Wi-Fi Analyzers

When deploying and troubleshooting wireless networks, you must have some way to determine signal levers, noise readings, SSIDs, and interference to resolve most Wi-Fi related issues. Wi-Fi analyzers can look into the air and gather valuable information so you can see what is healthy and what is not. Using Wi-Fi analyzers, you can see the Wi-Fi coverage in an area and use that information for optimal access-point placement to get complete coverage and avoid dead spots.

Many vendors now have Wi-Fi analyzers built into access points and client software running on your laptop. Wireless controllers that manage multiple access points can also act as an analyzer and gather data from many access points in your network to give you a consolidated view of coverage, interference, and signal reception levels.

Protocol Analyzer/Packet Capture

Protocol analyzers, also called sniffers or network monitors, are used to capture packets in their raw format as they cross the network. Windows desktop operating systems before Windows Vista came with a built-in protocol analyzer called Network Monitor, but that is no longer the case, although you can download one for free that will work with the newer operating systems.

The Network Monitor tool that comes with these operating systems will capture only packets that are sourced from or destined to the computer on which the tool is running. Commercial sniffers like Wireshark and Omnipeek can capture any packets because they set the NIC to operate in promiscuous mode, which means the NIC processes all packets that it sees.

Protocol analyzers can be used to determine the type of traffic that you have in your network, and depending on the product and the bells and whistles contained therein, you may be able to sort the results based on port numbers, protocols, and so on. Another use of a sniffer is to examine the traffic that should be occurring on the network when something is not working to aid in troubleshooting. These devices can capture and display all packets involved in the connection setup, including, for example, request and response headers to a web server.

Let's review the series of four packet types that must occur for a DHCP client to receive an IP configuration from the server. As a review, those packets are as follows:

• DHCP Discover
• DHCP Offer
• DHCP Request
• DHCP ACK

If you turned on the analyzer and then executed the ipconfig/release and ipconfig/renew commands on the client (more on those commands later in this chapter), you should see these four packets in the analyzer's capture file. The packets would be interspersed with the hundreds and perhaps thousands of other packet types that would be captured, but by using the display filtering options in the software, you can easily segregate out the DHCP traffic. An example of the DHCP process, as seen in a capture, is shown in Figure 25.1.

If all you saw in the capture were the DHCP Discover packets with no DHCP Offer packets, you could reasonably assert that the DHCP server is not receiving the DHCP Offer packets (perhaps the DHCP server is located in another broadcast domain or perhaps it is not on). Additionally, you could examine fields in the DHCP Offer packets that may tell you that the DHCP server is out of addresses. The point is that the tool can be used to troubleshoot the issue.

Bandwidth Speed Testers

Users of a network often complain about the speed of the network. Network “speed” is in some ways a personal perception because some people have more patience than others. To determine when a network slowdown is real as opposed to perceived, you need to actually measure the throughput. That's what throughput testers are used for.

These devices, typically software based, work much like a protocol analyzer in that they measure the traffic seen on the network and can also classify the types of traffic that are eating up your bandwidth (which is probably what you really need to know). Figure 25.2 shows one version of this software by TamoSoft.

This software is installed on a server and also on a client. In the figure, the software is measuring traffic between the client and a server. It shows the throughput for traffic in real time and in this shot is breaking that traffic up by unicast (TCP) and broadcast (UDP) types and by direction.

Earlier in this book, I discussed the importance of baselines, and this is another area where they are important. Network throughput figures mean little without a baseline with which comparisons can be made. How do you know what is abnormal when you don't know what normal is? Baselines should be taken when the network is operating well, but they should also be taken when the traffic load is normal.

IPerf is an open-source software tool that measures network throughput and is very handy for testing and creating baselines of your network. The software runs as a server on one end and a client on the other.

IPerf can run on both Linux and Windows operating systems. It is highly customizable, allowing you to specify if you want to use TCP or UDP and also the port numbers and packet size to use.

After the test is run, reports are generated that give you throughput, the parameters used, and a timestamp.

Port Scanners

A port scanner is a software tool designed to search a host for open ports. Those of us administering our networks use port scanners to ensure their security, but bad guys use them to find a network's vulnerabilities and compromise them. To port scan means to scan for TCP and UDP open ports on a single target host either to legitimately connect to and use its services for business and/or personal reasons or to find and connect to those ports and subsequently attack the host and steal or manipulate it for nefarious reasons.

In contrast, port sweeping means scanning multiple hosts on a network for a specific listening TCP or UDP port, like SQL. (SQL injection attacks are super common today.) This just happens to be a favorite approach used by hackers when trying to invade your network. They port sweep in a broad manner, and then, if they find something—in this case, SQL—they can port scan the particular host they've discovered with the desired service available to exploit and get what they're after. This is why it's a really good idea to turn off any unused services on your servers and routers and to run only the minimum services required on every host machine in your network. Do yourself a big favor and make sure this is in your security policy.

NetFlow Analyzers

The NetFlow protocol allows for the viewing and analysis of application-level traffic across an interface. NetFlow is a step above SNMP in that it looks at the actual conversations taking place on your network and, based on that information, allows you to gain deep visibility of what traffic is moving across your network.

NetFlow collects information on each unique traffic flow into and out of a network device interfaces. NetFlow collects source and destination addresses, application information, and quality of service (QoS) data and is very helpful in troubleshooting causes of networking problems.

A flow exporter is a network device such as a router that monitors traffic flowing in and out of an interface and exports not the complete packet but a summary of its contents to a flow collector. A flow collector is a server on the network that receives the flows from multiple exporters and consolidates the NetFlow data in a centralized storage location.

A NetFlow application then analyzes the data and creates reports, charts, graphs, and sometimes analytics on the received information.

Trivial File Transfer Protocol (TFTP) Server

When the time comes to upgrade the software on a piece of networking equipment such as a switch or router, the code is downloaded from the vendor site to your laptop or a management server. Then steps are taken to transfer the code to the actual device. One of the most common methods is to use the Trivial File Transfer Protocol (TFTP) as it is supported by all vendors.

A TFTP server is a small application that is available from a wide variety of developers as freeware for Windows and Linux computers. All that is needed is to run the TFTP server on your local machine and point its source directory to the location of the file to upload. Then from the network device, specify the IP address of the TFTP server and the name of the file you want to upload. TFTP is designed to be a simple, effective, and fast method to upload code to a network device.

Connectivity Software

There are times when you need to make a remote connection to a machine to perform troubleshooting but you are miles away. Connectivity software is designed to allow you to make a connection to the machine, see the desktop, and perform any action you could perform if you were sitting in front of it.

Microsoft has made what it calls Remote Desktop software available for free with Windows products since Windows NT. When this software is installed (by default in later versions) on both source and destination computers, a remote desktop connection can be made.

Commercial tools are also available that (of course) claim to have more functionality, and they probably do have a few extra bells and whistles. These include LogMeIn.com, GoToMyPC, and others. Figure 25.3 shows the window for a LogMeIn.com session.

The advantages of these connectivity tools are obvious. With these tools, you can do anything you need to on the machine as long as you can connect. They also allow you to see what a user is actually doing when they encounter a problem rather than having to rely on what they tell you they are doing. You can even show a user what they are doing wrong. Most of these tools allow for chat sessions and for either end of the connection to take control of the machine. You can also transfer files to them if required (maybe a DLL got deleted, for example).

For networking, it is common to access the device’s command-line interface remotely. This will require you to use terminal emulation software. Today the Telnet protocol is rarely used because it has no security and all data is sent unencrypted. Secure Shell (SSH) is the preferred method of accessing a remote device command line from across a network. There are many free and commercial terminal emulation packages for you to use. The most common open-source emulator is PuTTY, and it supports Telnet, SSH, and serial interfaces. PuTTY is widely used and found in almost every networking shop. As for commercial packages, SecureCRT is popular and has an extensive feature set.

IP Scanner

It is often very helpful to know what is running on a server or networking device. Scanners can tell you what IP addresses are active and what they are “listening for.” All IP applications have an associated port number that is open for incoming connections, such as port 80 for HTTP and 443 for HTTPS. An IP scanner can be run on your local computer and will scan for open ports on each IP host. However, be very careful doing this on live production networks because security appliances such as Intrusion and firewall systems may generate an alarm when they detect scans as it may be an indication of fingerprinting your network by hackers.

Scanners can be used for network mapping by listing all of the active IP addresses in each subnet and what applications are running on them. There are many commercial and open-source scanners available on the market. Many have advanced features such as listing bugs and vulnerabilities of a scanned device and providing information on remediation.

Using the ipconfig Utility

With the new Mac, Windows 10, and Windows Server 2019 operating systems, you can now see the IPv6 configuration because IPv6 is enabled by default. The output of the ipconfig command provides the basic routed protocol information on your machine. From a DOS prompt, type ipconfig, and you'll see something like this:

C:Users	lammle>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : domain.actdsltmp
   Link-local IPv6 Address . . . . . : fe80::2836:c43e:274b:f08c%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
 
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . : qwest.net
   Link-local IPv6 Address . . . . . : fe80::20e7:7fb8:8a00:832b%10
   IPv4 Address. . . . . . . . . . . : 10.0.1.198
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21b:63ff:fef3:3694%10
                                       10.0.1.1
 
Tunnel adapter Local Area Connection* 6:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
 
Tunnel adapter Local Area Connection* 7:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
 [output cut for brevity]

Wow, there sure are a lot of options in this output compared to the output for earlier versions of Windows! First, what's up with all these interfaces showing? I only have two—one Ethernet and one wireless. You can see that my Ethernet adapter shows up first, and it has an IP address, a mask, and a default gateway plus an IPv6 address and a DNS suffix. The next configured interface is the wireless local area network (LAN) adapter, which has an IP address, a mask, a default gateway, an IPv6 address, and the IPv6 default gateway as well. This IPv6 default gateway address is simply my router advertising that it runs IPv6 and saying, “I am the way out of the local LAN!”

The next adapters are disconnected because they are logical interfaces and I'm not using them—my machine actually shows eight, but I cut the output because it provides no new information. They're automatically inserted because IPv6 is installed and running on my machine, and these adapters allow me to run IPv6 over an IPv4-only network.

But just in case the ipconfig command doesn't provide enough information for you, try the ipconfig /all command—talk about details. Here's the beginning of that output:

C:Users	lammle>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : globalnet-todd
   Primary Dns Suffix  . . . . . . . : globalnet.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : globalnet.local
                                       domain.actdsltmp
                                       qwest.net
 
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : domain.actdsltmp
   Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit 
Network Connection
   Physical Address. . . . . . . . . : 00-1E-37-D0-E9-35
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2836:c43e:274b:f08c%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, October 20, 2008 9:08:36 AM
   Lease Expires . . . . . . . . . . : Tuesday, October 21, 2008 9:08:39 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       205.171.3.65
   NetBIOS over Tcpip. . . . . . . . : Enabled
 

Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . : qwest.net
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1F-3B-3F-4A-D9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::20e7:7fb8:8a00:832b%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.1.198(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, October 20, 2008 10:43:53 AM
   Lease Expires . . . . . . . . . . : Monday, October 20, 2008 2:43:53 PM
   Default Gateway . . . . . . . . . : fe80::21b:63ff:fef3:3694%10
                                       10.0.1.1
   DHCP Server . . . . . . . . . . . : 10.0.1.1
   DNS Servers . . . . . . . . . . . : 10.0.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter Local Area Connection* 6:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.globalnet.local
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 7:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{9572A79F-3A58-4E9B- 
9BD0-8F6FF2F058FC}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
[output cut]

As you can see, it's more of the same—a whole lot more. The most important thing I want you to notice is that I've received the hardware information about each interface, including the Media Access Control (MAC) address. Also significant is that I can see the Dynamic Host Configuration Protocol (DHCP) lease times and DNS addresses now.

But why stop here? There are two more valuable options you need to use with the ipconfig command. They are /release and /renew.

When you change networks, you need to get the IP address of that subnet and/or virtual LAN (VLAN). Windows 10 works most of the time without doing anything, but sometimes I do have to renew the IP configuration when changing networks. But that's easy—just type ipconfig /renew from a command prompt, and if you're connected to a DHCP server that's available, you'll then magically receive an IP address.

Now, if it still doesn't work, you'll need to release and renew your TCP/IP settings. To release your current DHCP TCP/IP information, you must elevate your command prompt or you'll get this warning:

C:Users	lammle>ipconfig /release
The requested operation requires elevation.
C:Users	lammle>

Should this happen to you, left-click in the search box in the lower-left menu bar, then type in command prompt, right-click on the command prompt icon, and choose Run As Administrator. (Of course, you'll have to enter your name and password to do this if you are using Windows 10. But we love Windows 10, right? Okay, maybe not always.) Figure 25.4 shows how I did this.

Once your command prompt has been duly elevated, you can use the ipconfig /release command and then the ipconfig /renew command to get new TCP/IP information for your host.

Using the ifconfig Utility

There is a utility in Linux/Unix/Mac that will give you information similar to what ipconfig shows. It's called ifconfig (short for interface configuration). Although ipconfig and ifconfig show similar information, there are major differences between these two utilities. The ipconfig utility is mainly used to view the TCP/IP configuration for a computer. You can use ifconfig to do the same thing, but ifconfig can also be used to configure a protocol or a particular network interface.

The general syntax of the ifconfig command is as follows:

ifconfig interface [address [parameters]]

The interface parameter equals the Unix name of the interface, such as eth0. If the optional address parameter is specified, the ifconfig command sets the IP address for the interface to the address you've specified. When the ifconfig command is used by itself with no parameters, all configured interfaces will be reported on. But if only the interface name is specified, you'll get output that looks like this:

# ifconfig eth0
eth0  Link encap 10Mbps Ethernet  HWaddr 00:00:C0:90:B3:42
inetaddr 172.16.0.2 Bcast 172.16.0.255 Mask 255.255.255.0 UP 
BROADCAST RUNNING  MTU 1500  Metric 0
   RX packets 3136 errors 217 dropped 7 overrun 26
   TX packets 1752 errors 25 dropped 0 overrun 0

Looking at this, we can see that the eth0 interface is a 10 Mbps Ethernet interface. The interface's MAC and IP address information is displayed in this output as well. And, although not shown in the output, the ifconfig tool can show you the DNS information configured on the host.

Using the ip Utility

Newer versions of the Linux operating system have added the ip utility to replace the ifconfig command. This command serves the same purpose as ifconfig and is used to assign an address to a network interface and/or configure network interface parameters on Linux operating systems.

The ip command allows us to find out what interfaces are configured on the computer, view and configure their IP values, take an interface up or down, configure routing, display network status information, view and configure multicast values, view the ARP table, add or remove static routes, and view the host's routing table.

For example, to add the IP address of 192.168.1.1 to interface Ethenrnet0, use the following command:

#ip a add 192.168.1.1/255.255.255.0 dev eth0Using the iptables utility

Examples of iptables

To block a connection from the device at 192.168.10.1, use this command:

iptables -A INPUT -s 192.168.10.1 -j DROP

To block all connections from all devices in the 172.16.0.0/16 network, use this command:

iptables -A INPUT -s 172.16.0.0/16 -j DROP

Here is the command to block SSH connections from 10.110.61.5:

iptables -A INPUT -p tcp --dport ssh -s 10.110.61.5 -j DROP

Use this command to block SSH connections from any IP address:

iptables -A INPUT -p tcp --dport ssh -j DROP

The following command is used to save the changes in Ubuntu:

sudo /sbin/iptables-save

In Red Hat/CentOS, use either of the following commands:

/sbin/service iptables save
/etc/init.d/iptables save

The Windows ARP Table

The ARP table in Windows includes a list of TCP/IP addresses and their associated physical (MAC) addresses. This table is cached in memory so that Windows doesn't have to perform ARP lookups for frequently accessed TCP/IP addresses like those of servers and default gateways. Each entry contains an IP address and a MAC address plus a value for TTL that determines how long each entry will remain in the ARP table.

Remember that the ARP table contains two kinds of entries:

• Dynamic
• Static

Dynamic ARP table entries are created whenever the Windows TCP/IP stack performs an ARP lookup but the MAC address isn't found in the ARP table. When the MAC address of the requested IP address is finally found, or resolved, that information is then added into the ARP table as a dynamic entry. Whenever a request to send a packet to the host is sent to the Data Link layer, the ARP cache is checked first before an ARP broadcast is sent out. Remember, the ARP request is broadcast on the local segment—it does not go through a router.

Static ARP table entries serve the same function as dynamic entries but are made manually using the arp utility.

Using the route Command Options

Let's start with the switches you can use:

• -f   Using this switch with any of the options like add, change, or delete will clear the routing table of all entries that aren't host routes (routes with the subnet mask 255.255.255.255), the loopback network route or routes (routes with a destination of 127.0.0.0 and the subnet mask 255.0.0.0), and any multicast routes (those with a destination of 224.0.0.0 and the subnet mask 240.0.0.0).

  

• -p   If you use this with the add command, the individual route will be added to the Registry and then used to initialize the IP routing table whenever TCP/IP is started. Important to remember that by default, the routes you've statically added won't remain in the routing table the next time TCP/IP boots. And if you use -p with the print command, you'll get shown a list of the persistent routes that are stored in the Registry location of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersPersistentRoutes.

Now, let's take a look at how and when you would use the route command. Table 25.4 shows the command options available and what they do when you are using the route command with them.

Here's a description of some other tasks you can accomplish via the rest of the command's options:

• Destination   This will give you the network destination of a given route. If the host bits of the network address are set to 0, it will be depicted with the destination's IP network address, an IP address for a specific host route, or the default route of 0.0.0.0.
• mask netmask   This will provide you with the netmask—often referred to as the subnet mask—that's associated with the destination network. The default destination subnet mask is 0.0.0.0, and typically you'll see 255.255.255.255 representing a host route. It's really important to remember that the destination address can't be more specific than its corresponding subnet mask. What I'm saying is that there absolutely can't be a bit set to 1 in the destination address if the equivalent bit in the subnet mask is a 0.
• Gateway   The gateway also depends on the network address and subnet mask, but it's even more specific and delimits what's called the next-hop IP address. For routes located on a local subnet, the gateway address maps directly to a particular interface. If the destination is on a remote network, the gateway IP address will direct packets to the neighboring router.
• metric metric   Metric refers to the cost of a given route from the sending to the receiving device, and it's a value between 1 and 9999. Devices use this value to choose the best, or most efficient, routes among those in its routing table—the route with the lowest value wins. This decision can also include factors like the number of hops and the speed, reliability, and available bandwidth of the path being considered plus the various administrative aspects associated with it.
• if interface   This tool depends on information from the gateway address and determines the interface index for the specific interface that needs to receive the data. You can get a list of interfaces along with their relevant interface indexes by typing the route print command.
• /?   Using this will allow you to view help at the command prompt.

Some Examples of the route Command

Even though the finer points of the route command demand that you use caution when deploying some of the options, I'll still list the basics of the route command because it can be really useful. I highly recommend that you spend some time practicing them on a non-production server, though—especially at first.

• To display the entire IP routing table, type route print.
• To add a default route with the default gateway address 192.168.10.1, type route add 0.0.0.0 mask 0.0.0.0 192.168.10.1.
• To add a route to the destination 10.1.1.0 with the subnet mask 255.255.255.0 and the next-hop address 10.2.2.2, type route add 10.1.1.0 mask 255.255.255.0 10.2.2.2.
• If you want to, let's say, add a persistent route to the destination 10.100.0.0 with the subnet mask 255.255.0.0 and the next-hop address 10.2.0.1, type route -p add 10.100.0.0 mask 255.255.0.0 10.2.0.1. If you want to delete the route to the destination 10.100.0.0 with the subnet mask 255.255.0.0, enter route delete 10.100.0.0 mask 255.255.0.0.
• And finally, if you want to change the next-hop address of a route with the destination 10.100.0.0 and the subnet mask 255.255.0.0 from 10.2.0.1 to 10.7.0.5, type route change 10.100.0.0 mask 255.255.0.0 10.7.0.5.

Let's move on to some other important Windows utilities.

The – a Switch

Making use of the –a switch will get you a remote machine's NetBIOS name table consisting of a list of every NetBIOS name the machine from which you've deployed the switch knows of. The –a switch produced the output from server S1 shown in Figure 25.7.

So, using this switch arranges the NetBIOS name-table information in table form with output in four columns. The Name column displays the NetBIOS name entry for the remote host machine.

The next column gives you a unique two-digit hexadecimal identifier for the NetBIOS name. This identifier represents the last byte of the NetBIOS name depicted in the Name column, and it's important because the same name could actually be used several times for the same machine. Plus, it identifies the specific service on the particular host that the name is referencing. Table 25.5 and Table 25.6 list the hexadecimal identifiers for unique and group hostnames.

The Type column refers to (surprise) the type of NetBIOS name being referenced. Unique NetBIOS names refer to individual hosts, and group names refer to logical groupings of workstations—either domains or workgroups.

The Status column gives you information about the status of a host's NetBIOS even if it hasn't been registered with the rest of the network.

The – A Switch

The –A switch works just like the –a switch and will give you the same output, but the syntax of the command is different. Obviously, you use an uppercase A instead of a lowercase one, and you also have to include the host's IP address instead of its NetBIOS name. To use it, type nbtstat followed by –A and finally the IP address of the specific host whose NetBIOS table you want to check out:

nbtstat –A 199.153.163.2

The – c Switch

Use the –c switch to display the local NetBIOS name cache on the workstation it's running on. Figure 25.8 shows sample output of the nbtstat –c command.

Each entry in this display shows the NetBIOS name, the hex ID for the service that was accessed, the type of NetBIOS name (unique or group), the IP address that the name resolves to, and its life. The Life value shows how many seconds each entry will live in the cache. When this time expires, the entry will be deleted.

The – n Switch

The –n switch will give you the local NetBIOS name table on a Windows device. Figure 25.9 shows output that's similar to the output of the –a switch except for one important thing: What you're seeing is the NetBIOS name table for the machine you're running the command on instead of that of another host. Check it out.

The – r Switch

This switch is probably the one you'll use most often when you want to get a hold of NetBIOS over TCP/IP (NBT) statistics because it tells you exactly how many NetBIOS names have been resolved to TCP/IP addresses. Figure 25.10 shows sample output of the nbtstat –r command.

What you can see here is that the statistics are divided into two categories. First, there are the NetBIOS names resolution and registration statistics. This is how many names have been resolved or registered either by broadcasts on the local segment or via lookup from a DNS server.

Next you have the NetBIOS unique and group names and their associated hex IDs that were resolved or registered. In Figure 25.10, you can see that there's a distinct lack of information regarding names resolved by a name server. What this means is that the output is telling you that there's no WINS server operating—instead, all NetBIOS names were resolved by broadcast only.

The – R Switch

Unlike the –a and –A switches, -r and -R use the same letter but do not have anything in common.

Here's an example. Let's say you have a bad name in the NetBIOS name cache but the right name is in the LMHOSTS file instead. (The LMHOSTS file contains NetBIOS names of stations and their associated IP addresses.) Because the cache is consulted before the LMHOSTS file is, that bad address will remain in the cache until it expires.

This command is used when you want to purge the NetBIOS name table cache and reload the LMHOSTS file into memory. You do that by using the nbtstat command with the –R switch, like so:

nbtstat –R

You can practice this nbtstat -R command on your host to purge the NBT remote cache table.

The – S Switch

Using the -S switch will display the NetBIOS sessions table that lists all NetBIOS sessions to and from the host from which you issued the command. The –S switch displays both workstation and server sessions but lists remote addresses by IP address only.

Figure 25.11 shows sample output of the nbtstat –S command.

Here you can see the NetBIOS name being displayed along with its hex ID and the status of each session. An entry in the In/Out column determines whether the connection has been initiated from the computer on which you're running nbtstat (outbound) or whether another computer has initiated the connection (inbound). The numbers in the Input and Output columns indicate in bytes the amount of data transferred between the stations.

The – s Switch

As with the –A and –a switches, the lowercase –s switch is similar to its uppercase sibling. The nbtstat –s command produces the same output as nbtstat –S except that it will also attempt to resolve remote-host IP addresses into hostnames. Figure 25.12 shows sample output from the nbtstat –s command.

Note the similarities between Figure 25.11 and Figure 25.12.

The – a Switch

When you use the –a switch, the netstat utility displays all TCP/IP connections and all UDP connections. Figure 25.13 shows sample output produced by the netstat –a command.

The last two entries in Figure 25.13 show that the protocol is UDP and give the source-port nicknames nbname and nbdatagram. These are the well-known port numbers of 137 and 138, respectively. These port numbers are commonly seen on networks that broadcast the NetBIOS name of a workstation on the TCP/IP network. You can tell that this is a broadcast because the destination address is listed as *:* (meaning “any address, any port”).

The most common use for the –a switch is to check the status of a TCP/IP connection that appears to be hung. You can determine if the connection is simply busy or is actually hung and no longer responding.

The – e Switch

The -e switch displays a summary of all the packets that have been sent over the Network Interface Card (NIC) as of an instance. The Received and Sent columns show packets coming in as well as being sent:

C:Users	lammle>netstat -e
Interface Statistics
                           Received            Sent
 
Bytes                       7426841         7226953
Unicast packets               25784           35006
Non-unicast packets            1115           12548
Discards                          0               0

Errors                            0              71
Unknown protocols                 0

You can use the –e switch to display the following categories of statistics:

• Bytes   The number of bytes transmitted or received since the computer was turned on. This statistic is useful for finding out if data is actually being transmitted and received or if the network interface isn't doing anything at all.
• Unicast Packets   The number of packets sent from or received at this computer. To register in one of these columns, the packet must be addressed directly from one computer to another and the computer's address must be in either the source or destination address section of the packet.
• Non-unicast Packets   The number of packets that weren't directly sent from one workstation to another. For example, a broadcast packet is a non-unicast packet. The number of non-unicast packets should be smaller than the number of unicast packets. If the number of non-unicast packets is as high as or higher than that of unicast packets, too many broadcast packets are being sent over your network. Definitely find the source of these packets and make any necessary adjustments to optimize performance.
• Discards   The number of packets that were discarded by the NIC during either transmission or reception because they weren't assembled correctly.
• Errors   The number of errors that occurred during transmission or reception. (These numbers may indicate problems with the network card.)
• Unknown Protocols   The number of received packets that the Windows networking stack couldn't interpret. This statistic only shows up in the Received column because if the computer sent them, they wouldn't be unknown, right?

Unfortunately, statistics don't mean much unless they can be colored with time information. For example, if the Errors row shows 71 errors, is that a problem? It might be if the computer has been on for only a few minutes. But 71 errors could be par for the course if the computer has been operating for several days. Unfortunately, the netstat utility doesn't have a way of indicating how much time has elapsed for these statistics.

The – r Switch

You use the –r switch to display the current route table for a workstation so that you can see exactly how TCP/IP information is being routed. This will give you the same output as the route print command that we covered earlier in this chapter.

The – s Switch

Using the –s switch displays a variety of TCP, UDP, IP, and ICMP protocol statistics. But be warned—the output you'll get is really long, which may or may not be okay for you. For this book, it's way too long for me to insert. With that in mind, we can add another modifier called the -p switch.

The – p Switch

Like the –n switch, the –p switch is a modifier that's usually used with the –s switch to specify which protocol statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only ICMP statistics, you use the –p switch like so:

netstat –s –p ICMP

The netstat utility then displays the ICMP statistics instead of the entire gamut of TCP/IP statistics that the –s switch will typically flood you with. For a different example, let's use the -s and -p switches to retrieve some IPv6 information:

C:Users	lammle>netstat -s -p IPV6
 
IPv6 Statistics
 
  Packets Received                   = 1400
  Received Header Errors             = 0
  Received Address Errors            = 6
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 451
  Received Packets Delivered         = 10441
  Output Requests                    = 24349
  Routing Discards                   = 0
  Discarded Output Packets           = 3575
  Output Packet No Route             = 41
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0
 
C:Users	lammle>

Nice! Gets right to the point. Now, let's see the TCP connections my host has:

C:Users	lammle>netstat -s -p tcp
 
TCP Statistics for IPv4
 

  Active Opens                        = 7832
  Passive Opens                       = 833
  Failed Connection Attempts          = 1807
  Reset Connections                   = 2428
  Current Connections                 = 11
  Segments Received                   = 1391678
  Segments Sent                       = 1340994
  Segments Retransmitted              = 6246
 
Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:54955     gnt-exchange:1026      ESTABLISHED
  TCP    10.100.10.54:55218     gnt-exchange:epmap     TIME_WAIT
  TCP    127.0.0.1:2492         globalnet-todd:54840   ESTABLISHED
  TCP    127.0.0.1:54516        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:54840        globalnet-todd:2492    ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:54516   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:http    CLOSE_WAIT
 
C:Users	lammle>

This kind of efficiency is exactly why it's good to use the -p modifier with the -s switch.

The – n Switch

The -n switch is a modifier for the other switches. When used with them, it reverses the natural tendency of netstat to use names instead of network addresses. In other words, when you use the –n switch, the output always displays network addresses instead of their associated network names. Following is output from the netstat command used with the netstat -n command. It's showing the same information but with IP addresses instead of names:

C:Users	lammle>netstat
 
Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:54955     gnt-exchange:1026      ESTABLISHED
  TCP    127.0.0.1:2492         globalnet-todd:54840   ESTABLISHED
  TCP    127.0.0.1:54516        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:54840        globalnet-todd:2492    ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:54516   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:http    CLOSE_WAIT
 
C:Users	lammle>netstat -n
 
Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     10.100.36.13:1151      ESTABLISHED
  TCP    10.100.10.54:54955     10.100.36.13:1026      ESTABLISHED
  TCP    127.0.0.1:2492         127.0.0.1:54840        ESTABLISHED
  TCP    127.0.0.1:54516        127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:54840        127.0.0.1:2492         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:54516        ESTABLISHED
  TCP    192.168.0.6:2492       65.55.239.100:2492     ESTABLISHED
  TCP    192.168.0.6:2492       65.55.248.110:2492     ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      205.188.248.163:5190   ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:80      CLOSE_WAIT
 
C:Users	lammle>

Examples of Using tcpdump

Use this command to capture traffic on all interfaces:

# tcpdump -i any

Here is the command to capture traffic on a particular interface:

# tcpdump -i eth0

And to filter traffic by IP, whether it's the source or the destination, use this command:

# tcpdump host 192.168.5.5

Starting FTP and Logging In to an FTP Server

Of the two FTP file operations (download and upload), the ability to download files is definitely the more crucial for you to have down as a network technician or sys admin. The reason it's so important for you to master is that network and client operating system drivers and patches are located on FTP servers all over the Internet.

The first steps in starting an FTP download session are to determine the address of the FTP site and start the ftp utility. The FTP site typically has the same name as the website except that the first three characters are ftp instead of www. For example, Microsoft's website is www.microsoft.com. Its FTP site, on the other hand, is ftp.microsoft.com. We'll use my personal FTP site as an example for the rest of this section because it works, so I can actually log in to it.

First, start the ftp utility as demonstrated earlier, and then follow these steps:

1. At the ftp command prompt, type open, a space, and the name of the FTP server, like this:

   C:Users	lammle>ftp
   ftp>open ftp.lammle.com
   Connected to ftp.lammle.com.
   220---------- Welcome to Pure-FTPd [TLS] ----------
   220-You are user number 1 of 50 allowed.
   220-Local time is now 11:45. Server port: 21.
   220-IPv6 connections are also welcome on this server.
   220 You will be disconnected after 15 minutes of inactivity.
   User (ftp.lammle.com:(none)):enter
   230 Anonymous user logged in
   ftp>
   

   As shown here, if the FTP server is available and running, you'll receive a response welcoming you to the server and asking you for a username. Right now, I just have Anonymous as the username (enabled by default on the FTP server), which means that anyone can log in to it. (By the way, don't bother trying this on my server because I disabled it for obvious reasons as soon as I finished writing this section.)

   You can also start an FTP session by typing ftp, a space, and the address of the FTP server (for example, ftp ftp.globalnettraining.com). This allows you to start the ftp utility and open a connection in one step. Here's an example:

   C:Users	lammle>ftp ftp.globalnettraining.com
   Connected to ftp.globalnettraining.com.
   220 Microsoft FTP Service
   User (ftp.globalnettraining.com:(none)):todd
   331 Password required for todd.
   Password:not shown when typed
   230 User todd logged in.
   ftp>quit
   
2. Enter a valid username, and press Enter.
3. Enter your password, and press Enter. (The password won't show up when you type it.)

All good, but if you want to access a private FTP server, as I'll demonstrate in a minute, you'll need to use the username and password given to you by the site's administrator. Oh, and sometimes you can use your email address as a password when accessing a public FTP server with a username like anonymous.

If you enter the wrong username and/or password, the server will tell you so by displaying the following and leaving you at the ftp command prompt:

530 Login Incorrect
Login failed.

This means you've got to try again and must start the login process over. If you're successful, the FTP server will welcome you and drop you back at the ftp command prompt. You're now ready to start uploading or downloading files.

Downloading Files

After you log in to the FTP server, you'll navigate to the directory that contains the files you want. Thankfully, the FTP command-line interface is similar to the DOS command-line interface. This is no surprise because DOS is based on Unix and FTP is a Unix utility. Table 25.8 lists and describes the common navigation commands for FTP. (Remember that these are also case sensitive.)

After you navigate to the directory and find the file you want to download, it's time to set the parameters for the type of file. Files come in two types:

• ASCII, which contains text
• Binary, which is all other files

If you set ftp to the wrong type, the file you download will contain gibberish. So if you're in doubt, set ftp to download files as binary files. Check out Table 25.8.

To set the file type to ASCII, type ascii at the ftp command prompt. ftp will respond by telling you that the file type has been set to A (ASCII):

ftp>ascii
Type set to A

To set the file type to binary, type binary at the ftp command prompt. ftp will respond by telling you that the file type has been set to I (binary):

ftp>binary
Type set to I

To download the file, just use the get command like this:

ftp>get lammlepress.exe
200 PORT command successful.
150 Opening BINARY mode data connection for 'scrsav.exe'
(567018 bytes).

The file will start downloading to your hard drive. Unfortunately, with its default settings, the ftp utility doesn't give you any indication of the progress of the transfer. When the file has downloaded, the ftp utility will display the following message and return you to the ftp command prompt:

226 Transfer complete.
567018 bytes received in 116.27 seconds (4.88 Kbytes/sec) 

Uploading Files

To upload a file to an FTP server, you've got to have rights on that specific server. These rights are assigned on a directory-by-directory basis. To upload a file, log in and then follow these steps:

1. At the ftp command prompt, type lcd to navigate to the directory on the local machine where the file resides.
2. Type cd to navigate to the destination directory.
3. Set the file type to ASCII or binary.
4. Use the put command to upload the file.

The syntax of the put command looks like this:

ftp>put local file destination file

Let's say you want to upload a file called 1.txt on the local server but you want it to be called my.txt on the destination server. To accomplish that, use the following command:

ftp>put 1.txt my.txt

You'll get the following response:

200 PORT command successful.
150 Opening BINARY mode data connection for collwin.zip
226 Transfer complete.
743622 bytes sent in 0.55 seconds (1352.04 Kbytes/sec) 

When you're finished with the ftp utility, just type quit to return to the command prompt.

How to Enable Telnet in Windows

Because most people have the Windows 10 operating system running on their PCs these days, it's good to know that, by default, this operating system installs without Telnet available. But there's a way around that one—if you really must have a Telnet client enabled in the Windows operating system, here's how to do it:

1. Open Control Panel.
2. Select Programs And Features.
3. In the left column, select Turn Windows Features On Or Off (get ready for the annoying User Account Control [UAC] prompt, and then enter your name and password).
4. Select the Telnet check box (and any other obscure services you may want enabled), and wait while Windows thinks for a while and then reboots.

Nice—now you can go to Start and then type telnet in the Start search box to get a Telnet window to open for you. You can also open a DOS prompt and just type telnet from there. Here are the options that Windows provides with Telnet:

Microsoft Telnet> ?
Commands may be abbreviated. Supported commands are:
 
c    - close                    close current connection
d    - display                  display operating parameters
o    - open hostname [port]     connect to hostname (default port 23).

q    - quit                     exit telnet
set  - set                      set options (type 'set ?' for a list)
sen  - send                     send strings to server
st   - status                   print status information
u    - unset                    unset options (type 'unset ?' for a list)
?/h  - help                     print help information

Now that we've finished talking about Telnet, my personal recommendation is that you never use it again. What? Yes, you read that right, and here's why.

Don't Use Telnet, Use Secure Shell

What? I just told you how to use Telnet, and now I am telling you not to use it. That's right, don't use Telnet! Telnet is totally insecure because it sends all data in crystal-clear text—including your name and password. And I'm pretty sure you know that's a really bad thing these days. If Microsoft doesn't even enable it on its latest OSs, then you know it really must be insecure.

So if you shouldn't use Telnet, what should you use instead? Secure Shell (SSH) is your answer. It provides the same options as Telnet, plus a lot more; but most important, it doesn't send any data in clear text. The thing is, your servers, routers, and other devices need to be enabled with SSH, and it's not configured by default on most devices.

Some configuration is usually necessary if you want things to work as they really should, and yes, sometimes it's a little painful to get everything running smoothly, but it's all worth it in the long run. Personally, I disable Telnet on all my routers and use SSH exclusively. No lie—I never use Telnet anymore if I can help it. Even so, you should still understand Telnet and get in some practice with it in case you do ever need it.

1. What command can you type from a command prompt to see the hops a packet takes to get to a destination host?
2. What tool would you use to verify a complaint about a slow network?
3. You need your IP address, subnet mask, default gateway, and DNS information. What command will you type from a Windows command prompt?
4. You need to log in as a dumb terminal to a server or Unix host and run programs. What application will you use?
5. You need to add a route to your Windows server's routing table. What command will you use?
6. You want to log in to a server and transfer files. What application will you use?
7. You need to check your name-resolution information on your host. What command will you type from the command prompt?
8. You want to use netstat, but you want to see only the IP address, not the names of the hosts. Which modifier will you use?
9. You want the IP configuration on a Unix host. What command will you type at the command prompt?
10. Which Windows command will show you the routing table of your host or server?

1. Which TCP/IP utility is most often used to test whether an IP host is up and functional?
   1. ftp
   2. telnet
   3. ping
   4. netstat
2. Which TCP/IP utility will produce the following result?

   Interface: 199.102.30.152
   Internet Address   Physical Address   Type
   199.102.30.152     A0–ee–00–5b–0e–ac   dynamic
   
   1. arp
   2. netstat
   3. tracert
   4. nbtstat
3. Which Windows utility can you use to connect to a machine 50 miles away to troubleshoot?
   1. Remote Desktop
   2. netstat
   3. arp
   4. Wireshark
4. Which TCP/IP utility might produce the following output?

   Reply from 204.153.163.2: bytes=32 time=1ms TTL=128
   Reply from 204.153.163.2: bytes=32 time=1ms TTL=128
   Reply from 204.153.163.2: bytes=32 time=1ms TTL=128
   Reply from 204.153.163.2: bytes=32 time<10ms TTL=128
   
   1. tracert
   2. ping
   3. WINS
   4. ipconfig
5. Which utility can you use to find the MAC and TCP/IP addresses of your Windows workstation?
   1. ping
   2. ipconfig
   3. ipconfig /all
   4. tracert
   5. telnet
6. Which ping commands will verify that your local TCP/IP interface is working? (Choose all that apply.)
   1. ping 204.153.163.2
   2. ping 127.0.0.1
   3. ping localif
   4. ping localhost
   5. ping iphost
7. Which new Linux command was added recently to configure IP and interface parameters?
   1. nbtstat
   2. ipconfig
   3. ip
   4. ifconfig
8. You need to find a NIC's specific MAC address and IP address. Which command-line tool can you use to find this information without physically going to the computer?
   1. ping
   2. nbtstat
   3. arp
   4. netstat
   5. ftp
9. Which netstat utility switch displays all connections and listening ports?
   1. –a
   2. –f
   3. -p
   4. -t
10. Wireshark is an example of a ___________________ .
    1. Throughput tester
    2. Protocol analyzer
    3. Remote connection tool
    4. IDS
11. Which utility produces output similar to the following?

    1  110 ms  96 ms  107 ms fgo1.corpcomm.net [209.74.93.10]
    2  96 ms  126 ms  95 ms someone.corpcomm.net [209.74.93.1]
    3  113 ms  119 ms  112 ms Serial5–1–1.GW2.MSP1.alter.net     [157.130.100.185]
    4  133 ms  123 ms  126 ms 152.ATM3–0.XR2.CHI6.ALTER.NET      [146.188.209.126]
    5  176 ms  133 ms  129 ms 290.ATM2–0.TR2.CHI4.ALTER.NET   [146.188.209.10]
    6  196 ms  184 ms  218 ms 106.ATM7–0.TR2.SCL1.ALTER.NET   [146.188.136.162]
    7  182 ms  187 ms  187 ms 298.ATM7–0.XR2.SJC1.ALTER.NET   [146.188.146.61]
    8  204 ms  176 ms  186 ms 192.ATM3–0–0.SAN–JOSE9– GW.ALTER.NET [146.188.144.133]
    9  202 ms  198 ms  212 ms atm3–0–622M.cr1.sjc.globalcenter.net [206.57.16.17]
    10 209 ms  202 ms  195 ms pos3–1–155M.br4.SJC.globalcenter.net [206.132.150.98]
    11 190 ms   *   191 ms pos0–0–0–155M.hr3.SNV.globalcenter.net [206.251.5.93]
    12 195 ms  188 ms  188 ms pos4–1–0–   155M.hr2.SNV.globalcenter.net [206.132.150.206]
    13 198 ms  202 ms  197 ms www10.yahoo.com [204.71.200.75]
    
    1. arp
    2. tracert
    3. nbtstat
    4. netstat
12. You are the network administrator. A user calls you complaining that the performance of the intranet web server is sluggish. When you try to ping the server, it takes several seconds for the server to respond. You suspect that the problem is related to a router that is seriously overloaded. Which workstation utility could you use to find out which router is causing this problem?
    1. netstat
    2. nbtstat
    3. tracert
    4. ping
    5. arp
13. Which ipconfig switch will display the most complete listing of IP configuration information for a station?
    1. /all
    2. /renew
    3. /release
    4. /?
14. Which utility will display a list of all the routers that a packet passes through on the way to an IP destination?
    1. netstat
    2. nbtstat
    3. tracert
    4. ping
    5. arp
15. Which Windows TCP/IP utility could you use to find out whether a server is responding on TCP port 21?
    1. tcp
    2. port
    3. ping
    4. netstat
    5. telnet
16. Which arp command can you use to display the currently cached ARP entries?
    1. arp
    2. arp –all
    3. arp -a
    4. ipconfig -arp
    5. arp -ipconfig
17. Which command-line tool would best be used to verify DNS functionality in Linux?
    1. netstat
    2. nbtstat
    3. dig
    4. icmp
    5. arp
18. Which of the following arp utility switches perform the same function? (Choose all that apply.)
    1. –g
    2. –A
    3. –d
    4. –a
19. Which of the following is not a chain type used by iptables?
    1. Forward
    2. Backward
    3. Input
    4. Output
20. Which command captures traffic on all interfaces?
    1. tcpdump -i any
    2. tcpdump -i eth0
    3. tcpdump host 192.168.5.5
    4. tcpdump host all