Although a plethora of tools are at the disposal of the Netadmin, most of the commonly available tools are not used to their full potential. Some of these tools are built into the OS. This section discusses the usage of the following built-in tools:
Using whois Lookup for Domain Registration Information

The whois tool provides administrative information for an Internet domain name. It is handy for finding the contacts and registration information for a domain name. The command is natively supported by Linux but is not a part of MS-Windows. While many freeware and commercial versions of whois are available for MS-Windows, this section covers the Linux version. To use the command-line version of the whois tool, follow these steps:
To investigate details of the domain mydomain.com, type whois mydomain.com at the command line, as shown in Example 2-23.

Example 2-23. Output of the whois Command

spope@linuxbox# whois mydomain.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: MYDOMAIN.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS2.NYC.BIGISP.NET
   Name Server: NS1.NYC.BIGISP.NET
   Name Server: NS2.DAL.BIGISP.NET
   Name Server: NS1.DAL.BIGISP.NET
   Status: ACTIVE
   Updated Date: 08-aug-2002
   Creation Date: 28-nov-1995
   Expiration Date: 27-nov-2009

>>> Last update of whois database: Sun, 25 Jul 2004 08:27:47 EDT <<<

Registrant:
SUPER ECOMMERCE Companys L.P. (SUPER ECOMMERCE-DOM)
   300 Anybig Road
   Suite 100
   Dallas, TX 75201
   US

   Domain Name: MYDOMAIN.COM

   Administrative Contact:
      Companny , SUPER ECOMMERCE  (34410541I)  alert1@MYDOMAIN.COM
      SUPER ECOMMERCE Companys.
      300 Anybig Road
      Suite 100
      Dallas, TX 75201
      US
      214-111-111
   Technical Contact:
      Steve, smith  (PS11887)  ssmith@MYDOMAIN.COM
      SUPER ECOMMERCE Companys L.P.
      300 Anybig Road
      Suite 100
      Dallas, TX 75201
      US
      214-111-111 fax: (214) 111-9999
      (214) 758-6171

   Record expires on 27-Nov-2009.
   Record created on 28-Nov-1995.
   Database last updated on 25-Jul-2004 18:00:42 EDT.

   Domain servers in listed order:

   NS1.DAL.BIGISP.NET           26.152.10.11
   NS2.NYC.BIGISP.NET           29.91.129.5
   NS1.NYC.BIGISP.NET           29.171.129.11
   NS2.DAL.BIGISP.NET           26.52.40.37

The output provides administrative and technical contacts as well as the registration details. The command output also provides the expiration date for the record, as highlighted in Example 2-23. The expiration information is helpful when isolating issues related to web or e-mail connectivity. For example, if mydomain.com has expired, the DNS query for the domain will fail.
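The expiration check described above, written out as an added Python example (this is not code from the book): it pulls the Expiration Date field out of whois output and reports how many days remain, so a lapsed or soon-to-lapse registration is caught before DNS and e-mail for the domain stop working. SAMPLE_WHOIS is a constructed excerpt in the layout of Example 2-23, and the 30-day warning window is an assumed value.

```python
"""Check the expiration date in whois output.

Added example (not code from the book): parses the "Expiration Date:" field
of whois output and reports how many days remain. SAMPLE_WHOIS is a
constructed excerpt in the layout of Example 2-23; the 30-day warning
window is an assumed value.
"""
import re
import subprocess
from datetime import date, datetime

# Constructed sample, abbreviated to the registrar block of Example 2-23.
SAMPLE_WHOIS = """\
   Domain Name: MYDOMAIN.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Status: ACTIVE
   Updated Date: 08-aug-2002
   Creation Date: 28-nov-1995
   Expiration Date: 27-nov-2009
"""

# Date styles seen from registrars: "27-nov-2009" (as in Example 2-23) and ISO "2009-11-27".
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d")


def _as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_expiration(whois_text):
    """Return the expiration date found in whois output, or None if absent or unparseable."""
    m = re.search(r"^\s*Expir\w*\s*Date:\s*(\S+)", whois_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    raw = m.group(1).rstrip(".")
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def days_until_expiry(whois_text, today):
    """Days left before the registration lapses; negative once it has expired."""
    expires = parse_expiration(whois_text)
    if expires is None:
        raise ValueError("no expiration date in whois output")
    return (expires - _as_date(today)).days


def classify(whois_text, today, warn_days=30):
    """'expired', 'expiring' (within warn_days), or 'ok'."""
    left = days_until_expiry(whois_text, today)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "expiring"
    return "ok"


def check_domain(domain):
    """Run the real whois client (Linux, or cygwin on Windows) and classify the result."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=False).stdout
    return classify(out, date.today())


if __name__ == "__main__":
    # 2004-07-25 is the day the whois database in Example 2-23 was last updated.
    print(days_until_expiry(SAMPLE_WHOIS, "2004-07-25"), classify(SAMPLE_WHOIS, "2004-07-25"))
```

Run against the sample as of the database date in Example 2-23, the record has 1951 days left and is classified ok; the same check run in mid-November 2009 reports it as expiring, which is the warning a Netadmin wants before the web and e-mail failures described above appear.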
When the DNS query for the domain fails, users cannot access the website www.mydomain.com by using the domain name. Consequently, e-mail delivery to mydomain.com also fails.

Tip
cygwin enables the use of Linux commands and tools, including whois, in Windows. cygwin is available for download at http://www.cygwin.com/.

Using nslookup to Find DNS Information

Nslookup is a command-line tool that verifies Domain Name System (DNS) information using the local DNS server. The tool queries DNS servers to retrieve various data types associated with an Internet domain. These data types are as follows:
If you have an IP address, you can get a canonical name back for the address. If you have a canonical name, you can get an IP address. Another useful feature is the ability to get a list of mail servers for the target domain. Nslookup is available in both MS-Windows and Linux versions.

Using the MS-Windows Based nslookup Tool

Nslookup comes preinstalled as a command-line tool with Windows 95 and later versions of MS-Windows. To query DNS information about the target domain or host, follow these steps:
Example 2-24 shows the Windows nslookup command output that determines the mail and DNS servers for mydomain.com.

Example 2-24. Output of the MS-Windows nslookup Command

c:\windows\system32>nslookup
Default Server:  ns2.myisp.com
Address:  26.48.227.68

> set query=all
> mydomain.com
Server:  ns2.myisp.com
Address:  26.48.227.68

Non-authoritative answer:
mydomain.com    nameserver = ns5.mydomain.com
mydomain.com    nameserver = ns4.mydomain.com
mydomain.com    nameserver = ns3.mydomain.com
mydomain.com    MX preference = 10, mail exchanger = mail1.mydomain.com
mydomain.com    MX preference = 20, mail exchanger = mail2.mydomain.com
mydomain.com
        primary name server = ns4.mydomain.com
        responsible mail addr = hostmaster.mydomain.com
        serial  = 2004072000
        refresh = 7200 (2 hours)
        retry   = 600 (10 mins)
        expire  = 2592000 (30 days)
        default TTL = 600 (10 mins)

mydomain.com    nameserver = ns4.mydomain.com
mydomain.com    nameserver = ns3.mydomain.com
ns4.mydomain.com        internet address = 131.91.51.1
ns3.mydomain.com        internet address = 126.18.10.178
> exit

The details of the output are as follows:
Using the Linux-Based nslookup/dig Tool

The Linux version of nslookup is similar to its Windows counterpart. To query DNS information about the target domain or host, follow these steps:
Example 2-25 shows the nslookup command retrieving the available information for mydomain.com.

Example 2-25. Output of the Linux nslookup Command

spope@linuxbox# nslookup
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> set querytype=ANY
> mydomain.com
Server:         26.48.227.68
Address:        26.48.227.68#53

Non-authoritative answer:
mydomain.com    nameserver = ns5.mydomain.com.
mydomain.com    nameserver = ns4.mydomain.com.
mydomain.com    nameserver = ns3.mydomain.com.
mydomain.com    mail exchanger = 10 mail1.mydomain.com.
mydomain.com    mail exchanger = 20 mail2.mydomain.com.
Name:   mydomain.com
Address: 131.91.51.10

Authoritative answers can be found from:
mydomain.com    nameserver = ns4.mydomain.com.
mydomain.com    nameserver = ns3.mydomain.com.
ns4.mydomain.com        internet address = 131.91.51.1
ns3.mydomain.com        internet address = 126.18.10.178
> exit

Note the set querytype=ANY command, which retrieves all the available record types. The output is similar to that of its MS-Windows counterpart. The two mail exchanger lines indicate the MX records, whereas the last two lines before the exit command indicate the DNS servers used by mydomain.com. The exit command, as shown in the last line, returns you to the command shell. Although nslookup is an integral part of Linux, it has been deprecated. Users are encouraged to use the dig command because of its enhanced functionality, flexibility, ease of use, and clarity of output. To query DNS information about the target domain or host using the dig command, follow these steps:
Although the dig command offers various options, the most common format is as follows:

dig @dns-server targetdomain query-type

Example 2-26 shows the dig command retrieving available information for mydomain.com from the DNS server 26.48.27.168.

Example 2-26. Output of the Linux dig Command

spope@linuxbox# dig @26.48.27.168 mydomain.com ANY

; <<>> DiG 9.2.4rc2 <<>> @26.48.27.168 mydomain.com ANY
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4367
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 5

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           6598    IN      NS      ns5.mydomain.com.
mydomain.com.           6598    IN      NS      ns4.mydomain.com.
mydomain.com.           6598    IN      NS      ns3.mydomain.com.
mydomain.com.           194     IN      SOA     ns4.mydomain.com. hostmaster.mydomain.com. 2004072000 7200 600 2592000 600
mydomain.com.           253     IN      MX      10 mail1.mydomain.com.
mydomain.com.           253     IN      MX      20 mail2.mydomain.com.

;; AUTHORITY SECTION:
mydomain.com.           6598    IN      NS      ns5.mydomain.com.
mydomain.com.           6598    IN      NS      ns4.mydomain.com.
mydomain.com.           6598    IN      NS      ns3.mydomain.com.

;; ADDITIONAL SECTION:
ns5.mydomain.com.       150     IN      A       130.94.251.2
ns4.mydomain.com.       150     IN      A       130.94.251.1
ns3.mydomain.com.       37732   IN      A       216.218.210.178
anco.mydomain.com.      260     IN      A       123.44.14.26
dsqd.mydomain.com.      260     IN      A       123.44.14.151

;; Query time: 136 msec
;; SERVER: 26.48.27.168#53(26.48.27.168)
;; WHEN: Sun Jul 25 13:14:53 2001
;; MSG SIZE  rcvd: 299

When compared to the nslookup command, the dig command has the following features:
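Because dig prints one resource record per line, its output is easy to process in a script. The following added Python example (not code from the book) parses the sections of dig output into records and extracts the items a Netadmin most often checks by eye in Example 2-26: the mail exchangers in delivery order, the name servers, and the SOA serial. SAMPLE_DIG is a constructed excerpt of Example 2-26; the YYYYMMDDnn reading of the serial is a widespread convention, not something dig itself guarantees.

```python
"""Parse dig output into resource records.

Added example (not code from the book). SAMPLE_DIG is a constructed excerpt
of Example 2-26. The parser is generic for dig's "owner TTL class type rdata"
record lines and the ";; <NAME> SECTION:" markers.
"""
import re
from datetime import date

SAMPLE_DIG = """\
;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           6598    IN      NS      ns5.mydomain.com.
mydomain.com.           6598    IN      NS      ns4.mydomain.com.
mydomain.com.           6598    IN      NS      ns3.mydomain.com.
mydomain.com.           194     IN      SOA     ns4.mydomain.com. hostmaster.mydomain.com. 2004072000 7200 600 2592000 600
mydomain.com.           253     IN      MX      10 mail1.mydomain.com.
mydomain.com.           253     IN      MX      20 mail2.mydomain.com.

;; AUTHORITY SECTION:
mydomain.com.           6598    IN      NS      ns5.mydomain.com.

;; Query time: 136 msec
"""

# owner  TTL  IN  TYPE  rdata...
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_section(dig_text, section="ANSWER"):
    """Return (owner, ttl, type, rdata) tuples from one ';; <section> SECTION:' of dig output."""
    records = []
    in_section = False
    for line in dig_text.splitlines():
        if line.startswith(";;"):
            in_section = line.strip() == f";; {section} SECTION:"
            continue
        if not in_section or not line.strip() or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata.strip()))
    return records


def mail_exchangers(dig_text):
    """MX hosts in delivery order (lowest preference value first)."""
    mx = []
    for _, _, rtype, rdata in parse_section(dig_text):
        if rtype == "MX":
            pref, host = rdata.split(None, 1)
            mx.append((int(pref), host))
    return [host for _, host in sorted(mx)]


def name_servers(dig_text):
    """Sorted NS targets from the answer section."""
    return sorted(rdata for _, _, rtype, rdata in parse_section(dig_text) if rtype == "NS")


def soa_serial(dig_text):
    """Zone serial number from the SOA record; None if the answer carries no SOA."""
    for _, _, rtype, rdata in parse_section(dig_text):
        if rtype == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            return int(rdata.split()[2])
    return None


def serial_as_date(serial):
    """Decode a serial that follows the common YYYYMMDDnn convention; None if it does not."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])).isoformat()
    except ValueError:
        return None
```

Running the same parse over dig @ns3, @ns4 and @ns5 and comparing soa_serial() across them is the quickest way to spot a secondary that has stopped transferring the zone, because its serial stays behind the primary's.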
Using netstat for Port and Connection Information

To design, deploy, and troubleshoot a network, network administrators need to determine the traffic flowing through it. This traffic is generated by the end stations. The administrators often require an X-ray tool to directly view the TCP/IP statistics on the servers and workstations. Netstat (or network statistics) is just the tool to directly show these TCP/IP statistics. It provides the following items:
It is one of the most useful yet underused tools for administrators. A thorough understanding of this tool aids in configuring or troubleshooting the following:
Netstat is available for both MS-Windows and Linux. Because of the importance of this tool, the following sections discuss both versions in detail.

Using the MS-Windows Based netstat Command

The netstat command is preinstalled with all versions of MS-Windows. This section discusses the Windows 2000/XP version of the command. To list the active connections on a Windows computer, follow these steps:
The netstat /? command on Windows machines provides information on the usage of the netstat command. Example 2-27 shows the output of the netstat /? command in Windows XP. The output can be slightly different in other Windows versions. However, the options discussed in this chapter are applicable to all versions of Windows.

Example 2-27. Output of the Windows netstat /? Command

c:\windows\system32>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-o] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

The sections that follow discuss the use of various netstat options on an MS-Windows computer for displaying the following items:
Using the Windows netstat Command to Display Active Connections

Use the netstat command with no option to display the currently active TCP connections. Example 2-28 shows the output of the netstat command.

Example 2-28. Windows netstat Command: Active Connections

c:\windows\system32>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    WINXPBOX:4343          localhost:4344         ESTABLISHED
  TCP    WINXPBOX:4344          localhost:4343         ESTABLISHED
  TCP    WINXPBOX:3480          www.website1.com:http  TIME_WAIT
  TCP    WINXPBOX:3485          123.38.12.57:http      TIME_WAIT
  TCP    WINXPBOX:3488          www.website2.com:http  TIME_WAIT
  TCP    WINXPBOX:3494          62.14.80.250:http      SYN_SENT

This command provides a quick snapshot of the currently active connections. You can also use the interval option to view a continuous display that is refreshed periodically. For example, the netstat 5 command displays the same output as in Example 2-28, but it is refreshed every 5 seconds until interrupted by the user pressing Ctrl-C.

Note
A large number of connections in the SYN_RECEIVED state indicates half-open TCP connections. This can be an indication of a SYN flood attack.

To get the output in numerical format, use the -n option. Numerical format shows only IP addresses and port numbers (for example, 192.168.10.10:80 instead of www.website1.com:http).

Using the Windows netstat Command to Display All Connections

To view both TCP and UDP connection statistics, use the -a option with the netstat command. The -a option also displays all the ports in the LISTENING state. Netadmins can use this list to verify whether malicious programs are active on the local machine. The output in Example 2-29 displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

Example 2-29. Windows netstat Command: All Connections

c:\windows\system32>netstat -ao

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    WINXPBOX:epmap         WINXPBOX:0             LISTENING       1500
  TCP    WINXPBOX:microsoft-ds  WINXPBOX:0             LISTENING       4
  TCP    WINXPBOX:1025          WINXPBOX:0             LISTENING       1608
  TCP    WINXPBOX:1030          WINXPBOX:0             LISTENING       4
  TCP    WINXPBOX:3214          WINXPBOX:0             LISTENING       5384
  TCP    WINXPBOX:3389          WINXPBOX:0             LISTENING       1608
  TCP    WINXPBOX:4344          WINXPBOX:0             LISTENING       2312
  TCP    WINXPBOX:58581         WINXPBOX:0             LISTENING       1728
  TCP    WINXPBOX:3001          WINXPBOX:0             LISTENING       432
  TCP    WINXPBOX:3002          WINXPBOX:0             LISTENING       1608
  TCP    WINXPBOX:3003          WINXPBOX:0             LISTENING       1608
  TCP    WINXPBOX:4343          WINXPBOX:0             LISTENING       2312
  TCP    WINXPBOX:4343          localhost:4344         ESTABLISHED     2312
  TCP    WINXPBOX:4344          localhost:4343         ESTABLISHED     2312
  TCP    WINXPBOX:netbios-ssn   WINXPBOX:0             LISTENING       4
  TCP    WINXPBOX:31337         WINXPBOX:0             LISTENING       1928
  UDP    WINXPBOX:microsoft-ds  *:*                                    4
  UDP    WINXPBOX:3012          *:*                                    1792
  UDP    WINXPBOX:3147          *:*                                    1792
  UDP    WINXPBOX:62515         *:*                                    476
  UDP    WINXPBOX:62517         *:*                                    476
  UDP    WINXPBOX:62519         *:*                                    476
  UDP    WINXPBOX:62521         *:*                                    476
  UDP    WINXPBOX:62523         *:*                                    476
  UDP    WINXPBOX:62524         *:*                                    476
  UDP    WINXPBOX:netbios-ns    *:*                                    4
  UDP    WINXPBOX:netbios-dgm   *:*                                    4

The output lists various TCP and UDP ports, the local and foreign addresses associated with the ports, and the current state of the ports. While most ports are referred to by the port number, some of the ports are indicated by the well-known services associated with the port. For example, the second line of the output shows the port name microsoft-ds instead of the port number 445. Similarly, the command displays the host name instead of the IP address. While most of the ports appear to be legitimate traffic, note the line showing TCP 31337 in the LISTENING state (PID 1928). The local host might be running a Trojan server on TCP 31337, because this port is associated with many malicious programs, including Back Orifice. The Trojan server provides back-door entry into the host and is a security vulnerability.
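The two checks just described, looking for a listener on a known Trojan port and counting half-open connections, are easy to automate. The following added Python example (not code from the book) parses netstat -ao output into records, maps the service names Windows substitutes for port numbers back to numbers, and flags both conditions. SAMPLE_NETSTAT_AO is constructed from Examples 2-28 and 2-29 with three SYN_RECEIVED lines added to exercise the check from the Note; SERVICE_PORTS, SUSPECT_PORTS and the 50-connection threshold are assumptions that should be replaced by your own baseline of what the host is expected to listen on.

```python
"""Flag suspicious listeners and half-open connections in Windows netstat output.

Added example (not code from the book). SAMPLE_NETSTAT_AO is constructed
from Examples 2-28 and 2-29 plus three SYN_RECEIVED lines; SERVICE_PORTS,
SUSPECT_PORTS and the threshold are assumptions to tune per host.
"""
import subprocess

SAMPLE_NETSTAT_AO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    WINXPBOX:epmap         WINXPBOX:0             LISTENING       1500
  TCP    WINXPBOX:microsoft-ds  WINXPBOX:0             LISTENING       4
  TCP    WINXPBOX:3389          WINXPBOX:0             LISTENING       1608
  TCP    WINXPBOX:31337         WINXPBOX:0             LISTENING       1928
  TCP    WINXPBOX:4343          localhost:4344         ESTABLISHED     2312
  TCP    WINXPBOX:3480          www.website1.com:http  TIME_WAIT       0
  TCP    WINXPBOX:http          10.0.0.5:40001         SYN_RECEIVED    4
  TCP    WINXPBOX:http          10.0.0.6:40002         SYN_RECEIVED    4
  TCP    WINXPBOX:http          10.0.0.7:40003         SYN_RECEIVED    4
  UDP    WINXPBOX:netbios-ns    *:*                                    4
"""

# Service names that netstat prints instead of numbers (the ones appearing in Example 2-29).
SERVICE_PORTS = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445, "http": 80}

# Listening ports that should never appear on this host; 31337 is the one the chapter names.
SUSPECT_PORTS = {31337: "Back Orifice (Example 2-29)"}


def port_of(endpoint):
    """Turn 'HOST:service' or 'HOST:1234' into an integer port (-1 for an unknown service name)."""
    name = endpoint.rsplit(":", 1)[1]
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name, -1)


def parse_netstat(text):
    """One dict per TCP/UDP line of netstat [-a] [-o] output; pid is None when -o was not used."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        rest = parts[3:]
        state = rest.pop(0) if proto == "TCP" and rest else ""   # UDP rows have no State column
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid, "port": port_of(local)})
    return rows


def suspicious_listeners(rows):
    """(port, pid, reason) for LISTENING sockets on ports listed in SUSPECT_PORTS."""
    return [(r["port"], r["pid"], SUSPECT_PORTS[r["port"]])
            for r in rows if r["state"] == "LISTENING" and r["port"] in SUSPECT_PORTS]


def half_open_count(rows):
    """Half-open TCP connections (SYN_RECEIVED), the SYN-flood symptom from the Note."""
    return sum(1 for r in rows if r["state"] == "SYN_RECEIVED")


def syn_flood_suspected(rows, threshold=50):
    """True when half-open connections reach the threshold (assumed value; tune per host)."""
    return half_open_count(rows) >= threshold


def live_rows():
    """Same parse over the real command; -n skips name resolution so the snapshot is quick."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=False).stdout
    return parse_netstat(out)
```

The PID returned with the 31337 hit is the value the -o option adds, so the same script output tells the Netadmin which process to investigate in Task Manager.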
Also, note the use of the -o option in Example 2-29. This option, available only in Windows XP and 2003, adds another column for the process identifier (PID). The PID view is useful in identifying the process associated with each of the TCP or UDP ports. Armed with the knowledge of the TCP/UDP port numbers used by a worm or Trojan, administrators can use the -o option to determine the PID of the malicious code and disarm it.

Using the Windows netstat Command to Display Network Statistics

To view a summary of protocol statistics, use the -s option. The output in Example 2-30 shows the protocol summary statistics for IP, ICMP, TCP, and UDP. Also note the use of the -e option to display a summary of the Ethernet network interface.

Example 2-30. Windows netstat Command: Network Statistics

c:\windows\system32>netstat -es

Interface Statistics

                           Received            Sent

Bytes                     152762747        25211410
Unicast packets              322126          297809
Non-unicast packets           34543             952
Discards                          0               0
Errors                            0               2
Unknown protocols                 0

IPv4 Statistics

  Packets Received                   = 361884
  Received Header Errors             = 0
  Received Address Errors            = 32389
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 329497
  Output Requests                    = 304814
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMPv4 Statistics

                            Received    Sent
  Messages                  315         321
  Errors                    0           0
  Destination Unreachable   8           17
  Time Exceeded             21          0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     27          277
  Echo Replies              259         27
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0

TCP Statistics for IPv4

  Active Opens                        = 4129
  Passive Opens                       = 19
  Failed Connection Attempts          = 688
  Reset Connections                   = 362
  Current Connections                 = 3
  Segments Received                   = 187087
  Segments Sent                       = 161377
  Segments Retransmitted              = 1346

UDP Statistics for IPv4

  Datagrams Received    = 141829
  No Ports              = 554
  Receive Errors        = 0
  Datagrams Sent        = 141711

The -es option is useful in detecting the traffic generated or received by the machine. The interface statistics provide a summary of packets sent and received. A high number of discards, errors, or unknown protocols indicates problems at the Ethernet level caused by cabling, duplex, and autonegotiation issues. When the netstat command is used in conjunction with the interval option, network administrators can analyze traffic patterns. For example, the command netstat -e 5 displays the Ethernet statistics summary and refreshes the output every 5 seconds. High numbers of errors, discards, failed connection attempts, and so on indicate problems that include Ethernet interface malfunction, cabling issues, DoS attacks, and so forth.

Using the Windows netstat Command to Display a Routing Table

Although the route print command can be used in MS-Windows to display the route table, the same output is available through the netstat -r command, as demonstrated in Example 2-31.

Example 2-31. Windows netstat Command: Routing Table

c:\windows\system32>netstat -r

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 df 86 a6 ...... Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.103      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.103   192.168.0.103      20
    192.168.0.103  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255    192.168.0.103   192.168.0.103      20
        224.0.0.0        240.0.0.0    192.168.0.103   192.168.0.103      20
  255.255.255.255  255.255.255.255    192.168.0.103   192.168.0.103       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    64.154.80.250  255.255.255.255        127.0.0.1       1

This output is useful in isolating routing or remote-connection issues faced by the machine, especially when other computers in the same subnet are working properly.

Using the Linux-Based netstat Command

The command-line based netstat command is part of a standard Linux installation. To list active connections on a Linux computer, follow these steps:
Optionally, type netstat --help for more information, as shown in Example 2-32.

Example 2-32. Linux netstat Command: Help Output

spope@linuxbox# netstat --help
usage: netstat [-veenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vnNcaeol] [<Socket> ...]
       netstat { [-veenNac] -i | [-cnNe] -M | -s }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all, --listening   display all sockets (default: connected)
        -o, --timers             display timers
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB

  <Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)

If you compare the available options for the Windows netstat command (Example 2-27) to those of the Linux netstat command (Example 2-32), the latter offers far more flexibility. The sections that follow discuss the use of various netstat options on a Linux computer for displaying the following items:
Using the Linux netstat Command to Display Active Connections

Use the netstat -t command to display the currently active TCP connections. Example 2-33 shows the output of the netstat -t command.

Example 2-33. Linux netstat Command: Active TCP Connections

spope@linuxbox# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 linuxbox:32855          www.myweb.com:www       ESTABLISHED
tcp        0      0 linuxbox:32854          www.myweb.com:www       ESTABLISHED
tcp        0      0 linuxbox:32857          www.myweb.com:www       ESTABLISHED
tcp        0      0 linuxbox:32856          www.myweb.com:www       ESTABLISHED
tcp        0    216 linuxbox:ssh            192.168.0.103:3578      ESTABLISHED
tcp        0      1 linuxbox:32858          64.154.80.250:www       SYN_SENT
tcp        0      0 linuxbox:5902           192.168.0.103:3645      ESTABLISHED

This command provides a quick snapshot of the currently active TCP connections. You can also use the -c option to view a continuous display that is refreshed periodically until interrupted by the user pressing Ctrl-C. The command syntax is as follows:

netstat -t -c

You can also force the output to use numeric format by using the -n option. For example, instead of showing the host name and the service (such as www.myweb.com:www), the command displays the IP address and the port number (such as 192.168.10.11:80). The command syntax is netstat -tn. The -n option is also available in the Windows version of the netstat command.

Using the Linux netstat Command to Display All Connections

The default netstat command with no option displays all the active network connections, including the UNIX sockets. To display all the active connections except the UNIX sockets, use the netstat -atuwp command. The -p option displays the PID/program pair for each listed connection. Example 2-34 shows the output of the netstat -atuwp command.

Example 2-34. Linux netstat Command: All Connections

spope@linuxbox# netstat -atuwp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:5902                  *:*                     LISTEN      4649/Xrealvnc
tcp        0      0 *:x11                   *:*                     LISTEN      4433/XFree86
tcp        0      0 *:x11-2                 *:*                     LISTEN      4649/Xrealvnc
tcp        0      0 *:ssh                   *:*                     LISTEN      882/sshd
tcp        0      0 192.168.0.30:ssh        192.168.0.103:3578      ESTABLISHED 3438/0
tcp        0      0 192.168.0.30:5902       192.168.0.103:3645      ESTABLISHED 4649/Xrealvnc

As discussed in the section "Using the Windows netstat Command to Display All Connections," earlier in this chapter, the PID/program name information is useful in identifying the source of network issues.

Using the Linux netstat Command to Display Ethernet Network Statistics

Use the netstat -i command to display the statistics of the Ethernet interface, as shown in Example 2-35. A high number of errors, drops, or overruns indicates cabling or hardware issues. This command, when used in conjunction with the -c option (for continuous display), can aid in investigating abnormal data traffic originating from or terminating at the host.

Example 2-35. Linux netstat Command: Ethernet Statistics

spope@linuxbox# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   89886      0      0      0   84992      1      0      0 BMRU
lo    16436   0     190      0      0      0     190      0      0      0 LRU

Using the Linux netstat Command to Display Network Statistics

Use the netstat -s command to get a summary of IP, ICMP, TCP, and UDP statistics, as demonstrated in Example 2-36.

Example 2-36. Linux netstat Command: Network Statistics

spope@linuxbox# netstat -s
Ip:
    89849 total packets received
    0 forwarded
    0 incoming packets discarded
    70740 incoming packets delivered
    85127 requests sent out
Icmp:
    106 ICMP messages received
    3 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 17
        timeout in transit: 39
        echo requests: 33
        echo replies: 17
    53 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 20
        echo replies: 33
Tcp:
    154 active connections openings
    12 passive connection openings
    0 failed connection attempts
    16 connection resets received
    2 connections established
    69608 segments received
    84542 segments send out
    4 segments retransmited
    0 bad segments received.
    30 resets sent
Udp:
    453 packets received
    3 packets to unknown port received.
    0 packet receive errors
    463 packets sent
TcpExt:
    27 TCP sockets finished time wait in fast timer
    4471 delayed acks sent
    6 delayed acks further delayed because of locked socket
    Quick ack mode was activated 2 times
    953 packets directly queued to recvmsg prequeue.
    646566 of bytes directly received from prequeue
    20998 packet headers predicted
    618 packets header predicted and directly queued to user
    24212 acknowledgments not containing data received
    4642 predicted acknowledgments
    0 TCP data loss events
    2 other TCP timeouts
    23 DSACKs sent for old packets
    16 connections reset due to early user close
root@0[root]#

High numbers of errors, timeouts, and so on indicate problems including Ethernet interface malfunctions, cabling issues, DoS attacks, and so on. Under ICMP input histogram and ICMP output histogram, the echo requests counter indicates the number of ping packets received by the host. A rapid increase in echo requests indicates that the host is under an ICMP flood attack. Under Tcp, a large number of segments retransmitted indicates packet loss. Also, a rapid increase in resets sent indicates that the host is being subjected to a TCP port scan.

Using the Linux netstat Command to Display a Routing Table

Use the netstat -r command to display the routing table of the host, as demonstrated in Example 2-37. Note that the route command provides identical output.
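The symptoms just listed for Example 2-36 are all about how fast a counter grows, not its absolute value, so the useful check is the difference between two netstat -s snapshots taken a known interval apart. The following added Python example (not code from the book) parses the counters out of netstat -s output and reports which of the chapter's three indicators (echo requests, resets sent, segments retransmitted) grew past a threshold between two readings. Both snapshots are constructed from Example 2-36, with the second one bumped to simulate a flood and a scan; the thresholds in INDICATORS are assumed values to tune for your hosts.

```python
"""Compare two netstat -s snapshots to spot rapidly growing counters.

Added example (not code from the book). SNAPSHOT_T0/T1 are constructed from
Example 2-36 (T1 has echo requests and resets sent bumped to simulate an
ICMP flood and a port scan). The thresholds in INDICATORS are assumptions.
"""
import re
import subprocess
import time

SNAPSHOT_T0 = """\
Icmp:
    106 ICMP messages received
    ICMP input histogram:
        destination unreachable: 17
        echo requests: 33
Tcp:
    69608 segments received
    4 segments retransmited
    30 resets sent
"""

SNAPSHOT_T1 = """\
Icmp:
    5106 ICMP messages received
    ICMP input histogram:
        destination unreachable: 17
        echo requests: 5033
Tcp:
    69708 segments received
    6 segments retransmited
    1030 resets sent
"""

LEADING = re.compile(r"^\s*(\d+)\s+(.+?)\.?$")       # "30 resets sent"
TRAILING = re.compile(r"^\s*([a-z ]+?):\s*(\d+)$")    # "echo requests: 33"


def parse_counters(text):
    """Map each counter description (lower-cased, trailing period dropped) to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = LEADING.match(line) or TRAILING.match(line)
        if not m:
            continue
        a, b = m.groups()
        if a.isdigit():
            counters[b.strip().lower()] = int(a)
        else:
            counters[a.strip().lower()] = int(b)
    return counters


def deltas(before, after):
    """Growth of each counter present in both snapshots (negative means the counters reset)."""
    return {k: after[k] - before[k] for k in before if k in after}


# Counters the chapter ties to a symptom; the per-interval limits are assumed values.
INDICATORS = {
    "echo requests": (1000, "possible ICMP flood"),
    "resets sent": (500, "possible TCP port scan"),
    "segments retransmited": (100, "packet loss"),   # spelled as netstat prints it
}


def alerts(before_text, after_text):
    """Human-readable alerts for indicators whose growth reached the limit."""
    grown = deltas(parse_counters(before_text), parse_counters(after_text))
    out = []
    for name, (limit, meaning) in INDICATORS.items():
        if grown.get(name, 0) >= limit:
            out.append(f"{name} +{grown[name]}: {meaning}")
    return out


def sample_live(interval_seconds):
    """Take two real netstat -s readings interval_seconds apart and return the alerts."""
    read = lambda: subprocess.run(["netstat", "-s"], capture_output=True, text=True, check=False).stdout
    before = read()
    time.sleep(interval_seconds)
    return alerts(before, read())
```

Keying the dictionary on the counter's text rather than its position makes the parser tolerant of the extra TcpExt lines that differ between kernel versions.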
Example 2-37. Linux netstat Command: Routing Table

spope@linuxbox# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0
default         192.168.0.1     0.0.0.0         UG        0 0          0 eth0

The routing table information is useful in isolating routing or remote-connection issues faced by the machine, especially when other computers in the same subnet are working properly.

Using the MS-Windows nbtstat Command to Trace MAC Addresses and Network Details

The Windows-based nbtstat command is an effective tool to remotely determine the current user on a Windows machine. Even in larger networks, it is comparatively easy to identify the source of a problem by its IP address. To determine the user on the Windows machine with that IP address, use the nbtstat command. It also provides the MAC address of the Ethernet interface. To query the remote Windows computer for the name of the current user, follow these steps:
Example 2-38 shows the Windows nbtstat -A 192.168.0.15 command, which determines the current user on the Windows machine with an IP address of 192.168.0.15. As shown by the <03> UNIQUE entry in the name table, the current user is SPOPE. Also, the MAC address used by the Ethernet interface of that Windows machine is 00-0E-A6-13-41-62.

Example 2-38. Output of the Windows nbtstat Command

c:\windows\system32>nbtstat -A 192.168.0.15

Local Area Connection:
Node IpAddress: [192.168.0.103] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WINPC1         <00>  UNIQUE      Registered
    WINPC1         <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered
    SPOPE          <03>  UNIQUE      Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-0E-A6-13-41-62

To determine which computer is connected to a switch port, network administrators typically trace the physical cable. This can get cumbersome in a larger network. The following example shows how to use the nbtstat command to do the same task:
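The reading of the name table in Example 2-38, as an added Python example (not code from the book): it parses nbtstat -A output, picks the computer name, workgroup, logged-on user and MAC address out of it by NetBIOS suffix, and converts the MAC into the dotted notation Cisco switches use, which is the form needed when searching a switch's MAC address table for the port. SAMPLE_NBTSTAT is constructed from Example 2-38; the suffix meanings (<00> computer or workgroup, <03> messenger name for the machine and the user, <20> file server service) are standard NetBIOS assignments.

```python
"""Pull the logged-on user, computer name and MAC out of nbtstat -A output.

Added example (not code from the book). SAMPLE_NBTSTAT is constructed from
Example 2-38. NetBIOS suffixes used: <00> computer (UNIQUE) or workgroup
(GROUP), <03> messenger name (machine and logged-on user), <20> file server.
"""
import re

SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.0.103] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WINPC1         <00>  UNIQUE      Registered
    WINPC1         <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered
    SPOPE          <03>  UNIQUE      Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-0E-A6-13-41-62
"""

NAME_ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.IGNORECASE)
MAC_ROW = re.compile(r"MAC Address\s*=\s*([0-9A-F-]{17})", re.IGNORECASE)


def parse_name_table(text):
    """(name, suffix, UNIQUE|GROUP, status) for each row of the NetBIOS name table."""
    rows = []
    for line in text.splitlines():
        m = NAME_ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind.upper(), status))
    return rows


def to_cisco_notation(mac):
    """'00-0E-A6-13-41-62' -> '000e.a613.4162', the form IOS prints in its MAC address table."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def summarize(text):
    """Computer name, workgroup, logged-on user, MAC (Windows and Cisco notation), file sharing flag."""
    rows = parse_name_table(text)
    computer = next((n for n, s, k, _ in rows if s == "00" and k == "UNIQUE"), None)
    workgroup = next((n for n, s, k, _ in rows if s == "00" and k == "GROUP"), None)
    # <03> UNIQUE is registered for both the machine and the user; drop the machine's own entry.
    users = [n for n, s, k, _ in rows if s == "03" and k == "UNIQUE" and n != computer]
    m = MAC_ROW.search(text)
    mac = m.group(1).upper() if m else None
    return {
        "computer": computer,
        "workgroup": workgroup,
        "user": users[0] if users else None,
        "mac": mac,
        "mac_cisco": to_cisco_notation(mac) if mac else None,
        "file_server": any(s == "20" for _, s, _, _ in rows),
    }
```

If no <03> entry other than the machine's own is registered, nobody is logged on interactively at that moment, and "user" comes back as None rather than a guess.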
Alternately, you can use the nbtstat -A ip-address command first to determine the username and the MAC address. Using the MAC address, you can then identify the user's switch port.

Using the arp Command to Trace Layer 2 Issues

The arp command is useful in checking the local arp table of a host. The arp table contains the MAC address (also referred to as the physical address) to IP address mappings. Checking the arp table is most useful when dealing with Layer 2 or duplicate IP address issues. To use the arp command on Linux or Windows, follow these steps:
Table 2-8 lists the most useful options for the arp command. These options are applicable to both Windows and Linux versions.
Note Although the MAC address is expressed as a 12-digit hexadecimal number, the exact format is different on each OS platform. The formats for various platforms are as follows:
The arp tables are populated dynamically and do not require manual intervention. However, the arp table might be corrupt because of false arp entries. In that case, Netadmins can flush the arp table using the arp -d command. Netadmins can also use the arp -s command to manually override the arp entries. Manually setting the arp entry is useful when dealing with duplicate IP address issues. The following scenario illustrates the use of the arp command to troubleshoot Layer 2 issues.
Example 2-39. Router show interface Command

Router-Dallas# show interface ethernet0
Ethernet0 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0010.7bcc.57eb (bia 0010.7bcc.57eb)
  Internet address is 192.168.10.254/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     40160541 packets input, 3615923641 bytes, 44 no buffer
     Received 1536632 broadcasts, 0 runts, 6 giants, 51 throttles
     35 input errors, 0 CRC, 29 frame, 0 overrun, 0 ignored, 0 abort
     0 input packets with dribble condition detected
     29464546 packets output, 3879477225 bytes, 0 underruns
     0 output errors, 109366 collisions, 3 interface resets
     0 babbles, 0 late collision, 91503 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

The output of the show interface ethernet0 command indicates that the interface and the line protocol are up. The output also shows 0010.7bcc.57eb as the MAC address assigned to the Ethernet interface of the router. The Netadmin then uses the arp -a command to check the local arp table on his workstation, as shown in Example 2-40.

Example 2-40. Checking the Local arp Table

c:\windows\system32>arp -a

Interface: 192.168.10.151 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.254        00-d0-c8-af-e2-5e     dynamic

The arp table entry indicates that 192.168.10.254 is mapped to MAC address 00-d0-c8-af-e2-5e instead of 00-10-7b-cc-57-eb. The incorrect mapping misdirects all the Internet traffic to the host with the MAC address 00-d0-c8-af-e2-5e. Following are the possible causes of the incorrect entry in the local host:
The Netadmin must identify and reconfigure the offending machine. Meanwhile, to restore the connectivity between the local host and the default gateway, the Netadmin should clear the arp table and then manually map the IP address 192.168.10.254 to the correct MAC address of 00-10-7b-cc-57-eb, as shown in Example 2-41. Although the commands shown in Example 2-41 are on a Windows platform, the syntax should work on Linux as well.

Example 2-41. Manipulating the arp Table

# Delete the current arp entry for 192.168.10.254
c:\windows\system32> arp -d 192.168.10.254
# add a static entry for 192.168.10.254
c:\windows\system32> arp -s 192.168.10.254 00-10-7b-cc-57-eb
# Display the arp table
c:\windows\system32> arp -a

Interface: 192.168.10.151 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.254        00-10-7b-cc-57-eb     static

Note that the manually added entry for 192.168.10.254 shows up as static. The arp entries that are automatically learned show up as dynamic in the arp table. After manually mapping the MAC address, the local host is able to communicate with the rest of the network beyond the default gateway.
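The comparison the Netadmin made by eye between Example 2-39 and Example 2-40, as an added Python example (not code from the book): it parses arp -a output, normalizes the Cisco, Windows and Linux MAC notations from the earlier Note so they compare equal, reports when the gateway's entry does not match the MAC the router itself reports, lists any MAC that claims more than one IP address (the duplicate-IP symptom), and produces the arp -d / arp -s pair from Example 2-41 in Windows notation. SAMPLE_ARP_A is constructed from Example 2-40 with two extra entries added to show the duplicate check; the router MAC is the one from Example 2-39.

```python
"""Verify the gateway's entry in the local arp table against the router's real MAC.

Added example (not code from the book). SAMPLE_ARP_A is constructed from
Example 2-40 (two entries added); ROUTER_MAC is the address Example 2-39
reports. Handles the Cisco (0010.7bcc.57eb), Windows (00-10-7b-cc-57-eb)
and Linux (00:10:7b:cc:57:eb) notations described in the Note.
"""
import re

SAMPLE_ARP_A = """\
Interface: 192.168.10.151 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.254        00-d0-c8-af-e2-5e     dynamic
  192.168.10.77         00-d0-c8-af-e2-5e     dynamic
  192.168.10.20         00-0e-a6-13-41-62     dynamic
"""

ROUTER_MAC = "0010.7bcc.57eb"     # from "show interface ethernet0" in Example 2-39
GATEWAY_IP = "192.168.10.254"

IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.IGNORECASE)
KIND_RE = re.compile(r"\b(dynamic|static)\b", re.IGNORECASE)


def normalize_mac(mac):
    """Strip separators and lower-case, so any platform's notation compares equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """{ip: (normalized_mac, 'dynamic'|'static'|'')} for each entry line of arp -a / arp -n output."""
    table = {}
    for line in text.splitlines():
        ip = IP_RE.match(line)
        mac = MAC_RE.search(line)
        if not ip or not mac:
            continue                      # header, interface and blank lines
        kind = KIND_RE.search(line)
        table[ip.group(1)] = (normalize_mac(mac.group(0)), kind.group(1).lower() if kind else "")
    return table


def gateway_mismatch(table, gateway_ip, expected_mac):
    """The MAC the host currently maps the gateway to if it is wrong; None if correct or absent."""
    entry = table.get(gateway_ip)
    if entry is None:
        return None
    return entry[0] if entry[0] != normalize_mac(expected_mac) else None


def shared_macs(table):
    """MACs that claim more than one IP address: a misconfigured or duplicate-IP host."""
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def repair_commands(gateway_ip, expected_mac):
    """The arp -d / arp -s pair from Example 2-41, with the MAC in Windows notation."""
    win = normalize_mac(expected_mac).replace(":", "-")
    return [f"arp -d {gateway_ip}", f"arp -s {gateway_ip} {win}"]
```

The static entry is only a stopgap, as the text says: the script's shared_macs() output is what points the Netadmin at the offending machine that still has to be reconfigured.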