Exploring Network Issues

In order to properly create a troubleshooting plan, you need to understand various network configuration and performance components. Understanding these elements assists in creating theories about problem causes as well as helps your exploration process through the OSI model.

Viewing Network Performance

Starting the troubleshooting process requires knowledge of the various tools to use. Here we provide a few tables to assist in your tool selection.

Since high latency (slowness) and network saturation tend to occur together, Table 20.1 shows tools you should use to tackle or monitor for these problems. Keep in mind that you should already know the bandwidth of the network segment(s) you are troubleshooting prior to using these tools.

To employ the iperf utility for testing throughput, you’ll need two systems—one to act as the server and the other as a client. The utility must be installed on both systems, and you’ll need to allow access to its default port 5001 (port 5201 for iperf3) through their firewalls. A snipped example of setting up and starting the iperf server on an Ubuntu system is shown in Listing 20.1.

Listing 20.1: Setting up the iperf server

$ sudo ufw allow 5001
Rule added
Rule added (v6)
$
$ iperf -s -t 120
------------------------------------------------------------
Server listening on TCP port 5001
[…]

The iperf command’s -s option tells it to run as a server. The -t option is handy, because the service will stop after the designated number of seconds. This helps to avoid using Ctrl+C to stop the server.

Once you have the server side ready, configure the client side and perform a throughput test. A snipped example of setting up and starting an iperf client on a Fedora system is shown in Listing 20.2. Though the last output summary lists a Bandwidth column header, it is really showing you the achieved throughput.

Listing 20.2: Setting up the iperf client and conducting a throughput test

$ sudo firewall-cmd --add-port=5001/udp
success
$ sudo firewall-cmd --add-port=5001/tcp
success
$
$ iperf -c 192.168.0.104 -b 90Kb -d -P 5 -e -i 10
------------------------------------------------------------
Server listening on TCP port 5001 with pid 3857
[…]
Client connecting to 192.168.0.104, TCP port 5001 with pid 3857
[…]
[ ID] Interval        Transfer    Bandwidth       Write/Err  Rtry    Cwnd/RTT
[…]
[SUM] 0.00-10.04 sec   640 KBytes   522 Kbits/sec  5/0         2
[..]
[SUM] 0.00-11.40 sec  1.19 MBytes   873 Kbits/sec  850    5:5:0:0:0:0:0:835
$

Notice that a firewall rule was added for UDP traffic as well as TCP. This is necessary due to the use of the -b switch on the iperf client, which requires UDP. There are many options available with the iperf and iperf3 utilities. The ones used in Listing 20.2 are described in Table 20.2.

Another handy utility to test throughput is the Netcat utility, whose command name is nc. Like iperf, you need to set up both a server and a client to perform a test. Listing 20.3 shows an example of setting up a Netcat server on an Ubuntu system. Notice how the firewall is modified to allow traffic to the port selected (8001) for the Netcat server.

Listing 20.3: Setting up the nc server

$ sudo ufw allow 8001
Rule added
Rule added (v6)
$
$ nc -l 8001 > /dev/null

The -l option on the nc command tells it to go into listening mode and act as a server. The 8001 argument tells Netcat to listen on port 8001. Because Netcat is being used to test throughput, there is no need to display any received data. Thus, the data received is thrown into the black hole file (/dev/null).

To conduct a test with Netcat, employ a utility that will send packets to the server and allow you to see the throughput rate. The dd command (covered in Chapter 12) works well, and an example of conducting a test on a Fedora system is shown in Listing 20.4.

Listing 20.4: Setting up the nc client and conducting a throughput test

$ dd if=/dev/zero bs=1M count=2 | nc 192.168.0.104 8001 -i 2
2+0 records in
2+0 records out
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.10808 s, 19.4 MB/s
Ncat: Idle timeout expired (2000 ms).
$

Notice for the dd command, no output file (of) switch is used. This forces the command’s output to go to STDOUT, which is then redirected via the pipe (|) into the nc command. The nc command sends the output as packets through the network to the Netcat server’s IP address (192.168.0.104) at port 8001, where the listening server receives the packets. The -i 2 option tells Netcat to quit and return to the command line after 2 seconds of idle time.

The throughput rate is displayed when dd completes its operation. You can increase the test traffic sent by increasing the data amount designated by the dd command’s bs option and the number of times it is sent via the count switch. In the Listing 20.4 example, only 1Mb was sent two times.

High latency is sometimes caused by overloaded routers. Faulty hardware or improper configurations, such as the router’s MTU being set too low, also contribute to the problem. The tracepath and traceroute utilities not only display what path a packet takes through the network’s routers but can provide throughput information as well allow you to pinpoint potential problem areas.

The mtr utility can provide a nice graphical display or a simple report showing a packet’s path, travel times, and items such as jitter. Listing 20.5 shows an example of using mtr to produce a static report.

Listing 20.5: Producing router performance reports with the mtr utility

$ mtr -o "L D A J" -c 20 -r 96.120.112.205
Start: 2018-12-21T13:47:39-0500
HOST: localhost.localdomain       Loss%  Drop    Avg  Jttr
  1.|-- _gateway                   0.0%     0    0.8   0.1
  2.|-- _gateway                   0.0%     0    3.8   7.1
  3.|-- 96.120.112.205             0.0%     0   15.5   1.8
$

The mtr command’s -o option allows you to specify what statistics to view. In this example, packet loss (L), drop (D), travel time average (A), and jitter (J) are chosen. The -c switch lets you set the number of times a packet is sent through the routers, and the -r option designates that you want a static report. To show a continuous graphical display, leave off the -c and -r options. The last mtr argument is the destination IP address.

A faulty or failing adapter also can contribute to high latency. If you suspect that errors, packet drops, or timeouts are causing network problems, try employing the utilities in Table 20.3 to display these statistics.

Using the ip utility is shown snipped in Listing 20.6. Notice that even though no packets have been dropped, it does show error rates hovering around 0.05% (RX or TX packets / RX or TX errors). Any rate over 0.01% is enough to consider the adapter faulty.

Listing 20.6: Viewing network adapter statistics with the ip utility

$ ip -s link show enp0s8
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 […]
[…]
    RX: bytes  packets  errors  dropped overrun mcast
    201885893  3023900  1510    0       0       318
    TX: bytes  packets  errors  dropped carrier collsns
    24443239380 15852137 7922   0       0       0
$

If you have a rather tricky network problem, it may be worth your while to directly look at the packets traveling over it. The tools to do so go by a variety of names, such as network sniffers and packet analyzers. Three popular ones are Wireshark, tshark, and tcpdump.

Wireshark (a GUI program) and tshark (also called terminal-based Wireshark) are closely linked and that causes confusion when it comes to their installation. Table 20.4 lists the packages names needed to obtain the correct tool for each distribution covered by this book.

Once you have the proper package installed, you can employ the tool to analyze packets. A simple snipped example of using tshark on an Ubuntu system is shown in Listing 20.7. The tshark command’s -i option allows you to specify the interface from which to sniff packets. The -c switch lets you specify the number of packets to capture.

Listing 20.7: Using tshark to view packets

$ sudo tshark -i enp0s8 -c 10
[…]
Capturing on 'enp0s8'
    1 0.000000000 192.168.0.100 → 239.255.255.250 […]
    2 0.493150205 fe80::597e:c86f:d3ec:8901 → ff02[…]
    3 0.683985479 192.168.0.104 → 192.168.0.101 SSH[…]
    4 0.684261795 192.168.0.104 → 192.168.0.101 SSH[…]
    5 0.684586349 192.168.0.101 → 192.168.0.104 TCP[…]
[…]
   10 1.198757076 192.168.0.104 → 192.168.0.101 SSH[…]
198 Server: Encrypted packet (len=144)
10 packets captured
$

Both tshark and tcpdump allow you to store the sniffed data into a file. Later the packet information can be viewed using the Wireshark utility, if you prefer viewing data via a GUI application.

Reviewing the Network’s Configuration

In the network troubleshooting process, you might want to check your various network configurations. Network adapter configurations were covered in Chapter 7. You can use the tools listed earlier in Table 20.3 as well as the nmcli utility to review adapter settings.

Within a local network segment, routers do not use an IP address to locate systems. Instead they use the system’s network adapter’s media access control (MAC) address. MACs are mapped to their server’s IPv4 address via the Address Resolution Protocol (ARP) table or IPv6 address Neighborhood Discovery (NDISC) table. An incorrect mapping or duplicate MAC address can wreak havoc in your network. Table 20.5 has the commands to use to investigate this issue.

Incorrect DNS information for your own servers is troublesome. Also, if you are considering changing your client-side DNS configuration, there are some utilities that can help you investigate slow query responses. The commands in Table 20.6 are good utilities to guide your investigations.

The nslookup utility is very handy for testing DNS lookup speeds. You follow the command with the FQDN to look up and then the DNS server you desire to test. Use it along with the time command to gather lookup time estimates as shown snipped in Listing 20.8.

Listing 20.8: Testing DNS lookup speeds with the nslookup utility and time command

$ time nslookup www.linux.org 8.8.8.8
[…]
Name:   www.linux.org
Address: 104.27.166.219
[…]
real    0m0.099s
[…]
$ time nslookup www.linux.org 9.9.9.9
[…]
Name:   www.linux.org
Address: 104.27.167.219
[…]
real    0m0.173s
[…]
$

The Network Mapper (nmap) utility is often used for pen testing. However, it is also very useful for network troubleshooting. Though it’s typically not installed by default, most distros have the nmap package in their standard repositories.

There are a number of different scans you can run with nmap. The snipped example in Listing 20.9 shows using nmap inside the system’s firewall to see what ports are offering which services via the -sT options.

Listing 20.9: Viewing TCP ports and services using the nmap utility

$ nmap -sT 127.0.0.1
[…]
PORT    STATE SERVICE
22/tcp  open  ssh
631/tcp open  ipp
[…]
$

You can use nmap to scan entire network segments and ask for the mapper to fingerprint each system in order to identify the operating system running there via the -O option. To perform this scan, you need super user privileges as shown in snipped Listing 20.10.

Listing 20.10: Viewing network segment systems’ OSs using the nmap utility

$ sudo nmap -O 192.168.0.*
[…]
Nmap scan report for 192.168.0.102
[…]
Running: Linux 3.X|4.X
[…]
Nmap scan report for Ubuntu1804 (192.168.0.104)
[…]
Running: Linux 3.X|4.X
[…]

Running Out of Filesystem Space

Nothing can ruin system uptime statistics like application crashes due to drained disk space. Two utilities that assist in troubleshooting and monitoring filesystem space are the du and df commands, which were covered in Chapter 11.

The df utility allows you to view overall space usage. In the example in Listing 20.11, only the ext4 filesystems are viewed via the -t option, and the results are displayed in human-readable format (-h), providing a succinct display.

Listing 20.11: Viewing filesystem space totals using the df utility

$ df -ht ext4
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       9.8G  7.3G  2.0G  79% /
$

If you see a filesystem whose usage is above desired percentages, locate potential problem areas on the filesystem via the du command. First obtain a summary by viewing the filesystem’s mount point directory and only display space used by first-level subdirectories via the -d 1 option. An example is shown snipped in Listing 20.12 for a filesystem’s whose mount point is the / directory.

Listing 20.12: Viewing subdirectory space summaries using the du utility

$ sudo du -d 1 /
[…]
2150868 /var
[…]
48840   /home
{…]

After you find potential problem subdirectories, start digging down into them via du to find potential space hogs, as shown snipped in Listing 20.13.

Listing 20.13: Finding potential space hogs using the du utility

$ sudo du /var/log
[…]
499876  /var/log/journal/e9af6ca5a8fb4a70b2ddec4b1894014d
[…]

If you find that the filesystem actually needs the disk space it is using, the only choice is to add more space. If you set up the original filesystem on a logical volume, adding space via LVM tools is fairly simple (creating a logical volume was covered in Chapter 11).

If you don’t have an extra physical volume in your volume group to add to the filesystem volume needing disk space, do the following:

1. Add a spare drive to the system, if needed.
2. Create a physical volume with the pvcreate command.
3. Add the new physical volume to the group with vgextend.
4. Increase the logical volume size by using the lvextend command.

Waiting on Disk I/O

If a disk is experiencing I/O beyond what it can reasonably handle, it can slow down the entire system. You can troubleshoot this issue by using a utility that displays I/O wait times, such as the iostat command. I/O wait is a performance statistic that shows the amount of time a processor must wait on disk I/O.

The syntax for the iostat command is as follows:

iostat [OPTION] [INTERVAL] [COUNT]

If you simply enter iostat at the command line and press Enter, you’ll see a static summary of CPU, filesystem, and partition statistics since the system booted. However, in troubleshooting situations, this is not worthwhile. There are a few useful iostat options to use for troubleshooting:

• -y: Do not include the initial “since system booted” statistics.
• -N: Display registered device mapper names for logical volumes.
• -z: Do not show devices experiencing no activity.
• -p device: Only show information regarding this device.

The iostat command’s two arguments allow viewing of the statistics over time. The [INTERVAL] argument specifies how many seconds between each display, and [COUNT] sets the number of times to display. Keep in mind that if you use the -y option, you will not see the first statistics until after the set interval.

An example using iostat with appropriate options for a troubleshooting situation is shown snipped in Listing 20.14. In this case, only two statistics are shown 5 seconds apart. You can see that there is a rather high I/O wait (%iowait column) percentage indicating a potential problem.

Listing 20.14: Troubleshooting I/O wait using the iostat utility

$ iostat -yNz 5 2
[…]
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          26.80    0.00   42.27   30.93    0.00    0.00

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda             409.90         3.30      9720.72         16      47145
[…]
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          22.67    0.00   65.79   11.54    0.00    0.00

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sda             535.83         0.00      9772.77          0      48277
[…]

For problems with high I/O, besides employing different disk technologies, you will want to review the Linux kernel’s defined I/O scheduling. I/O scheduling is a series of kernel actions that handle I/O requests and their associated activities. How these various operations proceed is guided by selecting a particular I/O scheduler, shown in Table 20.7, within a configuration file.

The configuration file used for determining which I/O scheduler to use is in a directory associated with each disk. Listing 20.15 shows how to find the various disk directories and their associated scheduler file on a CentOS distribution.

Listing 20.15: Locating a disk’s scheduler file

# ls /sys/block
dm-0  dm-1  sda  sdb  sdc  sdd  sr0
#
# cat /sys/block/sda/queue/scheduler
noop [deadline] cfq
#

The scheduler used for the sda disk, deadline, is in brackets. To change the current I/O scheduler, you simply employ super user privileges and the echo command as shown in Listing 20.16.

Listing 20.16: Changing a disk’s scheduler file temporarily

# echo "cfq" > /sys/block/sda/queue/scheduler
#
# cat /sys/block/sda/queue/scheduler
noop deadline [cfq]
#

If you determine that due to hardware limitations, a new and different hard drive is needed to handle the required I/O levels, the ioping utility can help you in the testing process. The ioping utility is typically not installed by default, but it is commonly available in a distribution’s standard repositories.

Via the ioping command, you can test disk I/O latency, seek rates, and sequential speeds. You can also try out asynchronous, cache, and direct I/O rates.

A snipped example in Listing 20.17 shows a simple test that reads random data chunks (non-cached) from a temporary file using the ioping command.

Listing 20.17: Conducting a non-cached read test using the ioping utility

# ioping -c 3 /dev/sda
4 KiB <<< /dev/sda […]: request=1 time=20.7 ms (warmup)
4 KiB <<< /dev/sda […]: request=2 time=32.9 ms
4 KiB <<< /dev/sda […]: request=3 time=25.5 ms

--- /dev/sda (block device 15 GiB) ioping statistics ---
2 requests completed in 58.4 ms, 8 KiB read, 34 iops, 137.0 KiB/s
generated 3 requests in 2.03 s, 12 KiB, 1 iops, 5.92 KiB/s
min/avg/max/mdev = 25.5 ms / 29.2 ms / 32.9 ms / 3.72 ms
#

The added -c 3 option specifies three tests. More thorough ioping tests help to determine if a disk will work for a particular application’s needs.

Failing Disks

If a small chunk of an HDD or SSD will not respond to I/O requests, the disk controller marks it as a bad sector. When a bad sector is marked, typically the controller’s firmware will attempt to move the data from the marked sector to a new location and remap the logical sector to the new sector. Thus, the data is safe.

A random bad sector does not indicate a drive is failing. However, if you are seeing bad sectors more and more on your disk, then it needs to be replaced. Thus, you should monitor this situation.

Occasionally a file on the drive loses its matching inode number (covered in Chapter 3), or some other corruption occurs. This leaves the data in place, but nothing can access it, and the problem must be repaired manually.

One utility that will allow you to check and repair an ext2, ext3, or ext4 filesystem is the fsck command (covered in Chapter 11). The disk partition must be unmounted before you can run the utility on it.

Physical damage or wear can sometimes cause unusual sounds from a drive. You may hear clicking, grinding, or scratching noises. These indicate a drive is failing and should be replaced as soon as possible.

In the cases where you do need to replace a drive and rebuild your partition(s), keep in mind that you can use the partprobe command. This nice utility allows your system to reread a disk’s partition table without rebooting the system. You do need to use super user privileges to invoke it.

Swapping

Memory is divided up into chunks called pages. When the system needs more memory, using a memory management scheme, it takes an idle process’s memory pages and copies them to disk. This disk location is a special partition called swap space or swap or virtual memory. If the idle process is no longer idle, its memory pages are copied back into memory. This process of copying memory pages to/from the disk swap space is called swapping.

If your system does not have properly sized memory, you should see high RAM usage via the free command. In addition, the system will increase swapping, which results in increased disk I/O. The vmstat tool is handy in this case because it will allow you to view disk I/O specific to swapping as well as total blocks in and blocks out to the device. An example of using the vmstat utility is shown in Listing 20.20.

Listing 20.20: Displaying virtual memory statistics with the vmstat utility

$ vmstat
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 2  0      0 3149092   3220 355180    0    0  1978    43  812  783 27 17 26 29  0
$

On a Linux system, swap space is either a disk partition or a file. A swap partition is a special disk partition that acts as the system’s swap space.

A useful utility for viewing memory and determining if swap is a file or a partition is the swapon -s command. If it’s available, you can obtain the same information from the /proc/swaps file. An example of using the swapon -s command on a CentOS distribution is shown in Listing 20.21

Listing 20.21: Displaying a swap partition with the swapon utility

$ swapon -s
Filename         Type            Size    Used    Priority
/dev/dm-1        partition       1572860 0       -1
$

Notice that on this CentOS distro, the swap space is a partition. The priority column within the preceding example’s swap space statistics is shown as a negative one (-1). If there are multiple swap spaces, this priority number determines which swap is used first.

Another swapon -s example is enacted on an Ubuntu distribution and shown in Listing 20.22. Notice that in this case, the swap space is a file.

Listing 20.22: Displaying a swap file with the swapon utility

$ swapon -s
Filename        Type            Size    Used    Priority
/swapfile       file            483800  0       -2
$

During the Linux OS installation, typically a swap partition or file is created and added to the /etc/fstab configuration file. However, you may need to create additional swap partitions/files—for example, if you increase your system’s RAM.

For a new partition swap space, once you’ve created a new disk partition, use the mkswap command to “format” the partition into a swap partition. You use the same command for a new swap file and a logical volume. An example on a CentOS system, using super user privileges, is shown in Listing 20.23.

Listing 20.23: Making a swap partition with the mkswap command

# mkswap /dev/sde1
Setting up swapspace version 1, size = 1048572 KiB
no label, UUID=e5bd150a-2f06-42ed-a0a9-a7372abd9dee
#
# blkid /dev/sde1
/dev/sde1: UUID="e5bd150a-2f06-42ed-a0a9-a7372abd9dee" TYPE="swap"
#

Now that the swap partition or file has been properly prepared, activate it using the swapon command. The free command is very useful here because it provides a simple view of your current free and used memory. An example of these two commands is shown in Listing 20.24.

Listing 20.24: Activating a swap partition with the swapon command

# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.7G        359M        3.0G        9.3M        352M        3.1G
Swap:          1.5G          0B        1.5G
#
# swapon /dev/sde1
#
# swapon -s
Filename           Type            Size    Used    Priority
/dev/dm-1          partition       1572860 0       -1
/dev/sde1          partition       1048572 0       -2
#
# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.7G        366M        3.0G        9.3M        352M        3.1G
Swap:          2.5G          0B        2.5G
#

You can see that the swap space size has increased 1GB by adding a second swap partition. The -h option on the free command displays memory information in a more human-readable format.

If desired, change the new swap partition’s priority from its current negative two (-2) to a higher priority, using the swapon command as shown in Listing 20.25. A higher number designates that the swap partition is used before other partitions for swap.

Listing 20.25: Changing a swap priority with the swapon command

# swapoff /dev/sde1
#
# swapon -p 0 /dev/sde1
#
# swapon -s
Filename        Type            Size    Used    Priority
/dev/dm-1       partition       1572860 0       -1
/dev/sde1       partition       1048572 0       0
#

You must first use the swapoff command on the swap partition to disengage it from swap space. After that the swapon -p priority is used to change the preference priority. You can set priority to any number between 0 and 32767.

If all is well with the new swap partition, add it to the /etc/fstab file so it is persistent through system reboots. You can closely mimic the current swap file record’s settings, but be sure to change the name to your new swap partition/file.

Running Out of Memory

By default, the Linux kernel allows itself to overcommit memory to various processes. This is done for efficiency and performance. However, due to this allowance, the system can become very low on free memory. In a critical low-memory situation, Linux first reclaims old memory pages. If it doesn’t reclaim enough RAM to come out of a critical status, it employs the out of memory killer (also called the OOM killer).

When triggered, the OOM killer scans through the various processes using memory and creates a score. The score is based on the total memory a process (and its child processes) is using and the smallest number of processes that can be killed to come out of a critical low-memory status. The kernel, root, and crucial system processes are automatically given low scores. If a process has a high score, it is killed off. The OOM killer scans and kills off high scoring processes until the system is back to normal memory status.

You can force the kernel to prevent memory overcommit via the sysctl command, changing the vm.overcommit_memory kernel parameter from its default of 0 to 1. However, this may not be the best solution. In many systems, it is better to fine-tune the memory overcommit by setting vm.overcommit_memory to 2. This allows you to allocate as much memory as defined in another kernel parameter, the overcommit_ratio. In this case, when a process requests memory that causes system to exceed the set overcommit ratio, the allocation fails.