical connectivity (cables, lights on the router).
    3. Check DNS resolution: ping google.com. If this fails, but ping 8.8.8.8 works, there’s a DNS problem. Check your DNS server settings.
    4. Trace the route: traceroute google.com or tracert google.com. This can identify where the connection is failing.
    5. Check routing table: ip route show (Linux), route print (Windows) or netstat -rn (macOS). Make sure a default route is present. If not, add one: sudo ip route add default via <gateway_ip> (Linux) or route add 0.0.0.0 MASK 0.0.0.0 <gateway_ip> (Windows).
  • Scenario: Slow network performance.

    1. Identify the bottleneck: Use traceroute or mtr to see where latency is high.
    2. Check interface statistics: netstat -i or ifconfig (Linux/macOS) or ipconfig /all (Windows) to look for errors, dropped packets, or high utilization.
    3. Capture traffic: tcpdump to analyze network protocols and identify chatty applications.
    4. Check gateway performance: Ping the gateway and monitor latency and packet loss.
  • Scenario: Routing loop.

    1. Identify the loop: traceroute will show packets bouncing between the same routers, with the same addresses repeating at successive hops. Each pass around the loop decrements the TTL until the packet expires.
    2. Examine routing tables: Check the routing tables of the involved routers for conflicting or incorrect routes.
    3. Correct routing configuration: Adjust the routing tables to eliminate the loop. This often involves static routes or dynamic routing protocol configuration changes.
  • Scenario: DNS resolution issues.

    1. Verify DNS server settings: Check the DNS server configured on the client.
    2. Test DNS resolution: nslookup google.com or dig google.com. If this fails, try a different DNS server (nslookup google.com 8.8.8.8 or dig @8.8.8.8 google.com).
    3. Flush DNS cache: ipconfig /flushdns (Windows) or sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder (macOS) or sudo resolvectl flush-caches (Linux with systemd-resolved; sudo systemd-resolve --flush-caches on older releases).
    4. Check firewall rules: Ensure that DNS traffic (port 53) is allowed through the firewall.
  • Scenario: Intermittent connectivity issues.

    1. Use mtr or pathping: These tools provide a continuous stream of ping data and can help identify intermittent problems.
    2. Check logs: Examine system logs, router logs, and firewall logs for errors or warnings.
    3. Monitor network performance over time: Use network monitoring tools to track latency, packet loss, and bandwidth utilization.
    4. Check for hardware issues: Cables, network cards, and routers can fail intermittently. Try swapping components to isolate the problem.
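The routing-loop scenario above says traceroute shows packets bouncing between the same routers. The following added example (not from the original cheatsheet) automates that check on saved `traceroute -n` output; the function names and the sample trace are constructed for illustration, and it assumes numeric IPv4 output with one address per hop.

```sh
#!/bin/sh
# Added example (not from the original page): detect a routing loop in
# `traceroute -n` output. Assumes numeric IPv4 output, one address per hop.

# Print one line per router address that answers at more than one hop:
#   <addr> hops=<hop,hop,...> period=<hops between first two sightings>
# No output means no address repeated, i.e. no loop is visible.
find_route_loop() {
    awk '
        $1 ~ /^[0-9]+$/ {                      # hop lines only; skips the header
            addr = ""
            for (f = 2; f <= NF; f++)          # first IPv4 field; tolerates "*" probes
                if ($f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { addr = $f; break }
            if (addr == "") next               # "* * *": hop did not answer
            if (addr in hops) {
                if (!(addr in period)) period[addr] = $1 - last[addr]
                hops[addr] = hops[addr] "," $1
            } else {
                hops[addr] = $1
                order[++n] = addr
            }
            last[addr] = $1
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in period)
                    printf "%s hops=%s period=%d\n", order[i], hops[order[i]], period[order[i]]
        }
    '
}

# Constructed sample: 10.0.0.1 and 10.0.0.2 point at each other for 203.0.113.10.
sample_loop_trace() {
    cat <<'EOF'
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1  0.812 ms  0.790 ms  0.765 ms
 2  10.0.0.1  4.120 ms  4.098 ms  4.077 ms
 3  10.0.0.2  5.310 ms  5.288 ms  5.260 ms
 4  10.0.0.1  6.502 ms  6.480 ms  6.455 ms
 5  * 10.0.0.2  7.701 ms *
 6  10.0.0.1  8.915 ms  8.890 ms  8.866 ms
 7  * * *
 8  10.0.0.1  11.342 ms  11.320 ms  11.301 ms
EOF
}

sample_loop_trace | find_route_loop
```

On a live host, pipe `traceroute -n <destination>` into `find_route_loop`; the routers it lists are the ones whose routing tables to examine in step 2.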

7. Output Interpretation

  • ping:

    • time=<value> ms: Round-trip time in milliseconds. Lower values indicate better latency.
    • ttl=<value>: Time To Live remaining on the reply packet: the sender's initial value (commonly 64, 128, or 255) minus the number of hops traversed. A lower TTL than usual for that host may indicate a longer path or routing issues.
    • Destination Host Unreachable: Indicates the destination host is unreachable. This could be due to a routing problem, firewall, or the host being down.
    • Request timed out: Indicates that the ping request timed out before receiving a response. This could be due to network congestion, packet loss, or a firewall.
  • traceroute/tracert:

    • Each line represents a hop in the path to the destination.
    • * * *: Indicates that a hop timed out. This could be due to network congestion, a firewall, or a router not responding to traceroute requests.
    • High latency at a particular hop indicates a potential bottleneck.
  • netstat/ss:

    • State: The state of the TCP connection (e.g., ESTABLISHED, LISTEN, TIME_WAIT).
    • Local Address: The IP address and port on the local machine.
    • Foreign Address: The IP address and port of the remote machine.
    • PID/Program name: The process ID and name of the process using the connection (requires root/administrator privileges).
  • ip route:

    • default via <gateway_ip>: The default gateway. All traffic destined for networks not explicitly listed in the routing table will be sent to this gateway.
    • <network>/<prefix> dev <interface>: A route to the specified network through the specified interface.
  • tcpdump:

    • The output shows the contents of each captured packet. Analyzing this output requires knowledge of network protocols. Wireshark provides a more user-friendly interface for analyzing packet captures.
  • mtr:

    • Loss%: Percentage of packets lost at each hop.
    • LnkID: Link ID
    • Snt: Number of packets sent
    • Last: Round-trip time for the last packet
    • Avg: Average round-trip time
    • Best: Minimum round-trip time
    • Wrst: Maximum round-trip time
    • StDev: Standard deviation of round-trip times.
  • nslookup/dig:

    • Address: The IP address associated with the hostname.
    • Non-authoritative answer: Indicates that the DNS server is not authoritative for the domain.
    • ANSWER SECTION: Shows the DNS records returned for the query.

8. Security Considerations

  • tcpdump: Capturing network traffic can expose sensitive data, such as passwords, authentication tokens, and confidential information. Use tcpdump with extreme caution and only capture traffic when necessary. Encrypt sensitive traffic whenever possible. Store capture files securely and delete them when they are no longer needed.
  • Adding static routes: Incorrectly configured static routes can disrupt network connectivity and create security vulnerabilities. Carefully plan and test any static route changes before implementing them in a production environment. Avoid adding static routes that conflict with dynamic routing protocols.
  • Modifying firewall rules: Incorrectly configured firewall rules can expose services to unauthorized access or block legitimate traffic. Carefully review and test any firewall rule changes before implementing them in a production environment. Follow the principle of least privilege and only allow the necessary traffic.
  • Using network monitoring tools: Network monitoring tools can provide valuable insights into network performance and security, but they can also be used to collect sensitive data. Implement appropriate security measures to protect network monitoring data from unauthorized access.
  • Remote Access: Securely configure remote access to network devices (routers, switches, firewalls) to prevent unauthorized access and configuration changes. Use strong passwords, multi-factor authentication, and encrypted protocols (e.g., SSH).
  • Monitor for Rogue DHCP Servers: Implement DHCP snooping on switches to prevent rogue DHCP servers from assigning incorrect IP addresses and gateway information.
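A host-side complement to the static-route and rogue-DHCP items above, as an added example that is not part of the original cheatsheet: it reads `ip route show` output (the format shown in section 3) and flags any next hop that is not on a list of gateways you expect. The function name, verdict labels and sample table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit `ip route show` output
# against the gateways you expect. Function name and verdict labels are
# illustrative choices.

# usage: ip route show | audit_next_hops <expected_gw> [<expected_gw> ...]
# Prints one line per route that uses a gateway, then a summary line if the
# table has no default route or more than one.
audit_next_hops() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF {
            dest = $1; via = ""; dev = "-"; proto = "-"
            for (f = 1; f < NF; f++) {
                if ($f == "via") via = $(f + 1)
                else if ($f == "dev") dev = $(f + 1)
                else if ($f == "proto") proto = $(f + 1)
            }
            if (dest == "default") defaults++
            if (via == "") next                # on-link route: no gateway to check
            verdict = (via in ok) ? "OK" : "UNEXPECTED"
            printf "%s %s via %s dev %s proto %s\n", verdict, dest, via, dev, proto
        }
        END {
            if (defaults == 0) print "NO_DEFAULT_ROUTE"
            else if (defaults > 1) printf "MULTIPLE_DEFAULTS %d\n", defaults
        }
    '
}

# Constructed sample: a second DHCP server has handed wlan0 a different gateway.
sample_routes() {
    cat <<'EOF'
default via 192.168.1.66 dev wlan0 proto dhcp src 192.168.1.100 metric 600
default via 192.168.1.1 dev eth0 proto static metric 700
10.0.0.0/24 via 192.168.1.1 dev eth0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.100
EOF
}

sample_routes | audit_next_hops 192.168.1.1
```

The proto field in each line shows whether the route came from DHCP, a static entry or the kernel, which narrows down where an UNEXPECTED gateway was introduced.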

9. Platform Differences

  • Linux: Uses ip (modern) and ifconfig (legacy) for interface configuration, route for routing table manipulation, ss (modern) and netstat (legacy) for network statistics. Requires sudo for many commands.
  • Windows: Uses ipconfig for interface configuration, route for routing table manipulation, netstat for network statistics, pathping instead of mtr. Requires administrator privileges for many commands. Uses tracert instead of traceroute.
  • macOS: Uses ifconfig (BSD-style) for interface configuration, netstat for network statistics, and similar command syntax to Linux for many commands. traceroute is preinstalled. ip is not a default command, but can be installed via brew install iproute2mac.
  • Packet capture: tcpdump is available on Linux and macOS. On Windows, you can use Wireshark (which includes dumpcap, a command-line packet capture tool).

This cheatsheet provides a foundation for troubleshooting routing and gateway problems. Remember to always consult the documentation for specific tools and commands for more detailed information. Always exercise caution when making changes to network configurations, and test changes in a non-production environment before deploying them to production.