Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 17
Troubleshooting Tools

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

✓ 5.2 Given a scenario, use the appropriate tool

Software tools
- Command line
  - ping
  - tracert, traceroute
  - nslookup
  - ipconfig
  - ifconfig
  - iptables
  - netstat
  - tcpdump
  - pathping
  - nmap
  - route
  - arp
  - dig

Most of us are running Transmission Control Protocol/Internet Protocol (TCP/IP) version 4 on our networks these days, so we absolutely need a way to test IP connectivity. But we also need to be able to test and verify IPv6 networks. The reason for this is that even though Microsoft makes the majority of client platforms, a lot of the commands used to test IP connectivity are really platform independent, and most of the platforms can now use both IPv4 and IPv6. Even so, keep in mind that the Network+ exam focuses on the basic concepts of the function and use of the TCP/IP utilities that come with Windows.

You can use several utilities, both command line and GUI, to verify TCP/IP function on Windows workstations, and most of them are listed in the chapter objectives. Here’s a list of all the utilities I’m going to discuss:

Traceroute (tracert in Microsoft)
ipconfig/winipcfg (ifconfig in Unix)
ping
arp
nslookup (dig in Unix)
Mtr (pathping)
route
nbtstat
netstat
ftp
telnet

And by the way, it’s very important that you don’t just blow through the output that I’ve supplied for each command. Instead, pay serious attention to it because to meet the Network+ objectives, you’ll be required to correctly identify each command’s output.

So, let’s cut right to the chase and take a look at some of these commands and their output. Oh, and do try and have fun with it!

To find Todd Lammle CompTIA videos and practice questions, please see www.lammle.com/network+.

Protocol Analyzers

Protocol analyzers, also called sniffers or network monitors, are used to capture packets in their raw format as they cross the network. Windows desktop operating systems before Windows Vista came with a built-in protocol analyzer called Network Monitor, but that is no longer the case, although you can download one for free that will work with the newer operating systems.

The Network Monitor tool that comes with these operating systems will capture only packets that are sourced from or destined to the computer on which the tool is running. Commercial sniffers like Wireshark and Omnipeek can capture any packets because they set the NIC to operate in promiscuous mode, which means the NIC processes all packets that it sees.

Protocol analyzers can be used to determine the type of traffic that you have in your network, and depending on the product and the bells and whistles contained therein, you may be able to sort the results based on port numbers, protocols, and so on. Another use of a sniffer is to examine the traffic that should be occurring on the network when something is not working to aid in troubleshooting. These devices can capture and display all packets involved in the connection setup, including, for example, request and response headers to a web server.

For example, earlier in the book we discussed the operation of DHCP, and you learned that there are a series of four packet types that must occur for a DHCP client to receive an IP configuration from the server. As a review, those packets are as follows:

DHCP Discover
DHCP Offer
DHCP Request
DHCP ACK

If you turned on the analyzer and then executed the ipconfig/release and ipconfig/renew commands on the client (more on those commands later in this chapter), you should see these four packets in the analyzer’s capture file. The packets would be interspersed with the hundreds and perhaps thousands of other packet types that would be captured, but by using the display filtering options in the software, you can easily segregate out the DHCP traffic. An example of the DHCP process, as seen in a capture, is shown in Figure 17.1.

Image shows DHCP capture that displays list of details such as no., time, source, destination, protocol, and info. — **Figure 17.1** DHCP capture

If all you saw in the capture were the DHCP Discover packets with no DHCP Offer packets, you could reasonably assert that the DHCP server is not receiving the DHCP Discover packets (perhaps it is located in another broadcast domain or perhaps it is not on). Additionally, you could examine fields in the DHCP Offer packets that may tell you that the DHCP server is out of addresses. The point is that the tool can be used to troubleshoot the issue.

Throughput Testers

Users of a network often complain about the speed of the network. Network “speed” is in some ways a personal perception because some people have more patience than others. To determine when a network slowdown is real as opposed to perceived, you need to actually measure the throughput. That’s what throughput testers are used for.

These devices, typically software based, work much like a protocol analyzer in that they measure the traffic seen on the network and can also classify the types of traffic that are eating up your bandwidth (which is probably what you really need to know). Figure 17.2 shows one version of this software by TamoSoft.

Image shows TamoSoft throughput test - client screen that has information such as server IP or IPv6 address, server port, QoS traffic type, TCP up, TCP down, UDP up, UDP down, round-trip time, and so on. — **Figure 17.2** Throughput

This software is installed on a server and also on a client. In the figure, the software is measuring traffic between the client and a server. It shows the throughput for traffic in real time and in this shot is breaking that traffic up by unicast (TCP) and broadcast (UDP) types and by direction.

Earlier in this book, I discussed the importance of baselines, and this is another area where they are important. Network throughput figures mean little without a baseline with which comparisons can be made. How do you know what is abnormal when you don’t know what normal is? Baselines should be taken when the network is operating well, but they should also be taken when the traffic load is normal.

Connectivity Software

There are times when you need to make a remote connection to a machine to perform troubleshooting but you are miles away. Connectivity software is designed to allow you to make a connection to the machine, see the desktop, and perform any action you could perform if you were sitting in front of it.

Microsoft has made what it calls Remote Desktop software available for free with Windows products since Windows NT. When this software is installed (installed by default in later versions) on both source and destination computers, a remote desktop connection can be made.

Commercial tools are also available that (of course) claim to have more functionality, and they probably do have a few extra bells and whistles. These include LogMeIn.com, GoToMyPC, and others. Figure 17.3 shows the session window for a LogMeIn.com session.

Image shows LogMe page screen that has homepage of msn with tab for web search, news, advertisements, and log in column. — **Figure 17.3** LogMeIn

The advantages of these connectivity tools are obvious. With these tools, you can do anything you need to on the machine as long as you can connect. They also allow you to see what a user is actually doing when they encounter a problem rather than having to rely on what they tell you they are doing. You can even show a user what they are doing wrong. Most of these tools allow for chat sessions and for either end of the connection to take control of the machine. You can also transfer files to them if required (maybe a DLL got deleted, for example).

Using traceroute

For starters, let’s pose these questions: Where do all those packets really go when we send them over the Internet? And, how do all the packets actually get to their destinations? Well, we can use the TCP/IP traceroute (tracert with Windows) command-line utility to help us answer both questions because its output will show us every router interface a TCP/IP packet passes through on the way to its destination.

Traceroute (trace for short) displays the path a packet takes to get to a remote device in all its glory by using something we call IP packet Time to Live (TTL) time-outs and Internet Control Message Protocol (ICMP) error messages. And it’s also a handy tool for troubleshooting an internetwork because we can use it to figure out which router along a path through that internetwork happens to be causing a network failure when a certain destination machine or network is, or suddenly becomes, unreachable.

To use tracert, at a Windows command prompt, type tracert, a space, and the Domain Name Service (DNS) name or IP address of the host machine to which you want to find the route. The tracert utility will respond with a list of all the DNS names and IP addresses of the routers that the packet is passing through on its way. Plus, tracert uses TTL to indicate the time it takes for each attempt.

Following is the tracert output from my workstation in Boulder, Colorado, to my Lammle.com server in Dallas, Texas:

Were you able to see that the packet bounces through several routers before arriving at its destination? Good! This utility is useful if you are having problems reaching a web server on the Internet and you want to know if a wide area network (WAN) link is down or if the server just isn’t responding. What this means to you is that, basically, wherever the trace stops is a great place to start troubleshooting. No worries here, though—the previous output shows that every router is up and responding. Last, notice in the output the ms. This is the latency of each hop, meaning the delay. Tracert (or traceroute) is a great troubleshooting tool you can use to find out where your network bottlenecks are.

If you use traceroute or tracert and receive an asterisk, this indicates that the attempt to reach that router took longer than the default time-out value. This is very good to know because it can mean that either the router is extremely busy or a particular link is slow. Another reason for getting an asterisk could be that the administrator has disabled ICMP on the router that the packet is trying to hop through.

Why would someone want to do that? For security reasons, that’s why. It happens to be a typical strategic move done on the routers that interface to the ISP to conceal their actual location so bad guys can’t hack into them and therefore into your internetwork. It’s a good idea, and I highly recommend doing it.

If you are running traceroute and see repeating addresses and TTL time-outs, you probably have a routing loop.

In addition to traceroute and tracert, you can use pathping, which is a lot like traceroute:

This provides a nice feedback at the end of the output.

In addition to traceroute and tracert, which show the path of an IPv4 packet, you can use tracert -6 for a Windows trace, traceroute6 for MAC and Unix, and traceroute -6 for Cisco routers to trace an IPv6 packet through an internetwork.

Using ipconfig and ifconfig

The utilities known as ipconfig (in Windows) and ifconfig (in Unix/Linux/Mac) will display the current configuration of TCP/IP on a given workstation—including the current IP address, DNS configuration, Windows Internet Naming Service (WINS) configuration, and default gateway. In the following sections, I will show you how to use both.

Using the ipconfig Utility

With the new Mac, Windows 10, and Windows Server 2016 operating systems, you can now see the IPv6 configuration because IPv6 is enabled by default. The output of the ipconfig command provides the basic routed protocol information on your machine. From a DOS prompt, type ipconfig, and you’ll see something like this:

Wow, there sure are a lot of options in this output compared to the output for earlier versions of Windows! First, what’s up with all these interfaces showing? I only have two—one Ethernet and one wireless. You can see that my Ethernet adapter shows up first, and it has an IP address, a mask, and a default gateway plus an IPv6 address and a DNS suffix. The next configured interface is the wireless local area network (LAN) adapter, which has an IP address, a mask, a default gateway, an IPv6 address, and the IPv6 default gateway as well. This IPv6 default gateway address is simply my router advertising that it runs IPv6 and saying, “I am the way out of the local LAN!”

The next adapters are disconnected because they are logical interfaces and I’m not using them—my machine actually shows eight, but I cut the output because it provides no new information. They’re automatically inserted because IPv6 is installed and running on my machine, and these adapters allow me to run IPv6 over an IPv4-only network.

But just in case the ipconfig command doesn’t provide enough information for you, try the ipconfig /all command—talk about details. Here’s the beginning of that output:

As you can see, it’s more of the same—a whole lot more. The most important thing I want you to notice is that I’ve received the hardware information about each interface, including the Media Access Control (MAC) address. Also significant is that I can see the Dynamic Host Configuration Protocol (DHCP) lease times and DNS addresses now.

But why stop here? There are two more valuable options you need to use with the ipconfig command. They are /release and /renew.

When you change networks, you need to get the IP address of that subnet and/or virtual LAN (VLAN). Windows 10 works most of the time without doing anything, but sometimes I do have to renew the IP configuration when changing networks. But that’s easy—just type ipconfig /renew from a command prompt, and if you’re connected to a DHCP server that’s available, you’ll then magically receive an IP address.

Now, if it still doesn’t work, you’ll need to release and renew your TCP/IP settings. To release your current DHCP TCP/IP information, you must elevate your command prompt or you’ll get this warning:

C:Users lammle>ipconfig /release

The requested operation requires elevation.

C:Users lammle>

Should this happen to you, choose Start ➢ All Programs ➢ Accessories ➢ Command Prompt, right-click, and choose Run As Administrator. (Of course, you’ll have to enter your name and password to do this if you are using Windows 7 or 10. But we love Windows 7 and 10, right? Okay, maybe not always.) Figure 17.4 shows how I did this.

Once your command prompt has been duly elevated, you can use the ipconfig /release command and then the ipconfig /renew command to get new TCP/IP information for your host.

Imahge described by caption and surrounding text — **Figure 17.4** Elevating your command prompt

Using the ifconfig Utility

There is a utility in Linux/Unix/Mac that will give you information similar to what ipconfig shows. It’s called ifconfig (short for interface configuration). Although ipconfig and ifconfig show similar information, there are major differences between these two utilities. The ipconfig utility is mainly used to view the TCP/IP configuration for a computer. You can use ifconfig to do the same thing, but ifconfig can also be used to configure a protocol or a particular network interface.

The general syntax of the ifconfig command is as follows:

ifconfig interface [address [parameters]]

The interface parameter equals the Unix name of the interface, such as eth0. If the optional address parameter is specified, the ifconfig command sets the IP address for the interface to the address you’ve specified. When the ifconfig command is used by itself with no parameters, all configured interfaces will be reported on. But if only the interface name is specified, you’ll get output that looks like this:

# ifconfig eth0

eth0 Link encap 10Mbps Ethernet HWaddr 00:00:C0:90:B3:42

inetaddr 172.16.0.2 Bcast 172.16.0.255 Mask 255.255.255.0 UP

BROADCAST RUNNING MTU 1500 Metric 0

RX packets 3136 errors 217 dropped 7 overrun 26

TX packets 1752 errors 25 dropped 0 overrun 0

Looking at this, we can see that the eth0 interface is a 10 Mbps Ethernet interface. The interface’s MAC and IP address information is displayed in this output as well. And, although not shown in the output, the ifconfig tool can show you the DNS information configured on the host.

Using the iptables utility

The iptables firewall utility is built for the Linux operating system. It is a command-line utility that uses what are called chains to allow or disallow traffic. When traffic arrives, iptables looks for a rule that addresses that traffic type, and if none exists, it will enforce the default rule. There are three different chain types:

Input: Controls behavior for incoming connections
Forward: Used for incoming connections that aren’t being delivered locally (like a router would receive)
Output: Used for outgoing connections

You can set the default action to accept, drop, or reject, with the difference between reject and drop being that reject sends an error message back to the source.

Examples of iptables

To block a connection from the device at 192.168.10.1, use this command:

iptables -A INPUT -s 192.168.10.1 -j DROP

To block all connections from all devices in the 172.16.0.0/16 network, use this command:

iptables -A INPUT -s 172.16.0.0/16 -j DROP

Here is the command to block SSH connections from 10.110.61.5:

iptables -A INPUT -p tcp --dport ssh -s 10.110.61.5 -j DROP

Use this command to block SSH connections from any IP address:

iptables -A INPUT -p tcp --dport ssh -j DROP

The following command is used to save the changes in Ubuntu:

sudo /sbin/iptables-save

In Red Hat/CentOS, use either of the following commands:

/sbin/service iptables save

/etc/init.d/iptables save

Using the ping Utility

The ping utility is the most basic TCP/IP utility, and it’s included with most TCP/IP stacks for most platforms. Windows, again, is no exception. In most cases, ping is a command-line utility, although there are many GUI implementations available. You use the ping utility for two primary purposes:

To find out if a host is responding
To find out if you can reach a host

Here’s the syntax (you can use either command):

ping hostname

ping IP address

If you ping any station that has an IP address, the ICMP that’s part of that particular host’s TCP/IP stack will respond to the request. The ICMP test and response looks something like this:

ping 204.153.163.2

Pinging 204.153.163.2 with 32 bytes of data:

Reply from 204.153.163.2: bytes=32 time<10ms TTL=128

Reply from 204.153.163.2: bytes=32 time=1ms TTL=128

Reply from 204.153.163.2: bytes=32 time<10ms TTL=128

Because I’ve received a reply from the destination station (204.153.163.2, in this case), I know that I can reach the host and that it’s responding to basic IP requests. Don’t forget that you can use name resolution and ping to a name, such as ping www.sybex.com, and as long as that name can be resolved, you’re golden.

Most versions of ping work the same way, but there are some switches you can use to specify certain information, like the number of packets to send, how big a packet to send, and so on. And if you’re running the Windows command-line version of ping, just use the /? or –? switch to display a list of the available options like this:

C:Users lammle>ping /?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]

[-r count] [-s count] [[-j host-list] | [-k host-list]]

[-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

The command will also output a table showing what each of the options does, presented here in Table 17.1.

Table 17.1 Options for ping switches

Option	Description
-t	Pings the specified host until stopped. To see statistics and continue, press Ctrl+Break; to stop, press Ctrl+C.
-a	Resolves addresses to hostnames.
-n count	Specifies the number of echo requests to send.
-l size	Sends the buffer size.
-f	Sets the Don’t Fragment flag in the packet (IPv4 only).
-i TTL	Specifies the Time to Live of the packet.
-v TOS	Specifies the type of service (IPv4 only).
-r count	Records the route for count hops (IPv4 only).
-s count	Specifies the time stamp for count hops (IPv4 only).
-j host-list	Uses a loose source route along the host list (IPv4 only).
-k host-list	Uses a strict source route along the host list (IPv4 only).
-w timeout	Specifies the time-out to wait for each reply in milliseconds.
-R	Uses the routing header to test the reverse route also (IPv6 only).
-S srcaddr	Specifies the source address to use.
-4	Forces using IPv4.
-6	Forces using IPv6.

You can ping your local TCP/IP interface by typing ping 127.0.0.1 or ping localhost. Understand that both addresses represent the local interface. Really, you can use any address in the 127.0.0.0 network range to provide a loopback test.

As you can see, there’s a plethora of options you can use with the ping command from a Windows DOS prompt. But I really want you to focus on a few from the previous output. (I’m going to go over only a few of them, but you can get on your host machine and play with all the options.)

The -a switch is very cool because if you have name resolution (such as a DNS server), you can see the name of the destination host even if you only know its IP address. The -n switch sets the number of echo requests to send, where four is the default, and the -w switch allows you to adjust the time-out in milliseconds. The default ping time-out is 1 second (1,000 ms).

The -6 is also nice if you want to ping an IPv6 host. By the way, unless you really love typing 128-bit addresses, this is a wonderful example of how important name resolution is. And then there’s -t, which keeps the ping running. Here’s an example of a ping to an IPv6 address:

C:Users lammle>ping &hyphen;6 fe80::1063:16af:3f57:fff9

Pinging fe80::1063:16af:3f57:fff9 from fe80::1063:16af:3f57:fff9%25

with 32 bytes of data:

Reply from fe80::1063:16af:3f57:fff9: time<1ms

Ping statistics for fe80::1063:16af:3f57:fff9:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:Users lammle>

From a MAC, you can use the ping6 command. Here are the options:

$ ping6

usage: ping6 [-DdfHmnNoqrRtvwW] [-a addrtype] [-b bufsiz] [-B boundif]

[-c count][-g gateway] [-h hoplimit] [-I interface] [-i wait] [-l preload][-p pattern] [-S sourceaddr] [-s packetsize] [-z tclass]

[hops ...] host

And if I want to have a continuous ping, I just use that -t option like this:

C:Users lammle>ping &hyphen;t 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time=7ms TTL=255

Reply from 192.168.0.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.0.1:

Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 7ms, Average = 2ms

Control-C

^C

C:Users lammle>

This ping will just keep going and going like the Energizer Bunny until you press Ctrl+C. And by the way, it’s an awesome tool for troubleshooting links.

Using the Address Resolution Protocol

The Address Resolution Protocol (ARP) is part of the TCP/IP protocol stack. It’s used to translate TCP/IP addresses to MAC addresses using broadcasts. When a machine running TCP/IP wants to know which machine on an Ethernet network is using a certain IP address, it will send an ARP broadcast that says, in effect, “Hey…exactly who is IP address xxx.xxx.xxx.xxx?” The machine that owns the specific address will respond with its own MAC address, supplying the answer. The machine that made the inquiry will respond by adding the newly gained information to its own ARP table.

In addition to the normal usage, the ARP designation refers to a utility in Windows that you can use to manipulate and view the local workstation’s ARP table.

The Windows ARP Table

The ARP table in Windows includes a list of TCP/IP addresses and their associated physical (MAC) addresses. This table is cached in memory so that Windows doesn’t have to perform ARP lookups for frequently accessed TCP/IP addresses like those of servers and default gateways. Each entry contains an IP address and a MAC address plus a value for TTL that determines how long each entry will remain in the ARP table.

Remember that the ARP table contains two kinds of entries:

Dynamic
Static

Dynamic ARP table entries are created whenever the Windows TCP/IP stack performs an ARP lookup but the MAC address isn’t found in the ARP table. When the MAC address of the requested IP address is finally found, or resolved, that information is then added into the ARP table as a dynamic entry. Whenever a request to send a packet to the host is sent to the Data Link layer, the ARP cache is checked first before an ARP broadcast is sent out. Remember, the ARP request is broadcast on the local segment—it does not go through a router.

The ARP table is cleared of dynamic entries whose TTL has expired to ensure that the entries are current.

Static ARP table entries serve the same function as dynamic entries but are made manually using the arp utility.

Using the arp Utility

You now know that ARP is a protocol included in the TCP/IP suite. You also understand that ARP is used by IP to determine the MAC address of a device that exists on the same subnet as the requesting device. When a TCP/IP device needs to forward a packet to a device on the local subnet, it first looks in its own table, called an ARP cache or mac address lookup table, for an association between the known IP address of the destination device on the local subnet and that same device’s MAC address. The cache is called that because the contents are periodically weeded out.

If no association that includes the destination IP address can be found, the device will then send out an ARP broadcast that includes its own MAC and IP information as well as the IP address of the target device and a blank MAC address field. Filling in that blank is the object of the whole operation—it’s the unknown value that the source device is requesting to be returned to it in the form of an ARP reply. Windows includes a utility called arp that allows us to check out the operating system’s ARP cache. To view this, from a Windows DOS prompt, use the arp command like this:

C:Uses lammle>arp

Displays and modifies the IP-to-Physical address translation tables used

by address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]

ARP -d inet_addr [if_addr]

ARP -a [inet_addr] [-N if_addr] [-v]

Table 17.2 describes the various options that you can use with the arp command.

Table 17.2 arp options

Option	Description
-a	Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
-g	Same as -a.
-v	Displays current ARP entries in verbose mode. All invalid entries and entries on the loopback interface will be shown.
inet_addr	Specifies an Internet address.
-N	Displays the ARP entries for the network interface specified by if_addr.
-d	Deletes the host specified by inet_addr. inet_addr may be wildcarded with * to delete all hosts.
-s	Adds the host, and associates the Internet address inet_addr with the physical address eth_addr. The physical address is given as six hexadecimal bytes separated by hyphens. The entry is permanent.
eth_addr	Specifies a physical address.
if_addr	If present, specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.

Sheesh. Looking at that output really makes me wish we were all just running IPv6 because, as you already should know, IPv6 doesn’t need ARP as well as many other annoying features and protocols required when running IPv4.

Of note, the Windows arp utility is primarily useful for resolving duplicate IP addresses. For example, let’s say your workstation receives its IP address from a DHCP server but it accidentally receives the same address that some other workstation gets. And so, when you try to ping it, you get no response. Your workstation is basically confused—it’s trying to determine the MAC address, and it can’t because two machines are reporting that they have the same IP address. To solve this little snag, you can use the arp utility to view your local ARP table and see which TCP/IP address is resolved to which MAC address.

To display the entire current ARP table, use the arp command with the –a switch like so to show you the mac address lookup table:

By the way, the –g switch will produce the same result.

Now, from this output, you can tell which MAC address is assigned to which IP address. Then, for static assignments, you can tell which workstation has a specific IP address and if it’s indeed supposed to have that address by examining your network documentation—you do have that record, right?

For DHCP-assigned addresses, you can begin to uncover problems stemming from multiple DHCP scopes or servers doling out identical addresses and other common configuration issues. And remember that under normal circumstances, you shouldn’t see IP addresses in the ARP table that isn’t a member of the same IP subnet as the interface.

If the machine has more than one network card (as may happen in Windows servers and on laptops with both Ethernet and wireless cards), each interface will be listed separately.

It’s good to know that in addition to displaying the ARP table, you can use the arp utility to manipulate the table itself. To add static entries to the ARP table, you use the arp command with the –s switch. These static entries will stay in the ARP table until the machine is rebooted. A static entry essentially hardwires a specific IP address to a specific MAC address so that when a packet needs to be sent to that IP address, it will automatically be sent to that MAC address. Here’s the syntax:

arp –s [IP Address] [MAC Address]

Simply replace the [IP Address] and [MAC Address] sections with the appropriate entries, like so:

arp –s 204.153.163.5 00–a0–c0–ab–c3–11

Now, take a look at your new ARP table by using the arp –a command. You should see something like this:

Finally, if you want to delete entries from the ARP table, you can either wait until the dynamic entries time out or use the –d switch with the IP address of the static entry you’d like to delete, like this:

arp –d 204.153.163.5

Doing so effectively deletes the entry from the ARP table in memory.

The arp utility doesn’t confirm successful additions or deletions (use arp -a or arp -g for that), but it will give you an error message if you use incorrect syntax.

Using the nslookup Utility

Whenever you’re configuring a server or a workstation to connect to the Internet, you’ve got to start by configuring DNS if you want name resolution to happen (that is, if you want to be able to type www.sybex.com instead of an IP address). When configuring DNS, it’s a very good thing to be able to test what IP address DNS is returning to ensure that it’s working properly. The nslookup utility allows you to query a name server and quickly find out which name resolves to which IP address.

The Unix dig (short for domain information groper) utility does the exact same thing as nslookup. It’s primarily a command-line utility that allows you to perform a single DNS lookup for a specific entity, but it can also be employed in batch mode for a series of lookups. Detailed information on this command is beyond the scope of this study guide, but you can find more information on the Web by searching for “unix dig.”

The nslookup utility comes with Windows NT and later as well as most versions of Unix and Linux, but not with Windows 95/98. You can run it from a Windows command prompt. At the command prompt, you can start the nslookup utility by typing nslookup and pressing Enter. When you’re inside this utility, the command prompt will change from something similar to a C:> sign to a shorter > sign. It will also display the name and IP address of the default DNS server you will be querying (you can change it, if necessary). Then you can start using nslookup. The following output gives you a sample of the display after the nslookup command has been entered at the C:> prompt.

C:Users lammle>nslookup

Default Server: gnt-corpdc1.globalnet.local

Address: 10.100.36.12

>

The primary job of nslookup is to tell you the many different features of a particular domain name, the names of the servers that serve it, and how they’re configured. To get that, just type in a domain name at the > prompt, and the nslookup utility will then return this information:

> lammle.com

Server: dslmodem.domain.actdsltmp

Address: 192.168.0.1

The non-authoritative answer is as follows:

Name: lammle.com

Address: 206.123.114.186

What this tells you is that the server that returned the information is not responsible (authoritative) for the zone information of the domain for which you requested an address and that the name server for the domain lammle.com is located at the IP address 206.123.114.186.

You can also ask nslookup for other information by setting a different option within nslookup. Just type set option at the > prompt and replace option with the actual option you want to use—for example, use >set type=mx to determine the IP address of your email server. If you can’t decide which one you want, use the question mark (?) at the greater than sign (>) to see all available options.

If you type in nslookup and receive the reply

NS request timed out.

timeout was 2 seconds.

***Can't find server name for address 206.123.114.186: Timed out

Default Server: UnKnown

Address: fec0:0:0:ffff::1

then you know your DNS servers are not answering. You need to get over to the DNS server, stat!

Resolving Names with the Hosts Table

The Hosts table is really a lot like DNS, except its entries are static for each and every host and server. Within the Hosts table, you’ll find a collection of hostnames that devices reference for name-resolution purposes. And even though it works in both IPv4 and IPv6 environments, it’s unlikely you will use it these days because the Hosts table is a way-ancient relic left over from old Unix machines.

But just because it’s museum quality doesn’t mean you won’t run into it now and then, which is the main reason I’m showing it to you. You can find the Hosts table in C:WindowsSystem32driversetc. Just double-click the file, and then choose to open the file in Notepad or another text editor. Here’s the default information—it’s really nothing more than an explanation of how to use it and the local hosts for both IP and IPv6:

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

::1 localhost

Any information entered to the right of a pound sign (#) in a Hosts file is ignored, so you can use this space for comments.

Because it’s a plain ASCII text file, you add the IP address under the local hosts and then the name to which you want to resolve the IP address. It’s a pretty simple configuration, and again, one I don’t recommend using because you have to type in the names of every host on every machine in your network. DNS is definitely the name resolution of choice for networks today.

Do not get the Hosts table confused with the hostname command. The hostname command doesn’t do much but display the name of your host, as shown here:

C:Users lammle>hostname /?

Prints the name of the current host.

hostname

C:Users lammle>hostname

globalnet-todd

Using the Mtr Command (pathping)

Mtr, or My traceroute, is a computer program that combines the functions of the traceroute and ping utilities in a single network diagnostic tool. It also adds round-trip time and packet loss to the output—very cool.

Mtr probes routers on the route path by limiting the number of hops individual packets are allowed to traverse and listening to news of their termination. It will regularly repeat this process (usually once per second) and keep track of the response times of the hops along the path.

Mtr is great if you have Linux or Unix, but by default, it’s not installed on Windows devices. Third-party applications of Mtr are available to install on Windows, but Microsoft did respond with its own version of Mtr—it’s called pathping and it provides the same functions as Mtr. Here’s a look at the output and the options:

C:Users lammle>pathping

Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n]

[-p period] [-q num_queries] [-w timeout]

[-4] [-6] target_name

Table 17.3 lists the options of the Windows pathping command.

Table 17.3 pathping options

Option	Description
-g host-list	Uses a loose source route along the host list.
-h maximum_hops	Specifies the maximum number of hops to search for the target.
-i address	Uses the specified source address.
-n	Does not resolve addresses to hostnames.
-p period	Waits period milliseconds between pings.
-q num_queries	Specifies the number of queries per hop.
-w timeout	Waits timeout milliseconds for each reply.
-4	Forces using IPv4.
-6	Forces using IPv6.

The Mtr utility is basically the same as traceroute and ping, but it does give you some additional output that can help you troubleshoot your network.

Using the Nmap Utility

Nmap is one of the most popular port scanning tools used today. After performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received. These flags are used to control the TCP connection process and so are present only in TCP packets. Figure 17.5 show a TCP header with the important flags circled. Normally flags are “turned on” because of the normal TCP process, but hackers can craft packets to check the flags they wants to check.

Image shows TCP flags with details such as source port, destination port, sequence number, acknowledgement number, data offset, reserved, flags (URG, ACK, PSH, RST, SYN, and FIN), and so on. — **Figure 17.5** TCP flags

Figure 17.5 shows these flags, among others:

URG: Urgent pointer field significant
ACK: Acknowledgment field significant
PSH: Push function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender

While application of a scan and interpretation of the responses are beyond the scope of this book, security analysts and hackers alike can perform scans with these flags set in the scan packets to get responses that allow them to determine the following information:

If a port is open on a device
If the port is blocked by a firewall before its gets to the device

Nmap can also be used as follows:

To determine the live hosts on a network
To create a logical “map” of the network

Using the route Command

I went over static routing in Chapter 9, “Introduction to IP Routing,” so you know that Windows devices like routers perform routing. Most of the time, it’s a good idea to leave Windows alone, but it’s still good to know how to add and delete routes on your Windows machines.

Probably the biggest reason for manipulating the routing table on a Windows server is to create a firewall. For instance, let’s say we’re running an Application layer firewall on a Windows server located between the demilitarized zone (DMZ) and the internal network. This scenario would mean the routing that’s happening on the server or hosts located in the DMZ wouldn’t be able to reach the internal network’s hosts and vice versa.

To circumvent this problem, we would need to employ both static and default routing because while Windows 10 and Windows Server versions support some routing protocols, running routing protocols on hosts and servers wouldn’t be a good solution for today’s networks, and Microsoft knows that.

To view the routing table on a Windows device, use the route print command, as shown in Figure 17.6.

In this output, you can see that each of the routes were added automatically when the system booted up. (This is all based on the configuration of your IP stack.) To see all the options available with the route command, type the route command and then press Enter. To add a route to your routing table, use the following syntax:

route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]

Using the route Command Options

Let’s start with the switches you can use:

-f Using this command with any of the options like add, change, or delete will clear the routing table of all entries that aren’t host routes (routes with the subnet mask 255.255.255.255), the loopback network route or routes (routes with a destination of 127.0.0.0 and the subnet mask 255.0.0.0), and any multicast routes (those with a destination of 224.0.0.0 and the subnet mask 240.0.0.0).

-p If you use this with the add command, the individual route will be added to the Registry and then used to initialize the IP routing table whenever TCP/IP is started. Important to remember is that by default, the routes you’ve statically added won’t remain in the routing table the next time TCP/IP boots. And if you use -p with the print command, you’ll get shown a list of the persistent routes that are stored in the Registry location of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersPersistentRoutes.

Now, let’s take a look at how and when you would use the route command. Table 17.4 shows the command options available and what they do when you are using the route command with them.

Table 17.4 route command options

Command	Purpose
add	Adds a route
change	Modifies an existing route
delete	Deletes a route (or routes)
print	Prints a route (or routes)

Here’s a description of some other tasks you can accomplish via the rest of the command’s options:

Destination This will give you the network destination of a given route. If the host bits of the network address are set to 0, it will be depicted with the destination’s IP network address, an IP address for a specific host route, or the default route of 0.0.0.0.

mask netmask This will provide you with the netmask—often referred to as the subnet mask—that’s associated with the destination network. The default destination subnet mask is 0.0.0.0, and typically you’ll see 255.255.255.255 representing a host route. It’s really important to remember that the destination address can’t be more specific than its corresponding subnet mask. What I’m saying is that there absolutely can’t be a bit set to 1 in the destination address if the equivalent bit in the subnet mask is a 0.

Gateway The gateway also depends on the network address and subnet mask, but it’s even more specific and delimits what’s called the next-hop IP address. For routes located on a local subnet, the gateway address maps directly to a particular interface. If the destination is on a remote network, the gateway IP address will direct packets to the neighboring router.

metric metric Metric refers to the cost of a given route from the sending to the receiving device, and it’s a value between 1 and 9999. Devices use this value to choose the best, or most efficient, routes among those in its routing table—the route with the lowest value wins. This decision can also include factors like the number of hops and the speed, reliability, and available bandwidth of the path being considered plus the various administrative aspects associated with it.

if interface This tool depends on information from the gateway address and determines the interface index for the specific interface that needs to receive the data. You can get a list of interfaces along with their relevant interface indexes by typing the route print command.

/? Using this will allow you to view help at the command prompt.

Some Examples of the route Command

Even though the finer points of the route command demand that you use caution when deploying some of the options, I’ll still list the basics of the route command because it can be really useful. I highly recommend that you spend some time practicing them on a non-production server, though—especially at first.

To display the entire IP routing table, type route print.
To add a default route with the default gateway address 192.168.10.1, type route add 0.0.0.0 mask 0.0.0.0 192.168.10.1.
To add a route to the destination 10.1.1.0 with the subnet mask 255.255.255.0 and the next-hop address 10.2.2.2, type route add 10.1.1.0 mask 255.255.255.0 10.2.2.2.
If you want to, let’s say, add a persistent route to the destination 10.100.0.0 with the subnet mask 255.255.0.0 and the next-hop address 10.2.0.1, type route -p add 10.100.0.0 mask 255.255.0.0 10.2.0.1. If you want to delete the route to the destination 10.100.0.0 with the subnet mask 255.255.0.0, enter route delete 10.100.0.0 mask 255.255.0.0.
And finally, if you want to change the next-hop address of a route with the destination 10.100.0.0 and the subnet mask 255.255.0.0 from 10.2.0.1 to 10.7.0.5, type route change 10.100.0.0 mask 255.255.0.0 10.7.0.5.

Let’s move on to some other important Windows utilities.

Using the nbtstat Utility

Microsoft Windows uses an interface called Network Basic Input/Output System (NetBIOS), which relates names with workstations and is an upper-layer interface that requires a transport protocol—usually TCP/IP. But IPv6 can be used as well. Deploying the nbtstat utility will achieve these three important things:

Track NetBIOS over TCP/IP statistics
Show the details of incoming and outgoing NetBIOS over TCP/IP connections
Resolve NetBIOS names

Understand that because NetBIOS name resolution is primarily a Windows network utility, the nbtstat command is available only in Windows-based operating systems.

To display a basic description of nbtstat and its associated options, type nbtstat at the command line. Then, use these options to get a display of information about NetBIOS over TCP/IP hosts. Here are some of the tools, or switches, you can use:

–a	–A
–c	–n
–r	–R
–S	–s

All nbtstat switches are case sensitive. Generally speaking, lowercase switches deal with NetBIOS names of hosts, and the uppercase ones deal with the TCP/IP addresses of hosts.

The –a Switch

Making use of the –a switch will get you a remote machine’s NetBIOS name table consisting of a list of every NetBIOS name the machine from which you’ve deployed the switch knows of. The –a switch produced the output from server S1 shown in Figure 17.7.

So, using this switch arranges the NetBIOS name-table information in table form with output in four columns. The Name column displays the NetBIOS name entry for the remote host machine.

The next column gives you a unique two-digit hexadecimal identifier for the NetBIOS name. This identifier represents the last byte of the NetBIOS name depicted in the Name column, and it’s important because the same name could actually be used several times for the same machine. Plus, it identifies the specific service on the particular host that the name is referencing. Table 17.5 and Table 17.6 list the hexadecimal identifiers for unique and group hostnames.

Table 17.5 Last-byte identifiers for unique names

Hex ID	Description
00	General name for the computer.
03	Messenger service ID used to send messages between a WINS server and a workstation. This is the ID registered with a WINS server.
06	Remote Access Server (RAS) server service ID.
20	File-serving service ID.
21	RAS client.
53	DNS.
123	Network Time Protocol (NTP).
1B	Domain master browser ID. A NetBIOS name with this ID indicates the domain master browser.
1F	Network Dynamic Data Exchange (NetDDE) service ID.
BE	Network monitor agent ID.
BF	Network monitor utility ID.

The Type column refers to (surprise) the type of NetBIOS name being referenced. Unique NetBIOS names refer to individual hosts, and group names refer to logical groupings of workstations—either domains or workgroups.

The Status column gives you information about the status of a host’s NetBIOS even if it hasn’t been registered with the rest of the network.

Table 17.6 Last-byte identifiers for group names

Hex ID	Description
01	Master browser for a domain to other master browsers.
20	Internet group name ID. This ID is registered with the WINS server to indicate which computers are used for administrative purposes.
1C	Domain group name ID.
1D	Master browser name.
1E	Normal group name.

The –A Switch

The –A switch works just like the –a switch and will give you the same output, but the syntax of the command is different. Obviously, you use an uppercase A instead of a lowercase one, and you also have to include the host’s IP address instead of its NetBIOS name. To use it, type nbtstat followed by –A and finally the IP address of the specific host whose NetBIOS table you want to check out:

nbtstat –A 199.153.163.2

The –c Switch

Use the –c switch to display the local NetBIOS name cache on the workstation it’s running on. Figure 17.8 shows sample output of the nbtstat –c command.

Image shows sample output of nbtstat -c command that displays “Node IpAddress: [204.153.163.4] Scope Id: [] NetBIOS Remote Cache Name Table, Name, Type, Host address, Life,..” — **Figure 17.8** Sample output of the nbtstat –c command

Each entry in this display shows the NetBIOS name, the hex ID for the service that was accessed, the type of NetBIOS name (unique or group), the IP address that the name resolves to, and its life. The Life value shows how many seconds each entry will live in the cache. When this time expires, the entry will be deleted.

Sometimes, deploying nbtstat to display the cache will get you the response “No names in the cache” because all entries in the cache have expired. This is what happens if you don’t regularly access machines or services with NetBIOS names.

The –n Switch

The –n switch will give you the local NetBIOS name table on a Windows device. Figure 17.9 shows output that’s similar to the output of the –a switch except for one important thing: What you’re seeing is the NetBIOS name table for the machine you’re running the command on instead of that of another host. Check it out.

Image shows sample output of nbtstat -n command that displays “Node IpAddress: [204.153.163.4] Scope Id: [] NetBIOS Local Name Table, Name, Type, Status,..” — **Figure 17.9** Sample output of the nbtstat –n command

The –r Switch

This switch is probably the one you’ll use most often when you want to get a hold of NetBIOS over TCP/IP (NBT) statistics because it tells you exactly how many NetBIOS names have been resolved to TCP/IP addresses. Figure 17.10 shows sample output of the nbtstat –r command.

What you can see here is that the statistics are divided into two categories. First, there are the NetBIOS names resolution and registration statistics. This is how many names have been resolved or registered either by broadcasts on the local segment or via lookup from a WINS name server.

Next you have the NetBIOS unique and group names and their associated hex IDs that were resolved or registered. In Figure 17.10, you can see that there’s a distinct lack of information regarding names resolved by a name server. What this means is that the output is telling you that there’s no WINS server operating—instead, all NetBIOS names were resolved by broadcast only.

Image shows sample output of nbtstat -r command that displays “C:>nbtstat -r NetBIOS Name Resolution and Registration Statistics, Resolved by Broadcast,..” — **Figure 17.10** Sample output of the nbtstat –r command

The –r switch comes in handy when you want to determine how a workstation is resolving NetBIOS names and whether WINS is configured correctly. If WINS isn’t configured correctly or it’s simply not being used, the numbers in the Resolved By Name Server and Registered By Name Server categories will always be zero.

The –R Switch

Unlike the –a and –A switches, -r and -R use the same letter but do not have anything in common.

Here’s an example. Let’s say you have a bad name in the NetBIOS name cache but the right name is in the LMHOSTS file instead. (The LMHOSTS file contains NetBIOS names of stations and their associated IP addresses.) Because the cache is consulted before the LMHOSTS file is, that bad address will remain in the cache until it expires.

This command is used when you want to purge the NetBIOS name table cache and reload the LMHOSTS file into memory. You do that using the nbtstat command with the –R switch, like so:

nbtstat –R

You can practice this nbtstat -R command on your host to purge the NBT remote cache table.

The –S Switch

Using the -S switch will display the NetBIOS sessions table that lists all NetBIOS sessions to and from the host from which you issued the command. The –S switch displays both workstation and server sessions but lists remote addresses by IP address only.

Figure 17.11 shows sample output of the nbtstat –S command.

Here you can see the NetBIOS name being displayed along with its hex ID and the status of each session. An entry in the In/Out column determines whether the connection has been initiated from the computer on which you’re running nbtstat (outbound) or whether another computer has initiated the connection (inbound). The numbers in the Input and Output columns indicate in bytes the amount of data transferred between the stations.

The –s Switch

As with the –A and –a switches, the lowercase –s switch is similar to its uppercase sibling. The nbtstat –s command produces the same output as nbtstat –S except that it will also attempt to resolve remote-host IP addresses into hostnames. Figure 17.12 shows sample output from the nbtstat –s command.

Image shows sample output of nbtstat -s command that displays “C:>nbtstat -s NetBIOS connection table, Local Name, State, In/Out, Remote Host, Input, and Output. — **Figure 17.12** Sample output of the nbtstat –s command

Note the similarities between Figure 17.11 and Figure 17.12.

As with the netstat command, with the nbtstat command you can place a number for an interval at the end to direct it to deploy once every so many seconds until you press Ctrl+C.

Using the netstat Utility

Using netstat is a great way to check out the inbound and outbound TCP/IP connections on your machine. You can also use it to view packet statistics like how many packets have been sent and received, the number of errors, and so on.

When used without any options, netstat produces output similar to the following, which shows all the outbound TCP/IP connections. This utility is a great tool to use to determine the status of outbound web connections. Take a look:

The Proto column lists the protocol being used. You can see that I’m connected to my Exchange server and an FTP server and that I have some HTTP sessions open; by the way, all of them use TCP at the Transport layer.

The Local Address column lists the source address and the source port (source socket). The Foreign Address column lists the address of the destination machine (the hostname if it’s been resolved). If the destination port is known, it will show up as the well-known port. In the previous output, you see http instead of port 80 and ftp instead of port 21.

The State column indicates the status of each connection. This column shows statistics only for TCP connections because User Datagram Protocol (UDP) establishes no virtual circuit to the remote device. Usually, this column indicates ESTABLISHED when a TCP connection between your computer and the destination computer has been established. All sessions eventually time out and then close, and you can see that I have all of these listed in my netstat output.

If the address of either your computer or the destination computer can be found in the HOSTS file on your computer, the destination computer’s name, rather than the IP address, will show up in either the Local Address or Foreign Address column.

The output of the netstat utility depends on the switch. By using the netstat /? command, we can see the options available to us.

C:Users lammle>netstat /?

All of the netstat switch options are listed in Table 17.7.

Table 17.7 netstat options

Option	Description
-a	Displays all connections and listening ports.
-b	Displays the executable involved in creating each connection or listening port. In some cases, well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. Note that this option can be time consuming and will fail unless you have sufficient permissions.
-e	Displays Ethernet statistics. This may be combined with the -s option.
-f	Displays fully qualified domain names (FQDNs) for foreign addresses.
-n	Displays addresses and port numbers in numerical form.
-o	Displays the owning process ID associated with each connection.
-p proto	Shows connections for the protocol specified by proto; proto may be TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r	Displays the routing table.
-s	Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-t	Displays the current connection offload state. Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics. If -t is omitted, netstat will print the current configuration information once.

Simply type netstat followed by a space and then the particular switch you want to use. Some switches have options, but no matter what, the syntax is basically the same.

Note that with Unix-type switches, the hyphen absolutely must be included. This is common in Microsoft operating systems for TCP/IP utilities that originate from Unix systems. I’m not going to exhaustively go over each and every switch, but make sure you practice all of these on your own Windows machine.