9 TCP/IP utilities

Objectives

When you have completed study of this chapter you should be able to apply the following utilities:

• Ping
• ARP
• NETSTAT
• NBTSTAT
• IPCONFIG
• WINIPCFG
• tracert
• ROUTE

Introduction

The TCP/IP utilities are discussed throughout the book. This section is designed to bring them all together in one place for ease of reference, as they are very important in network management and troubleshooting. Most of the older utilities are DOS-based. However, more and more Windows-based utilities are becoming available, many of them as freeware or shareware.

Ping (Packet Internet Groper)

‘Pinging’ is one of the easiest ways to test connectivity across the network and confirm that an IP address is reachable. The DOS ping utility (ping.exe) uses ICMP to forward an echo request packet to the destination address. The destination then responds with an ICMP echo response packet. Although the test seems trivial at first sight, it is a powerful diagnostic tool and can demonstrate correct operation between the Internet layers of two hosts across a WAN, regardless of the distance and number of intermediate routers involved.

Technically speaking, the ping utility can only ‘ping’ an IP address. This is because the ICMP messages are carried within IP datagrams, which require the source and destination IP addresses in the header. Without this feature, it would have been impossible to ‘ping’ across a router. If, therefore, the user does not know the IP address, the name resolver on the local host system has to look it up, e.g. via the domain name system or in the hosts file. The IP datagram, in turn, is transported by means of a network interface layer frame (e.g. Ethernet), which requires, in its header, the MAC addresses of the source and destination nodes on the local network. If the destination MAC address is not to be found in the ARP cache, the ARP protocol is invoked in order to obtain it.
The result of this action (the mapping of MAC address against IP address) is then stored in the ARP cache. The easiest way to get an overall impression of the process is to capture the events described here by means of a protocol analyzer.

If the IP address is known, the following format can be used:

• ping <IP Address> e.g. ping 192.100.100.4

Ping 192.100.100.255 will cause all hosts on network 192.100.100.0 to respond and will cause unnecessary traffic.

If the IP address is unknown, one of the following ways can be used to define the target machine:

• ping <host name> e.g. ping computer1. This can be done provided computer1’s IP address has already been resolved by NetBIOS
• ping <own machine> e.g. ping 127.0.0.1. This is a reserved IP address for loopback testing
• ping <own machine> e.g. ping localhost. This is a reserved name for loopback testing
• ping <domain name> e.g. ping www.idc-online.com. This will be resolved by the domain name system

There are several options available under the ping command, as shown below:

C:\WINDOWS.000>ping

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options

• -t  Ping the specified host until stopped. To see statistics and continue, type Control-Break; to stop, type Control-C
• -a  Resolve addresses to hostnames
• -n count  Number of echo requests to send
• -l size  Send buffer size
• -f  Set don’t fragment flag in packet
• -i TTL  Time to live
• -v TOS  Type of service
• -r count  Record route for count hops
• -s count  Time-stamp for count hops
• -j host-list  Loose source route along host-list
• -k host-list  Strict source route along host-list
• -w timeout  Timeout in milliseconds to wait for each reply

C:\WINDOWS.000>

Practical TCP/IP and Ethernet Networking

The following examples show how some of the ping options can be applied:

• ping 193.2.45.66 -t will ‘ping’ the specified IP address repetitively until stopped by typing Ctrl-C
• ping 193.2.45.66 -n 10 will ‘ping’ the specified IP address 10 times instead of the default of 4
• ping 193.2.45.66 -l 3500 will ‘ping’ the specified IP address with 3500 bytes of data instead of the default of 32 bytes

Here are some examples of what could be learned by using the ping command.

Example 1: A host with IP address 207.194.66.100 is being ‘pinged’ by another host on the same subnet, i.e. with the same NetID. In this example both addresses are conventional class C addresses. Note that the screen display differs between operating systems, even between Windows 95 and Windows 98, although the basic parameters are the same. The following response is obtained:

C:\WINDOWS.000>ping 207.194.66.100

Pinging 207.194.66.100 with 32 bytes of data:

Reply from 207.194.66.100: bytes=32 time<10ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128

Ping statistics for 207.194.66.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\WINDOWS.000>

From the result, the following can be observed:

• The ICMP message contained 32 bytes
• The average RTT (round trip time) to the target host and back is in the vicinity of 1 millisecond
• The TTL (time to live) remaining in the IP header after its return is 128. Since TTL is normally set at an initial value representing 2^5 (i.e. 32), 2^6 (i.e. 64) or 2^7 (i.e. 128), it can be safely assumed that the TTL value was not altered, and hence there are no routers between the source and destination hosts

Example 2: A host with IP address 207.194.66.101 is now ‘pinged’. Although this host is, in fact, nonexistent, it seems ‘legitimate’ since the NetIDs match. The originating host will therefore attempt a ping, but a timeout will occur.

C:\WINDOWS.000>ping 207.194.66.101

Pinging 207.194.66.101 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.194.66.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS.000>

Example 3: As before, but this time the NetID differs, i.e. the target host is assumed to reside on a different network. Since, in this case, no default gateway has been specified, the originating host does not even attempt to issue an ICMP message, and immediately issues a ‘host unreachable’ response.

C:\WINDOWS.000>ping 208.194.66.100

Pinging 208.194.66.100 with 32 bytes of data:

Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 208.194.66.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS.000>

The DOS ping command is not particularly ‘user friendly’. It is, for example, not possible to ping a large number of hosts sequentially. There are, however, several Windows-based ping utilities available as freeware or shareware, of which TJPingPro is an example. The following example shows how a block of contiguous IP addresses can be pinged with a single ‘click’, after setting up ‘start’ and ‘end’ IP addresses on the options screen.

Figure 9.1 TJPingPro sequential scan (courtesy of Top Jimmy Software)

ARP

The arp utility (arp.exe) is used to display the ARP cache, which holds the IP to MAC address translation of hosts on the local subnet. This utility is not to be confused with the ARP (address resolution protocol) that actually determines the IP to MAC address translation. The ARP utility can also be used to manually add entries to the cache, using the -s option.
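Before turning to the arp utility, the reasoning behind ping Examples 1 to 3 above (reply, timeout and host-unreachable outcomes, and the hop count inferred from the TTL left in a reply) worked through in code, as an added example that is not from the book. It generalises the TTL argument by assuming the initial TTL was the smallest of 32, 64, 128 or 255 that is not below the observed value; the 255 starting value and the ROUTED transcript are assumptions, not from the chapter.

```python
import re
# Initial TTLs: 2^5, 2^6 and 2^7 per the book; 255 is added as an assumption.
INITIAL_TTLS = (32, 64, 128, 255)
REPLY_RE = re.compile(r"Reply from (?P<ip>[\d.]+): bytes=(?P<size>\d+) "
                      r"time[<=](?P<ms>\d+)ms TTL=(?P<ttl>\d+)")

def estimate_hops(ttl_seen):
    # Each router decrements TTL by one, so hops = initial TTL - TTL seen; the
    # initial TTL is assumed to be the smallest common value not below the one seen.
    for initial in INITIAL_TTLS:
        if ttl_seen <= initial:
            return initial - ttl_seen
    return None  # a TTL above 255 cannot occur in a valid IP header

def parse_ping(output):
    # Summarise a Windows-style ping transcript such as those in Examples 1-3;
    # 'time<10ms' is counted as its upper bound of 10 ms.
    replies, timeouts, unreachable = [], 0, 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append(m)
        elif "Request timed out" in line:
            timeouts += 1        # Example 2: probe sent, no echo reply came back
        elif "Destination host unreachable" in line:
            unreachable += 1     # Example 3: no route, so no probe was sent
    sent = len(replies) + timeouts + unreachable
    if replies:
        verdict = "reachable"
    elif unreachable:
        verdict = "no route (off-net target and no default gateway)"
    else:
        verdict = "timeout (target silent or nonexistent)" if timeouts else "no probes"
    rtts = [int(m["ms"]) for m in replies]
    ttl = int(replies[-1]["ttl"]) if replies else None
    return {"sent": sent, "received": len(replies),
            "loss_pct": round(100 * (sent - len(replies)) / sent) if sent else 0,
            "rtt_avg_ms": sum(rtts) / len(rtts) if rtts else None,
            "ttl": ttl, "hops": estimate_hops(ttl) if ttl is not None else None,
            "verdict": verdict}

# Example 1 from the chapter, then a constructed (not from the book) routed host.
EXAMPLE_1 = """Reply from 207.194.66.100: bytes=32 time<10ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128
Reply from 207.194.66.100: bytes=32 time=1ms TTL=128"""
ROUTED = """Reply from 10.0.8.5: bytes=32 time=41ms TTL=120
Request timed out.
Reply from 10.0.8.5: bytes=32 time=39ms TTL=120"""
```

Pass the text of any `ping` transcript to parse_ping; a TTL of 120 in ROUTED yields eight hops because 128 is the nearest common starting value.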
C:\WINDOWS.000>arp

Displays and modifies the IP-to-physical address translation tables used by address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]

  -a          Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
  -g          Same as -a.
  inet_addr   Specifies an Internet address.
  -N if_addr  Displays the ARP entries for the network interface specified by if_addr.
  -d          Deletes the host specified by inet_addr.
  -s          Adds the host and associates the Internet address inet_addr with the physical address eth_addr. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.
  eth_addr    Specifies a physical address.
  if_addr     If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.

Example:
  > arp -s 157.55.85.212 00-aa-00-62-c6-09  .... Adds a static entry.
  > arp -a                                   .... Displays the arp table.

The following shows a typical display in response to the arp -a command. Note the third column, which indicates the type. Entries in the ARP cache can be entered manually as static entries, but that poses a problem: IP addresses can be changed and physical network cards (and hence MAC addresses) can be swapped, rendering the stored IP to MAC address mapping useless unless updated. For this reason the ARP protocol (not to be confused with the utility by the same name) binds IP addresses and physical (MAC) addresses in a temporary (dynamic) way. Dynamic entries are deleted from the cache after a few minutes if not used.
C:\WINDOWS.000>arp -a

Interface: 0.0.0.0 on Interface 0x1000002
  Internet Address      Physical Address      Type
  192.100.100.7         00-00-c6-f6-34-43     static
  192.100.100.99        00-00-fe-c6-57-a8     dynamic

C:\WINDOWS.000>
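The staleness problem described above, checked in code as an added example that is not from the book: it parses the arp -a display, compares each cached entry with the MAC address actually observed on the wire (for instance from the protocol analyzer capture mentioned earlier) and, for a static entry that no longer matches, emits the arp -d and arp -s commands documented above that would replace it. The OBSERVED mapping and the replacement MAC 00-50-04-1a-2b-3c are constructed values, not from the chapter.

```python
import re

# One entry line of Windows 'arp -a' output: IP, MAC as six hyphenated hex bytes
# (the same format arp -s expects) and the type column (static or dynamic).
MAC = r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"
ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(" + MAC +
                      r")\s+(static|dynamic)\s*$", re.I)
MAC_RE = re.compile(r"^" + MAC + r"$", re.I)

def parse_arp(output):
    # Return {ip: (mac, type)}; the 'Interface:' and column-header lines are skipped.
    cache = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            cache[ip] = (mac.lower(), kind.lower())
    return cache

def audit_cache(cache, observed):
    # 'observed' maps IP -> MAC actually seen on the wire. A cached entry that
    # disagrees is stale. A dynamic entry ages out by itself after a few minutes;
    # a static entry never does, so for it the arp -d / arp -s commands that
    # would replace the mapping are generated (the MAC is validated first).
    stale, commands = [], []
    for ip, (mac, kind) in sorted(cache.items()):
        seen = observed.get(ip)
        if seen is None or seen.lower() == mac:
            continue
        if not MAC_RE.match(seen):
            raise ValueError(f"{ip}: {seen!r} is not six hyphen-separated hex bytes")
        stale.append((ip, kind, mac, seen.lower()))
        if kind == "static":
            commands += [f"arp -d {ip}", f"arp -s {ip} {seen.lower()}"]
    return stale, commands

# The arp -a display from the chapter, plus constructed on-wire observations (not
# from the book) in which the network card of 192.100.100.7 has been swapped.
ARP_OUTPUT = """Interface: 0.0.0.0 on Interface 0x1000002
  Internet Address      Physical Address      Type
  192.100.100.7         00-00-c6-f6-34-43     static
  192.100.100.99        00-00-fe-c6-57-a8     dynamic"""
OBSERVED = {"192.100.100.7": "00-50-04-1a-2b-3c",   # constructed: replacement NIC
            "192.100.100.99": "00-00-fe-c6-57-a8"}  # unchanged
```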