Advanced Network Connectivity Testing Tools


Although a plethora of tools are at the disposal of the Netadmin, most of the commonly available tools are not used to their full potential. Some of these tools are built into the OS. This section discusses the usage of the following built-in tools:

  • whois

  • nslookup

  • netstat

  • nbtstat

  • arp

Using whois Lookup for Domain Registration Information

The whois tool provides administrative information for an Internet domain name. It is handy for finding the contacts and registration information for a domain name.

The command is natively supported by Linux but is not part of MS-Windows. Although many freeware and commercial whois tools are available for MS-Windows, this section covers the Linux command-line version. To use the command-line version of whois, follow these steps:

Step 1.

Start a command-line session.

Step 2.

Type the command whois domain-name and press Enter.

To investigate details of the domain mydomain.com, type whois mydomain.com at the command line, as shown in Example 2-23.

Example 2-23. Output of the whois Command
  spope@linuxbox# whois mydomain.com
  Whois Server Version 1.3
  Domain names in the .com and .net domains can now be registered
  with many different competing registrars. Go to http://www.internic.net
  for detailed information.
     Domain Name: MYDOMAIN.COM
     Registrar: NETWORK SOLUTIONS, INC.
     Whois Server: whois.networksolutions.com
     Referral URL: http://www.networksolutions.com
     Name Server: NS2.NYC.BIGISP.NET
     Name Server: NS1.NYC.BIGISP.NET
     Name Server: NS2.DAL.BIGISP.NET
     Name Server: NS1.DAL.BIGISP.NET
     Status: ACTIVE
     Updated Date: 08-aug-2002
     Creation Date: 28-nov-1995
     Expiration Date: 27-nov-2009
  >>> Last update of whois database: Sun, 25 Jul 2004 08:27:47 EDT <<<
  Registrant:
  SUPER ECOMMERCE Companys L.P. (SUPER ECOMMERCE-DOM)
     300 Anybig Road
     Suite 100
     Dallas, TX 75201
     US
     Domain Name: MYDOMAIN.COM
     Administrative Contact:
        Companny , SUPER ECOMMERCE  (34410541I)
                alert1@MYDOMAIN.COM
        SUPER ECOMMERCE Companys.
        300 Anybig Road
        Suite 100
        Dallas, TX 75201
        US
        214-111-111
     Technical Contact:
        Steve, smith (PS11887)
             ssmith@MYDOMAIN.COM
        SUPER ECOMMERCE Companys L.P.
        300 Anybig Road
        Suite 100
        Dallas, TX 75201
        US
        214-111-111 fax: (214) 111-9999
        (214) 758-6171
     Record expires on 27-Nov-2009.
     Record created on 28-Nov-1995.
     Database last updated on 25-Jul-2004 18:00:42 EDT.
     Domain servers in listed order:
     NS1.DAL.BIGISP.NET             26.152.10.11
     NS2.NYC.BIGISP.NET             29.91.129.5
     NS1.NYC.BIGISP.NET             29.171.129.11
     NS2.DAL.BIGISP.NET             26.52.40.37

The output provides administrative and technical contacts as well as the registration details. The command output also provides the expiration date for the record, as shown in Example 2-23. The expiration information is helpful when isolating issues related to web or e-mail connectivity. For example, if mydomain.com has expired, the DNS query for the domain will fail. As a result, users cannot access the website www.mydomain.com by using the domain name. Consequently, e-mail delivery to mydomain.com also fails.
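The expiry check described above can be automated against saved whois output. The following is an added example, not code from the chapter: it parses the Expiration Date and Name Server fields in the record layout of Example 2-23 and classifies the registration as OK, expiring, or expired. The sample record, the 30-day warning window, and the helper names (parse_expiration, expiry_status, name_servers) are constructed for this example.

```python
"""Check a domain's registration expiry from saved whois output (added example)."""
import re
from datetime import date, datetime

# Constructed whois record in the style of Example 2-23 (not real registry data).
SAMPLE_WHOIS = """\
   Domain Name: MYDOMAIN.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Name Server: NS2.NYC.BIGISP.NET
   Name Server: NS1.NYC.BIGISP.NET
   Status: ACTIVE
   Updated Date: 08-aug-2002
   Creation Date: 28-nov-1995
   Expiration Date: 27-nov-2009
"""

EXPIRY_RE = re.compile(r"^\s*Expiration Date:\s*(\d{2}-[A-Za-z]{3}-\d{4})\s*$", re.MULTILINE)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.MULTILINE)


def _as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_expiration(whois_text):
    """Return the Expiration Date as a date, or None when the field is absent."""
    match = EXPIRY_RE.search(whois_text)
    if match is None:
        return None
    # The registrar prints the month in lower case (27-nov-2009); %b accepts that.
    return datetime.strptime(match.group(1), "%d-%b-%Y").date()


def name_servers(whois_text):
    """Registrar-listed name servers, lower-cased and sorted for comparison with DNS."""
    return sorted(ns.lower() for ns in NS_RE.findall(whois_text))


def days_until_expiry(whois_text, today):
    """Days from 'today' to the expiry date (negative when already expired)."""
    expires = parse_expiration(whois_text)
    if expires is None:
        return None
    return (expires - _as_date(today)).days


def expiry_status(whois_text, today, warn_days=30):
    """Classify the registration so the check can feed a monitoring job."""
    days = days_until_expiry(whois_text, today)
    if days is None:
        return "UNKNOWN"      # field missing: different registrar format, or lookup failed
    if days < 0:
        return "EXPIRED"      # DNS for the domain stops resolving; web and mail fail
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


if __name__ == "__main__":
    lookup_day = date(2004, 7, 25)   # the date of the sample lookup
    print(expiry_status(SAMPLE_WHOIS, lookup_day),
          days_until_expiry(SAMPLE_WHOIS, lookup_day), "days left")
    print("registrar name servers:", name_servers(SAMPLE_WHOIS))
```

The name_servers list is worth keeping next to the expiry result: the servers the registrar has on file are the ones the parent zone delegates to, so they should match the NS records the domain itself publishes (see the nslookup and dig output later in this chapter).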

Tip

cygwin enables the use of Linux commands and tools, including whois, in Windows. cygwin is available for download at http://www.cygwin.com/.


Using nslookup to Find DNS Information

Nslookup is a command-line tool that verifies Domain Name System (DNS) information using the local DNS server. The tool queries DNS servers to retrieve various data types associated with an Internet domain. These data types are as follows:

  • MX: Mail exchanger records

  • A: IP addresses

  • CNAME: Canonical names

If you have an IP address, you can get a canonical name back for the address. If you have a canonical name, you can get an IP address. Another useful feature is the ability to get a list of mail servers for the target domain. Nslookup is available in both MS-Windows and Linux versions.

Using the MS-Windows Based nslookup Tool

Nslookup comes preinstalled as a command-line tool with Windows 95 and later versions of MS-Windows. To query DNS information about the target domain or host, follow these steps:

Step 1.

Open a command-line session by choosing Start > Programs > MS-DOS Prompt.

Step 2.

Type the command nslookup and press Enter. This starts the tool in interactive mode.

Example 2-24 shows the Windows nslookup command output that determines the mail and DNS server for mydomain.com.

Example 2-24. Output of the MS-Windows nslookup Command
  c:\windows\system32>nslookup
  Default Server:  ns2.myisp.com
  Address:  26.48.227.68
  > set query=all
  > mydomain.com
  Server:  ns2.myisp.com
  Address:  26.48.227.68
  Non-authoritative answer:
  mydomain.com  nameserver = ns5.mydomain.com
  mydomain.com  nameserver = ns4.mydomain.com
  mydomain.com  nameserver = ns3.mydomain.com
  mydomain.com  MX preference = 10, mail exchanger = mail1.mydomain.com
  mydomain.com  MX preference = 20, mail exchanger = mail2.mydomain.com
  mydomain.com
          primary name server = ns4.mydomain.com
          responsible mail addr = hostmaster.mydomain.com
          serial  = 2004072000
          refresh = 7200 (2 hours)
          retry   = 600 (10 mins)
          expire  = 2592000 (30 days)
          default TTL = 600 (10 mins)
  mydomain.com  nameserver = ns4.mydomain.com
  mydomain.com  nameserver = ns3.mydomain.com
  ns4.mydomain.com      internet address = 131.91.51.1
  ns3.mydomain.com      internet address = 126.18.10.178
  > exit

The details of the output are as follows:

  • The first two lines of the output show the name and IP address of the default DNS server used by the host. This is typically provided to the host by the Dynamic Host Configuration Protocol (DHCP) server or is manually configured in the TCP/IP properties of the network interface card (NIC).

  • The set query=all command instructs the tool to query all the available information.

  • To selectively view only the mail server records, you can use the set query=MX command.

  • The exit command, as shown in the last line, returns you to the command shell.

  • The last four lines indicate the details of the DNS servers for mydomain.com.

Using the Linux-Based nslookup/dig Tool

The Linux version of nslookup is similar to its Windows counterpart. To query DNS information about the target domain or host, follow these steps:

Step 1.

Start a command-line session.

Step 2.

Type the command nslookup and press Enter.

Example 2-25 shows the nslookup command retrieving the available information for mydomain.com.

Example 2-25. Output of the Linux nslookup Command
  spope@linuxbox# nslookup
  Note:  nslookup is deprecated and may be removed from future releases.
  Consider using the `dig' or `host' programs instead.  Run nslookup with
  the `-sil[ent]' option to prevent this message from appearing.
  > set querytype=ANY
  > mydomain.com
  Server:         26.48.227.68
  Address:        26.48.227.68#53
  Non-authoritative answer:
  mydomain.com  nameserver = ns5.mydomain.com.
  mydomain.com  nameserver = ns4.mydomain.com.
  mydomain.com  nameserver = ns3.mydomain.com.
  mydomain.com  mail exchanger = 10 mail1.mydomain.com.
  mydomain.com  mail exchanger = 20 mail2.mydomain.com.
  Name:   mydomain.com
  Address: 131.91.51.10
  Authoritative answers can be found from:
  mydomain.com  nameserver = ns4.mydomain.com.
  mydomain.com  nameserver = ns3.mydomain.com.
  ns4.mydomain.com      internet address = 131.91.51.1
  ns3.mydomain.com      internet address = 126.18.10.178
  > exit

Note the set querytype=ANY command, which retrieves the available information. The output is similar to that of its MS-Windows counterpart.

The mail exchanger lines indicate the MX records, whereas the last two lines before the exit command indicate the DNS servers used by mydomain.com.

The exit command, as shown in the last line, returns you to the command shell.

Although nslookup is an integral part of Linux, it has been deprecated. Users are encouraged to use the dig command because of its enhanced functionality, flexibility, ease of use, and clarity of output. To query DNS information about the target domain or host using the dig command, follow these steps:

Step 1.

Start a command-line session.

Step 2.

Type the command dig target-domain-name and press Enter.

Although the dig command offers various options, the most common format is as follows:

   dig @dns-server targetdomain query-type 

Example 2-26 shows the dig command retrieving available information for mydomain.com from the DNS server 26.48.27.168.

Example 2-26. Output of the Linux dig Command
  spope@linuxbox# dig @26.48.27.168 mydomain.com ANY
  ; <<>> DiG 9.2.4rc2 <<>> @26.48.27.168 mydomain.com ANY
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4367
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 5
  ;; QUESTION SECTION:
  ;mydomain.com.            IN    ANY
  ;; ANSWER SECTION:
  mydomain.com.        6598    IN    NS    ns5.mydomain.com.
  mydomain.com.        6598    IN    NS    ns4.mydomain.com.
  mydomain.com.        6598    IN    NS    ns3.mydomain.com.
  mydomain.com.        194     IN    SOA   ns4.mydomain.com. hostmaster.mydomain.com. 2004072000 7200 600 2592000 600
  mydomain.com.        253     IN    MX    10 mail1.mydomain.com.
  mydomain.com.        253     IN    MX    20 mail2.mydomain.com.
  ;; AUTHORITY SECTION:
  mydomain.com.        6598    IN    NS    ns5.mydomain.com.
  mydomain.com.        6598    IN    NS    ns4.mydomain.com.
  mydomain.com.        6598    IN    NS    ns3.mydomain.com.
  ;; ADDITIONAL SECTION:
  ns5.mydomain.com.    150     IN    A     130.94.251.2
  ns4.mydomain.com.    150     IN    A     130.94.251.1
  ns3.mydomain.com.    37732   IN    A     216.218.210.178
  anco.mydomain.com.   260     IN    A     123.44.14.26
  dsqd.mydomain.com.   260     IN    A     123.44.14.151
  ;; Query time: 136 msec
  ;; SERVER: 26.48.27.168#53(26.48.27.168)
  ;; WHEN: Sun Jul 25 13:14:53 2001
  ;; MSG SIZE  rcvd: 299

When compared to the nslookup command, the dig command has the following features:

  • It is easier to use because all the options can be specified in a single line. This helps when using the command in automated scripts.

  • The output is easier to read and decipher because it is better organized in various sections.

  • The output is more detailed.

Using netstat for Port and Connection Information

To design, deploy, and troubleshoot a network, network administrators need to determine the traffic flowing through it. This traffic is generated by the end stations. The administrators often require an X-ray tool to directly view the TCP/IP statistics on the servers and workstations.

Netstat (or network statistics) is just the tool to directly show these TCP/IP statistics. It provides the following items:

  • The current network session to and from the host

  • Protocol statistics, including those for TCP and UDP

  • Display of a routing table

  • Display of the number of bytes sent, received, or dropped

It is one of the most useful yet underused tools for administrators. A thorough understanding of this tool aids in configuring or troubleshooting the following:

  • Access lists on routers and firewalls

  • Intrusion detection

  • Network protection from viruses, worms, Trojan horses, and so on

Netstat is available for both MS-Windows and Linux. Because of the importance of this tool, the following sections discuss both versions in detail.

Using the MS Windows Based netstat Command

The netstat command is preinstalled with all versions of MS-Windows. This section discusses the Windows 2000/XP version of the command. To list the active connections on a Windows computer, follow these steps:

Step 1.

Open the command-line session by choosing Start > Programs > MS-DOS Prompt.

Step 2.

Type the command netstat and press Enter.

The netstat /? command on Windows machines provides information on the usage of the netstat command. Example 2-27 shows the output of the netstat /? command in Windows XP. The output can be slightly different in other Windows versions. However, the options discussed in this chapter are applicable to all versions of Windows.

Example 2-27. Output of the Windows netstat /? Command
  c:\windows\system32>netstat /?
  Displays protocol statistics and current TCP/IP network connections.
  NETSTAT [-a] [-e] [-n] [-o] [-s] [-p proto] [-r] [interval]
    -a            Displays all connections and listening ports.
    -e            Displays Ethernet statistics. This may be combined with the -s
                  option.
    -n            Displays addresses and port numbers in numerical form.
    -o            Displays the owning process ID associated with each connection.
    -p proto      Shows connections for the protocol specified by proto; proto
                  may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                  option to display per-protocol statistics, proto may be any of:
                  IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
    -r            Displays the routing table.
    -s            Displays per-protocol statistics. By default, statistics are
                  shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                  the -p option may be used to specify a subset of the default.
    interval      Redisplays selected statistics, pausing interval seconds
                  between each display. Press CTRL+C to stop redisplaying
                  statistics. If omitted, netstat will print the current
                  configuration information once.

The sections that follow discuss the use of various netstat options on an MS-Windows computer for displaying the following items:

  • Active connections

  • All network connections

  • Network statistics

  • Routing table

Using the Windows netstat Command to Display Active Connections

Use the netstat command with no option to display the currently active TCP connections. Example 2-28 shows the output of the netstat command.

Example 2-28. Windows netstat Command: Active Connections
  c:\windows\system32>netstat
  Active Connections
    Proto  Local Address          Foreign Address        State
    TCP    WINXPBOX:4343          localhost:4344         ESTABLISHED
    TCP    WINXPBOX:4344          localhost:4343         ESTABLISHED
    TCP    WINXPBOX:3480          www.website1.com:http  TIME_WAIT
    TCP    WINXPBOX:3485          123.38.12.57:http      TIME_WAIT
    TCP    WINXPBOX:3488          www.website2.com:http  TIME_WAIT
    TCP    WINXPBOX:3494          62.14.80.250:http      SYN_SENT

This command can provide a quick snapshot of currently active connections. You can also use the interval option to view a continuous display that gets refreshed periodically. For example, the netstat 5 command displays the same output as in Example 2-28, but it is refreshed every 5 seconds until interrupted by the user pressing Ctrl-C.

Note

A large number of connections in the SYN_RECEIVED state indicates half-open TCP connections. This can be an indication of a SYN flood attack.


To get the output in numerical format, use the -n option. Numerical format shows only IP addresses and port numbers (for example, 192.168.10.10:80 instead of www.website1.com:http).

Using the Windows netstat Command to Display All Connections

To view both TCP and UDP connection statistics, use the -a option with the netstat command. The -a option also displays all the ports in the LISTENING state. Netadmins can use this list to verify whether malicious programs are active on the local machine. The output in Example 2-29 displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

Example 2-29. Windows netstat Command: All Connections
  c:\windows\system32>netstat -ao
  Active Connections
    Proto  Local Address          Foreign Address        State           PID
    TCP    WINXPBOX:epmap         WINXPBOX:0             LISTENING       1500
    TCP    WINXPBOX:microsoft-ds  WINXPBOX:0             LISTENING       4
    TCP    WINXPBOX:1025          WINXPBOX:0             LISTENING       1608
    TCP    WINXPBOX:1030          WINXPBOX:0             LISTENING       4
    TCP    WINXPBOX:3214          WINXPBOX:0             LISTENING       5384
    TCP    WINXPBOX:3389          WINXPBOX:0             LISTENING       1608
    TCP    WINXPBOX:4344          WINXPBOX:0             LISTENING       2312
    TCP    WINXPBOX:58581         WINXPBOX:0             LISTENING       1728
    TCP    WINXPBOX:3001          WINXPBOX:0             LISTENING       432
    TCP    WINXPBOX:3002          WINXPBOX:0             LISTENING       1608
    TCP    WINXPBOX:3003          WINXPBOX:0             LISTENING       1608
    TCP    WINXPBOX:4343          WINXPBOX:0             LISTENING       2312
    TCP    WINXPBOX:4343          localhost:4344         ESTABLISHED     2312
    TCP    WINXPBOX:4344          localhost:4343         ESTABLISHED     2312
    TCP    WINXPBOX:netbios-ssn   WINXPBOX:0             LISTENING       4
    TCP    WINXPBOX:31337         WINXPBOX:0             LISTENING       1928
    UDP    WINXPBOX:microsoft-ds  *:*                                    4
    UDP    WINXPBOX:3012          *:*                                    1792
    UDP    WINXPBOX:3147          *:*                                    1792
    UDP    WINXPBOX:62515         *:*                                    476
    UDP    WINXPBOX:62517         *:*                                    476
    UDP    WINXPBOX:62519         *:*                                    476
    UDP    WINXPBOX:62521         *:*                                    476
    UDP    WINXPBOX:62523         *:*                                    476
    UDP    WINXPBOX:62524         *:*                                    476
    UDP    WINXPBOX:netbios-ns    *:*                                    4
    UDP    WINXPBOX:netbios-dgm   *:*                                    4

The output lists various TCP and UDP ports, the local and foreign addresses associated with the ports, and the current state of the ports. While most ports are referred to by the port number, some of the ports are indicated by well-known services associated with the port. For example, the second line of the output shows the port name microsoft-ds instead of the port number 445. Similarly, the command displays the host name instead of the IP address.

While most of the ports appear to be legitimate traffic, note the line showing TCP 31337 in the LISTENING state. The local host might be running a Trojan server on TCP 31337, because this port is associated with many malicious programs, including Back Orifice. The Trojan server provides back-door entry into the host and is a security vulnerability.

Also, note the use of the -o option in Example 2-29. This option, available only in Windows XP and 2003, adds another column for process identification (PID). The PID view is useful in identifying a process associated with each of the TCP or UDP ports. Armed with the knowledge of the TCP/UDP port numbers used by a worm or Trojan, administrators can use the -o option to determine the PID of the malicious code and disarm it.

Using the Windows netstat Command to Display Network Statistics

To view a summary of protocol statistics, use the -s option. The output in Example 2-30 shows the protocol summary statistics for IP, ICMP, TCP, and UDP.

Also note the use of the -e option to display a summary of the Ethernet network interface.

Example 2-30. Windows netstat Command: Network Statistics
  c:\windows\system32>netstat -es
  Interface Statistics
                             Received            Sent
  Bytes                     152762747        25211410
  Unicast packets              322126          297809
  Non-unicast packets           34543             952
  Discards                          0               0
  Errors                            0               2
  Unknown protocols                 0
  IPv4 Statistics
    Packets Received                  = 361884
    Received Header Errors            = 0
    Received Address Errors           = 32389
    Datagrams Forwarded               = 0
    Unknown Protocols Received        = 0
    Received Packets Discarded        = 0
    Received Packets Delivered        = 329497
    Output Requests                   = 304814
    Routing Discards                  = 0
    Discarded Output Packets          = 0
    Output Packet No Route            = 0
    Reassembly Required               = 0
    Reassembly Successful             = 0
    Reassembly Failures               = 0
    Datagrams Successfully Fragmented = 0
    Datagrams Failing Fragmentation   = 0
    Fragments Created                 = 0
  ICMPv4 Statistics
                              Received      Sent
    Messages                  315           321
    Errors                    0             0
    Destination Unreachable   8             17
    Time Exceeded             21            0
    Parameter Problems        0             0
    Source Quenches           0             0
    Redirects                 0             0
    Echos                     27            277
    Echo Replies              259           27
    Timestamps                0             0
    Timestamp Replies         0             0
    Address Masks             0             0
    Address Mask Replies      0             0
  TCP Statistics for IPv4
    Active Opens                        = 4129
    Passive Opens                       = 19
    Failed Connection Attempts          = 688
    Reset Connections                   = 362
    Current Connections                 = 3
    Segments Received                   = 187087
    Segments Sent                       = 161377
    Segments Retransmitted              = 1346
  UDP Statistics for IPv4
    Datagrams Received    = 141829
    No Ports              = 554
    Receive Errors        = 0
    Datagrams Sent        = 141711

The -es option is useful in detecting the traffic generated or received by the machine. The interface statistics provide a summary of packets sent and received. A high number of discards, errors, or unknown protocols indicates problems at the Ethernet level caused by cabling, duplex, and autonegotiation issues.

When the netstat command is used in conjunction with the interval option, network administrators can analyze traffic patterns. For example, the command netstat -e 5 displays the Ethernet statistics summary and refreshes the output every 5 seconds. High numbers of errors, discards, failed connection attempts, and so on indicate problems that include Ethernet interface malfunction, cabling issues, and DoS attacks.

Using the Windows netstat Command to Display a Routing Table

Although the route print command can be used in MS-Windows to display the route table, the same output is available through the netstat -r command, as demonstrated in Example 2-31.

Example 2-31. Windows netstat Command: Routing Table
  c:\windows\system32>netstat -r
  Route Table
  ===========================================================================
  Interface List
  0x1 ........................... MS TCP Loopback interface
  0x2 ...00 0d 56 df 86 a6 ...... Broadcom 570x Gigabit Integrated Controller - Packet Scheduler Miniport
  ===========================================================================
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.103      20
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.0.0    255.255.255.0    192.168.0.103   192.168.0.103      20
      192.168.0.103  255.255.255.255        127.0.0.1       127.0.0.1      20
      192.168.0.255  255.255.255.255    192.168.0.103   192.168.0.103      20
          224.0.0.0        240.0.0.0    192.168.0.103   192.168.0.103      20
    255.255.255.255  255.255.255.255    192.168.0.103   192.168.0.103       1
  Default Gateway:       192.168.0.1
  ===========================================================================
  Persistent Routes:
    Network Address          Netmask  Gateway Address  Metric
      64.154.80.250  255.255.255.255        127.0.0.1       1

This is useful in isolating routing or remote-connection issues faced by the machine, especially when other computers in the same subnet are working properly.

Using the Linux-Based netstat Command

The command-line based netstat command is part of a standard Linux installation. To list active connections on a Linux computer, follow these steps:

Step 1.

Open the command-line session.

Step 2.

Type the command netstat and press Enter.

Optionally, type netstat --help for more information, as shown in Example 2-32.

Example 2-32. Linux netstat Command: Help Output
  spope@linuxbox# netstat --help
  usage: netstat [-veenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
         netstat [-vnNcaeol] [<Socket> ...]
         netstat { [-veenNac] -i | [-cnNe] -M | -s }
          -r, --route              display routing table
          -i, --interfaces         display interface table
          -g, --groups             display multicast group memberships
          -s, --statistics         display networking statistics (like SNMP)
          -M, --masquerade         display masqueraded connections
          -v, --verbose            be verbose
          -n, --numeric            don't resolve names
          --numeric-hosts          don't resolve host names
          --numeric-ports          don't resolve port names
          --numeric-users          don't resolve user names
          -N, --symbolic           resolve hardware names
          -e, --extend             display other/more information
          -p, --programs           display PID/Program name for sockets
          -c, --continuous         continuous listing
          -l, --listening          display listening server sockets
          -a, --all, --listening   display all sockets (default: connected)
          -o, --timers             display timers
          -F, --fib                display Forwarding Information Base (default)
          -C, --cache              display routing cache instead of FIB
    <Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
    <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
    List of possible address families (which support routing):
      inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
      netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
      x25 (CCITT X.25)

If you compare the available options for the Windows netstat command (Example 2-27) to those of the Linux netstat command (Example 2-32), the latter offers far more flexibility.

The sections that follow discuss the use of various netstat options on a Linux computer for displaying the following items:

  • Active connections

  • All network connections

  • Ethernet interface statistics

  • Network statistics

  • Routing table

Using the Linux netstat Command to Display Active Connections

Use the netstat -t command to display the currently active TCP connections. Example 2-33 shows the output of the netstat -t command.

Example 2-33. Linux netstat Command: Active TCP Connections
  spope@linuxbox# netstat -t
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 linuxbox:32855          www.myweb.com:www       ESTABLISHED
  tcp        0      0 linuxbox:32854          www.myweb.com:www       ESTABLISHED
  tcp        0      0 linuxbox:32857          www.myweb.com:www       ESTABLISHED
  tcp        0      0 linuxbox:32856          www.myweb.com:www       ESTABLISHED
  tcp        0    216 linuxbox:ssh            192.168.0.103:3578      ESTABLISHED
  tcp        0      1 linuxbox:32858          64.154.80.250:www       SYN_SENT
  tcp        0      0 linuxbox:5902           192.168.0.103:3645      ESTABLISHED

This command provides a quick snapshot of currently active TCP connections. You can also use the -c option to view a continuous display that gets refreshed periodically until interrupted by the user pressing Ctrl-C. The command syntax is as follows:

  netstat -t -c 

You can also force the output to use numeric format by using the -n option. For example, instead of showing the host name and the service (such as www.myweb.com:www), the command displays the IP address and the port number (such as 192.168.10.11:80). The command syntax is netstat -tn. The -n option is also available in the Windows version of the netstat command.

Using the Linux netstat Command to Display All Connections

The default netstat command with no option displays all the active network connections, including the UNIX sockets. To display all the active connections except the UNIX sockets, use the netstat -atuwp command. The -p option displays the PID/program pair for each listed connection. Example 2-34 shows the output of the netstat -atuwp command.

Example 2-34. Linux netstat Command: All Connections
  spope@linuxbox# netstat -atuwp
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 *:5902                  *:*                     LISTEN      4649/Xrealvnc
  tcp        0      0 *:x11                   *:*                     LISTEN      4433/XFree86
  tcp        0      0 *:x11-2                 *:*                     LISTEN      4649/Xrealvnc
  tcp        0      0 *:ssh                   *:*                     LISTEN      882/sshd
  tcp        0      0 192.168.0.30:ssh        192.168.0.103:3578      ESTABLISHED 3438/0
  tcp        0      0 192.168.0.30:5902       192.168.0.103:3645      ESTABLISHED 4649/Xrealvnc

As discussed in the section "Using the Windows netstat Command to Display All Connections," earlier in this chapter, the PID/program name information is useful in identifying the source of network issues.
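The listening-port review described for Windows (netstat -ao, Example 2-29) and for Linux (netstat -atuwp, Example 2-34) becomes repeatable when the listeners are compared against a baseline of what the host is meant to expose. The following is an added example, not code from the chapter or from either netstat implementation: it parses both output layouts, keeps only the sockets that accept traffic (TCP in LISTENING/LISTEN, UDP bound with no peer), and reports every protocol/port pair missing from the baseline together with its PID or program name. The two samples, the two baselines, and the partial service-name table are constructed for this example.

```python
"""Audit netstat listener output against an expected baseline (added example)."""

# Partial name->port table for the service names that appear in the chapter's
# examples (well-known port assignments; a real tool would read /etc/services).
SERVICE_PORTS = {
    "epmap": 135, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "microsoft-ds": 445, "ssh": 22, "x11": 6000, "www": 80, "http": 80,
}

# Constructed 'netstat -ao' output in the layout of Example 2-29.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    WINXPBOX:epmap         WINXPBOX:0             LISTENING       1500
  TCP    WINXPBOX:microsoft-ds  WINXPBOX:0             LISTENING       4
  TCP    WINXPBOX:3389          WINXPBOX:0             LISTENING       1608
  TCP    WINXPBOX:4343          localhost:4344         ESTABLISHED     2312
  TCP    WINXPBOX:netbios-ssn   WINXPBOX:0             LISTENING       4
  TCP    WINXPBOX:31337         WINXPBOX:0             LISTENING       1928
  UDP    WINXPBOX:microsoft-ds  *:*                                    4
  UDP    WINXPBOX:3012          *:*                                    1792
  UDP    WINXPBOX:netbios-ns    *:*                                    4
"""

# Constructed 'netstat -atuwp' output in the layout of Example 2-34.
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:5902                  *:*                     LISTEN      4649/Xrealvnc
tcp        0      0 *:x11                   *:*                     LISTEN      4433/XFree86
tcp        0      0 *:ssh                   *:*                     LISTEN      882/sshd
tcp        0      0 192.168.0.30:ssh        192.168.0.103:3578      ESTABLISHED 3438/0
udp        0      0 *:68                    *:*                                 1210/dhclient
"""

# Constructed baselines: the (proto, port) pairs each host is expected to expose.
WINDOWS_BASELINE = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 3389),
                    ("udp", 137), ("udp", 138), ("udp", 445)}
LINUX_BASELINE = {("tcp", 22), ("tcp", 6000), ("udp", 68)}


def port_of(address):
    """Numeric port of 'host:port'; unknown service names are returned unresolved."""
    name = address.rsplit(":", 1)[-1]
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name, name)


def parse_windows(text):
    """Rows of 'netstat -ao': Proto Local Foreign [State] PID (UDP rows carry no State)."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() not in ("TCP", "UDP", "TCPV6", "UDPV6"):
            continue
        proto = "tcp" if parts[0].upper().startswith("TCP") else "udp"
        state = parts[3] if proto == "tcp" else ""
        pid = parts[4] if proto == "tcp" else parts[3]
        sockets.append({"proto": proto, "port": port_of(parts[1]), "foreign": parts[2],
                        "state": state, "pid": int(pid), "program": ""})
    return sockets


def parse_linux(text):
    """Rows of 'netstat -atuwp': proto recvq sendq local foreign [state] pid/program."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = "tcp" if parts[0].startswith("tcp") else "udp"
        if proto == "tcp":
            state = parts[5]
            pid_prog = parts[6] if len(parts) > 6 else "-"
        else:
            state = ""
            pid_prog = parts[5] if len(parts) > 5 else "-"
        pid, _, program = pid_prog.partition("/")
        sockets.append({"proto": proto, "port": port_of(parts[3]), "foreign": parts[4],
                        "state": state, "pid": int(pid) if pid.isdigit() else None,
                        "program": program})
    return sockets


def listening(sockets):
    """Sockets that will accept traffic from the network."""
    return [s for s in sockets
            if (s["proto"] == "tcp" and s["state"] in ("LISTEN", "LISTENING"))
            or (s["proto"] == "udp" and s["foreign"] == "*:*")]


def unexpected_listeners(sockets, baseline):
    """Listeners whose (proto, port) is not in the baseline: candidates for investigation."""
    return [s for s in listening(sockets) if (s["proto"], s["port"]) not in baseline]


if __name__ == "__main__":
    for s in unexpected_listeners(parse_windows(SAMPLE_WINDOWS), WINDOWS_BASELINE):
        print("windows: unexpected %s/%s owned by PID %d" % (s["proto"], s["port"], s["pid"]))
    for s in unexpected_listeners(parse_linux(SAMPLE_LINUX), LINUX_BASELINE):
        print("linux: unexpected %s/%s owned by %s" % (s["proto"], s["port"], s["program"]))
```

On the Windows sample this reports TCP 31337 (PID 1928) and UDP 3012; on the Linux sample it reports TCP 5902 owned by Xrealvnc, which the baseline did not allow. Service names that are not in the table stay as strings, so a listener on an unknown named port is flagged rather than silently matched.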

Using the Linux netstat Command to Display Ethernet Network Statistics

Use the netstat -i command to display the statistics of the Ethernet interface, as shown in Example 2-35. A high number of errors, drops, or overruns indicates cabling or hardware issues. This command, when used in conjunction with the -c option (for continuous display), can aid in investigating abnormal data traffic originating from or terminating at the host.

Example 2-35. Linux netstat Command: Ethernet Statistics
  spope@linuxbox# netstat -i
  Kernel Interface table
  Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
  eth0   1500   0   89886      0      0      0   84992      1      0      0 BMRU
  lo    16436   0     190      0      0      0     190      0      0      0 LRU

Using the Linux netstat Command to Display Network Statistics

Use the netstat -s command to get a summary of IP, ICMP, TCP, and UDP statistics, as demonstrated in Example 2-36.

Example 2-36. Linux netstat Command: Network Statistics
  spope@linuxbox# netstat -s
  Ip:
      89849 total packets received
      0 forwarded
      0 incoming packets discarded
      70740 incoming packets delivered
      85127 requests sent out
  Icmp:
      106 ICMP messages received
      3 input ICMP message failed.
      ICMP input histogram:
          destination unreachable: 17
          timeout in transit: 39
          echo requests: 33
          echo replies: 17
      53 ICMP messages sent
      0 ICMP messages failed
      ICMP output histogram:
          destination unreachable: 20
          echo replies: 33
  Tcp:
      154 active connections openings
      12 passive connection openings
      0 failed connection attempts
      16 connection resets received
      2 connections established
      69608 segments received
      84542 segments send out
      4 segments retransmited
      0 bad segments received.
      30 resets sent
  Udp:
      453 packets received
      3 packets to unknown port received.
      0 packet receive errors
      463 packets sent
  TcpExt:
      27 TCP sockets finished time wait in fast timer
      4471 delayed acks sent
      6 delayed acks further delayed because of locked socket
      Quick ack mode was activated 2 times
      953 packets directly queued to recvmsg prequeue.
      646566 of bytes directly received from prequeue
      20998 packet headers predicted
      618 packets header predicted and directly queued to user
      24212 acknowledgments not containing data received
      4642 predicted acknowledgments
      0 TCP data loss events
      2 other TCP timeouts
      23 DSACKs sent for old packets
      16 connections reset due to early user close
  root@0[root]#

High counts of errors, timeouts, and similar anomalies point to problems such as Ethernet interface malfunctions, cabling faults, or DoS attacks.

Under ICMP input histogram and ICMP output histogram, the Echo Requests counter indicates the number of ping packets received by the host. A rapid increase in Echo Requests indicates that the host is under an ICMP flood attack.

Under Tcp, a large number of segments retransmitted indicates packet loss. Also, a rapid increase in resets sent indicates that the host is being subjected to a TCP port scan (the kernel answers each probe of a closed port with a RST).
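The counters in netstat -s are cumulative, so what matters is how fast they grow between two readings. The following script is an added example (it is not from the book) that parses two snapshots of the relevant lines, computes the per-second increase, and flags the three conditions just described: ping rate for an ICMP flood, RSTs sent for a port scan, and retransmissions for packet loss. The two snapshots and the rate thresholds are constructed values for illustration; tune the thresholds to the host's normal traffic.

```python
import re

# Constructed netstat -s excerpts, taken 10 seconds apart on the same host.
# Only the lines this check reads are included (sample text, not real output).
SNAPSHOT_T0 = """\
Icmp:
    106 ICMP messages received
    ICMP input histogram:
        destination unreachable: 17
        echo requests: 33
        echo replies: 17
Tcp:
    154 active connections openings
    4 segments retransmited
    30 resets sent
"""

SNAPSHOT_T1 = """\
Icmp:
    2310 ICMP messages received
    ICMP input histogram:
        destination unreachable: 17
        echo requests: 2237
        echo replies: 17
Tcp:
    154 active connections openings
    9 segments retransmited
    641 resets sent
"""

# One regex per counter of interest. The kernel spells "retransmited" with
# one t on older releases and two on newer ones; 't+' accepts both.
COUNTERS = {
    "icmp_echo_requests": re.compile(r"^\s*echo requests:\s*(\d+)$", re.M),
    "tcp_segments_retransmitted": re.compile(r"^\s*(\d+) segments retransmit+ed$", re.M),
    "tcp_resets_sent": re.compile(r"^\s*(\d+) resets sent$", re.M),
}

# Events per second above which to alert; constructed thresholds (assumption).
RATE_THRESHOLDS = {
    "icmp_echo_requests": (100.0, "possible ICMP flood (ping rate)"),
    "tcp_resets_sent": (50.0, "possible TCP port scan (RSTs to closed ports)"),
    "tcp_segments_retransmitted": (10.0, "packet loss (retransmissions)"),
}


def parse_counters(text: str) -> dict:
    """Pull the counters of interest out of one netstat -s dump."""
    found = {}
    for name, pattern in COUNTERS.items():
        match = pattern.search(text)
        if match:
            found[name] = int(match.group(1))
    return found


def counter_deltas(before: str, after: str) -> dict:
    """Increase of each counter between two dumps (counters only go up)."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b[name] for name in a if name in b}


def flag_anomalies(before: str, after: str, interval_s: float) -> list:
    """Return (counter, rate_per_second, reason) for every counter whose
    growth rate over the interval exceeds its threshold."""
    alerts = []
    for name, increase in counter_deltas(before, after).items():
        rate = increase / interval_s
        limit, reason = RATE_THRESHOLDS[name]
        if rate > limit:
            alerts.append((name, round(rate, 1), reason))
    return alerts


if __name__ == "__main__":
    for name, rate, reason in flag_anomalies(SNAPSHOT_T0, SNAPSHOT_T1, 10):
        print(f"{name}: {rate}/s -> {reason}")
```

In the constructed sample the echo-request counter grows by 2204 and resets sent by 611 in 10 seconds, so both are flagged, while the five extra retransmissions stay under the loss threshold. On a real host, run netstat -s twice with a sleep in between and feed both outputs to flag_anomalies.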

Using the Linux netstat Command to Display a Routing Table

Use the netstat -r command to display the routing table of the host, as demonstrated in Example 2-37. Note that the route command provides identical output.

Example 2-37. Linux netstat Command: Routing Table
 spope@linuxbox# netstat -r
 Kernel IP routing table
 Destination     Gateway          Genmask         Flags   MSS Window  irtt Iface
 192.168.0.0     *                255.255.255.0   U         0 0          0 eth0
 default         192.168.0.1      0.0.0.0         UG        0 0          0 eth0

The routing table information is useful in isolating routing or remote-connection issues faced by the machine, especially when other computers in the same subnet are working properly.

Using the MS-Windows nbtstat Command to Trace MAC Addresses and Network Details

The Windows-based nbtstat command is an effective tool for remotely determining the current user on a Windows machine. Even in larger networks, it is comparatively easy to identify the source of a problem by its IP address; to find out which user is logged in to the Windows machine with that IP address, use the nbtstat command. It also reports the MAC address of the machine's Ethernet interface.

To query the remote Windows computer for the name of the current user, follow these steps:

Step 1.

Open the command-line session by choosing Start > Programs > MS-DOS Prompt.

Step 2.

Type the command nbtstat -A remote-ip-address and press Enter.

Example 2-38 shows the Windows nbtstat -A 192.168.0.15 command, which determines the current user on the Windows machine with an IP address of 192.168.0.15. The <03> UNIQUE entry in the output shows that the current user is SPOPE. Also, the MAC address used by the Ethernet interface of that Windows machine is 00-0E-A6-13-41-62.

Example 2-38. Output of the Windows nbtstat Command
 c:\windows\system32>nbtstat -A 192.168.0.15
 Local Area Connection:
 Node IpAddress: [192.168.0.103] Scope Id: []

            NetBIOS Remote Machine Name Table

        Name               Type         Status
     ---------------------------------------------
     WINPC1         <00>  UNIQUE      Registered
     WINPC1         <20>  UNIQUE      Registered
     WORKGROUP      <00>  GROUP       Registered
     WORKGROUP      <1E>  GROUP       Registered
     SPOPE          <03>  UNIQUE      Registered
     WORKGROUP      <1D>  UNIQUE      Registered
     ..__MSBROWSE__.<01>  GROUP       Registered

     MAC Address = 00-0E-A6-13-41-62

To determine which computer is connected to a switch port, network administrators typically trace the physical cable. This gets cumbersome in a larger network. The following steps show how to use the nbtstat command, together with the switch's MAC address table and the router's ARP table, to do the same job from the command line:

Step 1.

Use the show mac-address-table dynamic command on the Cisco Catalyst switch to view the MAC address of the device connected to each port. The last line of the following output shows the MAC address learned through port 5/7 of the Catalyst switch:

   Router# show mac-address-table dynamic
   vlan   mac address     type    protocol  qos              ports
   -----+---------------+--------+---------+---+--------------------------------
    200  0010.0d40.37ff  dynamic        ip  --  5/8
     10  0080.1c93.8040  dynamic        ip  --  5/7

Step 2.

Use the show arp command on a Cisco router to obtain the MAC address to IP address listing for the devices on each interface. The last line of the following show arp output shows that MAC address 0080.1c93.8040 belongs to the IP address 172.20.52.12:

   Router# show arp
   Protocol  Address           Age (min)  Hardware Addr   Type   Interface
   Internet  172.20.52.11             4   0090.2156.d800  ARPA   Vlan10
   Internet  172.20.52.12            58   0080.1c93.8040  ARPA   Vlan10

Step 3.

Use the nbtstat -A ip-address command to determine the user who is logged in to the machine with that IP address. The MAC address included in the output of the nbtstat command should confirm the result. In the following output, SPOPE is the user logged in to machine 172.20.52.115 with the Ethernet MAC address 0080.1c93.8040:

   c:\windows\system32>nbtstat -A 172.20.52.12
   Local Area Connection:
   Node IpAddress: [172.20.52.115] Scope Id: []

              NetBIOS Remote Machine Name Table

          Name               Type         Status
       ---------------------------------------------
       XPDOMAIN11974       <00>  UNIQUE      Registered
       XPDOMAIN            <00>  GROUP       Registered
       XPDOMAIN11974L      <20>  UNIQUE      Registered
       XPDOMAIN            <1E>  GROUP       Registered
       XPDOMAIN11974L      <03>  UNIQUE      Registered
       SPOPE               <03>  UNIQUE      Registered
       XPDOMAIN            <1D>  UNIQUE      Registered
       ..__MSBROWSE__.<01>  GROUP       Registered

       MAC Address = 0080.1c93.8040

Alternatively, you can run the nbtstat -A ip-address command first to obtain the username and the MAC address, and then look up that MAC address in the switch's table to find the user's switch port.
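The three outputs in this trace come from three different tools that write MAC addresses in different notations (dotted quads on Cisco IOS, dashes on Windows), so correlating them by hand is where mistakes creep in. The following script is an added example, not part of the book, that parses a show mac-address-table, a show arp and an nbtstat -A output, normalizes the MAC notation, and resolves one IP address to the logged-in user and the switch port. The three inputs are constructed from the values used on this page; the user is taken from the <03> UNIQUE entry that is not also the computer name (the computer registers <00> and <20>). It also checks that the MAC reported by nbtstat matches the router's ARP entry, which is the cross-check step 3 calls for.

```python
import re

# Constructed inputs built from the values shown on this page (sample text).
SWITCH_MAC_TABLE = """\
 vlan   mac address     type    protocol  qos              ports
-----+---------------+--------+---------+---+-------------------------
  200  0010.0d40.37ff  dynamic        ip  --  5/8
   10  0080.1c93.8040  dynamic        ip  --  5/7
"""

ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.20.52.11             4   0090.2156.d800  ARPA   Vlan10
Internet  172.20.52.12            58   0080.1c93.8040  ARPA   Vlan10
"""

# nbtstat prints the MAC in Windows notation; the <03> entry for the user
# sits beside the <03> entry the computer registers for itself.
NBTSTAT_OUT = """\
Local Area Connection:
Node IpAddress: [172.20.52.115] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WINPC1         <00>  UNIQUE      Registered
    WINPC1         <20>  UNIQUE      Registered
    XPDOMAIN       <00>  GROUP       Registered
    WINPC1         <03>  UNIQUE      Registered
    SPOPE          <03>  UNIQUE      Registered

    MAC Address = 00-80-1C-93-80-40
"""

MAC_TABLE_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+dynamic\s+\S+\s+\S+\s+(\S+)\s*$", re.M)
ARP_RE = re.compile(r"^Internet\s+(\d+(?:\.\d+){3})\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)", re.M)
NBT_NAME_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.M)
NBT_MAC_RE = re.compile(r"MAC Address = (\S+)")


def normalize_mac(mac: str) -> str:
    """Reduce 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 to
    12 lowercase hex digits so addresses from different tools compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, style: str) -> str:
    """Render a MAC as Windows/CatOS ('windows'), Linux ('linux') or IOS ('cisco')."""
    d = normalize_mac(mac)
    if style == "cisco":
        return ".".join(d[i:i + 4] for i in range(0, 12, 4))
    sep = "-" if style == "windows" else ":"
    return sep.join(d[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict:
    """mac -> (vlan, port) from 'show mac-address-table dynamic'."""
    return {normalize_mac(m): (int(v), p) for v, m, p in MAC_TABLE_RE.findall(text)}


def parse_router_arp(text: str) -> dict:
    """ip -> (mac, interface) from 'show arp'."""
    return {ip: (normalize_mac(m), iface) for ip, m, iface in ARP_RE.findall(text)}


def parse_nbtstat(text: str) -> tuple:
    """(logged-on user or None, mac or None) from 'nbtstat -A' output."""
    names = NBT_NAME_RE.findall(text)
    computer = {n for n, sfx, kind in names if kind == "UNIQUE" and sfx in ("00", "20")}
    users = [n for n, sfx, kind in names if kind == "UNIQUE" and sfx == "03" and n not in computer]
    mac = NBT_MAC_RE.search(text)
    return (users[0] if users else None), (normalize_mac(mac.group(1)) if mac else None)


def trace_user_to_port(switch_table: str, router_arp: str, nbtstat_out: str, ip: str):
    """Correlate the three outputs for one IP address. mac_mismatch is True when
    the MAC nbtstat reports differs from the router's ARP entry, i.e. two
    machines are answering for that IP (duplicate or spoofed address)."""
    router = parse_router_arp(router_arp)
    if ip not in router:
        return None
    router_mac, iface = router[ip]
    user, host_mac = parse_nbtstat(nbtstat_out)
    vlan, port = parse_mac_table(switch_table).get(router_mac, (None, None))
    return {"ip": ip, "user": user, "mac": format_mac(router_mac, "windows"),
            "router_interface": iface, "vlan": vlan, "port": port,
            "mac_mismatch": host_mac != router_mac}


if __name__ == "__main__":
    print(trace_user_to_port(SWITCH_MAC_TABLE, ROUTER_ARP, NBTSTAT_OUT, "172.20.52.12"))
```

With the sample inputs the lookup resolves 172.20.52.12 to user SPOPE on switch port 5/7 in VLAN 10, and mac_mismatch is False because nbtstat and show arp agree on 0080.1c93.8040.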

Using the arp Command to Trace Layer 2 Issues

The arp command is useful for checking the local arp table of a host. The arp table holds the MAC address (also referred to as the physical address) to IP address mappings. Checking the arp table is most useful when dealing with Layer 2 or duplicate IP address issues.

To use the arp command on Linux or Windows, follow these steps:

Step 1.

Open the command-line session.

Step 2.

Type the command arp option [parameter] and press Enter.

Table 2-8 lists the most useful options for the arp command. These options are applicable to both Windows and Linux versions.

Table 2-8. Options for the arp Command

  Option                      Description
  -a                          Displays the current arp entries.
  -s ip-address mac-address   Manually adds an IP address to MAC address mapping.
  -d ip-address               Deletes a particular entry by the IP address; the Windows version also
                              allows you to use the -d option without specifying an IP address to
                              clear all the arp entries.


Note

Although the MAC address is expressed as a 12-digit hexadecimal number, the exact format is different on each OS platform. The formats for various platforms are as follows:

  • Windows NN-NN-NN-NN-NN-NN; example: 00-11-22-33-44-55

  • Linux NN:NN:NN:NN:NN:NN; example: 00:11:22:33:44:55

  • Cisco IOS and PIX NNNN.NNNN.NNNN; example: 0011.2233.4455

  • Cisco CatOS NN-NN-NN-NN-NN-NN; example: 00-11-22-33-44-55


The arp tables are populated dynamically and do not require manual intervention. However, the arp table can become corrupt because of false arp entries. In that case, Netadmins can flush the arp table using the arp -d command. Netadmins can also use the arp -s command to manually override an arp entry. Manually setting the arp entry is useful when dealing with duplicate IP address issues.

The following scenario elaborates the use of the arp command to troubleshoot Layer 2 issues.

Scenario: Consider the LAN shown in Figure 2-11, where all the hosts use the Ethernet interface of the router as the default gateway. The IP address of the default gateway is 192.168.10.254.

Figure 2-11. Using the arp Command for Troubleshooting


Problem: All the hosts in the 192.168.10.0/24 subnet of the LAN are facing intermittent connectivity issues. The regular applications like web and e-mail are either not working or are extremely slow.

Troubleshooting: Because all the hosts in the LAN are facing the issue, the Netadmin pings the default gateway to verify connectivity. The ping replies from 192.168.10.254 are successful, but pings to any address beyond the Ethernet interface fail. So the Netadmin tries to Telnet into the router for further investigation. However, the Telnet connection fails, too. The Netadmin then consoles into the router and issues the show interface ethernet0 command, as shown in Example 2-39.

Example 2-39. Router show interface Command
 Router-Dallas# show interface ethernet0
 Ethernet0 is up, line protocol is up
   Hardware is QUICC Ethernet, address is 0010.7bcc.57eb (bia 0010.7bcc.57eb)
   Internet address is 192.168.10.254/24
   MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
   Encapsulation ARPA, loopback not set, keepalive set (10 sec)
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:04, output 00:00:01, output hang never
   Last clearing of "show interface" counters never
   Queueing strategy: fifo
   Output queue 0/40, 0 drops; input queue 0/75, 0 drops
   5 minute input rate 1000 bits/sec, 1 packets/sec
   5 minute output rate 0 bits/sec, 0 packets/sec
      40160541 packets input, 3615923641 bytes, 44 no buffer
      Received 1536632 broadcasts, 0 runts, 6 giants, 51 throttles
      35 input errors, 0 CRC, 29 frame, 0 overrun, 0 ignored, 0 abort
      0 input packets with dribble condition detected
      29464546 packets output, 3879477225 bytes, 0 underruns
      0 output errors, 109366 collisions, 3 interface resets
      0 babbles, 0 late collision, 91503 deferred
      0 lost carrier, 0 no carrier
      0 output buffer failures, 0 output buffers swapped out

The output of the show interface ethernet0 command indicates that the interface and the protocol are up. The output also shows 0010.7bcc.57eb as the MAC address assigned to the Ethernet interface of the router.

The Netadmin then uses the arp -a command to check the local arp table on his workstation, as shown in Example 2-40.

Example 2-40. Checking the Local arp Table
 c:\windows\system32>arp -a
 Interface: 192.168.10.151 --- 0x2
   Internet Address      Physical Address     Type
   192.168.10.254        00-d0-c8-af-e2-5e    dynamic

The arp table entry shows that 192.168.10.254 is mapped to MAC address 00-d0-c8-af-e2-5e instead of 00-10-7b-cc-57-eb. The incorrect mapping misdirects all the Internet-bound traffic of this host to whichever machine owns the MAC address 00-d0-c8-af-e2-5e.

Following are the possible causes of the incorrect entry in the local host:

  • The IP address of the default gateway is also used by another host in the local subnet.

  • A local host is running a malicious program to poison the arp table of all the hosts in the subnet.

The Netadmin must identify and reconfigure the offending machine. Meanwhile, to restore connectivity between the local host and the default gateway, the Netadmin should clear the arp entry and then manually map the IP address 192.168.10.254 to the correct MAC address, 00-10-7b-cc-57-eb, as shown in Example 2-41. Although the commands in Example 2-41 are run on a Windows platform, the same syntax works on Linux as well.

Example 2-41. Manipulating the arp Table
 # Delete the current arp entry for 192.168.10.254
 c:\windows\system32> arp -d 192.168.10.254
 # Add a static entry for 192.168.10.254
 c:\windows\system32> arp -s 192.168.10.254 00-10-7b-cc-57-eb
 # Display the arp table
 c:\windows\system32> arp -a
 Interface: 192.168.10.151 --- 0x2
   Internet Address      Physical Address     Type
   192.168.10.254        00-10-7b-cc-57-eb    static

Note that the manually added entry for 192.168.10.254 shows up as static, whereas entries learned automatically show up as dynamic. After the MAC address is mapped manually, the local host is again able to communicate with the network beyond the default gateway.
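The comparison the Netadmin made by eye in Examples 2-39 and 2-40 (the router's interface MAC against the workstation's arp table) is easy to automate, and a script can also catch the companion symptom the text mentions, a single MAC answering for several IP addresses. The following is an added example and not from the book: it parses Windows arp -a output (and, going slightly beyond the scenario, the Linux arp -a form), checks the gateway's entry against the MAC taken from show interface, reports any MAC claiming more than one IP, and produces the two repair commands from Example 2-41. The arp tables are constructed from the page's values, with an extra host 192.168.10.77 added to show the duplicate-MAC check.

```python
import re

# Constructed Windows 'arp -a' output for the scenario (sample text). The
# extra entry 192.168.10.77 shares the bad MAC, as the spoofing host's own
# entry usually would.
ARP_A_WINDOWS = """\
Interface: 192.168.10.151 --- 0x2
  Internet Address      Physical Address     Type
  192.168.10.254        00-d0-c8-af-e2-5e    dynamic
  192.168.10.77         00-d0-c8-af-e2-5e    dynamic
  192.168.10.10         00-0e-a6-13-41-62    dynamic
"""

# The same situation as Linux 'arp -a' prints it (constructed).
ARP_A_LINUX = """\
? (192.168.10.254) at 00:d0:c8:af:e2:5e [ether] on eth0
? (192.168.10.77) at 00:d0:c8:af:e2:5e [ether] on eth0
"""

GATEWAY_IP = "192.168.10.254"
GATEWAY_MAC = "0010.7bcc.57eb"   # from 'show interface ethernet0' on the router

# Windows rows: ip, mac, type. Linux rows: ip, mac, and an empty third group
# so both regexes yield 3-tuples.
ENTRY_RES = [
    re.compile(r"^\s*(\d+(?:\.\d+){3})\s+([0-9a-fA-F-]{17})\s+(static|dynamic)", re.M),
    re.compile(r"^\S+ \((\d+(?:\.\d+){3})\) at ([0-9a-fA-F:]{17})()", re.M),
]


def norm(mac: str) -> str:
    """12 lowercase hex digits regardless of the '-', ':' or '.' notation."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp_table(text: str) -> list:
    """List of {'ip', 'mac', 'type'} entries from arp -a output on either OS."""
    entries = []
    for rx in ENTRY_RES:
        for ip, mac, kind in rx.findall(text):
            entries.append({"ip": ip, "mac": norm(mac), "type": kind or None})
    return entries


def check_gateway(text: str, gateway_ip: str, gateway_mac: str) -> list:
    """Findings (empty when the table is healthy): the gateway entry carrying
    a MAC other than the router's, and any MAC mapped to several IPs."""
    entries = parse_arp_table(text)
    expected = norm(gateway_mac)
    findings = []
    gw = [e for e in entries if e["ip"] == gateway_ip]
    if not gw:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    for e in gw:
        if e["mac"] != expected:
            findings.append(f"gateway {gateway_ip} maps to {e['mac']} not {expected}")
    by_mac = {}
    for e in entries:
        by_mac.setdefault(e["mac"], []).append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(ips)}")
    return findings


def repair_commands(gateway_ip: str, gateway_mac: str) -> list:
    """The two commands of Example 2-41: drop the bad entry, pin the right one."""
    win = "-".join(norm(gateway_mac)[i:i + 2] for i in range(0, 12, 2))
    return [f"arp -d {gateway_ip}", f"arp -s {gateway_ip} {win}"]


if __name__ == "__main__":
    for line in check_gateway(ARP_A_WINDOWS, GATEWAY_IP, GATEWAY_MAC):
        print("finding:", line)
    print("\n".join(repair_commands(GATEWAY_IP, GATEWAY_MAC)))
```

Run against the scenario's table the check reports both the wrong gateway MAC and the MAC claiming two IPs; after the arp -d / arp -s repair, a table with the static entry 00-10-7b-cc-57-eb produces no findings. The static entry only protects this one workstation, so the duplicate-MAC finding is what to follow up on to locate the offending host.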



Network Administrators Survival Guide
ISBN: 1587052113
Year: 2006