4.2. Identifying Network Utilities and Their Output

Now that we have discussed the general function and use of each of the most common network utilities, you may be wondering what you should be looking for when you use each of the utilities. Each utility has a specific purpose and an expected output of which you should be aware. In other words, if you know what you are looking for in the output, then you can spot a detail that doesn't seem to fit and that could indicate a problem.

4.2.1. Critical Information

You should be able to identify the output from each of the main network utilities as having originated from that utility. In addition, you should be able to interpret the output of the most common network utilities and spot inconsistencies that may signal a problem. In this section, we will discuss each network utility's expected output and possible inconsistencies in detail.

4.2.1.1. ping

When you ping a network host from a Microsoft computer, four echo request packets are sent with the destination address of the host. If the ping is completely successful, all four packets will receive a reply and the packet loss percentage will be 0 percent, as shown in Figure 4.7.

Figure 4.7. A completely successful ping

If the ping is not completely successful, some of the packets may be replied to while others are not. This would most likely indicate a failing NIC or a flapping connection. Still another possibility is that the ping is not replied to at all. If you pinged the IP address, no reply would indicate that there is no physical connectivity between the two computers, but the output can come back in a few different forms, such as a Request timed out message or a Destination host unreachable message. A Request timed out message usually indicates that no other entity replied to the packets at all, whereas a Destination host unreachable message is a message from a router indicating that the host is recognized on the network but that it cannot be contacted at this time. In either case, your next step should be to attempt to isolate the problem further by using another tool such as tracert.
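The classification above (complete, partial, timed out, unreachable) applied to a captured ping transcript, as an added example that is not part of the original text; the transcripts are constructed, and the helper counts genuine echo replies rather than trusting the Received figure, because Windows counts unreachable notices as received.

```python
import re
from dataclasses import dataclass

# Constructed sample transcripts, modelled on Windows ping output (not real captures).
PING_PARTIAL = """Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=1ms TTL=128
Request timed out.
Reply from 192.0.2.10: bytes=32 time<1ms TTL=128
Reply from 192.0.2.10: bytes=32 time=2ms TTL=128

Ping statistics for 192.0.2.10:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""
PING_UNREACHABLE = """Pinging 192.0.2.77 with 32 bytes of data:
Reply from 192.0.2.1: Destination host unreachable.
Reply from 192.0.2.1: Destination host unreachable.
Reply from 192.0.2.1: Destination host unreachable.
Reply from 192.0.2.1: Destination host unreachable.

Ping statistics for 192.0.2.77:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
# A genuine echo reply carries bytes=/time=/TTL=; unreachable notices do not.
ECHO_REPLY = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+", re.M)
STATS = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")

@dataclass
class PingVerdict:
    sent: int
    replies: int
    loss_pct: int
    verdict: str   # complete | partial | unreachable | timed_out

def assess_ping(output: str) -> PingVerdict:
    """Classify a ping transcript using the rules from section 4.2.1.1."""
    m = STATS.search(output)
    sent = int(m.group(1)) if m else 4         # Windows default: four echo requests
    replies = len(ECHO_REPLY.findall(output))  # the Received figure also counts unreachable notices
    unreachable = output.count("Destination host unreachable")
    loss_pct = round(100 * (sent - replies) / sent)
    if replies == sent:
        verdict = "complete"        # 0% loss, the healthy case
    elif replies > 0:
        verdict = "partial"         # flapping link or failing NIC per the text
    elif unreachable > 0:
        verdict = "unreachable"     # something answered, but the host could not be reached
    else:
        verdict = "timed_out"       # nothing answered at all
    return PingVerdict(sent, replies, loss_pct, verdict)
```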

4.2.1.2. tracert/traceroute

As we mentioned before, the main purpose of the tracert (traceroute) utility is to isolate a network issue to a specific interface on a specific router. The expected output of the utility is a list of the routers that the packets are encountering as they traverse the network to their destination. The time (in milliseconds) should also be relatively even between each router interface, as shown in Figure 4.8. If the trace does not complete, then the last router that is listed is the best place to start troubleshooting the problem; the problem will likely be the next router in the path. The error could be due to an improper configuration or to filtering, such as a firewall or an access list. In addition, if any of the hops seem to take a significantly longer period of time, this may indicate a problem with a device or a problem regarding too much traffic in a network segment.

Figure 4.8. A healthy trace
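The two checks the section describes for a trace (where it stopped, and which hop is unusually slow) run over a captured tracert transcript, as an added example that is not from the original text; the transcript is constructed, and the slowness rule (average above 5x the median of responding hops and above 50 ms) is an assumption chosen here.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample, modelled on Windows tracert output (not a real capture).
TRACE_INCOMPLETE = """Tracing route to example.net [198.51.100.9]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  192.0.2.1
  2     4 ms     3 ms     4 ms  203.0.113.1
  3   210 ms   198 ms   225 ms  203.0.113.50
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
"""

# hop number, three probe results ("<1 ms", "210 ms" or "*"), then the router address
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(\S.*)$", re.M)
RTT_RE = re.compile(r"<?(\d+) ms")

@dataclass
class Hop:
    number: int
    rtts: list       # round-trip times (ms) of the probes that were answered
    address: str

    @property
    def avg(self) -> float:
        return sum(self.rtts) / len(self.rtts)

def parse_tracert(output: str) -> list:
    return [Hop(int(n), [int(ms) for ms in RTT_RE.findall(probes)], addr.strip())
            for n, probes, addr in HOP_RE.findall(output)]

def analyze_trace(output: str, slow_factor: float = 5.0, slow_floor_ms: int = 50) -> dict:
    """Apply the section 4.2.1.2 rules: where did the trace stop, and which hops are slow?"""
    hops = parse_tracert(output)
    answered = [h for h in hops if h.rtts]
    complete = bool(hops) and bool(hops[-1].rtts)
    last = answered[-1] if answered else None
    # A hop is "slow" if its average is well above the median of the responding hops.
    baseline = statistics.median(h.avg for h in answered) if answered else 0.0
    slow = [h.number for h in answered if h.avg > max(slow_floor_ms, slow_factor * baseline)]
    return {
        "complete": complete,
        "last_responding_hop": last.number if last else None,
        "start_troubleshooting_at": last.address if last else None,
        "suspect_hop": last.number + 1 if last and not complete else None,
        "slow_hops": slow,
    }
```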

4.2.1.3. arp

The arp cache in most computers should contain the dynamic entries that have been added by the system for hosts that have been resolved within the last 10 minutes. In rare cases, the arp cache might also contain static entries added by an administrator, but static entries are usually not recommended and are rarely used on most computers. (Refer to the information about arp in section 4.1 of this chapter.) Since most, if not all, of the entries are dynamic, the arp cache should be expected to change frequently. You can test the arp cache by simply pinging a computer in your network that is not currently listed in the arp cache. After you ping the computer and successfully get a reply, the computer's IP address and physical (MAC) address should be listed in your arp cache as a dynamic entry.
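The cache test just described, checked programmatically against two arp -a transcripts taken before and after the ping, as an added example that is not part of the original text; the transcripts are constructed, and the helper also lists static unicast entries, which the section says are rare on most computers (the broadcast and multicast entries the system adds itself are left out).

```python
import re
from dataclasses import dataclass

# Constructed "arp -a" transcripts (not real captures): before and after pinging 192.0.2.10.
ARP_BEFORE = """Interface: 192.0.2.20 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-1b-2c-3d-4e-5f     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
ARP_AFTER = ARP_BEFORE + "  192.0.2.10            00-1b-2c-3d-4e-60     dynamic\n"

# one cache row: IPv4 address, dash-separated MAC, entry type
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.M | re.I)

@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    kind: str    # "dynamic" or "static"

def parse_arp(output: str) -> dict:
    """Map IP address -> ArpEntry from the output of arp -a."""
    return {ip: ArpEntry(ip, mac.lower(), kind.lower())
            for ip, mac, kind in ENTRY_RE.findall(output)}

def verify_learned(before: str, after: str, ip: str):
    """The section 4.2.1.3 test: the pinged host must be absent before and dynamic after.
    Returns the learned MAC, or None if the cache did not behave as expected."""
    if ip in parse_arp(before):
        return None       # host was already cached, so the test proves nothing
    entry = parse_arp(after).get(ip)
    return entry.mac if entry and entry.kind == "dynamic" else None

def unexpected_static(output: str) -> list:
    """Static unicast entries are rare on workstations and worth a second look;
    the broadcast (ff-ff-...) and multicast (01-00-5e-...) rows are expected."""
    return [e.ip for e in parse_arp(output).values()
            if e.kind == "static"
            and e.mac != "ff-ff-ff-ff-ff-ff"
            and not e.mac.startswith("01-00-5e")]
```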

4.2.1.4. netstat

Depending on the options or switches that you have chosen, a netstat command could have many different looks. The common thread between looks, however, will be that it will focus on ports. Some netstat commands display active and listening ports while other commands focus on specifics about the ports, such as the protocols that are being used on them. Figure 4.9 shows a netstat command with the -s switch to display per-protocol statistics.

Figure 4.9. netstat -s

4.2.1.5. nbtstat

Since nbtstat is a utility that enables you to view and manage the NetBIOS name cache, most nbtstat output will be directly related to NetBIOS over TCP/IP. As with netstat, the output may differ greatly depending on the options or switches that you choose. All of the output, however, will relate to NetBIOS names or statistics. Figure 4.10 shows the nbtstat -S command, which displays a list of current NetBIOS sessions and their status.

Figure 4.10. nbtstat -S

4.2.1.6. ipconfig

As mentioned before, the ipconfig command with no switches simply displays the IP address, subnet mask, and default gateway of all of the adapters on the computer. If the computer is configured for IPv6 as well as IPv4, then the ipconfig command will display both addresses. When used with switches, the ipconfig command is a very flexible tool that can be used to clear the DNS cache, release and renew IP addresses, and so on. The output from this command will be specific to the type of command, but all output will in some way relate to IP address configuration or name resolution configuration. Figure 4.11 shows the output of an ipconfig /all command.

Figure 4.11. ipconfig /all

4.2.1.7. nslookup

Since the nslookup utility is specifically focused on hostname resolution, all output from the nslookup command will be related to hostname resolution files and/or services. If a computer is a member of an Active Directory domain, and you simply type nslookup at the command prompt, then you should expect to see output indicating the authoritative DNS server for that domain. This action will also put you into the interactive mode of nslookup, where you can type ? to determine your other options. Figure 4.12 shows the results of typing nslookup on a computer that is a member of a domain.

Figure 4.12. Running nslookup on a domain

4.2.2. Exam Essentials

Be able to identify and interpret the output of the ping command. Be able to identify the output of a ping command and interpret whether the ping was successful or unsuccessful. If the ping was unsuccessful, then you should be able to interpret whether it was actually received by any other network host. You should also be able to interpret a partially successful ping as related to a failing NIC or a flapping network connection.

Be able to identify and interpret the output of the tracert/traceroute command. The expected output of a tracert command is a list of routers that the echo request packets must traverse on their way to their destination. The times at each router should be fairly consistent; an unusually high amount of time might indicate a failing device or too much traffic in that part of the network. A trace that does not complete will generally isolate the network problem as the last router on its list or the next router in the path.

Be able to identify and interpret the output of the arp command. The arp cache in most computers should contain only the dynamic entries that have been added by the system for hosts for which it has resolved a MAC address in the last 10 minutes. It is possible to add a static (permanent) entry to an arp cache, but it's not recommended in most cases. On your computer you can test the arp cache by pinging a computer on the network that is not currently listed and then viewing the arp cache to make sure that the computer's IP address and MAC address are listed.

Be able to identify and interpret the output of the netstat command. A netstat command's output can have many different looks, depending on the options that are chosen with the command. The common thread will be that each relates in some way to ports. The netstat command output may just list the active ports, or it may have very specific statistics about the protocols used on the ports.

Be able to identify and interpret the output of the nbtstat command. The output of the nbtstat command may vary depending on the options or switches selected. The common thread of all output types is that they will relate to NetBIOS over TCP/IP. You can use some nbtstat commands to make changes to the NetBIOS name cache, such as the -R command, which purges the cache.

Be able to identify and interpret the output of the ipconfig command. The output from an ipconfig command with no switches or options shows only the IP address (IPv4 and/or IPv6), subnet mask, and default gateway of each of the adapters in the computer. The ipconfig command switches make it a very flexible tool that you can use to view the entire IP configuration of a computer and even to make changes, such as releasing and renewing dynamic IP addresses.

Be able to identify and interpret the output of the nslookup command. The nslookup command output can take on many looks, depending on the options that you select. The common thread will be that they are related to hostname resolution. The nslookup utility has two basic modes: noninteractive and interactive. You enter the interactive mode simply by typing nslookup at the command prompt.
