Network Netsh Communication Networking
Contents
Netsh Overview
Network communications technologies that provide netsh functionality
Features and other network communications technologies
Netsh Commands for All Contexts
Netsh Commands for Windows Firewall with Advanced Security
Netsh Commands for Network Bridge
Netsh Commands for Dynamic Host Configuration Protocol client
Netsh Commands for Windows Firewall
Netsh Commands for Hypertext Transfer Protocol (HTTP)
Netsh Commands for Interface (IPv4 and IPv6)
Netsh Commands for Interface 6to4
Netsh Commands for Interface Internet Protocol version 4 (IPv4)
Netsh Commands for Interface Internet Protocol version 6 (IPv6)
Netsh Commands for Interface ISATAP
Netsh Commands for Interface Portproxy
Netsh Commands for Interface Transmission Control Protocol
Netsh Commands for Interface Teredo
Netsh Commands for Internet Protocol Security (IPsec)
Netsh Commands for Wired Local Area Network (LAN)
Netsh Commands for NAP Client
Netsh Commands for Network Input Output (NETIO)
Netsh Commands for Peer-to-peer Networking (P2P)
Netsh Commands for Remote Access
Netsh Commands for Remote Procedure Call (RPC)
Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)
Netsh Commands for Windows Sockets (WINSOCK)
Netsh Commands for Wireless Local Area Network (WLAN)
Netsh Overview
Network shell (netsh) is a command-line utility that allows you to configure and display the status of various network communications server roles and components after they are installed on computers running Windows Server® 2008.
Some client technologies, such as Network Access Protection (NAP) client, also provide netsh commands that allow you to configure client computers running Windows Vista®.
In most cases, netsh commands provide the same functionality that is available when using the Microsoft Management Console (MMC) snap-in for each server role or component. In addition, there are netsh commands for network functionality, such as for IPv6, network bridge, and remote procedure call (RPC), that are not available in the user interface as an MMC snap-in.
You can use netsh commands to configure and display the status of network components on the local computer and on remote computers.
In addition, netsh commands can be run manually by typing commands at the netsh prompt and they can be run in batch files and scripts.
Netsh commands are organized in a hierarchy of contexts. Each network technology with netsh command functionality has its own context. For example, the netsh context for remote access service is ras.
Network communications technologies that provide netsh functionality
Netsh functionality is provided for some server roles, role services, features, and technologies.
Server roles and role services
The following server roles provide netsh command functionality:
The Dynamic Host Configuration Protocol (DHCP) server role. After installing the DHCP server role, you can configure the DHCP server by using the commands in the netsh dhcp context.
The Network Policy and Access Services server role. This server role provides netsh functionality for the following role services after the role services are installed:
Health Registration Authority (HRA). The context for HRA is netsh nap hra.
Network Policy Server (NPS). The context for NPS is netsh nps.
Routing and Remote Access. The contexts for Routing and Remote Access are netsh routing and netsh ras.
Features and other network communications technologies
The following features provide netsh command functionality:
Windows Internet Name Service (WINS). The context for WINS is netsh wins.
The following network communications technologies provide netsh functionality:
DHCP client. The context for DHCP client is netsh dhcpclient.
Firewall. See Windows Firewall and Windows Firewall with Advanced Security.
Hypertext Transfer Protocol (HTTP). The context for HTTP is netsh http.
Internet Authentication Service. IAS is renamed to Network Policy Server (NPS), and the context for NPS is netsh nps.
Internet Protocol version 4 (IPv4). The context for IPv4 is netsh interface ip.
Internet Protocol version 6 (IPv6). The context for IPv6 is netsh interface ipv6.
IPv4 and IPv6 network and application proxy. The context for the IPv4 and IPv6 network and application proxy is netsh interface portproxy.
Internet Protocol security (IPsec). The context for IPsec is netsh ipsec.
Local Area Network. See Wired Local Area Network.
Network Access Protection (NAP). The context for NAP client is netsh nap. In addition, NPS provides netsh commands at the netsh nps context that allow you to configure NPS as a NAP policy server.
Network Bridge. The context for network bridge is netsh bridge.
Network input output (netio). The context for netio is netsh netio.
Remote Procedure Call (RPC). The context for RPC is netsh rpc.
Windows Firewall. The context for Windows Firewall is netsh firewall.
Windows Firewall with Advanced Security. The context for Windows Firewall with Advanced Security is netsh advfirewall.
Windows HTTP. The context for Windows HTTP is netsh winhttp.
Windows Sockets (winsock). The context for Windows Sockets is netsh winsock.
Wired Local Area Network (LAN). The context for wired LAN is netsh lan.
Wireless LAN. The context for wireless LAN is netsh wlan.
The following sections provide information about the netsh commands and their use, including a comprehensive command reference with syntax and parameters for all commands.
You can use this procedure to start the network shell and enter a netsh context.
To enter a netsh context
1. Open a command prompt.
2. At the command prompt, type netsh, and then press ENTER.
3. Type one of the values from the following table, and then press ENTER.
Netsh contexts
Following are the values you can type to enter a netsh context.

Technology                                                         Context
Dynamic Host Configuration Protocol (DHCP) client                  dhcpclient
Dynamic Host Configuration Protocol (DHCP) server                  dhcp
Health Registration Authority (HRA)                                nap hra
Hypertext Transfer Protocol (HTTP)                                 http
Interface (IPv4 and IPv6)                                          interface
Internet Authentication Service (IAS); renamed Network Policy Server   nps
Internet Protocol security                                         ipsec
Network Access Protection (NAP) client                             nap
Network Bridge                                                     bridge
Network Input Output (NETIO)                                       netio
Network Policy Server (NPS)                                        nps
Remote Access                                                      ras
Routing                                                            routing
Remote Procedure Call (RPC)                                        rpc
Windows Firewall                                                   firewall
Windows Firewall with Advanced Security                            advfirewall
Windows Hypertext Transfer Protocol (WinHTTP)                      winhttp
Windows Internet Name Service (WINS)                               wins
Windows Sockets (WINSOCK)                                          winsock
Wired Local Area Network (LAN)                                     lan
Wireless Local Area Network (LAN)                                  wlan
Additional information
To enter a context, you can type only enough letters in the context name to allow netsh to uniquely identify the context. For example, to enter the winhttp context from the netsh prompt (that is, netsh>), you can type winh, and then press ENTER.
Some of these contexts are not available at the netsh prompt unless you have previously installed the server role, role service, feature, or other technology. For example, the DHCP server context netsh dhcp is not available at the netsh prompt until after you install the DHCP server role.
Many of the contexts listed above have one or more subcontexts. Subcontexts contain netsh commands that can be run only within the subcontext. For example, to run the add scope command, you must be within the server subcontext of the dhcp context:
netsh dhcp server add scope parameters
Where parameters are the properties of the scope that you can configure with the command.
Network Policy Server (NPS) was formerly known as Internet Authentication Service, and is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy, as well as a client health policy server for Network Access Protection (NAP).
Netsh Commands for All Contexts
Netsh uses the following standard commands in all contexts that you can run from a Netsh.exe command prompt (that is, netsh>).
Netsh standard commands
Following is the list of netsh commands that you can run in all netsh contexts, with the syntax of each.
add helper
Installs the helper dynamic-link library (DLL) in netsh.
Syntax
add helper DLLName
Parameters
DLLName
Required. Specifies the name of the helper DLL that you want to install.
/?
Displays help at the command prompt.
alias
Adds an alias that consists of a user-defined character string, which netsh treats as equivalent to another character string. Used without parameters, alias displays all available aliases.
Syntax
alias [AliasName] [String1 [String2 ...]]
Parameters
alias [AliasName]
Displays the specified alias.
alias [AliasName] [String1 [String2 ...]]
Sets AliasName to the specified strings.
/?
Displays help at the command prompt.
Netsh Commands for Windows Firewall with Advanced Security
Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management. This can be useful in the following situations:
When deploying Windows Firewall with Advanced Security settings to computers on a wide area network (WAN), commands can be used interactively at the Netsh command prompt to provide better performance than graphical utilities when used across slow-speed network links.
When deploying Windows Firewall with Advanced Security settings to a large number of computers, commands can be used in batch mode at the Netsh command prompt to help script and automate recurring administrative tasks that must be performed.
You must have the required permissions to run the netsh advfirewall commands:
If you are a member of the Administrators group, and User Account Control is enabled on your computer, then run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.
If you are a member of the Network Operators group, then you can run the commands from any command prompt.
If you are not a member of Administrators or Network Operators, and have not been delegated any other permissions to run this command, then you can run only those commands that display, but do not change, settings.
Netsh AdvFirewall context
The following commands are available at the netsh advfirewall> prompt. To start the advfirewall context at an elevated command prompt, type netsh, press ENTER, then type advfirewall and press ENTER.
dump
This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error. When the dump command is used from the root context, no Windows Firewall or IPsec configuration information is included in the output.
export
Exports the Windows Firewall with Advanced Security configuration in the current store to a file. This file can be used with the import command to restore the Windows Firewall with Advanced Security service configuration to a store on the same or to a different computer. The Windows Firewall with Advanced Security configuration on which the export command works is determined by the set store command. This command is the equivalent to the Export Policy command in the Windows Firewall with Advanced Security MMC snap-in.
Syntax
export [Path]FileName
Parameters
[Path]FileName
Required. Specifies, by name, the file where the Windows Firewall with Advanced Security configuration will be written. If the path, file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.
Examples
In the following example, the command exports the complete Windows Firewall with Advanced Security service configuration to the file C:\temp\wfas.wfw.
export c:\temp\wfas.wfw
import
Imports a Windows Firewall with Advanced Security service configuration from a file to the local service. The configuration file is created by using export command. This command is equivalent to the Import Policy command in the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.
Syntax
import [Path]FileName
Parameters
[Path]FileName
Required. Specifies, by name, the file from which the Windows Firewall with Advanced Security configuration will be imported. If the path, the file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command looks in the current folder for the file.
Examples
In the following example, the command imports the complete Windows Firewall with Advanced Security service configuration from the file c:\temp\wfas.wfw.
import c:\temp\wfas.wfw
reset
Restores Windows Firewall with Advanced Security to all of its default settings and rules. Optionally, it first backs up the current settings by using the export command to a configuration file. This command is equivalent to the Restore Defaults command in the Windows Firewall with Advanced Security MMC snap-in.
If the current focus of your commands is the local computer object, then the default settings and rules immediately take effect on the computer.
If the current focus of your commands is a GPO, then this command resets all policy settings in that object to Not Configured, and deletes all connection security and firewall rules from the object. Changes do not take place until that policy is refreshed on those computers to which the policy applies. To use the Netsh tool to modify a GPO rather than the local computer's configuration store.
Syntax
reset [export [Path]FileName]
Parameters
[Export [Path]FileName]
Specifies that the current configuration is backed up to the specified file before Windows Firewall with Advanced Security is reset to all default configuration settings and rules. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.
Examples
In the following example, the command exports the complete Windows Firewall with Advanced Security configuration to the file c:\Temp\wfas.wfw, and then resets the Windows Firewall with Advanced Security configuration to its default configuration settings and rules.
reset export c:\Temp\wfas.wfw
set
Configures settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.
The Set commands available at the netsh advfirewall> prompt are:
set {ProfileType}
Configures options for the profile associated with the specified network location type. Windows only uses one profile at a time, regardless of the number and types of networks to which you are connected. To see which profile is currently active on your computer, use the netsh advfirewall show currentprofile command. The set {ProfileType} command is equivalent to using the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles.
When your computer is connected to multiple networks, the profile type that Windows Firewall with Advanced Security uses is the one that is expected to be more protective of your computer. For example, if your computer is connected to both a Public network and a Domain network, then Windows Firewall with Advanced Security will use the profile associated with the Public network location type, because it is expected to contain more restrictive and protective settings than the Domain profile. The list of network location types in order of expected increasing restrictiveness is domain, private, and then public. We recommend that you maintain that expected order when you modify the profiles so that you do not unexpectedly use a less protective profile when you are connected to a less secure network location type.
Syntax
set ProfileType Parameter Value
Parameters
ProfileType
Required. Can be any one of the following:
• allprofiles
• currentprofile
• domainprofile
• privateprofile
• publicprofile
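The recommendation above, that the domain, private and public profiles stay in order of increasing restrictiveness, is easy to break with a series of set commands and worth checking before a policy is rolled out. The following Python script is an added example and is not code from this document or from Microsoft. It parses text in the layout printed by netsh advfirewall show allprofiles (a command not described on this page; the column layout assumed here, and the sample text, are constructed for the example) and reports any later profile that is less restrictive than an earlier one, as well as any profile whose firewall is off.

```python
"""Check that the Windows Firewall profiles keep the expected order of
restrictiveness: domain <= private <= public.

Added example; not code from this document or from Microsoft. It parses text in
the layout printed by 'netsh advfirewall show allprofiles' (a command not covered
on this page; the layout is an assumption and the sample below is constructed)."""
import re

# Constructed sample in the shape of 'netsh advfirewall show allprofiles' output.
SAMPLE_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
"""

ORDER = ("domain", "private", "public")          # expected increasing restrictiveness
STATE_RANK = {"OFF": 0, "ON": 1}                 # higher = more restrictive
INBOUND_RANK = {"ALLOWINBOUND": 0, "BLOCKINBOUND": 1, "BLOCKINBOUNDALWAYS": 2}


def parse_profiles(text):
    """Return {"domain": {"state": ..., "inbound": ..., "outbound": ...}, ...}."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(Domain|Private|Public) Profile Settings:", line)
        if header:
            current = header.group(1).lower()
            profiles[current] = {}
            continue
        if current is None:
            continue
        state = re.match(r"^State\s+(\S+)", line)
        if state:
            profiles[current]["state"] = state.group(1).upper()
        policy = re.match(r"^Firewall Policy\s+(\S+)", line)
        if policy:
            inbound, _, outbound = policy.group(1).partition(",")
            profiles[current]["inbound"] = inbound.upper()
            profiles[current]["outbound"] = outbound.upper()
    return profiles


def restrictiveness(profile):
    """Rank a profile: firewall state first, then the default inbound action."""
    return (STATE_RANK.get(profile.get("state"), -1),
            INBOUND_RANK.get(profile.get("inbound"), -1))


def check_profile_order(profiles):
    """Return findings; an empty list means domain <= private <= public holds
    and no profile has the firewall turned off."""
    findings = [f"{name}: profile missing from output" for name in ORDER if name not in profiles]
    ranked = [(name, restrictiveness(profiles[name])) for name in ORDER if name in profiles]
    for (earlier, r1), (later, r2) in zip(ranked, ranked[1:]):
        if r2 < r1:
            findings.append(f"{later} profile is less restrictive than {earlier} profile "
                            f"({profiles[later]} vs {profiles[earlier]})")
    for name in ORDER:
        if profiles.get(name, {}).get("state") == "OFF":
            findings.append(f"{name}: firewall is OFF")
    return findings


if __name__ == "__main__":
    for finding in check_profile_order(parse_profiles(SAMPLE_OUTPUT)) or ["profile order OK"]:
        print(finding)
```

With the constructed sample, the script flags the public profile twice: it is less restrictive than the private profile, and its firewall is off. Feed it the real output (for example, netsh advfirewall show allprofiles redirected to a file) after running set commands to confirm the order still holds.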
Netsh Commands for Network Bridge
You can run these commands from the command prompt on a computer running Microsoft® Windows Vista® or Windows Server® 2008 from the netsh bridge context. To successfully run these commands at the command prompt on a computer running Windows Server 2008, you must type netsh bridge before typing the commands and parameters as they appear in this topic.
Netsh commands for Network Bridge
show adapter
Displays adapter identification, adapter names, and the state of the Layer 3 compatibility mode of adapters that are part of Network Bridge.
show adapter 2
This command lists the adapter ID, friendly name, and the state of the Layer 3 compatibility mode information for adapter 2.
set adapter
This command modifies the configuration of a specified adapter that is part of Network Bridge by setting the state of the adapter to either enable or disable network layer (Layer 3) compatibility mode.
set adapter 2 forcecompatmode=enable
This command is used to force adapter 2 to run in Layer 3 compatibility mode.
Netsh Commands for Dynamic Host Configuration Protocol client
The Netsh commands for Dynamic Host Configuration Protocol (DHCP) client offer a command-line tool that helps with the administration of DHCP clients.
Netsh commands for DHCP client
You can run these commands from the command prompt for the netsh dhcpclient context. For these commands to work at the command prompt, you must type netsh dhcpclient before typing commands and parameters as they appear in the syntax below.
Netsh DHCP client
The following commands are available at the dhcpclient> prompt, which is rooted within the netsh environment.
trace
Specifies whether logging, which is also called tracing, is enabled or disabled for the DHCP client on the local computer.
Syntax
trace { enable | disable }
Parameters
enable
Optional. Specifies that logging is enabled for the DHCP client service on the local computer. If the DHCP Network Access Protection (NAP) Enforcement Client is enabled, NAP events are also logged.
disable
Optional. Specifies that logging is disabled for the DHCP client service on the local computer. If the DHCP NAP Enforcement Client is enabled, logging of NAP events is also disabled.
Example
The following example enables tracing for the DHCP client service and the DHCP NAP Enforcement Client:
netsh dhcpclient trace enable
Netsh Commands for Windows Firewall
The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings.
The firewall context of the netsh command-line tool is provided only for backwards-compatibility with earlier versions of Windows. The firewall context works on computers that are running Microsoft® Windows Vista® and Windows Server® 2008, but it does not allow you to manage or interact with any of the firewall features that are new to Windows Vista or Windows Server 2008. This context does not allow you to work remotely on a computer to directly configure its firewall.
Microsoft recommends that you use the advfirewall context unless you are using this tool in a mixed environment and must maintain backwards-compatibility with earlier versions of Windows. To use the new firewall features included with Windows Vista and Windows Server 2008, you must use the advfirewall context instead.
We recommend that you do not use this context on a computer that is running Windows Vista or Windows Server 2008, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista or Windows Server 2008, standard maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.
You can run these commands from within the netsh tool at the netsh firewall> prompt.
For these commands to work at a standard Windows command prompt, you must preface each command with netsh firewall, followed by the specific command and parameters as they appear in the syntax below.
Netsh firewall
The following sections describe each command and its syntax.
add allowedprogram
Adds a program-based exception to the firewall.
Syntax
add allowedprogram [ program = ] PathAndFileName [ name = ] ProgramName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ program = ] PathAndFileName
Required. The path and file name of the program to be added to the firewall exception list. If the path or file name includes spaces, then you must use quotation marks around the path and file name.
[ name = ] ProgramName
Required. Friendly name of the program to be added to the list. This value is displayed in the Firewall control panel exception list.
[ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer. The default value is enable.
[ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter. The default value is all.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:
• An IPv4 or IPv6 address. For example, 192.168.0.15.
• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16,10.0.0.0/255.0.0.0,12AB:0000:0000:CD30::/60,localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The firewall profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the public profile, that is, to the domain and private profiles.
Remarks
• You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
• To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
• The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
add allowedprogram "C:\My App\MyApp.exe" "My Application" enable
add allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,12AB:0000:0000:CD30::/60,localsubnet
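A program exception is only as narrow as its scope and addresses list, and a deployment script that builds these command lines from a spreadsheet will happily emit scope=all or a loopback entry. The following Python validator is an added example, not code from this document or from Microsoft; it applies the entry syntax and the scope/addresses rules stated above to an addresses list before the netsh firewall command is run. Treating the IPv4 unspecified address 0.0.0.0 the same way as the unspecified IPv6 address is this script's own choice, not a rule stated on the page.

```python
"""Validate the scope= and addresses= arguments of 'netsh firewall add allowedprogram'
and 'set allowedprogram' against the rules given above, before a deployment script
runs them.

Added example; not code from this document or from Microsoft. Entry syntax and the
unspecified/loopback/multicast restriction follow the text; rejecting the IPv4
unspecified address (0.0.0.0) as well is this script's own, stricter choice."""
import ipaddress

SCOPES = ("all", "subnet", "custom")


def _host(token):
    """Parse one IPv4/IPv6 address and reject the kinds the text forbids."""
    ip = ipaddress.ip_address(token)            # ValueError on anything that is not an address
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"{token}: unspecified, loopback and multicast addresses are not allowed")
    return ip


def parse_addresses(spec):
    """Return [(kind, value), ...] for a comma-separated addresses= list."""
    entries = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty entry in addresses list")
        if token.lower() == "localsubnet":
            entries.append(("localsubnet", None))
        elif "-" in token:                      # start-end range, one address family
            start, _, end = token.partition("-")
            lo, hi = _host(start.strip()), _host(end.strip())
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"{token}: range must be ascending and of one address family")
            entries.append(("range", (lo, hi)))
        elif "/" in token:                      # address/mask or address/prefix
            net = ipaddress.ip_network(token, strict=False)
            _host(str(net.network_address))     # the same restrictions apply to the network address
            entries.append(("subnet", net))
        else:
            entries.append(("address", _host(token)))
    return entries


def validate_exception(scope="all", addresses=""):
    """Apply the coupling rules: addresses requires scope=custom, and
    scope=custom requires a non-empty addresses list. Returns the parsed entries."""
    scope = scope.lower()
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    if scope != "custom":
        if addresses.strip():
            raise ValueError("addresses may only be given with scope=custom")
        return []
    if not addresses.strip():
        raise ValueError("scope=custom requires a non-empty addresses list")
    return parse_addresses(addresses)


def rejected(scope, addresses):
    """True if the scope/addresses combination is refused."""
    try:
        validate_exception(scope, addresses)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The custom-scope list from the second example above.
    for kind, value in validate_exception(
            "custom", "157.60.0.1,172.16.0.0/16,12AB:0000:0000:CD30::/60,localsubnet"):
        print(kind, value)
```

Run the validator over every exception a script is about to create; an entry that parses here still deserves a second look if it is a wide subnet or a range, since each of those widens the set of remote hosts allowed to reach the program.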
set allowedprogram
Modifies the settings of an existing program-based exception.
Syntax
set allowedprogram [ program = ] PathAndFileName [ [ name = ] ProgramName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ program = ] PathAndFileName
Required. The path and file name of the program whose exception you want to modify. If the path or file name includes spaces, then you must use quotation marks around the path and file name.
[ [ name = ] ProgramName ]
Friendly name of the program to be added to the list. This value is displayed in the Firewall control panel exception list.
[ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer.
[ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:
• An IPv4 or IPv6 address. For example, 192.168.0.15.
• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16,10.0.0.0/255.0.0.0,12AB:0000:0000:CD30::/60,localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the public profile, that is, to the domain and private profiles.
The default value is current.
Remarks
• You must specify at least one parameter other than program.
• You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.
• To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.
• The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set allowedprogram "C:\My App\MyApp.exe" "My Application" enable
set allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
set allowedprogram program="C:\My App\MyApp.exe" name=MyApp mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
delete allowedprogram
Deletes an existing program-based exception.
Syntax
delete allowedprogram [ program = ] PathAndFileName [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ program = ] PathAndFileName
Required. The path and file name of the program to be deleted from the firewall exception list.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the public profile, that is, to the domain and private profiles.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe profile=all
set icmpsetting
Specifies the types of ICMP traffic that are permitted through the firewall.
Syntax
set icmpsetting [ type = ] { 2-5 | 8-9 | 11-13 | 17 | all } [ [ mode = ] { enable | disable} ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ type = ] { 2-5 | 8-9 | 11-13 | 17 | all }
Required. The type of ICMP traffic to allow. The value must be one of the following ICMP message types:
• 2 - Outbound packet too big.
• 3 - Outbound destination unreachable.
• 4 - Outbound source quench.
• 5 - Redirect.
• 8 - Inbound echo request (ping).
• 9 - Inbound router request.
• 11 - Outbound time exceeded.
• 12 - Outbound parameter problem.
• 13 - Inbound timestamp request.
• 17 - Inbound mask request.
• all - All of the above types.
[ [ mode = ] { enable | disable} ]
Specifies whether this exception is currently applied and active on the local computer. The default value is enable.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the public profile, that is, to the domain and private profiles.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set icmpsetting 8 enable all
set icmpsetting type=all mode=disable
set multicastbroadcastresponse
Specifies whether or not responses to a multicast or broadcast request are allowed through the firewall.
Syntax
set multicastbroadcastresponse [ mode = ] { enable | disable} [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ mode = ] { enable | disable}
Required. Specifies whether to enable or disable responses to multicast or broadcast traffic. The default value is enable.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set multicastbroadcastresponse enable
set multicastbroadcastresponse mode=enable profile=all
set notifications
Specifies whether the firewall displays a pop-up notification to the user when a program attempts to listen on a port.
Syntax
set notifications [ mode = ] { enable | disable} [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ mode = ] { enable | disable}
Required. Specifies whether to enable or disable the pop-up notification that is displayed when a program attempts to listen on a port.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set notifications enable
set notifications disable
set notifications mode=enable profile=current
set logging
Specifies whether the firewall writes information to a log file, and what details are included. This command only affects the currently active profile.
Syntax
set logging [ [ filelocation = ] PathAndFileName ] [ [ maxfilesize = ] Integer ] [ [ droppedpackets = ] { enable | disable } ] [ [ connections = ] { enable | disable } ]
Parameters
[ [ filelocation = ] PathAndFileName ]
Specifies the path and file name of the file to which the firewall writes its log. The default value is %windir%\pfirewall.log.
[ [ maxfilesize = ] Integer ]
Specifies the maximum file size in kilobytes. Must be an integer value from 1 to 32767. The default value is 4096.
[ [ droppedpackets = ] { enable | disable } ]
Specifies whether to include an entry for each packet dropped by the firewall. The default value is disable.
[ [ connections = ] { enable | disable } ]
Specifies whether to include an entry for each successful connection. The default value is disable.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set logging enable enable
set logging 4096 enable disable
set logging c:\mylogs\mylog.log 4096 enable enable
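The log that set logging produces is only useful if something reads it. As an added example, not part of this reference, here is a small Python reader that parses the log and summarises inbound drops by destination port and by source address. The field layout (a #Fields: header followed by space-separated records) is assumed from the format Windows Firewall writes to %windir%\pfirewall.log; the sample lines are constructed, and the addresses in them are documentation-range placeholders.

```python
# Added example, not part of the netsh reference: summarise the log written
# when "set logging droppedpackets=enable connections=enable" is in effect.
from collections import Counter

# Constructed sample in the layout assumed for %windir%\pfirewall.log:
# a "#Fields:" header line followed by one space-separated record per line.
# Confirm the field order against the header of your own log file.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:00:01 DROP TCP 203.0.113.7 192.168.0.15 51515 445 52 S 123456 0 8192 - - - RECEIVE
2024-01-15 10:00:02 DROP TCP 203.0.113.7 192.168.0.15 51516 3389 52 S 123457 0 8192 - - - RECEIVE
2024-01-15 10:00:03 OPEN TCP 192.168.0.15 192.168.0.1 49200 53 0 - 0 0 0 - - - SEND
2024-01-15 10:00:04 DROP UDP 203.0.113.9 192.168.0.15 40000 161 78 - - - - - - - RECEIVE
2024-01-15 10:00:05 DROP TCP 203.0.113.7 192.168.0.15 51517 445 52 S 123458 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return a list of dicts, one per record, keyed by the #Fields: names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # Field names follow the colon; later headers override earlier ones.
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("data line encountered before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated record (the file may be mid-write)
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound_by_port(records):
    """Count DROP entries on the RECEIVE path per (protocol, destination port)."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            counts[(rec["protocol"], rec["dst-port"])] += 1
    return counts


def top_drop_sources(records, n=3):
    """Return the n source addresses with the most DROP entries, most first."""
    counts = Counter(rec["src-ip"] for rec in records if rec["action"] == "DROP")
    return counts.most_common(n)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), count in dropped_inbound_by_port(recs).most_common():
        print(f"{proto}/{port}: {count} dropped")
    print("top drop sources:", top_drop_sources(recs))
```

Because droppedpackets and connections both default to disable, a log file that exists but contains only header lines usually means the command was run without those two parameters.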
set opmode
Specifies the operating mode of Windows Firewall.
Syntax
set opmode [ mode = ] { enable | disable } [ [ exceptions = ] { enable | disable } ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ mode = ] { enable | disable}
Required. Specifies whether to turn the firewall on or off.
[ [ exceptions = ] { enable | disable } ]
Specifies whether the firewall uses any currently defined port and program exceptions that are enabled. If exceptions=disable, then all enabled port and program exceptions are ignored. Default is enable.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set opmode enable
set opmode mode=enable exceptions=enable
add portopening
Creates a port-based exception.
Syntax
add portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ name = ] ExceptionName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] addresses ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ protocol = ] { tcp | udp | all }
Required. Specifies whether the port number refers to TCP, UDP, or both.
[ port = ] Integer
Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535. Only a single value can be specified and port ranges are not supported.
[ name = ] ExceptionName
Required. Specifies the name of the exception. This value is displayed in the Firewall control panel exception list.
[ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer.
[ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter. The default value is all.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:
• An IPv4 or IPv6 address. For example, 192.168.0.15.
• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
add portopening tcp 80 MyWebPort
add portopening udp 500 "IKE Exception" enable all
add portopening all 53 DNS enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
set portopening
Modifies the settings of an existing port-based exception.
Syntax
set portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ name = ] ExceptionName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] addresses ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ protocol = ] { tcp | udp | all }
Required. Specifies whether the port number refers to TCP, UDP, or both.
[ port = ] Integer
Required. Specifies the port number of the exception to be modified. Must be an integer value from 1 to 65535. Only a single value can be specified and port ranges are not supported.
[ [ name = ] ExceptionName ]
Specifies the name of the exception. This value is displayed in the Firewall control panel exception list.
[ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer.
[ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:
• An IPv4 or IPv6 address. For example, 192.168.0.15.
• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set portopening tcp 80 "My Web Port"
set portopening udp 500 "IKE Exception" enable all
set portopening all 53 "DNS Exception" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
delete portopening
Deletes an existing port-based exception.
Syntax
delete portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ protocol = ] { tcp | udp | all }
Required. Specifies whether the port number refers to TCP, UDP, or both.
[ port = ] Integer
Required. Specifies the port number to be excepted. Must be an integer value from 1 to 65535.
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
delete portopening tcp 80
delete portopening protocol=all port=25
set service
Enables or disables the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.
Syntax
set service [ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all } [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all }
Required. Specifies the service whose pre-defined rules are enabled or disabled. The value must be one of the following:
• fileandprint. The file and printer sharing service.
• remoteadmin. The ability to remotely administer a computer running Windows.
• remotedesktop. The ability to use a Terminal Services client such as Remote Desktop.
• upnp. Universal Plug-and-Play protocol for networked devices.
• all. All of the above services.
[ [ mode = ] { enable | disable } ]
Specifies whether this exception is currently applied and active on the local computer. The default value is enable.
[ [ scope = ] { all | subnet | custom } ]
Specifies the scope of the allowed network traffic from remote computers. all indicates that traffic is allowed from any computer, including those on the Internet. subnet indicates that traffic is allowed from computers on the local computer's subnet only. custom indicates that traffic is allowed from only those computers whose IP address matches the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
Specifies a custom list of addresses for the scope=custom parameter. Each entry can be:
• An IPv4 or IPv6 address. For example, 192.168.0.15.
• An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
• A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
• A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
• The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
Multiple entry types can be combined on a command line by separating them with commas: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 12AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
Specifies the firewall profile to which the command applies. The profile is determined by the detected network location types accessible through the computer's network adapters.
• current specifies that the command applies to the profile that is currently active on the computer.
• domain specifies that the command applies only to the domain profile.
• standard specifies that the command applies only to the private profile.
• all specifies that the command applies to all profiles except the private profile.
The default value is current.
Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set service fileandprint
set service remoteadmin enable subnet
set service type=remotedesktop mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
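The addresses= list accepted by add portopening, set portopening and set service above mixes five entry forms. As an added example, not part of this reference, the following Python function parses such a list into network objects and checks whether a given remote address falls inside the resulting scope, which is useful for reviewing an exception before it is applied. The local_subnet argument is an assumption: netsh resolves localsubnet from the adapter configuration, whereas this code takes it as a parameter.

```python
# Added example, not part of the netsh reference: parse the addresses= value
# used with scope=custom and test remote addresses against it.
import ipaddress


def parse_scope_addresses(spec, local_subnet=None):
    """Parse a netsh firewall addresses= value into a list of ip_network objects.

    Accepted entry forms, as documented for the addresses parameter:
      single address        192.168.0.15
      start-end range       192.168.0.1-192.168.0.50
      address/mask          192.168.0.0/255.255.255.0
      address/prefix        10.1.0.0/16 or 12AB:0000:0000:CD30::/60
      keyword               localsubnet  (resolved from local_subnet here)
    """
    networks = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in address list")
        if entry.lower() == "localsubnet":
            if local_subnet is None:
                raise ValueError("localsubnet used but no local subnet supplied")
            networks.append(ipaddress.ip_network(local_subnet, strict=False))
        elif "-" in entry:
            start_s, end_s = entry.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            # Version check first: comparing v4 with v6 addresses raises TypeError.
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {entry}")
            # A range becomes the minimal set of CIDR blocks covering it.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # ip_network accepts both prefix-length and dotted-mask notation;
            # strict=False tolerates host bits set in the address part.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_in_scope(addr, networks):
    """True if addr falls inside any network in the parsed scope list."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    # The address list from the set service example, with a constructed
    # local subnet standing in for what netsh would detect on the adapter.
    scope = parse_scope_addresses(
        "157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet",
        local_subnet="192.168.0.0/24",
    )
    for net in scope:
        print(net)
    for probe in ("172.16.5.5", "157.60.0.2", "192.168.0.77", "8.8.8.8"):
        print(probe, "allowed" if is_in_scope(probe, scope) else "blocked")
```

Printing the expanded list is the point of the exercise: a dotted-mask entry such as 10.0.0.0/255.0.0.0 covers the whole 10/8 block, which is easy to overlook when the value is read as one long comma-separated string.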
show commands
The following show commands are used to display the current configuration:
• show allowedprogram [ [ verbose = ] { enable | disable } ]
Displays the current list of program exceptions for the domain and standard profiles. Use the parameter verbose=enable to see additional details.
• show config [ [ verbose = ] { enable | disable } ]
Displays the local configuration information for the domain and standard profiles, including the output of all other show commands. Use parameter verbose=enable to see additional details.
• show currentprofile
Displays the current profile in use for the network location type.
• show icmpsetting [ [ verbose = ] { enable | disable } ]
Displays the ICMP settings. Use parameter verbose=enable to see additional details.
• show logging
Displays the current logging settings.
• show multicastbroadcastresponse
Displays multicast/broadcast response settings for each profile.
• show notifications
Displays whether the firewall displays pop-up notifications for each profile.
• show opmode
Displays the operational mode for the firewall for each profile.
• show portopening
Displays the current list of port exceptions for each profile. Use parameter verbose=enable to see additional details.
• show service
Displays the service configuration for each profile. Use parameter verbose=enable to see additional details.
• show state
Displays the current state information for the firewall. Use parameter verbose=enable to see additional details.
reset
Resets the configuration of Windows Firewall to default settings. All manually configured changes are lost. There are no parameters for the reset command.
Netsh Commands for Hypertext Transfer Protocol (HTTP)
You can use commands in the netsh http context to configure properties of the HTTP service. The Netsh commands for HTTP can be run manually at the netsh prompt or in scripts and batch files.
To run these commands from the command prompt, you must either enter the netsh http context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then http to enter the netsh http context, you must type:
netsh http command
Where command is the command that you want to run, including all of the required parameters for the command.
Netsh http commands
The following entries provide details for each command.
add iplisten
Adds a new IP address to the IP listen list. This does not include the port number.
Syntax
add iplisten [ ipaddress= ] IPAddress
Parameters
ipaddress
Required. The IPv4 or IPv6 address to be added to the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6 address.
Examples
Following are four examples of the add iplisten command.
add iplisten ipaddress=fe80::1
add iplisten ipaddress=1.1.1.1
add iplisten ipaddress=0.0.0.0
add iplisten ipaddress=::
add sslcert
Adds a new SSL server certificate binding and corresponding client certificate policies for an IP address and port.
Syntax
add sslcert [ ipport= ] IPAddress:port [ certhash= ] CertHash [ appid= ] GUID [ [ certstorename= ] CertStoreName [ verifyclientcertrevocation= ] enable | disable [ verifyrevocationwithcachedclientcertonly= ] enable | disable [ usagecheck= ] enable | disable [ revocationfreshnesstime= ] U-Int [ urlretrievaltimeout= ] U-Int [ sslctlidentifier= ] SSLCTIdentifier [ sslctlstorename= ] SSLCtStoreName [ dsmapperusage= ] enable | disable [ clientcertnegotiation= ] enable | disable ] ]
Parameters
ipport
Required. Specifies the IP address and port for the binding. A colon character (:) is used as a delimiter between the IP address and the port number.
certhash
Required. Specifies the SHA hash of the certificate. This hash is 20 bytes long and is specified as a hexadecimal string.
appid
Required. Specifies the GUID to identify the owning application.
certstorename
Optional. Specifies the store name for the certificate. Defaults to MY. The certificate must be stored in the local machine context.
verifyclientcertrevocation
Optional. Turns on or off verification of revocation of client certificates.
verifyrevocationwithcachedclientcertonly
Optional. Specifies whether the use of only a cached client certificate for revocation checking is enabled or disabled.
usagecheck
Optional. Specifies whether the usage check is enabled or disabled. Default is enabled.
revocationfreshnesstime
Optional. Specifies the time interval, in seconds, to check for an updated certificate revocation list (CRL). If this value is zero, then the new CRL is updated only if the previous one expires.
urlretrievaltimeout
Optional. Specifies the timeout interval (in milliseconds) after the attempt to retrieve the certificate revocation list for the remote URL.
sslctlidentifier
Optional. Specifies the list of the certificate issuers that can be trusted. This list can be a subset of the certificate issuers that are trusted by the computer.
sslctlstorename
Optional. Specifies the certificate store name under LOCAL_MACHINE where SslCtlIdentifier is stored.
dsmapperusage
Optional. Specifies whether the DS mapper is enabled or disabled. Default is disabled.
clientcertnegotiation
Optional. Specifies whether client certificate negotiation is enabled or disabled.
Examples
Following is an example of the add sslcert command.
add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
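add sslcert takes three required values whose shapes are easy to get wrong: ipport needs brackets around an IPv6 address (compare the delete sslcert and show sslcert examples below), certhash is the 20-byte SHA hash written as 40 hexadecimal characters, and appid is a GUID in braces. As an added example, not part of this reference, here is a Python helper that validates those three values and assembles the command line. It does not execute netsh, and the function names are my own.

```python
# Added example, not part of the netsh reference: validate the required
# add sslcert arguments and build the command line from them.
import ipaddress
import re

# 20-byte SHA hash as 40 hex characters, per the certhash description.
CERTHASH_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# GUID in braces, the form used in the reference example.
APPID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_ipport(ipport):
    """Split an ipport value into (ip_address, port).

    IPv4 is written 1.1.1.1:443; IPv6 must be bracketed, [fe80::1]:443,
    because the colon delimiter is ambiguous otherwise.
    """
    if ipport.startswith("["):
        end = ipport.find("]")
        if end == -1 or not ipport[end + 1:].startswith(":"):
            raise ValueError(f"malformed bracketed ipport: {ipport}")
        host, port = ipport[1:end], ipport[end + 2:]
    else:
        host, sep, port = ipport.rpartition(":")
        if not sep or ":" in host:
            raise ValueError(f"malformed ipport (IPv6 needs brackets): {ipport}")
    ip = ipaddress.ip_address(host)  # raises ValueError on garbage
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    return ip, int(port)


def build_add_sslcert(ipport, certhash, appid):
    """Return the netsh http add sslcert command line, or raise ValueError."""
    ip, port = parse_ipport(ipport)
    if not CERTHASH_RE.match(certhash):
        raise ValueError("certhash must be 40 hexadecimal characters (SHA-1 thumbprint)")
    if not APPID_RE.match(appid):
        raise ValueError("appid must be a GUID in braces, e.g. {00112233-4455-6677-8899-AABBCCDDEEFF}")
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return (
        f"netsh http add sslcert ipport={host}:{port} "
        f"certhash={certhash.upper()} appid={appid}"
    )


if __name__ == "__main__":
    # Values from the reference example; the hash is a documentation placeholder.
    print(build_add_sslcert(
        "1.1.1.1:443",
        "0102030405060708090A0B0C0D0E0F1011121314",
        "{00112233-4455-6677-8899-AABBCCDDEEFF}",
    ))
    print(parse_ipport("[::]:443"))
```

Rejecting a malformed ipport before calling netsh matters because a binding on 0.0.0.0:443 or [::]:443 applies to every address the HTTP service listens on, so a typo in the address part silently widens the binding rather than failing.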
add timeout
Adds a global timeout to the service.
Syntax
add timeout [ timeouttype= ] IdleConnectionTimeout | HeaderWaitTimeout [ value= ] U-Short
Parameters
timeouttype
The type of timeout to set.
value
Value of the timeout (in seconds). If value is in hexadecimal notation, then add the prefix 0x.
Examples
Following are two examples of the add timeout command.
add timeout timeouttype=idleconnectiontimeout value=120
add timeout timeouttype=headerwaittimeout value=0x40
add urlacl
Adds a Uniform Resource Locator (URL) reservation entry. This command reserves the URL for non-administrator users and accounts. The DACL can be specified by using an NT account name with the listen and delegate parameters or by using an SDDL string.
Syntax
add urlacl [ url= ] URL [ [user=] User [ [ listen= ] yes | no [ delegate= ] yes | no ] | [ sddl= ] SDDL ]
Parameters
url
Required. Specifies the fully qualified Uniform Resource Locator (URL).
user
Required. Specifies the user or user-group name.
listen
Optional. Specifies one of the following values: yes: Allow the user to register URLs. This is the default value. no: Deny the user from registering URLs.
delegate
Optional. Specifies one of the following values: yes: Allow the user to delegate URLs. no: Deny the user from delegating URLs. This is the default value.
sddl
Optional. Specifies an SDDL string that describes the DACL.
Examples
Following are four examples of the add urlacl command.
add urlacl url=http://+:80/MyUri user=DOMAIN\user
add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user listen=yes
add urlacl url=http://www.contoso.com:80/MyUri user=DOMAIN\user delegate=no
add urlacl url=http://+:80/MyUri sddl=...
delete cache
Deletes all entries or the specified entry from the HTTP service kernel URI cache.
Syntax
delete cache [ [ url= ] URL [ [recursive= ] yes | no ]
Parameters
url
Optional. Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete.
recursive
Optional. Specifies whether all entries under the specified url cache are removed. yes: all entries are removed. no: all entries are not removed.
Examples
Following are two examples of the delete cache command.
delete cache url=http://www.contoso.com:80/myresource/ recursive=yes
delete cache
delete iplisten
Deletes an IP address from the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds.
Syntax
delete iplisten [ ipaddress= ] IPAddress
Parameters
ipaddress
Required. The IPv4 or IPv6 address to be deleted from the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6 address. This does not include the port number.
Examples
Following are four examples of the delete iplisten command.
delete iplisten ipaddress=fe80::1
delete iplisten ipaddress=1.1.1.1
delete iplisten ipaddress=0.0.0.0
delete iplisten ipaddress=::
delete sslcert
Deletes SSL server certificate bindings and corresponding client certificate policies for an IP address and port.
Syntax
delete sslcert [ ipport= ] IPAddress:port
Parameters
ipport
Required. Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be deleted. A colon character (:) is used as a delimiter between the IP address and the port number.
Examples
Following are three examples of the delete sslcert command.
delete sslcert ipport=1.1.1.1:443
delete sslcert ipport=0.0.0.0:443
delete sslcert ipport=[::]:443
delete timeout
Deletes a global timeout and makes the service revert to default values.
Syntax
delete timeout [ timeouttype= ] idleconnectiontimeout | headerwaittimeout
Parameters
timeouttype
Required. Specifies the type of timeout to delete.
Examples
Following are two examples of the delete timeout command.
delete timeout timeouttype=idleconnectiontimeout
delete timeout timeouttype=headerwaittimeout
delete urlacl
Deletes a URL reservation.
Syntax
delete urlacl [ url= ] URL
Parameters
url
Required. Specifies the fully qualified Uniform Resource Locator (URL) that you want to delete.
Examples
Following are two examples of the delete urlacl command.
delete urlacl url=http://+:80/MyUri
delete urlacl url=http://www.contoso.com:80/MyUri
flush logbuffer
Flushes the internal buffers for the logfiles.
Syntax
flush logbuffer
show cachestate
Lists cached URI resources and their associated properties. This command lists all resources and their associated properties that are cached in HTTP response cache or displays a single resource and its associated properties.
Syntax
show cachestate [ [url= ] URL]
Parameters
url
Optional. Specifies the fully qualified URL that you want to display. If unspecified, displays all URLs.
The URL could also be a prefix to registered URLs.
Examples
Following are two examples of the show cachestate command.
show cachestate url=http://www.contoso.com:80/myresource
show cachestate
show iplisten
Displays all IP addresses in the IP listen list. The IP listen list is used to scope the list of addresses to which the HTTP service binds. "0.0.0.0" means any IPv4 address and "::" means any IPv6 address.
Syntax
show iplisten
show servicestate
Displays a snapshot of the HTTP service.
Syntax
show servicestate [ [ view= ] session | requestq ] [ [ verbose= ] yes |no ]
Parameters
view
Optional. Specifies whether to view a snapshot of the HTTP service state based on the server session or on the request queues.
verbose
Optional. Specifies whether to display verbose information that also shows property information.
Examples
Following are two examples of the show servicestate command.
show servicestate view="session"
show servicestate view="requestq"
show sslcert
Displays Secure Sockets Layer (SSL) server certificate bindings and corresponding client certificate policies for an IP address and port.
Syntax
show sslcert [ ipport= ] IPAddress:port
Parameters
ipport
Required. Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be displayed. A colon character (:) is used as a delimiter between the IP address and the port number. If you do not specify ipport, all bindings are displayed.
Examples
Following are five examples of the show sslcert command.
show sslcert ipport=[fe80::1]:443
show sslcert ipport=1.1.1.1:443
show sslcert ipport=0.0.0.0:443
show sslcert ipport=[::]:443
show sslcert
show timeout
Displays, in seconds, the timeout values of the HTTP service.
Syntax
show timeout
show urlacl
Displays discretionary access control lists (DACLs) for the specified reserved URL or all reserved URLs.
Syntax
show urlacl [ [url= ] URL]
Parameters
url
Optional. Specifies the fully qualified URL that you want to display. If unspecified, displays all URLs.
Examples
Following are three examples of the show urlacl command.
show urlacl url=http://+:80/MyUri
show urlacl url=http://www.contoso.com:80/MyUri
show urlacl
Netsh Commands for Interface (IPv4 and IPv6)
You can use commands in the Netsh Interface context and subcontexts to configure the TCP/IP version 4 protocol (including addresses, default gateways, Domain Name System (DNS) and WINS servers) and to display configuration and statistical information for IPv4.
In addition, you can use commands in this context and related subcontexts (6to4, isatap, portproxy, and teredo) to configure Internet Protocol version 6 (IPv6).
To run these commands from the command prompt, you must either enter the netsh interface context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then interface to enter the netsh interface context, you must type:
netsh interface command
Where command is the command that you want to run, including all of the required parameters for the command.
The Netsh Interface context also includes several subcontexts.
Subcontexts of Netsh Interface
This context provides the following subcontexts:
Subcontext name Result
6to4 Changes to the netsh interface 6to4 context.
ipv4 Changes to the netsh interface ipv4 context.
ipv6 Changes to the netsh interface ipv6 context.
isatap Changes to the netsh interface isatap context.
portproxy Changes to the netsh interface portproxy context.
tcp Changes to the netsh interface tcp context.
teredo Changes to the netsh interface teredo context.
Netsh Interface command reference
Following are the details for the commands in the Netsh Interface context.
add
Adds an interface to the router. For full interfaces, a phone book entry with the same name must already exist on the system.
Syntax
add [name=] Name [[type=]full]
Parameters
name
Required. Specifies the name of the interface to be added.
type
Optional. Specifies that a demand-dial interface is created when full is designated.
Examples
Following is an example of the add interface command that creates a demand dial interface.
add name="Demand-Dial Interface" type=full
delete
Deletes an interface from the router.
Syntax
delete [ name= ] Name
Parameters
name
Required. Specifies the name of the interface to be deleted.
Examples
The following example command deletes a demand-dial interface at the router.
delete name="Demand-Dial Interface"
reset
Deletes all of the interfaces that can be added through this context.
Syntax
reset
set credentials
Specifies the credentials that are used to connect to or add an interface.
Syntax
set credentials [ name= ] InterfaceName [ user= ]UserName [[ domain= ] Domain [password=] Password ]
Parameters
InterfaceName
Required. Specifies the name of the interface that you want to add. UserName
Required. Specifies the user account name that has the required permissions to add an interface.
Domain
Optional. Specifies the domain where the user account is located.
Password
Optional. Specifies the password of the user account.
Examples
Following are two examples of the set credentials command.
set credentials name="Demand-Dial Interface" user=guest
set credentials name="Demand-Dial Interface" user=admin domain=mydomain password=mypassword
set interface
Changes the parameters for an existing interface.
Syntax
set interface [name = ] IfName [ [admin = ] ENABLED|DISABLED [connect = ] CONNECTED|DISCONNECTED [newname = ] NewName ]
Parameters
IfName
Required. Specifies the name of the interface that you want to modify.
admin
Optional. Specifies whether the interface should be enabled or disabled.
connect
Optional. Specifies whether or not to enable and connect the interface (non-LAN only).
newname
Optional. Specifies a new name for the interface (LAN only).
show credentials
Displays the credentials that are used to connect to an interface.
Syntax
show credentials [name = ] IfName
Parameters
IfName
Required. Specifies the name of the interface whose credentials you want to display.
show interface
Displays a list of the configured interfaces, including their current Name, Admin State, State, and Type.
Syntax
show interface [[name=] Name]
Parameters
Name
Optional. Specifies the name of the interface that you want to display. If Name is not specified, all interfaces are displayed.
Examples
Following is an example of the show interface command.
show interface name="Local Area Connection"
Netsh commands for Interface 6to4
Interface 6to4 commands
The following entries provide details for each command.
add
Adds an interface to the router. For full interfaces, a phone book entry with the same name must already exist on the system.
Syntax
add [name=] Name [[type=]full]
Parameters
name
Required. Specifies the name of the interface to be added.
type
Optional. Specifies that a demand dial interface is created when full is designated.
Examples
Following is an example of the add command that creates a demand-dial interface.
add name="Demand-Dial Interface" type=full
delete
Deletes an interface from the router.
Syntax
delete [ name= ] Name
Parameters
name
Required. Specifies the name of the interface to be deleted.
Examples
The following example command deletes a demand-dial interface at the router.
delete name="Demand-Dial Interface"
reset
Deletes all of the interfaces that can be added through this context.
Syntax
reset
set interface
Sets 6to4 interface configuration information.
Syntax
set interface [ name= ] Name [ [ routing= ]( enabled | disabled | default )]
Parameters
name
Required. Specifies the interface name.
routing
Optional. Specifies whether to act as a router.
Examples
Following is an example of the set interface command.
set interface "Private" enabled
set relay
Sets 6to4 relay information.
Syntax
set relay [ [ name= ]( Name | default )] [ [ state= ] ( enabled | disabled | automatic | default ) ] [[ interval= ] Integer ]
Parameters
name
Optional. Specifies the name of the 6to4 relay.
state
Optional. Specifies whether relay name resolution is enabled or disabled.
interval
Optional. Specifies an integer that is the resolution interval (in minutes).
Examples
Following is an example of the set relay command.
set relay 6to4.ipv6.org. enabled 1440
set routing
Sets 6to4 routing information.
Syntax
set routing [ [ routing= ]( enabled | disabled | automatic | default ) ] [ [ sitelocals= ] (enabled | disabled | default ) ]
Parameters
routing
Optional. Specifies the state of 6to4 routing.
sitelocals
Optional. Specifies whether to use site-local addresses.
Examples
Following are two examples of the set routing command.
set routing default default
set routing routing=enabled sitelocals=enabled
set state
Sets the 6to4 configuration state.
Syntax
set state [ [ state= ] ( enabled |disabled | automatic | default ) ] [ [ undoonstop= ] ( enabled | disabled | default ) ]
Parameters
state
Optional. Specifies whether 6to4 is enabled.
undoonstop
Optional. Specifies whether 6to4 is disabled on service stop.
Examples
Following are two examples of the set state command.
set state default default
set state state=enabled undoonstop=disabled
show interface
Displays the 6to4 interface configuration information.
Syntax
show interface
show relay
Displays the 6to4 relay information.
Syntax
show relay
show routing
Displays the 6to4 routing state.
Syntax
show routing
show state
Displays the 6to4 state.
Syntax
show state
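6to4 carries IPv6 inside IPv4 packets, so hosts that do not need it are commonly left with the interface disabled to keep tunnelled traffic from slipping past IPv4-only filtering. The following PowerShell is an added example, not part of the original reference: it applies set state state=disabled from this context and confirms the result by parsing show state. The function names are illustrative, and the output layout the regular expression expects (a "State : value" line) is an assumption, not something the reference specifies.

```powershell
# Added example (not from the original reference). Disables 6to4 with
# 'netsh interface 6to4 set state' and verifies it via 'show state'.
# Function names are illustrative; the 'State : <value>' output line the
# parser looks for is an assumed format. Run from an elevated shell.
function Test-6to4Disabled {
    param([string[]] $Output)   # lines of 'netsh interface 6to4 show state'
    foreach ($line in $Output) {
        # Assumed format: a line such as "State                    : disabled"
        if ($line -match '^\s*State\s*:\s*(\w+)') {
            return ($Matches[1] -ieq 'disabled')
        }
    }
    # No recognisable State line: report not verified rather than guessing.
    return $false
}

function Disable-6to4 {
    param([switch] $DryRun)

    if ($DryRun) {
        Write-Output 'Would run: netsh interface 6to4 set state state=disabled'
        return $false
    }

    & netsh interface 6to4 set state state=disabled | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh interface 6to4 set state failed with exit code $LASTEXITCODE"
    }

    # Confirm from what the system reports, not from the command we issued.
    $state = & netsh interface 6to4 show state
    return (Test-6to4Disabled -Output $state)
}

# Constructed sample standing in for live 'netsh interface 6to4 show state'
# output, so the parser can be exercised without changing the host.
$sample = @'
6to4 Parameters
---------------------------------------------
State                    : disabled
Undo On Stop             : disabled
'@ -split "`r?`n"

Test-6to4Disabled -Output $sample

# On a live host, apply and verify in one step:
# Disable-6to4
```

Disable-6to4 returns $true only when show state afterwards reports disabled, which makes it safe to use as a compliance check in a scheduled job: a $false result means the change did not take effect or the output format differs from the assumption above.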
Netsh commands for Interface Internet Protocol version 4 (IPv4)
You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information.
You can run these commands at the command prompt for the netsh interface ip context. For these commands to work at the command prompt, you must type netsh interface ip before typing commands and parameters as they appear in the syntax below.
add address
Adds an IP address and a default gateway on a specified interface configured with a static IP address.
Syntax
add address [name=]InterfaceName [addr=]IPAddress [mask=]SubnetMask[[gateway=] DefaultGateway [gwmetric=]GatewayMetric]
Parameters
[name=] InterfaceName
Required. Specifies the name of the interface for which you want to add address and gateway information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[addr=] IPAddress [mask=] SubnetMask
Required. Specifies the IP address to add and the subnet mask for that IP address.
[gateway=] DefaultGateway [gwmetric=] GatewayMetric
Specifies the IP address of the default gateway to add and the metric for that default gateway.
/?
Displays help at the command prompt.
add dnsserver
Adds a DNS server to a list of DNS servers for a specified interface.
Syntax
add dnsserver [name=]InterfaceName [addr=] DNSAddress [[index=]DNSIndex]
Parameters
[name=] InterfaceName
Required. Specifies the name of the interface for which you want to add DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[addr=] DNSAddress
Required. Specifies the IP address of the DNS server to add.
[index=] DNSIndex
Specifies the position of the added DNS server in the list of DNS servers for the interface.
/?
Displays help at the command prompt.
add neighbors
Specifies an entry in the neighbor cache.
Syntax
add neighbors [interface=]<string> [address=]<IPv4Address> [neighbor=]<string> [subinterface=]<string> [[store=]active|persistent]
Parameters
[interface=]<string>
Specifies an interface name or index.
[address=]<IPv4Address>
Specifies the address of the neighbor.
[neighbor=]<string>
Specifies the link-layer address of the neighbor.
[subinterface=]<string>
Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• Persistent (default): Address will be persistent.
Examples
This example command adds an entry to the neighbor cache on the interface named "Private."
add neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"
add route
Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
add route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]
Parameters
[prefix=] IPv4Address/Integer
Required. Specifies the prefix for which to add a route. Integer specifies the prefix length.
[[interface=] String]
Specifies an interface name or index.
[[nexthop=] IPv4Address]
Specifies the gateway address, if the prefix is not on-link.
[[ siteprefixlength=] Integer]
Specifies the prefix length for the entire site, if the prefix is not on-link.
[[metric=] Integer]
Specifies the route metric.
[[validlifetime=]{Integer | infinite}]
Specifies the lifetime over which the route is valid. The default value is infinite.
[[ preferredlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is preferred. The default value is infinite.
[[store=]{active | persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command adds a route on the interface named "Internet".
add route 10.2.0.0/16 "Internet" 10.0.0.1
add winsserver
Adds a WINS server to a list of WINS servers for a specified interface.
Syntax
add winsserver [name=]InterfaceName [addr=] WINSAddress [[index=]WINSIndex]
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to add WINS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[addr=] WINSAddress
Required. Specifies the IP address of the WINS server to add.
[index=] WINSIndex
Specifies the position of the added WINS server in the WINS server list for that interface.
/?
Displays help at the command prompt.
delete address
Deletes an IP address or a default gateway on a statically configured interface.
Syntax
delete address [name=]InterfaceName [addr=] IPAddress [[gateway=]{DefaultGateway | all}]
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to delete address and gateway information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[addr=] IPAddress
Required. Specifies the IP address to delete.
[gateway=]{DefaultGateway | all}
Specifies whether to delete one default gateway or all default gateways. If only one default gateway should be deleted, DefaultGateway specifies the IP address of the default gateway to be deleted.
/?
Displays help at the command prompt.
delete arpcache
Removes the entries in the Address Resolution Protocol (ARP) cache for a specified interface. Used without parameters, delete arpcache removes the entries in the ARP caches of all interfaces.
Syntax
delete arpcache [name=]<InterfaceName>
Parameters
[name=]<InterfaceName>
Specifies the name of the interface for which you want to remove the ARP cache entries. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
delete destinationcache
Clears the destination cache. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that destination cache entry.
Syntax
delete destinationcache [[interface=]String] [[address=]IPv4Address]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv4Address]
Specifies the address of the destination.
Examples
This example command deletes the destination cache for the interface named "Private."
delete destinationcache "Private"
delete dnsserver
Deletes a DNS server or all DNS servers from a list of DNS servers for a specified interface or for all interfaces.
Syntax
delete dnsserver [name=]InterfaceName [addr=]{DNSAddress | all}
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to delete DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[addr=]{DNSAddress | all}
Required. Specifies whether to delete the address of one DNS server or all servers for all interfaces. If only one DNS server should be deleted, DNSAddress specifies the IP address of the DNS server to delete.
/?
Displays help at the command prompt.
delete neighbors
Specifies that all entries in the neighbor cache are deleted. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that neighbor cache entry.
Syntax
delete neighbors [[interface=]String] [[address=]IPv4Address]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[address=] IPv4Address]
Specifies the address of the neighbor.
Examples
This example command removes all entries from the neighbor cache on the interface named "Private."
delete neighbors "Private"
delete route
Deletes an IPv4 route.
Syntax
delete route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address] [[store=]{active | persistent}]
Parameters
[ prefix=] IPv4Address/Integer
Required. Specifies the prefix of the route to delete.
[[interface=] String]
Specifies an interface name or index.
[[ nexthop=] IPv4Address]
Specifies the gateway address, if the prefix is not on-link.
[[store=]{active | persistent}]
Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command deletes a route from the interface named "Internet."
delete route 10.2/16 "Internet" 10.0.0.1
delete winsserver
Deletes a WINS server or servers from a list of WINS servers for a specified interface or all interfaces.
Syntax
delete winsserver [name=]InterfaceName [addr=]{WINSAddress | all}
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to delete a WINS server or servers. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[addr=]{WINSAddress | all}
Required. Specifies whether to delete only one server for an interface or all servers for all interfaces. If only one server should be deleted, WINSAddress specifies the IP address of the WINS server to delete.
/?
Displays help at the command prompt.
dump
Displays the current configuration as a series of Netsh Interface IP commands.
Syntax
dump
Parameters
none
install
Installs the IPv4 protocol. A reboot is required for the installation to take effect.
Syntax
install
reset
Resets the IPv4 configuration state. A reboot is required for changes to take effect.
Syntax
reset
set address
Configures an IP address and a default gateway on a specified interface.
Syntax
set address [name=]InterfaceName [source=]{dhcp | static [addr=]IPAddress[mask=]SubnetMask [gateway=]{none | DefaultGateway [[gwmetric=]GatewayMetric]}}
Parameters
[ name =] InterfaceName
Required. Specifies the name of the interface for which you want to configure address and gateway information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[source=]{dhcp | static [addr=]IPAddress [mask=]SubnetMask [gateway=]{none | DefaultGateway [[gwmetric=]GatewayMetric]}}
Required. Specifies whether the IP address to configure originates from a Dynamic Host Configuration Protocol (DHCP) server or is static. If the address is static, IPAddress specifies the address to configure, and SubnetMask specifies the subnet mask for the IP address being configured. If the address is static, you must also specify whether you want to leave the current default gateway (if any) in place or configure one for the address. If you configure a default gateway, DefaultGateway specifies the IP address of the default gateway to be configured, and GatewayMetric specifies the metric for the default gateway to be configured.
/?
Displays help at the command prompt.
set compartment
Modifies compartment configuration parameters.
Syntax
set compartment [compartment=]<integer> [defaultcurhoplimit=]<integer> [[store=]active|persistent]
Parameters
[compartment=]<integer>
Specifies the compartment identifier.
[defaultcurhoplimit=]<integer>
Specifies the default hop limit of packets sent.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• Persistent (default): Address will be persistent.
Example
set compartment compartment=1 defaultcurhoplimit=255 store=active
set dnsserver
Configures a DNS server address for a specified interface.
Syntax
set dnsserver [name=]InterfaceName [source=]{dhcp | static } [addr=]{IP Address | none} [register=]{none | primary | both}
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to set DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[source=]{dhcp | static}
Required. Specifies whether the IP address of the DNS server is configured by DHCP or is static.
[addr=]{IP Address | none}
If the IP address is static, IP Address specifies the IP address of the DNS server to configure, and none specifies that the DNS configuration should be removed.
[register=]{none | primary | both}
none disables dynamic update. primary registers the computer name under the primary DNS suffix only. both registers the computer name under both the primary DNS suffix and the connection-specific suffix.
/?
Displays help at the command prompt.
Examples
set dnsserver name="Local Area Connection" source=dhcp
set dnsserver "Local Area Connection" static 10.0.0.1 primary
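A DNS server address changed outside the approved set is a classic sign of tampering, and the show dnsservers / set dnsserver pair in this context is enough to detect and correct it. The following PowerShell is an added example, not part of the original reference: it parses the output of netsh interface ip show dnsservers, compares each interface against an approved list, and prints the set dnsserver command (in the syntax documented above) that would restore compliance. The function names, interface names, addresses and the sample output are all constructed; the output layout the parser expects is an assumption about the live command, not something the reference specifies.

```powershell
# Added example (not from the original reference). Audits configured DNS
# servers per interface against an approved list and emits the corrective
# 'netsh interface ip set dnsserver' command. Sample output, names and
# addresses are constructed; the parsed layout is an assumed format.
function Get-NetshDnsServers {
    param([string[]] $Output)   # lines of 'netsh interface ip show dnsservers'
    $result  = @{}
    $current = $null
    foreach ($line in $Output) {
        if ($line -match '^\s*Configuration for interface "(.+)"') {
            $current = $Matches[1]
            $result[$current] = New-Object System.Collections.Generic.List[string]
        }
        # First server follows a "... DNS Servers ...:" label; further servers
        # appear on continuation lines holding only the address.
        elseif ($current -and
                $line -match '^\s*(?:.*DNS [Ss]ervers.*?:\s*)?(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            $result[$current].Add($Matches[1])
        }
    }
    return $result
}

function Test-DnsCompliance {
    param(
        [hashtable] $Configured,
        [string[]]  $Approved,
        [string[]]  $Ignore = @('Loopback Pseudo-Interface 1')
    )
    $findings = @()
    foreach ($name in $Configured.Keys) {
        if ($Ignore -contains $name) { continue }
        $bad = @($Configured[$name] | Where-Object { $Approved -notcontains $_ })
        if ($bad.Count -gt 0) {
            $findings += [pscustomobject]@{
                Interface   = $name
                Unexpected  = ($bad -join ', ')
                # Syntax from the reference: set dnsserver name source addr register
                Remediation = "netsh interface ip set dnsserver name=`"$name`" source=static addr=$($Approved[0]) register=primary"
            }
        }
    }
    return $findings
}

# Constructed sample standing in for live 'netsh interface ip show dnsservers'
# output. 198.51.100.53 is a documentation address used here as the rogue entry.
$sample = @'
Configuration for interface "Ethernet"
    Statically Configured DNS Servers:    10.0.0.1
                                          198.51.100.53
    Register with which suffix:           Primary only

Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  10.0.0.1
    Register with which suffix:           Primary only
'@ -split "`r?`n"

$approved = @('10.0.0.1', '10.0.0.2')
Test-DnsCompliance -Configured (Get-NetshDnsServers -Output $sample) -Approved $approved |
    Format-Table -AutoSize

# Against a live host, replace $sample with:
# $live = netsh interface ip show dnsservers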
set dynamicportrange
Modifies the range of ports used for dynamic port assignment. Dynamic port assignment is also known as wildcard port assignment.
Syntax
set dynamicportrange [[protocol=]tcp|udp] [startport=]<integer> [numberofports=]<integer> [[store=]active|persistent]
Parameters
[[protocol=]tcp|udp]
One of the following values:
• tcp: Modify the dynamic port range for TCP.
• udp: Modify the dynamic port range for UDP.
[startport=]<integer>
Specifies the starting port for dynamic port assignment.
[numberofports=]<integer>
Specifies the number of ports available for dynamic port assignment.
[[store=]active|persistent]
One of the following values:
• active: Setting will disappear on next boot.
• persistent (default): Setting will be persistent.
Example
set dynamicportrange protocol=tcp startport=10000 numberofports=20000
set global
Modifies global configuration parameters.
Syntax
set global [[defaultcurhoplimit=]Integer] [[neighborcachelimit=]Integer][[routecachelimit=]Integer] [[reassemblylimit=]Integer] [[store=]{active | persistent}]
Parameters
[[defaultcurhoplimit=] Integer]
Specifies the default hop limit of packets sent.
[[neighborcachelimit=] Integer]
Specifies the maximum number of neighbor cache entries.
[[routecachelimit=] Integer]
Specifies the maximum number of route cache entries.
[[reassemblylimit=] Integer]
Specifies the maximum size of the reassembly buffer.
[[store=]{active | persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets global parameters for all IPv4-enabled interfaces on the computer. The default hop limit is set to 32, the maximum number of neighbor cache entries is set to 100, and the maximum number of route cache entries is set to 100,000.
set global 32 100 100000
set interface
Modifies interface configuration parameters.
Syntax
set interface [[interface=]String] [[forwarding=]{enabled | disabled}] [[advertise=]{enabled | disabled}] [[mtu=]Integer] [[siteid=]Integer] [[metric=]Integer] [[firewall=]{enabled | disabled}] [[siteprefixlength=]Integer] [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ forwarding=]{ enabled| disabled}]
Specifies whether packets arriving on this interface can be forwarded to other interfaces. The default selection is disabled.
[[advertise=]{enabled | disabled}]
Specifies whether Router Advertisements are sent on this interface. The default selection is disabled.
[[mtu=] Integer]
Specifies the Maximum Transfer Unit (MTU) of this interface. The default MTU is the natural MTU of the link.
[[ siteid=] Integer]
Specifies the site scope zone identifier.
[[metric=] Integer]
Specifies the interface metric, which is added to route metrics for all routes over the interface.
[[firewall=]{enabled | disabled}]
Specifies whether to operate in firewall mode.
[[siteprefixlength=] Integer]
Specifies the default length of the global prefix for the entire site.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets the interface with the name "Private," with a siteid of two and a metric of two. All other parameter values are left at the default values.
set interface "Private" siteid=2 metric=2
set neighbors
Sets an entry in the neighbor cache.
Syntax
set neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string> [[subinterface=]<string>][[store=]active|persistent]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[address=] IPv4Address]
Specifies the address of the neighbor.
[neighbor=]<string>
Specifies the link-layer address of the neighbor.
[[subinterface=]<string>]
Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• Persistent (default): Address will be persistent.
Examples
This example command sets an entry to the neighbor cache on the interface named "Private."
set neighbors "Private" "10.1.1.1" "12-34-56-78-9a-bc"
set route
Modifies route parameters. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
set route [prefix=]IPv4Address/Integer [[interface=]String] [[nexthop=]IPv4Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]
Parameters
[prefix=] IPv4Address/Integer
Required. Specifies the prefix (IPv4Address) and prefix length (Integer) of the route to modify.
[[interface=] String]
Specifies an interface name or index.
[[nexthop=] IPv4Address]
Specifies the gateway address, if the prefix is not on-link.
[[siteprefixlength=] Integer]
Specifies the prefix length for the entire site, if the prefix is not on-link.
[[metric=] Integer]
Specifies the route metric.
[[publish=]{no | yes | immortal}]
Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or not advertised (no) in Router Advertisements. The default selection is no.
[[validlifetime=]{Integer | infinite}]
Specifies the lifetime over which the route is valid. The default value is infinite.
[[preferredlifetime=]{Integer | infinite}]
Specifies the lifetime over which the route is preferred. The default value is infinite.
[[store=]{active | persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets a route on the interface named "Internet."
set route 10.2.0.0/16 "Internet" 10.0.0.1 0 2 yes 5000 5000 store=active
set subinterface
Modifies subinterface configuration parameters.
Syntax
set subinterface [interface=]<string> [[mtu=]<integer>] [[subinterface=]<string>] [[store=]active|persistent]
Parameters
[interface=]<string>
Specifies an interface name or index.
[[mtu=]<integer>]
Specifies the MTU of this subinterface. The default is the natural MTU of the link.
[[subinterface=]<string>]
Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.
[[store=]active|persistent]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Example
set subinterface "1" mtu=1500 store=active
set winsserver
Sets WINS server configuration to either DHCP or static mode for a specified interface.
Syntax
set winsserver [name=]InterfaceName [source=]{dhcp | static [addr=]{WINSAddress | none }}
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to set WINS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[source=]{dhcp | static [addr=]{WINSAddress | none}}
Required. Specifies whether the IP address of the WINS server to configure should be assigned by DHCP or is static. If the IP address is static, WINSAddress specifies the IP address of the WINS server to configure, and none specifies that the WINS configuration should be removed.
/?
Displays help at the command prompt.
show address
Displays information about static IP addresses and default gateways on a specified interface. Used without parameters, show address displays address information for all interfaces.
Syntax
show address [[name=]InterfaceName]
Parameters
[ name=] InterfaceName
Specifies the name of the interface for which you want to display address information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
show compartments
Displays information about all compartments, or about a given compartment if one is specified.
Syntax
show compartments [compartment=]<integer> [[level=]normal|verbose] [store=]active|persistent
Parameters
[compartment=]<integer>
Specifies the compartment identifier.
[[level=]normal|verbose]
One of the following values:
• normal: Display one line per compartment (default when no compartment is specified).
• verbose: Display extra information about each compartment (default when a compartment is specified).
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• Persistent (default): Address will be persistent.
Example
show compartments
show config
Displays IP address and other configuration information for a specified interface. Used without parameters, show config displays configuration information for all interfaces.
Syntax
show config [[name=]InterfaceName]
Parameters
[ name=] InterfaceName
Specifies the name of the interface for which you want to display configuration information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
show destinationcache
Displays destination cache entries. If an interface is specified, displays the cache only on that interface. If an address is also specified, displays only that destination cache entry.
Syntax
show destinationcache [[interface=]String] [[address=]IPv4Address]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv4Address]
Specifies the address of the destination.
show dnsservers
Displays the DNS configuration of a specified interface. Used without parameters, show dnsservers displays the DNS configurations of all interfaces.
Syntax
show dnsservers [[name=]InterfaceName]
Parameters
[ name=] InterfaceName
Specifies the name of the interface whose DNS configuration you want to display. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
show dynamicportrange
Displays dynamic port range configuration parameters.
Syntax
show dynamicportrange [[protocol=]tcp|udp] [[store=]active|persistent]
Parameters
[[protocol=]tcp|udp]
One of the following values:
• TCP: Show the dynamic port range for TCP.
• UDP: Show the dynamic port range for UDP.
[[store=]active|persistent]
One of the following values:
• Active: Address will disappear on next boot.
• Persistent (default): Address will be persistent.
Example
show dynamicportrange
show global
Displays global configuration parameters.
Syntax
show global [[store=]{active | persistent}]
Parameters
[[ store=]{ active| persistent}]
Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.
show icmpstats
Displays ICMP statistics. Used without parameters, show icmpstats displays the statistics only once.
Syntax
show icmpstats [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show interfaces
Displays statistics for a specified interface. Used without parameters, show interfaces displays statistics for all interfaces only once.
Syntax
show interfaces [[index=]InterfaceIndex] [[rr=]RefreshRate]
Parameters
[ index=] InterfaceIndex
Specifies the interface index, an integer that identifies the interface.
[rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show ipaddresses
Displays information for a specified IP address. Used without parameters, show ipaddresses displays information for all IP addresses on all interfaces once.
Syntax
show ipaddresses [[index=]IPAddress] [[rr=]RefreshRate]
Parameters
[ index=] IPAddress
Specifies an IP address of an interface.
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show ipnettomedia
Displays the contents of the Address Resolution Protocol (ARP) cache, which contains the hardware addresses of resolved next-hop IP addresses. Used without parameters, show ipnettomedia displays the information once.
Syntax
show ipnettomedia [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show ipstats
Displays IP statistics. Used without parameters, show ipstats displays the statistics once.
Syntax
show ipstats [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show joins
Displays IP multicast groups that have been joined for the specified IP address. Used without parameters, show joins displays information for all IP addresses.
Syntax
show joins [[index=]IPAddress]
Parameters
[ index=] IPAddress
Specifies an IP address of an interface.
/?
Displays help at the command prompt.
show neighbors
Displays neighbor cache entries. If an interface is specified, the command displays the cache only on that interface. If a subinterface is also specified, the command shows only the cache for that subinterface. If an address is specified as well, the command displays only that specific neighbor cache entry.
Syntax
show neighbors [[interface=]String] [[address=]IPv4Address] [neighbor=]<string> [[subinterface=]<string>] [[store=]active|persistent] [[level=]normal|verbose]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv4Address]
Specifies the address of the neighbor.
[[subinterface=]<string>]
Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• persistent (default): Address will be persistent.
[[level=]normal|verbose]
One of the following values:
• normal: Display one line per subinterface (default when no subinterface is specified).
• verbose: Display extra information on each subinterface (default when a subinterface is specified).
Example
show neighbors
show offload
Displays the tasks that can be performed by the network adapter for the specified interface corresponding to installed network hardware. Used without parameters, show offload displays offload information for all interfaces corresponding to installed network hardware.
Syntax
show offload [[name=]InterfaceName ]
Parameters
[ name=] InterfaceName
Specifies the name of the interface for which you want to display offload information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
show route
Displays route table entries.
Syntax
show route [[level=]normal | verbose] [[store=]active | persistent]
Parameters
[[ level=] normal| verbose]
Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.
[[ store=]active| persistent]
Specifies whether active (active) or persistent (persistent) routes are displayed. The default selection is active.
show subinterfaces
Displays information about all subinterfaces, or about all subinterfaces on a given interface if one is specified.
Syntax
show subinterfaces [interface=]<string> [[level=]normal|verbose] [[subinterface=]<string>] [[store=]active|persistent]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ level=]normal|verbose]
Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.
[[subinterface=]<string>]
Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.
[[ store=]active|persistent]
Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.
Example
show subinterfaces
show tcpconnections
Displays information on a specified TCP connection. Used without parameters, show tcpconnections displays information for all TCP connections once.
Syntax
show tcpconnections [[index=]{LocalIPAddress | LocalPort | RemoteIPAddress | RemotePort}] [[rr=]RefreshRate]
Parameters
[ index=]{ LocalIPAddress| LocalPort| RemoteIPAddress| RemotePort}
Specifies the connection about which to display information. The LocalIPAddress parameter specifies an IP address of an interface. The LocalPort parameter specifies a TCP port for a local process. The RemoteIPAddress parameter specifies an IP address of a remote host. The RemotePort parameter specifies a TCP port for a remote process.
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the information).
/?
Displays help at the command prompt.
show tcpstats
Displays TCP statistics. Used without parameters, show tcpstats displays the statistics once.
Syntax
show tcpstats [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show udpconnections
Displays information about the User Datagram Protocol (UDP) ports used for each IP address. Used without parameters, show udpconnections displays UDP port information for all IP addresses once.
Syntax
show udpconnections [[index=]{LocalIPAddress | LocalPort}] [[rr=]RefreshRate]
Parameters
[ index=]{ LocalIPAddress| LocalPort}
Specifies the connection about which to display information. The LocalIPAddress parameter specifies an IP address of an interface. The LocalPort parameter specifies a UDP port for a local process.
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show udpstats
Displays UDP statistics. Used without parameters, show udpstats displays the statistics once.
Syntax
show udpstats [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show winsservers
Displays the WINS configuration for a specified interface. Used without parameters, show winsservers displays the WINS configuration for all interfaces.
Syntax
show winsservers [[name=]InterfaceName]
Parameters
[ name=] InterfaceName
Specifies the name of the interface whose WINS information you want to display. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
Netsh commands for Interface Internet Protocol version 6 (IPv6)
The Netsh commands for Interface IPv6 provide a command-line tool that you can use to query and configure IPv6 interfaces, addresses, caches, and routes.
In addition, the Interface IPv6 context of netsh has a subcontext for 6to4. You can use the commands in the netsh interface IPv6 6to4 context to configure or display the configuration of the 6to4 service on either a 6to4 host or a 6to4 router.
You can run these commands at the command prompt for the netsh interface ipv6 context. For these commands to work at the command prompt, you must type netsh interface ipv6 before typing commands and parameters as they appear in the syntax below. To view help for a command at the command prompt, type CommandName /?, where CommandName is the name of the command.
6to4
Specifies that the 6to4 context of netsh interface IPv6 6to4 is used.
Syntax
6to4
add 6over4tunnel
Creates a 6over4 interface by using the specified IPv4 address.
Syntax
add 6over4tunnel [[interface=]String] [localaddress=]IPv4Address [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[ localaddress=] IPv4Address
Required. Specifies the IPv4 address that is encapsulated.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command creates a 6over4 interface by using the IPv4 address 10.1.1.1 on the interface named "Private."
add 6over4tunnel "Private" 10.1.1.1
add address
Adds an IPv6 address to a specified interface. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
add address [[interface=]String] [address=]IPv6Address [[type=]{unicast | anycast}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[ address=] IPv6Address
Required. Specifies the IPv6 address to add.
[[ type=]{ unicast| anycast}]
Specifies whether a unicast address (unicast) or an anycast address (anycast) is added. The default selection is unicast.
[[ validlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the address is valid. The default value is infinite.
[[ preferredlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the address is preferred. The default value is infinite.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command adds the IPv6 address FE80::2 to the interface named "Private."
add address "Private" FE80::2
add dnsserver
Adds a new DNS server IP address to the statically-configured list of DNS servers for the specified interface.
Syntax
add dnsserver [interface=]String [address=]IPAddress [[index=]Integer]
Parameters
[ interface=] String
Required. Specifies, by name, which interface will have a DNS server IP address added to its list of DNS server IP addresses.
[ address=] IPAddress
Required. Specifies the IPv6 address of the DNS server to add to the list.
[[ index=] Integer]
Specifies the position on the statically-configured list in which to place the DNS server IP address specified in address. By default, the DNS server IP address is added to the end of the list.
Remarks
If an index is specified, the Domain Name System (DNS) server is placed in that position in the list.
Examples
In the first example command, a DNS server with the IPv6 address FEC0:0:0:FFFF::1 is added to the list of DNS server IP addresses for the interface named "Local Area Connection." In the second example, a DNS server with the IPv6 address FEC0:0:0:FFFF::2 is added at index 2 as the second server on the list of servers for the interface named "Local Area Connection."
add dnsserver "Local Area Connection" FEC0:0:0:FFFF::1
add dnsserver "Local Area Connection" FEC0:0:0:FFFF::2 index=2
add neighbors
Specifies an entry in the neighbor cache.
Syntax
add neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]<string> [[subinterface=]<string>] [[store=]active|persistent]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the neighbor.
[neighbor=]<string>
Specifies the link layer address of the neighbor.
[[subinterface=]<string>]
Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• persistent (default): Address will be persistent.
Examples
This example command adds an entry to the neighbor cache on the interface named "Private."
add neighbors "Private" "3f::2" "12-34-56-78-9a-bc"
add potentialrouter
Adds a potential router to a given interface.
Syntax
add potentialrouter [interface=]<string> [[address=]<IPv6 address>]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the potential router.
add prefixpolicy
Adds a source and destination address selection policy for a specified prefix.
Syntax
add prefixpolicy [prefix=]IPv6Address/Integer [precedence=]Integer [label=]Integer [[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix for which to add a policy in the policy table. Integer specifies the prefix length.
[ precedence=] Integer
Required. Specifies the precedence value used for sorting destination addresses in the policy table.
[ label=] Integer
Required. Specifies the label value that allows for policies that require a specific source address prefix for use with a destination address prefix.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command adds a prefix policy for prefix ::/96, with a precedence value of three and a label value of four.
add prefixpolicy ::/96 3 4
add route
Adds a route for a specified prefix. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
add route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix for which to add a route. Integer specifies the prefix length.
[[ interface=] String]
Specifies an interface name or index.
[[ nexthop=] IPv6Address]
Specifies the gateway address, if the prefix is not on-link.
[[ siteprefixlength=] Integer]
Specifies the prefix length for the entire site, if the prefix is not on-link.
[[ metric=] Integer]
Specifies the route metric.
[[ publish=]{ no| yes| immortal}]
Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or not advertised (no) in Route Advertisements. The default selection is no.
[[ validlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is valid. The default value is infinite.
[[ preferredlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is preferred. The default value is infinite.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command adds a route on the interface named "Internet" with a prefix of 3FFE:: and a prefix length of 16 bits (3FFE::/16). The nexthop value is FE80::1.
add route 3FFE::/16 "Internet" FE80::1
add v6v4tunnel
Creates an IPv6-in-IPv4 tunnel.
Syntax
add v6v4tunnel [[interface=]String] [localaddress=]IPv4Address [remoteaddress=]IPv4Address [[neighbordiscovery=]{enabled | disabled}] [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[ localaddress=] IPv4Address
Required. Specifies the IPv4 address of the local tunnel endpoint.
[ remoteaddress=] IPv4Address
Required. Specifies the IPv4 address of the remote tunnel endpoint.
[[ neighbordiscovery=]{ enabled| disabled}]
Specifies whether Neighbor Discovery is enabled (enabled) or disabled (disabled) on the interface. The default selection is disabled.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command creates an IPv6-in-IPv4 tunnel between the local address 10.0.0.1 and the remote address 192.168.1.1 on the interface "Private."
add v6v4tunnel "Private" 10.0.0.1 192.168.1.1
delete address
Deletes an IPv6 address from a specified interface.
Syntax
delete address [[interface=]String] [address=]IPv6Address [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[ address=] IPv6Address
Required. Specifies the IPv6 address to delete.
[[ store=]{ active| persistent}]
Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command deletes the address FE80::2 from the interface named "Private."
delete address "Private" FE80::2
delete destinationcache
Clears the destination cache. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that destination cache entry.
Syntax
delete destinationcache [[interface=]String] [[address=]IPv6Address]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the destination.
Examples
This example command deletes the destination cache for the interface named "Private."
delete destinationcache "Private"
delete dnsserver
Deletes statically configured DNS server IPv6 addresses for a specific interface.
Syntax
delete dnsserver [interface=]String [[address=]{IPv6Address | all}]
Parameters
[ interface=] String
Required. Specifies the interface, by name, for which you want to remove a DNS server from the list of DNS servers.
[[ address=]{ IPv6Address| all}]
Specifies the DNS server IPv6 address to delete. If all is specified, all DNS server IPv6 addresses on the list for the interface are deleted.
Examples
In the first example command, the DNS server IPv6 address FEC0:0:0:FFFF::1 is deleted from the list of addresses for the connection named "Local Area Connection." In the second example command, all DNS server IPv6 addresses are deleted for the connection named "Local Area Connection."
delete dnsserver "Local Area Connection" FEC0:0:0:FFFF::1
delete dnsserver "Local Area Connection" all
delete interface
Deletes a specified interface from the IPv6 stack.
Syntax
delete interface [[interface=]String] [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ store=]{ active| persistent}]
Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command deletes the interface named "Private."
delete interface "Private"
delete neighbors
Specifies that all entries in the neighbor cache are deleted. If an interface is specified, clears the cache only on that interface. If an address is also specified, deletes only that neighbor cache entry.
Syntax
delete neighbors [[interface=]String] [[address=]IPv6Address]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the neighbor.
Examples
This example command removes all entries from the neighbor cache on the interface named "Private."
delete neighbors "Private"
delete potentialrouter
Deletes a potential router from a given interface.
Syntax
delete potentialrouter [interface=]<string> [[address=]<IPv6 address>]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the potential router.
delete prefixpolicy
Deletes the source and destination address selection policy for a specified prefix.
Syntax
delete prefixpolicy [prefix=]IPv6Address/Integer [[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix (IPv6Address) and prefix length (Integer) to delete from the policy table.
[[ store=]{ active| persistent}]
Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command deletes the prefix ::/96 from the policy table.
delete prefixpolicy ::/96
delete route
Deletes an IPv6 route.
Syntax
delete route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address] [[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix of the route to delete.
[[ interface=] String]
Specifies an interface name or index.
[[ nexthop=] IPv6Address]
Specifies the gateway address, if the prefix is not on-link.
[[ store=]{ active| persistent}]
Specifies whether the deletion lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command deletes the route with the prefix 3FFE::/16 and the gateway FE80::1 from the interface named "Internet."
delete route 3FFE::/16 "Internet" FE80::1
dump
Dumps the network adapter IPv6 configuration to the command prompt window when run within the netsh context. When used in a batch file or script, output can be saved in a text file.
Syntax
netsh interface ipv6 dump > [PathAndFileName]
Parameters
[ PathAndFileName]
Specifies both the location where the file is saved and the name of the destination file to which the configuration is saved.
Examples
In the first example, the command is run manually at the netsh interface ipv6 context of a command prompt. The IPv6 configuration is displayed in the command prompt window, and can be copied and pasted into a text file. In the second example, the dump command is run in a batch file, and the configuration is saved to a text file named Ipv6_conf.txt at the location C:\Temp.
dump
netsh interface ipv6 dump > C:\temp\ipv6_conf.txt
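A saved dump is also a baseline: re-running dump later and diffing the two scripts shows what changed in the IPv6 configuration. The following is an added example, not part of the netsh reference; it parses two constructed dumps (written in the name=value form this reference uses, since the exact lines a given Windows version emits may differ), reports records that appeared or disappeared, and singles out added routes, DNS servers, neighbor entries and prefix policies for review, because those redirect traffic or name resolution.

```python
"""Added example: detect drift between two `netsh interface ipv6 dump` outputs.
Both dumps below are constructed for this example; real output may differ in detail."""
import shlex

# Commands whose appearance in a diff deserves a closer look.
REVIEW_COMMANDS = {
    "add route", "set route", "add dnsserver", "set dnsserver",
    "add neighbors", "set neighbors", "add prefixpolicy", "set prefixpolicy",
}

# netsh script lines that carry no configuration record.
SKIP_VERBS = {"pushd", "popd", "reset"}

# Constructed baseline: what the host looked like when it was last reviewed.
BASELINE_DUMP = """\
# ----------------------------------
# IPv6 Configuration
# ----------------------------------
pushd interface ipv6

reset
set global defaultcurhoplimit=64 neighborcachelimit=256 routecachelimit=4096
add dnsserver interface="Local Area Connection" address=fec0:0:0:ffff::1 index=1
add route prefix=3ffe::/16 interface="Internet" nexthop=fe80::1 publish=no
add prefixpolicy prefix=::/96 precedence=3 label=4
popd

# End of IPv6 configuration
"""

# Constructed current dump: hop limit raised, a second DNS server and a default route added.
CURRENT_DUMP = """\
# ----------------------------------
# IPv6 Configuration
# ----------------------------------
pushd interface ipv6

reset
set global defaultcurhoplimit=255 neighborcachelimit=256 routecachelimit=4096
add dnsserver interface="Local Area Connection" address=fec0:0:0:ffff::1 index=1
add dnsserver interface="Local Area Connection" address=2001:db8::53 index=2
add route prefix=3ffe::/16 interface="Internet" nexthop=fe80::1 publish=no
add route prefix=::/0 interface="Internet" nexthop=fe80::beef publish=no
add prefixpolicy prefix=::/96 precedence=3 label=4
popd

# End of IPv6 configuration
"""


def parse_dump(text):
    """Turn dump text into a set of hashable records: (command, frozenset of (param, value))."""
    records = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # keeps "Local Area Connection" as one token
        if tokens[0] in SKIP_VERBS:
            continue
        command = " ".join(tokens[:2])      # verb + noun, e.g. "add route"
        params = []
        for pos, tok in enumerate(tokens[2:]):
            if "=" in tok:
                key, value = tok.split("=", 1)
            else:                           # positional form, as in: add route 3FFE::/16 "Internet"
                key, value = f"arg{pos}", tok
            params.append((key.lower(), value))
        records.add((command, frozenset(params)))
    return records


def diff_dumps(baseline_text, current_text):
    """Records only in the current dump ('added') and only in the baseline ('removed').
    A changed record (e.g. a new hop limit) shows up as one removed plus one added."""
    baseline, current = parse_dump(baseline_text), parse_dump(current_text)
    return {"added": current - baseline, "removed": baseline - current}


def format_record(record):
    command, params = record
    return command + " " + " ".join(f"{k}={v}" for k, v in sorted(params))


def records_to_review(diff):
    """Added records whose command is on the review list, in a stable order."""
    flagged = [r for r in diff["added"] if r[0] in REVIEW_COMMANDS]
    return sorted(flagged, key=format_record)


if __name__ == "__main__":
    result = diff_dumps(BASELINE_DUMP, CURRENT_DUMP)
    for label in ("removed", "added"):
        for rec in sorted(result[label], key=format_record):
            print(f"{label:>7}: {format_record(rec)}")
    for rec in records_to_review(result):
        print(f" REVIEW: {format_record(rec)}")
```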
isatap
Specifies that the isatap context of netsh interface IPv6 isatap is used.
Syntax
isatap
reset
Resets the IPv6 configuration state.
Syntax
reset
set address
Modifies an IPv6 address on a specified interface. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
set address [[interface=]String] [address=]IPv6Address [[type=]{unicast | anycast}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index. [ address=] IPv6Address
Required. Specifies the IPv6 address to modify. [[ type=]{ unicast| anycast}]
Specifies whether the address is marked as a unicast address (unicast) or as an anycast address (anycast). The default selection is unicast.
[[ validlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the address is valid. The default value is infinite. [[ preferredlifetime=]{ Integer| infinite}] Specifies the lifetime over which the address is preferred. The default value is infinite. [[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets the address FE80::2 on the interface named "Private" as an anycast address.
set address "Private" FE80::2 anycast
set compartment
Modifies compartment configuration parameters.
Syntax
set compartment [compartment=]<integer> [defaultcurhoplimit=]<integer> [[store=]active|persistent]
Parameters
[compartment=]<integer>
Specifies the identifier of the compartment to modify.
[defaultcurhoplimit=]<integer>
Specifies the default hop limit of packets sent from the compartment.
[[store=]active|persistent]
One of the following values:
• active: Change will disappear on next boot.
• persistent (default): Change will be persistent.
Example
set compartment compartment=1 defaultcurhoplimit=255 store=active
set dnsserver
Configures a DNS server address for a specified interface.
Syntax
set dnsserver [name=]InterfaceName [source=]{dhcp | static } [addr=]{IP Address | none} [register=]{none | primary | both}
Parameters
[ name=] InterfaceName
Required. Specifies the name of the interface for which you want to set DNS information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
[ source=]{ dhcp| static }
Required. Specifies whether the IP address of the DNS server is configured by DHCP or is static. [ addr=]{ IP Address| none }
If the IP address is static, IP Address specifies the IP address of the DNS server to configure, and none specifies that the DNS configuration should be removed. [ register=]{ none| primary| both }
none disables dynamic update. primary registers the computer name under the primary DNS suffix only. both registers the computer name under both the primary DNS suffix and the connection-specific suffix.
/?
Displays help at the command prompt.
Examples
set dnsserver name="Local Area Connection" source=dhcp
set dnsserver "Local Area Connection" static fec0:0:0:ffff::1 primary
set dynamicportrange
Modifies the range of ports used for dynamic port assignment. Dynamic port assignment is also known as wildcard port assignment.
Syntax
set dynamicportrange [[protocol=]tcp|udp] [startport=]<integer> [numberofports=]<integer> [[store=]active|persistent]
Parameters
[[protocol=]tcp|udp]
One of the following values:
• tcp: Set the dynamic port range for TCP.
• udp: Set the dynamic port range for UDP.
[startport=]<integer>
Specifies the starting port for dynamic port assignment.
[numberofports=]<integer>
Specifies the number of ports available for dynamic port assignment.
[[store=]active|persistent]
One of the following values:
• active: Change will disappear on next boot.
• persistent (default): Change will be persistent.
Example
set dynamicportrange protocol=tcp startport=10000 numberofports=20000
set global
Modifies global configuration parameters.
Syntax
set global [[defaultcurhoplimit=]Integer] [neighborcachelimit=]Integer [[routecachelimit=]Integer] [[reassemblylimit=]Integer] [[store=]{active | persistent}]
Parameters
[[ defaultcurhoplimit=] Integer]
Specifies the default hop limit of packets sent.
[ neighborcachelimit=] Integer
Required. Specifies the maximum number of neighbor cache entries.
[[ routecachelimit=] Integer]
Specifies the maximum number of route cache entries.
[[ reassemblylimit=] Integer]
Specifies the maximum size of the reassembly buffer.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets global parameters for all IPv6-enabled interfaces on the computer. The default hop limit is set to 32, the maximum number of neighbor cache entries is set to 100, and the maximum number of route cache entries is 100,000.
set global 32 100 100000
set interface
Modifies interface configuration parameters.
Syntax
set interface [[interface=]String] [[forwarding=]{enabled | disabled}] [[advertise=]{enabled | disabled}] [[mtu=]Integer] [[siteid=]Integer] [[metric=]Integer] [[firewall=]{enabled | disabled}] [[siteprefixlength=]Integer] [[store=]{active | persistent}]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ forwarding=]{ enabled| disabled}]
Specifies whether packets arriving on this interface can be forwarded to other interfaces. The default selection is disabled.
[[ advertise=]{ enabled| disabled}]
Specifies whether Router Advertisements are sent on this interface. The default selection is disabled.
[[ mtu=] Integer]
Specifies the Maximum Transfer Unit (MTU) of this interface. The default MTU is the natural MTU of the link.
[[ siteid=] Integer]
Specifies the site scope zone identifier.
[[ metric=] Integer]
Specifies the interface metric, which is added to route metrics for all routes over the interface.
[[ firewall=]{ enabled| disabled}]
The Firewall can no longer be configured from Netsh. The value specified is ignored.
[[ siteprefixlength=] Integer]
Specifies the default length of the global prefix for the entire site.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets the interface with the name "Private," with a siteid of two and a metric of two. All other parameter values are left at the default values.
set interface "Private" siteid=2 metric=2
set neighbors
Sets an entry in the neighbor cache.
Syntax
set neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]<string> [[subinterface=]<string>] [[store=]active|persistent]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the neighbor.
[neighbor=]<string>
Specifies the link layer address of the neighbor.
[[subinterface=]<string>]
Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• persistent (default): Address will be persistent.
Examples
This example command sets an entry to the neighbor cache on the interface named "Private."
set neighbors "Private" "fec0::2" "12-34-56-78-9a-bc"
set prefixpolicy
Modifies a source and destination address selection policy for a specified prefix.
Syntax
set prefixpolicy [prefix=]IPv6Address/Integer [precedence=]Integer [label=]Integer [[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix for which to add a policy in the policy table. Integer specifies the prefix length.
[ precedence=] Integer
Required. Specifies the precedence value used for sorting destination addresses in the policy table.
[ label=] Integer
Required. Specifies the label value that allows for policies that require a specific source address prefix for use with a destination address prefix.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
Examples
This example command sets a policy in the policy table for the prefix ::/96, with a precedence value of three and a label value of four.
set prefixpolicy ::/96 3 4
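What precedence and label actually do to address selection is easier to see in a model of the policy table that add prefixpolicy, set prefixpolicy and delete prefixpolicy edit. The following is an added example, not part of the netsh reference or of Windows: it starts from the RFC 6724 default policy table (an assumption about the host's initial state), implements longest-prefix lookup, and applies RFC 6724 rule 5 (prefer a matching label) and rule 6 (prefer higher precedence) to order destinations and pick a source, then shows the effect of the ::/96 3 4 example above.

```python
"""Added example: model of the IPv6 prefix policy table and of how precedence and label
steer address selection (RFC 6724 rules 5 and 6). The default table is an assumption."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyEntry:
    prefix: ipaddress.IPv6Network
    precedence: int     # sorts destination addresses: higher is tried first
    label: int          # source/destination pairs with equal labels are preferred


def _net(text):
    return ipaddress.IPv6Network(text, strict=False)


# RFC 6724 default policy table (assumed initial state of the stack).
DEFAULT_POLICY = [
    PolicyEntry(_net("::1/128"), 50, 0),
    PolicyEntry(_net("::/0"), 40, 1),
    PolicyEntry(_net("::ffff:0:0/96"), 35, 4),
    PolicyEntry(_net("2002::/16"), 30, 2),
    PolicyEntry(_net("2001::/32"), 5, 5),
    PolicyEntry(_net("fc00::/7"), 3, 13),
    PolicyEntry(_net("::/96"), 1, 3),
    PolicyEntry(_net("fec0::/10"), 1, 11),
    PolicyEntry(_net("3ffe::/16"), 1, 12),
]


class PrefixPolicyTable:
    def __init__(self, entries=DEFAULT_POLICY):
        self._entries = {e.prefix: e for e in entries}

    def add(self, prefix, precedence, label):
        """add prefixpolicy / set prefixpolicy: prefix=IPv6Address/Integer precedence=Integer label=Integer."""
        net = _net(prefix)
        self._entries[net] = PolicyEntry(net, int(precedence), int(label))

    def delete(self, prefix):
        """delete prefixpolicy: raises KeyError if the prefix is not in the table."""
        del self._entries[_net(prefix)]

    def lookup(self, address):
        """Longest-prefix match; the ::/0 entry of the default table guarantees a hit."""
        addr = ipaddress.IPv6Address(address)
        matches = [e for e in self._entries.values() if addr in e.prefix]
        return max(matches, key=lambda e: e.prefix.prefixlen)

    def sort_destinations(self, destinations, source):
        """Rule 5 then rule 6: destinations whose label equals the source's label first,
        then higher precedence first; ties keep their input order."""
        src_label = self.lookup(source).label

        def key(dst):
            entry = self.lookup(dst)
            return (entry.label != src_label, -entry.precedence)

        return sorted(destinations, key=key)

    def choose_source(self, sources, destination):
        """Rule 5 from the source side: the first candidate whose label matches the
        destination's label, else the first candidate."""
        dst_label = self.lookup(destination).label
        for src in sources:
            if self.lookup(src).label == dst_label:
                return src
        return sources[0]


if __name__ == "__main__":
    table = PrefixPolicyTable()
    print("before:", table.lookup("::192.0.2.1"))   # default: precedence 1, label 3
    table.add("::/96", 3, 4)                         # the reference's example: ::/96 3 4
    print("after: ", table.lookup("::192.0.2.1"))   # now precedence 3, label 4
```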
set privacy
Modifies parameters related to temporary address generation. If randomtime= is specified, maxrandomtime= is not used. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
set privacy [[state=]{enabled | disabled}] [[maxdadattempts=]Integer] [[maxvalidlifetime=]Integer] [[maxpreferredlifetime=]Integer] [[regeneratetime=]Integer] [[maxrandomtime=]Integer] [[randomtime=]Integer] [[store=]{active | persistent}]
Parameters
[[ state=]{ enabled| disabled}]
Specifies whether temporary addresses are enabled.
[[ maxdadattempts=] Integer]
Specifies the number of duplicate address detection attempts made. The default value is five.
[[ maxvalidlifetime=] Integer]
Specifies the maximum lifetime over which a temporary address is valid. The default value is 7d (seven days).
[[ maxpreferredlifetime=] Integer]
Specifies the maximum lifetime over which a temporary address is preferred. The default value is 1d (one day).
[[ regeneratetime=] Integer]
Specifies the duration of time that elapses when a new address is generated prior to deprecating a temporary address. The default value is 5s (five seconds).
[[ maxrandomtime=] Integer]
Specifies the upper limit to use when computing a random delay at boot. The default value is 10m (10 minutes).
[[ randomtime=] Integer]
Specifies a time value to use, instead of a value generated at boot.
[[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent). The default selection is persistent.
set route
Modifies route parameters. Time values can be expressed in days (d), hours (h), minutes (m), and seconds (s). For example, 2d represents two days.
Syntax
set route [prefix=]IPv6Address/Integer [[interface=]String] [[nexthop=]IPv6Address] [[siteprefixlength=]Integer] [[metric=]Integer] [[publish=]{no | yes | immortal}] [[validlifetime=]{Integer | infinite}] [[preferredlifetime=]{Integer | infinite}] [[store=]{active | persistent}]
Parameters
[ prefix=] IPv6Address/Integer
Required. Specifies the prefix (IPv6Address) and prefix length (Integer) of the route to modify.
[[ interface=] String]
Specifies an interface name or index.
[[ nexthop=] IPv6Address]
Specifies the gateway address, if the prefix is not on-link.
[[ siteprefixlength=] Integer]
Specifies the prefix length for the entire site, if the prefix is not on-link.
[[ metric=] Integer]
Specifies the route metric.
[[ publish=]{ no| yes| immortal}]
Specifies whether routes are advertised (yes), advertised with an infinite lifetime (immortal), or not advertised (no) in Route Advertisements. The default selection is no.
[[ validlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is valid. The default value is infinite.
Network Netsh Communication Networking 83
[[ preferredlifetime=]{ Integer| infinite}]
Specifies the lifetime over which the route is preferred. The default value is infinite. [[ store=]{ active| persistent}]
Specifies whether the change lasts only until the next boot (active) or is persistent (persistent).
The default selection is persistent.
Examples
This example command sets a route on the interface named "Internet." The route prefix is 3FFE::, and has a length of 16 bits. The gateway address, defined by the nexthop= parameter, is FE80::1.
set route 3FFE::/16 "Internet" FE80::1
set state
Enables or disables IPv4 compatibility. The default value for all parameters is disabled.
Syntax
set state [[6over4=]{enabled | disabled | default}] [[v4compat=]{enabled | disabled | default}]
Parameters
[[6over4=]{enabled | disabled | default}]
Specifies whether 6over4 interfaces are created. To both disable and delete 6over4 compatible interfaces, specify default. To disable 6over4 compatible interfaces without deleting them, specify disabled.
[[v4compat=]{enabled | disabled | default}]
Specifies whether IPv4 compatible interfaces are created. To both disable and delete IPv4 compatible interfaces, specify default. To disable IPv4 compatible interfaces without deleting them, specify disabled.
Examples
In the first example command, IPv4-compatible addresses are disabled, and any previously existing interfaces are deleted. In the second example command, IPv4-compatible addresses are enabled.
set state default
set state 6over4=disabled v4compat=enabled
set subinterface
Modifies subinterface configuration parameters.
Syntax
set subinterface [interface=]<string> [[mtu=]<integer>] [[subinterface=]<string>] [[store=]active|persistent]
Parameters
[interface=]<string>
Specifies an interface name or index.
[[mtu=]<integer>]
Specifies the MTU of this subinterface. The default is the natural MTU of the link.
[[subinterface=]<string>]
Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.
[[store=]active|persistent]
Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.
Example
set subinterface "1" mtu=1500 store=active
set teredo
Sets the Teredo state. A 'default' argument to a parameter sets it to the system default.
Syntax
set teredo [[type=]disabled|client|enterpriseclient|default] [[servername=]<hostname>|<IPv4 address>|default] [[refreshinterval=]<integer>|default] [[clientport=]<integer>|default] [[supernode=]<hostname>|<IPv4 address>|default]
Parameters
[[type=]disabled|client|enterpriseclient|default]
One of the following values:
• disabled: Disables the Teredo service.
• client: Enables the Teredo client.
• enterpriseclient: Skips managed network detection.
[[servername=]<hostname>|<IPv4 address>|default]
Specifies the name or IPv4 address of the Teredo server.
[[refreshinterval=]<integer>|default]
Specifies the client refresh interval (in seconds).
[[clientport=]<integer>|default]
Specifies the client's UDP port (otherwise chosen by the system).
[[supernode=]<hostname>|<IPv4 address>|default]
Specifies the super-node to use when behind a firewall.
Examples
set teredo disabled
set teredo client teredo.ipv6.microsoft.com 60 34567
show address
Displays all IPv6 addresses, or all addresses on a specified interface.
Syntax
show address [[interface=]String] [[level=]{normal | verbose}] [[store=]{active | persistent}]
Parameters
[[interface=]String]
Specifies an interface name or index.
[[level=]{normal | verbose}]
Specifies whether one line per interface is displayed (normal) or additional information is displayed for each interface (verbose). When no interface is specified, the default selection is normal. When an interface is specified, the default selection is verbose.
[[store=]{active | persistent}]
Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.
show compartments
Displays information about all compartments, or about a given compartment if one is specified.
Syntax
show compartments [compartment=]<integer> [[level=]normal|verbose] [store=]active|persistent
Parameters
[compartment=]<integer>
Specifies an interface name or index.
[[level=]normal|verbose]
One of the following values:
• normal: Display one line per compartment (default when no compartment is specified).
• verbose: Display extra information about each compartment (default when a compartment is specified).
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• persistent (default): Address will be persistent.
Example
show compartments
show destinationcache
Displays destination cache entries. If an interface is specified, displays the cache only on that interface. If an address is also specified, displays only that destination cache entry.
Syntax
show destinationcache [[interface=]String] [[address=]IPv6Address]
Parameters
[[ interface=] String]
Specifies an interface name or index.
[[ address=] IPv6Address]
Specifies the address of the destination.
show dnsservers
Displays the DNS server configuration for a specific interface or interfaces.
Syntax
show dnsservers [[interface=]String]
Parameters
[[ interface=] String]
Specifies the interface, by name, for which you want to display configured DNS server IPv6 addresses. If no interface is specified, servers for all interfaces are displayed.
Examples
In this example command, DNS server IPv6 addresses configured on the "Local Area Connection" interface are displayed.
show dnsservers "Local Area Connection"
show dynamicportrange
Displays dynamic port range configuration parameters.
Syntax
show dynamicportrange [[protocol=]tcp|udp] [[store=]active|persistent]
Parameters
[[protocol=]tcp|udp]
One of the following values:
• tcp: Show the dynamic port range for TCP.
• udp: Show the dynamic port range for UDP.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• persistent (default): Address will be persistent.
Example
show dynamicportrange
show global
Displays global configuration parameters.
Syntax
show global [[store=]{active | persistent}]
Parameters
[[ store=]{ active| persistent}]
Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.
show interfaces
Displays information about all interfaces, or about a specified interface.
Syntax
show interfaces [[interfaces=]String] [[level=]{normal | verbose}] [[store=]{active | persistent}]
Parameters
[[interfaces=]String]
Specifies an interface name or index.
[[level=]{normal | verbose}]
Specifies whether one line per interface is displayed (normal) or additional information is displayed for each interface (verbose). When no interface is specified, the default selection is normal. When an interface is specified, the default selection is verbose.
[[store=]{active | persistent}]
Specifies whether active (active) or persistent (persistent) interfaces are displayed. The default selection is active.
show ipstats
Displays IP statistics. Used without parameters, show ipstats displays the statistics once.
Syntax
show ipstats [[rr=]RefreshRate]
Parameters
[rr=]RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
show joins
Displays all IPv6 multicast addresses, or all multicast addresses on a specified interface.
Syntax
show joins [[interface=]String] [[level=]{normal | verbose}]
Parameters
[[interface=]String]
Specifies an interface name or index.
[[level=]{normal | verbose}]
Specifies whether one line per interface is displayed (normal) or additional information is displayed for each interface (verbose). When no interface is specified, the default selection is normal. When an interface is specified, the default selection is verbose.
show neighbors
Displays neighbor cache entries. If an interface is specified, the command displays the cache only on that interface. If a subinterface is also specified, the command shows only the cache for that subinterface. If an address is specified as well, the command displays only that specific neighbor cache entry.
Syntax
show neighbors [[interface=]String] [[address=]IPv6Address] [neighbor=]<string> [[subinterface=]<string>][[store=]active|persistent] [[level=]normal|verbose]
Parameters
[[interface=]String]
Specifies an interface name or index.
[[address=]IPv6Address]
Specifies the address of the neighbor.
[[subinterface=]<string>]
Specifies the LUID of the subinterface. This is only needed on interfaces with multiple subinterfaces.
[[store=]active|persistent]
One of the following values:
• active: Address will disappear on next boot.
• persistent (default): Address will be persistent.
[[level=]normal|verbose]
One of the following values:
• normal: Display one line per subinterface (default when no subinterface is specified).
• verbose: Display extra information on each subinterface (default when a subinterface is specified).
Example
show neighbors
show offload
Displays the tasks that can be performed by the network adapter for the specified interface corresponding to installed network hardware. Used without parameters, show offload displays offload information for all interfaces corresponding to installed network hardware.
Syntax
show offload [[name=]InterfaceName ]
Parameters
[name=]InterfaceName
Specifies the name of the interface for which you want to display offload information. The InterfaceName parameter must match the name of the interface as specified in Network Connections. If InterfaceName contains spaces, use quotation marks around the text (for example, "Interface Name").
/?
Displays help at the command prompt.
show potentialrouters
Displays all potential routers, or all potential routers on a given interface if one is specified.
Syntax
show potentialrouters [interface=]<string> [[level=]normal|verbose]
Parameters
[[interface=]String]
Specifies an interface name or index.
[[level=]normal|verbose]
One of the following values:
• normal: Display one line per subinterface (default when no subinterface is specified).
• verbose: Display extra information on each subinterface (default when a subinterface is specified).
show prefixpolicies
Displays prefix policy table entries used in source and destination address selection.
Syntax
show prefixpolicies [[store=]{active | persistent}]
Parameters
[[ store=]{ active| persistent}]
Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.
show privacy
Displays privacy configuration parameters.
Syntax
show privacy [[store=]{active | persistent}]
Parameters
[[ store=]{ active| persistent}]
Specifies whether active (active) or persistent (persistent) information is displayed. The default selection is active.
show route
Displays route table entries.
Syntax
show route [[level=]{normal | verbose}] [[store=]{active | persistent}]
Parameters
[[ level=]{ normal| verbose}]
Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.
[[ store=]{ active| persistent}]
Specifies whether active (active) or persistent (persistent) routes are displayed. The default selection is active.
show siteprefixes
Displays the site prefix table.
Syntax
show siteprefixes
show subinterfaces
Displays information about all subinterfaces, or about all subinterfaces on a given interface if one is specified.
Syntax
show subinterfaces [interface=]<string> [[ level=]normal| verbose] [[subinterface=]<string>] [[store=]active|persistent]
Parameters
[interface=]<string>
Specifies an interface name or index.
[[level=]normal|verbose]
Specifies whether only normal routes (normal) or routes used for loopback (verbose) are displayed. The default selection is normal.
[[subinterface=]<string>]
Specifies the subinterface LUID. This is only required on interfaces with multiple subinterfaces.
[[store=]active|persistent]
Specifies whether active (active) or persistent (persistent) addresses are displayed. The default selection is active.
Example
show subinterfaces
show tcpstats
Displays TCP statistics. Used without parameters, show tcpstats displays the statistics once.
Syntax
show tcpstats [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
show teredo
Shows the Teredo state.
Syntax
show teredo
Examples
show teredo
show udpstats
Displays UDP statistics. Used without parameters, show udpstats displays the statistics once.
Syntax
show udpstats [[rr=]RefreshRate]
Parameters
[ rr=] RefreshRate
Specifies the refresh rate (the number of seconds between refreshing the display of the statistics).
/?
Displays help at the command prompt.
Netsh interface IPv6 6to4
You can use the following commands in the netsh interface IPv6 6to4 context to display the configuration of or configure the 6to4 service on either a 6to4 host or a 6to4 router.
set interface
Configures the 6to4 service on an interface.
Syntax
set interface [name=] InterfaceName [[routing=] {enabled | disabled | default}]
Parameters
[name=]InterfaceName
Required. Specifies the name of the interface for which you want to set 6to4 service configuration. InterfaceName must match the name of the interface specified in Network Connections. If InterfaceName contains any spaces, it must be enclosed in quotes.
[[routing=]{enabled | disabled | default}]
Specifies whether the forwarding of 6to4 packets received on the interface is enabled, disabled, or set to its default value.
show interface
Displays the 6to4 service routing configuration on all interfaces, or on a specified interface.
Syntax
show interface [[name=] InterfaceName]
Parameters
[[ name=] InterfaceName]
Specifies the name of the interface for which you want to display the 6to4 service configuration. InterfaceName must match the name of the interface specified in Network Connections. If InterfaceName contains any spaces, it must be enclosed in quotes.
set relay
Configures the name of the 6to4 relay router for the 6to4 service. Additionally, specifies how often the name is resolved and the state of the relay component for the 6to4 service.
Syntax
set relay [[name=] {RelayDNSName | default}] [[state=] {enabled | disabled | automatic | default}] [[interval=] {ResInterval | default}]
Parameters
[[name=]{RelayDNSName | default}]
Specifies either the fully qualified domain name (FQDN) of a 6to4 relay router on the IPv4 Internet (RelayDNSName), or sets the relay name to its default value of 6to4.ipv6.microsoft.com (default).
[[state=]{enabled | disabled | automatic | default}]
Specifies whether the state of the relay component for the 6to4 service is enabled, disabled, automatically enabled if a public IPv4 address is configured, or set to its default value.
[[interval=]{ResInterval | default}]
Specifies how often the name of the relay router is resolved in minutes (ResInterval) or sets the resolution interval to its default value of 1440 minutes (default).
show relay
Displays the relay router configuration for the 6to4 service.
Syntax
show relay
set routing
Sets both the state of routing and the inclusion of site-local address prefixes in Router Advertisements that are sent by the 6to4 router.
Syntax
set routing [[routing=] {enabled | disabled | automatic | default}] [[sitelocals=] {enabled | disabled | default}]
Parameters
[[routing=]{enabled | disabled | automatic | default}]
Specifies whether the state of routing on a 6to4 router is enabled, disabled, automatically enabled if Internet Connection Sharing (ICS) is enabled, or set to its default value.
[[sitelocals=]{enabled | disabled | default}]
Specifies whether the advertising of site-local address prefixes, in addition to 6to4 address prefixes, is enabled, disabled, or set to its default value.
show routing
Displays the routing configuration of the 6to4 service.
Syntax
show routing
set state
Configures the state of the 6to4 service.
Syntax
set state [[state=] {enabled | disabled | default}] [[undoonstop=] {enabled | disabled | default}] [[6over4=] {enabled | disabled | default}]
Parameters
[[ state=] { enabled| disabled| default}]
Specifies whether the state of the 6to4 service is enabled, disabled, or set to its default value.
[[ undoonstop=] { enabled| disabled| default}]
Specifies whether the reversal of all automatic configuration that has been performed by the 6to4 service occurs when the service stops is enabled, disabled, or set to its default value.
show state
Displays the state of the 6to4 service.
Syntax
show state
Netsh interface ipv6 isatap
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and tunneling mechanism for communication between IPv6/IPv4 nodes within an IPv4 site. It is described in the Internet draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)" (draft-ietf-ngtrans-isatap-00.txt). You can use the following commands to configure the ISATAP router.
set router
Specifies the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router information, including router name, state, and resolution interval.
Syntax
set router [[name=]{String | default}] [[state=]{Enabled | Disabled | Default}] [[interval=]Integer]
Parameters
[[name=]{String | default}]
Specifies whether the router is named with a string. If default is specified, the system reverts to using the default name.
[[state=]{Enabled | Disabled | Default}]
Specifies whether the ISATAP router relays packets between subnets.
[[interval=]Integer]
Specifies the router resolution interval, in minutes. The default interval is 1440 (24 hours).
Examples
The following example command sets the router name to isatap, enables the router, and sets the resolution interval to 120 minutes:
set router isatap enabled 120
set state
Enables or disables IPv4 compatibility. The default value for all parameters is disabled.
Syntax
set state [[state=]{enabled | disabled | default}]
Parameters
[[state=]{enabled| disabled| default}]
Specifies whether isatap interfaces are created. To both disable and delete isatap compatible interfaces, specify default. To disable isatap compatible interfaces without deleting them, specify disabled.
Examples
In this example command, IPv6-compatible addresses are disabled, and any previously existing interfaces are deleted.
set state default
show router
Displays configuration information for the ISATAP router.
Syntax
show router
show state
Displays the ISATAP state.
Syntax
show state
Netsh commands for Interface ISATAP
The following entries provide details for each command.
set router
Sets Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router information.
Syntax
set router [ [ name= ] (Name | default )] [ [ state= ] ( enabled | disabled | default ) ] [[interval=] Interval ]
Parameters
name
Optional. Specifies the name of the ISATAP router.
state
Optional. Specifies the state of router name resolution.
interval
Optional. Specifies an integer that is the resolution interval (in minutes).
Examples
Following is an example of the set router command.
set router isatap enabled 1440
set state
Sets the ISATAP state.
Syntax
set state [ state= ] ( enabled | disabled | default)
Parameters
state
Optional. Specifies whether ISATAP is enabled.
show router
Shows the ISATAP router information.
Syntax
show router
show state
Shows the ISATAP state.
Syntax
show state
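The Teredo, 6to4 and ISATAP contexts documented above each carry a set state (or set teredo) command and a matching show command. The following PowerShell script is an added example, not part of the netsh reference: it turns all three transition technologies off with those commands and reads the state back, which is the usual hardening step on a host whose IPv4-only firewall policy should not be bypassed by encapsulated IPv6. The context paths are taken from the section headings on this page (netsh interface ipv6, netsh interface ipv6 6to4, netsh interface ipv6 isatap); on Windows versions where these contexts sit directly under netsh interface the paths are an assumption to adjust. The function names are the example's own.

```powershell
# Added example, not part of the netsh reference: disable the Teredo, 6to4 and
# ISATAP tunnels with the set commands documented on this page, then verify with
# the corresponding show commands. Context paths follow this page's headings;
# adjust them if netsh reports an unknown command on your Windows version.
# The set commands require an elevated prompt; the show commands do not.

function Invoke-Netsh {
    # Runs one netsh command line and returns output and exit code together,
    # so a failed set (for example, not elevated) is visible to the caller.
    param([Parameter(Mandatory)][string]$CommandLine)
    $output = & netsh.exe ($CommandLine -split ' ') 2>&1
    [pscustomobject]@{
        Command  = "netsh $CommandLine"
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}

function Disable-Ipv6Tunnels {
    # Supports -WhatIf so the change list can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $changes = @(
        'interface ipv6 set teredo disabled',          # set teredo, type=disabled
        'interface ipv6 6to4 set state state=disabled', # 6to4 set state
        'interface ipv6 isatap set state state=disabled' # isatap set state
    )
    foreach ($c in $changes) {
        if ($PSCmdlet.ShouldProcess("netsh $c")) {
            $r = Invoke-Netsh $c
            if ($r.ExitCode -ne 0) { Write-Warning "$($r.Command) failed: $($r.Output)" }
        }
    }
}

function Get-Ipv6TunnelState {
    # Read-only: the show commands from the same three contexts.
    foreach ($c in 'interface ipv6 show teredo',
                   'interface ipv6 6to4 show state',
                   'interface ipv6 isatap show state') {
        Invoke-Netsh $c
    }
}

Disable-Ipv6Tunnels -WhatIf                     # dry run: lists what would be executed
Disable-Ipv6Tunnels                             # apply the three set commands
Get-Ipv6TunnelState | Format-List Command, Output
```

Because the set commands in these contexts take no store= parameter, the change is written to the persistent configuration; rerunning Get-Ipv6TunnelState after a reboot confirms that it survived.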
Netsh commands for Interface Portproxy
The Netsh Interface Portproxy commands provide a command-line tool for use in administering servers that act as proxies between IPv4 and IPv6 networks and applications. You can use these commands to establish proxy service in the following ways:
• IPv4-configured computer and application messages sent to other IPv4-configured computers and applications.
• IPv4-configured computer and application messages sent to IPv6-configured computers and applications.
• IPv6-configured computer and application messages sent to IPv4-configured computers and applications.
• IPv6-configured computer and application messages sent to other IPv6-configured computers and applications.
When writing batch files or scripts using these commands, each command must be preceded by netsh interface portproxy. For example, when using the delete v4tov6 command to specify that the portproxy server delete an IPv4 port and address from the list of IPv4 addresses for which the server listens, the batch file or script must use the following syntax:
netsh interface portproxy delete v4tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
You can run these commands at the command prompt in a Windows Server 2008 operating system or at the command prompt for the netsh interface portproxy context. For these commands to work at the command prompt in Windows Server 2008, you must type netsh interface portproxy before typing commands and parameters as they appear in the syntax below.
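Because every portproxy mapping is a listener that forwards connections to another address, an administrator normally wants to know which mappings exist and where they send traffic. The following PowerShell script is an added example and not part of the netsh reference: it parses the table printed by netsh interface portproxy show all, flags mappings whose connect address is not the local computer, and prints the matching delete command from this section for review. The sample output embedded in the script is constructed to mirror the command's table layout; the function names are the example's own.

```powershell
# Added example, not part of the netsh reference: audit the portproxy tables.
# Parses "netsh interface portproxy show all" output into objects and reports
# mappings that forward to a non-local host. The text below is a constructed
# sample in the command's table layout so the parser can be exercised offline.

$SampleShowAll = @'
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8080        127.0.0.1       80
0.0.0.0         3390        10.0.0.5        3389

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
::              443         203.0.113.10    443
'@ -split "`r?`n"

function ConvertFrom-PortProxyOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $table = $null
    foreach ($line in $Lines) {
        # Section header such as "Listen on ipv4:   Connect to ipv6:" -> table "v4tov6",
        # which is also the command name used by add/set/delete in this context.
        if ($line -match '^Listen on ip(v[46]):\s+Connect to ip(v[46]):') {
            $table = "$($Matches[1])to$($Matches[2])"
            continue
        }
        # Data row: listen address, listen port, connect address, connect port.
        # The column header and the dashed rule do not match because ports are numeric.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Table          = $table
                ListenAddress  = $Matches[1]
                ListenPort     = [int]$Matches[2]
                ConnectAddress = $Matches[3]
                ConnectPort    = [int]$Matches[4]
            }
        }
    }
}

function Find-RemotePortProxy {
    # Returns mappings whose target is not the local computer.
    param([object[]]$Mappings)
    if (-not $Mappings) { return }
    $localTargets = @('127.0.0.1', '::1', 'localhost', $env:COMPUTERNAME)
    $Mappings | Where-Object { $localTargets -notcontains $_.ConnectAddress }
}

# Offline run against the constructed sample: the 3390 and 443 rows are reported.
$mappings = ConvertFrom-PortProxyOutput -Lines $SampleShowAll
Find-RemotePortProxy -Mappings $mappings | Format-Table -AutoSize

# Live run on a Windows host. Reading the table needs no elevation; the printed
# delete command (from this section of the reference) does, and is only displayed here.
if (Get-Command netsh.exe -ErrorAction SilentlyContinue) {
    $live = @(ConvertFrom-PortProxyOutput -Lines @(netsh interface portproxy show all))
    foreach ($m in @(Find-RemotePortProxy -Mappings $live)) {
        'netsh interface portproxy delete {0} listenport={1} listenaddress={2} protocol=tcp' -f
            $m.Table, $m.ListenPort, $m.ListenAddress
    }
}
```

The Table field of each object is exactly the v4tov4, v4tov6, v6tov4 or v6tov6 name used by the add, set and delete commands below, so the same objects can drive a scripted cleanup once the entries have been reviewed.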
add v4tov4
Specifies that the portproxy server listen for messages sent to a specific port and IPv4 address, and maps a port and IPv4 address to which to send the messages received after establishing a separate TCP connection.
Syntax
add v4tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv4 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv4 address for which to listen. Acceptable values are IP address, computer NetBIOS name, or computer Domain Name System (DNS) name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently, only Transmission Control Protocol (TCP) is supported.
/?
Displays help at the command prompt.
add v4tov6
Specifies that the portproxy server listen for messages sent to a specific port and IPv4 address, and maps a port and IPv6 address to which to send the messages received after establishing a separate TCP connection.
Syntax
add v4tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv4 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
add v6tov4
Specifies that the portproxy server listen for messages sent to a specific port and IPv6 address, and maps a port and IPv4 address to which to send the messages received after establishing a separate TCP connection.
Syntax
add v6tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv6 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
add v6tov6
Specifies that the portproxy server listen for messages sent to a specific port and IPv6 address, and maps a port and IPv6 address to which to send the messages received after establishing a separate TCP connection.
Syntax
add v6tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv6 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
delete v4tov4
Specifies that the portproxy server delete an IPv4 address from the list of IPv4 ports and addresses for which the server listens.
Syntax
delete v4tov4 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv4 port to delete.
listenaddress
Specifies the IPv4 address to delete. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
delete v4tov6
Specifies that the portproxy server delete an IPv4 port and address from the list of IPv4 addresses for which the server listens.
Syntax
delete v4tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv4 port to delete.
listenaddress
Specifies the IPv4 address to delete. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
delete v6tov4
Specifies that the portproxy server delete an IPv6 port and address from the list of IPv6 addresses for which the server listens.
Syntax
delete v6tov4 listenport= {Integer | ServiceName} [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv6 port to delete.
listenaddress
Specifies the IPv6 address to delete. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
delete v6tov6
Specifies that the portproxy server delete an IPv6 address from the list of IPv6 addresses for which the server listens.
Syntax
delete v6tov6 listenport= {Integer | ServiceName} [[listenaddress=] {IPv6Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv6 port to delete.
listenaddress
Specifies the IPv6 address to delete. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
reset
Resets the IPv6 configuration state.
Syntax
reset
set v4tov4
Modifies the parameter values of an existing entry on the portproxy server created with the add v4tov4 command, or adds a new entry to the list that maps port/address pairs.
Syntax
set v4tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv4 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv4 address for which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently, only Transmission Control Protocol (TCP) is supported.
/?
Displays help at the command prompt.
set v4tov6
Modifies the parameter values of an existing entry on the portproxy server created with the add v4tov6 command, or adds a new entry to the list that maps port/address pairs.
Syntax
set v4tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv4Address| HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv4 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv4 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
set v6tov4
Modifies the parameter values of an existing entry on the portproxy server created with the add v6tov4 command, or adds a new entry to the list that maps port/address pairs.
Syntax
set v6tov4 listenport= {Integer | ServiceName} [[connectaddress=] {IPv4Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address | HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv6 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
set v6tov6
Modifies the parameter values of an existing entry on the portproxy server created with the add v6tov6 command, or adds a new entry to the list that maps port/address pairs.
Syntax
set v6tov6 listenport= {Integer | ServiceName} [[connectaddress=] {IPv6Address | HostName}] [[connectport=] {Integer | ServiceName}] [[listenaddress=] {IPv6Address | HostName}] [[protocol=]tcp]
Parameters
listenport
Required. Specifies the IPv6 port, by port number or service name, on which to listen.
connectaddress
Specifies the IPv6 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
connectport
Specifies the IPv6 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
listenaddress
Specifies the IPv6 address on which to listen. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If you do not specify an address, the default is the local computer.
protocol
Specifies the protocol to use. Currently only TCP is supported.
/?
Displays help at the command prompt.
show all
Displays all portproxy parameters, including port/address pairs for v4tov4, v4tov6, v6tov4, and v6tov6.
Syntax
show all
show v4tov4
Displays v4tov4 portproxy parameters.
Syntax
show v4tov4
show v4tov6
Displays v4tov6 portproxy parameters.
Syntax
show v4tov6
show v6tov4
Displays v6tov4 portproxy parameters.
Syntax
show v6tov4
show v6tov6
Displays v6tov6 portproxy parameters.
Syntax
show v6tov6
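Portproxy entries persist across reboots and are easy to overlook, so the show commands above are the natural basis for a periodic audit. The following PowerShell is an added example and not part of the netsh reference: it parses the table that "netsh interface portproxy show all" prints into objects and marks entries that listen on every address and forward somewhere other than loopback or an approved target. The function names, the approved-target list and the sample output are constructed for this example.

```powershell
# Added example, not part of the netsh reference: parse the table that
# "netsh interface portproxy show all" prints and flag entries that an
# administrator has not approved. The function names and the sample
# output below are constructed for this example.

function ConvertFrom-PortProxyOutput {
    param([Parameter(Mandatory)][string[]]$Lines)

    $listen = $null
    $connect = $null
    foreach ($line in $Lines) {
        # Section header, for example "Listen on ipv4:             Connect to ipv6:"
        if ($line -match '^\s*Listen on ipv(?<l>[46]):\s+Connect to ipv(?<c>[46]):') {
            $listen  = $Matches.l
            $connect = $Matches.c
            continue
        }
        # Data row: listen address, listen port, connect address, connect port.
        # The column headers and dashed separator never match because the
        # second and fourth fields must be numeric.
        if ($listen -and $line -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Mapping        = "v${listen}tov${connect}"   # same names as the netsh subcommands
                ListenAddress  = $Matches[1]
                ListenPort     = [int]$Matches[2]
                ConnectAddress = $Matches[3]
                ConnectPort    = [int]$Matches[4]
            }
        }
    }
}

function Test-PortProxyEntry {
    # Marks an entry for review when it accepts connections on every address
    # and forwards them somewhere other than loopback or an approved target.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Entry,
        [string[]]$ApprovedTargets = @()
    )
    process {
        $wildcardListener = $Entry.ListenAddress -in @('*', '0.0.0.0', '::')
        $loopbackTarget   = $Entry.ConnectAddress -in @('127.0.0.1', '::1', 'localhost')
        $approved         = $Entry.ConnectAddress -in $ApprovedTargets
        $Entry | Add-Member -NotePropertyName NeedsReview `
                            -NotePropertyValue ($wildcardListener -and -not $loopbackTarget -and -not $approved) `
                            -PassThru
    }
}

function Get-PortProxyEntry {
    # Live query; needs Windows. Run from an elevated prompt for a complete view.
    $output = & netsh interface portproxy show all
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    ConvertFrom-PortProxyOutput -Lines $output
}

# Constructed sample output with two entries: a wildcard listener that
# forwards off the box, and a loopback-to-loopback mapping.
$sample = @'

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8080        10.0.0.5        80

Listen on ipv4:             Connect to ipv6:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       3389        ::1             3389
'@ -split "`r?`n"

ConvertFrom-PortProxyOutput -Lines $sample | Test-PortProxyEntry | Format-Table -AutoSize
```

On a live system replace the last line with `Get-PortProxyEntry | Test-PortProxyEntry -ApprovedTargets '10.0.0.5'` (the approved list being whatever your change records say should exist). The Mapping column uses the same v4tov4, v4tov6, v6tov4 and v6tov6 names as the netsh subcommands, so an unexpected row can be removed with the matching delete command.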
Netsh commands for Interface Transmission Control Protocol
The following sections provide details for each command.
add chimneyapplication
Sets the Transmission Control Protocol (TCP) chimney state for a particular application.
Syntax
add chimneyapplication [ state= ] disabled | enabled [ application= ] PathName
Parameters
state
Required. Specifies one of the following values:
disabled: Disables TCP chimney offload for the application.
enabled: Enables TCP chimney offload for the application. Applies to new connections only.
application
Required. Specifies the application name and path.
Examples
Following are two examples of the add chimneyapplication command.
add chimneyapplication disabled c:\path\database.exe
add chimneyapplication state=disabled application=c:\path\database.exe
add chimneyport
Sets the TCP chimney state for a source port, destination port pair.
Syntax
add chimneyport [ state= ] disabled | enabled [ localport= ] * | Integer [ remoteport= ] * | Integer
Parameters
state
Required. Specifies one of the following values:
disabled: Disables TCP chimney offload for the local port, remote port pair.
enabled: Enables TCP chimney offload for the local port, remote port pair. Applies to new connections only.
localport
Required. Specifies the source port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.
remoteport
Required. Specifies the destination port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.
Examples
Following are two examples of the add chimneyport command.
add chimneyport disabled 10000 *
add chimneyport state=disabled localport=10000 remoteport=*
delete chimneyapplication
Deletes the application from the TCP chimney offload selection table.
Syntax
delete chimneyapplication [application=] ApplicationName
Parameters
application
Required. Specifies the application name and path.
Examples
Following are two examples of the delete chimneyapplication command.
delete chimneyapplication c:\path\database.exe
delete chimneyapplication application=c:\path\database.exe
delete chimneyport
Deletes the port entry from the TCP chimney offload selection table.
Syntax
delete chimneyport [ localport= ] * | Integer [ remoteport= ] * | Integer
Parameters
localport
Required. Specifies the source port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.
remoteport
Required. Specifies the destination port. An asterisk (*) specifies all ports. To specify a specific port number, provide a value for Integer.
Examples
Following are two examples of the delete chimneyport command.
delete chimneyport 80 *
delete chimneyport localport=80 remoteport=*
reset
Removes all user configured settings and resets all TCP parameters to their default values.
Syntax
reset
set global
Sets TCP parameters that affect all connections.
Syntax
set global [ [ rss= ] disabled | enabled | default ] [ [ chimney= ] disabled | enabled | default ] [ [ autotuninglevel= ] disabled | highlyrestricted | restricted | normal | experimental ] [ [ congestionprovider= ] none | ctcp | default ] [ [ ecncapability= ] disabled | enabled | default ] [ [ timestamps= ] disabled | enabled | default ]
Parameters
rss
Optional. Specifies one of the following values:
disabled: Disable receive-side scaling.
enabled: Enable receive-side scaling.
default: Restore receive-side scaling state to the system default.
chimney
Optional. Specifies one of the following values:
disabled: Disable Chimney offload.
enabled: Enable Chimney offload.
default: Restore Chimney offload state to the system default.
autotuninglevel
Optional. Specifies one of the following values:
disabled: Fix the receive window at its default value.
highlyrestricted: Allow the receive window to grow beyond its default value, but do so very conservatively.
restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.
normal: Allow the receive window to grow to accommodate almost all scenarios.
experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.
congestionprovider
Optional. Specifies one of the following values:
none: Use the built-in standard congestion control algorithm.
ctcp: Use the add-on Compound TCP congestion control algorithm.
default: Restore the selected provider to the system default.
ecncapability
Optional. Specifies one of the following values:
disabled: Disable ECN Capability.
enabled: Enable ECN Capability.
default: Restore ECN Capability state to the system default.
timestamps
Optional. Specifies one of the following values:
disabled: Disable RFC 1323 timestamps.
enabled: Enable RFC 1323 timestamps.
default: Restore RFC 1323 timestamps state to the system default.
Examples
Following are two examples of the set global command.
set global enabled enabled normal
set global rss=enabled chimney=enabled autotuninglevel=normal
show chimneyapplications
Shows TCP Chimney application filters.
Syntax
show chimneyapplications [ [ level= ] normal | verbose ]
Parameters
level
Optional. Specifies one of the following values:
normal: Display the TCP connect IPv4 filters in the TCP chimney offload table. This is the default value.
verbose: Display filters for all events in the TCP chimney offload table.
show chimneyports
Shows TCP Chimney port filters.
Syntax
show chimneyports [ [ level= ] normal | verbose ]
Parameters
level
Optional. Specifies one of the following values:
normal: Display the TCP connect IPv4 filters in the TCP chimney offload table. This is the default value.
verbose: Display filters for all events in the TCP chimney offload table.
show global
Shows TCP parameters that affect all connections.
Syntax
show global [ [ store= ] active | persistent ]
Parameters
store
Optional. Specifies one of the following values:
active: Show information in the stack (default).
persistent: Show persistent information.
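Because show global can read either the active store (what the stack is running with now) or the persistent store, the two can be compared to detect a setting that was changed on the running system but not persisted, or the reverse. The PowerShell below is an added example, not part of the netsh reference: it parses the "Name : value" table that show global prints and lists the parameters whose values differ between the two stores. The function names and the sample text are constructed for this example.

```powershell
# Added example, not part of the netsh reference: read the "Name : value"
# table printed by "netsh interface tcp show global" for both stores and
# report parameters whose active value differs from the persistent one.
# Function names and the sample text are constructed for this example.

function ConvertFrom-NetshTable {
    param([Parameter(Mandatory)][string[]]$Lines)
    $table = [ordered]@{}
    foreach ($line in $Lines) {
        # Rows look like "Receive Window Auto-Tuning Level    : normal";
        # banner and separator lines contain no colon and are skipped.
        if ($line -match '^\s*(?<name>[^:]+?)\s*:\s*(?<value>\S.*?)\s*$') {
            $table[$Matches.name] = $Matches.value
        }
    }
    return $table
}

function Get-TcpGlobalStore {
    # Live query; needs Windows.
    param([ValidateSet('active', 'persistent')][string]$Store = 'active')
    $output = & netsh interface tcp show global "store=$Store"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    ConvertFrom-NetshTable -Lines $output
}

function Compare-TcpGlobalStore {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Active,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Persistent
    )
    foreach ($name in $Active.Keys) {
        if ($Persistent.Contains($name) -and $Persistent[$name] -ne $Active[$name]) {
            [pscustomobject]@{ Parameter = $name; Active = $Active[$name]; Persistent = $Persistent[$name] }
        }
    }
}

# Constructed sample: the running stack reports chimney offload disabled
# while the persistent store still says enabled. The two stores disagree,
# which is exactly the kind of drift this check is meant to surface.
$activeSample = @'
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : disabled
Receive Window Auto-Tuning Level    : normal
Add-On Congestion Control Provider  : none
ECN Capability                      : disabled
RFC 1323 Timestamps                 : disabled
'@ -split "`r?`n"
$persistentSample = $activeSample -replace '^(Chimney Offload State\s*:\s*)disabled$', '${1}enabled'

Compare-TcpGlobalStore -Active (ConvertFrom-NetshTable $activeSample) `
                       -Persistent (ConvertFrom-NetshTable $persistentSample) | Format-Table -AutoSize
```

On a live system the last statement becomes `Compare-TcpGlobalStore -Active (Get-TcpGlobalStore active) -Persistent (Get-TcpGlobalStore persistent)`. The parser is deliberately generic (any "name : value" row), so the same function can be reused for other netsh show commands that print in this layout.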
Netsh commands for Interface Teredo
This section contains the following commands:
set state
show state
Interface Teredo commands
The following entries provide details for each command.
set state
Sets the Teredo state. A default argument to a parameter sets it to the system default.
Syntax
set state [ [ type= ] disabled | client | enterpriseclient | default ] [ [ servername= ] HostName | IPv4Address | default ] [ [ refreshinterval= ] Integer | default ] [ [ clientport= ] Integer | default ] [ [ supernode= ] HostName | IPv4Address | default ]
Parameters
type
Optional. Specifies one of the following values:
disabled: Disable the Teredo service.
client: Enable the Teredo client.
enterpriseclient: Skip managed network detection.
servername
Optional. Specifies the host name or IPv4 address of the Teredo server.
refreshinterval
Optional. Specifies an integer value for the client refresh interval (in seconds).
clientport
Optional. Specifies an integer that is the client's UDP port (if default is specified, this value is chosen by the system).
supernode
Optional. Specifies the Super-Node to use when behind a firewall.
Examples
Following are two examples of the set state command.
set state disabled
set state client teredo.ipv6.microsoft.com 60 34567
show state
Shows the Teredo state.
Syntax
show state
Netsh Commands for Internet Protocol Security (IPsec)
The Netsh commands for Internet Protocol security (IPsec) provide an alternative to the console-based management and diagnostic capabilities provided by the IP Security Policy Management and IP Security Monitor snap-ins available for the Microsoft Management Console (MMC). By using the Netsh commands for IPsec, you can configure and view static or dynamic IPsec Main Mode settings, Quick Mode settings, rules, currently established security associations, and configuration parameters.
Administering IPsec from the command line is especially useful when you want to:
Script IPsec configuration.
Extend the security and manageability of IPsec by configuring the following features, which are not available in the IP Security Policy Management snap-in: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.
You can run these commands from within the netsh tool at the netsh ipsec> prompt.
For these commands to work at a standard Windows command prompt, you must preface each command with netsh ipsec, followed by the specific command and parameters as they appear in the syntax below.
Netsh IPsec static-mode commands
You can use the netsh ipsec static commands to perform the same management and monitoring tasks that you can perform by using the IP Security Policy Management console. By using these commands, you can create and modify IPsec policies without immediately affecting the configuration of the active IPsec policy. Policies affect the operational state of the computer when you use the assign=yes parameter on an add policy or set policy command. If you make changes to an assigned policy, they take effect immediately. A Group Policy assigned to the computer overrides a local policy, even when the assign=yes option is part of the local policy command.
Netsh IPsec dynamic-mode commands
You can use the netsh ipsec dynamic commands to display the active state of IPsec and to immediately affect the configuration of the active IPsec policy. These commands directly configure the security policy database (SPD). Changes that you make to an IPsec policy while using these commands take effect only while the IPsec service is running. If the IPsec service is stopped, the dynamic policy settings are discarded. Although most of these commands take effect immediately, several configuration commands still require you to restart the IPsec service or restart the computer before they take effect. For more information about these commands, see the syntax descriptions for the netsh ipsec dynamic set config commands.
Netsh IPsec
The following commands are available at the IPsec> prompt, which is rooted within the netsh environment.
While the netsh ipsec dynamic commands modify the currently active configuration without storing the change anywhere, the netsh ipsec static commands modify a store which contains an IPsec configuration which allows the changes to persist, be saved, and recalled later.
static
Switches to the IPsec static context. In static mode you configure an IPsec policy which can be assigned to a computer at a later time. Changes made in this mode do not immediately affect the current IPsec state of the computer on which they are made, unless the policy being modified has the assign=yes property currently set and a Group Policy assigned IPsec policy is not currently overriding the local policy.
Syntax
static
Parameters
none
dynamic
Switches to the IPsec dynamic context. In dynamic mode, you are making changes to active IPsec state of the computer on which you run the command. The changes are not saved to a policy that can then be deployed to another computer.
Syntax
dynamic
Parameters
none
Netsh IPsec static
The following commands are available at the ipsec static> prompt, which is rooted within the netsh environment.
add filter
Adds a filter to the specified filter list.
Syntax
add filter [ filterlist = ] FilterListName [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ [ description = ] string ] [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ] [ [ mirrored = ] { yes | no } ] [ [ srcmask = ] { Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ]
Parameters
[ filterlist = ] FilterListName
Required. Specifies the name of the filter list to which the filter is added. Each filter defines a set of inbound or outbound network traffic to be secured.
[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
Required. Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, Domain Name System (DNS) name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers providing those services. The me keyword matches the IP address(es) assigned to the local computer, even when they change. The any keyword matches any IP address.
[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
Required. Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use wins, dns, dhcp, or gateway to match the locally configured IP addresses of the computers providing those services. The me keyword matches the IP address(es) assigned to the local computer, even when they change. The any keyword matches any IP address.
[ [ description = ] String ]
Provides information about the filter.
[ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]
Specifies the IP protocol if, in addition to addressing information, you want to filter a specific IP protocol. The default value is any.
[ [ mirrored = ] { yes | no } ]
Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter settings: one for traffic to the destination and one for traffic from the destination. Both source and destination addresses and ports are mirrored. The default value is yes.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ srcport = ] Port ]
Specifies the source port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is any.
[ [ dstport = ] Port ]
Specifies the destination port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default is any.
add filteraction
Creates a filter action with the specified Quick Mode security methods.
Syntax
add filteraction [ name = ] FilterActionName [ [ description = ] string ] [ [ qmpfs = ] { yes | no }] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ] [ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]
Parameters
[ name = ] FilterActionName
Required. Specifies the name of the filter action to be created.
[ [ description = ] string ]
Provides information about the filter action.
[ [ qmpfs = ] { yes | no } ]
Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new master key material is renegotiated each time a new session key is required. The default value is no.
[ [ inpass = ] { yes | no } ]
Specifies whether to allow an incoming packet that matches the configured filter list to be unsecured, but require IPsec-secured communication when replying. The default value is no.
[ [ soft = ] { yes | no } ]
Specifies whether to fall back to unsecured communication with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is no.
[ [ action = ] { permit | block | negotiate } ]
Specifies the action to take on the traffic that matches the rule containing this filter action. If permit is specified, traffic is transmitted or received without requiring IPsec protection. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used with the specified list of security methods. The default value is negotiate.
[ [ qmsecmethods = ] "SecMethodsString" ]
Specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:
• ESP[EncAlg,AuthAlg]:numk/nums
• AH[HashAlg]:numk/nums
• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.
AuthAlg
Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.
HashAlg
Specifies the hash function. HashAlg can be MD5 or SHA1.
numk
Specifies the session key lifetime in kilobytes (the number followed by k). After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100000 kilobytes.
nums
Specifies the session key lifetime in seconds (the number followed by s). The default value is 3600 seconds.
add filterlist
Creates an empty filter list with the specified name.
Syntax
add filterlist [ name = ] FilterListName [ [ description = ] string ]
Parameters
[ name = ] FilterListName
Required. Specifies the name of the filter list to be created.
[ [ description = ] string ]
Provides information about the filter list.
add policy
Creates an IPsec policy with the specified name.
Syntax
add policy [ name = ] PolicyName [ [ description = ] string ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ mmsecmethods = ] "KeyExchMethods" ]
Parameters
[ name = ] PolicyName
Required. Specifies the name of the IPsec policy to be created.
[ [ description = ] string ]
Provides information about the IPsec policy.
[ [ mmpfs = ] { yes | no } ]
Specifies whether to enable master key perfect forward secrecy (PFS). If yes is specified, Main Mode SAs are reauthenticated and new master key keying material is negotiated each time session key material for a Quick Mode SA is required. The default value is no.
[ [ qmpermm = ] Integer ]
Specifies the number of times that master keying material can be used to derive the session key. The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.
[ [ mmlifetime = ] Integer ]
Specifies the number of minutes after which a new master key will be generated. The default value is 480 minutes.
[ [ activatedefaultrule = ] { yes | no } ]
Specifies whether to activate the default response rule for this IPsec policy. The default value is no. This setting is not valid on Windows Vista or Windows Server 2008. When set through a Group Policy that is shared with earlier versions of Windows, computers running Windows Vista or Windows Server 2008 ignore the value. If you are running the command locally on a computer running Windows Vista or Windows Server 2008, it generates an error.
[ [ pollinginterval = ] Integer ]
Specifies how often IPsec polls for changes to this policy. The default value is 180 minutes.
[ [ assign = ] { yes | no } ]
Specifies whether to assign this IPsec policy (only one IPsec policy can be assigned). The default value is no.
[ [ mmsecmethods = ] "KeyExchMethods" ]
Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:
EncAlg-HashAlg-GroupNum
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES or 3DES.
HashAlg
Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
GroupNum
Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits).
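The qmsecmethods string of add filteraction and the mmsecmethods string of add policy are both small grammars, and a typo in either only surfaces when netsh rejects the command. The PowerShell below is an added example, not part of the netsh reference: it validates one or more methods against the formats documented above and warns about the algorithm choices that are weak by current standards (DES, MD5, Diffie-Hellman group 1, or an ESP method with no encryption or no integrity). The function names are constructed for this example; the method formats are the ones documented in this section.

```powershell
# Added example, not part of the netsh reference: validate the method strings
# accepted by "add filteraction qmsecmethods=" and "add policy mmsecmethods="
# and warn about choices that are weak by today's standards. Function names
# are constructed for this example; the formats are the ones documented above.

function Test-IpsecQuickModeMethod {
    # One Quick Mode method: ESP[EncAlg,AuthAlg]:numk/nums, AH[HashAlg]:numk/nums,
    # or AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums
    param([Parameter(Mandatory)][string]$Method)
    $result = [pscustomobject]@{ Method = $Method; IsValid = $false; Warnings = @() }
    # Lifetime suffix: numk/nums, for example 100000k/3600s
    if ($Method -notmatch '^(?<algs>[^:]+):(?<k>\d+)k/(?<s>\d+)s$') { return $result }
    $algs = $Matches.algs; $kbytes = [int]$Matches.k; $seconds = [int]$Matches.s
    $esp = 'ESP\[(?<enc>DES|3DES|none),(?<auth>MD5|SHA1|none)\]'
    $ah  = 'AH\[(?<hash>MD5|SHA1)\]'
    # Documented shapes: ESP[...], AH[...]+ESP[...], or AH[...] on its own
    if (-not (($algs -match ('^(?:' + $ah + '\+)?' + $esp + '$')) -or ($algs -match ('^' + $ah + '$')))) { return $result }
    $result.IsValid = $true
    $enc = $Matches['enc']; $auth = $Matches['auth']; $hash = $Matches['hash']
    if ($enc -eq 'DES')                      { $result.Warnings += 'DES encryption is broken; 3DES is the strongest EncAlg this syntax offers' }
    if ($enc -eq 'none' -or -not $enc)       { $result.Warnings += 'no ESP encryption: traffic is authenticated but sent in clear text' }
    if ($auth -eq 'MD5' -or $hash -eq 'MD5') { $result.Warnings += 'MD5 integrity is deprecated; use SHA1' }
    if ($auth -eq 'none' -and -not $hash)    { $result.Warnings += 'ESP with AuthAlg=none and no AH: packets carry no integrity protection' }
    if ($kbytes -gt 100000 -or $seconds -gt 3600) { $result.Warnings += 'lifetime exceeds the documented defaults (100000k/3600s)' }
    return $result
}

function Test-IpsecMainModeMethod {
    # One Main Mode method: EncAlg-HashAlg-GroupNum, for example 3DES-SHA1-3
    param([Parameter(Mandatory)][string]$Method)
    $result = [pscustomobject]@{ Method = $Method; IsValid = $false; Warnings = @() }
    if ($Method -notmatch '^(?<enc>DES|3DES)-(?<hash>MD5|SHA1)-(?<group>[123])$') { return $result }
    $result.IsValid = $true
    if ($Matches.enc -eq 'DES')  { $result.Warnings += 'DES is broken; use 3DES' }
    if ($Matches.hash -eq 'MD5') { $result.Warnings += 'MD5 is deprecated; use SHA1' }
    if ($Matches.group -eq '1')  { $result.Warnings += 'Diffie-Hellman group 1 (768-bit) is too weak; use group 3 (2048-bit)' }
    return $result
}

function Test-IpsecSecMethodString {
    # Validates a whole space-separated list as passed to qmsecmethods= or mmsecmethods=.
    param(
        [Parameter(Mandatory)][string]$Methods,
        [ValidateSet('QuickMode', 'MainMode')][string]$Mode = 'QuickMode'
    )
    foreach ($m in ($Methods -split '\s+' | Where-Object { $_ })) {
        if ($Mode -eq 'QuickMode') { Test-IpsecQuickModeMethod $m } else { Test-IpsecMainModeMethod $m }
    }
}

# Constructed inputs: one strong method beside one that combines several weak choices.
Test-IpsecSecMethodString 'ESP[3DES,SHA1]:100000k/3600s AH[MD5]+ESP[DES,none]:200000k/3600s' | Format-List
Test-IpsecSecMethodString '3DES-SHA1-3 DES-MD5-1' -Mode MainMode | Format-List
```

Running the check over a policy's method strings before they go into add filteraction or add policy gives a reviewable record of why each algorithm was chosen, which is harder to reconstruct afterwards from an exported policy file.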
add rule
Creates a rule that links a specified IPsec policy, filter list, and filter action with specified authentication methods.
Syntax
add rule [ name = ] RuleName [ policy = ] PolicyName [ filterlist = ] FilterListName [ filteraction = ] FilterActionName [ [ tunnel = ] { IPAddress | DNSName } ] [ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ] [ [ description = ] string ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]
Parameters
[ name = ] RuleName
Required. Specifies the name of the IPsec rule to be created.
[ policy = ] PolicyName
Required. Specifies the name of the IPsec policy that contains this rule.
[ filterlist = ] FilterListName
Required. Specifies the name of the IP filter list for this rule.
[ filteraction = ] FilterActionName
Required. Specifies the name of the filter action for this rule.
[ [ tunnel = ] { IPAddress | DNSName } ]
Specifies the IP address (IPv4 or IPv6) or DNS name of the tunnel endpoint for tunnel mode. By default, this option is not specified and transport mode is used.
[ [ conntype = ] { lan | dialup | all } ]
Specifies whether the rule applies only to dial-up connections, only to local area network (LAN) connections, or to all connections. The default value is all.
[ [ activate = ] { yes | no } ]
Specifies whether to enable this rule in the specified IPsec policy. The default value is yes.
[ [ description = ] string ]
Provides information about the rule.
[ [ kerberos = ] { yes | no } ]
Specifies whether to use the Kerberos V5 protocol as an authentication method.
[ [ psk = ] PreSharedKey ]
Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]
Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:
CertName
Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
certmap:{ yes | no }
Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
excludecaname:{ yes | no }
Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
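The add filterlist, add filter, add filteraction, add policy and add rule commands are the steps of one procedure: a rule can only be created once the policy, filter list and filter action it refers to exist. The following PowerShell is an added example and not part of the netsh reference: it runs the whole sequence against the static store, wrapped in set batch so the policy store is cached for the duration, and finishes with exportpolicy so the result can be reviewed before anyone assigns it. The policy is created with assign=no, so nothing on the computer changes until set policy assign=yes is run deliberately. The function names, policy, filter list, action and rule names, the port and the export path are all constructed for this example.

```powershell
# Added example, not part of the netsh reference: build a complete static
# IPsec policy in the order the reference describes (filter list, filter,
# filter action, policy, rule), then export it. Everything stays unassigned
# (assign=no) so the live IPsec state is untouched until a reviewer assigns
# it. All names, the port and the export path are constructed for this example.

function Invoke-NetshIpsecStatic {
    # Runs one "netsh ipsec static ..." command and fails loudly on a non-zero exit.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & netsh ipsec static @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    $output
}

function New-InboundHttpsIpsecPolicy {
    param(
        [string]$PolicyName     = 'Example Web Server Policy',
        [string]$FilterListName = 'Example Inbound HTTPS',
        [string]$ActionName     = 'Example Require ESP',
        [string]$ExportPath     = 'C:\ipsec-backup\example-policy.ipsec'   # constructed path
    )
    # Batch mode caches policy store information across the commands below.
    Invoke-NetshIpsecStatic @('set', 'batch', 'mode=enable')
    try {
        Invoke-NetshIpsecStatic @('add', 'filterlist', "name=$FilterListName", 'description=Constructed example')

        # Mirrored filter: TCP from any source to this computer on port 443,
        # plus the matching return traffic (mirrored=yes is also the default).
        Invoke-NetshIpsecStatic @('add', 'filter', "filterlist=$FilterListName",
            'srcaddr=any', 'dstaddr=me', 'protocol=tcp', 'dstport=443', 'mirrored=yes')

        # Negotiate ESP with 3DES/SHA1, the strongest choices this syntax offers.
        # soft=no and inpass=no refuse any fallback to unsecured traffic.
        Invoke-NetshIpsecStatic @('add', 'filteraction', "name=$ActionName", 'action=negotiate',
            'qmsecmethods=ESP[3DES,SHA1]:100000k/3600s', 'soft=no', 'inpass=no', 'qmpfs=yes')

        # Main Mode: 3DES, SHA1, Diffie-Hellman group 3. assign=no keeps it inactive.
        Invoke-NetshIpsecStatic @('add', 'policy', "name=$PolicyName",
            'mmsecmethods=3DES-SHA1-3', 'mmlifetime=480', 'assign=no')

        # The rule links policy, filter list and filter action, authenticating peers with Kerberos.
        Invoke-NetshIpsecStatic @('add', 'rule', 'name=Example HTTPS rule', "policy=$PolicyName",
            "filterlist=$FilterListName", "filteraction=$ActionName", 'kerberos=yes', 'activate=yes')

        # Export the finished policy for review or version control.
        Invoke-NetshIpsecStatic @('exportpolicy', "file=$ExportPath", "name=$PolicyName")
    }
    finally {
        Invoke-NetshIpsecStatic @('set', 'batch', 'mode=disable')
    }
}

New-InboundHttpsIpsecPolicy
```

Passing each netsh argument as a separate array element lets PowerShell quote values that contain spaces, so the policy and list names reach netsh intact. Once the exported file has been reviewed, the policy is activated with set policy and assign=yes; remember from the overview above that a Group Policy assigned IPsec policy overrides the local one regardless.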
delete all
Deletes all IPsec policies, filter lists, and filter actions.
Syntax
delete all
Parameters
None.
delete filter
Deletes a filter from a filter list that matches the specified parameters.
Syntax
delete filter [ filterlist = ] FilterListName [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } [ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ] [ [ srcmask = ] { Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ srcport = ] Port ] [ [ dstport = ] Port ] [ [ mirrored = ] { yes | no } ]
Parameters
[ filterlist = ] FilterListName
Required. Specifies the name of the filter list to which the filter was added.
[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use wins, dns, dhcp, or gateway.
[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use wins, dns, dhcp, or gateway.
[ [ protocol = ] { any | icmp | tcp | udp | raw | Integer } ]
Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A value of any matches filters with a protocol setting of any.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255, equivalent to the prefix value of 32.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 0 through 32. The default value is the mask of 255.255.255.255, equivalent to the prefix value of 32.
[ [ srcport = ] Port ]
Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets. The default is to match any port number.
[ [ dstport = ] Port ]
Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets. The default is to match any port number.
[ [ mirrored = ] { yes | no } ]
Specifies whether a mirrored filter was created.
delete filteraction
Deletes the specified filter action, or all filter actions.
Syntax
delete filteraction { [ name = ] FilterActionName | all }
Parameters
{ [ name = ] FilterActionName | all}
Required. Specifies the name of the filter action to delete. Or, if all is specified, all filter actions are deleted.
delete filterlist
Deletes the specified filter list, or all filter lists.
Syntax
delete filterlist { [ name = ] FilterListName | all }
Parameters
{ [ name = ] FilterListName | all }
Required. Specifies the name of the filter list to delete. Or, if all is specified, all filter lists are deleted.
delete policy
Deletes the specified IPsec policy and all associated rules, or all IPsec policies.
Syntax
delete policy { [ name = ] PolicyName | all }
Parameters
{ [ name = ] PolicyName | all }
Required. Specifies the name of the IPsec policy to delete. Or, if all is specified, all IPsec policies are deleted.
delete rule
Deletes a specified rule, or all rules from the specified IPsec policy.
Syntax
delete rule { [ name = ] RuleName | [ ID = ] Integer | all } [ policy = ] PolicyName
Parameters
{ [ name = ] RuleName | [ ID = ] Integer | all }
Required. Specifies the rule to delete. If either the rule name or the rule ID (the number identifying the position of the rule in the policy rule list) is specified, the corresponding rule is deleted. If all is specified, all rules are deleted.
[ policy = ] PolicyName
Required. Specifies the name of the policy from which one or more rules are deleted.
exportpolicy
Exports IPsec policy information to the specified file. You can export all policies, or a specified policy.
Syntax
exportpolicy [ file = ] FilePathAndName [ [ name = ] PolicyName ]
Parameters
[ file = ] FilePathAndName
Required. Specifies the folder path and name of the file into which the IPsec policy information is exported.
[ [ name = ] PolicyName ]
Specifies the policy to export. If no value is provided, then all policies are exported.
importpolicy
Imports IPsec policy information from the specified IPsec file.
Syntax
importpolicy [ file = ] FilePathAndName
Parameters
[ file = ] FilePathAndName
Required. Specifies the folder path and name of the file from which the IPsec policy information is imported.
set batch
Sets batch mode. When batch mode is enabled, netsh caches information used during the processing of commands. When other commands reference that same information, the command can typically be processed much more quickly since it is in the cache memory. This can significantly improve performance of scripts that run a sequence of netsh commands.
Syntax
set batch [ mode = ] { enable | disable }
Parameters
[ mode = ] { enable | disable }
Required. Turns batch mode with its associated caching of information on or off. Use enable to turn it on before running a sequence of commands.
set defaultrule
Modifies the default response rule for the specified policy. This option is only applicable to computers running Windows XP or Windows Server 2003, and does not apply to Windows Vista or Windows Server 2008.
Syntax
set defaultrule [ policy = ] PolicyName [ [ qmpfs = ] { yes | no } ] [ [ activate = ] { yes | no } ] [ [ qmsecmethods = ] "SecMethodsString" ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }"]
Parameters
[ policy = ] PolicyName
Required. Specifies the name of the IPsec policy for which the default response rule is to be modified.
[ [ qmpfs = ] { yes | no } ]
Specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new master key material is renegotiated each time a new session key is required. The default value is no.
[ [ activate = ] { yes | no } ]
Specifies whether to activate this rule for the specified IPsec policy. The default value is yes.
[ [ qmsecmethods = ] "SecMethodsString" ]
Specifies one or more security methods, separated by spaces and defined by the following format:
{ ESP[EncAlg,AuthAlg]:k/s | AH[HashAlg]:k/s | AH[HashAlg]+ESP[EncAlg,AuthAlg]:k/s }
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES (Data Encryption Standard), 3DES, or none.
AuthAlg
Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or none.
HashAlg
Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.
k
Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
s
Specifies the session key lifetime in seconds. The default value is 3600 seconds.
[ [ kerberos = ] { yes | no } ]
Specifies whether to use the Kerberos V5 protocol as an authentication method.
[ [ psk = ] PreSharedKey ]
Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]
Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:
CertName
Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
certmap:{ yes | no }
Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
excludecaname:{ yes | no }
Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
set filteraction
Modifies a filter action.
Syntax
set filteraction { [ name = ] FilterActionName | [ guid = ] FilterActionGUID } [ [ newname = ] NewFilterActionName ] [ [ description = ] String ] [ [ qmpfs = ] { yes | no } ] [ [ inpass = ] { yes | no } ] [ [ soft = ] { yes | no } ] [ [ action = ] { permit | block | negotiate } ] [ [ qmsecmethods = ] "SecMethodsString" ]
Parameters
{ [ name = ] FilterActionName | [ guid = ] FilterActionGUID }
Required. Specifies the name or globally unique identifier (GUID) of the filter action to modify.
[ [ newname = ] NewFilterActionName ]
Changes the name of the filter action to the specified value. If a value is not specified, then the name is not changed.
[ [ description = ] String ]
Changes the information about the filter action. If a value is not specified, then description is not changed.
[ [ qmpfs = ] { yes | no } ]
Changes the value that specifies whether to enable session key perfect forward secrecy (PFS). If yes is specified, new master key material is renegotiated each time a new session key is required. If a value is not specified, then qmpfs is not changed.
[ [ inpass = ] { yes | no } ]
Changes the value that specifies whether to allow an incoming packet that matches the configured filter list to be unsecured, but require IPsec-secured communication when replying. If a value is not specified, then inpass is not changed.
[ [ soft = ] { yes | no } ]
Changes the value that specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. If a value is not specified, then soft is not changed.
[ [ action = ] { permit | block | negotiate } ]
Changes the value that specifies whether to permit traffic without negotiating IPsec. If permit is specified, traffic is transmitted or received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the specified list of security methods. If a value is not specified, then action is not changed.
[ [ qmsecmethods = ] "SecMethodsString" ]
Changes the string that specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:
• ESP[EncAlg,AuthAlg]:numk/nums
• AH[HashAlg]:numk/nums
• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.
AuthAlg
Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.
HashAlg
Specifies the hash function. HashAlg can be MD5 or SHA1.
numk
Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100000 kilobytes.
nums
Specifies the session key lifetime in seconds. The default value is 3600 seconds. If a value is not specified, then qmsecmethods is not changed.
set filterlist
Modifies a filter list.
Syntax
set filterlist { [ name = ] FilterListName | [ guid = ] FilterListGUID } [ [ newname = ] NewFilterListName ] [ [ description = ] String ]
Parameters
{ [ name = ] FilterListName | [ guid = ] FilterListGUID }
Required. Specifies the name or globally unique identifier (GUID) of the filter list to modify.
[ [ newname = ] NewFilterListName ]
Changes the name of the filter list to the specified value. If a value is not specified, then the name is not changed.
[ [ description = ] String ]
Changes the information about the filter list. If a value is not specified, then description is not changed.
set policy
Modifies an IPsec policy.
Syntax
set policy { [ name = ] PolicyName | [ guid = ] PolicyGUID } [ [ newname = ] NewPolicyName ] [ [ description = ] String ] [ [ mmpfs = ] { yes | no } ] [ [ qmpermm = ] Integer ] [ [ mmlifetime = ] Integer ] [ [ activatedefaultrule = ] { yes | no } ] [ [ pollinginterval = ] Integer ] [ [ assign = ] { yes | no } ] [ [ gponame = ] NameOfGPO ] [ [ mmsecmethods = ] "KeyExchMethods" ]
Parameters
{ [ name = ] PolicyName | [ guid = ] PolicyGUID }
Required. Specifies the name or GUID of the IPsec policy to modify.
[ [ newname = ] NewPolicyName ]
Changes the name of the IPsec policy to the specified value. If a value is not specified, then the name is not changed.
[ [ description = ] String ]
Changes the information about the IPsec policy. If a value is not specified, then description is not changed.
[ [ mmpfs = ] { yes | no } ]
Changes the value that specifies whether to enable master key perfect forward secrecy (PFS). If yes is specified, Main Mode security SAs are reauthenticated and new master key keying material is negotiated each time session key material for a Quick Mode SA is required. If a value is not specified, then mmpfs is not changed.
[ [ qmpermm = ] Integer ]
Changes the value that specifies the number of times that master keying material can be used to derive the session key. If a value is not specified, then qmpermm is not changed.
[ [ mmlifetime = ] Integer ]
Changes the value that specifies the number of minutes after which a new master key will be generated. If a value is not specified, then mmlifetime is not changed.
[ [ activatedefaultrule = ] { yes | no } ]
Changes the value that specifies whether to activate the default response rule for this IPsec policy. This setting is not valid on Windows Vista or Windows Server 2008. When set through a Group Policy that is shared with earlier versions of Windows, computers running Windows Vista or Windows Server 2008 ignore the value. If you are running the command locally on a computer running Windows Vista or Windows Server 2008, it generates an error. If a value is not specified, then activatedefaultrule is not changed.
[ [ pollinginterval = ] Integer ]
Changes the value that specifies how often IPsec polls for changes to this policy. If a value is not specified, then pollinginterval is not changed.
[ [ assign = ] { yes | no } ]
Changes the value that specifies whether to assign this IPsec policy (only one IPsec policy can be assigned). If a value is not specified, then assign is not changed.
[ [ gponame = ] NameOfGPO ]
Changes the value that specifies the name of the Group Policy object to which the IPsec policy is assigned. This parameter is only applicable if you are configuring policy for a computer that is an Active Directory domain member. If a value is not specified, then gponame is not changed.
[ [ mmsecmethods = ] "KeyExchMethods" ]
Changes the string that specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:
EncAlg-HashAlg-GroupNum
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES or 3DES.
HashAlg
Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
GroupNum
Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits). If a value is not specified, then mmsecmethods is not changed.
set rule
Modifies a rule in an IPsec policy.
Syntax
set rule { [ name = ] RuleName | [ ID = ] Integer } [ policy = ] PolicyName [ [ newname = ] NewRuleName ] [ [ description = ] String ] [ [ filterlist = ] FilterListName ] [ [ filteraction = ] FilterActionName ] [ [ tunnel = ] { IPAddress | DNSName } ] [ [ conntype = ] { lan | dialup | all } ] [ [ activate = ] { yes | no } ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]
Parameters
{ [ name = ] RuleName | [ ID = ] Integer }
Required. Specifies the name or ID (the number identifying the position of the rule in the policy rule list) of the rule to modify.
[ policy = ] PolicyName
Required. Specifies the name of the IPsec policy that contains the rule to modify.
[ [ newname = ] NewRuleName ]
Changes the name of the rule to the specified value. If a value is not specified, then the name is not changed.
[ [ description = ] String ]
Changes the information about the rule. If a value is not specified, then description is not changed.
[ [ filterlist = ] FilterListName ]
Changes the IP filter list associated with this rule. If a value is not specified, then filterlist is not changed.
[ [ filteraction = ] FilterActionName ]
Changes the filter action associated with this rule. If a value is not specified, then filteraction is not changed.
[ [ tunnel = ] { IPAddress | DNSName } ]
Changes the value that specifies the IP address or DNS name of the tunnel endpoint for tunnel mode. If a value is not specified, then tunnel is not changed.
[ [ conntype = ] { lan | dialup | all } ]
Changes the value that specifies whether the rule applies only to dial-up connections, only to local area network (LAN) connections, or to all connections. If a value is not specified, then conntype is not changed.
[ [ activate = ] { yes | no } ]
Changes the value that specifies whether to enable this rule for the specified IPsec policy. If a value is not specified, then activate is not changed.
[ [ kerberos = ] { yes | no } ]
Changes the value that specifies whether to use the Kerberos V5 protocol as an authentication method.
[ [ psk = ] PreSharedKey ]
Changes the string of characters to use for the preshared key, if a preshared key is used as an authentication method. If a value is not specified, then psk is not changed.
[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]
Changes the value that specifies certificate authentication options. The argument is a string in quotes that contains the following elements:
String
Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
certmap:{ yes | no }
Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
excludecaname:{ yes | no }
Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted. If a value is not specified, then rootca is not changed.
set store
Sets the current IPsec policy storage location.
Syntax
set store [ location = ] { local | domain } [ [ domain = ] DomainName ]
Parameters
[ location = ] { local | domain }
Required. Specifies the storage location for the IPsec policy.
[ [ domain = ] DomainName ]
Specifies the name of the domain where the IPsec policy is stored, if the policy is stored in Active Directory (when location=domain is specified).
show all
Displays configuration information for all IPsec policies, rules, filter lists, and filter actions.
Syntax
show all [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]
Parameters
[ [ format = ] { list | table } ]
Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ wide = ] { yes | no } ]
Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.
show filteraction
Displays configuration information for one or more filter actions.
Syntax
show filteraction { [ name = ] FilterActionName | [ rule = ] RuleName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]
Parameters
{ [ name = ] FilterActionName | [ rule = ] RuleName | all }
Required. Specifies one or more filter actions for which configuration information is to be displayed.
• If name is specified, then the filter action with the specified name is displayed.
• If rule is specified, then the filter action associated with the specified rule is displayed.
• If all is specified, all filter actions are displayed.
[ [ level = ] { verbose | normal } ]
Specifies the level of information to display. If verbose is specified, information about the security methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled is displayed, in addition to basic filter action information. The default value is normal.
[ [ format = ] { list | table } ]
Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ wide = ] { yes | no } ]
Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.
show filterlist
Displays configuration information for one or more filter lists.
Syntax
show filterlist { [ name = ] FilterListName | [ rule = ] RuleName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ resolvedns = ] { yes | no } ] [ [ wide = ] { yes | no } ]
Parameters
{ [ name = ] FilterListName | [ rule = ] RuleName | all }
Required. Specifies one or more filter lists to display. If name is specified, the filter list with the specified name is displayed. If rule is specified, all filter lists associated with the specified rule are displayed. If all is specified, all filter lists are displayed.
[ [ level = ] { verbose | normal } ]
Specifies the level of information to display. If verbose is specified, information about the security methods, policy storage location, and whether session key perfect forward secrecy (PFS) is enabled is displayed, in addition to basic filter list information. The default value is normal.
[ [ format = ] { list | table } ]
Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ resolvedns = ] { yes | no } ]
Specifies whether to resolve the DNS or NetBIOS computer name associated with an IP address when displaying sources or destinations. If yes is specified, level must also be set to verbose, or the DNS names are not displayed. The default value is no.
[ [ wide = ] { yes | no } ]
Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.
show gpoassignedpolicy
Displays configuration information for the active IPsec policy assigned to the specified Group Policy object.
Syntax
show gpoassignedpolicy [ [ name = ] GPOName ]
Parameters
[ [ name = ] GPOName ]
Specifies the name of the Group Policy object to which the active IPsec policy is assigned. If no name is specified, the local IPsec policy is displayed.
show policy
Displays configuration information for the specified IPsec policy, or for all IPsec policies.
Syntax
show policy { [ name = ] PolicyName | all } [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]
Parameters
{ [ name = ] PolicyName | all }
Required. Specifies the name of the IPsec policy to display or, if all is specified, that all IPsec policies are displayed.
[ [ level = ] { verbose | normal } ]
Specifies the level of information to display. If verbose is specified, the security methods and authentication method are displayed, in addition to information about filter actions and rules. The default value is normal.
[ [ format = ] { list | table } ]
Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ wide = ] { yes | no } ]
Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.
show rule
Displays configuration information for a rule for a specified policy, or for all rules for a specified policy.
Syntax
show rule { [ name = ] RuleName | [ id = ] Integer | all | default } [ policy = ] PolicyName [ [ type = ] { transport | tunnel } ] [ [ level = ] { verbose | normal } ] [ [ format = ] { list | table } ] [ [ wide = ] { yes | no } ]
Parameters
{ [ name = ] RuleName | [ id = ] Integer | all | default }
Required. Specifies one or more rules to display. If either the rule name or the rule ID (the number identifying the position of the rule in the policy rule list) is specified, the corresponding rule is displayed. If all is specified, all rules for the specified policy are displayed. If default is specified, the default response rule is displayed.
[ policy = ] PolicyName
Required. Specifies the name of the policy for which the specified rule, or all rules, are displayed.
[ [ type = ] { transport | tunnel } ]
Specifies whether to display all transport rules or all tunnel rules. The default value is to display all rules.
[ [ level = ] { verbose | normal } ]
Specifies the level of information to display. If verbose is specified, the security methods and authentication method are displayed, in addition to information about filter actions and rules. The default value is normal.
[ [ format = ] { list | table } ]
Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ wide = ] { yes | no } ]
Specifies whether to allow the display of IPsec configuration information to exceed the screen width of 80 characters. The default value is no, meaning that the display of configuration information is limited to the screen width.
show store
Displays the current IPsec policy storage location. Commands that you enter to change the state of the IPsec configuration apply to the displayed location unless you use the set store command to change the location first.
Syntax
show store
Netsh IPsec dynamic
The following commands are available at the ipsec dynamic > prompt, which is rooted within the netsh environment.
add mmpolicy
Creates an IPsec Main Mode policy with the specified name and adds it to the security policy database (SPD).
Syntax
add mmpolicy name = PolicyName [ qmpermm = Integer ] [ mmlifetime = Integer ] [ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]
Parameters
name = PolicyName
Required. Specifies the name of the IPsec policy to be created.
[ qmpermm = Integer ]
Specifies the number of times that master keying material can be used to derive the session key. The default value is 0, meaning an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.
[ mmlifetime = Integer ]
Specifies the number of minutes after which a new master key is generated. If a new master key is generated sooner because of the qmpermm parameter, then this timer is reset and begins counting again. A value of 0 specifies that the master key is never regenerated because of time. The default value is 480 minutes.
[ softsaexpirationtime = Integer ]
Specifies the number of minutes after which an unprotected security association (a soft SA) expires. A value of 0 specifies that soft SAs do not expire. The default value is 480 minutes.
[ mmsecmethods = "KeyExchMethods" ]
Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:
EncAlg-HashAlg-GroupNum
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES or 3DES.
HashAlg
Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
GroupNum
Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), or 3 (high, protects with 2048 bits).
add qmpolicy
Creates an IPsec Quick Mode policy with the specified name and adds it to the SPD.
Syntax
add qmpolicy name = PolicyName [ soft = { yes | no } ] [ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ] [ qmsecmethods = "SecMethodsString" ]
Parameters
name = PolicyName
Required. Specifies the name of the IPsec Quick Mode policy to be created.
[ soft = { yes | no } ]
Specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail. The default value is no.
[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]
Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low, with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is used. If grpmm is specified, the group value is taken from the current Main Mode settings. The default value is nopfs, meaning session key PFS is disabled.
[ qmsecmethods = "SecMethodsString" ]
Specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:
• ESP[EncAlg,AuthAlg]:numk/nums
• AH[HashAlg]:numk/nums
• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES (Data Encryption Standard), 3DES, or none.
AuthAlg
Specifies the integrity algorithm. AuthAlg can be MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), or none.
HashAlg
Specifies the hash function. HashAlg can be MD5 (Message Digest 5) or SHA1.
numk
Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
nums
Specifies the session key lifetime in seconds. The default value is 3600 seconds.
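The Quick Mode security method string above (the same SecMethodsString format that set defaultrule and set filteraction take for qmsecmethods) and the Main Mode EncAlg-HashAlg-GroupNum format (mmsecmethods for set policy and add mmpolicy) are easy to get wrong inside one quoted argument, and netsh only tells you after the policy is already in the SPD. The Python below is an added example written for this page, not code from the netsh reference or from Microsoft. It parses both formats exactly as the manual defines them, rejects malformed methods, and reports the settings a policy review would question. The thresholds it flags (DES, MD5, none, Diffie-Hellman group 1, session key lifetimes longer than the manual's defaults) are this example's own assumptions, not rules netsh enforces.

```python
"""Parse and audit netsh ipsec security-method strings.

Quick Mode (qmsecmethods):  ESP[EncAlg,AuthAlg]:numk/nums
                            AH[HashAlg]:numk/nums
                            AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums
Main Mode  (mmsecmethods):  EncAlg-HashAlg-GroupNum
Several methods are separated by spaces inside one quoted string.
"""
import re

# Algorithm names the manual allows in each slot.
QM_ENC = {"DES", "3DES", "NONE"}
QM_AUTH = {"MD5", "SHA1", "NONE"}
QM_HASH = {"MD5", "SHA1"}
MM_ENC = {"DES", "3DES"}
MM_HASH = {"MD5", "SHA1"}
# Keying-material size per Diffie-Hellman group, as listed in the manual.
DH_BITS = {1: 768, 2: 1024, 3: 2048}
# Default session key lifetimes from the manual (kilobytes, seconds).
DEFAULT_KB, DEFAULT_S = 100000, 3600

_QM = re.compile(
    r"^(?:AH\[(?P<hash>[A-Za-z0-9]+)\])?"                          # AH[HashAlg]
    r"(?P<plus>\+)?"                                                # '+' joins AH and ESP
    r"(?:ESP\[(?P<enc>[A-Za-z0-9]+),(?P<auth>[A-Za-z0-9]+)\])?"    # ESP[EncAlg,AuthAlg]
    r":(?P<kb>\d+)k/(?P<sec>\d+)s$",                               # :numk/nums
    re.IGNORECASE,
)


def parse_qm_method(text):
    """Return one Quick Mode method as a dict, or raise ValueError."""
    m = _QM.match(text.strip())
    if m is None:
        raise ValueError(f"malformed Quick Mode method: {text!r}")
    g = m.groupdict()
    has_ah, has_esp = g["hash"] is not None, g["enc"] is not None
    if not (has_ah or has_esp):
        raise ValueError(f"method needs AH, ESP or both: {text!r}")
    if bool(g["plus"]) != (has_ah and has_esp):
        raise ValueError(f"'+' is used exactly when AH and ESP are combined: {text!r}")
    method = {
        "ah": g["hash"].upper() if has_ah else None,
        "esp": (g["enc"].upper(), g["auth"].upper()) if has_esp else None,
        "lifetime_kb": int(g["kb"]),
        "lifetime_s": int(g["sec"]),
    }
    if method["ah"] is not None and method["ah"] not in QM_HASH:
        raise ValueError(f"unknown HashAlg {method['ah']!r}")
    if method["esp"] is not None:
        enc, auth = method["esp"]
        if enc not in QM_ENC or auth not in QM_AUTH:
            raise ValueError(f"unknown EncAlg or AuthAlg in {text!r}")
    return method


def parse_qm_methods(sec_methods_string):
    """Split a qmsecmethods string on spaces and parse every method."""
    return [parse_qm_method(t) for t in sec_methods_string.split()]


def parse_mm_method(text):
    """Parse 'EncAlg-HashAlg-GroupNum' into (enc, hash, group)."""
    parts = text.strip().split("-")
    if len(parts) != 3:
        raise ValueError(f"malformed Main Mode method: {text!r}")
    enc, hsh, grp = parts[0].upper(), parts[1].upper(), parts[2]
    if enc not in MM_ENC or hsh not in MM_HASH or not grp.isdigit() or int(grp) not in DH_BITS:
        raise ValueError(f"unknown algorithm or DH group in {text!r}")
    return enc, hsh, int(grp)


def parse_mm_methods(key_exch_methods):
    return [parse_mm_method(t) for t in key_exch_methods.split()]


def audit_qm(sec_methods_string):
    """Review findings for a Quick Mode string (thresholds are this example's)."""
    findings = []
    for i, m in enumerate(parse_qm_methods(sec_methods_string)):
        tag = f"method {i}"
        if m["ah"] == "MD5":
            findings.append(f"{tag}: AH integrity uses MD5")
        if m["esp"] is not None:
            enc, auth = m["esp"]
            if enc == "DES":
                findings.append(f"{tag}: ESP encryption DES is obsolete")
            if enc == "NONE":
                findings.append(f"{tag}: ESP carries no encryption (integrity only)")
            if auth == "MD5":
                findings.append(f"{tag}: ESP integrity uses MD5")
            if auth == "NONE" and m["ah"] is None:
                findings.append(f"{tag}: ESP without AH and without integrity protection")
        if m["lifetime_kb"] > DEFAULT_KB or m["lifetime_s"] > DEFAULT_S:
            findings.append(f"{tag}: session key lifetime exceeds the manual's defaults")
    return findings


def audit_mm(key_exch_methods):
    """Review findings for a Main Mode string (thresholds are this example's)."""
    findings = []
    for i, (enc, hsh, grp) in enumerate(parse_mm_methods(key_exch_methods)):
        tag = f"method {i}"
        if enc == "DES":
            findings.append(f"{tag}: DES key exchange encryption is obsolete")
        if hsh == "MD5":
            findings.append(f"{tag}: MD5 hashing")
        if grp == 1:
            findings.append(f"{tag}: DH group 1 gives only {DH_BITS[1]} bits of keying material")
    return findings


if __name__ == "__main__":
    # Constructed sample strings, not taken from any real policy.
    qm = "ESP[3DES,SHA1]:100000k/3600s AH[MD5]+ESP[DES,NONE]:200000k/3600s"
    mm = "3DES-SHA1-2 DES-MD5-1"
    for line in audit_qm(qm) + audit_mm(mm):
        print(line)
```

Run it against the string you are about to pass to qmsecmethods or mmsecmethods; a ValueError means netsh would not accept the string either, and each finding is a line item for the policy review rather than something the tool changes for you.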
add rule
Creates an IPsec rule with the specified Main Mode policy and Quick Mode policy and adds it to the security policy database.
Syntax
add rule [ srcaddr = ] { Me | Any | IPAddress | IPRange | ServerType } [ dstaddr = ] { Me | Any | IPAddress | IPRange | ServerType } [ mmpolicy = ] MMPolicyName [ [ qmpolicy = ] QMPolicyName ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ mirrored = ] { yes | no } ] [ [ conntype = ] { lan | dialup | all } ] [ [ actioninbound = ] { permit | block | negotiate } ] [ [ actionoutbound = ] { permit | block | negotiate } ] [ [ srcmask = ] { Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ tunneldstaddress = ] { IPAddress | DNSName } ] [ [ kerberos = ] { yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]
Parameters
[ srcaddr = ] { Me | Any | IPAddress | IPRange | ServerType }
Required. Specifies the source IPv4 or IPv6 address, an IP address range, a DNS name, or a server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.
[ dstaddr = ] { Me | Any | IPAddress | IPRange | ServerType }
Required. Specifies the destination IPv4 or IPv6 address, an IP address range, a DNS name, or a server type for the IP traffic. For ServerType you can use WINS, DNS, DHCP, or gateway.
[ mmpolicy = ] MMPolicyName
Required. Specifies the name of the Main Mode policy.
[ [ qmpolicy = ] QMPolicyName ]
Specifies the name of the Quick Mode policy. Required if actioninbound=negotiate or actionoutbound=negotiate is specified.
[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
Specifies the IP protocol if, in addition to address information, you want to filter a specific IP protocol. The default value is ANY, meaning all protocols are used for the filter.
[ [ srcport = ] Integer ]
Specifies the source port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent from any port are filtered. The default is 0.
[ [ dstport = ] Integer ]
Specifies the destination port number of the packets to be filtered. This option only applies if you are filtering TCP or UDP packets. If 0 is specified, packets sent to any port are filtered. The default is 0.
[ [ mirrored = ] { yes | no } ]
Specifies whether to create a mirrored filter. Use yes to create two filters based on the filter settings, one for traffic to the destination and one for traffic from the destination. The default value is yes.
[ [ conntype = ] { lan | dialup | all } ]
Specifies whether the rule applies only to remote access/dial-up connections, to local area network (LAN) connections, or to all connections. The default value is all.
[ [ actioninbound = ] { permit | block | negotiate } ]
Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IPsec is used, with the list of security methods specified in the Main Mode and Quick Mode policies. The default value is negotiate.
[ [ actionoutbound = ] { permit | block | negotiate } ]
Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies. The default value is negotiate.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ tunneldstaddress = ] { IPAddress | DNSName } ]
Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel). The default is to not create a tunnel, but to use IPsec in Transport mode.
[ [ kerberos = ] { yes | no } ]
Specifies whether to use the Kerberos V5 protocol as an authentication method.
[ [ psk = ] PreSharedKey ]
Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
[ [ rootca = ] "CertName certmap:{ yes | no } excludecaname:{ yes | no }" ]
Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:
CertName
Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
certmap:{ yes | no }
Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
excludecaname:{ yes | no }
Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
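To show how the add rule parameters fit together, here is an added Python example (not code from the netsh reference or from Microsoft) that composes one add rule command line from keyword arguments and refuses the combinations the parameter descriptions rule out: no qmpolicy while either action is negotiate (the default for both), a srcport or dstport with a protocol other than TCP or UDP, a prefix length outside 1 through 32, or an unknown action or conntype. Treating the port restriction as a hard error is this example's assumption; the manual only says the option does not apply. Values containing spaces are quoted, and rootca is always emitted as the quoted three-element string the syntax shows.

```python
"""Compose a netsh 'ipsec dynamic add rule' line and check it against the
constraints documented for each parameter before it reaches a host."""
import re

PROTOCOLS = {"ANY", "ICMP", "TCP", "UDP", "RAW"}
ACTIONS = {"permit", "block", "negotiate"}
CONNTYPES = {"lan", "dialup", "all"}
_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _quote(value):
    """netsh parses name=value tokens; a value containing spaces needs quotes."""
    value = str(value)
    return f'"{value}"' if " " in value else value


def check_mask(mask):
    """Accept a prefix length 1..32 or a dotted IPv4 mask, as the manual allows."""
    text = str(mask)
    if text.isdigit():
        if not 1 <= int(text) <= 32:
            raise ValueError(f"prefix length must be 1 through 32, got {text}")
        return text
    m = _DOTTED.match(text)
    if m is None or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not a dotted mask or prefix length: {text!r}")
    return text


def build_add_rule(srcaddr, dstaddr, mmpolicy, qmpolicy=None, protocol="ANY",
                   srcport=0, dstport=0, mirrored="yes", conntype="all",
                   actioninbound="negotiate", actionoutbound="negotiate",
                   srcmask=None, dstmask=None, tunneldstaddress=None,
                   kerberos=None, psk=None, rootca=None):
    """Return the add rule command as one string, or raise ValueError."""
    proto = str(protocol).upper()
    if proto not in PROTOCOLS and not proto.isdigit():
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)} or a protocol number")
    # Manual: srcport/dstport only apply when filtering TCP or UDP packets.
    # Rejecting any other combination is this example's choice, not netsh's.
    if (int(srcport) or int(dstport)) and proto not in {"TCP", "UDP"}:
        raise ValueError("srcport/dstport only apply when protocol is TCP or UDP")
    for name, action in (("actioninbound", actioninbound), ("actionoutbound", actionoutbound)):
        if action not in ACTIONS:
            raise ValueError(f"{name} must be permit, block or negotiate")
    # Manual: qmpolicy is required if either action is negotiate (the default).
    if "negotiate" in (actioninbound, actionoutbound) and not qmpolicy:
        raise ValueError("qmpolicy is required when actioninbound or actionoutbound is negotiate")
    if conntype not in CONNTYPES:
        raise ValueError("conntype must be lan, dialup or all")
    if mirrored not in ("yes", "no"):
        raise ValueError("mirrored must be yes or no")

    parts = ["add rule",
             f"srcaddr={_quote(srcaddr)}", f"dstaddr={_quote(dstaddr)}",
             f"mmpolicy={_quote(mmpolicy)}"]
    if qmpolicy:
        parts.append(f"qmpolicy={_quote(qmpolicy)}")
    parts += [f"protocol={proto}", f"srcport={int(srcport)}", f"dstport={int(dstport)}",
              f"mirrored={mirrored}", f"conntype={conntype}",
              f"actioninbound={actioninbound}", f"actionoutbound={actionoutbound}"]
    if srcmask is not None:
        parts.append(f"srcmask={check_mask(srcmask)}")
    if dstmask is not None:
        parts.append(f"dstmask={check_mask(dstmask)}")
    if tunneldstaddress:
        parts.append(f"tunneldstaddress={tunneldstaddress}")
    if kerberos is not None:
        parts.append(f"kerberos={kerberos}")
    if psk is not None:
        parts.append(f"psk={_quote(psk)}")
    if rootca is not None:
        # The syntax always shows rootca as one quoted string of three elements.
        parts.append(f'rootca="{rootca}"')
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: require negotiated IPsec from this host to TCP port 445
    # anywhere in 10.0.0.0/8, authenticating with Kerberos. Policy names are made up.
    print(build_add_rule("Me", "10.0.0.0", "MM-Policy", qmpolicy="QM Policy",
                         protocol="TCP", dstport=445, dstmask=8, kerberos="yes"))
```

The returned line is what you would type at the ipsec dynamic> prompt after the Main Mode and Quick Mode policies it names exist; generating it this way keeps the required-parameter logic in one place when a script emits many rules.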
delete all
Deletes all IPsec policies, filters, and authentication methods, if possible, from the Security Policy Database (SPD).
Syntax
delete all
Parameters
None.
delete mmpolicy
Deletes the specified IPsec Main Mode policy, or all IPsec Main Mode policies, from the SPD.
Syntax
delete mmpolicy [ name = ]{ MMPolicyName | all }
Parameters
[ name = ] { MMPolicyName | all }
Required. Specifies the name of the IPsec Main Mode policy to delete. Or, if all is specified, all IPsec Main Mode policies are deleted.
delete qmpolicy
Deletes the specified IPsec Quick Mode policy, or all IPsec Quick Mode policies, from the SPD.
Syntax
delete qmpolicy [ name = ]{ QMPolicyName | all }
Parameters
[ name = ] { QMPolicyName | all }
Required. Specifies the name of the IPsec Quick Mode policy to delete. Or, if all is specified, all IPsec Quick Mode policies are deleted.
delete rule
Deletes an IPsec rule from the security policy database.
Syntax
delete rule [ srcaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ dstaddr = ]{ Me | Any | IPAddress | IPRange | ServerType } [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integer [ dstport = ] Integer [ mirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all } [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ]{ IPAddress | DNSName } ]
Parameters
[ srcaddr = ] { Me | Any | IPAddress | IPRange | ServerType }
Required. Specifies the source IP address, DNS name, or server type for the IP traffic. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ dstaddr = ] { Me | Any | IPAddress | IPRange | ServerType }
Required. Specifies the destination IP address, DNS name, or server type for the IP traffic. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer }
Required. Specifies the IP protocol used for the filter.
[ srcport = ] Integer
Required. Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
[ dstport = ] Integer
Required. Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
[ mirrored = ] { yes | no }
Required. Specifies whether the rule was created with mirrored filters.
[ conntype = ] { lan | dialup | all }
Required. Specifies whether the rule to be deleted applies only to remote access/dial-up connections, to local area network (LAN) connections, or to all connections.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ tunneldstaddress = ] { IPAddress | DNSName } ]
Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel).
delete sa
Deletes Main Mode security associations.
Syntax
delete sa [ [ srcaddr = ]{ IPv4Address } ] [ [ dstaddr = ]{ IPv4Address } ]
Parameters
[ [ srcaddr = ] { IPv4Address } ]
Specifies the source IPv4 address to match against existing SAs.
[ [ dstaddr = ] { IPv4Address } ]
Specifies the destination IPv4 address to match against existing SAs.
set config
Creates or modifies the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.
Syntax
set config [ property = ]{ PropertyToSet } [ value = ] ValueToAssign
Parameters
The property must be specified, and can be any of the options shown here:
IPsecdiagnostics { 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 }
Specifies whether to enable IPsec diagnostic logging and, if so, which level of logging to provide. The default value is 0, meaning that logging is disabled. If you change the value for this setting, you must restart the computer for the new value to take effect. You can specify other values as follows, to enable different levels of logging:
• 1: Bad SPI packets (the total number of packets for which the Security Parameters Index or SPI was incorrect), IKE negotiation failures, IPsec processing failures, packets received with packet syntax that is not valid, and other errors are recorded in the System log. Unauthenticated hashes (with the exception of the "Clear text received when should have been secured" event) are logged as well.
• 2: Inbound per-packet drop events are recorded in the System log.
• 3: Level 1 and level 2 logging are performed. In addition, unexpected clear text events (packets that are sent or received in plaintext) are also recorded.
• 4: Outbound per-packet drop events are recorded in the System log.
• 5: Level 1 and level 4 logging are performed.
• 6: Level 2 and level 4 logging are performed.
• 7: All levels of logging are performed.
ikelogging { 0 | 1 }
Specifies whether to enable IKE (Oakley) logging, to generate details about the SA establishment process. The default value is 0, meaning that IKE logging is disabled.
strongcrlcheck { 0 | 1 | 2 }
Specifies the level of CRL checking to use. The default value is 1.
• 0: CRL checking is disabled.
• 1: Standard CRL checking is used, and certificate validation fails only if the certificate is determined to be revoked.
• 2: Strong CRL checking is used, and certificate validation fails if any CRL check error occurs.
IPsecloginterval { Integer }
Specifies the interval, in seconds, after which IPsec event logs are sent to the System log. For Integer, valid values range from 60 through 86400. The default value is 3600. If you change the value for this setting, you must restart the computer for the new value to take effect.
IPsecexempt { 0 | 1 | 2 | 3 }
Specifies whether to modify the default IPsec traffic exemption (traffic that is not matched against IPsec filters but is still permitted). The default value is 3. If you change the value for this setting, you must restart the computer for the new value to take effect. You can specify other values as follows:
• 0: Multicast, broadcast, RSVP, Kerberos, and IKE traffic is exempted from IPsec filtering.
• 1: Only multicast, broadcast, and IKE traffic is exempted from IPsec filtering (Kerberos and RSVP traffic is not exempted).
• 2: Only RSVP, Kerberos, and IKE traffic is exempted from IPsec filtering (multicast and broadcast traffic is not exempted).
• 3: Only IKE traffic is exempted.
bootmode { stateful | block | permit }
Specifies the action that IPsec is required to take when the computer starts.
• stateful: Only the following traffic is permitted during computer startup: outbound traffic initiated by the computer during startup, inbound traffic that is sent in response to the outbound traffic, and DHCP traffic.
• block: All inbound and outbound traffic is blocked until a local IPsec policy or a domain-based IPsec policy is applied.
• permit: All traffic is transmitted and received.
The default value is stateful. If you use either of the values stateful or block, you can use the bootexemptions parameter to specify traffic types that you want to exempt from IPsec filtering during computer startup. If you change the value for this setting, you must restart the computer for the new value to take effect.
bootexemptions { none | "Exempt1 Exempt2 …" }
Specifies one or more IPsec traffic exemptions from startup security, separated by spaces and defined by the following format for TCP and UDP traffic: protocol:srcport:dstport:direction and the following format for non-TCP/UDP traffic: protocol:direction, where:
protocol = { ICMP | TCP | UDP | RAW | Integer }
Specifies the IP protocol type to exempt from IPsec filtering during computer startup.
srcport = Port
Specifies the source port number of the packets to exempt from IPsec filtering during computer startup. A value of 0 means that any source port is exempted.
dstport = Port
Specifies the destination port number of the packets to exempt from IPsec filtering during computer startup. A value of 0 means that any destination port is exempted.
direction = { inbound | outbound }
Specifies the direction of the traffic to exempt from IPsec filtering during computer startup.
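The bootexemptions value is easy to get wrong because TCP/UDP entries take four fields and every other protocol takes two, and the reference notes that exemptions only matter when bootmode is stateful or block. The following Python validator is an added example, not code from the netsh reference: it parses a bootexemptions value against the two formats above and reviews it together with bootmode before the setting is applied. Mapping the integer protocol numbers 6 and 17 onto the TCP/UDP form, and the findings it reports (an exemption that matches every port, exemptions combined with permit), are this example's own assumptions.

```python
# Validator for the bootmode and bootexemptions values of "netsh ipsec dynamic set config".
# Added example, not part of the netsh reference: it checks a value before you type it.
PROTOCOLS = {"ICMP", "TCP", "UDP", "RAW"}
DIRECTIONS = {"inbound", "outbound"}
BOOTMODES = {"stateful", "block", "permit"}
# Assumption of this example: an integer protocol number of 6 or 17 is TCP or UDP traffic
# and therefore takes the four-field form the reference prescribes for TCP/UDP.
PROTOCOL_NUMBERS = {6: "TCP", 17: "UDP"}


def parse_protocol(token):
    """Return ICMP/TCP/UDP/RAW or an integer IP protocol number (0-255)."""
    upper = token.upper()
    if upper in PROTOCOLS:
        return upper
    if token.isdigit() and int(token) <= 255:
        return PROTOCOL_NUMBERS.get(int(token), int(token))
    raise ValueError(f"unknown protocol {token!r}")


def parse_port(token, label):
    """Ports are 0 through 65535; 0 means any port, as the reference states."""
    if not token.isdigit() or int(token) > 65535:
        raise ValueError(f"{label} must be 0 through 65535, got {token!r}")
    return int(token)


def parse_bootexemption(entry):
    """Parse one exemption: protocol:srcport:dstport:direction for TCP/UDP,
    protocol:direction for everything else."""
    fields = entry.split(":")
    protocol = parse_protocol(fields[0])
    if protocol in ("TCP", "UDP"):
        if len(fields) != 4:
            raise ValueError(f"{entry!r}: TCP/UDP exemptions need protocol:srcport:dstport:direction")
        srcport = parse_port(fields[1], "srcport")
        dstport = parse_port(fields[2], "dstport")
        direction = fields[3]
    else:
        if len(fields) != 2:
            raise ValueError(f"{entry!r}: non-TCP/UDP exemptions need protocol:direction")
        srcport = dstport = None
        direction = fields[1]
    if direction.lower() not in DIRECTIONS:
        raise ValueError(f"{entry!r}: direction must be inbound or outbound")
    return {"protocol": protocol, "srcport": srcport, "dstport": dstport,
            "direction": direction.lower()}


def parse_bootexemptions(value):
    """Parse the whole value: the keyword none, or a space-separated, quoted list."""
    value = value.strip().strip('"')
    if value.lower() == "none":
        return []
    return [parse_bootexemption(token) for token in value.split()]


def review_startup_config(bootmode, bootexemptions):
    """Return the findings a reviewer would raise about a startup-security setting."""
    bootmode = bootmode.lower()
    if bootmode not in BOOTMODES:
        raise ValueError(f"bootmode must be one of {sorted(BOOTMODES)}")
    findings = []
    exemptions = parse_bootexemptions(bootexemptions)
    if bootmode == "permit" and exemptions:
        # The reference: exemptions only apply with bootmode stateful or block.
        findings.append("bootmode=permit passes all startup traffic; bootexemptions has no effect")
    for ex in exemptions:
        if ex["protocol"] in ("TCP", "UDP") and ex["srcport"] == 0 and ex["dstport"] == 0:
            findings.append(f"{ex['protocol']} {ex['direction']} exemption matches every port")
    return findings


if __name__ == "__main__":
    # Constructed sample value: a host that must accept RDP and ICMP during startup.
    sample = '"TCP:0:3389:inbound ICMP:inbound"'
    for ex in parse_bootexemptions(sample):
        print(ex)
    print(review_startup_config("block", sample))
```

Run it with the value you intend to pass as bootexemptions; a ValueError names the malformed entry, and an empty findings list with bootmode stateful or block means the value is consistent with the format the reference describes.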
set mmpolicy
Modifies an IPsec Main Mode policy and writes the changes to the security policy database.
Syntax
set mmpolicy name = PolicyName [ qmperm = Integer ] [ mmlifetime = Integer ] [ softsaexpirationtime = Integer ] [ mmsecmethods = "KeyExchMethods" ]
Parameters
name = PolicyName
Required. Specifies the name of the IPsec Main Mode policy to modify.
[ qmperm = Integer ]
Specifies the number of times that master keying material is used to derive the session key. A value of 0 means that an unlimited number of Quick Mode SAs can be derived from the Main Mode SA.
[ mmlifetime = Integer ]
Specifies the number of minutes after which a new master key is generated.
[ softsaexpirationtime = Integer ]
Specifies the number of minutes after which an unprotected security association expires.
[ mmsecmethods = "KeyExchMethods" ]
Specifies one or more key exchange security methods, separated by spaces. Each method is described by a string of the following format:
EncAlg-HashAlg-GroupNum
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES or 3DES.
HashAlg
Specifies the hashing algorithm. HashAlg can be MD5 or SHA1.
GroupNum
Specifies the Diffie-Hellman group to be used for the base keying material. GroupNum can be: 1 (low, protects with 768 bits of keying material), 2 (medium, protects with 1024 bits), and 3 (high, protects with 2048 bits).
set qmpolicy
Modifies an IPsec Quick Mode policy and writes the changes to the SPD.
Syntax
set qmpolicy name = PolicyName [ soft = { yes | no } ] [ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ] [ qmsecmethods = "SecMethodsString" ]
Parameters
name = PolicyName
Required. Specifies the name of the IPsec Quick Mode policy to modify.
[ soft = { yes | no } ]
Specifies whether to fall back to unsecured communications with other computers that do not support IPsec, or when IPsec negotiations with an IPsec-capable computer fail.
[ pfsgroup = { grp1 | grp2 | grp3 | grpmm | nopfs } ]
Specifies the Diffie-Hellman group to use for session key PFS. If grp1 is specified, Group 1 (low, with 768 bits of keying material) is used. If grp2 is specified, Group 2 (medium, with 1024 bits of keying material) is used. If grp3 is specified, Group 3 (high, with 2048 bits of keying material) is used. If grpmm is specified, the group value is taken from the current Main Mode settings.
[ qmsecmethods = "SecMethodsString" ]
Changes the string that specifies one or more security methods. Each method is described by one of the following formats, separated by spaces:
• ESP[EncAlg,AuthAlg]:numk/nums
• AH[HashAlg]:numk/nums
• AH[HashAlg]+ESP[EncAlg,AuthAlg]:numk/nums
Where:
EncAlg
Specifies the encryption algorithm. EncAlg can be DES, 3DES, or none.
AuthAlg
Specifies the integrity algorithm. AuthAlg can be MD5, SHA1, or none.
HashAlg
Specifies the hash function. HashAlg can be MD5 or SHA1.
k
Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
s
Specifies the session key lifetime in seconds. The default value is 3600 seconds.
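The mmsecmethods format of set mmpolicy (EncAlg-HashAlg-GroupNum) and the three qmsecmethods formats of set qmpolicy are compact enough that a typo or a weak choice passes unnoticed until negotiation fails or a review asks why DES is still in use. The following Python parser is an added example, not code from the netsh reference: it validates both strings against the formats given above and reports the settings a reviewer would flag. Treating DES, MD5 and Diffie-Hellman group 1 as weak, and flagging ESP with no integrity algorithm when no AH is combined with it, are this example's own judgement rather than statements of the reference; the reference's typographic spaces inside a method (AH [ HashAlg ]: num k/ num s) are not accepted, since methods are separated by spaces.

```python
import re

# Tokens the reference lists for Main Mode (EncAlg-HashAlg-GroupNum) and Quick Mode
# (ESP[EncAlg,AuthAlg]:numk/nums, AH[HashAlg]:numk/nums, AH[...]+ESP[...]:numk/nums).
# Added example, not netsh's own code.
MM_ENC = {"DES", "3DES"}
HASHES = {"MD5", "SHA1"}
QM_ENC = {"DES", "3DES", "NONE"}
QM_AUTH = {"MD5", "SHA1", "NONE"}
DH_GROUPS = {1: "low, 768 bits", 2: "medium, 1024 bits", 3: "high, 2048 bits"}
# Reviewer's judgement, not a statement of the reference: DES and MD5 are deprecated.
WEAK_ALGS = {"DES", "MD5"}

_ESP = re.compile(r"^ESP\[(\w+),(\w+)\]$", re.IGNORECASE)
_AH = re.compile(r"^AH\[(\w+)\]$", re.IGNORECASE)
_LIFETIME = re.compile(r"^(\d+)k/(\d+)s$", re.IGNORECASE)


def parse_mm_method(token):
    """Parse one key exchange method, e.g. 3DES-SHA1-2."""
    parts = token.split("-")
    if len(parts) != 3:
        raise ValueError(f"{token!r}: expected EncAlg-HashAlg-GroupNum")
    enc, hsh, grp = parts[0].upper(), parts[1].upper(), parts[2]
    if enc not in MM_ENC or hsh not in HASHES:
        raise ValueError(f"{token!r}: unknown algorithm")
    if not grp.isdigit() or int(grp) not in DH_GROUPS:
        raise ValueError(f"{token!r}: GroupNum must be 1, 2 or 3")
    return {"enc": enc, "hash": hsh, "group": int(grp)}


def parse_qm_method(token):
    """Parse one Quick Mode method, e.g. AH[SHA1]+ESP[3DES,SHA1]:100000k/3600s."""
    algs, sep, lifetime = token.rpartition(":")
    life = _LIFETIME.match(lifetime) if sep else None
    if life is None:
        raise ValueError(f"{token!r}: expected ...:numk/nums lifetime")
    result = {"ah": None, "esp": None,
              "kbytes": int(life.group(1)), "seconds": int(life.group(2))}
    for part in algs.split("+"):
        esp, ah = _ESP.match(part), _AH.match(part)
        if esp:
            enc, auth = esp.group(1).upper(), esp.group(2).upper()
            if enc not in QM_ENC or auth not in QM_AUTH:
                raise ValueError(f"{part!r}: unknown ESP algorithm")
            result["esp"] = (enc, auth)
        elif ah:
            hsh = ah.group(1).upper()
            if hsh not in HASHES:
                raise ValueError(f"{part!r}: unknown AH hash")
            result["ah"] = hsh
        else:
            raise ValueError(f"{part!r}: expected ESP[...] or AH[...]")
    return result


def parse_methods(value, parser):
    """Split a quoted, space-separated method string and parse each method."""
    return [parser(token) for token in value.strip().strip('"').split()]


def review_methods(mmsecmethods, qmsecmethods):
    """Return findings about weak settings in the two method strings."""
    findings = []
    for m in parse_methods(mmsecmethods, parse_mm_method):
        label = f"{m['enc']}-{m['hash']}-{m['group']}"
        if {m["enc"], m["hash"]} & WEAK_ALGS:
            findings.append(f"Main Mode {label}: deprecated algorithm")
        if m["group"] == 1:
            findings.append(f"Main Mode {label}: DH group 1 ({DH_GROUPS[1]})")
    for q in parse_methods(qmsecmethods, parse_qm_method):
        used = set(q["esp"] or ()) | ({q["ah"]} if q["ah"] else set())
        if used & WEAK_ALGS:
            findings.append(f"Quick Mode {q}: deprecated algorithm")
        if q["esp"] and q["esp"][1] == "NONE" and q["ah"] is None:
            findings.append(f"Quick Mode {q}: ESP with no integrity protection")
    return findings


if __name__ == "__main__":
    # Constructed sample strings, as they would be passed to set mmpolicy / set qmpolicy.
    mm = '"3DES-SHA1-2 DES-MD5-1"'
    qm = '"ESP[3DES,SHA1]:100000k/3600s AH[SHA1]+ESP[3DES,none]:100000k/3600s ESP[DES,none]:50000k/900s"'
    for finding in review_methods(mm, qm):
        print(finding)
```

A ValueError identifies the method that does not match any of the formats, so the string can be corrected before netsh rejects it; the findings list is the part to act on in a policy review.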
set rule
Modifies an IPsec rule that defines a set of filters and writes the changes to the SPD.
Syntax
set rule [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } [ srcport = ] Integer [ dstport = ] Integer [ mirrored = ]{ yes | no } [ conntype = ]{ lan | dialup | all }
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ tunneldstaddress = ] { IPAddress | DNSName } ] [ [ mmpolicy = ] MainModePolicyName ] [ [ qmpolicy = ] QuickModePolicyName ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ kerberos = ]{ yes | no } ] [ [ psk = ] PreSharedKey ] [ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]
Parameters
[ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
Required. Specifies the source IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.
[ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType }
Required. Specifies the destination IP address or range, DNS name, or server type for the IP traffic being matched. For ServerType you can use WINS, DNS, DHCP, or gateway.
[ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer }
Specifies the IP protocol if, in addition to addressing information, a specific IP protocol is filtered. A value of ANY matches filters with a protocol setting of any.
[ srcport = ] Integer
Required. Specifies the source port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
[ dstport = ] Integer
Required. Specifies the destination port number of the packets being filtered. This option only applies if you are filtering TCP or UDP packets.
[ mirrored = ] { yes | no }
Required. Specifies whether the rule was created with mirrored filters.
[ conntype = ] { lan | dialup | all }
Required. Specifies whether the rule applies only to remote access or dial-up connections, only to local area network (LAN) connections, or to all connections.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ tunneldstaddress = ] { IPAddress | DNSName } ]
Specifies whether the traffic is tunneled and, if it is, the IP address or DNS name of the tunnel destination (the computer or gateway on the other side of the tunnel).
[ [ mmpolicy = ] MainModePolicyName ]
Specifies the name of the Main Mode policy.
[ [ qmpolicy = ] QuickModePolicyName ]
Specifies the name of the Quick Mode policy.
[ [ actioninbound = ] { permit | block | negotiate } ]
Specifies the action that IPsec is required to take for inbound traffic. If permit is specified, traffic is received without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies.
[ [ actionoutbound = ] { permit | block | negotiate } ]
Specifies the action that IPsec is required to take for outbound traffic. If permit is specified, traffic is sent without negotiating or applying IP security. If block is specified, traffic is blocked. If negotiate is specified, IP security is used, with the list of security methods specified in the Main Mode and Quick Mode policies.
[ [ kerberos = ] { yes | no } ]
Specifies whether to use the Kerberos V5 protocol as an authentication method.
[ [ psk = ] PreSharedKey ]
Specifies the string of characters to use for the preshared key, if a preshared key is used as an authentication method.
[ [ rootca = ] "String certmap:{ yes | no } excludecaname:{ yes | no }" ]
Specifies certificate authentication options. The argument is a string in quotes that contains the following elements:
String
Specifies the distinguished name of the certificate, if a certificate is used as an authentication method.
certmap:{ yes | no }
Specifies whether to enable certificate-to-account mapping. You can enable certificate-to-account mapping to verify that the certificate is being used by a trusted computer.
excludecaname:{ yes | no }
Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
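A set rule command carries a dozen parameters whose interactions the reference states only in passing: srcport and dstport apply only to TCP or UDP, srcmask and dstmask accept either a dotted mask or a prefix length of 1 through 32 and default to 255.255.255.255, and a negotiate action is only meaningful together with one of the authentication methods (kerberos, psk, rootca). The following Python reviewer is an added example, not code from the netsh reference or from netsh itself: it parses the key=value tokens of one set rule command line, normalises both mask forms, and reports the inconsistencies just listed. Requiring an authentication method whenever negotiate is requested is this example's own assumption; the sample command line is constructed, and tokens are expected as key=value without spaces around the equals sign.

```python
import ipaddress
import shlex

# Keywords from the set rule reference above. Added example, not netsh's own code.
ACTIONS = {"permit", "block", "negotiate"}
REQUIRED = ("srcaddr", "dstaddr", "protocol", "srcport", "dstport", "mirrored", "conntype")
PORT_PROTOCOLS = {"TCP", "UDP"}


def prefix_to_mask(prefix):
    """Turn a prefix length (1 through 32, as the reference allows) into a dotted mask."""
    if not 1 <= prefix <= 32:
        raise ValueError("prefix must be in the range 1 through 32")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def normalise_mask(value):
    """Accept a dotted mask or a prefix length; return (mask, prefix).
    None yields the reference's default of 255.255.255.255."""
    if value is None:
        return "255.255.255.255", 32
    if value.isdigit():
        prefix = int(value)
        return prefix_to_mask(prefix), prefix
    # IPv4Network rejects a non-contiguous mask with a ValueError subclass.
    net = ipaddress.IPv4Network(f"0.0.0.0/{value}")
    return str(net.netmask), net.prefixlen


def parse_rule_args(cmdline):
    """Split the key=value tokens typed after 'netsh ipsec dynamic set rule'.
    shlex keeps quoted values such as rootca="CN=... certmap:yes" together."""
    args = {}
    for token in shlex.split(cmdline):
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        key, value = token.split("=", 1)
        args[key.lower()] = value
    return args


def review_rule(cmdline):
    """Return (normalised args, findings) for one set rule command line."""
    args = parse_rule_args(cmdline)
    findings = [f"missing required parameter {p}" for p in REQUIRED if p not in args]
    protocol = args.get("protocol", "ANY").upper()
    if protocol not in PORT_PROTOCOLS:
        # The reference: srcport and dstport only apply when filtering TCP or UDP.
        for port in ("srcport", "dstport"):
            if args.get(port, "0") != "0":
                findings.append(f"{port}={args[port]} is ignored for protocol {protocol}")
    for side in ("srcmask", "dstmask"):
        mask, prefix = normalise_mask(args.get(side))
        args[side] = mask
        args[side + "_prefix"] = prefix
    actions = {a: args[a].lower() for a in ("actioninbound", "actionoutbound") if a in args}
    for name, action in actions.items():
        if action not in ACTIONS:
            findings.append(f"{name}={action} is not permit, block or negotiate")
    # Assumption of this example: a negotiate action needs one of the reference's
    # authentication methods (kerberos=yes, psk, or rootca) to be usable.
    has_auth = (args.get("kerberos", "").lower() == "yes"
                or bool(args.get("psk")) or bool(args.get("rootca")))
    if "negotiate" in actions.values() and not has_auth:
        findings.append("negotiate requested without an authentication method (kerberos, psk or rootca)")
    return args, findings


if __name__ == "__main__":
    # Constructed sample: negotiate IPsec for inbound RDP from one subnet, Kerberos auth.
    sample = ("srcaddr=192.0.2.0 srcmask=24 dstaddr=me protocol=TCP srcport=0 dstport=3389 "
              "mirrored=yes conntype=all actioninbound=negotiate kerberos=yes")
    args, findings = review_rule(sample)
    print(args["srcmask"], args["srcmask_prefix"], findings)
```

The normalised args dictionary is also convenient for comparing the rule you are about to set against what show rule reports, since both then express masks in dotted form.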
show all
Displays configuration information for all IPsec policies, filters, statistics, and security associations in the security policy database.
Syntax
show all [ [ resolvedns = ]{ yes | no } ]
Parameters
[ [ resolvedns = ] { yes | no } ]
Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations.
show config
Displays values for the following IPsec settings: IPsec diagnostics, default traffic exemptions, strong certificate revocation list (CRL) checking, IKE (Oakley) logging, logging intervals, computer startup security, and computer startup traffic exemptions.
Syntax
show config
show mmfilter
Displays configuration information for the specified IPsec Main Mode filter, or for all IPsec Main Mode filters, in the SPD.
Syntax
show mmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ]
[ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ resolvedns = { yes | no } ]
Parameters
{ [ name = ] FilterName | all }
Required. Specifies the name of the IPsec Main Mode filter to display. If all is specified, all IPsec Main Mode filters are displayed.
[ [ type = ] { generic | specific } ]
Specifies whether to display generic or specific Main Mode filters. The default value is generic.
[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix value of the packets to be filtered. You can specify a prefix value in the range of 1 through 32. The default value is the mask of 255.255.255.255.
[ resolvedns = { yes | no } ]
Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.
show mmpolicy
Displays configuration information for the specified IPsec Main Mode policy, or for all IPsec Main Mode policies, in the SPD.
Syntax
show mmpolicy { [ name = ] PolicyName | all }
Parameters
{ [ name = ] PolicyName | all }
Required. Specifies the name of the IPsec Main Mode policy to display. Or, if all is specified, all IPsec Main Mode policies are displayed.
show mmsas
Displays the IPsec Main Mode security associations for the specified source and destination addresses, or all IPsec Main Mode security associations, in the SPD.
Syntax
show mmsas [ all ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ format = ]{ list | table } ] [ [ resolvedns = ]{ yes | no } ]
Parameters
[ all ]
Specifies that all Main Mode security associations are displayed. This is the default option if no other parameters are specified.
[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies the source IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies the destination IP address, either IPv4 or IPv6, or an IPv4 or IPv6 address range, DNS name, or server type for the IP traffic. For ServerType, you can use WINS, DNS, DHCP, or GATEWAY.
[ [ format = ] { list | table } ]
Specifies whether to display IPsec configuration information in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ resolvedns = ] { yes | no } ]
Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.
show qmfilter
Displays configuration information for the specified Quick Mode filter, or for all Quick Mode filters, in the SPD.
Syntax
show qmfilter { [ name = ] FilterName | all } [ [ type = ]{ generic | specific } ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ]{ Mask | Prefix } ] [ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns={ yes | no} ] ]
Parameters
{ [ name = ] FilterName | all }
Required. Specifies the name of the IPsec Quick Mode filter to display. If all is specified then all IPsec Quick Mode filters are displayed.
[ [ type = ] { generic | specific } ]
Specifies whether to display generic or specific Quick Mode filters. The default value is generic.
[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies that only filters matching the specified source IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies that only filters matching the destination IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies the source address subnet mask or the prefix of the packets being filtered. You can specify a prefix value in the range of 1 through 32.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies the destination address subnet mask or the prefix value of the packets being filtered. You can specify a prefix value in the range of 1 through 32.
[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
Specifies that only filters that match the IP protocol are displayed.
[ [ srcport = ] Integer ]
Specifies that only filters that match the source port number are displayed.
[ [ dstport = ] Integer ]
Specifies that only filters that match the destination port number are displayed.
[ [ actioninbound = ] { permit | block | negotiate } ]
Specifies that only filters matching the inbound action are displayed.
[ [ actionoutbound = ] { permit | block | negotiate } ]
Specifies that only filters matching the outbound action are displayed.
show qmpolicy
Displays configuration information for the specified IPsec Quick Mode policy, or for all IPsec Quick Mode policies, in the SPD.
Syntax
show qmpolicy { [ name = ] PolicyName | all }
Parameters
{ [ name = ] PolicyName | all }
Required. Specifies the name of the IPsec Quick Mode policy to display. If all is specified, all IPsec Quick Mode policies are displayed.
show qmsas
Displays the IPsec Quick Mode security associations for the specified source and destination addresses, or all IPsec Quick Mode security associations, in the SPD.
Syntax
show qmsas [ all ] [ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ]
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType} ] [ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ format = ] { list | table } ] [ [ resolvedns={ yes | no} ] ]
Parameters
[ all ]
Specifies that all IPsec Quick Mode security associations are displayed. This is the default option if no other parameters are specified.
[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies that only SAs that match the source IPv4 or IPv6 address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies that only SAs that match the destination IPv4 or IPv6 address, address range, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
Specifies that only SAs that match the IP protocol are displayed, if, in addition to addressing information, a specific IP protocol is being used for the security association.
[ [ format = ] { list | table } ]
Specifies whether to display the results in screen or tab-delimited format. The default value is list, meaning that output is displayed in screen format.
[ [ resolvedns = ] { yes | no } ]
Specifies whether to resolve the Domain Name System (DNS) or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.
show rule
Displays configuration information for one or more IPsec rules in the SPD.
Syntax
show rule [ [ type = ]{ transport | tunnel } ] [ [ srcaddr = ]{ me | any | IPAddr | IPAddr-IPAddr |ServerType} ] [ [ dstaddr = ]{ me | any | IPAddr | IPAddr-IPAddr |ServerType} ]
[ [ srcmask = ]{ Mask | Prefix } ] [ [ dstmask = ] { Mask | Prefix } ] [ [ protocol = ]{ ANY | ICMP | TCP | UDP | RAW | Integer } ] [ [ srcport = ] Integer ] [ [ dstport = ] Integer ] [ [ actioninbound = ]{ permit | block | negotiate } ] [ [ actionoutbound = ]{ permit | block | negotiate } ] [ [ resolvedns = ]{ yes | no} ]
Parameters
[ [ type = ] { transport | tunnel } ]
Specifies whether to display transport rules or tunnel rules. The default value is to display all rules.
[ [ srcaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies that only rules matching the source IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ [ dstaddr = ] { me | any | IPAddr | IPAddr-IPAddr | ServerType } ]
Specifies that only rules matching the destination IP address, DNS name, or server type are displayed. You can use WINS, DNS, DHCP, or gateway for ServerType.
[ [ srcmask = ] { Mask | Prefix } ]
Specifies that only rules matching the source address subnet mask or the prefix of the packets are displayed. You can specify a prefix value in the range of 1 through 32.
[ [ dstmask = ] { Mask | Prefix } ]
Specifies that only rules matching the destination address subnet mask or the prefix of the packets are displayed. You can specify a prefix value in the range of 1 through 32.
[ [ protocol = ] { ANY | ICMP | TCP | UDP | RAW | Integer } ]
Specifies that only rules that match the IP protocol are displayed.
[ [ srcport = ] Integer ]
Specifies that only rules that match the source port number are displayed.
[ [ dstport = ] Integer ]
Specifies that only rules that match the destination port number are displayed.
[ [ actioninbound = ] { permit | block | negotiate } ]
Specifies that only rules matching the inbound action are displayed.
[ [ actionoutbound = ] { permit | block | negotiate } ]
Specifies that only rules matching the outbound action are displayed.
[ [ resolvedns = ] { yes | no } ]
Specifies whether to resolve the DNS or NETBIOS computer name associated with an IP address when displaying sources or destinations. The default value is no.
show stats
Displays Main Mode and Quick Mode statistics for IPsec.
Syntax
show stats [ [type = ]{ all | ike | ipsec } ]
Parameters
[ [ type = ] { all | ike | ipsec } ]
Specifies the IPsec statistics to display. If all is specified, IPsec Main Mode and Quick Mode statistics are displayed. If ike is specified, only IPsec Main Mode statistics are displayed. If ipsec is specified, only IPsec Quick Mode statistics are displayed.
Netsh Commands for Wired Local Area Network (LAN)
The Netsh commands for wired local area network (LAN) provide methods to configure connectivity and security settings for computers running Windows Vista® and Windows Server® 2008. You can use the Netsh LAN commands to configure the local computer or to configure multiple computers by using a logon script. You can also use the netsh LAN commands to view wired 802.1X Group Policy and to administer user wired 802.1X settings.
Netsh LAN commands
add profile
Adds a LAN profile to the specified interface on the computer.
Syntax
add profile filename= PathAndProfileName [[interface=]InterfaceName]
Parameters
Filename
Required. Specifies the path and name of the XML file containing the profile data.
Interface
Optional. Specifies the name of the interface on which the profile will be set (where InterfaceName is the name of the interface as displayed in Network Connections or as rendered by the netsh lan show interfaces command).
Example command
add profile filename=C:\Users\WiredUser\Documents\profile1.xml interface="Local Area Connection"
delete profile
Removes a LAN profile from one or multiple interfaces.
Syntax
delete profile interface= InterfaceName
Parameters
Interface
Required. Specifies the name of the interface on which the profile is to be deleted (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).
Example commands
delete profile interface="Local Area Connection"
delete profile interface=L*
export profile
Saves LAN profiles as XML files to a specified location.
Syntax
export profile folder= PathAndFileName [[interface=]InterfaceName]
Parameters
Folder
Required. Specifies the path and file name for the profile XML file.
Interface
Optional. Specifies the name of the interface on which the profile is configured (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).
Example commands
export profile folder=c:\Users\user\Documents\ interface="Local Area Connection"
export profile folder=c:\Users\user\Documents\
reconnect
Attempts to reauthenticate to a wired network by using the specified interface.
Syntax
reconnect [[interface=]InterfaceName]
Parameters
Interface
Optional. Specifies the interface that is used for the connection attempt (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).
Example command
reconnect interface="Local Area Connection"
set autoconfig
Enables or disables Wired AutoConfig Service on an interface.
Syntax
set autoconfig enabled={yes|no} interface=InterfaceName
Parameters
Enabled
Required. Specifies whether to set Wired AutoConfig Service to enabled or disabled.
Interface
Required. Specifies the name of the interface on which the service is enabled or disabled (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).
Example command
set autoconfig enabled=yes interface="Local Area Connection"
set profileparameter
Sets parameters in a wired network profile.
Syntax
set profileparameter name= ProfileName [[interface=]InterfaceName] [[authMode=]{machineOrUser|machineOnly|userOnly|guest}] [[ssoMode=]{preLogon|postLogon|none}] [[maxDelay=]1-120] [[allowDialog=]{yes|no}] [[userVLAN=]{yes|no}]
Parameters
Name
Required. Specifies the name of the profile to set (where ProfileName is the name of the profile, as rendered by the netsh lan show profile command).
Interface
Optional. Specifies the name of the interface on which the profile is set (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).
AuthMode
Optional [conditional, see "Remarks"]. Specifies the type of credentials to be used for authentication.
SSOMode
Optional [conditional, see "Remarks"]. Specifies the type of single sign-on (SSO) to be attempted, if any.
MaxDelay
Optional [conditional, see "Remarks"]. Specifies the timeout value allowed to establish the single sign-on connection.
AllowDialog
Optional [conditional, see "Remarks"]. Specifies whether to allow or disallow a dialog to be shown for preLogon.
UserVLAN
Optional [conditional, see "Remarks"]. Specifies whether the network switches to a different VLAN on user authentication.
Example commands
set profileparameter name="Profile 1" authMode=userOnly ssoMode=preLogon
set profileparameter name=Profile2 interface="Local Area Connection" ssoMode=none
set tracing
Enables or disables wired tracing.
Syntax
set tracing [[mode=]{yes|no|persistent}]
Parameters
Mode
Required. Specifies whether wired tracing is disabled, enabled and persistent, or enabled and nonpersistent. See "Remarks" for additional information.
Example command
set tracing mode=persistent
show interfaces
Displays a list of the current wired interfaces on the computer.
Syntax
show interfaces
Parameters
There are no parameters for this command.
Example command
show interfaces
show profiles
Displays a list of wired profiles that are configured on the computer.
Syntax
show profiles [[interface=]InterfaceName]
Parameters
Interface
Optional. Specifies the name of the interface which has this profile configured (where InterfaceName is the name of the interface as displayed in Network Connections, or as rendered by the netsh lan show interfaces command).
Example commands
show profiles interface="Local Area Connection"
show profiles
show settings
Displays the current global settings of the wired LAN
Syntax
show settings
Parameters
There are no parameters for this command.
Example command
show settings
show tracing
Displays whether wired tracing is enabled or disabled.
Syntax
show tracing
Parameters
There are no parameters for this command.
Example command
show tracing
Netsh Commands for NAP Client
NAP client commands
The following entries provide details for each command.
add server
Adds the uniform resource locator (URL) of a Health Registration Authority (HRA) server to a trusted server group.
Syntax
add server [ group = ] group [ url = ] url [ [ processingorder = ] processingorder ]
Parameters
group
Required. Specifies the name of the trusted server group to which you want to add an HRA server.
url
Required. Specifies the URL of an HRA server that you want to add to the trusted server group. If the trusted server group requires server verification (https:), then the URL must contain the https:// prefix.
processingorder
Optional. Designates the processing order of the HRA URL in the list of URLs in the trusted server group. If you do not specify the processing order, the URL is added to the end of the list and is processed last.
Example
add server group = "group1" url = "url1" processingorder = "1"
add trustedservergroup
Adds a trusted server group.
Syntax
add trustedservergroup [ name = ] name [ [ requirehttps = ] ENABLE | DISABLE ]
Parameters
name
Required. Specifies the name of the trusted server group that you want to add to the NAP client configuration.
requirehttps
Optional. Specifies whether server verification (https:) is required for all servers in this group. If not specified, https: is enabled by default.
Example
add trustedservergroup name = "group1" requirehttps = "ENABLE"
delete server
Deletes the URL of an HRA server from the specified trusted server group.
Syntax
delete server [ group = ] group [ url = ] url
Parameters
group
Required. Specifies the name of the trusted server group from which you want to remove an HRA server.
url
Required. Specifies the URL of the HRA server that you want to remove from the trusted server group.
Example
delete server group = "group1" url = "url1"
delete trustedservergroup
Deletes a trusted server group.
Syntax
delete trustedservergroup [ name = ] name
Parameters
name
Required. Specifies the name of the trusted server group that you want to remove from the NAP client configuration.
Example
delete trustedservergroup name = "group1"
dump
Creates a script that contains the current NAP client configuration.
Syntax
dump
export
Exports an *.xml file that contains the current configuration settings for the NAP client.
Syntax
export [ filename = ] filename
Parameters
Filename
Required. Specifies the file name and folder location where you want to save the *.xml file.
Example
export filename = "c:\config.xml"
help
Displays a list of commands that are available at the netsh context where the command is run, and those inherited from the parent context.
Syntax
help
import
Imports an .xml file that contains configuration settings for the Network Access Protection (NAP) client.
Syntax
import [ filename = ] filename
Parameters
Filename
Required. Specifies the file name and folder location from which you want to import the *.xml file.
Example
import filename = "c:\config.xml"
rename server
Renames the HRA URL of an existing trusted server in the specified trusted server group.
Syntax
rename server [ group = ] group [ url = ] url [ newurl = ] newurl
Parameters
Group
Required. Specifies the name of the trusted server group that contains the HRA server URL that you want to change.
url
Required. Specifies the existing HRA server URL.
Newurl
Required. Specifies the new HRA server URL. If no value is supplied for newurl, the HRA server URL is not changed.
Example
rename server group = "group1" url = "url1" newurl = "url2"
rename trustedservergroup
Renames an existing trusted server group.
Syntax
rename trustedservergroup [ name = ] name [ newname = ] newname
Parameters
Name
Required. Specifies the name of the trusted server group that you want to rename.
Newname
Required. Specifies the new name of the trusted server group.
Example
rename trustedservergroup name = "group1" newname = "group2"
reset configuration
Restores the NAP client configuration to the default settings.
Syntax
reset configuration
reset csp
Sets the cryptographic service provider (CSP) Request Policy to Microsoft Enhanced Cryptographic Provider v1.0.
Syntax
reset csp
reset enforcement
Sets the enforcement client parameter to DISABLED.
Syntax
reset enforcement
reset hash
Sets the hash algorithm Request Policy to sha1RSA (1.3.14.3.2.29).
Syntax
reset hash
reset server
Deletes all URLs in a specified trusted server group.
Syntax
reset server [ group = ] group
Parameters
Group
Required. Specifies the name of the trusted server group.
Example
reset server group = "group1"
reset tracing
Sets the tracing parameter to DISABLE.
Syntax
reset tracing
reset trustedservergroup
Deletes all trusted server groups and the list of all health registration authority servers (by URL) contained in each trusted server group.
Syntax
reset trustedservergroup
reset userinterface
Deletes all user interface settings in the NAP client configuration.
Syntax
reset userinterface
set csp
Changes the cryptographic service provider (CSP) in the NAP client configuration. You can display the names of the currently available CSPs with the show csps command.
Syntax
set csp [ name = ] name [ [ keylength = ] keylength ]
Parameters
name
Required. Specifies the name of the cryptographic service provider (CSP).
keylength
Optional. Specifies the length of the asymmetric key. The default key length is 2048.
Example
set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
set enforcement
Enables or disables NAP enforcement clients in the NAP client configuration. When NAP enforcement clients are enabled, NAP clients can connect to a network with the same type of enforcement server. For example, if a NAP client has the DHCP enforcement client enabled, the NAP client can connect to your network with a DHCP NAP enforcement server. You must specify one or more enforcement clients. By default, all enforcement clients are disabled.
Syntax
set enforcement [ ID = ] ID [ ADMIN = ] ENABLE | DISABLE
Parameters
ID
Required. Specifies the identifier of an installed enforcement client to be enabled or disabled. You can view a list of available enforcement clients and their associated IDs with the show configuration command.
ADMIN
Required. Specifies the administrative state of the specified enforcement client. You must specify ENABLE in order for a NAP client to connect to a network using the type of NAP enforcement method specified by the ID parameter.
Example
set enforcement ID = 79619 ADMIN = "ENABLE"
set hash
Sets the hash algorithm that will be used on the target computer. You can obtain the object identifier (OID) from the "show hashes" command.
Syntax
set hash [ oid = ] oid
Parameters
oid
Required. Specifies the OID of the hash algorithm. You can specify only one OID.
Example
set hash oid = "1.2.840.113549.1.1.5"
set server
Sets the URL and processing order of an HRA server within an existing trusted server group.
Syntax
set server [ group = ] group [ url = ] url [ processingorder = ] processingorder
Parameters
group
Required. Specifies the name of an existing trusted server group that contains the HRA server that you want to add or modify.
url
Required. Specifies the HRA server URL. If the trusted server group requires server verification (https:), then the URL must use the https:// prefix. If the URL is not found in the specified trusted server group, it will be added.
processingorder
Required. Designates the processing order of the HRA URL in the list of URLs in the trusted server group.
Example
set server group = "group1" url = "url1" processingorder = "1"
set tracing
Specifies whether tracing is enabled and the amount of information that is logged by NAP client. Although both parameters are optional, you must specify at least one parameter.
Syntax
set tracing [ [ state = ] ENABLE | DISABLE [ level = ] BASIC | ADVANCED | VERBOSE ]
Parameters
state
Optional. Specifies whether tracing is enabled or disabled. If you specify ENABLE, NAP client creates a trace log file. If you specify DISABLE, NAP client does not create a trace log file. The default is DISABLE. If you enable tracing but do not specify a value for level, NAP client uses the default level value of BASIC.
level
Optional. Specifies the amount of information that is logged by NAP client and that appears in the tracing log file. If you specify BASIC, the least amount of information is logged in the trace log file. If you specify ADVANCED, a greater amount of information is logged in the trace log file. If you specify VERBOSE, all information is logged in the trace log file. The default is BASIC. If you do not specify a value for state, NAP client uses the default state value of DISABLE.
Example
set tracing state = "ENABLE" level = "ADVANCED"
set userinterface
Specifies the NAP client user interface settings. Although all parameters are optional, you must specify at least one parameter.
Syntax
set userinterface [ [ title = ] title [ text = ] text [ image = ] image ]
Parameters
title
Optional. Specifies the title that appears in the NAP client user interface.
text
Optional. Specifies the description that appears in the NAP client user interface.
Image
Optional. Specifies the image that appears in the NAP client user interface.
Example
set userinterface title = "My company" text = "Protecting your computer" image = "c:\Logo.jpg"
show configuration
Displays configuration settings and state information for NAP client, including CSP, enforcement client, tracing, and trusted server group configurations.
Syntax
show configuration
show csps
Displays all available cryptographic service providers (CSPs) on the target system. Use this command to obtain the names that you can use in the add csp and delete csp commands.
Syntax
show csps
show grouppolicy
Displays Group Policy configuration settings and state information for NAP client.
Syntax
show grouppolicy
show hashes
Displays all available hash algorithms on the target system. Use this command to obtain the OIDs that you can use in the add hash and delete hash commands.
Syntax
show hashes
Example
Following is an example of the information displayed when you run the show hashes command at the netsh nap client prompt.
Hash               OID
sha1RSA            1.2.840.113549.1.1.5
md5RSA             1.2.840.113549.1.1.4
sha1DSA            1.2.840.10040.4.3
sha1RSA            1.3.14.3.2.29
shaRSA             1.3.14.3.2.15
md5RSA             1.3.14.3.2.3
md2RSA             1.2.840.113549.1.1.2
md4RSA             1.2.840.113549.1.1.3
md4RSA             1.3.14.3.2.2
md4RSA             1.3.14.3.2.4
md2RSA             1.3.14.7.2.3.1
sha1DSA            1.3.14.3.2.13
dsaSHA1            1.3.14.3.2.27
mosaicUpdatedSig   2.16.840.1.101.2.1.1.19
sha1NoSign         1.3.14.3.2.26
md5NoSign          1.2.840.113549.2.5
sha256NoSign       2.16.840.1.101.3.4.2.1
sha384NoSign       2.16.840.1.101.3.4.2.2
sha512NoSign       2.16.840.1.101.3.4.2.3
sha256RSA          1.2.840.113549.1.1.11
sha384RSA          1.2.840.113549.1.1.12
sha512RSA          1.2.840.113549.1.1.13
RSASSA-PSS         1.2.840.113549.1.1.10
sha1ECDSA          1.2.840.10045.4.1
sha256ECDSA        1.2.840.10045.4.3.2
sha384ECDSA        1.2.840.10045.4.3.3
sha512ECDSA        1.2.840.10045.4.3.4
specifiedECDSA     1.2.840.10045.4.3
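The reset hash command above falls back to sha1RSA, and set hash accepts any OID from this listing. As an added example that is not part of the netsh reference, the following PowerShell parses the show hashes output, reports the MD2/MD4/MD5 and SHA-1 entries as weak, and picks a SHA-2 RSA OID for set hash; the preference order and the weak-algorithm rule are this example's own assumptions, and the sample text is a subset of the listing above.

```powershell
# Added example, not from the netsh reference. Parses "netsh nap client show hashes"
# output and selects a SHA-2 RSA OID for "netsh nap client set hash". The sample
# lines are taken from the page's listing; on a live system pass the real output.
$SampleHashOutput = @'
Hash OID
sha1RSA 1.2.840.113549.1.1.5
md5RSA 1.2.840.113549.1.1.4
sha1RSA 1.3.14.3.2.29
md5NoSign 1.2.840.113549.2.5
sha256NoSign 2.16.840.1.101.3.4.2.1
sha256RSA 1.2.840.113549.1.1.11
sha384RSA 1.2.840.113549.1.1.12
sha512RSA 1.2.840.113549.1.1.13
sha256ECDSA 1.2.840.10045.4.3.2
'@ -split '\r?\n'

function ConvertFrom-NapHashList {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows are "<name> <dotted OID>"; the "Hash OID" header row does not match.
        if ($line -match '^\s*(?<name>\S+)\s+(?<oid>\d+(?:\.\d+)+)\s*$') {
            [pscustomobject]@{ Hash = $Matches['name']; OID = $Matches['oid'] }
        }
    }
}

function Test-WeakNapHash {
    param([string]$Hash)
    # Assumed policy for this example: MD2/MD4/MD5 and SHA-1 signature algorithms are
    # weak, and digest-only "NoSign" entries are not signature algorithms at all.
    return [bool]($Hash -match '^(md[245]|sha1?)(RSA|DSA|ECDSA)$' -or
                  $Hash -match 'NoSign$' -or
                  $Hash -eq 'dsaSHA1')
}

function Select-NapHashOid {
    param(
        [string[]]$Lines,
        # Preference order is an assumption of this example; the reference only
        # documents that set hash accepts a single OID taken from show hashes.
        [string[]]$Preferred = @('sha256RSA', 'sha384RSA', 'sha512RSA')
    )
    $available = @(ConvertFrom-NapHashList -Lines $Lines)
    foreach ($name in $Preferred) {
        $hit = $available | Where-Object { $_.Hash -eq $name } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    throw "None of the preferred algorithms ($($Preferred -join ', ')) is available."
}

function Invoke-NapHashHardening {
    param([string[]]$Lines, [switch]$Apply)
    $weak = @(ConvertFrom-NapHashList -Lines $Lines | Where-Object { Test-WeakNapHash $_.Hash })
    foreach ($w in $weak) { Write-Host ("weak/unusable: {0,-14} {1}" -f $w.Hash, $w.OID) }

    $chosen = Select-NapHashOid -Lines $Lines
    Write-Host ("selected:      {0,-14} {1}" -f $chosen.Hash, $chosen.OID)
    if ($Apply) {
        # Only touches the local NAP client configuration when -Apply is given.
        netsh nap client set hash "oid=$($chosen.OID)"
    }
    else {
        Write-Host "dry run; would execute: netsh nap client set hash oid=$($chosen.OID)"
    }
    return $chosen
}

# Dry run against the constructed sample; add -Apply on a NAP client to change the policy.
Invoke-NapHashHardening -Lines $SampleHashOutput
```

With the sample above the script reports sha1RSA, md5RSA, md5NoSign and sha256NoSign as weak or unusable and selects 1.2.840.113549.1.1.11 (sha256RSA).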
show state
Displays state information, including client access restriction state, the state of installed enforcement clients and system health agents, and the client compliance and remediation results.
Syntax
show state
show trustedservergroup
Displays all trusted server groups and the HRA server URLs in each group.
Syntax
show trustedservergroup
Example
Following is an example of the information displayed when you run the show trustedservergroup command at the netsh nap client prompt.
Setting            Value
Group              Trusted server group 1
Require Https      Enabled
URL                https://www.example.com
Processing order   1
Group              Trusted server group 2
Require Https      Enabled
URL                https://www.contoso.com
Processing order   1
Group              Trusted server group 2
Require Https      Enabled
URL                https://www.example.com
Processing order   2
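The add server and set server commands only enforce the https:// prefix when the group requires server verification, so a group created with requirehttps=DISABLE accepts an unverified HRA. As an added example that is not part of the netsh reference, the following PowerShell parses show trustedservergroup output in the layout shown above and reports groups that do not require HTTPS, URLs without the https:// prefix, and duplicate processing orders; the fourth entry in the sample is constructed to trigger findings.

```powershell
# Added example, not from the netsh reference. Audits "netsh nap client show
# trustedservergroup" output. The first three entries are the page's own sample;
# the "Lab group (constructed)" entry is made up to show what a finding looks like.
$SampleGroupOutput = @'
Setting Value
Group Trusted server group 1
Require Https Enabled
URL https://www.example.com
Processing order 1
Group Trusted server group 2
Require Https Enabled
URL https://www.contoso.com
Processing order 1
Group Trusted server group 2
Require Https Enabled
URL https://www.example.com
Processing order 2
Group Lab group (constructed)
Require Https Disabled
URL http://hra.lab.example
Processing order 1
'@ -split '\r?\n'

function ConvertFrom-NapTrustedServerGroups {
    param([string[]]$Lines)
    # Each "Group" line starts a new URL entry; the group header is repeated for
    # every URL, exactly as in the reference output above.
    $entry = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^Group\s+(.+)$' {
                if ($entry) { $entry }
                $entry = [pscustomobject]@{
                    Group = $Matches[1].Trim(); RequireHttps = $null; URL = $null; ProcessingOrder = $null
                }
            }
            '^Require Https\s+(\S+)$'    { if ($entry) { $entry.RequireHttps = ($Matches[1] -eq 'Enabled') } }
            '^URL\s+(\S+)$'              { if ($entry) { $entry.URL = $Matches[1] } }
            '^Processing order\s+(\d+)$' { if ($entry) { $entry.ProcessingOrder = [int]$Matches[1] } }
        }
    }
    if ($entry) { $entry }
}

function Test-NapTrustedServerGroups {
    param([string[]]$Lines)
    $entries  = @(ConvertFrom-NapTrustedServerGroups -Lines $Lines)
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($g in ($entries | Group-Object Group)) {
        $name = $g.Name
        if ($g.Group | Where-Object { -not $_.RequireHttps }) {
            $findings.Add("[$name] Require Https is Disabled; the HRA is not verified over TLS.")
        }
        foreach ($e in $g.Group) {
            if ($e.URL -notmatch '^https://') {
                $findings.Add("[$name] URL $($e.URL) does not use the https:// prefix.")
            }
        }
        # Two URLs with the same processing order make the effective order ambiguous.
        $dupes = $g.Group | Group-Object ProcessingOrder | Where-Object { $_.Count -gt 1 }
        foreach ($d in $dupes) {
            $findings.Add("[$name] processing order $($d.Name) is assigned to $($d.Count) URLs.")
        }
    }
    return ,$findings.ToArray()
}

$results = Test-NapTrustedServerGroups -Lines $SampleGroupOutput
if ($results.Count -eq 0) { 'no findings' } else { $results }
```

Against the sample, the two reference groups produce no findings and the constructed lab group produces two (HTTPS not required, plain http:// URL); on a real client replace the sample with the output of netsh nap client show trustedservergroup.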
Netsh Commands for Network Input Output (NETIO)
You can use commands in the Netsh netio context to configure binding filters. The Netsh commands for netio can be run manually at the netsh prompt or in scripts and batch files.
To run these commands from the command prompt, you must either enter the netsh netio context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then netio to enter the netsh netio context, you must type:
netsh netio command
Where command is the command that you want to run, including all of the required parameters for the command.
add bindingfilter
Adds a binding filter.
Syntax
add bindingfilter [npi=]NPI [client=] client [provider=] provider [[type=]block|singleclient] [[store=]active|persistent]
Parameters
npi
Required. Specifies the network programming interface GUID or name as a string value.
client
Required. Specifies the client name or GUID as a string value.
provider
Required. Specifies the client name or GUID as a string value.
type
Optional. Specifies either block or singleclient. Singleclient is the default. If you specify block, the specified client cannot bind to the provider. If you specify singleclient, only the specified client can bind to the provider.
store
Optional. Specifies that the binding filter is either active or persistent. Persistent is the default. If you specify active, the filter is applied only until the computer is restarted; after it is restarted the binding filter is not applied. If you specify persistent, the filter is permanently applied.
Examples
The following example disables IPv4 loopback by installing an NMR filter to prevent the binding.
netsh netio add bindingfilter framing ipv4 fl4l block persistent
The following example disables IPv6 loopback by installing an NMR filter to prevent the binding.
netsh netio add bindingfilter framing ipv6 fl6l block persistent
delete bindingfilter
Deletes a binding filter.
Syntax
delete bindingfilter [npi=]NPI [client=] client [provider=] provider [[store=]active|persistent]
Parameters
npi
Required. Specifies the network programming interface GUID or name as a string value.
client
Required. Specifies the client name or GUID as a string value.
provider
Required. Specifies the client name or GUID as a string value.
store
Optional. Specifies that the deletion of the binding filter is either active or persistent. Persistent is the default. If you specify active, the filter is deleted only until the computer is restarted; after it is restarted the binding filter is applied again. If you specify persistent, the filter is permanently deleted.
show bindingfilters
Displays all binding filters.
Syntax
show bindingfilters [[store=]active|persistent]
Netsh Commands for Peer-to-Peer Networking (P2P)
Peer-to-peer (P2P) technologies are used to facilitate real-time communication and collaboration across distributed networks. In the peer-to-peer model, without using Internet servers, each computer user can do the following:
Exchange data
Share resources
Locate other users
Communicate
Collaborate directly in real time
By using peer-to-peer technologies, applications that coordinate the use of computer CPU cycles and storage can share resources among large or small groups of computers connected to the Internet. P2P is configured and administered by using Netsh commands.
You can run these commands from the command prompt for the Netsh P2P context. For these commands to work at the command prompt, you must type netsh p2p before typing commands and parameters as they appear in the syntax below.
Netsh P2P
The following commands are available at the p2p> prompt, which is rooted within the netsh environment.
collab
Changes to the netsh p2p collab context.
dump
Creates a script that contains the current configuration. If saved to a file, this script can be used to restore altered configuration settings.
group
Changes to the netsh p2p group context.
idmgr
Changes to the netsh p2p idmgr context.
pnrp
Changes to the netsh p2p pnrp context.
Netsh P2P collab
The following commands are available at the p2p collab> prompt, which is rooted within the netsh environment.
contact
Changes to the netsh p2p collab contact context.
Netsh P2P collab contact
The following commands are available at the p2p collab contact> prompt, which is rooted within the netsh environment.
delete
Deletes a contact from the contact store.
Syntax
delete peer name
export
Exports the Me contact to a file. The file can later be copied to another machine and imported there.
Syntax
export file name
import
Imports a contact from a file to the contact store.
Syntax
import file name
set
Sets the properties of a contact.
Syntax
set [Id=]<Peer Name> [FriendlyName=<friendly name>] [Watch=<true | false>] [WatchPerm=<allow | block>]
show contacts
Displays all contacts.
Syntax
show contacts
show xml
Displays the contents of the contact XML file.
Syntax
show xml file name
Netsh P2P group
The following commands are available at the p2p group> prompt, which is rooted within the netsh environment.
database
Changes to the netsh p2p group database context.
resolve
Resolves a participant in the group and lists its address.
Syntax
resolve {ANY | REMOTE} <group P2PID> [<cloud name>]
show acl
Lists access control list (ACL) information.
Syntax
show acl { identity <identity P2PID> | db <identity P2PID> <group P2PID>| <File path> }
show address
Resolves a participant in the current node and lists its address.
Syntax
show address <group P2PID> [ <cloud name> ]
Netsh P2P group database
The following commands are available at the p2p group database> prompt, which is rooted within the netsh environment.
show statistics
Lists database statistics for the given <identity P2PID> and <group P2PID>.
Syntax
show statistics <identity P2PID> <group P2PID>
Netsh P2P idmgr
The following commands are available at the p2p idmgr> prompt, which is rooted within the netsh environment.
delete group
Deletes groups from identities.
Syntax
delete group <identity P2PID> { <group P2PID> | ALL | EXPIRED }
delete identity
Deletes identities.
Syntax
delete identity <identity P2PID> { <identity P2PID> | ALL | QUIET }
show groups
Displays identity and related group information.
Syntax
show groups { <identity P2PID> | ALL } [ EXPIRED ]
show identities
Displays identity information.
Syntax
show identities { ALL | <identity P2PID> }
show statistics
Displays a count of identities and associated groups.
Syntax
show statistics
Netsh P2P pnrp
The following commands are available at the p2p pnrp> prompt, which is rooted within the netsh environment.
cloud
Changes to the netsh p2p pnrp cloud context.
diagnostics
Changes to the netsh p2p pnrp diagnostics context.
peer
Changes to the netsh p2p pnrp peer context.
Netsh P2P pnrp cloud
The following commands are available at the p2p pnrp cloud> prompt, which is rooted within the netsh environment.
flush
Deletes all cache entries.
Syntax
flush [cloud=]<cloud name>
Example
flush Global_
repair
Detects and repairs Peer Name Resolution Protocol (PNRP) cloud fragmentation.
Syntax
repair [cloud=]<cloud name>
Example
repair Global_
show initialization
Displays cloud bootstrap configuration and status.
Syntax
show initialization [[cloud=]{ * | <cloud name>}]
Examples
show initialization cloud=Global_
show initialization *
show list
Displays a list of clouds.
Syntax
show list [[cloud=] <cloud name>]
Examples
show list Global_
show list
show names
Displays all names registered on the local machine.
Syntax
show names [[cloud=]{ * | <cloud name>}]
Examples
show names cloud=Global_
show names
show pnrpmode
Displays PNRP mode configuration parameters.
Syntax
show pnrpmode [[cloud=]<cloud name>]
Example
show pnrpmode Global_
show seed
Displays PNRP seed server configuration parameters.
Syntax
show seed [cloud=]<cloud name>
Example
show seed Global_
show statistics
Displays cloud statistics.
Syntax
show statistics [[cloud=]{ * | <cloud name>}]
Examples
show statistics cloud=Global_
show statistics
start
Bootstraps a cloud.
Syntax
start [cloud=]<cloud name>
Example
start Global_
synchronize host
Queries a specified host for the addresses of other members of the cloud.
Syntax
synchronize host [host=]<host name> [cloud=]<cloud name>
Example
synchronize host host1 Global_
synchronize seed
Queries the seed server for the addresses of other members of the cloud.
Syntax
synchronize seed [cloud=]<cloud name>
Example
synchronize seed Global_
Netsh P2P pnrp diagnostics
The following commands are available at the p2p pnrp diagnostics> prompt, which is rooted within the netsh environment.
ping host
Tests PNRP connectivity to a node by specifying an address or a host name.
Syntax
ping host [host=]{<ip address> | <host name>} [cloud=]<cloud name>
Example
ping host myhost Global_
ping seed
Tests PNRP connectivity to the configured seed server.
Syntax
ping seed [cloud=]<cloud name>
Example
ping seed Global_
Netsh P2P pnrp peer
The following commands are available at the p2p pnrp peer> prompt, which is rooted within the netsh environment.
add registration
Registers a peer name. (Note that the registration will only last as long as the Netsh instance.)
Syntax
add registration [peername=]<peer name> [cloud=]<cloud name> [[comment]=<comment>]
Parameters
Peername
<canonical pnrp name>|<dns-encoded pnrp name>
Cloud
The cloud where the name should be registered. Default is all clouds.
Comment
The comment that should be registered for the name.
Examples
add registration peername=0.0
add registration 0.0 Global_
delete registration
Unregisters a peer name.
Syntax
delete registration [peername=]{ * | <peer name>} [cloud=]<cloud name>
Parameters
Peername
<canonical pnrp name>|<dns-encoded pnrp name>
Cloud
The cloud from which the name should be unregistered. Default is all Clouds.
Examples
delete registration *
delete registration peername=0.0 cloud=Global_
enumerate
Searches for multiple registrations of a peer name in the specified cloud.
Syntax
enumerate [peername=]<peer name> [cloud=]<cloud name> [[maxresults=]<number>]
Parameters
Peername
<canonical pnrp name>|<dns-encoded pnrp name>
Cloud
The cloud where the enumeration should happen.
Maxresults
Should be a number between one and 500. Default is 50.
Examples
enumerate 0.0 cloud=Global_ maxresults=2
enumerate peername=0.0 cloud=Global_
resolve
Resolves a peer name.
Syntax
resolve [peername=]<peer name> [[cloud=]<cloud name>]
Parameters
Peername
<canonical pnrp name>|<dns-encoded pnrp name>
Examples
resolve peername=0.0 cloud=Global_
resolve 0.anyname
set file
Copies the console output to a file.
Syntax
set file [ mode= ] { open [ name= ] <filename> | append [ name = ]<filename> | close }
Parameters
Mode
One of the following values:
Open: Creates a new file or overwrites an existing file and streams the console output to the file.
Append: Opens an existing file and streams the console output to the end of the existing file.
Close: Stops streaming and closes a file.
Name
Name of the file (full path optional)
Examples
set file open c:\logfiles\logfile.txt
The above command creates a file and logs all output to it.
set machinename
Configures the PNRP Machine Name Publication Service.
Syntax
set machinename [[name=]<PeerName>] [[publish=]Start|Stop] [[autopublish=]enable|disable]
Parameters
Name
The name to use as the machine name. If the value is null, a secured name is automatically generated.
Publish
If set to start, the name starts being published immediately. If set to stop, publication of the name stops.
Autopublish
Sets whether or not automatic publication is enabled. When autopublish is enabled, the machine automatically begins publishing the name at boot.
Examples
set machinename publish=start autopublish=enable
set mode
Sets the current mode to online or offline.
Syntax
set mode [ mode= ] { online | offline }
Parameters
Mode
One of the following values:
online: Commit changes immediately
offline: Delay commit until explicitly requested
Example
set mode online
show convertedname
Converts standard peer names to DNS encoded peer names and vice versa.
Syntax
show convertedname [peername=]<peer name>
Example
show convertedname 0.anyname
show machinename
Displays the PNRP Machine Name Publication Service configuration.
Syntax
show machinename
Example
show machinename
show registration
Lists the peer names registered by this instance of netsh.
Syntax
show registration [[cloud=]<cloud name>]
Example
show registration cloud=Global_
traceroute
Resolves a peer name with path tracing.
Syntax
traceroute [peername =]<peer name> [cloud=]<cloud name>
Examples
traceroute peername=0.0 Global_
traceroute 0.anyname Global_
Netsh Commands for Remote Access
You can use commands in the Netsh ras context to configure all aspects of remote access. The Netsh commands for remote access provide the same functionality as the Routing and Remote Access console, and the commands can be run manually at the netsh prompt or in scripts and batch files.
To run these commands from the command prompt, you must either enter the netsh ras context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then ras to enter the netsh ras context, you must type:
netsh ras command
Netsh RAS Commands
The following commands are specific to the ras context within the Netsh environment.
show activeservers
Displays a list of remote access server (RAS) advertisements.
Syntax
show activeservers
show client
Lists remote access clients connected to this server.
Syntax
show client
[[name=] Name]
Parameters
[[name=] Name]
Shows the status of a given client connected to the server. If this parameter is "*", show client enumerates the status of all clients. If no name is specified, show client shows which, if any, remote access clients are connected to the server.
set client
Resets the user statistics and disconnects a remote access client.
Syntax
set client
[name=] Name
[state=] {disconnect | resetstats}
Parameters
[name=] Name
Required. Specifies the user name of the client to disconnect or reset statistics.
[state=] {disconnect | resetstats}
Required. Specifies the action to perform. The parameter disconnect disconnects the specified user. The parameter resetstats resets the statistics for the specified user.
dump
Displays the configuration of the remote access server in script form.
Syntax
dump
Example
The following command saves the current configuration as a script in the rascfg.dmp file.
dump > rascfg.dmp
show tracing
Shows whether tracing is enabled for the specified component. To see a list of all installed components and whether tracing is enabled for each, use the show tracing command without parameters.
Syntax
show tracing [component]
Parameters
component
Specifies the component for which to display information. If no component is specified, show tracing shows the state of all installed components.
set tracing
Enables or disables tracing for the specified component.
Syntax
set tracing component {enabled | disabled}
Parameters
Component
Required. Specifies the component for which you want to enable or disable tracing. Use "*" to specify all components.
{enabled | disabled}
Required. Specifies whether to enable or disable tracing for the specified component.
Example
To set tracing for the PPP component, type:
set tracing ppp enabled
show authmode
Shows whether dial-up clients using certain types of devices should be authenticated.
Syntax
show authmode
set authmode
Specifies whether dial-up clients using certain types of devices should be authenticated.
Syntax
set authmode {standard | nodcc | bypass}
Parameters
{standard | nodcc | bypass}
Required. Specifies whether dial-up clients using certain types of devices should be authenticated. The parameter standard specifies that clients using any type of device should be authenticated. The parameter nodcc specifies that clients using any type of device except a direct-connect device should be authenticated. The parameter bypass specifies that no clients should be authenticated.
add authtype
Adds an authentication type to the list of types through which the remote access server should attempt to negotiate authentication.
Syntax
add authtype {pap | md5chap | mschap | mschapv2 | eap}
Parameters
{pap | md5chap | mschap | mschapv2 | eap}
Required. Specifies which authentication type to add to the list of types through which the remote access server should attempt to negotiate authentication. The pap parameter specifies that the remote access server should use the Password Authentication Protocol (plaintext). The md5chap parameter specifies that the remote access server should use the Challenge Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The mschap parameter specifies that the remote access server should use the Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access server should use version 2 of MSCHAP. The eap parameter specifies that the remote access server should use Extensible Authentication Protocol.
delete authtype
Deletes an authentication type from the list of types through which the remote access server should attempt to negotiate authentication.
Syntax
delete authtype {pap | md5chap | mschap | mschapv2 | eap}
Parameters
{pap | md5chap | mschap | mschapv2 | eap}
Required. Specifies which authentication type to delete from the list of types through which the remote access server should attempt to negotiate authentication. The pap parameter specifies that the remote access server should not use the Password Authentication Protocol (plaintext). The md5chap parameter specifies that the remote access server should not use the Challenge Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The mschap parameter specifies that the remote access server should not use the Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access server should not use version 2 of MSCHAP. The eap parameter specifies that the remote access server should not use Extensible Authentication Protocol.
show authtype
Lists the authentication type (or types) that the remote access server uses to attempt to negotiate authentication.
Syntax
show authtype
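Because pap sends the password in plaintext and md5chap depends on MD5, a server that still negotiates them is a common audit finding. As an added example that is not part of the netsh reference, the following PowerShell reads the enabled list from show authtype output, compares it with an allowed set, and emits the add authtype and delete authtype commands needed to close the gap; the allowed set, the assumption that the output names types with the same keywords the reference uses, and the sample output are all this example's own.

```powershell
# Added example, not from the netsh reference. Computes the "netsh ras add authtype"
# and "netsh ras delete authtype" commands that move the negotiated authentication
# list to an allowed set. Parsing assumes "show authtype" output contains the type
# keywords used in the reference (pap, md5chap, mschap, mschapv2, eap); the sample
# below is constructed, not captured from a real server.
$SampleAuthTypeOutput = @'
Enabled Authentication Types:
    pap
    md5chap
    mschapv2
'@ -split '\r?\n'

$KnownAuthTypes = @('pap', 'md5chap', 'mschap', 'mschapv2', 'eap')

function Get-RasEnabledAuthTypes {
    param([string[]]$Lines)
    $found = foreach ($line in $Lines) {
        foreach ($t in $KnownAuthTypes) {
            # Whole-word match so that "mschap" does not also match "mschapv2".
            if ($line -match "\b$t\b") { $t }
        }
    }
    return @($found | Select-Object -Unique)
}

function Get-RasAuthTypeChanges {
    param(
        [string[]]$Current,
        # Allowed set is this example's assumption: keep only mschapv2 and eap.
        [string[]]$Allowed = @('mschapv2', 'eap')
    )
    # Each change is kept as an argument array so it can be passed to netsh without
    # string evaluation; the type names come from the fixed $KnownAuthTypes list.
    $changes = @()
    foreach ($t in $Current) {
        if ($Allowed -notcontains $t) { $changes += ,@('ras', 'delete', 'authtype', $t) }
    }
    foreach ($t in $Allowed) {
        if ($Current -notcontains $t) { $changes += ,@('ras', 'add', 'authtype', $t) }
    }
    return ,$changes
}

function Invoke-RasAuthTypeHardening {
    param([string[]]$Lines, [switch]$Apply)
    $current = Get-RasEnabledAuthTypes -Lines $Lines
    Write-Host "currently enabled: $($current -join ', ')"
    $changes = Get-RasAuthTypeChanges -Current $current
    foreach ($c in $changes) {
        if ($Apply) {
            # Runs against the local remote access server only when -Apply is given.
            & netsh @c
        }
        else {
            Write-Host "dry run: netsh $($c -join ' ')"
        }
    }
    return ,$changes
}

# Dry run against the constructed sample; on a server, feed the output of
# "netsh ras show authtype" and add -Apply to make the changes.
$null = Invoke-RasAuthTypeHardening -Lines $SampleAuthTypeOutput
```

For the sample input the dry run prints three commands: delete authtype pap, delete authtype md5chap and add authtype eap. Confirm on a real server that the mschapv2 and eap clients are actually in use before deleting the weaker types, or remote users will stop authenticating.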
add link
Adds a link property to the list of link properties PPP will negotiate.
Syntax
add link {swc | lcp}
Parameters
{swc | lcp}
Required. Specifies which link property to add to the list of link properties PPP will negotiate. The parameter swc specifies that software compression (MPPC) should be added. The parameter lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be added.
delete link
Deletes a link property from the list of link properties PPP will negotiate.
Syntax
delete link {swc | lcp}
Parameters
{swc | lcp}
Required. Specifies which link property to delete from the list of link properties PPP will negotiate. The parameter swc specifies that software compression (MPPC) should be deleted. The parameter lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be deleted.
show link
Displays the link properties PPP will negotiate.
Syntax
show link
add multilink
Adds a multilink type to the list of multilink types PPP will negotiate.
Syntax
add multilink {multi | bacp}
Parameters
{multi | bacp}
Required. Specifies which multilink type to add to the list of multilink types PPP will negotiate. The parameter multi specifies that multilink PPP sessions should be added. The parameter bacp specifies that Bandwidth Allocation Control Protocol should be added.
delete multilink
Deletes a multilink type from the list of multilink types PPP will negotiate.
Syntax
delete multilink {multi | bacp}
Parameters
{multi | bacp}
Required. Specifies which multilink type to delete from the list of multilink types PPP will negotiate. The parameter multi specifies that multilink PPP sessions should be deleted. The parameter bacp specifies that Bandwidth Allocation Control Protocol should be deleted.
show multilink
Shows the multilink types PPP will negotiate.
Syntax
show multilink
add registeredserver
Registers the specified server as a remote access server in the specified Active Directory® domain. Used without parameters, add registeredserver registers the computer from which you type the command in its primary domain.
Syntax
add registeredserver
[[domain=] DomainName]
[[server=] ServerName]
Parameters
[[domain=] DomainName]
Specifies, by domain name, the domain in which to register the server. If you do not specify a domain, the server is registered in its primary domain.
[[server=] ServerName]
Specifies, by Domain Name System (DNS) name or IP address, the server to register. If you do not specify a server, the computer from which you type the command is registered.
delete registeredserver
Deletes the registration of the specified server as a remote access server from the specified Active Directory domain. Used without parameters, delete registeredserver deletes the registration of the computer from which you type the command from its primary domain.
Syntax
delete registeredserver
[[domain=] DomainName]
[[server=] ServerName]
Parameters
[[domain=] DomainName]
Specifies, by domain name, the domain from which to remove the registration. If you do not specify a domain, the registration is removed from the primary domain of the computer from which you type the command.
[[server=] ServerName]
Specifies, by IP address or DNS name, the server whose registration you want to remove. If you do not specify a server, the registration is removed for the computer from which you type the command.
show registeredserver
Displays status information about the specified server registered as a remote access server in the specified Active Directory domain. Used without parameters, the computer from which the command is issued and its primary domain are assumed.
Syntax
show registeredserver
[[domain=] DomainName]
[[server=] ServerName]
Parameters
[[domain=] DomainName]
Specifies, by domain name, the domain in which the server about which you want to display information is registered. If you do not specify a domain, the primary domain of the computer from which the command is issued is assumed.
[[server=] ServerName]
Specifies, by IP address or DNS name, the server about which you want to display information. If you do not specify a server, the computer from which the command is issued is assumed.
show user
Displays the properties of a specified remote access user or users. Used without parameters, show user displays the properties of all remote access users.
Syntax
show user
[name=] UserName
[[mode=] {permit | report}]
Parameters
[name=] UserName
Specifies, by logon name, the user whose properties you want to display. If you do not specify a user, the properties of all users are displayed.
[[mode=] {permit | report}]
Specifies whether to show properties for all users or only those whose dial-up permission is set to permit. The permit parameter specifies that properties should be displayed only for users whose dial-up permission is permit. The report parameter specifies that properties should be displayed for all users.
set user
Sets the properties of the specified remote access user.
Syntax
set user
[name=] UserName
[dialin=] {permit | deny | policy}
[cbpolicy=] {none | caller | admin
[cbnumber=] CallbackNumber}
Parameters
[name=] UserName
Required. Specifies, by logon name, the user for which you want to set properties.
[dialin=] {permit | deny | policy}
Required. Specifies under what circumstances the user should be allowed to connect. The permit parameter specifies that the user should always be allowed to connect. The deny parameter specifies that the user should never be allowed to connect. The policy parameter specifies that remote access policies should determine whether the user is allowed to connect.
[cbpolicy=] {none | caller | admin [cbnumber=] CallbackNumber}
Required. Specifies the callback policy for the user. The callback feature saves the user the cost of the phone call used to connect to a remote access server. The none parameter specifies that the user should not be called back. The caller parameter specifies that the user should be called back at a number specified by the user at connection time. The admin parameter specifies that the user should be called back at the number specified by the CallbackNumber parameter.
Example
To allow GuestUser to connect and be called back at (425) 555-0110, type:
set user guestuser permit admin 4255550110
show status
Shows the status of the server running Routing and Remote Access.
Syntax
show status
show conf
Shows the remote access configuration state of the server.
Syntax
show conf
set conf
Sets the remote access configuration state of the server.
Syntax
set conf
[confstate=] {enabled | disabled}
Parameters
[confstate=] {enabled | disabled}
Required. Specifies the remote access configuration state. The enabled parameter enables the server configuration. The disabled parameter disables the server configuration and removes the server from the list of remote access servers.
show portstatus
Shows the current status of RAS ports.
Syntax
show portstatus
[[name=] PortName]
[[state=] State]
Parameters
[[name=] PortName]
Specifies the port for which to display status.
[[state=] State]
Displays only the ports in the specified state. State is one of the following:
nonoperational: Non-operational ports
disconnected: Disconnected ports
callingback: Ports calling back
listening: Ports listening
authenticating: Ports authenticating
connected: Authenticated and connected ports
initializing: Ports initializing
Examples
The following examples show port status using the name and state parameters.
show portstatus name=VPN0-127
show portstatus state=connected
set portstatus
Resets the RAS port statistics.
Syntax
set portstatus
[[name=] PortName]
Parameters
[[name=] PortName]
Specifies the name of the port. If none is specified, resets statistics of all active ports.
show type
Shows the router and RAS properties.
Syntax
show type
set type
Specifies the router and RAS roles of the server.
Syntax
set type
[ipv4rtrtype=] {lanonly | lananddd | none}
[ipv6rtrtype=] {lanonly | lananddd | none}
[rastype=] {ipv4 | ipv6 | both | none}
Parameters
[ipv4rtrtype=] {lanonly | lananddd | none}
Specifies how the computer is configured as an IPv4 router. The lanonly parameter specifies that this computer is a LAN-only router and does not require demand-dial or VPN connections. The lananddd parameter specifies that this computer is a LAN and demand-dial router and supports VPN connections. The none parameter specifies that this computer is not enabled as an IPv4 router.
[ipv6rtrtype=] {lanonly | lananddd | none}
Specifies how the computer is configured as an IPv6 router. The lanonly parameter specifies that this computer is a LAN-only router and does not require demand-dial or VPN connections. The lananddd parameter specifies that this computer is a LAN and demand-dial router and supports VPN connections. The none parameter specifies that this computer is not enabled as an IPv6 router.
[rastype=] {ipv4 | ipv6 | both | none}
Specifies how the computer is configured as a remote access server. The ipv4 parameter specifies that the computer is configured for IPv4. The ipv6 parameter specifies that the computer is configured for IPv6. The both parameter specifies that the computer is configured for IPv4 and IPv6. The none parameter specifies that the computer is not configured as a remote access server.
Netsh RAS AAAA Context Commands
The following commands are specific to the ras AAAA context within the Netsh environment.
dump
Displays the AAAA configuration of a remote access server in script form.
Syntax
dump
You can dump the contents of the current configuration to a file that can be used to restore altered configuration settings.
Example
The following is the command to save the current configuration as a script in the rasaaaacfg.dmp file.
dump > rasaaaacfg.dmp
add acctserver
Specifies the IP address or the Domain Name System (DNS) name of a RADIUS server to use for accounting.
Syntax
add acctserver
[name=] ServerID
[[secret=] SharedSecret]
[[init-score=] ServerPriority]
[[port=] Port]
[[timeout=] Seconds]
[[messages=] {enabled | disabled}]
Parameters
[name=] ServerID
Required. Specifies, by IP address or DNS name, the RADIUS server.
[[secret=] SharedSecret]
Specifies the preshared key.
[[init-score=] ServerPriority]
Specifies the initial score (server priority).
[[port=] Port]
Specifies the port to which accounting requests should be sent.
[[timeout=] Seconds]
Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it should be marked unavailable.
[[messages=] {enabled | disabled}]
Specifies whether to send accounting on/off messages. The enabled parameter specifies that messages should be sent. The disabled parameter specifies that messages should not be sent.
delete acctserver
Deletes a RADIUS accounting server.
Syntax
delete acctserver
[name=] ServerID
Parameters
[name=] ServerID
Required. Specifies, by DNS name or IP address, which server to delete.
set acctserver
Provides the IP address or the DNS name of a RADIUS server to use for accounting.
Syntax
set acctserver
[name=] ServerID
[[secret=] SharedSecret]
[[init-score=] ServerPriority]
[[port=] Port]
[[timeout=] Seconds]
[[messages=] {enabled | disabled}]
Parameters
[name=] ServerID
Required. Specifies, by IP address or DNS name, the RADIUS server.
[[secret=] SharedSecret]
Specifies the preshared key.
[[init-score=] ServerPriority]
Specifies the initial score (server priority).
[[port=] Port]
Specifies the port on which to send the authentication requests.
[[timeout=] Seconds]
Specifies, in seconds, the amount of time that should elapse before the RADIUS server is marked unavailable.
[[messages=] {enabled | disabled}]
Specifies whether accounting on/off messages should be sent.
show acctserver
Displays detailed information about an accounting server. Used without parameters, show acctserver displays information about all configured accounting servers.
Syntax
show acctserver
[[name=] ServerID]
Parameters
[name=] ServerID
Specifies, by DNS name or IP address, the RADIUS server about which to display information.
add authserver
Provides the IP address or the DNS name of a RADIUS server to which authentication requests should be passed.
Syntax
add authserver
[name=] ServerID
[[secret=] SharedSecret]
[[init-score=] ServerPriority]
[[port=] Port]
[[timeout=] Seconds]
[[signature=] {enabled | disabled}]
Parameters
[name=] ServerID
Required. Specifies, by IP address or DNS name, the RADIUS server.
[[secret=] SharedSecret]
Specifies the preshared key.
[[init-score=] ServerPriority]
Specifies the initial score (server priority).
[[port=] Port]
Specifies the port to which authentication requests should be sent.
[[timeout=] Seconds]
Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it should be marked unavailable.
[[signature=] {enabled | disabled}]
Specifies whether to use digital signatures. The enabled parameter specifies that digital signatures should be used. The disabled parameter specifies that digital signatures should not be used.
delete authserver
Deletes a RADIUS authentication server.
Syntax
delete authserver
[name=] ServerID
Parameters
[name=] ServerID
Required. Specifies, by DNS name or IP address, which server to delete.
set authserver
Provides the IP address or the DNS name of a RADIUS server to which authentication requests should be passed.
Syntax
set authserver
[name=] ServerID
[[secret=] SharedSecret]
[[init-score=] ServerPriority]
[[port=] Port]
[[timeout=] Seconds]
[[signature=] {enabled | disabled}]
Parameters
[name=] ServerID
Required. Specifies, by IP address or DNS name, the RADIUS server.
[[secret=] SharedSecret]
Specifies the preshared key.
[[init-score=] ServerPriority]
Specifies the initial score (server priority).
[[port=] Port]
Specifies the port on which to send the authentication requests.
[[timeout=] Seconds]
Specifies the amount of time, in seconds, that should elapse before the RADIUS server is marked unavailable.
[[signature=] {enabled | disabled}]
Specifies whether digital signatures should be used.
show authserver
Displays detailed information about an authentication server. Used without parameters, show authserver displays information about all configured authentication servers.
Syntax
show authserver
[[name=] ServerID]
Parameters
[[name=] ServerID]
Specifies, by DNS name or IP address, the RADIUS server about which to display information.
set accounting
Specifies the accounting provider.
Syntax
set accounting {windows | radius | none}
Parameters
{windows | radius | none}
Required. Specifies whether accounting should be performed and by which server. The windows parameter specifies that Windows security should perform accounting. The radius parameter specifies that a RADIUS server should perform accounting. The none parameter specifies that no accounting should be performed.
show accounting
Displays the accounting provider.
Syntax
show accounting
set authentication
Specifies the authentication provider.
Syntax
set authentication {windows | radius}
Parameters
{windows | radius}
Required. Specifies which technology should perform authentication. The windows parameter specifies that Windows security should perform authentication. The radius parameter specifies that a RADIUS server should perform authentication.
show authentication
Displays the authentication provider.
Syntax
show authentication
set ipsecpolicy
Sets the IPsec policy for the L2TP connection.
Syntax
set ipsecpolicy
[psk=] {enabled | disabled}
[secret=] SharedSecret
Parameters
[psk=] {enabled | disabled}
Required. Specifies whether an L2TP connection can use a custom IPsec policy. The enabled parameter specifies that the IPsec policy is set to a custom IPsec policy using a preshared key. The disabled parameter specifies that the IPsec policy is set to certificate.
[secret=] SharedSecret
Required when psk authentication is enabled. Specifies the preshared key to be used with the custom IPsec policy.
Example
The following sets the IPsec policy for the L2TP connection.
set ipsecpolicy psk=enabled secret="P@ssword"
show ipsecpolicy
Shows the IPsec policy for the L2TP connection.
Syntax
show ipsecpolicy
Netsh RAS Diagnostic Context Commands
The following commands are specific to the ras diagnostics context within the Netsh environment.
dump
Displays the configuration of Remote Access Diagnostics in script form.
Syntax
dump
Example
The following is the command to save the current configuration as a script in the rasdiag.dmp file.
dump > rasdiag.dmp
show installation
Creates a Remote Access Diagnostic Report that includes only diagnostics results for Information Files, Installation Check, Installed Networking Components, and Registry Check and delivers the report to a location you specify.
Syntax
show installation
[type=] {file | email}
[destination=] {FileLocation | EmailAddress}
[[compression=] {enabled | disabled}]
[[hours=] NumberOfHours]
[[verbose=] {enabled | disabled}]
Parameters
[type=] {file | email}
Required. Specifies whether the report should be saved to a file or sent to an e-mail address.
[destination=] {FileLocation | EmailAddress}
Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.
[[compression=] {enabled | disabled}]
Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.
[[hours=] NumberOfHours]
Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information is included.
[[verbose=] {enabled | disabled}]
Specifies the amount of data to include in the report. If you do not specify this parameter, only minimal data is included.
Example
To save a diagnostic report to c:\mytemp\rasdiag.htm, type:
show installation type=file destination="c:\mytemp\rasdiag"
show loglevel
Shows the global logging level for Routing and Remote Access service.
Syntax
show loglevel
set loglevel
Sets the global logging level for Routing and Remote Access service.
Syntax
set loglevel
[state=] {error | warn | all | none}
Parameters
[state=] {error | warn | all | none}
Required. Specifies the level of global logging. The none parameter specifies that no events are logged. The error parameter specifies that only errors are logged. The warn parameter specifies that errors and warnings are logged. The all parameter specifies that all events are logged.
show logs
Creates a Remote Access Diagnostic Report that contains only diagnostics results for Tracing Logs, Modem Logs, Connection Manager Logs, IP Security Log, Remote Access Event Logs, and Security Event Logs and delivers the report to a location you specify.
Syntax
show logs
[type=] {file | email}
[destination=] {FileLocation | EmailAddress}
[[compression=] {enabled | disabled}]
[[hours=] NumberOfHours]
[[verbose=] {enabled | disabled}]
Parameters
[type=] {file | email}
Required. Specifies whether the report should be saved to a file or sent to an e-mail address.
[destination=] {FileLocation | EmailAddress}
Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.
[[compression=] {enabled | disabled}]
Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.
[[hours=] NumberOfHours]
Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information will be included in the report.
[[verbose=] {enabled | disabled}]
Specifies the amount of data to include in the report. If you do not specify this parameter, minimal data is included.
Example
To save a diagnostic report to c:\mytemp\rasdiag.htm, type:
show logs type=file destination="c:\mytemp\rasdiag"
show configuration
Creates a Remote Access Diagnostic Report that includes only diagnostics results for Installed Devices, Process Information, Command-line Utilities, and Phone Book Files and delivers the report to a location you specify.
Syntax
show configuration
[type=] {file | email}
[destination=] {FileLocation | EmailAddress}
[[compression=] {enabled | disabled}]
[[hours=] NumberOfHours]
[[verbose=] {enabled | disabled}]
Parameters
[type=] {file | email}
Required. Specifies whether the report should be saved to a file or sent to an e-mail address.
[destination=] {FileLocation | EmailAddress}
Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.
[[compression=] {enabled | disabled}]
Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.
[[hours=] NumberOfHours]
Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information is included.
[[verbose=] {enabled | disabled}]
Specifies the amount of data to include in the report. If you do not specify this parameter, minimal data is included.
Example
To save a diagnostic report to c:\mytemp\rasdiag.htm, type:
show configuration type=file destination="c:\mytemp\rasdiag"
show all
Creates a Remote Access Diagnostic Report for all remote access logs and delivers the report to a location you specify.
Syntax
show all
[type=] {file | email}
[destination=] {FileLocation | EmailAddress}
[[compression=] {enabled | disabled}]
[[hours=] NumberOfHours]
[[verbose=] {enabled | disabled}]
Parameters
[type=] {file | email}
Required. Specifies whether the report should be saved to a file or sent to an e-mail address.
[destination=] {FileLocation | EmailAddress}
Required. Specifies the full path and file name to which the report should be saved or the full e-mail address to which the report should be sent.
[[compression=] {enabled | disabled}]
Specifies whether to compress the report into a .cab file. If you do not specify this parameter, the report is compressed if you send it to an e-mail address but not if you save it to a file.
[[hours=] NumberOfHours]
Specifies the number of past hours for which to show activity in the report. This parameter must be an integer between 1 and 24. If you do not specify this parameter, all past information is included.
[[verbose=] {enabled | disabled}]
Specifies the amount of data to include in the report. If you do not specify this parameter, minimal data is included.
Example
To save a diagnostic report to c:\mytemp\rasdiag.htm that includes all diagnostic information, type:
show all type=file destination="c:\mytemp\rasdiag"
show cmtracing
Shows whether information about Connection Manager connections is being logged.
Syntax
show cmtracing
set cmtracing
Enables or disables logging of information about all Connection Manager connections.
Syntax
set cmtracing {enabled | disabled}
Parameters
{enabled | disabled}
Required. Specifies whether you want information about Connection Manager connections to be logged. The enabled parameter specifies that you want information to be logged. The disabled parameter specifies that you do not want information to be logged.
show modemtracing
Shows whether modem tracing is enabled or disabled.
Syntax
show modemtracing
set modemtracing
Enables or disables modem tracing for all modems installed for the local computer.
Syntax
set modemtracing {enabled | disabled}
Parameters
{enabled | disabled}
Required. Specifies whether you want modem activity for each modem to be logged. The enabled parameter specifies that you want activity to be logged. The disabled parameter specifies that you do not want activity to be logged.
show rastracing
Shows whether tracing for the given component is enabled. If no component is specified, shows the state of all components.
Syntax
show rastracing [[component=] Component]
Parameters
[component=] Component
Specifies the component for which you want to determine whether tracing is enabled or disabled. If no component is specified, the state of all components is displayed.
set rastracing
Enables or disables tracing and logging of all activity for all remote access components or for a specific remote access component.
Syntax
set rastracing
[component=] {Component | *}
[state=] {enabled | disabled}
Parameters
[component=] {Component | *}
Required. Specifies whether you want to enable or disable tracing and logging for a component that you specify or for all components. The Component parameter specifies the component for which you want to enable or disable tracing and logging. Use '*' to denote all components.
[state=] {enabled | disabled}
Required. Specifies whether you want activity to be traced and logged. The enabled parameter specifies that you want activity to be traced and logged. The disabled parameter specifies that you do not want activity to be traced and logged.
show securityeventlog
Shows whether security events are being logged.
Syntax
show securityeventlog
set securityeventlog
Enables or disables logging of all security events.
Syntax
set securityeventlog {enabled | disabled}
Parameters
{enabled | disabled}
Required. Specifies whether you want security events to be logged. The enabled parameter specifies that you want security events to be logged. The disabled parameter specifies that you do not want security events to be logged.
show tracefacilities
Shows whether all activity for all remote access components or for a remote access component that you specify is being traced and logged.
Syntax
show tracefacilities
set tracefacilities
Enables or disables tracing and logging of all activity for all remote access components that are configured on the local computer.
Syntax
set tracefacilities
[state=] {enabled | disabled | clear}
Parameters
[state=] {enabled | disabled | clear}
Required. Specifies whether you want to enable tracing for all remote access components, to disable tracing, or to clear all logs generated by tracefacilities. The enabled parameter specifies that you want to enable tracing. The disabled parameter specifies that you want to disable tracing. The clear parameter specifies that you want to clear all logs.
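As an added example (not part of the netsh reference), the following Python audit reads the script-form output that the dump commands of the ras, ras aaaa and ras diagnostics contexts produce and flags the settings documented above that weaken a remote access server: the plaintext PAP and MD5-CHAP authentication types, an L2TP IPsec policy that uses a preshared key instead of certificates, a RADIUS authentication server without digital signatures, and accounting, event logging or security event logging switched off. The sample dump, RADIUS server name and secret are constructed; the pushd/popd and '#' layout of a dump is an assumption the reference does not state, and every remediation it prints is a command from the reference.

```python
"""Audit a netsh ras configuration dump for weak remote-access settings."""
import re
import shlex
from collections import namedtuple

# Constructed sample of the script-form output `dump > rascfg.dmp` produces, using only
# commands, parameters and values from the netsh ras reference; the RADIUS server name and
# shared secret are made up. Assumption: the dump follows netsh script conventions
# (pushd/popd context switches, '#' comment lines), which the reference does not describe.
SAMPLE_DUMP = """\
# Remote Access Configuration (constructed sample)
pushd ras
add authtype pap
add authtype md5chap
add authtype mschapv2
popd
pushd ras aaaa
add authserver name=rad1.corp.example secret="P@ssword" port=1812 timeout=5 signature=disabled
set accounting none
set ipsecpolicy psk = enabled secret = "P@ssword"
popd
pushd ras diagnostics
set loglevel state=none
set securityeventlog disabled
popd
"""

# verb/noun: command words; positional/named: its arguments; raw: the normalised line.
Command = namedtuple("Command", "verb noun positional named raw")
Finding = namedtuple("Finding", "severity setting reason remediation")

# Authentication types the reference presents as the weaker choices.
WEAK_AUTHTYPES = {
    "pap": ("high", "PAP sends the password in plaintext"),
    "md5chap": ("medium", "MD5-CHAP relies on an MD5 challenge/response"),
}

def redact(line):
    """Hide shared secrets so the audit report does not leak them."""
    return re.sub(r"(secret=)\S+", r"\1<redacted>", line)

def parse_dump(text):
    """Turn script-form dump output into Command records; 'name = value' becomes 'name=value'."""
    commands = []
    for line in text.splitlines():
        line = re.sub(r"\s*=\s*", "=", line.strip())
        words = line.split()
        if len(words) < 2 or words[0].startswith("#") or words[0] in ("pushd", "popd"):
            continue
        tokens = shlex.split(line)  # keeps secret="P@ssword" as one token
        positional, named = [], {}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if sep:
                named[key.lower()] = value
            else:
                positional.append(tok.lower())
        commands.append(Command(tokens[0].lower(), tokens[1].lower(),
                                tuple(positional), named, line))
    return commands

def arg(cmd, name, index):
    """Parameter given as name=value or positionally ([name=] is optional in the reference)."""
    value = cmd.named.get(name)
    if value is None and len(cmd.positional) > index:
        value = cmd.positional[index]
    return (value or "").lower()

def audit(commands):
    """Run the checks; findings come back most severe first, each fixed by a reference command."""
    findings = []
    for cmd in commands:
        key, pos = (cmd.verb, cmd.noun), cmd.positional[:1]
        if key == ("add", "authtype") and pos and pos[0] in WEAK_AUTHTYPES:
            severity, reason = WEAK_AUTHTYPES[pos[0]]
            findings.append(Finding(severity, cmd.raw, reason, f"delete authtype {pos[0]}"))
        elif key == ("set", "ipsecpolicy") and arg(cmd, "psk", 0) == "enabled":
            findings.append(Finding("medium", redact(cmd.raw),
                                    "L2TP IPsec policy uses a preshared key rather than certificates",
                                    "set ipsecpolicy psk=disabled"))
        elif key[1] == "authserver" and arg(cmd, "signature", 5) == "disabled":
            server = arg(cmd, "name", 0) or "<ServerID>"
            findings.append(Finding("medium", redact(cmd.raw),
                                    "RADIUS authentication server does not use digital signatures",
                                    f"set authserver name={server} signature=enabled"))
        elif key == ("set", "accounting") and pos == ("none",):
            findings.append(Finding("low", cmd.raw, "no accounting of remote access sessions",
                                    "set accounting windows (or radius)"))
        elif key == ("set", "securityeventlog") and pos == ("disabled",):
            findings.append(Finding("low", cmd.raw, "security events are not logged",
                                    "set securityeventlog enabled"))
        elif key == ("set", "loglevel") and arg(cmd, "state", 0) == "none":
            findings.append(Finding("low", cmd.raw, "no Routing and Remote Access events are logged",
                                    "set loglevel state=warn (or all)"))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f.severity))

if __name__ == "__main__":
    for f in audit(parse_dump(SAMPLE_DUMP)):
        print(f"[{f.severity}] {f.setting}\n    {f.reason}; fix: {f.remediation}")
```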
Netsh RAS IP Context Commands
The following commands are specific to the ras IP context within the Netsh environment.
dump
Displays the IP configuration of a remote access server in script form.
Syntax
dump
Example
Following is the command to save the current configuration as a script in the rasipcfg.dmp file.
dump > rasipcfg.dmp
show config
Displays the current IP configuration of the remote access server.
Syntax
show config
set negotiation
Specifies whether the remote access server should allow IP to be configured for any client connections the server accepts.
Syntax
set negotiation
[mode=] {allow | deny}
Parameters
[mode=] {allow | deny}
Required. Specifies whether to permit IP over client connections. The allow parameter allows IP over client connections. The deny parameter prevents IP over client connections.
set access
Specifies whether IP network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.
Syntax
set access
[mode=] {all | serveronly}
Parameters
[mode=] {all | serveronly}
Required. Specifies whether clients should be able to reach the remote access server and any networks to which it is connected. The all parameter allows clients to reach networks through the server. The serveronly parameter allows clients to reach only the server.
set addrassign
Sets the method by which the remote access server should assign IP addresses to its clients.
Syntax
set addrassign
[method=] {auto | pool}
Parameters
[method=] {auto | pool}
Required. Specifies whether IP addresses should be assigned by using DHCP or from a pool of addresses held by the remote access server. The auto parameter specifies that addresses should be assigned by using DHCP. If no DHCP server is available, a random, private address is assigned. The pool parameter specifies that addresses should be assigned from a pool.
set addrreq
Specifies whether dial-in clients should be able to request their own IP addresses.
Syntax
set addrreq
[mode=] {allow | deny}
Parameters
[mode=] {allow | deny}
Required. Specifies whether clients should be able to request their own IP addresses. The allow parameter allows clients to request addresses. The deny parameter prevents clients from requesting addresses.
set broadcastnameresolution
Enables or disables broadcast name resolution using NetBIOS over TCP/IP.
Syntax
set broadcastnameresolution
[mode=] {enabled | disabled}
Parameters
[mode=] {enabled | disabled}
Required. Specifies whether to enable or disable broadcast name resolution using NetBIOS over TCP/IP. The enabled parameter enables broadcast name resolution using NetBIOS over TCP/IP. The disabled parameter disables broadcast name resolution using NetBIOS over TCP/IP.
show broadcastnameresolution
Displays whether broadcast name resolution using NetBIOS over TCP/IP has been enabled or disabled for the remote access server.
Syntax
show broadcastnameresolution
add range
Adds a range of addresses to the pool of static IP addresses that the remote access server can assign to clients.
Syntax
add range
[from=] StartingIPAddress
[to=] EndingIPAddress
Parameters
[from=] StartingIPAddress [to=] EndingIPAddress
Required. Specifies the range of IP addresses to add. The StartingIPAddress parameter specifies the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the range.
Example
To add the range of IP addresses 10.2.2.10 to 10.2.2.20 to the static pool of IP addresses that the remote access server can assign, type:
add range from=10.2.2.10 to=10.2.2.20
delete range
Deletes a range of addresses from the pool of static IP addresses that the remote access server can assign to clients.
Syntax
delete range
[from=] StartingIPAddress
[to=] EndingIPAddress
Parameters
[from=] StartingIPAddress [to=] EndingIPAddress
Required. Specifies the range of IP addresses to delete. The StartingIPAddress parameter specifies the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the range.
Example
To delete the range of IP addresses 10.2.2.10 to 10.2.2.20 from the pool of static IP addresses that the remote access server can assign, type:
delete range from=10.2.2.10 to=10.2.2.20
delete pool
Deletes all addresses from the pool of static IP addresses that the remote access server can assign to clients.
Syntax
delete pool
set preferredadapter
Specifies the preferred adapter for Routing and Remote Access service.
Syntax
set preferredadapter
[name=] InterfaceName
Parameters
[name=] InterfaceName
Specifies the adapter to be used to obtain the IP addresses for allocation (if configured to use DHCP) and the IP addresses of DHCP and WINS servers for assignment to remote access clients and demand-dial routers. If no interface is specified, the server randomly selects an adapter when the Routing and Remote Access service is started.
show preferredadapter
Displays the preferred adapter for Routing and Remote Access service.
Syntax
show preferredadapter
Netsh RAS IPv6 Context Commands
The following commands are specific to the ras IPv6 context within the Netsh environment.
dump
Displays the IPv6 configuration of a remote access server in script form.
Syntax
dump
You can dump the contents of the current configuration to a file that can be used to restore altered configuration settings.
Example
The following is the command to save the current configuration as a script in the rasipv6cfg.dmp file.
dump > rasipv6cfg.dmp
set negotiation
Specifies whether the remote access server should allow IPv6 to be configured for any client connections the server accepts.
Syntax
set negotiation
[mode=] {allow | deny}
Parameters
[mode=] {allow | deny}
Required. Specifies whether to permit IPv6 over client connections. The allow parameter allows IPv6 over client connections. The deny parameter prevents IPv6 over client connections.
set access
Specifies whether IPv6 network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.
Syntax
set access
[mode=] {all | serveronly}
Parameters
[mode=] {all | serveronly}
Required. Specifies whether clients should be able to reach the remote access server and any networks to which it is connected. The all parameter allows clients to reach networks through the server. The serveronly parameter allows clients to reach only the server.
set prefix
Sets the static IPv6 prefix that the remote access server uses to advertise to clients.
Syntax
set prefix
[prefix=] IPv6Prefix
Parameters
[prefix=] IPv6Prefix
Required. Specifies the IPv6 prefix in the form: 'x:x:x:x::'
Example
The following sets the IPv6 prefix to 3ffe:ffff:a:1::.
set prefix prefix=3ffe:ffff:a:1::
show config
Displays the current IP configuration of the remote access server.
Syntax
show config
Netsh Commands for Remote Procedure Call (RPC)
netsh rpc is a command-line tool that you can use to create remote procedure call (RPC) Firewall Filters and the rules and conditions that are associated with the filters.
You can run the Netsh RPC commands from the command prompt for the netsh rpc context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh rpc before typing commands and parameters as they appear in the syntax.
You must have the required permissions to run the netsh rpc commands:
If you are a member of the Administrators group, and User Account Control is enabled on your computer, run the commands from a command prompt with elevated permissions. To open a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.
If you are a member of the Network Operators group, you can run the commands from any command prompt.
If you are not a member of Administrators or Network Operators and you have not been delegated any other permissions to run this command, you can run only the commands that display the settings, not the commands that change the settings.
filter
This command changes the command-line context to the netsh rpc filter subcontext. This subcontext is for running commands that set rules and conditions for RPC Firewall filtering.
Parameters
add rule
Adds an RPC Firewall Filter rule.
add condition
Adds a condition to an existing RPC Firewall Filter rule.
add filter
Adds an RPC Firewall Filter.
show filter
Displays a list of active RPC Firewall Filters.
delete filter
Deletes all active RPC Firewall Filters and the rules and conditions that are associated with those filters.
delete rule
Deletes the existing RPC Firewall Filter rules.
/?
Displays help at the command prompt.
add rule
Adds a rule to specify an action when a given condition is met. Rules and conditions are combined to specify RPC Firewall Filters.
Use the following order when you add rules, conditions, and filters:
1. Add rule. The information in this "add rule" section provides details for step 1 (adding rules), including syntax, parameters, and allowed values.
2. Add conditions.
3. Add the filter that is created by the combination of rules and conditions that you enter.
Syntax
filter add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>] [[persistence=]volatile] [[audit=]enable]
Parameters
The following sections provide information about the Layer tag and the values of the parameters that are associated with the Layer tag.
Layer tag
RPC Firewall layers represent abstract connection types. Each layer applies to a different aspect of an RPC connection. RPC Firewall layers are not directly related to RPC architectural components, but they are used to specify an aspect or type of RPC connection.
Tag Required Default Description Allowed values
Layer Yes None Specifies an RPC communications protocol layer. um, epmap, ep_add, proxy_conn, proxy_if
Actiontype Yes None Describes the action to take for the specified layer: block the item, permit the item to invoke a function that executes in another process, or continue processing the rule. Block, Permit, Continue
Filterkey No A randomly generated Universally Unique Identifier (UUID) A 128-bit identifier that uniquely identifies this filter. UUID
Persistence No Persistent Persists or does not persist if the system is restarted. Persistent, Volatile
Audit No Disabled Allows auditing of the process or does not audit the process. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events where a rule would have been applied. Enabled, Disabled
Allowed values for the Layer tag
Value Name Description
um User Mode layer
An RPC communications protocol layer that is used for high-level policies, such as filtering on a user or application identity.
epmap The Endpoint Mapper layer
An RPC communications protocol layer that is used to write interface-specific rules.
ep_add Endpoint Addition layer
A layer that allows dynamic or static endpoint ports to be added for each interface. These layers are not used for filtering. Instead, they are containers that specify an interface and an endpoint to add to the process hosting the interfaces.
proxy_conn RPC Proxy Connect layer
An RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.
proxy_if RPC Proxy Interface layer
An RPC communications protocol layer that is used to write interface-specific rules for an RPC proxy role.
Allowed values for the Actiontype tag
Value Description
Block Does not allow the specified item access over RPC.
Permit Allows the specified item access over RPC.
Continue Does not allow the specified item access over RPC until all rules in the filter are run. Access is based on the cumulative results of all the rules in the filter.
Allowed values for the Filterkey tag
Value Name Description
UUID Universally Unique Identifier A unique, 128-bit identifier that identifies this filter.
Allowed values for the Persistence tag
Value Description
Persistent The value is stored on the disk and persists through a system restart. This is the default value.
Volatile The value is not stored. If the system is restarted, the value is lost.
Allowed values for the Audit tag
Value Description
Enabled
Specifies that the RPC filtering engine runs in Audit mode. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events when a rule would be applied.
Auditing is not allowed for the ep_add layer.
Disabled Specifies that the RPC filtering engine does not run in Audit mode. Instead, the RPC filtering engine actively filters traffic and applies the filtering rules. This is the default value.
Examples
The following example adds a rule to block RPC traffic that matches the given condition. This rule applies to the user mode (um) layer. A specific filter key identifies the filter.
add rule layer=um actiontype=block
The following example is a rule to add an endpoint to an interface. The rule references a specific filterkey. This is the only rule that is necessary for adding a dynamic endpoint to an interface.
add rule layer=epmap actiontype=permit filterkey=11111111-2222-3333-4444-555555555555
add condition
Adds a condition that must be met so that a filtering rule can be applied. Conditions are combined with rules to specify RPC Firewall Filters.
Use the following order when you add rules, conditions, and filters:
1. Add rule.
2. Add conditions. The information in this "add condition" section provides details for step 2, including syntax, parameters, and allowed values.
3. Add the filter that is created by the combination of rules and conditions that you enter.
Syntax
filter add condition [field=]<string> [matchtype=]<string> [data=]<string>
Parameters
See the following tables for the add condition parameters and their values. The filtering engine checks that the condition you specify is met before the associated rule is run and the filtering is applied. An administrator can use the parameters and their values to fine-tune the filter so that it applies only to the specified RPC port, interface, or transport.
Tag Required Default Description Allowed Values
Field Yes None
Identifies the RPC field where the condition applies. The allowed values of the field tag vary, depending on the layer that is specified in the filtering rule.
See the tables in the section "Allowed values for the Field tag by Layer."
MatchType Yes None Defines the type of comparison to perform on a given field.
See the tables in the section "Allowed values for the MatchType tag."
Data Yes None
The data that is used for making comparisons to the value in the field to determine whether your condition is met or not met. The data is compared to the value using the comparison that is defined in the MatchType tag.
The value that is allowed for the Data tag varies for each field that is specified.
Allowed values for the Field tag by Layer
The allowed values for the Field tag depend on the RPC layer to which the rules apply. For each layer, there is a set of allowed Field values. The layer is specified in the add rule command. The following tables describe the allowed values for the Field tag by RPC layer.
Allowed values for the User Mode Layer
The following values for filtering are allowed for User Mode (UM) Layer conditions. There are no required fields for UM Layer conditions.
Allowed value Description
if_uuid
The 128-bit interface UUID. The UUID is formatted as follows:
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
if_version The version of the interface as defined in the RPC Interface Definition Language (IDL) file.
if_flag
The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is described in the following table.
Flag Value Description
RPC_FW_IF_FLAG_DCOM 0x0001 This flag indicates the condition applies to DCOM activations or calls to DCOM interfaces.
For example, to create a condition to block a DCOM activation, use the following command:
netsh rpc filter add condition field=if_flag matchtype=equal data=0x0001
dcom_app_id
The UUID of the DCOM application where the condition is applied. The UUID is formatted as follows:
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
image_name
The name of the executable image. It is specified with an s preceding the name if the name is given in ASCII or with a w if the name is Unicode. For example, to apply this condition on Image.exe, use the following command:
Netsh rpc filter add condition field=image_name matchtype=equal data=simage.exe
protocol The protocol over which to block. It must be one of the following strings:
NCACN_IP_TCP to indicate the TCP protocol
NCACN_NP to indicate the named pipes protocol
For example, to create a rule that applies to the TCP protocol, use the following command:
netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP
auth_type The authentication service type. The value is specified as a decimal number.
auth_level The authentication-level constant. This value represents authentication levels that are passed to various run-time functions. The value is specified as a decimal number in increasing order, starting with 0.
sec_encrypt_alg The certificate-based, security service provider interface (SSPI) encryption algorithm.
sec_key_size The certificate-based, SSPI encryption key size.
remote_user_token A data structure that contains authentication and authorization information for a remote user.
local_addr_v4 The local IP version 4 (IPv4) address over which to apply the condition. The data is in hexadecimal 0x notation.
local_addr_v6 The local IP version 6 (IPv6) address over which to apply the condition. The data is in standard colon notation.
remote_addr_v4 The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.
remote_addr_v6 The remote IPv6 address over which to apply the condition. The data is in standard colon notation.
local_port The local port where the condition is applied. The port is a decimal number.
pipe The remote named pipe that provides communication between processes on different computers.
Allowed values for the Endpoint Mapper (EPMAP) Layer
The following values for filtering are allowed for EPMAP Layer conditions. Conditions for the EPMAP layer are used to create interface-specific rules. The if_uuid and if_version values are both required. The if_uuid value must be the first value that is specified.
Value Description
if_uuid
The 128-bit, interface UUID. The UUID is formatted as follows:
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
The if_uuid is a required value for the EPMAP Layer, and it must be the first value that is specified.
if_version
The version of the interface as defined in the RPC IDL file. This is a decimal number.
The if_version field is a required value for the EPMAP Layer, and it must be the second value that is specified.
protocol
The protocol over which to block. It must be one of the following strings:
NCACN_IP_TCP, to indicate the TCP protocol
NCACN_NP, to indicate the named pipes protocol
For example, to create a rule that applies to the TCP protocol, use the following command:
netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP
auth_type
The authentication service type.
The value is specified as a decimal number.
auth_level
The authentication-level constant. This represents authentication levels that are passed to various run-time functions.
The value is specified as a decimal number in increasing order starting with 0.
sec_encrypt_alg The certificate-based, SSPI encryption algorithm.
sec_key_size The certificate-based, SSPI encryption key size.
remote_user_token A data structure that contains authentication and authorization information for a remote user.
local_addr_v4 The local IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.
local_addr_v6 The local IPv6 address over which to apply the condition. The data is in standard colon notation.
remote_addr_v4 The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.
remote_addr_v6 The remote IPv6 address over which to apply the condition. The data is in standard colon notation.
local_port The local port on which to apply the condition. The port is a decimal number.
pipe The remote named pipe that provides communication between processes on different computers.
Allowed values for the Proxy Interface (PROXY_IF) layer
The following values for filtering are allowed for PROXY_IF Layer conditions. The proxy_if layer applies to interface-specific conditions and rules on an RPC proxy. The if_uuid value is required, and it must be the first value that is specified.
Value Description
if_uuid
The 128-bit interface UUID. The UUID is formatted as follows:
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
The if_uuid value is required, and it must be the first value that is specified.
if_version The version of the interface as defined in the RPC IDL file. This is a decimal number.
server_name The name of the server that is the target for the condition. The name is specified as a string, preceded by s for ASCII or w for Unicode.
server_port The server port that is the target for the condition. The port is specified as a decimal value.
proxy_auth_type The RPC proxy authentication service type.
client_token A data structure that contains authentication and authorization information for the client when it is using an RPC proxy.
client_cert_oid The object identifier in the client certificate.
cert_key_length The SSL key length in the client certificate.
Allowed values for the Endpoint Addition (EP_ADD) layer
The following values for filtering are allowed for EP_ADD Layer conditions. The EP_ADD layer allows dynamic or static ports to be added to interfaces at run time, regardless of the application. The process_with_if_uuid value is required for the EP_ADD layer, and it must be the first value that is specified. The protocol value is required for the EP_ADD layer, and it must be the second value that is specified.
Value Description
process_with_if_uuid The UUID of the interface on which to add the dynamic endpoint port. This value is required, and it must be the first value that is specified.
protocol
The protocol over which to block. It must be one of the following strings:
NCACN_IP_TCP, to indicate the TCP protocol.
NCACN_NP, to indicate the named pipes protocol.
For example, to create a rule that applies to the TCP protocol, use the following command:
netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP
The protocol value is a required value for the EP_ADD layer, and it must be the second value that is specified.
ep_value The port on which to add the endpoint. The value is specified as a decimal value. If it is not specified, a dynamic endpoint, rather than a static endpoint port, is added to the interface.
ep_flags
The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is described in the following table.
Flag Value Description
RPC_FW_IF_FLAG_DCOM 0x0001 This flag indicates that the condition applies to DCOM activations or calls to DCOM interfaces.
For example, to create a condition to block a DCOM activation, use the following command:
netsh rpc filter add condition field=if_flag matchtype=equal data=0x0001
Allowed values for the Proxy Connect (PROXY_CONN) layer
The following values for filtering are allowed for PROXY_CONN Layer conditions. The PROXY_CONN layer is an RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.
Value Description
server_name The name of the target server that the condition applies to. This is specified as a string preceded with s for ASCII or w for Unicode.
server_port The target server port that the condition applies to. This is specified as a decimal value.
proxy_auth_type The RPC proxy authentication service type.
client_token The client user identity that is produced by the front-end authentication.
client_cert_key_name The client certificate key name.
client_cert_oid The object identifier in the client certificate.
Allowed values for the MATCHTYPE tag
The match type specifies the type of comparison to perform on a given value.
Value Description
Equal Tests whether the value is equal to the condition value.
Greater Tests whether the value is greater than the condition value.
Less Tests whether the value is less than the condition value.
Greater or equal Tests whether the value is greater than or equal to the condition value.
Less or equal Tests whether the value is less than or equal to the condition value.
Range Tests whether the value is within a given range of condition values.
All set Tests whether all flags are set.
Any set Tests whether any flags are set.
None set Tests whether no flags are set.
add filter
You can specify the rule and the conditions and run the add filter command, which takes those rules and conditions and adds them as a filter to the firewall. You must already have added at least one rule and one condition.
Use the following order when you add rules, conditions, and filters:
1. Add rule.
2. Add conditions.
3. Add the filter that is created by the combination of rules and conditions that you enter. This "add filter" section provides the syntax.
Syntax
filter add filter
Parameters
This command has no parameters. The command combines the rule and conditions to create an RPC Firewall Filter.
show filter
Lists the active RPC Firewall Filters.
Syntax
filter show filter
Parameters
This command has no parameters. This command lists the currently active RPC filters.
delete filter
Deletes all active RPC Firewall Filters.
Syntax
filter delete filter [filterkey=]{all | <GUID>}
Parameters
Value Description
All Deletes all filters. Removes all filters and all rules and conditions that are associated with the filters.
<GUID> Globally unique identifier (GUID). The 128-bit filter identifier. This value is specified in the filterkey tag when you use the add filter command or it is automatically generated. If it is not specified, you can find the filter key by running the show filter command. The identifier is specified in the following notation:
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Example
The following example deletes all RPC Firewall Filters:
delete filter filterkey=all
The following example deletes the filter identified by filter key 11111111-2222-3333-4444-555555555555:
delete filter filterkey=11111111-2222-3333-4444-555555555555
delete rule
Deletes the current RPC Firewall Filter rule.
Syntax
filter delete rule
Parameters
This command has no parameters. This command deletes the current RPC Firewall Filter rule. The command deletes the firewall filter rule and associated conditions.
Examples of RPC Firewall Filter commands
The following examples demonstrate the use of RPC Firewall Filters in real-world situations.
To block all RPC connections over TCP:
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP
netsh rpc filter add filter
To block RPC connections on port 12345:
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=local_port matchtype=equal data=12345
netsh rpc filter add filter
To block RPC connections from server 192.168.1.1:
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remote_addr_v4 matchtype=equal data=0xC0A80101
netsh rpc filter add filter
To add a dynamic endpoint for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:
netsh rpc filter add rule layer=ep_add actiontype=permit
netsh rpc filter add condition field=process_with_if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=protocol matchtype=equal data=ncacn_ip_tcp
netsh rpc filter add filter
To block RPC connections for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:
netsh rpc filter add rule layer=epmap actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=if_version matchtype=equal data=1
netsh rpc filter add filter
For an RPC proxy, it is possible to block RPC connections through the RPC proxy where the target server is named TargetServer:
netsh rpc filter add rule layer=proxy_conn actiontype=block
netsh rpc filter add condition field=server_name matchtype=equal data=sTargetServer
netsh rpc filter add filter
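The examples above all follow the same rule, conditions, add filter sequence, and each layer has its own allowed fields, required field order and data encodings (IPv4 data in 0x notation, s/w-prefixed strings, UUIDs). The following generator is an added example, not part of the netsh reference; it encodes those documented constraints so a hardening script emits the commands in the right order and rejects a condition that the chosen layer does not allow. The underscore spellings of the match types other than equal are an assumption derived from the names in the MATCHTYPE table.

```python
"""Generate an ordered 'netsh rpc filter' command sequence from a rule and its conditions."""
import ipaddress
import uuid

# Allowed condition fields per layer, taken from the reference tables.
_COMMON = {"protocol", "auth_type", "auth_level", "sec_encrypt_alg", "sec_key_size",
           "remote_user_token", "local_addr_v4", "local_addr_v6", "remote_addr_v4",
           "remote_addr_v6", "local_port", "pipe"}
LAYER_FIELDS = {
    "um": _COMMON | {"if_uuid", "if_version", "if_flag", "dcom_app_id", "image_name"},
    "epmap": _COMMON | {"if_uuid", "if_version"},
    "ep_add": {"process_with_if_uuid", "protocol", "ep_value", "ep_flags"},
    "proxy_if": {"if_uuid", "if_version", "server_name", "server_port", "proxy_auth_type",
                 "client_token", "client_cert_oid", "cert_key_length"},
    "proxy_conn": {"server_name", "server_port", "proxy_auth_type", "client_token",
                   "client_cert_key_name", "client_cert_oid"},
}
# Fields that must be given first (and second) on a layer, per the reference.
REQUIRED_ORDER = {
    "epmap": ["if_uuid", "if_version"],
    "ep_add": ["process_with_if_uuid", "protocol"],
    "proxy_if": ["if_uuid"],
}
ACTIONS = {"block", "permit", "continue"}
# 'equal' is used in the reference examples; the underscore forms of the other
# match types are an assumption derived from the documented names.
MATCH_TYPES = {"equal", "greater", "less", "greater_or_equal", "less_or_equal",
               "range", "all_set", "any_set", "none_set"}
UUID_FIELDS = {"if_uuid", "dcom_app_id", "process_with_if_uuid"}
STRING_FIELDS = {"image_name", "server_name"}
PROTOCOLS = {"NCACN_IP_TCP", "NCACN_NP"}


def encode_data(field, value):
    """Return value in the representation the reference documents for this field."""
    field = field.lower()
    if field in ("local_addr_v4", "remote_addr_v4"):
        # IPv4 data is given in hexadecimal 0x notation (192.168.1.1 -> 0xC0A80101).
        return "0x%08X" % int(ipaddress.IPv4Address(value))
    if field in ("local_addr_v6", "remote_addr_v6"):
        return str(ipaddress.IPv6Address(value))  # standard colon notation
    if field in UUID_FIELDS:
        return str(uuid.UUID(value))  # XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    if field in STRING_FIELDS:
        # s prefix for an ASCII name, w prefix for a Unicode name.
        return ("s" if value.isascii() else "w") + value
    if field == "protocol":
        if value.upper() not in PROTOCOLS:
            raise ValueError("protocol must be one of %s" % sorted(PROTOCOLS))
        return value.upper()
    return str(value)  # decimal numbers and 0x flag values pass through unchanged


def build_filter(layer, action, conditions, filterkey=None, volatile=False, audit=False):
    """Return the netsh lines for one filter: the rule, its conditions in order, add filter.

    conditions is a list of (field, matchtype, data) tuples in the order they are added.
    """
    layer, action = layer.lower(), action.lower()
    if layer not in LAYER_FIELDS:
        raise ValueError("unknown layer %r" % layer)
    if action not in ACTIONS:
        raise ValueError("unknown actiontype %r" % action)
    if audit and layer == "ep_add":
        raise ValueError("auditing is not allowed for the ep_add layer")
    given = [f.lower() for f, _, _ in conditions]
    for pos, required in enumerate(REQUIRED_ORDER.get(layer, [])):
        if len(given) <= pos or given[pos] != required:
            raise ValueError("%s layer requires %s as condition %d" % (layer, required, pos + 1))
    rule = "netsh rpc filter add rule layer=%s actiontype=%s" % (layer, action)
    if filterkey is not None:
        rule += " filterkey=%s" % uuid.UUID(filterkey)
    if volatile:
        rule += " persistence=volatile"
    if audit:
        rule += " audit=enable"
    lines = [rule]
    for field, matchtype, data in conditions:
        field, matchtype = field.lower(), matchtype.lower()
        if field not in LAYER_FIELDS[layer]:
            raise ValueError("field %s is not allowed on the %s layer" % (field, layer))
        if matchtype not in MATCH_TYPES:
            raise ValueError("unknown matchtype %r" % matchtype)
        lines.append("netsh rpc filter add condition field=%s matchtype=%s data=%s"
                     % (field, matchtype, encode_data(field, data)))
    lines.append("netsh rpc filter add filter")
    return lines


if __name__ == "__main__":
    # Regenerates the reference's 'block RPC connections from server 192.168.1.1' example.
    print("\n".join(build_filter("um", "block", [("remote_addr_v4", "equal", "192.168.1.1")])))
```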
Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)
You can use commands in the netsh winhttp context to configure proxy and tracing settings for Windows HTTP. The Netsh commands for winhttp can be run manually at the netsh prompt or in scripts and batch files.
To run these commands from the command prompt, you must either enter the netsh winhttp context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then winhttp to enter the netsh winhttp context, you must type:
netsh winhttp command
Netsh winhttp commands
The following entries provide details for each command.
flush logbuffer
Flushes the internal buffers for the log files.
Syntax
flush logbuffer
import proxy
Imports the proxy settings from the Internet Options of the Internet Explorer Web browser. Importing settings from IE is the only available option.
Syntax
import proxy source=ie
reset proxy
Resets the WinHTTP proxy setting to DIRECT.
Syntax
reset proxy
reset tracing
Resets the WinHTTP trace parameters to the default settings.
Syntax
reset tracing
The default settings are:
Tracing State: Disable
Trace-file-prefix: None
Output: File
Level: Default
Format: Ansi
Max-trace-file-size: 65535
set proxy
Configures the WinHTTP proxy setting.
Syntax
set proxy [proxy-server=] ProxyServerName [bypass-list=] <HostsList>
Parameters
Proxy-Server
Required. Specifies the proxy server to use for http, secure http (https), or both http and https protocols.
Bypass-list
Optional. Specifies a list of Web sites that should be visited without utilizing the proxy server. Use "<local>" to bypass all short name hosts.
Examples
Following are three examples of how to use the set proxy command.
set proxy myproxy
set proxy myproxy:80 "<local>bar"
set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.contoso.com"
set tracing
Configures the WinHTTP tracing parameters.
Syntax
set tracing [output=] file | debugger | both [trace-file-prefix=] FilePrefix [level=] default | verbose [format=] ansi | hex [max-trace-file-size=] FileSize [state=] enabled | disabled
Parameters
Output
Optional. Specifies whether tracing data is exported to a file, a debugger, or both.
Trace-file-prefix
Optional. Specifies a string value that is a prefix for the log file. The file prefix can include a folder location/path. Type "*" to delete an existing prefix.
Level
Optional. Specifies the amount of information to log.
Format
Optional. Specifies the display format of network traffic (hexadecimal or ansi).
Max-trace-file-size
Optional. Specifies a numeric value that is the maximum size of the trace file in bytes.
State
Required. Specifies whether tracing is enabled or disabled.
Examples
Following are two examples of how to use the set tracing command.
set tracing trace-file-prefix="C:\Temp\Test3" level=verbose format=hex
set tracing output=debugger max-trace-file-size=512000 state=enabled
show proxy
Displays the current WinHTTP proxy setting.
Syntax
show proxy
show tracing
Displays the current WinHTTP tracing parameters.
Syntax
show tracing
Netsh Commands for Windows Sockets (WINSOCK)
You can use commands in the netsh winsock context to configure Windows Sockets. The Netsh commands for winsock can be run manually at the netsh prompt or in scripts and batch files.
To run these commands from the command prompt, you must either enter the netsh winsock context or prepend the context to the command. For example, if you are at the command prompt but have not typed netsh and then winsock to enter the netsh winsock context, you must type:
netsh winsock command
Netsh winsock command reference
The following entries provide details for each command.
audit trail
Shows the audit trail of Layered Service Providers (LSPs) that have been installed and uninstalled.
Syntax
audit trail
remove provider
Removes a Winsock Layered Service Provider (LSP) from the system.
Syntax
remove provider catalog_id
Parameters
catalog_id
Required. Specifies the catalog identifier of the Layered Service Provider (LSP) that you want to remove from the system.
reset
Restores the Winsock Catalog to a clean state and uninstalls all Winsock Layered Service Providers.
Syntax
reset
show catalog
Displays the contents of the Winsock Catalog.
Syntax
show catalog
Sample output:
Winsock Catalog Provider Entry
Entry Type: Base Service Provider
Description: MSAFD Tcpip [UDP/IP]
Provider ID: {E7041AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1002
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Protocol Chain Length: 1
Winsock Catalog Provider Entry
Entry Type: Base Service Provider
Description: MSAFD Tcpip [RAW/IP]
Provider ID: {E7041AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1003
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 3
Protocol: 0
Protocol Chain Length: 1
Winsock Catalog Provider Entry
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IPv6]
Provider ID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1004
Version: 2
Address Family: 23
Max Address Length: 28
Min Address Length: 28
Socket Type: 1
Protocol: 6
Protocol Chain Length: 1
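The show catalog output above is what an administrator reviews when an unexpected Layered Service Provider (LSP) is suspected, before deciding whether to use remove provider or reset. The parser below is an added example, not part of the netsh reference: it reads that output format (including a Provider ID wrapped across two lines), flags entries that are not Microsoft base providers under the system directory, and produces the matching remove provider commands for review. The catalog text is constructed; the second entry is a made-up LSP included only to show what a flagged entry looks like.

```python
"""Parse 'netsh winsock show catalog' output and flag provider entries worth reviewing."""
import re

# Constructed sample in the reference's output format; the second entry is fictitious.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider ID:                        {E7041AA0-AB8B-11CF-8CA3-
00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        2
Protocol:                           17
Protocol Chain Length:              1

Winsock Catalog Provider Entry
Entry Type:                         Layered Service Provider
Description:                        Example LSP (constructed entry)
Provider ID:                        {00000000-1111-2222-3333-444444444444}
Provider Path:                      C:\Users\Public\examplelsp.dll
Catalog Entry ID:                   1040
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""

ENTRY_MARKER = "Winsock Catalog Provider Entry"
KEY_VALUE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
# Microsoft's base providers live under the system directory (see the sample output).
SYSTEM_PREFIX = "%systemroot%\\system32\\"


def parse_catalog(text):
    """Return one dict per provider entry, joining values that wrap onto a second line."""
    entries, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ENTRY_MARKER:
            current, last_key = {}, None
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first entry marker
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:
            current[last_key] += line  # continuation of a wrapped value such as Provider ID
    return entries


def flag_entries(entries):
    """Return (catalog id, description, reason) for entries an administrator should review."""
    flagged = []
    for e in entries:
        reasons = []
        if e.get("Entry Type") != "Base Service Provider":
            reasons.append("not a base provider: %s" % e.get("Entry Type"))
        if not e.get("Provider Path", "").lower().startswith(SYSTEM_PREFIX):
            reasons.append("provider loaded from outside the system directory")
        if reasons:
            flagged.append((e.get("Catalog Entry ID"), e.get("Description"), "; ".join(reasons)))
    return flagged


def removal_commands(flagged):
    """Commands that remove the flagged providers; run them only once each entry is confirmed unwanted."""
    return ["netsh winsock remove provider %s" % cid for cid, _, _ in flagged]


if __name__ == "__main__":
    flagged = flag_entries(parse_catalog(SAMPLE_CATALOG))
    for cid, desc, reason in flagged:
        print("catalog entry %s (%s): %s" % (cid, desc, reason))
    print("\n".join(removal_commands(flagged)))
```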
Netsh Commands for Wireless Local Area Network (WLAN)
The Netsh commands for wireless local area network (WLAN) provide methods to configure 802.11 wireless connectivity and security settings for computers running Windows Vista® and Windows Server® 2008. You can use the Netsh WLAN commands to configure the local computer or to configure multiple computers by using a logon script. You can also use the netsh WLAN commands to view applied wireless Group Policy settings.
Wireless Network (IEEE 802.11) Policies profiles are read-only, and cannot be modified or deleted by using Netsh WLAN commands.
Running Netsh wlan commands on computers running Windows Server 2008
To run Netsh WLAN commands on computers running Windows Server 2008, you must first install the Wireless LAN Service.
Note:
On computers running Windows Server 2008, installing the Wireless LAN Service in Server Manager / Features, adds and starts the WLAN AutoConfig service. WLAN AutoConfig is located in Server Manager/Diagnostics/Services Microsoft Management Console (MMC). To remove the WLAN AutoConfig service from a Computer running Windows Server 2008, you must remove (uninstall) the Wireless LAN Service from Server Manager / Features.
To install the Wireless LAN Service on computers running Windows Server 2008, do one of the following:
In Initial Configuration Tasks, in Customize This Server, click Add Features. The Add Features Wizard opens.
Click Start, and then click Server Manager. In the left pane of Server Manager, click Features, and in the details pane, in Features Summary, click Add Features. The Add Features Wizard opens.
In Select Features, in Features, scroll down the list, select Wireless LAN Service, and then click Next.
In Confirm installation selections, click Install.
In Installation Results, review your installation results, and then click Close.
Netsh WLAN commands
add filter
Adds a wireless network, by Service Set Identifier (SSID), to the wireless allowed or blocked list.
Syntax
add filter permission={allow|block|denyall} ssid=WirelessNetworkName networktype={infrastructure|adhoc}
Parameters
Permission
Required. Specifies the permission type of the filter.
SSID
Required [conditional, see "Remarks"]. SSID of the wireless network.
Networktype
Required. Specifies the wireless network type.
Example commands
add filter permission=allow ssid=WiFiNetwork networktype=infrastructure
add filter permission=block ssid="Wireless Net" networktype=adhoc
add filter permission=denyall networktype=infrastructure
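The three add filter forms above combine into an allow-list: deny everything, then allow the approved SSIDs. The following PowerShell script is an added example, not from this reference; it assumes an elevated session on a computer with WLAN AutoConfig running, and the SSIDs in it are constructed samples.

```powershell
# Added example (not from the netsh reference): enforce a WLAN allow-list with
# add filter, then verify it with show filters. Assumes an elevated PowerShell
# session on Windows with WLAN AutoConfig running; the SSIDs are constructed samples.
$AllowedSsids = @('CorpWiFi', 'Corp Guest')   # constructed sample values

function Invoke-NetshWlan {
    # Runs "netsh wlan <args>" and fails loudly instead of silently continuing.
    param([Parameter(Mandatory)][string[]]$NetshArgs)
    $output = & netsh.exe wlan @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh wlan $($NetshArgs -join ' ') failed: $($output -join ' ')"
    }
    return $output
}

# 1. Deny every network that is not explicitly allowed, for both network types.
foreach ($type in 'infrastructure', 'adhoc') {
    Invoke-NetshWlan -NetshArgs 'add', 'filter', 'permission=denyall', "networktype=$type"
}

# 2. Allow only the approved infrastructure SSIDs. An SSID containing spaces is
#    passed as a single "ssid=..." argument so netsh receives the whole name.
foreach ($ssid in $AllowedSsids) {
    Invoke-NetshWlan -NetshArgs 'add', 'filter', 'permission=allow', "ssid=$ssid", 'networktype=infrastructure'
}

# 3. Hide the blocked networks from the visible network list (set blockednetworks).
Invoke-NetshWlan -NetshArgs 'set', 'blockednetworks', 'display=hide'

# 4. Verify: every approved SSID must appear in the allow list reported by show filters.
$allowList = Invoke-NetshWlan -NetshArgs 'show', 'filters', 'permission=allow'
foreach ($ssid in $AllowedSsids) {
    if ($allowList -match [regex]::Escape($ssid)) {
        Write-Output "OK      : allow filter present for '$ssid'"
    } else {
        Write-Warning "MISSING : no allow filter for '$ssid'"
    }
}
```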
add profile
Adds a WLAN profile to the specified interface on the computer.
Syntax
add profile filename= PathAndFileName [[interface=]InterfaceName] [[user=]{all|current}]
Parameters
Filename
Required. Specifies both the path to, and name of, the XML file containing the profile data.
Interface
Optional. Specifies the name of the wireless interface on which to add the profile (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
User
Optional. Specifies whether the profile is applied only to the current user or to all users.
Example commands
add profile filename=C:\Users\WirelessUser\Documents\profile1.xml interface="Wireless Network Connection"
add profile filename="C:\Wireless Profiles\WiFi Profile.xml" interface=w*
connect
Connects to a wireless network by using the specified parameter.
Syntax
connect [[ssid=]WirelessNetworkName] name=ProfileName interface=InterfaceName
Parameters
SSID
Optional [conditional, see "Remarks"]. Specifies the SSID of the wireless network.
Name
Required. Specifies the name of the wireless profile to use for the connection attempt (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).
Interface
Required [conditional, see "Remarks"]. Specifies the wireless interface to use for the connection attempt (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Examples
connect ssid=WiFiNetwork name=Profile1
connect ssid="Wireless Net" name=Profile2 interface="Wireless Network Connection"
delete filter
Removes a wireless network from the wireless allowed or blocked list.
Syntax
delete filter permission={allow|block|denyall} ssid=WirelessNetworkName networktype={infrastructure|adhoc}
Parameters
Permission
Required. Specifies the permission type of the filter.
SSID
Required [conditional, see "Remarks"]. Specifies the SSID of the wireless network.
Networktype
Required. Specifies whether the wireless network type is adhoc or infrastructure.
Example commands
delete filter permission=allow ssid=WiFiNetwork networktype=infrastructure
delete filter permission=block ssid="Wireless Net" networktype=adhoc
delete filter permission=denyall networktype=adhoc
delete profile
Removes a WLAN profile from one or multiple interfaces.
Syntax
delete profile name=ProfileName [[interface=]InterfaceName]
Parameters
Name
Required. Specifies the name of the wireless profile to delete (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).
Interface
Optional. Specifies the name of the wireless interface on which to delete the profile (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Example commands
delete profile name="Profile 1" interface="Wireless Network Connection"
delete profile name=Profile2 interface=*
delete profile name="Profile 1" i=*
disconnect
Disconnects the specified interface from a wireless network.
Syntax
disconnect interface=InterfaceName
Parameters
Interface
Required [conditional, see "Remarks"]. Specifies which wireless interface is used for the disconnect attempt (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Example commands
disconnect
disconnect interface="Wireless Network Connection"
export profile
Saves WLAN profiles as XML files to the specified location.
Syntax
export profile folder=PathAndFileName [[name=]ProfileName] [[interface=]InterfaceName]
Parameters
Folder
Optional. Specifies the path and file where the profile XML file is to be saved, and the name to use for the saved file.
Name
Optional. Specifies the name of the wireless profile to export (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).
Interface
Optional. Specifies the name of the wireless interface on which the profile is configured (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Example commands
export profile folder=c:\profiles name="Profile 1" interface="Wireless Network Connection"
export profile folder="c:\wifi profiles" name=Profile2 interface=*
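Export profile is the natural basis for a configuration audit: enumerate the profiles that show profiles lists, export each one, and inspect the resulting XML. The script below is an added example and not part of this reference; it assumes an elevated session, English-language netsh output, and a placeholder export directory, and the XML element names it reads come from the WLAN profile schema, which this reference does not describe.

```powershell
# Added example (not from the netsh reference): export every WLAN profile listed by
# "show profiles" with "export profile", then flag weak security settings in the XML.
# Assumes an elevated session and English netsh output; $ExportDir is a placeholder.
$ExportDir = 'C:\WlanAudit'   # placeholder path, not from the reference
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Profile names come from "show profiles" lines such as
#     All User Profile     : CorpWiFi
$profileNames = netsh.exe wlan show profiles | ForEach-Object {
    if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
}

# Export each profile as XML into the audit folder.
foreach ($name in $profileNames) {
    netsh.exe wlan export profile "name=$name" "folder=$ExportDir" | Out-Null
}

# Inspect the exported XML. The element names below come from the WLAN profile
# schema (WLANProfile/MSM/security/authEncryption), which the reference does not describe.
$weakAuth = @('open', 'shared', 'WPA', 'WPAPSK')   # pre-WPA2 or no authentication
$weakEnc  = @('none', 'WEP', 'TKIP')

Get-ChildItem -Path $ExportDir -Filter '*.xml' | ForEach-Object {
    $xml  = [xml](Get-Content -Path $_.FullName -Raw)
    $sec  = $xml.WLANProfile.MSM.security.authEncryption
    $auth = [string]$sec.authentication
    $enc  = [string]$sec.encryption
    $findings = @()
    if ($weakAuth -contains $auth) { $findings += "authentication=$auth" }
    if ($weakEnc  -contains $enc)  { $findings += "encryption=$enc" }
    if ($xml.WLANProfile.SSIDConfig.nonBroadcast -eq 'true') { $findings += 'auto-connects to a hidden SSID' }
    $summary = if ($findings) { $findings -join '; ' } else { 'none' }
    [pscustomobject]@{
        Profile  = $xml.WLANProfile.name
        SSID     = $xml.WLANProfile.SSIDConfig.SSID.name
        Findings = $summary
    }
} | Format-Table -AutoSize
```

Exported profile XML carries the profile's key material (encrypted by default), so restrict access to the audit folder and remove it when the review is done.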
set autoconfig
Enables or disables WLAN Auto Config Service on an interface.
Syntax
set autoconfig enabled={yes|no} interface=InterfaceName
Parameters
enabled
Required. Specifies whether to set WLAN Auto Config Service to enabled or disabled.
Interface
Required. Specifies the name of the interface on which the service has been enabled or disabled (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Example command
set autoconfig enabled=yes interface="Wireless Network Connection"
set blockednetworks
Shows or hides the blocked networks in the visible network list.
Syntax
set blockednetworks display={show|hide}
Parameters
Display
Required. Specifies whether to show or hide the blocked networks in the list of available wireless networks.
Example command
set blockednetworks display=show
The example command specifies that blocked networks are shown in the list of available networks.
set createalluserprofile
Specifies whether users are allowed to create all-user profiles, regardless of whether they are members of the Administrators group. Users who have membership in the Administrators group can create all-user profiles no matter whether “set createalluserprofile enabled=” is set to “yes” or “no.”
Syntax
set createalluserprofile enabled={yes|no}
Parameters
Enabled
Required. Specifies whether all computer users are allowed to create all user profiles.
Example command
set createalluserprofile enabled=yes
set profileorder
Sets the preference order of a wireless network profile on a wireless network interface.
Syntax
set profileorder name=ProfileName interface=InterfaceName priority=integer
Parameters
Name
Required. Specifies the name of the profile to set (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).
Interface
Required. Specifies the name of the interface that has this profile configured (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Priority
Required. Specifies the new priority number for the profile.
Example command
set profileorder name="profile 1" interface="Wireless Network Connection" priority=1
set profileparameter
Sets parameters in a wireless network profile.
Syntax
set profileparameter name=ProfileName [[interface=]InterfaceName] [[authMode=]{machineOrUser|machineOnly|userOnly|guest}] [[ssoMode=]{preLogon|postLogon|none}] [[maxDelay=]1-120] [[allowDialog=]{yes|no}] [[userVLAN=]{yes|no}] [[fips=]{yes|no}]
Parameters
Name
Required. Specifies the name of the profile to set (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).
Interface
Optional. Specifies the name of the interface on which the profile is set (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
AuthMode
Optional [conditional, see "Remarks"]. Specifies the type of credentials to use for authentication.
SSOMode
Optional [conditional, see "Remarks"]. Specifies the type of single sign-on to be attempted, if any.
MaxDelay
Optional [conditional, see "Remarks"]. Specifies the timeout value for establishing the single sign-on connection.
AllowDialog
Optional [conditional, see "Remarks"]. Specifies whether to allow or disallow a dialog to be shown for prelogon.
UserVLAN
Optional [conditional, see "Remarks"]. Specifies whether the network switches to a different VLAN upon user authentication.
FIPS
Optional [conditional, see "Remarks"]. Specifies whether to enable or disable Federal Information Processing Standards Publications (FIPS) mode.
Example commands
set profileparameter name="Profile 1" authMode=userOnly ssoMode=preLogon
set profileparameter name=Profile2 ssoMode=none fips=yes
set tracing
Enables or disables WLAN tracing.
Syntax
set tracing mode={yes|no|persistent}
Parameters
Mode
Required. Specifies whether tracing is disabled, enabled and persistent, or enabled and nonpersistent. See "Remarks" for additional information.
Example command
set tracing mode=persistent
show all
Displays the entire collection of information about wireless network adapters, wireless profiles and wireless networks.
Syntax
show all
Parameters
There are no parameters for this command.
Example command
show all
show autoconfig
Displays whether the WLAN AutoConfig service is enabled or disabled on each wireless adapter interface.
Syntax
show autoconfig
Parameters
There are no parameters for this command.
Example command
show autoconfig
show blockednetworks
Displays the global setting that determines whether blocked networks are shown or hidden in the visible network list.
Syntax
show blockednetworks
Parameters
There are no parameters for this command.
Example command
show blockednetworks
show drivers
Displays the properties of the wireless adapter drivers on the computer.
Syntax
show drivers [[interface=]InterfaceName]
Parameters
Interface
Optional. Specifies the name of the interface for which driver information is displayed (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Example command
show drivers interface="Wireless Network Connection"
show filters
Displays the current list of allowed and blocked wireless networks.
Syntax
show filters [[permission=]{allow|block}]
Parameters
Permission
Optional. Specifies whether to show the list of allowed or the list of blocked networks configured on the computer.
Example commands
show filters
show filters permission=allow
show filters permission=block
show interfaces
Displays a list of the current wireless interfaces on a computer.
Syntax
show interfaces
Parameters
There are no parameters for this command.
Example command
show interfaces
show networks
Displays a list of wireless networks that are visible on the computer.
Syntax
show networks [[interface=]InterfaceName] [[mode=]{ssid|bssid}]
Parameters
Interface
Optional. Specifies the interface for which the network information is returned (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Mode
Optional. Specifies whether to display information by Basic Service Set Identifier (BSSID) or by Service Set Identifier (SSID).
Example commands
show networks interface="Wireless Network Connection"
show networks mode=bssid
show networks
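The mode=bssid output lists every access point advertising each SSID, which is what a defender needs to spot an unknown access point using an approved network name. The following PowerShell is an added example, not part of this reference; it assumes English-language netsh output, and both the sample scan text and the BSSID inventory are constructed.

```powershell
# Added example (not from the netsh reference): parse "show networks mode=bssid"
# output and flag access points advertising an approved SSID from a BSSID that is
# not in the organisation's inventory. Assumes English netsh output; the sample
# scan text and the inventory below are constructed.
function ConvertFrom-NetshNetworks {
    # Returns one object per BSSID with the SSID and authentication it was listed under.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = New-Object System.Collections.Generic.List[object]
    $ssid = $null; $auth = $null; $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^SSID\s+\d+\s*:\s*(.*)$'              { $ssid = $Matches[1].Trim(); $auth = $null }
            '^\s*Authentication\s*:\s*(.+)$'        { $auth = $Matches[1].Trim() }
            '^\s*BSSID\s+\d+\s*:\s*([0-9a-f:]{17})' {
                $current = [pscustomobject]@{ SSID = $ssid; BSSID = $Matches[1].ToLower(); Auth = $auth; Channel = $null }
                $result.Add($current)
            }
            '^\s*Channel\s*:\s*(\d+)'               { if ($current) { $current.Channel = [int]$Matches[1] } }
        }
    }
    return $result
}

# Approved SSID -> BSSIDs of the access points the organisation owns (constructed).
$Inventory = @{ 'CorpWiFi' = @('00:11:22:33:44:55', '00:11:22:33:44:56') }

# Live use: $scan = netsh.exe wlan show networks mode=bssid
# Constructed sample output so the example runs offline:
$scan = @'
SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Channel            : 36
    BSSID 2                 : de:ad:be:ef:00:01
         Channel            : 6

SSID 2 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:02
         Channel            : 11
'@ -split "`r?`n"

ConvertFrom-NetshNetworks -Lines $scan |
    Where-Object { $Inventory.ContainsKey($_.SSID) -and $Inventory[$_.SSID] -notcontains $_.BSSID } |
    ForEach-Object { Write-Warning ("Unknown AP for '{0}': {1} channel {2} auth {3}" -f $_.SSID, $_.BSSID, $_.Channel, $_.Auth) }
```

With the constructed sample, the two de:ad:be:ef BSSIDs are reported and the inventoried one is not; an open network reusing the corporate SSID is the case most worth alerting on.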
show profiles
Displays a list of wireless profiles that are configured on the computer.
Syntax
show profiles [[name=]ProfileName] [[interface=]InterfaceName]
Parameters
Name
Optional. Specifies the name of the profile to display (where ProfileName is the name of the wireless profile, as listed in Manage Wireless Networks, or as rendered by the netsh wlan show profiles command).
Interface
Optional. Specifies the name of the interface which has this profile configured (where InterfaceName is the name of the wireless interface, as listed in Network Connections, or as rendered by the netsh wlan show interfaces command).
Example commands
show profiles name="profile 1" interface="Wireless Network Connection"
show profiles name=profile2
show profiles
show settings
Displays the current global settings of the wireless LAN.
Syntax
show settings
Parameters
There are no parameters for this command.
Example command
show settings
show tracing
Displays whether wireless tracing is enabled or disabled.
Syntax
show tracing
Parameters
There are no parameters for this command.