CHAPTER 11: Network Troubleshooting Tools

own header to the packet. When a network packet is passed from one host to another, the receiving host will read or analyze the packet one layer at a time, with the application layer reading the application layer header, the presentation layer reading the header from the presentation layer, and so forth.

You can use your understanding of the OSI model to improve your troubleshooting techniques. It’s important to understand what takes place at each layer of the OSI model, and which devices operate at these layers. When it comes to network troubleshooting, the most important layers of the model are the physical, data link, network, and transport layers. Let’s take a look at each of these layers in turn.

The Physical Layer

The physical layer is the lowest layer of the OSI model, and it involves the actual electrical signals that travel from the network cables into the NIC of a computer, switch, router, or hub. A failure at the hardware level will usually involve the physical components of a computer or device, such as the cable that connects the computer to the network or the network card itself. Network hubs also operate at the physical layer, so a failure in a network hub could also lead to connectivity issues at the physical layer.

The physical layer is responsible for a number of different functions, including:

- The type of signal transmission used
- The cable type
- The actual layout or path of the network wiring
- The voltage and electrical signals used by the network cabling

When using the OSI model for troubleshooting, you should know which devices operate at which layer. The following devices function at the physical layer of the OSI model:

- Network cabling
- Network interface cards
- Active and passive hubs
- Repeaters

Note: We are only going to touch on the function of each layer here – refer back to previous chapters for an in-depth look at the layers of the OSI model.
When troubleshooting at the physical layer, be on the lookout for issues with NIC drivers, as well as physical failures of a NIC, hub, or length of cabling.

The Data Link Layer

The data link layer is responsible for taking the information from the physical layer and organizing it into frames. The data link layer takes the information that it receives from higher up in the OSI model and passes it down to the physical layer to be transmitted across the wire. The functions of the data link layer include error checking: the data link layer adds error-checking information to each frame of data that it transmits. The data link layer is also responsible for error-free delivery of these data frames as well as maintaining the reliability of the communications between two computers.

The two types of devices that operate at the data link layer of the OSI model are switches and bridges. Bridges are able to divide a network into multiple segments, but they aren’t able to actually subnet a network the way that a router does. So, if you use a bridge to physically separate two areas of the network, it will still appear to be one big network to higher-level protocols in the network layer, transport layer, and above. Bridges and switches are useful for cutting down on network congestion because they can do some basic filtering of data traffic based on the MAC address of the destination computer. When a transmission reaches the bridge, the bridge will not pass it across to the other side of the network if the MAC address of the destination computer is known to be on the same side of the network as the sending computer. As a part of this process, the bridge or switch builds tables (similar to a routing table) indicating which addresses are on which side, and uses them to determine whether to let the transmission across.

Test Day Tip: An active hub will boost the signal that’s being sent before transmitting it to the nodes attached to the hub. A passive hub will simply transmit the information without any sort of boost.

Test Day Tip: At the data link layer, frames are addressed from one computer to another by way of the physical MAC address that’s burned into every NIC.

The Network Layer

The network layer is where the majority of troubleshooting issues will occur. The network layer takes the frames it receives from the data link layer and organizes them into packets. The network layer is also the layer where physical MAC addresses are translated into IP addresses. Unlike MAC addresses, which are physically assigned to each NIC and can never be changed, IP addresses are logical addresses that can be added, modified, and removed as often as you want. This allows a single computer to be moved and reconfigured to belong to many different IP subnets throughout the course of its life. This flexibility comes at a price, because these IP addresses are assigned by human administrators and are therefore somewhat prone to misconfiguration and error. If you misconfigure a network card’s IP address or subnet mask by even a single digit, that computer will experience connectivity issues and may not be able to connect with other local and remote computers.

The most important physical device at the network layer is the router. This is the device that uses the logical IP addresses of the network layer to transmit network packets from one subnet to another. Depending on where the problem occurs, failures at the network layer can create connectivity issues for a single client or an entire subnet. When this happens, the devices in question will not be able to communicate with another portion of a network, either because of a physical device failure or because a router has been configured with an incorrect route, subnet mask, or some other key piece of information.
Because network layer issues can render a computer entirely unable to communicate on a routed network, they tend to be the most visible troubleshooting issues, so you should have a firm grasp of the functions of the network layer and the tools you can use to troubleshoot here. The best tools to check connectivity at the network layer are ping, tracert, traceroute, and pathping, which we’ll discuss in a later section.

The Transport Layer

Once a packet has left the network layer, the transport layer takes over. This is where network packets are further differentiated by the port number that they are using to communicate; these port numbers can be for either connection-oriented TCP communications or low-overhead connectionless User Datagram Protocol (UDP) applications. Any application that has to communicate between two networked computers will have to use a particular port number, and the most common services all have well-known port numbers that have been assigned by the Internet Assigned Numbers Authority (IANA). Firewalls and proxy servers will often work at the transport layer to filter traffic based on the TCP or UDP port that it’s using. If you’re having issues at the transport layer, you’ll probably find individual network applications that aren’t functioning properly, like a user who can Telnet to a particular host but is unable to connect to the Web server running on the same computer.

The transport layer is responsible for making sure that data sent by one computer arrives at its intended destination in good condition. Sending and receiving computers also need a way to differentiate between different communications that may be addressed to different applications on the same computer, which is where TCP and UDP port numbers become useful. Troubleshooting the transport layer is quite similar to working at the application layer, as the TCP and UDP protocols form the basis of the ports that are used by all network applications.
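The transport-layer check described above (connecting to a port, as you would with telnet, to see whether anything is listening) as an added Python example that is not from the book; the classification of the three outcomes is the point, and the loopback listener in demo() is a constructed stand-in for a real target host and port.

```python
import errno
import socket


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Transport-layer equivalent of 'telnet host port'.

    'open'      : handshake completed, so a service is listening on that port.
    'closed'    : the host answered with a reset; it is reachable at the network
                  layer, but nothing listens on the port (an application problem).
    'filtered'  : nothing came back before the timeout; typically a firewall dropping
                  the port, or a network-layer problem on the way there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # EHOSTUNREACH / ENETUNREACH and friends: the fault is below the transport layer
        return "unreachable (%s)" % errno.errorcode.get(exc.errno, exc.errno)


def demo() -> tuple:
    """Constructed local scenario: a listener on an ephemeral loopback port reads 'open';
    once it is closed, the same port is answered with a reset and reads 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
```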
You can use telnet to see if a particular port is listening on the destination machine, and you can use the netstat utility, which will be discussed in the next section, to see a list of all ports that are listening on a particular machine.

WINDOWS TOOLS

Because TCP/IP has become the default network protocol for Windows operating systems, it’s important to have a good understanding of TCP/IP troubleshooting when working with any of the Microsoft operating systems. Windows computers have a number of built-in utilities that will assist you in troubleshooting TCP/IP problems relating to basic connectivity and name resolution. The most common tools that you should be aware of include the following:

- ping
- nslookup
- tracert
- arp
- ipconfig
- nbtstat
- netstat
- pathping

In this section, we’ll take a detailed look at each of these tools, including what the tool is used for and what type of output it produces. We’ll also look at some examples of how to apply these tools, and at other more advanced tools that won’t necessarily appear on the Network+ exam, but can still be used to troubleshoot a particular problem.

Utilizing the ping Command

The ping command, which stands for Packet INternet Groper, uses Internet Control Message Protocol (ICMP) echo messages to communicate with other computers. You will usually use the ping command to test basic TCP/IP connectivity between two computers. You can ping a computer using either its IP address or its hostname. In Figure 11.3, we are using a hostname to test connectivity with a target machine.

FIGURE 11.3 Utilizing a Hostname with the ping Command.

The ping command has the following switches:

- ping –t will ping a specified host continuously until you stop it by typing Ctrl + C. Typing Ctrl + Break will show you statistics on the ping results and then continue.
- –a resolves IP addresses to hostnames. For example, if you ping a computer with the IP address 192.168.1.101 and you need to find out its Domain Name System (DNS) name, you can ping using the –a switch. The output of this switch is displayed in Figure 11.4.
- –n will let you specify the number of ping packets to send. For example, the command ping –n 10 192.168.1.101 will send 10 ping packets to the specified host.
- –w specifies how long each packet should wait before it times out and returns a “Request timed out” error. The default value is 1000 ms.
- –i will change the default Time To Live (TTL) for the ICMP echo messages used by the ping command. By default, the TTL is 252, which means that a ping command can pass through 252 router hops before the packet is dropped. You can alter this value using the –i switch.

FIGURE 11.4 Utilizing the ping Command with the –a Switch.

Utilizing the tracert Command

The tracert utility allows you to trace the path that a network packet will take from one host to another. A network packet will often have to pass through several routers or hops to reach its destination, and you can use tracert to determine whether one of these routers, or a link between two routers, is overloaded or has failed. The tracert utility works by sending a series of ICMP echo requests, much like the ping utility. For example, when you type tracert www.digitalthink.com at the command prompt, you’ll see output that resembles the output displayed in Figure 11.5.

FIGURE 11.5 Utilizing the tracert Command.

HEAD OF THE CLASS… Understanding ICMP

ICMP is documented in RFC 792, which you can read online at www.freesoft.org/CIE/RFC/792/index.htm. ICMP is part of the TCP/IP protocol suite that operates at the network layer. ICMP messages are primarily used to send messages related to network troubleshooting, so an understanding of ICMP is a critical part of the network troubleshooting process. Some of ICMP’s main functions are as follows:

- Reporting network connectivity issues: for instance, if a particular computer or a larger portion of a network becomes unavailable or unreachable. Whenever a computer or router forwards an IP datagram to a remote host, the forwarding device will decrement the TTL field of the IP header by one. If this TTL ever reaches 0, ICMP will create a “time to live exceeded in transit” message and send it back to the host that initiated the message.
- Informing users of network congestion: if a router is receiving too many packets to process efficiently, it will create an ICMP Source Quench message and forward this message to the host that is sending the large number of packets. This message will cause the source machine to slow down how quickly it is sending packets to allow the router to “catch up”.
- Providing information for network troubleshooting: most common network utilities use ICMP to communicate, including ping, tracert, and traceroute. These utilities look for ICMP “time to live exceeded in transit” messages, as well as “destination unreachable” messages, to determine whether a particular host or group of hosts is reachable.

Each line in the tracert output indicates one hop on the path between your local computer and the destination. The second column of each row in Figure 11.5 indicates the round-trip response time for a single ping to get to that router and back. As you can see in the example, this ping is sent three times to each router, so there are three columns depicting millisecond response time. There are also command line switches that you can use to customize the tracert output:

- tracert –d will instruct tracert not to resolve IP addresses to hostnames (this will increase the speed of the tracert).
- tracert –h maximum_hops will indicate the maximum number of hops that tracert will use to search for a target.
If tracert reaches this maximum number and hasn’t reached the target yet, it will quit. The default value is 30 hops.
- tracert –w timeout indicates the amount of time each ping will wait for each reply in milliseconds. The default value is 1000 ms.

Utilizing the pathping Command

The pathping utility is an updated and expanded version of ping. The pathping utility will send ICMP echo request messages to each router along the path to the destination host and will calculate how long it takes each router to reply. The pathping tool combines the capabilities of both tracert and ping, and gives you additional information that you can’t get easily from using either tool individually. Pathping calculates the following information each time it runs:

- The amount of time it takes the ping packet to get to the destination host and back, called the round-trip time.
- The amount of time it takes to ping each individual router.
- The percentage of ping requests that are lost at each router.
- The percentage of ping requests lost between the routers.

Pathping provides some interesting statistics for network troubleshooting because it gives you information regarding where packet loss is taking place, which can indicate that a particular router may be overloaded or malfunctioning. You can see an illustration of this in Figure 11.6.

FIGURE 11.6 Following a Packet Through a Large Network.

Exam Warning: Do not get confused between tracert and traceroute; they are essentially the same tool with different names. Tracert is used on Microsoft Windows systems and traceroute is used on other systems such as Cisco’s Internetwork Operating System (IOS) as well as UNIX and Linux.

One thing to be aware of before running pathping on a Windows Vista machine is that you will need to launch the command window as administrator for the command to execute properly. Once you run the command, you should notice that pathping first runs a tracert to the remote host, identifies all of the routers along the path to the destination, and shows you a list of those routers in the first section of the output. Then, pathping provides statistics about each router and each link between the routers. For example, when you enter the command pathping www.microsoft.com, you’ll see the output shown in Figure 11.7.

From this information, you can assess whether an individual router is being overworked, or whether there is congestion on a link between routers. The last two columns of the pathping output provide the most useful information when you’re troubleshooting routers and the links between them. Notice that in the last column you can see the name of the router and its IP address, with a percentage listed to the left of the router. If this percentage is a high number, it means that a large number of ping packets are being lost when they’re sent to that router. This is an indication that the router itself may be overloaded.

FIGURE 11.7 Utilizing the pathping Command.
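As an added Python example, not from the book, of the ICMP mechanics described in the Understanding ICMP sidebar and relied on by ping, tracert and pathping: it builds an echo request with the RFC 792 checksum and parses the Time Exceeded message a router returns when the TTL reaches 0, recovering the identifier and sequence of the probe that triggered it. The IP header, identifier and sequence values are constructed for the demonstration.

```python
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """Echo Request (type 8, code 0); the checksum field is zero while the sum is computed."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_time_exceeded(orig_ip_header: bytes, orig_first8: bytes) -> bytes:
    """What a router sends when TTL hits 0: type 11, a 4-byte unused field, then the
    offending IP header plus the first 8 bytes of that datagram (constructed for the demo)."""
    body = orig_ip_header + orig_first8
    csum = icmp_checksum(struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + body)
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, csum, 0) + body


def parse_icmp(msg: bytes) -> dict:
    """Verify the checksum and decode the header. For Time Exceeded / Destination Unreachable
    the quoted 8 bytes are the original echo header, so the identifier and sequence of the
    probe that caused the error can be recovered; that is how tracert and pathping match a
    hop's reply to the probe it belongs to."""
    if len(msg) < 8:
        raise ValueError("ICMP message too short")
    if icmp_checksum(msg) != 0:               # a valid message sums to zero, checksum included
        raise ValueError("bad ICMP checksum")
    mtype, code, _, a, b = struct.unpack("!BBHHH", msg[:8])
    info = {"type": mtype, "code": code}
    if mtype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info.update(ident=a, seq=b)
    elif mtype in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACHABLE):
        inner_ip = msg[8:]
        ihl = (inner_ip[0] & 0x0F) * 4        # IPv4 header length in bytes
        if len(inner_ip) < ihl + 8:
            raise ValueError("truncated quoted datagram")
        _, _, _, ident, seq = struct.unpack("!BBHHH", inner_ip[ihl:ihl + 8])
        info.update(ident=ident, seq=seq, orig_dst=".".join(str(o) for o in inner_ip[16:20]))
    return info
```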
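The reading of pathping's statistics section described above (loss at the node points at the router, loss on the link points at congestion between routers) as an added Python example that is not from the book. The pathping output it parses is a constructed sample in the layout of the Windows statistics section, with made-up addresses and loss figures.

```python
import re

# Constructed sample of pathping's statistics section (layout as on Windows; values made up).
SAMPLE_PATHPING = """\
Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           192.168.1.10
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.1.1
                               14/ 100 = 14%   |
  2   23ms    14/ 100 = 14%     0/ 100 =  0%  10.0.0.1
                                0/ 100 =  0%   |
  3   41ms    16/ 100 = 16%     2/ 100 =  2%  203.0.113.7
                                0/ 100 =  0%   |
  4   40ms    41/ 100 = 41%    25/ 100 = 25%  203.0.113.9
"""

# A router line: hop, RTT, cumulative loss, this-node loss, address.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+)ms\s+(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+(\S+)")
# The '|' line between two routers: loss on the link leading to the next hop.
LINK_RE = re.compile(r"^\s+(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+\|")


def parse_pathping(text: str) -> list:
    """Return one dict per router hop; link_loss_pct is the loss on the link INTO that hop."""
    hops, pending_link = [], None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            pending_link = int(m.group(3))
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "rtt_ms": int(m.group(2)),
                         "source_to_here_pct": int(m.group(5)),
                         "node_loss_pct": int(m.group(8)), "link_loss_pct": pending_link,
                         "address": m.group(9)})
            pending_link = None
    return hops


def diagnose(hops: list, threshold: int = 10) -> list:
    """Apply the book's rule of thumb: node loss => overloaded router, link loss => congested link."""
    findings = []
    for h in hops:
        if h["node_loss_pct"] >= threshold:
            findings.append("hop %d (%s): router itself dropping %d%% of probes"
                            % (h["hop"], h["address"], h["node_loss_pct"]))
        if h["link_loss_pct"] is not None and h["link_loss_pct"] >= threshold:
            findings.append("hop %d (%s): link into this hop losing %d%%"
                            % (h["hop"], h["address"], h["link_loss_pct"]))
    return findings
```

Note that the cumulative "Source to Here" column rises at hop 2 and stays high afterwards, which is why the per-node and per-link columns, not the cumulative one, locate the fault.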