Troubleshooting with Diagnostic Utilities


Many utilities can be used when troubleshooting TCP/IP. Although the actual utilities available vary from platform to platform, the functionality between platforms is quite similar. Table 10.1 lists the TCP/IP troubleshooting tools covered in the Network+ exam along with their purpose.

Table 10.1. Common TCP/IP Troubleshooting Tools and Their Purpose

Tool                 Purpose
tracert/traceroute   Used to track the path a packet takes as it travels across a network. tracert is used on Windows systems; traceroute is used on UNIX, Linux, and Macintosh systems.
ping                 Used to test connectivity between two devices on a network.
arp                  Used to view and work with the IP address to MAC address resolution cache.
netstat              Used to view the current TCP/IP connections on a system.
nbtstat              Used to view statistics related to NetBIOS name resolution, and to see information about current NetBIOS over TCP/IP connections.
ipconfig             Used to view and renew the TCP/IP configuration on a Windows system.
ifconfig             Used to view the TCP/IP configuration on a UNIX, Linux, or Macintosh system.
winipcfg             Graphical tool used to view the TCP/IP configuration on Windows 95, 98, and Me.
nslookup/dig         Used to perform manual DNS lookups. nslookup can be used on Windows, UNIX, Macintosh, and Linux systems; dig can only be used on UNIX, Linux, and Macintosh systems.


The following sections look in more detail at these utilities and the output they produce.

Many of the utilities discussed in this chapter have a help facility that can be accessed by typing the command followed by a /? or a -?. On a Windows system, for example, you can get help on the netstat utility by typing the command netstat /?. Sometimes, using a utility with an invalid switch will also bring up the help screen.


For the exam, be prepared to identify what tool to use in a given scenario. Remember, there might be more than one tool that could be used; you will be expected to pick the best one for the situation described.


On the Network+ exam, you will be asked to identify the output from a command, and you should be able to interpret the information provided by the command.


The Trace Route Utility (tracert/traceroute)

The trace route utility does exactly what its name implies: it traces the route between two hosts. It does this by using Internet Control Message Protocol (ICMP) echo packets to report information back at every step in the journey. Each of the common network operating systems provides a trace route utility, but the name of the command and the output vary slightly on each. However, for the purposes of the Network+ exam, you should not concern yourself with the minor differences in the output format. Table 10.2 shows the trace route command syntax used in various operating systems.

Table 10.2. Trace Route Utility Commands

Operating System          Trace Route Command Syntax
Windows Server 2000/2003  tracert <IP address>
Novell NetWare            iptrace
Linux/UNIX                traceroute <IP address>
Macintosh                 traceroute <IP address>


The phrase trace route utility is used in this section to refer generically to the various route tracing applications available on common operating systems. In a live environment, you should make yourself familiar with the version of the tool used on the operating systems you are working with.


Trace route provides a lot of useful information, including the IP address of every router connection it passes through and, in many cases, the name of the router (although this depends on the router's configuration). Trace route also reports the length, in milliseconds, of the round-trip the packet made from the source location to the router and back. This information can help identify where network bottlenecks or breakdowns might be. The following is an example of a successful tracert command on a Windows 2000 system:

 C:\>tracert 24.7.70.37

 Tracing route to c1-p4.sttlwa1.home.net [24.7.70.37]
 over a maximum of 30 hops:

   1    30 ms   20 ms   20 ms  24.67.184.1
   2    20 ms   20 ms   30 ms  rd1ht-ge3-0.ok.shawcable.net [24.67.224.7]
   3    50 ms   30 ms   30 ms  rc1wh-atm0-2-1.vc.shawcable.net [204.209.214.193]
   4    50 ms   30 ms   30 ms  rc2wh-pos15-0.vc.shawcable.net [204.209.214.90]
   5    30 ms   40 ms   30 ms  rc2wt-pos2-0.wa.shawcable.net [66.163.76.37]
   6    30 ms   40 ms   30 ms  c1-pos6-3.sttlwa1.home.net [24.7.70.37]

 Trace complete.

Similar to the other common operating systems covered by the Network+ exam, the tracert display on a Windows-based system includes several columns of information. The first column represents the hop number. You may recall that 'hop' is the term used to describe a step in the path a packet takes as it crosses the network. The next three columns indicate the round-trip time, in milliseconds, that a packet takes in its attempts to reach the destination. The last column is the hostname and the IP address of the responding device.

Of course, not all trace route attempts are successful. The following is the output from a tracert command on a Windows Server 2003 system that doesn't manage to get to the remote host:

 C:\>tracert comptia.org

 Tracing route to comptia.org [216.119.103.72]
 over a maximum of 30 hops:

   1    27 ms    28 ms    14 ms  24.67.179.1
   2    55 ms    13 ms    14 ms  rd1ht-ge3-0.ok.shawcable.net [24.67.224.7]
   3    27 ms    27 ms    28 ms  rc1wh-atm0-2-1.shawcable.net [204.209.214.19]
   4    28 ms    41 ms    27 ms  rc1wt-pos2-0.wa.shawcable.net [66.163.76.65]
   5    28 ms    41 ms    27 ms  rc2wt-pos1-0.wa.shawcable.net [66.163.68.2]
   6    41 ms    55 ms    41 ms  c1-pos6-3.sttlwa1.home.net [24.7.70.37]
   7    54 ms    42 ms    27 ms  home-gw.st6wa.ip.att.net [192.205.32.249]
   8     *        *        *     Request timed out.
   9     *        *        *     Request timed out.
  10     *        *        *     Request timed out.
  11     *        *        *     Request timed out.
  12     *        *        *     Request timed out.
  13     *        *        *     Request timed out.
  14     *        *        *     Request timed out.
  15     *        *        *     Request timed out.

In this example, the trace route request only gets to the seventh hop, at which point it fails; this failure indicates that the problem lies on the far side of the device in step 7 or on the near side of the device in step 8. In other words, the device at step 7 is functioning but might not be able to make the next hop. The cause of the problem could be a range of things, such as an error in the routing table or a faulty connection. Alternatively, the seventh device might be operating 100%, but device 8 might not be functioning at all. In any case, you can isolate the problem to just one or two devices.

It should be noted that in some cases the owner of a router may configure it to not return ICMP traffic like that generated by ping or trace route. If this is the case, the ping or trace route will fail just as if the router did not exist or was not operating.


Although we have used the Windows tracert command to provide sample output in these sections, the output from traceroute on a UNIX, Linux, or Macintosh system is extremely similar.


The trace route utility can also help you isolate a heavily congested network. In the following example, the trace route packets fail in the midst of the tracert from a Windows Server 2003 system, but subsequently are able to continue. This behavior can be an indicator of network congestion:

 C:\>tracert comptia.org

 Tracing route to comptia.org [216.119.103.72]
 over a maximum of 30 hops:

   1    96 ms    96 ms    55 ms  24.67.179.1
   2    14 ms    13 ms    28 ms  rd1ht-ge3-0.ok.shawcable.net [24.67.224.7]
   3    28 ms    27 ms    41 ms  rc1wh-atm0-2-1.shawcable.net [204.209.214.19]
   4    28 ms    41 ms    27 ms  rc1wt-pos2-0.wa.shawcable.net [66.163.76.65]
   5    41 ms    27 ms    27 ms  rc2wt-pos1-0.wa.shawcable.net [66.163.68.2]
   6    55 ms    41 ms    27 ms  c1-pos6-3.sttlwa1.home.net [24.7.70.37]
   7    54 ms    42 ms    27 ms  home-gw.st6wa.ip.att.net [192.205.32.249]
   8    55 ms    41 ms    28 ms  gbr3-p40.st6wa.ip.att.net [12.123.44.130]
   9     *        *        *     Request timed out.
  10     *        *        *     Request timed out.
  11     *        *        *     Request timed out.
  12     *        *        *     Request timed out.
  13    69 ms    68 ms    69 ms  gbr2-p20.sd2ca.ip.att.net [12.122.11.254]
  14    55 ms    68 ms    69 ms  gbr1-p60.sd2ca.ip.att.net [12.122.1.109]
  15    82 ms    69 ms    82 ms  gbr1-p30.phmaz.ip.att.net [12.122.2.142]
  16    68 ms    69 ms    82 ms  gar2-p360.phmaz.ip.att.net [12.123.142.45]
  17   110 ms    96 ms    96 ms  12.125.99.70
  18   124 ms    96 ms    96 ms  light.crystaltech.com [216.119.107.1]
  19    82 ms    96 ms    96 ms  216.119.103.72

 Trace complete.

Generally speaking, trace route utilities allow you to identify the location of a problem in the connectivity between two devices. After you have determined this location, you might need to use a utility such as ping to continue troubleshooting. In many cases, as in the examples provided in this chapter, the routers might be on a network such as the Internet and therefore not within your control. In that case, there is little you can do except inform your ISP of the problem.
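Reading a trace by hand means asking two questions: which hop was the last to answer, and did the probes resume afterwards (congestion or an ICMP-silent router) or stay silent to the end (a fault just beyond the last responder)? The following Python is an added example, not code from the book, that encodes that reading for the Windows tracert format shown above. The transcripts TRACE_CONGESTED and TRACE_FAILED are constructed samples modelled on the chapter's output with most hops omitted; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples modelled on the Windows tracert transcripts in this
# chapter (not the book's own text). Hops are abbreviated; the shape is what
# matters: TRACE_CONGESTED goes silent at hops 9-10 and then completes,
# TRACE_FAILED answers through hop 7 and never hears from hop 8 onward.
TRACE_CONGESTED = """\
Tracing route to comptia.org [216.119.103.72]
over a maximum of 30 hops:

  1    96 ms    96 ms    55 ms  24.67.179.1
  2    14 ms    13 ms    28 ms  rd1ht-ge3-0.ok.shawcable.net [24.67.224.7]
  8    55 ms    41 ms    28 ms  gbr3-p40.st6wa.ip.att.net [12.123.44.130]
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 13    69 ms    68 ms    69 ms  gbr2-p20.sd2ca.ip.att.net [12.122.11.254]
 18   124 ms    96 ms    96 ms  light.crystaltech.com [216.119.107.1]
 19    82 ms    96 ms    96 ms  216.119.103.72

Trace complete.
"""

TRACE_FAILED = """\
Tracing route to comptia.org [216.119.103.72]
over a maximum of 30 hops:

  1    27 ms    28 ms    14 ms  24.67.179.1
  7    54 ms    42 ms    27 ms  home-gw.st6wa.ip.att.net [192.205.32.249]
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
"""


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]   # None where the probe printed '*'
    host: str                      # hostname/IP text, '' when the hop never answered

    @property
    def responded(self) -> bool:
        return any(r is not None for r in self.rtts_ms)

    @property
    def mean_rtt(self) -> Optional[float]:
        answered = [r for r in self.rtts_ms if r is not None]
        return sum(answered) / len(answered) if answered else None


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one tracert hop line; return None for headers, blanks and the trailer."""
    tokens = line.split()
    if len(tokens) < 4 or not tokens[0].isdigit():
        return None
    rtts: List[Optional[int]] = []
    i = 1
    try:
        for _ in range(3):                               # three probes per hop
            if tokens[i] == "*":
                rtts.append(None)
                i += 1
            else:
                rtts.append(int(tokens[i].lstrip("<")))  # '<1 ms' is reported as 1
                i += 2                                   # skip the 'ms' token
    except (IndexError, ValueError):
        return None
    host = " ".join(tokens[i:])
    if host.startswith("Request timed out"):
        host = ""
    return Hop(int(tokens[0]), rtts, host)


def classify_trace(output: str) -> Dict[str, object]:
    """Summarise a tracert transcript the way the chapter reads one by hand."""
    hops = [h for h in map(parse_hop, output.splitlines()) if h is not None]
    if not hops:
        return {"verdict": "no hops parsed", "last_responding_hop": 0,
                "silent_hops": [], "slowest_hop": None}
    silent = [h.number for h in hops if not h.responded]
    answered = [h for h in hops if h.responded]
    last_answer = max((h.number for h in answered), default=0)
    slowest = max(answered, key=lambda h: h.mean_rtt).number if answered else None
    if hops[-1].responded and not silent:
        verdict = "complete"
    elif hops[-1].responded:
        # Silent hops followed by replies: congestion, or routers that drop ICMP.
        verdict = "complete with silent hops"
    else:
        # Every hop after last_answer is silent: the fault is on the far side of
        # that device or on the near side of the next one.
        verdict = f"fails after hop {last_answer}"
    return {"verdict": verdict, "last_responding_hop": last_answer,
            "silent_hops": silent, "slowest_hop": slowest}


if __name__ == "__main__":
    for name, text in (("congested", TRACE_CONGESTED), ("failed", TRACE_FAILED)):
        print(name, classify_trace(text))
```

The slowest_hop field (highest mean round-trip time among hops that answered) is the bottleneck hint the chapter mentions; a trace that "fails after hop N" is the case where you would hand the hop-N and hop-N+1 addresses to ping, or to your ISP if they are not yours.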

ping

Most network administrators are very familiar with the ping utility and are likely to use it on an almost daily basis. The basic function of the ping command is to test the connectivity between two devices on a network. All the command is designed to do is determine whether the two computers can see each other and to report how long the round-trip takes to complete.

Although ping is most often used on its own, a number of switches can be used to assist in the troubleshooting process. Table 10.3 shows some of the commonly used switches with ping on a Windows system.

Table 10.3. ping Command Switches

Option           Description
ping -t          Pings a device on the network until stopped
ping -a          Resolves addresses to hostnames
ping -n count    Specifies the number of echo requests to send
ping -r count    Records the route for count hops
ping -s count    Timestamp for count hops
ping -w timeout  Timeout in milliseconds to wait for each reply


ping works by sending ICMP echo request messages to another device on the network. If the other device on the network hears the ping request, it automatically responds with an ICMP echo reply. By default, the ping command on a Windows-based system sends four data packets; however, using the -t switch, a continuous stream of ping requests can be sent.

ping is perhaps the most widely used of all network tools; it is primarily used to verify connectivity between two network devices. On a good day, the results from the ping command will be successful, and the sending device will receive a reply from the remote device. Not all ping results are that successful, and to be able to effectively use ping, you must be able to interpret the results of a failed ping command.

The Destination Host Unreachable Message

The Destination Host Unreachable error message means that a route to the destination computer system cannot be found. To remedy this problem, you might need to examine the routing information on the local host to confirm that the local host is correctly configured, or you might need to make sure that the default gateway information is correct. The following is an example of a ping failure that gives the Destination host unreachable message:

 Pinging 24.67.54.233 with 32 bytes of data:

 Destination host unreachable.
 Destination host unreachable.
 Destination host unreachable.
 Destination host unreachable.

 Ping statistics for 24.67.54.233:
     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 Approximate round trip times in milli-seconds:
     Minimum = 0ms, Maximum =  0ms, Average =  0ms

The Request Timed Out Message

The Request Timed Out error message is very common when you use the ping command. Essentially, this error message indicates that your host did not receive the ping message back from the destination device within the designated time period. Assuming that the network connectivity is okay on your system, this is typically an indicator that the destination device is not connected to the network, is powered off, or is not configured correctly. It could also mean that some intermediate device is not operating correctly. In some rare cases, it can also indicate that there is so much congestion on the network that timely delivery of the ping message could not be completed. It might also mean that the ping is being sent to an invalid IP address or that the system is not on the same network as the remote host, and an intermediary device is not configured correctly. In any of these cases, the failed ping should initiate a troubleshooting process that might involve other tools, manual inspection, and possibly reconfiguration. The following example shows the output from a ping to an invalid IP address:

 C:\>ping 169.76.54.3

 Pinging 169.76.54.3 with 32 bytes of data:

 Request timed out.
 Request timed out.
 Request timed out.
 Request timed out.

 Ping statistics for 169.76.54.3:
     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 Approximate round trip times in milli-seconds:
     Minimum = 0ms, Maximum =  0ms, Average =  0ms

During the ping request, you might receive some replies from the remote host that are intermixed with Request timed out errors. This is often a result of a congested network. An example follows; notice that this example, which was run on a Windows Me system, uses the -t switch to generate continuous pings:

 C:\>ping -t 24.67.184.65

 Pinging 24.67.184.65 with 32 bytes of data:

 Reply from 24.67.184.65: bytes=32 time=55ms TTL=127
 Reply from 24.67.184.65: bytes=32 time=54ms TTL=127
 Reply from 24.67.184.65: bytes=32 time=27ms TTL=127
 Request timed out.
 Request timed out.
 Request timed out.
 Reply from 24.67.184.65: bytes=32 time=69ms TTL=127
 Reply from 24.67.184.65: bytes=32 time=28ms TTL=127
 Reply from 24.67.184.65: bytes=32 time=28ms TTL=127
 Reply from 24.67.184.65: bytes=32 time=68ms TTL=127
 Reply from 24.67.184.65: bytes=32 time=41ms TTL=127

 Ping statistics for 24.67.184.65:
     Packets: Sent = 11, Received = 8, Lost = 3 (27% loss),
 Approximate round trip times in milli-seconds:
     Minimum = 27ms, Maximum =  69ms, Average =  33ms

In this example, three packets were lost. If this continued on your network, you would need to troubleshoot to find out why packets were being dropped.

The Unknown Host Message

The Unknown Host error message is generated when the hostname of the destination computer cannot be resolved. This error usually occurs when you ping an incorrect hostname, as shown in the following example, or try to use ping with a hostname when hostname resolution (via DNS or a HOSTS text file) is not configured:

 C:\>ping www.comptia.ca
 Unknown host www.comptia.ca

If the ping fails, you need to verify that the ping is being sent to the correct remote host. If it is, and if name resolution is configured, you have to dig a little more to find the problem. This error might indicate a problem with the name resolution process, and you might need to verify that the DNS or WINS server is available. Other commands, such as nslookup or dig, can help in this process.

The Expired TTL Message

The Time to Live (TTL) is an important consideration in understanding the ping command. The function of the TTL is to prevent circular routing, which occurs when a packet keeps looping through a series of hosts. The TTL counts each hop along the way toward the destination device: each router that forwards the packet subtracts one from the TTL. If the TTL reaches 0, the TTL has expired, and you get a message like the following:

 Reply from 24.67.180.1: TTL expired in transit 

If the TTL is exceeded with ping, you might have a routing problem on the network. You can modify the TTL for ping on a Windows system by using the ping -i command.

Troubleshooting with ping

Although ping does not completely isolate problems, you can use it to help identify where a problem lies. When troubleshooting with ping, take the following steps:

1. ping the IP address of your local loopback, using the command ping 127.0.0.1. If this command is successful, you know that the TCP/IP protocol suite is installed correctly on your system and functioning. If you are unable to ping the local loopback adapter, TCP/IP might need to be reloaded or reconfigured on the machine you are using.

   The Loopback Address

   The loopback is a special function within the protocol stack that is supplied for troubleshooting purposes. The Class A IP address 127.X.X.X is reserved for the loopback; although convention dictates that you use 127.0.0.1, you can use any address in the 127.X.X.X range, except for the network number itself (127.0.0.0) and the broadcast address (127.255.255.255). You can also ping by using the default hostname for the local system, which is called localhost (for example, ping localhost).

2. ping the assigned IP address of your local network interface card (NIC). If the ping is successful, you know that your NIC is functioning on the network and has TCP/IP correctly installed. If you are unable to ping the local NIC, TCP/IP might not be bound correctly to the NIC or the NIC drivers might be improperly installed.

3. ping the IP address of another known good system on your local network. By doing so, you can determine whether the computer you are using can see other computers on the network. If you can ping other devices on your local network, you have network connectivity.

   If you cannot ping other devices on your local network and you were able to ping the IP address of your system, you might not be connected to the network correctly.

4. After you've confirmed that you have network connectivity for the local network, you can verify connectivity to a remote network by sending a ping to the IP address of the default gateway.

5. If you are able to ping the default gateway, you can verify remote connectivity by sending a ping to the IP address of a system on a remote network.

On the Network+ exam, you might be asked to relate the correct procedure for using ping for a connectivity problem.


Using just the ping command in these steps, you can confirm network connectivity on not only the local network, but also on a remote network. The whole process requires as much time as it takes to type in the command, and you can do it all from a single location.

If you are an optimistic person, you can perform step 5 first. If that works, all the other steps will also work, saving you the need to test them. If your step 5 trial fails, you can go back to step 1 and start the troubleshooting process from the beginning.

All but one of the ping examples used in this section show the ping command using the IP address of the remote host. It is also possible to ping the Domain Name Service (DNS) name of the remote host (for example, ping www.comptia.org, ping server1); this, of course, can be done only if your network uses a DNS server. On a Windows-based network, you can also ping by using the Network Basic Input/Output System (NetBIOS) computer name.
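The ping messages described in this section (reply, Request timed out, Destination host unreachable, Unknown host, TTL expired in transit) and the five-step procedure fit together naturally as one script: classify each ping's output, then walk the steps from loopback outward and stop at the first failure. The following Python is an added example, not the book's own code. It runs offline because the ping command is injected: fake_ping_table() returns constructed Windows-style transcripts modelled on the ones above, and on a live host the same troubleshoot() function could be given a wrapper around subprocess.run(["ping", addr]) instead. All function, field and address values are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


# Constructed ping transcripts modelled on the Windows output in this chapter.
def reply_output(addr: str) -> str:
    return (f"Pinging {addr} with 32 bytes of data:\n"
            + f"Reply from {addr}: bytes=32 time=27ms TTL=127\n" * 4
            + f"Ping statistics for {addr}:\n"
            + "    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\n")


def timed_out_output(addr: str) -> str:
    return (f"Pinging {addr} with 32 bytes of data:\n"
            + "Request timed out.\n" * 4
            + f"Ping statistics for {addr}:\n"
            + "    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),\n")


UNREACHABLE = ("Pinging 24.67.54.233 with 32 bytes of data:\n"
               + "Destination host unreachable.\n" * 4
               + "Ping statistics for 24.67.54.233:\n"
               + "    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),\n")
UNKNOWN_HOST = "Unknown host www.comptia.ca\n"
TTL_EXPIRED = "Reply from 24.67.180.1: TTL expired in transit\n"


@dataclass
class PingResult:
    kind: str        # reply | intermittent | timeout | unreachable | unknown_host | ttl_expired
    sent: int
    received: int

    @property
    def ok(self) -> bool:
        return self.kind in ("reply", "intermittent")


STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+)")


def interpret_ping(output: str) -> PingResult:
    """Classify Windows ping output by the messages the chapter describes."""
    m = STATS_RE.search(output)
    sent, received = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    if "Unknown host" in output:                  # name resolution failed
        return PingResult("unknown_host", sent, received)
    if "TTL expired in transit" in output:        # possible routing loop
        return PingResult("ttl_expired", sent, received)
    if "Destination host unreachable" in output:  # no route: check gateway/routing
        return PingResult("unreachable", sent, received)
    if received == 0:
        return PingResult("timeout", sent, received)
    if received < sent:                           # replies mixed with timeouts: congestion
        return PingResult("intermittent", sent, received)
    return PingResult("reply", sent, received)


def troubleshoot(run_ping: Callable[[str], str], local_ip: str, neighbour_ip: str,
                 gateway_ip: str, remote_ip: str,
                 optimistic: bool = False) -> Dict[str, Optional[str]]:
    """Walk the chapter's five ping steps and report the first one that fails."""
    steps = [
        ("1 loopback", "127.0.0.1",
         "TCP/IP stack not working: reload or reconfigure TCP/IP on this machine"),
        ("2 local NIC", local_ip,
         "TCP/IP not bound to the NIC, or NIC drivers improperly installed"),
        ("3 local host", neighbour_ip,
         "this host is not connected to the local network correctly"),
        ("4 default gateway", gateway_ip,
         "no path off the local network: check the gateway setting and the gateway itself"),
        ("5 remote host", remote_ip,
         "fault beyond the gateway: run tracert to locate the failing hop"),
    ]
    if optimistic:                                # try step 5 first, as the chapter suggests
        r = interpret_ping(run_ping(remote_ip))
        if r.ok:
            return {"failed_step": None, "kind": r.kind,
                    "hint": "remote host answered, so steps 1-4 are implied"}
    for step, addr, hint in steps:
        r = interpret_ping(run_ping(addr))
        if not r.ok:
            return {"failed_step": step, "kind": r.kind, "hint": f"{addr}: {hint}"}
    return {"failed_step": None, "kind": "reply",
            "hint": "local and remote connectivity confirmed"}


def fake_ping_table(table: Dict[str, str]) -> Callable[[str], str]:
    """Stand-in for a real ping: constructed address -> output map, timeout otherwise."""
    return lambda addr: table.get(addr, timed_out_output(addr))


if __name__ == "__main__":
    # Constructed scenario: everything on the LAN answers, the gateway does not.
    lan = {a: reply_output(a) for a in ("127.0.0.1", "24.67.179.22", "24.67.179.50")}
    print(troubleshoot(fake_ping_table(lan), "24.67.179.22", "24.67.179.50",
                       "24.67.179.1", "216.119.103.72"))
```

An "intermittent" result counts as connectivity for the purpose of the walk, but it is the pattern the chapter attributes to congestion, so a caller would still want to report it rather than treat it as a clean pass.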


ARP

The Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses. This is important because on a network, devices find each other using the IP address, but communication between devices requires the MAC address.

For the Network+ exam, remember that the function of the ARP command is to resolve IP addresses to Layer 2 or MAC addresses.


When a computer wants to send data to another computer on the network, it must know the MAC address of the destination system. To discover this information, ARP sends out a discovery packet to obtain the MAC address. When the destination computer is found, it sends its MAC address to the sending computer. The ARP-resolved MAC addresses are stored temporarily on a computer system in the ARP cache. Inside this ARP cache is a list of matching MAC and IP addresses. This ARP cache is checked before a discovery packet is sent on to the network to determine if there is an existing entry.

Entries in the ARP cache are periodically flushed so that the cache doesn't fill up with unused entries. The following code shows an example of the ARP command with the output from a Windows 2000 system:

 C:\>arp -a

 Interface: 24.67.179.22 on Interface 0x3
   Internet Address      Physical Address      Type
   24.67.179.1           00-00-77-93-d8-3d     dynamic

As you might notice in the previous code, the type is listed as dynamic. Entries in the ARP cache can be added statically or dynamically. Static entries are added manually and do not expire. The dynamic entries are added automatically when the system accesses another on the network.

As with other command-line utilities, there are several switches available for the arp command. Table 10.4 shows the available switches for Windows-based systems.

Table 10.4. ARP Switches

Switch       Description
-a or -g     Displays both the IP and MAC addresses and whether they are dynamic or static entries
inet_addr    Specifies a specific Internet address
-N if_addr   Displays the ARP entries for a specified network interface
eth_addr     Specifies a MAC address
if_addr      Specifies an Internet address
-d           Deletes an entry from the ARP cache
-s           Adds a static, permanent address to the ARP cache


The netstat Command

The netstat command displays the protocol statistics and current TCP/IP connections on the local system. Used without any switches, the netstat command shows the active connections for all outbound TCP/IP connections. In addition, several switches are available that change the type of information netstat displays. Table 10.5 shows the various switches available for the netstat utility.

Table 10.5. netstat Switches

Switch     Description
-a         Displays the current connections and listening ports
-e         Displays Ethernet statistics
-n         Lists addresses and port numbers in numerical form
-p         Shows connections for the specified protocol
-r         Shows the routing table
-s         Lists per-protocol statistics
interval   Specifies the length of time to wait before redisplaying statistics


Both the netstat -r and the route print commands can be used to show the routing table.


The netstat utility is used to show the port activity for both TCP and UDP connections, showing the inbound and outbound connections. When used without switches, the netstat utility has four information headings.

  • Proto: Lists the protocol being used, either UDP or TCP.

  • Local Address: Specifies the local address and port being used.

  • Foreign Address: Identifies the destination address and the port being used.

  • State: Specifies whether the connection is established.

In its default usage, the netstat command shows outbound connections that have been established by TCP. The following shows a sample output from a netstat command without using any switches:

 C:\>netstat

 Active Connections

   Proto  Local Address          Foreign Address        State
   TCP    laptop:2848            MEDIASERVICES1:1755    ESTABLISHED
   TCP    laptop:1833            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:2858            194.70.58.241:80       ESTABLISHED
   TCP    laptop:2860            194.70.58.241:80       ESTABLISHED
   TCP    laptop:2354            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:2361            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:1114            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:1959            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:1960            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:1963            www.dollarhost.com:80  ESTABLISHED
   TCP    laptop:2870            localhost:8431         TIME_WAIT
   TCP    laptop:8431            localhost:2862         TIME_WAIT
   TCP    laptop:8431            localhost:2863         TIME_WAIT
   TCP    laptop:8431            localhost:2867         TIME_WAIT
   TCP    laptop:8431            localhost:2872         TIME_WAIT

Like other command-line utilities, netstat is often used with switches. The following sections provide a brief explanation of the switches and sample output from each.

netstat -e

The netstat -e command shows the activity for the NIC and displays the number of packets that have been both sent and received. An example of the netstat -e command is shown here:

 C:\WINDOWS\Desktop>netstat -e
 Interface Statistics

                            Received            Sent

 Bytes                      17412385        40237510
 Unicast packets               79129           85055
 Non-unicast packets             693             254
 Discards                          0               0
 Errors                            0               0
 Unknown protocols               306

As you can see, the netstat -e command shows more than just the packets that have been sent and received:

  • Bytes: The number of bytes that have been sent or received by the NIC since the computer was turned on.

  • Unicast packets: Packets sent and received directly to this interface.

  • Non-unicast packets: Broadcast or multicast packets that were picked up by the NIC.

  • Discards: The number of packets rejected by the NIC, perhaps because they were damaged.

  • Errors: The errors that occurred during either the sending or receiving process. As you would expect, this column should be a low number. If it is not, it could indicate a problem with the NIC.

  • Unknown protocols: The number of packets that were not recognizable by the system.

netstat -a

The netstat -a command displays statistics for both TCP and User Datagram Protocol (UDP). Here is an example of the netstat -a command:

 C:\WINDOWS\Desktop>netstat -a

 Active Connections

   Proto  Local Address          Foreign Address        State
   TCP    laptop:1027            LAPTOP:0               LISTENING
   TCP    laptop:1030            LAPTOP:0               LISTENING
   TCP    laptop:1035            LAPTOP:0               LISTENING
   TCP    laptop:50000           LAPTOP:0               LISTENING
   TCP    laptop:5000            LAPTOP:0               LISTENING
   TCP    laptop:1035            msgr-ns41.msgr.hotmail.com:1863 ESTABLISHED
   TCP    laptop:nbsession       LAPTOP:0               LISTENING
   TCP    laptop:1027            localhost:50000        ESTABLISHED
   TCP    laptop:50000           localhost:1027         ESTABLISHED
   UDP    laptop:1900            *:*
   UDP    laptop:nbname          *:*
   UDP    laptop:nbdatagram      *:*
   UDP    laptop:1547            *:*
   UDP    laptop:1038            *:*
   UDP    laptop:1828            *:*
   UDP    laptop:3366            *:*

As you can see, the output includes four columns, which show the protocol, the local address, the foreign address, and the state of the port. The TCP connections show the local and foreign destination addresses and the current state of the connection. UDP, however, is a little different; it does not list a state status because as mentioned throughout this book, UDP is a connectionless protocol and does not establish connections. The following list briefly explains the information provided by the netstat -a command:

  • Proto: The protocol used by the connection.

  • Local Address: The IP address of the local computer system and the port number it is using. If the entry in the local address field is an asterisk (*), it indicates that the port has not yet been established.

  • Foreign Address: The IP address of a remote computer system and the associated port. When a port has not been established, as with the UDP connections, *:* appears in the column.

  • State: The current state of the TCP connection. Possible states include established, listening, closed, and waiting.
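Beyond troubleshooting, netstat -a is the quickest inventory of what a host exposes: every LISTENING TCP port and every bound UDP port is a service reachable from the network, and the ESTABLISHED rows show who it is talking to. The following Python is an added example, not the book's own code, that parses the four-column format shown above into those two views. NETSTAT_A is a constructed sample modelled on the chapter's output (hostnames shortened, a few rows dropped); the Socket class and function names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the netstat -a output shown in this chapter.
NETSTAT_A = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    laptop:1027            LAPTOP:0               LISTENING
  TCP    laptop:1030            LAPTOP:0               LISTENING
  TCP    laptop:50000           LAPTOP:0               LISTENING
  TCP    laptop:1035            msgr-ns41.msgr.hotmail.com:1863 ESTABLISHED
  TCP    laptop:nbsession       LAPTOP:0               LISTENING
  TCP    laptop:1027            localhost:50000        ESTABLISHED
  TCP    laptop:50000           localhost:1027         ESTABLISHED
  TCP    laptop:2870            localhost:8431         TIME_WAIT
  UDP    laptop:1900            *:*
  UDP    laptop:nbname          *:*
  UDP    laptop:nbdatagram      *:*
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: str     # a number or a service name such as nbsession
    foreign_host: str
    foreign_port: str
    state: str          # '' for UDP, which carries no connection state


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'host:port' -> (host, port); rpartition keeps hostnames with dots intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(output: str) -> List[Socket]:
    """Parse the Proto / Local Address / Foreign Address / State rows."""
    sockets: List[Socket] = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("TCP", "UDP"):
            continue                       # header, banner or blank line
        local_host, local_port = split_endpoint(tokens[1])
        foreign_host, foreign_port = split_endpoint(tokens[2])
        state = tokens[3] if len(tokens) > 3 else ""   # UDP rows have no state column
        sockets.append(Socket(tokens[0], local_host, local_port,
                              foreign_host, foreign_port, state))
    return sockets


def listening_ports(sockets: List[Socket]) -> List[Tuple[str, str]]:
    """The host's exposed surface: LISTENING TCP ports plus every bound UDP port."""
    return [(s.proto, s.local_port) for s in sockets
            if (s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP"]


def established_by_peer(sockets: List[Socket]) -> Dict[str, int]:
    """Count ESTABLISHED TCP connections per foreign host."""
    return dict(Counter(s.foreign_host for s in sockets if s.state == "ESTABLISHED"))


def tcp_state_counts(sockets: List[Socket]) -> Dict[str, int]:
    """How many TCP sockets sit in each state (LISTENING, ESTABLISHED, TIME_WAIT, ...)."""
    return dict(Counter(s.state for s in sockets if s.proto == "TCP"))


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_A)
    print("listening:", listening_ports(socks))
    print("peers:", established_by_peer(socks))
    print("states:", tcp_state_counts(socks))
```

Run periodically against real output, the listening_ports() view is the baseline to diff against: a port that appears without a change request is the thing worth explaining, and netstat -n would be the switch to add if name resolution slows the command down.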

netstat -r

The netstat -r command is often used to view the routing table for a system. A system uses a routing table to determine routing information for TCP/IP traffic. The following is an example of the netstat -r command from a Windows Me system:

 C:\WINDOWS\Desktop>netstat -r

 Route table
 ===========================================================================
 ===========================================================================
 Active Routes:
 Network Destination        Netmask          Gateway       Interface  Metric
           0.0.0.0          0.0.0.0      24.67.179.1    24.67.179.22       1
       24.67.179.0    255.255.255.0     24.67.179.22    24.67.179.22       1
      24.67.179.22  255.255.255.255        127.0.0.1       127.0.0.1       1
    24.255.255.255  255.255.255.255     24.67.179.22    24.67.179.22       1
         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
         224.0.0.0        224.0.0.0     24.67.179.22    24.67.179.22       1
   255.255.255.255  255.255.255.255     24.67.179.22               2       1
 Default Gateway:       24.67.179.1
 ===========================================================================
 Persistent Routes:
   None

The netstat -r command output shows the same information as the output from the route print command.


netstat -s

The netstat -s command displays a number of statistics related to the TCP/IP protocol suite. Understanding the purpose of every field in the output is beyond the scope of the Network+ exam, but for your reference, sample output from the netstat -s command is shown here:

 C:\>netstat -s

 IP Statistics

   Packets Received                   = 389938
   Received Header Errors             = 0
   Received Address Errors            = 1876
   Datagrams Forwarded                = 498
   Unknown Protocols Received         = 0
   Received Packets Discarded         = 0
   Received Packets Delivered         = 387566
   Output Requests                    = 397334
   Routing Discards                   = 0
   Discarded Output Packets           = 0
   Output Packet No Route             = 916
   Reassembly Required                = 0
   Reassembly Successful              = 0
   Reassembly Failures                = 0
   Datagrams Successfully Fragmented  = 0
   Datagrams Failing Fragmentation    = 0
   Fragments Created                  = 0

 ICMP Statistics

                             Received    Sent
   Messages                  40641       41111
   Errors                    0           0
   Destination Unreachable   223         680
   Time Exceeded             24          0
   Parameter Problems        0           0
   Source Quenches           0           0
   Redirects                 0           38
   Echos                     20245       20148
   Echo Replies              20149       20245
   Timestamps                0           0
   Timestamp Replies         0           0
   Address Masks             0           0
   Address Mask Replies      0           0

 TCP Statistics

   Active Opens                        = 13538
   Passive Opens                       = 23132
   Failed Connection Attempts          = 9259
   Reset Connections                   = 254
   Current Connections                 = 15
   Segments Received                   = 330242
   Segments Sent                       = 326935
   Segments Retransmitted              = 18851

 UDP Statistics

   Datagrams Received    = 20402
   No Ports              = 20594
   Receive Errors        = 0
   Datagrams Sent        = 10217

nbtstat

The nbtstat utility is used to view protocol statistics and information for NetBIOS over TCP/IP connections. nbtstat is commonly used to troubleshoot NetBIOS name resolution problems. Because nbtstat provides the resolution of NetBIOS names, it's available only on Windows systems.

A number of case-sensitive switches are available for the nbtstat command. Table 10.6 summarizes these switches.

Table 10.6. nbtstat Switches

Switch                         Description
nbtstat -a                     (Adapter status) Outputs the NetBIOS name table and MAC addresses of the card for the specified computer
nbtstat -A (IP address)        (Adapter status) Lists the remote machine's name table given its IP address
nbtstat -c (cache)             Provides a list of the contents of the NetBIOS name cache
nbtstat -n (names)             Lists local NetBIOS names
nbtstat -r (resolved)          Lists names resolved by broadcast or WINS
nbtstat -R (Reload)            Purges and reloads the remote cache name table
nbtstat -S (Sessions)          Summarizes the current NetBIOS sessions and their status
nbtstat -s (sessions)          Lists the sessions table, converting destination IP addresses to computer NetBIOS names
nbtstat -RR (ReleaseRefresh)   Sends Name Release packets to WINS, and then starts Refresh
nbtstat RemoteName             Remote host machine name
nbtstat IP address             Dotted decimal representation of the IP address
nbtstat interval               Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics


As an example, the following is the output from the nbtstat -n command:

    C:\>nbtstat -n

    Lana # 0:
    Node IpAddress: [169.254.196.192] Scope Id: []

                    NetBIOS Local Name Table

           Name               Type         Status
        ---------------------------------------------
        LAPTOP         <00>  UNIQUE      Registered
        KCS            <00>  GROUP       Registered
        LAPTOP         <03>  UNIQUE      Registered
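The suffix in angle brackets after each name is what makes this table useful: it identifies the service that registered the name. As an added example, not part of the book, this Python script parses nbtstat -n and nbtstat -A output, decodes the common suffixes, and summarises what the host advertises (file sharing, domain controller, browser roles) and whether any name is in Conflict, which indicates a duplicate computer name or a spoofed registration on the segment. The local sample is the page's own nbtstat -n output; the remote sample is constructed, with made-up names, address and MAC, and the suffix meanings are the standard Microsoft values rather than anything from the page.

```python
import re

# Well-known NetBIOS name suffixes (the <xx> column), keyed by (suffix, type).
# These meanings are standard Microsoft values, not taken from the page.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (shares offered)",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC emulator)",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service Elections",
}

NODE_RE = re.compile(r"Node IpAddress:\s*\[([\d.]+)\]")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")
ROW_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")


def parse_name_table(text):
    """Parse nbtstat -n / -A output into node address, MAC (if shown) and decoded entries."""
    result = {"node_ip": None, "mac": None, "entries": []}
    for line in text.splitlines():
        m = NODE_RE.search(line)
        if m:
            result["node_ip"] = m.group(1)
            continue
        m = MAC_RE.search(line)
        if m:
            result["mac"] = m.group(1).upper()
            continue
        m = ROW_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            result["entries"].append({
                "name": name, "suffix": suffix.upper(), "type": ntype, "status": status,
                "meaning": SUFFIXES.get((suffix.upper(), ntype), "unknown suffix"),
            })
    return result


def roles(table):
    """Summarise what a host advertises: file server, domain controller, browser roles, conflicts."""
    keys = {(e["suffix"], e["type"]) for e in table["entries"]}
    found = []
    if ("20", "UNIQUE") in keys:
        found.append("file_server")
    if ("1C", "GROUP") in keys:
        found.append("domain_controller")
    if ("1B", "UNIQUE") in keys or ("1D", "UNIQUE") in keys:
        found.append("browser")
    if any(e["status"] != "Registered" for e in table["entries"]):
        found.append("name_conflict")   # duplicate computer name or name spoofing on the segment
    return found


# The page's own nbtstat -n output, reused as sample input.
LOCAL_SAMPLE = """\
Node IpAddress: [169.254.196.192] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    LAPTOP         <00>  UNIQUE      Registered
    KCS            <00>  GROUP       Registered
    LAPTOP         <03>  UNIQUE      Registered
"""

# Constructed sample of what nbtstat -A <ip> might return for a domain controller;
# the names, address and MAC are made up for this example.
REMOTE_SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.1.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Registered
    KCS            <00>  GROUP       Registered
    DC01           <20>  UNIQUE      Registered
    KCS            <1C>  GROUP       Registered
    KCS            <1B>  UNIQUE      Registered
    DC01           <03>  UNIQUE      Conflict

    MAC Address = 00-0C-29-3A-7B-1E
"""

if __name__ == "__main__":
    for sample in (LOCAL_SAMPLE, REMOTE_SAMPLE):
        table = parse_name_table(sample)
        print(table["node_ip"], table["mac"], roles(table))
        for e in table["entries"]:
            print(f"  {e['name']:<15} <{e['suffix']}> {e['type']:<7} {e['status']:<10} {e['meaning']}")
```

Run against the page's output, the laptop registers only the workstation and messenger names under the KCS workgroup and offers no file shares; the constructed remote table shows a host that is both a file server and a domain controller, plus a messenger name in conflict, which is worth investigating before assuming the host is what it claims to be.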

The ipconfig Command

The ipconfig command is a technician's best friend when it comes to viewing the TCP/IP configuration of a Windows system. Used on its own, the ipconfig command shows basic information such as the name of the network interface, the IP address, the subnet mask, and the default gateway. Combined with the /all switch, it shows a detailed set of information, as you can see in the following example:

    C:\>ipconfig /all

    Windows 2000 IP Configuration

       Host Name . . . . . . . . . . . . : server
       Primary DNS Suffix  . . . . . . . : write
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : write
                                           ok.anyotherhost.net

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : ok.anyotherhost.net
       Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet
       Physical Address. . . . . . . . . : 00-80-C8-E3-4C-BD
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 24.67.184.65
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 24.67.184.1
       DHCP Server . . . . . . . . . . . : 24.67.253.195
       DNS Servers . . . . . . . . . . . : 24.67.253.195
                                           24.67.253.212
       Lease Obtained. . . . . . . . . . : Thursday, February 07, 2002 3:42:00 AM
       Lease Expires . . . . . . . . . . : Saturday, February 09, 2002 3:42:00 AM

As you can imagine, you can use the output from an ipconfig /all command in a massive range of troubleshooting scenarios. Table 10.7 lists some of the most common troubleshooting symptoms, along with where to look for clues about solving them in the ipconfig /all output.

Table 10.7. Common Troubleshooting Symptoms That ipconfig Can Help Solve

    Symptom: User is unable to connect to any other system.
    Check:   Make sure the IP address and subnet mask are correct. If the network uses DHCP, make sure DHCP is enabled; an address in the 169.254.x.x range means no DHCP server answered and the system assigned itself an autoconfiguration address.

    Symptom: User is able to connect to another system on the same subnet but is not able to connect to a remote system.
    Check:   Make sure the default gateway is correctly configured and lies within the local subnet.

    Symptom: User is unable to browse the Internet.
    Check:   Make sure the DNS server parameters are configured correctly.

    Symptom: User is unable to browse across remote subnets.
    Check:   Make sure the WINS or DNS server parameters are configured correctly, if applicable.


When looking at ipconfig information, you should be sure that all information is present and correct. For example, a missing or incorrect default gateway parameter limits communication to the local segment.
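Added example (not from the book): a Python script that parses ipconfig /all text and applies the checks in Table 10.7 to each adapter: an address missing or set to 0.0.0.0, an autoconfiguration (169.254.x.x) address on a DHCP-enabled adapter, a missing default gateway, a gateway that is not on the adapter's subnet, and no DNS servers. The first sample is the page's output trimmed to the relevant fields; the second is a constructed failing configuration. The field labels assumed are the Windows 2000/XP ones shown above (Windows XP labels an autoconfigured address "Autoconfiguration IP Address", which the script also accepts).

```python
import ipaddress
import re

# A field line is indented, has a label, a run of " . " padding, a colon and a value.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")
APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text):
    """Parse ipconfig /all into {adapter_name: {field: [values]}}; the header block is 'Global'."""
    adapters, current, last_field = {"Global": {}}, "Global", None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # column-0 line: header block or adapter name
            current = line.rstrip().rstrip(":").strip() if line.rstrip().endswith(":") else "Global"
            adapters.setdefault(current, {})
            last_field = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current][last_field] = [value] if value else []
        elif last_field:                          # continuation line (second DNS server, etc.)
            adapters[current][last_field].append(line.strip())
    return adapters


def first(fields, name):
    vals = fields.get(name, [])
    return vals[0] if vals else ""


def diagnose(adapter):
    """Apply the Table 10.7 checks to one adapter's fields; returns (code, message) findings."""
    findings = []
    ip = first(adapter, "IP Address") or first(adapter, "Autoconfiguration IP Address")
    mask, gw = first(adapter, "Subnet Mask"), first(adapter, "Default Gateway")
    dhcp = first(adapter, "DHCP Enabled").lower() == "yes"
    if not ip or ip == "0.0.0.0":
        return [("no_address", "no IP address: DHCP failed or TCP/IP is misconfigured")]
    if not mask:
        return [("no_mask", f"{ip} has no subnet mask")]
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    if iface.ip in APIPA and dhcp:
        findings.append(("apipa", f"{ip} is an autoconfiguration address: no DHCP server answered"))
    if not gw:
        findings.append(("no_gateway", "no default gateway: communication is limited to the local segment"))
    elif ipaddress.ip_address(gw) not in iface.network:
        findings.append(("gateway_off_subnet", f"gateway {gw} is not on {iface.network}: remote systems unreachable"))
    if not adapter.get("DNS Servers"):
        findings.append(("no_dns", "no DNS servers: names will not resolve, so Internet browsing fails"))
    return findings


def diagnose_all(text):
    """Run diagnose() over every adapter section (the global header block is skipped)."""
    return {name: diagnose(fields) for name, fields in parse_ipconfig(text).items() if name != "Global"}


# The page's ipconfig /all output, trimmed to the fields the checks use.
GOOD_SAMPLE = """\
Windows 2000 IP Configuration

   Host Name . . . . . . . . . . . . : server
   Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet
   Physical Address. . . . . . . . . : 00-80-C8-E3-4C-BD
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 24.67.184.65
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 24.67.184.1
   DHCP Server . . . . . . . . . . . : 24.67.253.195
   DNS Servers . . . . . . . . . . . : 24.67.253.195
                                       24.67.253.212
"""

# Constructed failing configuration: APIPA address, gateway off-subnet, no DNS servers.
BAD_SAMPLE = """\
Windows 2000 IP Configuration

   Host Name . . . . . . . . . . . . : laptop

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 169.254.73.12
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . :
"""

if __name__ == "__main__":
    for sample in (GOOD_SAMPLE, BAD_SAMPLE):
        for adapter, findings in diagnose_all(sample).items():
            print(adapter, findings or "OK")
```

The gateway check is the one people forget: Windows accepts a default gateway that is not on the adapter's subnet, and the symptom is exactly the second row of Table 10.7, local hosts reachable, everything else not.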


You should be prepared to identify the output from an ipconfig command in relationship to a troubleshooting scenario for the Network+ exam.


The /all switch is by far the most commonly used, but ipconfig accepts a few others, listed in Table 10.8.

Table 10.8. ipconfig Switches

    Switch      Description
    /?          Displays the ipconfig help screen
    /all        Displays the full configuration, including the MAC address, DHCP server, DNS servers and lease times
    /release    Releases the DHCP-assigned IP address of the specified adapter (all adapters if none is named)
    /renew      Renews the DHCP lease of the specified adapter (all adapters if none is named)


ipconfig and its switches are used constantly by network administrators, so expect them to appear on the exam.


The ipconfig /renew and ipconfig /release commands work only when your system is using DHCP.


The ipconfig command on Windows 2000, Windows XP and Windows Server 2003 provides additional switches and functionality geared toward Active Directory and Dynamic DNS. You do not need to be concerned with these switches for the Network+ exam, but you can view information on them by using the ipconfig /? command.


ifconfig

ifconfig performs the same basic function as ipconfig on Linux, UNIX, and Macintosh systems, but it does more than display settings: it is also the command used to assign an address to an interface and to bring interfaces up or down, so it offers considerably more functionality than ipconfig. On a Linux system you can get a usage summary with ifconfig --help. (On current Linux distributions ifconfig belongs to the older net-tools package and may not be installed by default; the ip command from iproute2 replaces it.) The following output is an example of the basic ifconfig command run on a Linux system:

    eth0      Link encap:Ethernet  HWaddr 00:60:08:17:63:A0
              inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:911 errors:0 dropped:0 overruns:0 frame:0
              TX packets:804 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              Interrupt:5 Base address:0xe400

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:3924  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0

The ifconfig output shows the hardware (MAC) address, IP address, broadcast address and subnet mask of each interface, including the local loopback adapter, along with packet and error counters that are useful for spotting a bad cable or a duplex mismatch. It does not show the default gateway, which lives in the routing table (use route -n or netstat -rn for that), and it does not report DHCP lease information. On the Red Hat-based systems of this book's era, the pump -s command shows the DHCP lease in detail, including the assigned IP address, the address of the DHCP server, the DNS servers handed out, and the time remaining on the lease; pump can also release and renew a DHCP-assigned address. Other distributions use the dhclient or dhcpcd client instead, which record the same lease details in their own lease files.

The winipcfg Command

On Windows 95, Windows 98 and Windows Me systems, the winipcfg utility is available in addition to the ipconfig command. The difference between the two is that winipcfg is a graphical utility.

In basic mode, winipcfg shows information including the Media Access Control (MAC) address and IP address of the interface, the subnet mask, and the default gateway. For detailed information, similar to that produced with ipconfig /all, a More Info button allows you to switch into a much more detailed screen.

The same troubleshooting scenarios, with the same solutions, apply to winipcfg as to ipconfig. Table 10.9 lists some solutions to common problems.

Table 10.9. Common Troubleshooting Problems That winipcfg Can Help Solve

    Symptom: User is unable to connect to any other system.
    Check:   Make sure the TCP/IP address and subnet mask are correct. If using DHCP, make sure DHCP is enabled.

    Symptom: User is able to connect to another system on the same subnet, but is not able to connect to a remote system.
    Check:   Make sure the default gateway is correctly configured.

    Symptom: User is unable to browse the Internet.
    Check:   Make sure the DNS server parameters are configured correctly.

    Symptom: User is unable to browse across remote subnets.
    Check:   Make sure the WINS or DNS server parameters are configured correctly (if applicable).


nslookup

nslookup is a utility used to troubleshoot DNS-related problems. With nslookup you can run manual name resolution queries against any DNS server, see which DNS server your system is using, and specify what kind of DNS record (A, MX, NS and so on) should be returned.

When nslookup is started with no arguments, it displays the name and IP address of the default DNS server (the first server configured on the system) and then presents a > prompt at which you enter further queries and commands. This is known as interactive mode. The commands you can enter in interactive mode are listed in Table 10.10; most of them are options set with the set command, for example set type=MX to ask for mail exchanger records.

Table 10.10. nslookup Interactive-Mode Commands

    Command                        Description
    set all                        Prints the current options, along with the current server and host information
    set [no]debug                  Prints debugging information
    set [no]d2                     Prints exhaustive debugging information
    set [no]defname                Appends the default domain name to each query
    set [no]recurse                Asks for a recursive answer to the query
    set [no]search                 Uses the domain search list
    set [no]vc                     Always uses a virtual circuit (TCP rather than UDP)
    set domain=NAME                Sets the default domain name to NAME
    set srchlist=N1[/N2/.../N6]    Sets the default domain to N1 and the search list to N1, N2, and so on
    set root=NAME                  Sets the root server to NAME
    set retry=X                    Sets the number of retries to X
    set timeout=X                  Sets the initial timeout interval to X seconds
    set type=X                     Sets the query type (for example, A, ANY, CNAME, MX, NS, PTR, SOA, or SRV)
    set querytype=X                Same as type
    set class=X                    Sets the query class (for example, IN [Internet] or ANY)
    set [no]msxfr                  Uses the Microsoft fast zone transfer format
    set ixfrver=X                  Sets the current version to use in an IXFR (incremental zone transfer) request
    server NAME                    Sets the default server to NAME, resolving NAME through the current default server
    exit                           Exits the program


Instead of using interactive mode, you can also execute nslookup requests directly at the command prompt. The following listing shows the output from nslookup when a domain name is specified to be resolved.

    C:\>nslookup comptia.org
    Server:  nsc1.ht.ok.shawcable.net
    Address:  64.59.168.13

    Non-authoritative answer:
    Name:    comptia.org
    Address:  208.252.144.4

As you can see from the output, nslookup shows the hostname and IP address of the DNS server against which the resolution was performed, along with the hostname and IP address of the resolved host. The Non-authoritative answer label means the server answered from its cache, or by recursing on your behalf, rather than from a zone it hosts itself. An answer marked this way can be stale, or wrong if the resolver's cache has been poisoned, so to confirm a record query one of the domain's authoritative servers directly by naming it after the host, as in nslookup comptia.org <authoritative-server>.

dig

dig is used on Linux, UNIX or Macintosh system to perform manual DNS lookups. dig performs the same basic task as nslookup, but with one major distinction: The dig command does not have an interactive mode and instead uses only command-line switches to customize results.

dig is generally considered a more powerful tool than nslookup, but in the course of a typical network administrator's day, the minor limitations of nslookup are unlikely to be too much of a factor. Instead, dig is often simply the tool of choice for DNS information and troubleshooting on UNIX, Linux, or Macintosh systems. Like nslookup, dig can be used to perform simple name resolution requests. The output from this process can be seen in the following listing:

    ; <<>> DiG 8.2 <<>> examcram.com
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
    ;; QUERY SECTION:
    ;;    examcram.com, type = A, class = IN

    ;; ANSWER SECTION:
    examcram.com.        7h33m IN A    63.240.93.157

    ;; AUTHORITY SECTION:
    examcram.com.        7h33m IN NS    usrxdns1.pearsontc.com.
    examcram.com.        7h33m IN NS    oldtxdns2.pearsontc.com.

    ;; Total query time: 78 msec
    ;; FROM: localhost.localdomain to SERVER: default -- 209.53.4.130
    ;; WHEN: Sat Oct 16 20:21:24 2004
    ;; MSG SIZE  sent: 30  rcvd: 103

As you can see, dig provides a number of pieces of information in its basic output, more so than nslookup. There are three key areas of the output from which network administrators can gain information: the Answer Section, the Authority Section, and the last four lines of the output.

The Answer Section of the output provides the name of the domain or host being resolved, along with its IP address. The A in the results line indicates the record type that is being resolved.

The Authority Section lists the DNS servers that are authoritative for the domain being resolved. This information can be useful in determining whether the correct DNS servers are considered authoritative for a domain. Note that the flags line shows qr rd ra but not aa, so this answer came from a caching resolver rather than from one of those authoritative servers; to query one of them directly, name it on the dig command line, for example dig @usrxdns1.pearsontc.com examcram.com.

The last four lines of the output show how long the name resolution request took to process and the IP address of the DNS server that performed the resolution. It also shows the date and time of the request, as well as the size of the packets sent and received.
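Both the Non-authoritative answer line in the nslookup output and the flags line in the dig output come from the same place: the 16-bit flags field in the DNS message header, where qr, aa, rd and ra are individual bits and the status is the 4-bit RCODE. As an added example, not from the book, the Python below builds a response carrying the same records the dig output above shows (using a compression pointer for the owner name, as real servers do) and parses it back into the fields dig prints. The message bytes are constructed in the script, not captured from the network; the record data is taken from the dig listing.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}
FLAG_BITS = (("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7))


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, answers, authorities, txid=4, aa=False):
    """Build a response like a recursive resolver would return; records are (type, ttl, rdata)
    tuples. Constructed for this example, not a captured packet."""
    flags = 0x8180 | (0x0400 if aa else 0)        # QR, RD, RA set; AA only if asked for
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authorities), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # question: qname, type A, class IN
    for rtype, ttl, rdata in answers + authorities:
        msg += struct.pack("!H", 0xC000 | 12)               # owner name = pointer to qname at offset 12
        msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Read a possibly compressed name; returns (name, offset just after the name field)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == 1 and rdlen == 4:
        data = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5, 12):                     # NS, CNAME, PTR carry a name
        data = read_name(msg, off)[0]
    else:
        data = rdata.hex()
    return {"name": name, "type": TYPES.get(rtype, str(rtype)), "ttl": ttl, "data": data}, off + rdlen


def parse_response(msg):
    """Return the fields dig prints: id, opcode, status, flags, and the three record sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "opcode": (flags >> 11) & 0xF, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [f for f, bit in FLAG_BITS if flags & (1 << bit)], "authoritative": bool(flags & 0x0400)}
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        questions.append((qname, TYPES.get(qtype, str(qtype))))
        off += 4                                  # qtype + qclass
    info["question"] = questions
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        info[key] = rrs
    return info


# Constructed message carrying the records the dig output above shows (7h33m = 27180 seconds).
SAMPLE = build_response("examcram.com",
                        [(1, 27180, bytes([63, 240, 93, 157]))],
                        [(2, 27180, encode_name("usrxdns1.pearsontc.com")),
                         (2, 27180, encode_name("oldtxdns2.pearsontc.com"))])

if __name__ == "__main__":
    r = parse_response(SAMPLE)
    print("status", r["status"], "flags", " ".join(r["flags"]),
          "(authoritative)" if r["authoritative"] else "(non-authoritative)")
    for section in ("answer", "authority"):
        for rr in r[section]:
            print(f"{section:<9} {rr['name']:<16} {rr['ttl']} IN {rr['type']} {rr['data']}")
```

The parsed flags come out as qr rd ra, exactly what dig printed, and the missing aa bit is what nslookup reports as "Non-authoritative answer". The pointer-loop guard in read_name is not decoration: a malformed or malicious message whose compression pointers refer to each other would otherwise spin the parser forever.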



    Network+ Exam Cram 2
    ISBN: 078974905X
    Year: 2003
    Pages: 194