
CompTIA Network+ Certification Study Guide part 56 ppsx


CHAPTER 11: Network Troubleshooting Tools
Windows Tools

In between the names of the routers in a tracert output, you see a “|” (pipe) character like this one:

    13  25ms   0/100 = 0%   0/100 = 0%  demarc.company.com [10.28.30.202]
                            0/100 = 0%   |
    14  24ms   1/100 = 1%   1/100 = 1%  seo1-ge2.router.mycompany.com [192.168.217.12]

This represents the link between the router and the next-hop router. When there is a large percentage of lost pings for the link, it indicates congestion on the network between hops. In this case, you would want to investigate problems with network congestion, rather than with the router itself. In Exercise 11.2, you will use the pathping command to view the path to www.yahoo.com.

EXERCISE 11.2 Utilizing the pathping command

1. Log onto a Windows Vista machine.
2. Click on Start | All Programs | Accessories.
3. Right-click on the Command Prompt and choose Run as administrator.
4. In the User Account Control dialog box click Continue.
5. In the Administrator: Command Prompt screen type pathping www.yahoo.com and hit Enter on the keyboard.
6. Watch the trace route complete and then wait for the statistics to be generated.
7. Review the output of the statistics.

Utilizing the arp Command

The arp utility allows you to view and manipulate entries in the TCP/IP arp cache. The arp cache is a list of MAC addresses for computers that have been recently contacted. Their IP-to-MAC address mapping is stored by the local computer so it can be located again quickly. The arp utility is helpful when troubleshooting problems that are related to duplicate IP addresses or duplicate MAC addresses on a particular network segment.

For example, suppose that Computer A and Computer B have inadvertently been given the same IP address: 192.168.1.10. Computer A is supposed to be 192.168.1.10, and Computer B is supposed to be 192.168.1.11.
When machines on the same segment as these two computers try to contact 192.168.1.10, they’ll send an arp broadcast to resolve the IP address to a MAC address. Whichever computer responds first is the one they connect to. However, because there are two machines with the same IP address, you might connect to different machines at different times.

You can see the contents of the arp cache by typing arp -a at the command prompt. You’ll see output similar to the image depicted in Figure 11.8.

SECURITY ALERT
The Dangers of Static ARP Entries

Although they have their uses, static arp entries can get you in trouble. For example, a situation existed on a network where each client on a segment was able to connect to any other client on the segment, but not to one particular server. The search was on to determine why no machines on the segment were able to contact that server.

As it turned out, to reduce arp broadcast traffic on the network, an administrator had created a batch file that automatically placed static entries for each server on the same segment, as well as the default gateway for the segment, in the client’s local arp cache. He then placed the batch file in each client machine’s startup folder, so that when a machine was restarted, the entries would be placed in the arp cache again.

The connectivity problem first began troubling the environment when the NIC on the server was replaced. Because the MAC address of a computer is tied to the NIC that’s installed, the static arp entries in the batch file now referenced the old MAC address. Because nobody remembered to update the batch file, it was still populating the arp cache of each client machine with static entries that contained the incorrect MAC address for the server. Because of this, most clients on the network had become unable to connect to the server.
Once the batch file was discovered and brought up to date, normal communications resumed.

FIGURE 11.8 Utilizing the arp Command.

The arp utility also allows you to add and delete entries in the arp cache. When you add an entry into the arp cache, you create a static entry. A static entry will be listed with “static” in the type field when you view the arp cache as shown in Figure 11.8. You might want to create static arp entries for frequently accessed servers on the segment, or perhaps for the default gateway. When you create static entries, the source machine won’t need to issue arp broadcasts to resolve IP addresses to MAC addresses. Be aware that static entries are not truly static because they are removed from the arp cache when a machine is rebooted.

Utilizing the netstat Command

The netstat utility will give you a great deal of useful information about the active connections on a particular computer. It provides you detailed information about each protocol and port on a computer that is listening or that has established a connection with another computer. You should remember that TCP/IP-based applications like FTP and Telnet will communicate using a particular TCP or UDP port. When one of these programs or services is running on a computer, it means that the service is listening on a particular port for new connection attempts from other computers.

A connection listed in netstat can be in one of four states:

• Listening means that a particular port is open and waiting for connections, but no active connections have been made to it.
• Established means that a particular connection is active: an FTP client has connected to an FTP server, a client’s Web browser has connected to a World Wide Web (WWW) service, and the like.
• Time-Wait means that a connection has been made, but it hasn’t received any data for some time and is in the process of timing out.
• Close-Wait means that an active connection is being closed.

The netstat command has a number of command-line switches that will produce different types of troubleshooting output. The full syntax and possible switches available with netstat are as follows:

    NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

• netstat -a displays all TCP/IP connections and listening ports on the local computer, and produces output similar to what is depicted in Figure 11.9.

FIGURE 11.9 Utilizing the netstat Command to Display All Connections and Listening Ports.

Exam Warning
Make sure that you understand what you are looking at when you see the output of the netstat command. For example:

    TCP 192.168.1.3:42 192.168.1.185:3919 ESTABLISHED

This means that the computer has ESTABLISHED or created a connection that’s using the TCP protocol. The connection has been made between 192.168.1.3:42 and 192.168.1.185:3919, which means that the computer at IP address 192.168.1.3 is sending information using TCP port 42, and 192.168.1.185 is receiving information using port 3919.

• netstat -b displays the name of the executable that created each connection or listening port. See Figure 11.10 for a sample output.

FIGURE 11.10 Utilizing the netstat Command to View Connections and Listening Ports by Executable.

• netstat -e displays Ethernet statistics for the local computer. The output generated by this command is shown in Figure 11.11.

FIGURE 11.11 Utilizing the netstat Command to View Ethernet Statistics.

• netstat -p protocol will show you the same information displayed by the -a option, restricted to a specific protocol. You can restrict your output to TCP, UDP, TCPv6, or UDPv6. You can combine the -p switch with the -s switch to display three additional protocols: IP, ICMP, and ICMPv6. For example, netstat -p TCP produces the output shown in Figure 11.12.
Notice how only TCP is displayed in the protocol column.
• netstat -n displays addresses and port numbers in numerical form instead of using hostnames.
• netstat -r displays the routing table for the local computer.
• netstat -s provides detailed statistics about the local computer’s network connections. You can restrict which statistics are displayed by combining this with the -p option and specifying a particular protocol. The command netstat -s produces information such as how many packets have been sent and received, the number of errors and type of error, and much more. An example is displayed in Figure 11.13.

FIGURE 11.12 Utilizing the netstat Command to Display Protocol Specific Connections.

FIGURE 11.13 Utilizing the netstat Command to Display Detailed Statistics.

Utilizing the nbtstat Command

nbtstat is quite similar to netstat, except that it displays information specifically relating to NetBIOS over TCP (NetBT). nbtstat will show you NetBT protocol statistics and NetBIOS name tables for local and remote computers. nbtstat will also allow you to display and refresh the NetBIOS cache. Be aware that nbtstat is one of the few command line tools in Windows that is case sensitive. nbtstat uses the following command-line switches:

• nbtstat -a Computername will display the NetBIOS name cache for a remote computer, specified by the computer’s NetBIOS hostname. A sample output from nbtstat -a <computer name> is shown in Figure 11.14.
• nbtstat -A IP Address will display the same information as nbtstat -a, but will allow you to specify the target machine by IP address instead of NetBIOS name.
• nbtstat -c will display the NetBIOS name cache of NetBIOS names that have already been resolved on the local computer. This command will show you a table of NetBIOS names and their associated IP addresses.
• nbtstat -n displays the NetBIOS names that are registered for the local computer.
The command nbtstat -n displays information as shown in Figure 11.15.
• nbtstat -r will display NetBIOS statistics for the local computer. This will display the number of NetBIOS names that have been registered using broadcast and a WINS (Windows Internet Name Service) server, and the number of NetBIOS names that have been resolved using both of these methods. The -r switch displays information as shown in Figure 11.16.
• nbtstat -R will purge the current contents of the NetBIOS cache on the local machine. In addition to removing any entries in the local cache, nbtstat -R will also reload any entries in the local LMHOSTS file that have the “#PRE” tag. Remember that “#PRE” is used in the LMHOSTS file to preload a NetBIOS name mapping into a machine’s NetBIOS cache when it first starts up.
• nbtstat -RR will release and refresh any NetBIOS names that are registered on the local computer.
• nbtstat -s will display any existing NetBIOS sessions.
• nbtstat -S will display the same information as using the -s switch, but it will display the local name as an IP address only.

FIGURE 11.14 Utilizing nbtstat Remotely.

FIGURE 11.15 Utilizing nbtstat to Display Registered NetBIOS Names.

FIGURE 11.16 Utilizing nbtstat to Display Statistics.

Test Day Tip
The nbtstat -RR command is especially useful for troubleshooting, as you may encounter a situation where a computer’s NetBIOS name has been updated and you need to quickly remove any cached entries.

Utilizing the ipconfig Command

The ipconfig utility works at the command line to provide you with IP configuration data for all NICs installed on your local computer. You can simply type ipconfig by itself to see basic information about the NICs in your computer, or you can use a number of switches to retrieve more detailed information. At its most basic, the output for the ipconfig command will resemble the image displayed in Figure 11.17.
As you can see, the basic ipconfig command provides you the IP address, subnet mask, and default gateway for the NICs installed on a particular machine. This information can be handy as a quick reference when trying to figure out what IP address and subnet mask has been assigned to a particular computer, particularly if it receives its IP configuration from Dynamic Host Configuration Protocol (DHCP).

FIGURE 11.17 Ipconfig Output.

You can get more detailed information using the ipconfig /all command, as you can see in Figure 11.18. By using the ipconfig /all command, you get information about the DNS and WINS servers that your computer has been configured with, as well as the MAC address of each installed NIC. If you’re troubleshooting DNS-related problems, for example, this is a quick way to determine the hostname and primary DNS suffix that your machine is using.

You can use the ipconfig /flushdns command to clear the DNS cache on the local computer. This will force the computer to contact a DNS server for any hostnames that it tries to connect to. This is particularly useful if you’ve recently made changes to your DNS records so that your clients can access

Test Day Tip
You can also use ipconfig /release and ipconfig /renew to force a DHCP client to request a new IP address lease from a DHCP server.
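The arp section above describes two failure modes: a static entry left pointing at a replaced NIC, and one IP address answered by different machines at different times. The following is an added example, not code from the study guide, that checks saved arp -a output for both; the sample output, the inventory table and the function names are constructed for illustration.

```python
import re

# Constructed `arp -a` output in the Windows layout (sample data, not from the book).
SNAPSHOT_1 = """\
Interface: 192.168.1.3 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-01     static
  192.168.1.10          00-1a-2b-3c-4d-0a     dynamic
  192.168.1.20          00-1a-2b-3c-4d-14     static
"""
# A later snapshot in which 192.168.1.10 answers from a different MAC address.
SNAPSHOT_2 = SNAPSHOT_1.replace("00-1a-2b-3c-4d-0a", "00-1a-2b-3c-4d-0b")

# Hypothetical inventory: the MAC address each server's current NIC really has.
INVENTORY = {"192.168.1.1": "00-1a-2b-3c-4d-01",
             "192.168.1.20": "00-1a-2b-3c-4d-99"}  # this server's NIC was replaced

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.I)

def parse_arp(text):
    """Return {ip: (mac, type)} for every entry row in `arp -a` output."""
    cache = {}
    for line in text.splitlines():
        m = ROW.match(line)          # interface banner and column header do not match
        if m:
            ip, mac, kind = m.groups()
            cache[ip] = (mac.lower(), kind.lower())
    return cache

def stale_static(cache, inventory):
    """Static entries whose MAC address no longer matches the inventory."""
    return sorted(ip for ip, (mac, kind) in cache.items()
                  if kind == "static" and ip in inventory
                  and inventory[ip].lower() != mac)

def flapping(before, after):
    """Dynamic entries whose IP resolves to a different MAC in the later snapshot."""
    return sorted(ip for ip in before.keys() & after.keys()
                  if before[ip][1] == "dynamic" and before[ip][0] != after[ip][0])

if __name__ == "__main__":
    first, second = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    print("stale static entries:", stale_static(first, INVENTORY))
    print("IP seen with two MACs:", flapping(first, second))
```

An IP address that keeps changing MAC between snapshots matches the duplicate-address symptom described above and is worth investigating before anything else on that segment.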
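To go with the Exam Warning on reading netstat output, this added example (not part of the study guide) parses saved netstat -ano output into fields and lists TCP ports that listen on every interface but are missing from an allowed baseline. The sample output, the baseline and the function names are constructed; the parser assumes the -a, -n and -o switches were used together, so each row ends with a PID.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed `netstat -ano` output (sample data); the ESTABLISHED row reuses
# the addresses from the Exam Warning.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.3:42         192.168.1.185:3919     ESTABLISHED     1204
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    696
"""

def split_endpoint(text):
    """Split 'addr:port' on the last colon so bracketed IPv6 addresses survive."""
    addr, _, port = text.rpartition(":")
    return addr.strip("[]"), port

def parse_netstat(text):
    """Turn each TCP/UDP row into a Conn record; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue                             # banner, blank line or column header
        state = f[3] if f[0] == "TCP" else ""    # UDP rows have no State column
        local_ip, local_port = split_endpoint(f[1])
        remote_ip, remote_port = split_endpoint(f[2])
        conns.append(Conn(f[0], local_ip, int(local_port),
                          remote_ip, remote_port, state, int(f[-1])))
    return conns

def exposed_listeners(conns, allowed_ports):
    """TCP ports listening on all interfaces that are not in the allowed baseline."""
    return sorted({c.local_port for c in conns
                   if c.state == "LISTENING"
                   and c.local_ip in ("0.0.0.0", "::")
                   and c.local_port not in allowed_ports})

if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for c in parsed:
        print(c)
    # Hypothetical baseline: only port 445 is expected to be reachable.
    print("unexpected listeners:", exposed_listeners(parsed, {445}))
```

The listener on 127.0.0.1 is not reported because it accepts connections only from the local machine.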

Date posted: 04/07/2014, 13:21
