Network Tracer
Download TRACE.ZIP

Introduction Purposes What It Finds Disclaimer Install & Use Notes Glossary


TRACE.BAT is an MS-DOS batch process which uses standard network query utilities to work up a handy report on a given Internet address. It does so automatically and fairly quickly, in a simple format and in a logical sequence. It provides a report in plain text which it opens in Notepad when done. It gives some screen feedback while in process.

All the user needs is one of the following: an IP address, a hostname, an email address or a URL.

Because the Tracer performs extended domain registration lookups, encompassing the shared .COM, .NET and .ORG registries and more than 70 countries, it is a sort of super-WHOIS utility.

It runs easily and quickly from the desktop Run dialog, and requires no familiarity with MS-DOS.

TRACE.BAT works with Windows 95, Windows 98 and Windows ME.

NT Version

I have not adapted the Tracer to NT, but someone else has. Simon Daykin of Byte-Sized.com sent me an NT-adapted Tracer 'way back in November '99. I provide here a copy of that modified version, which reportedly functions well. I should have posted it long ago (it's now October 2000; I never carried out my own plan to adapt the script, which plan was the reason I didn't publish Simon's version). I apologize to the many NT users who might have benefited by Simon's work.

I can't promise any kind of support of this version, and I'm reluctant to takeon the task of maintaining it with updates as I do the Win9x Tracer. But I'll take an interest in any problems and I'll do whatever I reasonably can. I'd particularly be interested to know if it works under Windows 2000. I suspect it will, since Win2K is basically a version of NT.

Users of the NT Tracer must first install the regular Tracer, omitting only NSLOOKUP.EXE (NT has its own); then replace the file trace.bat with traceNT.bat (which I advise renaming to trace.bat). I look forward to hearing how it performs.


(Note: there's a glossary of terms below.)

Over the years, in my efforts to better understand the workings of the Net, I gradually became familiar with a number of the longtime-standard command-line tools that reveal the nuts and bolts of the Internet. With names like PING, WHOIS, NSLOOKUP, and TRACEROUTE, these tools allow one to peek into basic network functions and structure. I refer to them as "network query utilities" because that's what they do. In a variety of ways, they ask systems and servers on the network for information.

And information they do receive. It's often amazing to people just how much the Net will reveal about itself if one only asks.

Most of my early experience with such utilities was on a Unix shell account. *nix users have practically always had lots of good network tools available. But finding implementations of those programs for use under Windows was a real challenge even just a few years ago.

With the arrival of Windows 95 the situation improved; but though a few decent network query utilities exist in all Windows 9x installations, they are generally unknown to the average user and most of them are DOS-based. Nowadays, Windows users usually haven't the first clue how to use the totally textual DOS command-line interface. The upshot of it is, where their network's nuts and bolts are concerned, Windows users have generally been left out in the cold and dark.

But with time, practically every useful Unix network tool has been adapted to DOS. My many searches of the Net have gradually yielded a fine collection of these powerful, simple tools.

Bringing The Tools Together

MS-DOS has a handy "batch" language of its own which allows the use of scripts to execute a series of DOS commands. This has particular advantages where a collection of text-based programs is concerned; it allows a degree of integration of otherwise disconnected processes.

Somewhere early on, I began producing batchfiles to make my own use of the various network query tools more convenient.

Things really fell into line when I found an excellent NSLOOKUP (Name Server Lookup) tool in BINDNT. Though a bit arcane, NSLOOKUP is a very powerful tool where IP networking is concerned. It wasn't long before I had put together a number of batchfiles that took advantage of NSLOOKUP, some in conjunction with other utilities such as WHOIS.

Finally I decided to come up with something really comprehensive; a batch process that would assemble information from every network query type I could muster up, and deliver the lot to the Windows desktop in a textfile. This Tracer was the result. Augmented and adapted many times, it grew into a utility I could hardly do without.

What makes the Tracer special? Except for its unique vendor code lookups and its extensive coverage of country domains -- nothing much! It's using utilities that are very ordinary to most professionals, and it's a batchfile of all things, which isn't exactly whizbang high-tech programming. The key is that it brings it all together in a single report and using one simple command.

Use of the Tracer is almost ridiculously easy. One types "trace [address]" in the Run dialog while online; without further ado it does all it can with the address, and then up pops Notepad with the results.

I realized anyone at all could now use it. It was time to let others in on the fun.

What The Tracer Is For

A few uses for the Network Tracer:

What The Tracer Finds

If the user-provided address is an email address or a URL, TRACE.BAT will attempt to extract the IP address or hostname portion, and will then restart itself using that address as its point of reference.

TRACE.BAT uses PING to firmly establish the validity of the user-provided name or address. PING will also reveal whether the address is occupied by a responding system. In the process, if given an IP address in a format other than dotted-decimal, the Tracer takes advantage of PING's ability to convert that address to the dotted-decimal format (nnn.nnn.nnn.nnn).

If a Win9x machine is online at the address, and if your machine is set up to use NetBIOS over TCP, TRACE will often obtain a NetBIOS name table. The name table often reveals specifics about the computer and/or its user. NT machines and other platforms may also support NetBIOS.

The MAC address of a NetBIOS host reveals information about the hardware (network adapter) in use on that machine. A lookup table has been incorporated into TRACE.BAT which identifies the adapter if possible. This particular feature is, so far as I know, completely unique to this utility. To implement this lookup, I had to create what I believe is the single most extensive listing of vendor codes in public existence. At this writing, it's still a work in progress.

If TRACE.BAT sees a NetBIOS server listed in the remote name table, it will attempt to use the net view command to retrieve a listing of the resources shared by the remote machine. The list can be interesting and may reveal still more about that system and its user, by way of the names and comments assigned to the shared resources. (Many, probably most Windows machines aren't configured to use this feature, but there's a good chance it will work for you if your system is on a LAN.)

Occasionally you may encounter shared files which the remote user intentionally leaves open to access; but if there's any doubt, I caution you not to attempt to access remote shares without permission. The Tracer is not intended to facilitate intrusions. For more on NetBIOS and sharing, see: http://www.nwi.net/~pchelp/security/issues/sharing.htm.

NSLOOKUP is used to identify the IP address of a name and vice versa. The name info so obtained usually identifies the domain name associated with a given address. Lookups are done both ways (address-to-name and name-to-address) in order to spot forged and bogus names. If reverse DNS shows a discrepancy, it is noted. See definitions below.

If a name is found for the address (or initially provided), the domain name portion of the hostname is is parsed and any available domain registration record is looked up using the WHOIS utility.

The whois server at the Network Abuse Clearinghouse is consulted for an abuse contact address; if one is found it is noted in the report.

The new competitive registry scheme adds some complications to WHOIS lookups of domains in the shared TLDs (top level domains). But TRACE.BAT deals with it. The Network Solutions database is checked first in the interest of efficiency; the vast majority of domains are still listed there. If no domain record is found in the Network Solutions database, TRACE.BAT will identify the applicable registry, if any, using the NSI Registry database at whois.crsnic.net; and repeat its query using that registry's server. (This makes the Tracer quite useful to verify the availability of a desired name.)

Because of the large number of WHOIS servers/databases that must be consulted in order to retrieve records on the various country domains and other top-level domains (TLDs), implementing domain lookup fully has proven to be a real challenge. It's been a slow process to install support for each and every country domain; the server address and the query format must be found for every individual TLD. There exist few resources which assemble this information in one place, and none of them is fully complete or current. There are about 250 top-level domains. The list of the Tracer's supported domains is constantly growing.

Where a standard WHOIS server is not available for a supported domain, usually there is a WHOIS gateway (web page) available at the website of the applicable Network Information Center (NIC). If such a gateway exists, the URL of the gateway is provided in the trace report and in console feedback. Where a suitable URL can be constructed, TRACE.BAT will helpfully open the applicable record in your default browser.

The ARIN database is queried, which will identify the entity(ies) to which the IP address is registered. This may not identify the domain name owner but it will locate the domain's upline provider(s).

IP addresses falling outside the ARIN regions (ARIN generally covers North and South America and sub-Saharan Africa) are on record in either the European RIPE database or in the APNIC (Asia Pacific) database. As appropriate, these are queried.

Using Netcat, the Tracer then performs RWHOIS queries for information about the IP address. This usually yields the same information as the ARIN/RIPE/APNIC queries described above, just in a different format. But on occasion it will find useful additional information.

As a final step, a traceroute is performed, which will sometimes help to identify the domain associated with an address, and/or its physical location. This is particularly useful if the name server lookups were unsuccessful.

(There is more the Tracer could do, and I'm considering several additions. And by the way, it changes constantly. If you wind up using it frequently, I strongly recommend you obtain the latest version at intervals.)

How Long It Takes

Domain-only queries typically take about 15 seconds. Except for the traceroute, the full "trace" usually requires only a little more than 30 seconds. Including the traceroute (which can be optionally excluded or interrupted manually), TRACE.BAT usually does its work in one or two minutes. Delays or failures may sometimes happen during any of the queries. Traceroute is typically the slowest query and can occasionally require many minutes. Start and finish times are logged.

The Tracer pauses when finished, offering the user 10 seconds to accept or decline the display of its report. Given no response, it will open Notepad with the text.


NOTICE: No warranty is expressed or implied. You use TRACE.BAT entirely at your own risk.

TRACE.BAT is virtually incapable of doing significant damage under any circumstances and it is unlikely to malfunction in any serious way; but no computer process is ever completely foolproof.

TRACE.BAT may fail, partially or entirely, to obtain the desired information due to network congestion, remote system failures, dropped connections, user attitude, house fires, sabotage, teenagers, whimsy, my stupid mistakes, or any number of other causes, real or imagined. You agree to endure all failures with infinite patience.

Polite complaints will be received with interest, all others will be ignored or met with sarcasm.

The Tracer's process relies on tools over which I have no direct control. Those tools must be present and correctly functional. For your information, they are:

You don't have to retrieve any of these items. The freeware .EXE's are included with TRACE.BAT in TRACE.ZIP.

Other tools similar to the included ones might work and they might not.

It might or might not work on later Windows versions than 95/98. Reports indicate that it works well under WinME.

TRACE.BAT does not presently work on NT. I don't have an NT box and so haven't been able to make rapid progress adapting to that platform. There are some differences in NT's handling of certain batch commands. CHOICE.EXE is apparently absent in most NT systems, but available in the NT Resource Kit. NT's own NSLOOKUP seems to work OK. At this point I believe I have most of the information I need to make TRACE.BAT usable on NT, but it's going to take some more time. I welcome further input from NT users, and I heartily thank those who've already contributed a great deal, especially Nils and Simon.

The Tracer creates temporary files, and capture files which are retained, using a directory (folder) and filenames which are unlikely to be used by any other application. Only in the extremely unlikely event of a folder and filename collision could it cause data loss. In that event, it may remove, overwrite or alter an existing file.

Use of the Tracer sometimes shocks the hell out of someone you traced, who naÔvely believed him/herself to be entirely anonymous or invisible. You agree to accept full responsibility for all consequences, including resuscitation of the victim, time wasted convincing the poor sod you're not a hacker, and the slow, painful restoration of confidence following shattered illusions. You further agree to publicly assign me full credit each time the Tracer helps you cure some insufferable creep of the belief he could lie to people, cheat them, insult them, or abuse their mailboxes or computers, without being held personally responsible.

Such is the price you pay for free software.

Installation And Use

Place TRACE.BAT and its companion files (the whole contents of TRACE.ZIP) in the Windows directory. That's directly in the Windows directory (folder). Not in a sub-folder or anywhere else.

If you have no utility that opens .ZIP archives, I recommend Winzip, available at www.winzip.com. But if you have PKUNZIP.EXE anywhere on your system (many people do, as it accompanies any number of applications unannounced), and if you know how to use a DOS command line, that's all you should need.

To run a trace from Windows, simply click on Start ... Run ... and in the resulting dialog box, type:

trace [Address]

Then hit Enter. A DOS window will open and display progress details as TRACE.BAT works. Then Notepad will open, displaying the report. The DOS window will close.

Some Tips:

TRACE.BAT    --*#  PCHelp's Network Tracer  #*--    _ 1999, 2000

SYNTAX:  TRACE Address [-n] [-t] [-d] [-s] [-x]
    OR:  TRACE setnameserver Address

Where      Address = an IP address in any format;
                     or, a valid hostname;
                     or, an email address;
                     or, a URL.
           -n = skip NetBIOS queries
           -t = skip Traceroute
           -d = perform domain record lookup only
           -a = skip abuse.net query during domain lookup
           -s = suppress capture file display
           -x = no trace if previously done
setnameserver = reconfigure the NSLOOKUP Name Server to Address
      checkns = verify function of current nameserver

Examples (try 'em):  trace -a -n -t
                     trace abcnews.go.com
                     trace http://www.state.nh.us/nhdoj/ -n -t

Read TRACE.BAT in any text editor for further information.

A Few Notes

Although the Tracer does accept URLs and email addresses, it extracts and traces only the hostname or IP address; the username in an email address is not traced, nor are any other parts of a URL.

The Tracer's reports are retained in the directory c:\misc\trace with filenames in the form of: [IPAddress].txt. The directory (folder) is created if it doesn't exist already. If there is no known IP address, the filename of the capture file will be [name].txt using whatever name you entered. The same applies when the -d option is used. If no IP address and no domain name record is found, the textfile, presumably useless, is deleted. If any useful information is found, the file is retained. Be aware that over time a very large number of files could accumulate in this directory.

If a former trace of the same IP address exists, the existing text is immediately opened in Notepad for the user's reference. Meanwhile (unless the -x option is used) the new trace continues, appending its results to the file. When done, it will open the updated capture file in a new Notepad window. (It's then necessary to scroll down to see the new trace.)

Date and time are recorded in the capture file, including start and finish times. Multiple traces of a name or address can therefore produce a useful record of changes.

It is possible to do multiple simultaneous traces. I specifically adapted TRACE.BAT for this purpose. Its several temporary files are named uniquely using the hundreths-of-seconds digits of the time it starts; so collisions of two simultaneous traces are a mere 1-in-100 probability; even less likely, in fact, since there are only brief moments when use of the same filenames would be a problem. However: two simultaneuous traces of the same address will collide because they'll use the same capture file. The result of any such collisions will be error messages and a likelihood of a damaged or incomplete report; nothing more serious than that.

If interrupted, TRACE.BAT may leave temporary files in its folder. They harm nothing, and consume little space. All start with the symbol $ so they percolate to the top of a sorted listing and are easily deleted. Once in a long while, TRACE.BAT will clean these up on its own, using a secret process known only to God and people who read the batchfile.

TRACE.BAT uses environment variables. These are data stored by MS-DOS in a limited memory space. In most Windows systems, DOS environment variables aren't heavily used, but if they are, sometimes there's not enough memory allocated for storage of the Tracer's many variables. In order to avoid this problem, the batchfile creates a new instance of command.com with an environment of ample size. Even so, it checks at a variety of points to be sure variables have been successfully stored, and will usually alert the user if there's any problem.

For some of its functions, TRACE.BAT must be located in the Windows directory, as defined by the %windir% variable. If it's not found there, TRACE.BAT will attempt to place a copy of itself in that directory.

To interpret results, TRACE.BAT relies on searches for, and handling of, certain texts in the responses output by the various utilities it runs. Because this output varies, it is possible you may see errors or misinterpretations on rare occasions. Name servers vary especially widely in their responses, so this is more likely with name server lookup data than with anything else.

If a name rather than an IP address is initially provided to TRACE.BAT, the name's IP address is resolved, the name is stored as a variable, and TRACE.BAT is restarted using the IP address as its principal point of reference. In such a case, the name may sometimes be an alias, but it will be a valid hostname, not a forged or bogus name assignment. That user-provided name, rather than any canonical or primary name associated with the address, will then be the basis of the domain name record lookup. Because of this, you may find it useful to do additional queries for the domain records of other name(s) you may find listed in the report. Simply run TRACE.BAT again using the canonical name with the -d option; or using the IP address alone.

TRACE.BAT will attempt to look up a domain name record, even if the name server lookup yields no IP address. It will attempt to parse whatever hostname is provided by the user to extract the domain name portion. So even an improbable or nonexistent hostname like flibberdegibbet.microsoft.com will yield a domain registration record if it uses a valid domain name. This parsing of the name will still occur if the -d parameter is used.

Unless it's performing a domain-record-only lookup (using the -d switch), TRACE.BAT will PING the address; this is not merely done to find a live remote system; it's also necessary to check for a valid address. Anyone at that address with a firewall will be able to see that you pinged their system. Also, NBTSTAT contacts the remote system for its NetBIOS nametable. Using the -n parameter will disable NBTSTAT activity but the ping will still occur. So if you're trying to be stealthy, just don't use TRACE.BAT.

The batchfile is heavily commented. Everything it does is wide open to inspection, and for the most part it's painstakingly explained. For those interested in MS-DOS batch programming, it's probably full of interesting tidbits.

For those who aren't into the technical aspects, TRACE.BAT is still fairly readable and may prove enlightening. I invite you to take a look, using Wordpad or any plain-text editor (it's too big for Notepad).

If you decide to modify the batchfile, fine; but please do so only for your own use; don't remove my copyright notice; and include comments that indicate what changes were made and by whom. Also, Do not distribute an altered TRACE.BAT. If you think I should change something, let me know. If I use your idea, I'll give you credit.

I would appreciate all possible input from users of this utility. Please email me anytime and tell me how it's working for you. I welcome suggestions.

TRACE.BAT is likely to be revised or updated at any time without notice. Only the version I offer at http://www.pc-help.org/trace/trace.zip is current and it is distributed nowhere else. Please update your copy and try the latest version before you notify me of bugs. See the bottom of this page for the date of last revision.

The Network Tracer is copyright © 1999 by pchelp.

Although TRACE.BAT is offered free of charge, I reserve all rights to its content and distribution. I forbid the distribution of any altered version without express permission in writing. I forbid its sale at any price, and I remind the user that TRACE.BAT utilizes software applications produced by others which carry their own terms. Please respect their wishes and mine. I offer no warranty but will make every effort to attend to users' input and to improve the utility.

Download TRACE.ZIP


NetBIOS      Network Basic Input Output System.  A type
             of basic networking.  It's built into 
             Microsoft's Windows and NT operating
             systems, usually implemented by default on
             their network connections.

MAC ADDRESS  Media Access Control Address.  Also called
             a "hardware address."  A 12-digit hexa-
             decimal number which identifies network
             devices and is used in NetBIOS networking
             to differentiate among networked machines.
             The first 6 digits of this number comprise
             a vendor-specific code which identifies the
             manufacturer of the network interface
             device.  The remaining digits are unique to
             that particular copy of the device.
             Sometimes MAC numbers are under software
             control and are therefore rendered
             irrelevant to the hardware.

IP ADDRESS   Internet Protocol Address.  A unique number
             which is assigned to a specific computer
             system on an IP network. Usually seen in
             "dotted-decimal" format, such as:

INTERNET PROTOCOL  The set of technical standards on
             which the Internet's networking is based.
             It defines the methods of data transmission
             and the addressing scheme by which computers
             "find" one another.

NAME SERVER  A computer system necessary to IP networking,
             which retrieves, stores, and passes on name,
             address, and related information.  There are
             thousands of name servers on the Internet.

NSLOOKUP     Name Server Lookup.  An IP networking
             utility which queries name servers to
             correlate names to IP addresses and to
             fetch related information.

DNS          Domain Name System.  This is the "distributed
             database" which associates human-readable
             names with IP addresses and related informa-
             tion, allowing computers to find one another
             on the Net using names recognizable to their
             human users.

REVERSE DNS  The usual "forward" use of DNS is to find the
             address for a name.  Reverse DNS (rDNS) goes
             the other way; it asks the specific server
             associated with an address for the name _it_
             assigns to that IP address.  Name-to-address
             information comes from a centralized source.
             Address-to-name information comes from name
             servers under localized control.

FORGED NAME  When a reverse DNS lookup produces a name, one
             can then consult the presumably correct and
             authoritative DNS system for the name's IP
             address.  If this shows a different address
             for the name than the remote server provided,
             the name is "forged."  This is usually an error
             or an outdated record, but it can sometimes be
             a deliberate forgery.  It will usually affect
             only those who rely on the errant name server.

BOGUS NAME   Like a forged name, but a DNS lookup of the
             name fails to find any address.  It could be
             intentional or an error.  It's a common

WHOIS        A standard which implements online access to
             database-type information.  It is used by
             most of the various IP allocation and domain
             registration organizations to provide DNS
             information, as well as by some businesses
             and universities for user directories.

RWHOIS       Referral WHOIS.  An extension of the WHOIS
             standard.  RWHOIS servers provide referrals to
             other servers.  The scheme allows for expanded
             access to numerous databases.  Presently it is
             most useful to find network number assignments
             and domain records in the generic TLDs.

ARIN         American Registry for Internet Numbers.  One
             of the three regional Internet registries
             which control IP address block assignments.
             The other two are RIPE and APNIC.

RIPE         Reseaux IP Europeens (European IP Networks)
             "RIPE provides technical and administrative
             coordination for IP networking in Europe."

APNIC        Asia Pacific Network Information Centre

TRACEROUTE   An IP network utility which identifies
             machine names and addresses along the path
             between two points on the network, and
             gauges response times.

Supported domains*

In alphabetical order:

AC	Ascension Island
AD	Andorra
AE	United Arab Emirates
AF	Afghanistan
AI	Anguilla
AL	Albania
AM	Armenia
AR	Argentina
AS	American Samoa
AT	Austria
AU	Australia
BA	Bosnia and Herzegowina
BD	Bangladesh
BE	Belgium
BG	Bulgaria
BH	Bahrain
BR	Brazil
BT	Bhutan
CA	Canada
CC	Cocos (Keeling) Islands
CH	Switzerland
CN	China
COM	(Generic:  Commercial)
CR	Costa Rica
DE	Germany
DK	Denmark
DO	Dominican Republic
DZ	Algeria
EC	Ecuador
EDU	(Generic:  Educational Institution)
EG	Egypt
FI	Finland
FR	France
GOV	(Generic:  US Government)
GR	Greece
GU	Guam
HK	Hong Kong
ID	Indonesia
IE	Ireland
IN	India
INT	(Generic:  International)
IS	Iceland
IT	Italy
JP	Japan
KR	Korea, Republic of
KZ	Kazakhstan
LB	Lebanon
LI	Liechtenstein
LK	Sri Lanka
LU	Luxembourg
MD	Republic of Moldova
MIL	(Generic:  US Military)
MM	Myanmar
MN	Mongolia
MO	Macau
MX	Mexico
MY	Malaysia
NC	New Caledonia
NET	(Generic:  Networks)
NG	Nigeria
NL	Netherlands
NO	Norway
NZ	New Zealand
ORG	(Generic:  Organizations)
PF	French Polynesia
PG	Papua New Guinea
PH	Philippines
PK	Pakistan
PR	Puerto Rico
PT	Portugal
RU	Russian Federation
SE	Sweden
SG	Singapore
SO	Somalia
ST	Sao Tome and Principe
TH	Thailand
TJ	Tajikistan
TM	Turkmenistan
TW	Taiwan, Republic of China
UK	United Kingdom
US	United States
VN	Viet Nam
WS	Samoa
ZA	Republic of South Africa
ZW	Zimbabwe

*By "supported" is meant, all possible support has been provided:

Last updated 18 December 2000
TRACE.BAT update status:

Download TRACE.ZIP