Test Commands

There are few test commands available that can be used for various purposes. Following is a list of such commands:

  • ping Helps to determine the connectivity between devices on your network.

  • traceroute Provides a method of determining the route by which packets reach their destination from one device to another.

  • telnet Helps to find out if a TCP-based application is running and listening on a specific port.

  • nslookup Helps to determine if name resolution for a domain name or IP address is working correctly.

ping Command

To check host reachability and network connectivity, use the ping command, which can be invoked from any network device that has a TCP/IP stack. For IP, the ping command sends Internet Control Message Protocol (ICMP) Echo messages. ICMP is the Internet protocol that reports errors and provides information relevant to IP packet addressing. If a station receives an ICMP Echo message, it sends an ICMP Echo Reply message back to the source.

The extended command mode of the ping command permits you to specify the supported IP header options. Different Cisco security devices implement the ping command in different ways. For example, in a router, extended ping allows the router to perform a more extensive range of test options. To enter ping extended command mode, enter yes at the extended commands prompt of the ping command on the router.

There are various other usages for the ping command than just connectivity testing. For example, extended ping on the router can be used to initiate a LAN-to-LAN IPsec tunnel by generating interesting traffic. This helps in verifying if the tunnel configuration is correct, and if the tunnel is working as expected on the routers. If the tunnel is working with extended ping, then this indicates that the problem may be somewhere else in the network. You can use count, MTU, and DF bit option to find out the packet loss and fragmentation issues. More specific usage of the ping command is discussed in the chapter that is specific to each product.

traceroute Command

The traceroute (in a Windows platform, it is tracert) command discovers the routes that a packet follows when traveling to its destination. The traceroute command permits the supported IP header options to be specified, allowing the router to perform a more extensive range of test options.

The traceroute command works by using the error message generated by routers when a datagram exceeds its time-to-live (TTL) value. First, a probe datagram is sent with a TTL value of 1. This causes the first router to discard the probe datagram and send back "time exceeded" error messages. The traceroute command then sends several probes and displays the round-trip time for each. After every third probe, the TTL is increased by 1.

Each outgoing packet can result in one of two error messages. A "time exceeded" error message indicates that an intermediate router has seen and discarded the probe. A "port unreachable" error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet to an application. If the timer goes off before a response comes in, traceroute prints an asterisk (*).

The traceroute command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. Note that for traceroute to function correctly, you must ensure that you are allowing all the ICMP types traceroute command uses ("Time Exceeded" for example); otherwise, traceroute will not work. If that happens, you are limited to using only the ping command if only Echo and Echo Reply are allowed. For details on different ICMP types, go to the following link:


Just as with ping, you can use the traceroute command for connectivity testing. But the real use of the traceroute command is to find out which device in the network is dropping the packets if there is a connectivity issue. Also, if you have a routing loop in the network or an asymmetric routing setup in the network, you can discover this by performing the trace a few times and comparing the hops the packet is taking each time.

telnet Command

As you know, Telnet is primarily used to log in to a specific device for configuration purposes. However, the telnet command also can check the status of a specific TCP port of an application to see if the application is working on that specific port. For instance, to find out if the mail server is alive and listening on port 25 for SMTP, use the telnet command with mail server IP address or the domain name along with the port number 25 as an argument, as follows:

D:\>telnet xxx.xyz.com 25 220 xxx.xyz.com ESMTP Sendmail ...... 

You can also check to see if the web server is alive by using Telnet to access the web server with port 80, and after that executing the get command. Example 2-1 shows output from a live web server with the telnet command on port 80:

Example 2-1. Shows the Output of Telnet Test for a Live Web Server

D:\>telnet www.xyz.com 80 HTTP/1.0 200 OK Cache-Control: no-store Pragma: no-cache Cache-Control: no-cache X-Bypass-Cache: Application and Content Networking System Software 4.2.9 Connection: Close <HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0" URL=""></HEAD><BODY> </BODY></HTML> Connection to host lost. D:\> 

Just as with a mail server and web server, you can find out if a TCP-based application is running and listening on a specific TCP port with the telnet command in a similar fashion as shown earlier.

nslookup Command

This command is used to obtain the IP address of a domain name or a domain name of an IP address of a specific server application (for instance, Web application running on a server). This is an extremely useful command, because while troubleshooting issues with e-mail or Web packets connectivity, you may not know if you have a problem with the domain name resolution or the actual packet flow. Example 2-2 shows how to use this command to perform the resolution from domain name to IP address and vice versa.

Example 2-2. Use nslookup Command for Domain Name to IP Address Resolution and Vice Versa

! The following line is trying to find out the ip address of the www.xyz.com web ! server's IP address D:\>nslookup www.xyz.com Server:  dns-xxx.dummy.com Address:  x.x.x.x Non-authoritative answer: Name:    www.xyz.com Address: ! The following line is trying to find out the name from the IP address which results in ! www.xyz.com name D:\>nslookup Server:  dns-xxx.dummy.com Address:  x.x.x.x Name:    www.xyz.com Address: D:\> 

Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net