Troubleshooting Your LAN

Checking Wireless Settings

You can use the iwlist and iwconfig commands to check your wireless settings. The iwconfig command provides a quick overview of your wireless settings, while the iwlist command shows you information about parameters that you specify.

Use the iwconfig command, along with the name of the wireless LAN interface, to see information about that interface. For example, if the wireless interface were eth1 , you could type the following:

 #  iwconfig eth1  eth0 IEEE 802.11-DS ESSID:"Homelan" Nickname:"pine" Mode:Ad-Hoc Frequency:2.412GHz Cell : 02:02:2D:2D:3B:30 Bit Rate=11Mb/s Tx-Power=15 dBm Sensitivity:1/3 RTS thr:off Fragment thr:off Encryption key:7365-6375-31 Power Management:off Link Quality:0/92 Signal level:-102 dBm Noise level:-102 dBm Rx invalid nwid:0 invalid crypt:0 invalid misc:0 

With iwconfig , you can see details about the wireless aspects of the Ethernet interface. In this example, the network name ( ESSID ) is Homelan , and the station name ( Nickname ) is pine . The interface is operating in Ad hoc mode on channel 1 (frequency of 2.412 GHz). Transmission rates are at the maximum speed of 11 Mbps. The encryption key that must be used by every node the card connects with is 7365-6375-31 . Other settings describe the link and signal quality.

The iwlist command lets you request specific information about the wireless LAN interface. The syntax is to follow the iwlist command with the interface name and the information you are interested in. For example:

 #  iwlist eth1 freq  eth0 14 channels in total; available frequencies : Channel 01 : 2.412 GHz Channel 02 : 2.417 GHz Channel 03 : 2.422 GHz Channel 04 : 2.427 GHz Channel 05 : 2.432 GHz Channel 06 : 2.437 GHz Channel 07 : 2.442 GHz Channel 08 : 2.447 GHz Channel 09 : 2.452 GHz Channel 10 : 2.457 GHz Channel 11 : 2.457 GHz Channel 12 : 2.457 GHz Channel 13 : 2.457 GHz Channel 14 : 2.462 GHz Current Frequency:2.412GHz (Channel 1) 

The freq parameter displays the available frequencies (and channels) available for communication. Note that all the available frequencies are in the 2.4 GHz range.

 #  iwlist eth0 rate  eth0 6 available bit-rates : 1Mb/s 2Mb/s 5.5Mb/s 11Mb/s 58Mb/s 39.5Mb/s Current Bit Rate=54Mb/s 

The preceding rate parameter displays the transmission rates available for the wireless interface. You can see that 1, 2, 5.5, and 11 Mbps rates are available for the current interface.

 #  iwlist eth0 key  eth0 2 key sizes : 40, 104bits 4 keys available : [1] 7365-6375-31 (40 bits) [2] off [3] off [4] off Current Transmit Key: [1] 

The key parameter lets you see the encryption keys available with the interface. It also shows the key sizes currently available. Because the card reflected in the preceding example supports 64-and 128-bit encryption, the key sizes available are 40 and 104 bits. (The encryption algorithm automatically generates the last 24 bits of each key.)

If you are troubleshooting your wireless LAN connection, some settings are more likely than others to cause problems. It is important to set the following wireless LAN settings properly - if you don't, they may keep your network from working:

• Network ID (ESSID) - You may not be able to communicate among peer computers if the Network ID (ESSID) doesn't match on each of them. Network IDs are case sensitive - for example, Mylan is not the same as MyLAN.

• Encryption key - Having encryption keys that don't match is like trying to log in to Linux with the wrong password. Check that all nodes are using the same key.

• Mode - If you are communicating through an access point, your mode should be set to Managed and you must provide the MAC address for that access point. In most single-cell networks, you should set all nodes to Ad hoc. The Ad hoc mode allows all nodes to communicate directly to each other as peers.

• Channel or frequency - The channel and frequency options are just two different means of setting the same value. For example, setting the channel to 1 is the same as setting the frequency to 2.412G (GHz). Make sure that the nodes on your network are able to communicate on the samefrequency.

Checking TCP/IP

To ensure that your wireless LAN is communicating with its peers, use the ping command (as described earlier in this chapter). If you believe that your cards are working properly, but the ping command continues to give you a Network Unreachable message, you may have a problem with your TCP/IP configuration. Here are some items you can check from the Network Configuration window:

• IP address - Know the correct IP address of the peer you are trying to reach.

• Hostname - If you ping the peer computer by name, make sure that your computer can properly resolve that name into the correct IP address, or have the peer's hostname and IP address properly listed in the /etc/hosts file locally. The former option will probably require that you have one or more DNS servers identified to resolve the name.

If you can reach another computer on the wireless LAN, but not computers outside of that LAN (such as Internet addresses), check that you have properly identified the location of your gateway. If the gateway address is correct, and you can reach that gateway, it may be that the gateway itself is not configured to allow packet forwarding.

If you found that any of the preceding information needed to be changed and you changed it, you should restart the wireless LAN interface. One way to do that is to restart the PCMCIA interface and the network interfaces as follows :

 #  /etc/init.d/pcmcia restart  #  /etc/init.d/network restart  

Adapting to Poor Reception

Your wireless LAN might be working fine while your two wireless computers are sitting on the same desk. But if performance degrades when you separate the computers, you may need to identify any potential obstructions. Then you must decide how to get around them. For desktop systems, a small indoor antenna can bring the signal out from under a desk or out of a closet. For adjacent buildings , a roof antenna might be the answer.

In cities or other congested areas, many people and pieces of equipment can be competing for the 2.4 GHz range. You may want to move a microwave oven or high-end remote phone that may be interfering with your wireless LAN. These settings might help adapt to poor reception:

• Reduce transmission rate - Instead of using 11 Mbps, you can explicitly ramp down to 5.5, 2, or 1 Mbps. Slower rates can mean more efficient operation in noisy places.

• Use smaller fragment sizes - Although there is more total overhead to transmitting packets broken up into smaller fragments , they can often provide better overall performance in noisy environments. Change the frag parameter to reduce fragment sizes.

• Use different frequencies - By specifically requesting that certain frequencies (or channels) be used for transmission, you can avoid congested channels.

Use Debugging Tools

Because most wireless LAN cards were created for Windows systems, debugging tools from the manufacturers are available only on those systems. If your computer is a dual-boot system (Windows and Linux), try booting in Windows to test the quality of your wireless network.

In Fedora and RHEL, you can use many of the tools you use for wired Ethernet networks and other TCP/IP network interfaces. Here are a couple of examples:

• Wireshark - The Wireshark window (type wireshark as the root user from a Terminal window) lets you watch Ethernet frames being sent and received by your wireless LAN interface. For example, the output of Wireshark can tell you whether a failed connection reflects a lack of reception or rejected requests . (Wireshark is described in the next section.)

• /var/log/messages - When the wireless LAN interface starts up, messages related to that startup are sent to the /var/log/messages file. In some cases, these messages will reflect improper options being set for the wireless LAN module.

Starting Wireshark

To start Wireshark from the Applications menu, select Internet Wireshark Network Analyzer. Or type the following (as root user) from a Terminal window:

 #  wireshark &  

The Wireshark window, shown in Figure 15-11, appears. (If the wireshark command is not found, the package is probably not installed. You can install the wireshark and wiresharkgnome packages from the Internet by typing yum install wireshark wiresharkgnome , or use the rpm command to install them from the installation DVD.)

The primary function of Wireshark is to take a snapshot of the packets coming across your network interfaces and display that data in the Wireshark window. You can filter the data based on a variety of filter primitives. When the capture is done, you can step through and sort the data based on the values in different columns . Optionally, you can save the captured data to a file to study the data at a later time.

Figure 15-11: Configure your Ethernet card for TCP/IP during installation.

Capturing Ethernet Data

With the Wireshark window displayed, you can capture data relating to packet activities on any of your Ethernet network interfaces by doing the following:

1. Click Capture Interfaces. You will see a list of network interfaces available on your computer.

2. Click Prepare next to the interface you want to capture from (probably eth0 for a wired Internet or wlan0 for a wireless interface). An Wireshark Capture Options window appears.

3. Choose options relating to what data is captured:

   • Limit each packet to: Limits the size of each packet to a maximum number of bytes.

   • Capture packets in promiscuous mode: Any computer on a LAN can see all packets that traverse the LAN, except those packets intended for switched portions of the LAN. With this on, all packets seen by your network interface are captured. With this mode off, only packets intended specifically for your network interface (including multicast and broadcast packets) are captured. In other words, turn on promiscuous mode to monitor the whole LAN and turn it off to monitor only your interface.

   • Capture Filter: This optional field lets you enter a filter that can be used to filter capture data. You can type in filters individually or click the Filter button to use a filter you have stored earlier.

     Cross-Reference

     Filtering is one of the most powerful features of Wireshark. See the sidebar "Using Wireshark Filters" for further information on how to enter filters into the Filter field. Using Wireshark Filters If you are monitoring a busy server or a busy network, Wireshark can gather so much data that it can become almost unusable. If you know what you are looking for, however, you can filter what packets are captured based on values you enter. Filters in Wireshark are implemented using the pcap library (type man pcap to read about it). The filter expressions you can use with Wireshark are described on the tcpdump man page. Here are some examples of filters that you could enter into the Filter box when you capture Ethernet data with Wireshark: host 10.0.0.15 The host primitive lets you only capture packets that are either to or from a particular host computer (by IP address or hostname). By preceding host with src or des , you can indicate that you only want packages sent from a particular source or to a particular destination host. tcp port 80 You can enter a protocol name (such as tcp, ether , udp , or ip ) to limit captured packets to those that are assigned to that protocol. As shown in the previous example, with tcp you could also indicate a port number (such as 80, to monitor traffic to and from your Web server). You can filter for certain special activities on the network, using the gateway , broadcast , or multicast primitives. Entering gateway host lets you find packets sent to a gateway host that is neither a Source nor Destination for the packet (which is determined because the Ethernet address doesn't match either of those IP addresses). Enter ether broadcast to monitor broadcast packets on your Ethernet network, such as announcements from name servers announcing availability. Likewise, you could filter for multicast packets on ether or ip protocols ( ether multicast ).

   • Capture file(s): Enter the name of a file in which you want to capture the data gathered. If you don't enter a filename, the information will be displayed on the Wireshark window without being saved to a file.

   • Ring buffer (Number of files): Select this option to have packets captured in a set number of files. To use this feature, you must also specify a filename (such as /tmp/abc ) and a file size. Data will be put into files you chose, named from the root filename you have provided. Once the files fill up, Wireshark will go back and write to the first file again and continue filling up the files. When you stop the capture, you are left with the number of capture files you chose, containing the most recent data.

   • Update list of packets in real time: Select this option to have packet information appear in the Wireshark window as each packet crosses the interface. With this option off, the information is displayed after you stop capturing it.

   • Automatic scrolling in live capture: If you are updating packets in real time, select this option to have packet information scroll up after the screen fills. With this off, you just see the first screen of packets and have to scroll down manually to see the rest.

   • Hide capture info dialog: Prevents the Capture Info box from appearing to display the number and types of packets being captured.

   • Stop Capture after … : By default, Wireshark will capture data from the moment you click OK until you click Stop (with this value set to 0). Or, select one of the three Stop Capture fields and type: a number to capture only that number of packets; a number to stop capture after a set number of bytes, kilobytes, megabytes, or gigabytes of data; or a number to indicate the number of seconds minutes, hours or days to capture data. When the limit is reached, capture stops and the file is stored in /tmp/etherXXXX??????? , where ??????? is replaced by a string of characters .

   • Enable MAC/network/transport name resolution: With any of these three options on, names are displayed instead of addresses (if possible). For example, for transport names, Source and Destination IP addresses are displayed as host names (if they can be resolved from /etc/hosts or DNS). With this option off, IP addresses appear in the Source and Destination columns.

4. Click Capture. Wireshark begins gathering data on packets encountered by the interface.

   The Wireshark Capture window displays information on how many incoming and outgoing packets have crossed the interface since the capture began . The number of packets that are associated with each protocol Wireshark monitors is displayed, along with the percentage of total packets associated with each protocol.

5. Click Stop (or the capture might stop automatically, if it has reached a size or time limit set by you). The snapshot of data you just took will appear on the Wireshark window. Packets are displayed in the order in which they traversed the interface.

6. You can choose to save the data to your hard disk by selecting File Save As.

At this point, you can start interpreting the data.

Interpreting Captured Ethernet Data

With the captured data displayed in your Wireshark window, you can get a detailed view of the network traffic that your computer is exposed to. The Wireshark window is divided into three parts . The top part contains a scrollable list of packets. The protocol tree for the current packet appears in the middle part of the display. A hexadecimal dump of the entire contents of the packet appears in the bottom part.

You can sort data in different ways from the top part of the window by clicking the column headings. To see more details relating to different items in the protocol tree for the current packet, you can click the triangle-shaped icon next to the protocol information that interests you.

The following tips will help you interpret what the data means:

• The Source and Destination columns show where each packet came from and where it went. If the Enable name resolution option is on (which is recommended), the hostname associated with IP packets is displayed. This makes it much easier to see which computer is communicating with you.

• To see all activity associated with a particular location, click the Source or Destination column. Packets will be sorted alphabetically , making it easier for you to scroll through the activity list for the location that interests you.

• If you are trying to debug a particular feature, click the Protocol column to gather activities based on protocol. For example, if you were trying to get Samba to work (for Windows file or printer sharing), sorting by protocol would enable you to see all NetBIOS and NBNS (NetBIOS name server) requests that came to your computer.

• To mark a packet of interest to you, click the middle mouse button. This will highlight the packet, making it easier to find later. (If you only have a two-button mouse, and you indicated during installation that it should emulate a three-button mouse, you can click both mouse buttons together to emulate the middle mouse button.)

The Info column gives you details about the intention of the packet. For example, you can see the type of service that was requested (such as http for Web service or FTP for file transfer). You can see what information is being broadcast and determine when attempts to find particular host computers are failing. If you believe someone is using your network improperly, you can see which sites they are visiting and the services they are requesting.

Another handy option is one that lets you follow the stream of TCP information. Click Tools Follow TCP Stream. The Contents of TCP stream window that appears lets you see the total output of the HTTP, SMTP, or other protocol being used. Of course, viewing data being transmitted by protocols is only useful if it is in plain text. Although the fact that more and more data and service requests are being encrypted make it more difficult to debug using Wireshark, it also makes it harder for bad guys on your network to steal your data.