4.1. Troubleshooting Using the Appropriate Network Utility

There are many troubleshooting utilities built into the most common operating systems. Most of these utilities are based on the command line and are not obvious to the common user. As a network administrator, your knowledge of the existence and the proper use of these tools will set you apart from your competition. In this section, we will discuss and illustrate the proper use of the most common troubleshooting utilities.

4.1.1. Critical Information

Given a troubleshooting scenario, you should be able to select the appropriate network utility. This means that you should know the function and most common use of each of the main network utilities. In this section, we discuss each of these networking tools in detail.

4.1.1.1. ping

The ping tool is one of the most common utilities used by network administrators. It is primarily used to establish general network connectivity, but it can also be used to test name resolution in a network. The ping tool includes switches that allow you to customize your test. You should know how the ping tool operates and its most common uses in network troubleshooting.

You initiate a ping request by simply typing the word ping at a command prompt followed by a space and then the IP address or hostname of the host to which you would like to test connectivity. You can also use many options in ping to make a request more specific, as shown in Figure 4.1.

Figure 4.1. The ping tool

For example, to ping a host with the IP address of 192.168.1.105, type the following at the command prompt:

ping 192.168.1.105

Similarly, to ping a host with the hostname of xpclient, type the following at the command prompt:

ping xpclient

When you ping a host from a system using a Microsoft client, four packets are transmitted onto the wire with the destination address that you specified. These are referred to as echo request packets. When the host identified by the destination address receives the packets, it will reply with special packets called echo reply packets. When the computer from which you are initiating the ping request receives the echo reply packets, this establishes the fact that there is general network connectivity between the two computers. An error message such as destination host unreachable or request timed out indicates that there is no connectivity between your computer and the other computer.

If you only want to establish general network connectivity, then you should ping the IP address of the host on the network. To take the ping tool a step further, you can also ping the hostname of the client instead of just the IP address. In order for a ping request with a hostname to be interpreted by the network, the hostname must be resolved to an IP address by a name resolution mechanism such as DNS or WINS (discussed in Chapter 2). After the hostname is resolved to an IP address, then the packets can be delivered to the computer with that IP address. In this way, pinging the hostname of a computer on the network will test both your name resolution systems as well as the general connectivity of the computer to the network.

Now let's put this into practice. Suppose that you have a troubleshooting scenario whereby a client cannot connect to a server using a specific application, for instance an e-mail application such as Microsoft Outlook. Since the essence of all troubleshooting is isolation, you might first want to make sure the client has general connectivity to the server. By successfully pinging the IP address of the server from the client that is having the problem, you can eliminate the options that the problem is of a physical nature, such as wiring, cable connections, and so on. You will also eliminate the option that the IP address of the client is not configured properly. On the other hand, if you do not get a reply, then you will know that the problem is either of a physical nature or due to an improper configuration, and therefore probably has little to do with Outlook.

To take the test a little further, you could also ping the hostname of the server from the client that is having the problem. If you received a reply when you pinged the IP address but you do not receive a reply when you ping the hostname, then the problem is likely related to name resolution. This test does not completely solve your problem, but it's a first step that does make sure that you are setting off in the right direction to solve it. To customize your ping request, you can use the switches provided with the tool. The switches give you the option to send a set number of packets, a continuous ping, and so on. To see a list of the all of the switches, type the following at the command prompt:

ping /?
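The echo request and echo reply packets described above can be made concrete with a short program. The following Python example is added here and is not part of the original text or of any ping implementation: it builds the 8-byte ICMP echo header plus the 32-byte payload a Microsoft ping sends, computes the Internet checksum (RFC 1071), parses a reply, and maps what came back to the messages ping prints. The identifier, sequence number and payload bytes are constructed for the example, and nothing is put on the wire.

```python
import struct

# ICMP message types used by ping (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8

# Constructed payload: the 32 bytes a Microsoft ping sends by default.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"               # pad an odd-length message
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int,
               payload: bytes = WINDOWS_PING_PAYLOAD) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "ident": ident,
        "seq": seq,
        "payload": packet[8:],
        # an intact message sums to zero when the checksum field itself is included
        "checksum_ok": internet_checksum(packet) == 0,
    }


def classify_reply(reply, ident: int, seq: int) -> str:
    """Map what came back (or did not) to the message ping prints."""
    if reply is None:
        return "Request timed out."
    msg = parse_icmp(reply)
    if not msg["checksum_ok"]:
        return "Corrupt packet (checksum mismatch)."
    if msg["type"] == ICMP_ECHO_REPLY and (msg["ident"], msg["seq"]) == (ident, seq):
        return "Reply received."
    if msg["type"] == ICMP_DEST_UNREACHABLE:
        # a real type 3 message carries the offending packet's header as its payload;
        # the classifier only needs the type
        return "Destination host unreachable."
    return "Unexpected ICMP type %d." % msg["type"]


if __name__ == "__main__":
    # Constructed exchange: one request and the reply the target would send back.
    request = build_echo(ICMP_ECHO_REQUEST, ident=1, seq=1)
    reply = build_echo(ICMP_ECHO_REPLY, ident=1, seq=1)
    print(parse_icmp(request))
    print(classify_reply(reply, 1, 1))
    print(classify_reply(None, 1, 1))
```

The identifier and sequence check in classify_reply is what lets a host match a reply to the request it sent; a reply with the wrong sequence number is reported as unexpected rather than counted as success.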

4.1.1.2. tracert/traceroute

Suppose that you use the ping tool and find that you have a problem with connectivity in your network. Now let's suppose that your network is a complex configuration of hubs, switches, and routers that carry information to all of the hosts within it. Furthermore, suppose that the computer that you are pinging is located on the other side of your network and that you have to transmit through multiple routers to get to the subnet of the destination computer. If you simply did not get a reply, then how could you possibly know where the communication broke down? The answer is, you couldn't—at least not with the ping tool.

The tracert tool (also called the traceroute tool) is a network utility that uses the same technologies as the ping tool, but takes them a step further. Using the tracert tool, you can determine not only that the connection cannot be made to a computer, but also which router could not forward the packet to the next subnet. In other words, you can isolate a network failure to a specific location in your network.

NOTE

The terms "tracert" and "traceroute" are sometimes used interchangeably, but they are not actually the same; traceroute is the generic term for this type of tool, which can be used by Novell, Cisco, and other types of TCP/IP hosts, while tracert is specific to Microsoft clients and servers in a TCP/IP network.

The traceroute tool works in much the same way as the ping tool in that it sends echo request packets through the network. The difference is that the tracert tool uses the time to live (TTL) mechanism built into each packet to determine where the communication failure exists. You should know how the tracert tool operates and the most common uses of the tool.

You initiate the tracert tool on a Microsoft client by typing tracert followed by a space and then the IP address or hostname of the computer to which you want to test connectivity. You can find a complete list of tracert commands by typing tracert /? as shown in Figure 4.2.

Figure 4.2. The tracert tool

For example, if you wanted to perform a tracert to mct.billfergusonv.net, you could type the following at the command prompt:

tracert mct.billfergusonv.net

The tracert tool sends echo request packets just as the ping tool does, but it makes a very important change in each of the packets. This change affects the TTL of the packet, which is the number of hops that it can take through a network without being delivered before it is discarded by a network device.

In a normal ping request from a Microsoft client, each echo request packet has a TTL of 128. This means that it can bounce around a network until it has gone through 128 router interfaces (sometimes through the same interfaces many times) before it will be discarded. The reason that packets have a TTL is so that they can be discarded by the network in the event that they cannot be delivered. Each router decrements the TTL as it forwards the packet. If the result of decrementing the TTL is that the TTL will be reduced to a value of 0, then the router is responsible for discarding the packet and sending a message back to the network identifying itself by its IP address and noting that it has discarded the packet. The tracert tool uses this fact to gather information about the route the packets are taking through the network.

When you initiate the tracert request, an echo request packet is first sent out with a TTL value of 1. This means that the first router that it encounters will discard it and send a message back through the network indicating that it has done so. The message that the router sends back is recorded as the first hop that the packet has to take through the network. The time (in milliseconds) that elapses between the sending of the packets and the return of the message is also recorded. After this is done, the tracert tool automatically sends out a new packet with the TTL value of 2. The first router simply processes the packet normally, decrementing the TTL to 1 and forwarding it to the next router. The second router, however, discards the packet and sends a message back through the network identifying itself by its IP address. This becomes the second hop on the tracert report. This process continues until all of the hops between the local computer and the destination host are listed or one of the routers fails to reply. If a router fails to reply, then you have isolated the source of your problem.

As you may have guessed, the best scenario in which to use the traceroute utility is when you are troubleshooting a connectivity problem that must communicate through multiple routers. You would likely use the ping tool first to establish connectivity, or in this case the lack of it, and then use the traceroute tool to isolate the problem. In addition, since the traceroute tool records statistics regarding the time that routers take to forward packets, it can also assist you in discovering network weaknesses before they become a large problem. In other words, if the times seem unusually high, then you might want to take a closer look at the routers or the interfaces with higher times.
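The TTL mechanism is easier to see in code. The following Python simulation is an added example, not code from the original text or from the tracert tool: each Router object decrements the TTL and answers with its own address when the TTL reaches 0, a router can be marked as one that silently drops packets, and the tracert function probes with TTL 1, 2, 3 ... and stops at the first hop that never answers (the real tool keeps printing * up to its hop limit). The router addresses, delays and destination are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    ip: str             # address the router reports in its "time exceeded" message
    delay_ms: float     # forwarding delay this hop adds to the round trip
    alive: bool = True  # False: silently drops every packet and never answers


def forward(path: List[Router], dest_ip: str, ttl: int) -> Tuple[Optional[str], str, Optional[float]]:
    """Carry one echo request along the path. Returns (replying IP, reply kind, round-trip ms)."""
    elapsed = 0.0
    for router in path:
        if not router.alive:
            return None, "timeout", None          # nothing ever comes back
        elapsed += router.delay_ms
        ttl -= 1                                  # every router decrements the TTL
        if ttl == 0:
            # TTL exhausted: this router discards the packet and identifies itself
            return router.ip, "time_exceeded", elapsed
    return dest_ip, "echo_reply", elapsed         # reached the host with TTL to spare


def tracert(path: List[Router], dest_ip: str, max_hops: int = 30):
    """Probe with TTL 1, 2, 3 ... and record which device answered each probe."""
    hops = []
    for ttl in range(1, max_hops + 1):
        ip, kind, ms = forward(path, dest_ip, ttl)
        if kind == "timeout":
            hops.append((ttl, "*", None))
            break   # failure isolated here; the real tool would keep printing '*'
        hops.append((ttl, ip, ms))
        if kind == "echo_reply":
            break   # the destination itself answered: trace complete
    return hops


def first_failed_hop(hops) -> Optional[int]:
    """Hop number of the first probe that got no reply, or None if the trace completed."""
    for hop, ip, _ms in hops:
        if ip == "*":
            return hop
    return None


def render(hops) -> str:
    """Format the hop list roughly the way tracert prints it."""
    lines = []
    for hop, ip, ms in hops:
        rtt = "*" if ms is None else "%6.1f ms" % ms
        lines.append("%3d  %-10s %s" % (hop, rtt, ip))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed network: three routers between this host and 192.168.50.10
    healthy = [Router("192.168.1.1", 1.0), Router("10.0.0.2", 4.0), Router("10.0.1.2", 9.0)]
    print(render(tracert(healthy, "192.168.50.10")))
    # Same path, but the second router has stopped forwarding
    broken = [Router("192.168.1.1", 1.0), Router("10.0.0.2", 4.0, alive=False), Router("10.0.1.2", 9.0)]
    print(render(tracert(broken, "192.168.50.10")))
    print("failure isolated at hop", first_failed_hop(tracert(broken, "192.168.50.10")))
```

In the broken case the first probe still gets an answer from the first router, because that probe's TTL expires before it ever reaches the failed device; the second probe is the first one that disappears, which is exactly the information ping alone could not give you.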

4.1.1.3. arp

As we discussed in Chapter 2, arp is a service that works in the background and resolves IP addresses to MAC addresses so that packets can be delivered to their destination. As you may recall, each computer keeps an arp cache of entries that have been recently resolved (within the last 10 minutes). The computer checks the arp cache first, and then, if the entry is not in the cache, arp will be used to broadcast into the local network and request that the computer with a specific IP address respond with its MAC address so that the packet can be addressed and delivered.

Since the packets cannot be delivered until the MAC address is discovered, arp is a crucial component in the system. Because of this fact, you should know how to identify problems that might be caused by an errant arp cache. In addition, you should know how to troubleshoot the arp cache when necessary.

You can access the arp tool and the syntax for its use by typing the following at a command prompt:

arp /?

The two general types of entries found in an arp cache are dynamic and static, as shown in Figure 4.3. Your knowledge of both types of entries is essential to understanding how arp operates and therefore how to troubleshoot it. You should be able to distinguish between dynamic and static entries in an arp cache. Static entries are indicated with an "s" whereas dynamic entries are indicated with a "d".

Figure 4.3. The arp tool

Dynamic entries are automatically added to the cache when arp is used to resolve an IP address to a MAC address. The lifetime of these entries varies between operating systems but is generally no more than about 10 minutes, unless they are used within the 10 minutes, in which case the clock starts again. Dynamic entries typically do not cause problems. They are clearly marked as dynamic.

Static entries, on the other hand, are very different from dynamic entries. Static entries must be added by an administrator and, once added, become a permanent entry in the cache unless they are deleted. For example, if you wanted to add a static entry to an arp cache for a computer with an IP address of 192.168.1.10 and a MAC address of 00-aa-00-62-c6-09, you would type the following at the command prompt:

arp -s 192.168.1.10 00-aa-00-62-c6-09

Now, before you start adding static entries to all of your computers, let's discuss the advantages and disadvantages of static entries. There is only one reason to add a static entry to an arp cache: faster IP-to-MAC address resolution between two computers on the same network. Adding a static entry might increase performance, but this is very doubtful on today's modern networks. In addition, adding a static entry to resolve an IP address to a MAC address does not affect the name resolution time to resolve the hostname to an IP address, which usually must occur first.

While the advantages of adding a static entry are ambiguous, the disadvantages are very real. Adding a static entry to an arp cache ties a specific MAC address to a specific IP address. This might be fine as long as you don't change the NIC on the computer that the entry identifies. If the NIC should fail and be replaced by another NIC, the static entry for the IP address will override the dynamic entry that would otherwise be created in the cache. In other words, since the IP address of the computer is already listed in the static entry, a new dynamic entry pairing that IP address with the new MAC address will not be added. Of course, the new NIC has a different MAC address, so the arp cache would be incorrect. Consequently, computers with the static entry would not be able to communicate with the computer containing the new NIC.

To troubleshoot the problem, you should remove the static entry from the arp cache. You can remove the static entry for the previous example by typing the following at a command prompt (the -d switch takes only the IP address of the entry to delete):

arp -d 192.168.1.10

NOTE

You can also use a wildcard (*) in place of the IP address to delete all entries from the arp cache.
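The following Python model of an arp cache is an added example, not code from the original text or from any operating system's arp implementation. It shows why a static entry survives a NIC replacement while a dynamic one does not: dynamic entries age out after a 10-minute lifetime that restarts each time they are used, static entries are returned without ever re-querying the network, and deleting the static entry (arp -d) restores correct resolution. The addresses are the ones used in the text plus a constructed replacement MAC; the `wire` dictionary stands in for the LAN and for the broadcast that arp would send.

```python
from typing import Dict, Optional


class ArpCache:
    """Minimal model of a host's arp cache: dynamic entries age out, static ones never do."""

    def __init__(self, lifetime_s: float = 600.0):   # about 10 minutes, as in the text
        self.lifetime_s = lifetime_s
        self.entries: Dict[str, dict] = {}

    def add_static(self, ip: str, mac: str) -> None:
        """arp -s ip mac: permanent entry that overrides any dynamic one."""
        self.entries[ip] = {"mac": mac, "static": True, "expires": None}

    def delete(self, ip: str) -> bool:
        """arp -d ip: remove the entry, static or dynamic."""
        return self.entries.pop(ip, None) is not None

    def resolve(self, ip: str, wire: Dict[str, str], now: float) -> Optional[str]:
        """Return the MAC for ip, checking the cache first and broadcasting second.
        `wire` stands in for the LAN: it maps each live host's IP to its current MAC."""
        entry = self.entries.get(ip)
        if entry is not None:
            if entry["static"]:
                return entry["mac"]                        # trusted as-is, never re-queried
            if entry["expires"] > now:
                entry["expires"] = now + self.lifetime_s   # used within lifetime: clock restarts
                return entry["mac"]
            del self.entries[ip]                           # aged out
        mac = wire.get(ip)                                 # simulated who-has broadcast
        if mac is None:
            return None                                    # nobody answered
        self.entries[ip] = {"mac": mac, "static": False, "expires": now + self.lifetime_s}
        return mac

    def display(self):
        """Rows in the spirit of `arp -a`: (ip, mac, 'static' or 'dynamic')."""
        return [(ip, e["mac"], "static" if e["static"] else "dynamic")
                for ip, e in sorted(self.entries.items())]


def nic_replacement_demo() -> Dict[str, Optional[str]]:
    """Walk through the failure mode described in the text; returns what each step resolved."""
    lan = {"192.168.1.10": "00-aa-00-62-c6-09"}          # constructed host and its original NIC
    cache = ArpCache()
    results = {}
    results["dynamic_before"] = cache.resolve("192.168.1.10", lan, now=0)
    cache.add_static("192.168.1.10", "00-aa-00-62-c6-09")   # arp -s 192.168.1.10 00-aa-00-62-c6-09
    lan["192.168.1.10"] = "00-aa-00-62-c6-10"               # constructed: NIC replaced, new MAC
    results["static_after_swap"] = cache.resolve("192.168.1.10", lan, now=1200)  # stale answer
    cache.delete("192.168.1.10")                             # arp -d 192.168.1.10
    results["after_delete"] = cache.resolve("192.168.1.10", lan, now=1200)       # correct again
    return results


def dynamic_expiry_demo():
    """Same NIC swap with only a dynamic entry: stale briefly, then self-correcting."""
    lan = {"192.168.1.10": "00-aa-00-62-c6-09"}
    cache = ArpCache()
    cache.resolve("192.168.1.10", lan, now=0)              # dynamic entry learned at t=0
    lan["192.168.1.10"] = "00-aa-00-62-c6-10"              # NIC replaced (constructed)
    stale = cache.resolve("192.168.1.10", lan, now=300)    # within lifetime: cached, clock restarts
    fresh = cache.resolve("192.168.1.10", lan, now=1000)   # past 300 + 600: aged out, re-queried
    return stale, fresh


if __name__ == "__main__":
    print(nic_replacement_demo())
    print(dynamic_expiry_demo())
```

The two demos make the trade-off in the text visible: the dynamic entry hands out the old MAC for at most one lifetime and then heals itself, while the static entry keeps answering with the old MAC until an administrator deletes it.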

4.1.1.4. netstat

Suppose that you are troubleshooting an application for a user and you know the application uses a specific protocol and therefore a specific port or ports, for example, FTP and ports 20 and 21. If the user's computer is having a problem running the application, you might want to make sure that the computer is active and listening on the appropriate ports. This is the type of scenario that might require your use of the netstat tool.

You can use the netstat tool to display protocol statistics and current TCP/IP connections, as shown in Figure 4.4. The netstat tool has many switches, or options, that you can use to customize the output for your situation. Table 4.1 lists the options available in netstat and the general function of each option. You can list the syntax and all of the options by typing the following at the command prompt:

netstat /?

When you use it with no options, netstat simply displays active TCP/IP connections.

Figure 4.4. The netstat tool

Table 4.1. Common netstat Options

netstat Option   Display
netstat -a       Displays all connections.
netstat -r       Displays the routing table of the computer and all active connections.
netstat -o       Displays process IDs so you can view the owner of the port for each connection.
netstat -e       Displays Ethernet statistics, such as packet discards and errors.
netstat -s       Displays per-protocol statistics, such as detailed TCP and UDP statistics.
netstat -n       Does not convert addresses and port numbers to names but instead shows them as IP addresses.
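Checking whether the ports an application needs actually have a listener comes down to reading the netstat output carefully. The Python example below is added here and is not from the original text: it parses a constructed sample of netstat -ano output (the -a, -n and -o switches from Table 4.1 combined), then reports, for the FTP ports in the scenario above, which ones have a listening socket and which process ID owns it. The sample output, addresses and PIDs are all constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output from a Windows host (not a real capture)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.105:1046     192.168.1.10:21        ESTABLISHED     3100
  TCP    192.168.1.105:1047     192.168.1.10:1055      TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.105:1046' -> ('192.168.1.105', 1046); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat -ano text into one record per socket."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                                   # skip banner and column header
        proto, local, foreign = fields[0], fields[1], fields[2]
        # TCP rows carry a State column; UDP rows do not, so the PID is the last field either way
        state = fields[3] if proto == "TCP" else None
        pid = int(fields[-1])
        lhost, lport = split_endpoint(local)
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign": foreign, "state": state, "pid": pid})
    return records


def listeners(records: List[dict]) -> Dict[Tuple[str, int], int]:
    """Map (proto, port) -> owning PID for every socket that can accept traffic.
    A TCP socket must be LISTENING; a bound UDP socket receives datagrams without a state."""
    out = {}
    for r in records:
        if r["local_port"] is None:
            continue
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            out[(r["proto"], r["local_port"])] = r["pid"]
    return out


def check_required_ports(records: List[dict], required) -> Dict[Tuple[str, int], Optional[int]]:
    """For each (proto, port) the application needs, report the owning PID or None."""
    have = listeners(records)
    return {req: have.get(req) for req in required}


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    # The FTP scenario from the text: which of ports 20 and 21 has a listener?
    for (proto, port), pid in check_required_ports(recs, [("TCP", 20), ("TCP", 21)]).items():
        status = "listening, PID %d" % pid if pid is not None else "no listener"
        print("%s/%d: %s" % (proto, port, status))
```

Note that an ESTABLISHED or TIME_WAIT row on a port is not evidence that the computer is listening on it; only the LISTENING state (or a bound UDP socket) tells you a service is ready to accept traffic, which is why the parser keeps the State column and filters on it.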

4.1.1.5. nbtstat

NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. As we discussed in Chapter 2, TCP/IP provides many options for NetBIOS name resolution, including cache lookup, WINS server query, broadcast, DNS server query, and Lmhosts and Hosts file lookup. Since name resolution can become very complex, you need a tool that can assist you in sorting out what is working and what is not working. The nbtstat utility lets you troubleshoot name resolution problems. In addition, you can use this tool to remove or correct a preloaded entry in the NetBIOS name cache.

The nbtstat utility has a fairly complex syntax, which allows you to customize a query. You can also keep it simple and just use the beginning of the syntax to obtain a broader range of output. You can view the syntax of nbtstat and the options available by simply typing nbtstat at a command prompt and pressing Enter. Table 4.2 lists the most common options used with nbtstat.

4.1.1.6. ipconfig/ifconfig

The ipconfig command is a tool that displays network configuration values and refreshes addresses configured by DHCP servers on Microsoft computers. It can also be used for a wide range of other troubleshooting scenarios. The ifconfig command is the same sort of command that is used by Unix and Linux systems. You should know the purpose and main functionality of both of these commands.

Table 4.2. Common nbtstat Options

nbtstat Option     Display
nbtstat -n         Displays names registered locally by the system.
nbtstat -c         Displays NetBIOS name cache entries.
nbtstat -R         Purges the NetBIOS name cache and reloads it from the Lmhosts file.
nbtstat -RR        Releases NetBIOS names registered with the WINS server and then renews their registration.
nbtstat -a name    Performs a NetBIOS adapter status command against the computer specified by name. Displays the local NetBIOS name table for the computer and the MAC address of the computer.
nbtstat -S         Lists the current NetBIOS sessions and their status, including statistics.

4.1.1.6.1. ipconfig

The ipconfig command used without any switches, or options, displays the IP address, subnet mask, and default gateway of all of the network adapters on a computer. It can be used as a very quick method of verifying a basic IP configuration. By adding switches to the ipconfig command, you can get much more information about the configuration, and you can control other network parameters such as the DNS resolver cache on a computer. In addition, you can release and renew IP addresses that are assigned by a DHCP server, provided that the computer is configured to obtain an IP address automatically. Table 4.3 shows the additional switches or parameters available with the ipconfig command and what each one enables you to do.

4.1.1.6.2. ifconfig

The ifconfig command is used in Unix and Linux operating systems to configure interfaces and view information about configured interfaces. The syntax of ifconfig is very different from that of ipconfig. You will be glad to know that you will not have to memorize the syntax of the ifconfig command, but you should know the general uses of the command as we discussed. You can, however, find information about the entire syntax and use of the ifconfig command on the Web at www.linux.com.

Table 4.3. Common ipconfig Commands

ipconfig Command       Purpose
ipconfig /all          Displays the full TCP/IP configuration for all adapters. (Adapters include physical interfaces as well as dialup connections.)
ipconfig /renew        Releases and renews the IP address on an adapter. (Computer must be configured to obtain an IP address automatically.)
ipconfig /release      Releases an IP address that was obtained automatically but does not renew an address. This is a useful tool when moving a computer from one subnet to another.
ipconfig /flushdns     Flushes the DNS client resolver cache. This can be a useful tool when you're troubleshooting name resolution problems.
ipconfig /displaydns   Displays the contents of the DNS client resolver cache. Includes entries that are preloaded from the Hosts file as well as recently obtained resource records.
ipconfig /registerdns  Initiates manual dynamic registration for the DNS names and IP addresses that are configured on a computer. Especially useful when troubleshooting DNS name resolution problems.
ipconfig /showclassid  Shows special DHCP server configuration options on the client when it is configured. This tells the DHCP server to give the client a different set of options based on its class.
ipconfig /setclassid   Used to configure the class of a client so as to match the configured classes in a DHCP server. Ensures that the client will receive the appropriate options from the DHCP server based on its class.
ipconfig /?            Displays help and syntax for the command.

4.1.1.7. winipcfg

A GUI-based tool, winipcfg can be used to view IP configuration and to release and renew IP addresses. It is rarely used in today's networks because it is only available on Windows 9x systems, such as Windows 95, Windows 98, and Windows Me. In fact, Windows 98 and Windows Me have both winipcfg and ipconfig.

You initiate winipcfg on a Windows 9x computer by clicking Start, then Run, and typing winipcfg. This opens a GUI tool, as shown in Figure 4.5. You can view the MAC address and assigned IP address of each of the adapters on the computer. You can also release and renew the IP addresses. While this GUI tool does provide some convenience, it does not offer the capability that the newer ipconfig command provides.

Figure 4.5. The winipcfg tool

4.1.1.8. nslookup

As we have discussed many times, DNS is an essential component in most networks. This is especially true if you are using Windows 2000 Server or Windows Server 2003 with Active Directory. The nslookup utility allows you to troubleshoot problems related to DNS. You can use nslookup to research information about a DNS server or to set a DNS configuration on a server. You can use nslookup in either noninteractive or interactive mode. You should know the difference between these two methods of use.

To use nslookup in noninteractive mode, simply type the command that you want to initiate at the command prompt. If you are not sure what to type, you can enter interactive mode to find out: type nslookup, press Enter, and then type ? to see a list of all of the commands that you can execute. Determine the command that you want to use and then type exit to get out of interactive mode. There are many commands that you can use with nslookup. It's not necessary that you know all of them (thank goodness!), but you should know that they all relate to hostname resolution in one way or another and that the tool is generally used on large domain-based networks.

To use nslookup in interactive mode, type nslookup and then press Enter. You can then execute multiple nslookup queries and commands from within the nslookup utility. To exit the utility, simply type exit. The commands in interactive mode are the same as those in noninteractive mode, except that you don't have to type nslookup before each command. Figure 4.6 shows the nslookup tool in interactive mode.

Figure 4.6. The nslookup tool in interactive mode

4.1.2. Exam Essentials

Know when to use the ping utility. The ping utility is one of the most commonly used of all network tools. It is typically used to verify physical network connectivity between computers but can also be used to test name resolution by pinging the hostname of a computer instead of the IP address.

Know when to use the tracert (traceroute) utility. The tracert (also referred to as traceroute) utility is typically used to determine more information about a network problem after a ping was unsuccessful. This utility manipulates the TTL of the packets that it sends onto the network so as to force each of the routers to send its identity when it discards the packet. The tracert utility can be used to isolate a network failure to a specific interface on a router.

Know when to use the arp utility. The arp utility is primarily used to modify the arp cache, which is used to resolve IP addresses to MAC address. There are two types of arp entries: dynamic and static. Dynamic entries are much less likely to cause a problem than static entries. Changing a NIC on a computer for which other computers have a static arp entry can cause the computer to be unavailable on the network.

Know when to use the netstat utility. The netstat utility displays protocol statistics for active and listening ports. It can be used to determine whether an application is failing because the ports that it requires are not functional. The netstat utility has many options or switches that enable you to customize a query.

Know when to use the nbtstat utility. The nbtstat utility displays information about the NetBIOS name cache, which is a factor in NetBIOS name resolution. The nbtstat tool can be used to troubleshoot name resolution problems by displaying information as well as by clearing invalid information from the cache. You should be able to list the most common options or switches for the nbtstat command.

Know when to use ipconfig/ifconfig. The ipconfig and ifconfig commands enable you to view information about interfaces and to configure interfaces. The ipconfig command is used on Microsoft systems, whereas the ifconfig command is used on Unix and Linux systems. Be familiar with the most common options or switches used with these commands.

Know when to use the winipcfg utility. The winipcfg utility is a GUI-based tool that is only available on Windows 95, Windows 98, and Windows Me. This utility enables you to view configuration information and to release and renew IP addresses for computers that are configured to obtain an IP address automatically, but it does not have the flexibility of the command line–based ipconfig utility.

Know when to use the nslookup utility. The nslookup utility is a tool that you can use to troubleshoot hostname resolution. You can use this utility in either noninteractive or interactive mode. The nslookup tool would most likely be used to troubleshoot name resolution in a large domain-based network.
