CHAPTER 12 : Network Troubleshooting Methodology 606

layer. Table 12.1 illustrates some of the more common TCP applications and the ports they use:

Table 12.1 Well-Known TCP Ports

Port Number   Application
20            FTP (data)
21            FTP (control)
22            SSH
23            Telnet
25            SMTP
53            DNS
80            HTTP
88            Kerberos
110           POP3
119           NNTP
139           NetBIOS
443           SSL

Understanding UDP

A connectionless transport protocol like UDP doesn’t provide the acknowledgment-of-receipt process that the connection-oriented TCP does. Because UDP doesn’t sequence the packets in which the data arrives, an application program that uses UDP has to make sure for itself that the entire message has arrived and is in the right order. To save processing time, network applications that have very small data units to exchange, and thus very little message reassembling to do, may use UDP instead of TCP. For example, Domain Name System (DNS) hostname lookup messages that will always fit in a single datagram can effectively use UDP. For these very short queries, you don’t need all the complexity of TCP; if you don’t receive an answer after a few seconds, you can just ask again.

UDP doesn’t split data into multiple datagrams, as TCP does. It also doesn’t keep track of what it has sent. Data can be resent if needed, but UDP doesn’t guarantee delivery or protect against duplication. However, it is not completely irresponsible: it does provide a checksum capability to ensure that data arrives intact, and it provides port numbers to distinguish between the requests sent by different user applications. Examples of applications that use UDP for communication include Trivial File Transfer Protocol (TFTP), RIP, RADIUS accounting, and some implementations of Kerberos authentication.

HEAD OF THE CLASS…

The Three-Way Handshake

Computers using TCP to communicate have both a send window and a receive window. At the beginning of a TCP communication, the protocol uses a three-way handshake to establish the session between the two computers. Because TCP (unlike its transport layer sibling, UDP) is connection-oriented, a session, or direct one-to-one communication link, must be created prior to sending and receiving data. The client computer initiates the communication with the server (the computer whose resources it wants to access). The handshake includes the following steps:

1. A SYN (synchronization request) segment is sent by the client machine. An initial sequence number, sometimes just referred to as the ISN, is generated by the client and sent to the server, along with the port number the client is requesting to connect to on the server.

2. An ACK message and a SYN message are sent back to the client from the server. The ACK number is the client’s original ISN plus 1, and the server’s SYN carries an unrelated sequence number generated by the server itself. The ACK acknowledges the client’s SYN request, and the server’s SYN indicates the intent to establish a session with the client. The client and server machines must synchronize one another’s sequence numbers.

3. An ACK is sent from the client back to the server, acknowledging the server’s request for synchronization. This ACK from the client is, as you might have guessed, the server’s ISN plus 1.

When both machines have acknowledged each other’s requests by returning ACK messages, the handshake has been successfully completed and a connection is established between the two. You can see an example of this three-way handshake in Figure 12.6.

FIGURE 12.6 The TCP Three-Way Handshake.
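The three handshake steps above, worked through as an added example (this code was written for this page and is not from the book): a client object and a server object exchange SYN, SYN/ACK and ACK segments, and each side checks that the acknowledgment number it receives equals its own ISN plus 1, modulo 2^32 because TCP sequence numbers are 32-bit and wrap, refusing the segment otherwise. The Segment, Client and Server classes and the port numbers used in the demonstration are illustrative choices, not a real TCP stack.

```python
import random
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    """A stripped-down TCP segment: only the fields the handshake needs."""
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    seq: int          # sequence number (the ISN on a SYN)
    ack_num: int = 0  # acknowledgment number (meaningful only when ack is True)


class Client:
    def __init__(self, port, isn=None):
        self.port = port
        # Step 1: the client picks its initial sequence number (ISN).
        self.isn = random.randrange(SEQ_MOD) if isn is None else isn
        self.established = False

    def send_syn(self, server_port):
        return Segment(self.port, server_port, syn=True, ack=False, seq=self.isn)

    def receive_syn_ack(self, seg):
        # Step 2 check: the server must acknowledge our ISN + 1 and send its own SYN.
        if not (seg.syn and seg.ack):
            raise ValueError("expected SYN/ACK")
        if seg.ack_num != (self.isn + 1) % SEQ_MOD:
            raise ValueError("ACK number does not match client ISN + 1")
        # Step 3: acknowledge the server's ISN + 1.
        self.established = True
        return Segment(self.port, seg.src_port, syn=False, ack=True,
                       seq=(self.isn + 1) % SEQ_MOD,
                       ack_num=(seg.seq + 1) % SEQ_MOD)


class Server:
    def __init__(self, port, isn=None):
        self.port = port
        self.isn = random.randrange(SEQ_MOD) if isn is None else isn
        self.client_isn = None
        self.established = False

    def receive_syn(self, seg):
        if not (seg.syn and not seg.ack):
            raise ValueError("expected SYN")
        if seg.dst_port != self.port:
            raise ValueError("nothing listening on that port")
        self.client_isn = seg.seq
        # Step 2: acknowledge client ISN + 1 and send our own SYN carrying our ISN.
        return Segment(self.port, seg.src_port, syn=True, ack=True,
                       seq=self.isn, ack_num=(self.client_isn + 1) % SEQ_MOD)

    def receive_ack(self, seg):
        # Step 3 check: the client must acknowledge our ISN + 1.
        if not (seg.ack and not seg.syn):
            raise ValueError("expected ACK")
        if seg.ack_num != (self.isn + 1) % SEQ_MOD:
            raise ValueError("ACK number does not match server ISN + 1")
        self.established = True


def handshake(client, server):
    """Run the three-way handshake; returns the three segments in order."""
    syn = client.send_syn(server.port)
    syn_ack = server.receive_syn(syn)
    ack = client.receive_syn_ack(syn_ack)
    server.receive_ack(ack)
    return syn, syn_ack, ack


if __name__ == "__main__":
    # Fixed ISNs so the printed numbers are easy to follow (a real stack randomizes them).
    c, s = Client(1202, isn=1000), Server(80, isn=5000)
    for seg in handshake(c, s):
        flags = "SYN" if seg.syn and not seg.ack else "SYN/ACK" if seg.syn else "ACK"
        print(f"{flags:8} seq={seg.seq} ack={seg.ack_num}")
    print("established:", c.established and s.established)
```

The two "does not match" checks are the point of the exercise: a segment whose acknowledgment number is not the expected ISN plus 1 belongs to no connection this side is setting up and is dropped, which is what keeps a stray or forged SYN/ACK from completing a handshake.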
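The Layer 4 check described below under Layer 4 Troubleshooting, using netstat -a to see whether a port is listening (for instance port 80 on a Web server), as an added Python example that is not from the book. Windows netstat -a prints service names such as epmap or microsoft-ds in place of well-known port numbers, so the parser maps those names back to numbers using the standard services-file names for the ports in Tables 12.1 and 12.2 and for the services visible in the sample output; it then reports which TCP ports are in LISTENING state. SAMPLE_OUTPUT is an excerpt of the netstat output shown on this page; the WEB_SERVER_OUTPUT line with http is constructed to show the Web-server case. probe_tcp_port does what the telnet test in the text does, but it is only a connect attempt and is not exercised by the sample data.

```python
import re
import socket
from collections import namedtuple

# Names netstat -a prints instead of well-known port numbers: the standard
# services-file names for the ports in Tables 12.1 and 12.2 and for the
# services that appear in the page's sample output (epmap, microsoft-ds, ...).
WELL_KNOWN_NAMES = {
    "echo": 7, "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
    "domain": 53, "tftp": 69, "http": 80, "kerberos": 88, "pop3": 110,
    "nntp": 119, "ntp": 123, "epmap": 135, "netbios-ns": 137,
    "netbios-dgm": 138, "netbios-ssn": 139, "snmp": 161, "https": 443,
    "microsoft-ds": 445, "isakmp": 500,
}

Entry = namedtuple("Entry", "proto local_host local_port foreign state")

# One data line of 'netstat -a': proto, local addr:port, foreign addr:port and,
# for TCP only, a state column (UDP lines have no state).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def resolve_port(text):
    """Turn the port field of a netstat address (name or number) into an int."""
    if text.isdigit():
        return int(text)
    if text in WELL_KNOWN_NAMES:
        return WELL_KNOWN_NAMES[text]
    raise ValueError(f"unknown service name: {text}")


def parse_netstat(output):
    """Parse 'netstat -a' text; header and blank lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        host, port = local.rsplit(":", 1)  # the port is after the last colon
        entries.append(Entry(proto, host, resolve_port(port), foreign, state or ""))
    return entries


def listening_ports(output, proto="TCP"):
    """TCP ports in LISTENING state, or every bound UDP port (UDP has no state)."""
    return {
        e.local_port for e in parse_netstat(output)
        if e.proto == proto and (proto == "UDP" or e.state == "LISTENING")
    }


def is_listening(output, port, proto="TCP"):
    return port in listening_ports(output, proto)


def probe_tcp_port(host, port, timeout=3.0):
    """Live equivalent of 'telnet host port': True if a TCP connection is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Excerpt of the sample output shown on this page (Windows prints names, not numbers).
SAMPLE_OUTPUT = """\
Active Connections

  Proto  Local Address                Foreign Address                 State
  TCP    IBM-A38375FF22E:epmap        IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:microsoft-ds IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:netbios-ssn  IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:1202         112.25.12.64.in-addr.arpa:5190  ESTABLISHED
  TCP    IBM-A38375FF22E:1299         workstation.office.com:3389     ESTABLISHED
  TCP    IBM-A38375FF22E:1025         IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:5180         IBM-A38375FF22E:0               LISTENING
  UDP    IBM-A38375FF22E:snmp         *:*
  UDP    IBM-A38375FF22E:isakmp       *:*
  UDP    IBM-A38375FF22E:ntp          *:*
"""

# Constructed variant (not from the page): the same host with the WWW service running.
WEB_SERVER_OUTPUT = SAMPLE_OUTPUT + (
    "  TCP    IBM-A38375FF22E:http         IBM-A38375FF22E:0               LISTENING\n")


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OUTPUT), ("web server", WEB_SERVER_OUTPUT)):
        print(label, "TCP listening:", sorted(listening_ports(text)))
        if not is_listening(text, 80):
            print(label, ": nothing listening on TCP 80; the WWW service may be stopped")
```

Note that an ESTABLISHED entry such as the one to port 3389 is an outbound connection from this machine and does not mean this machine is listening on 3389; only the LISTENING state answers the question the text asks.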
Table 12.2 illustrates some of the more common UDP-based applications and ports:

Table 12.2 Well-Known UDP Ports

Port Number   Application
7             Echo
53            DNS query
69            TFTP
123           Network Time Protocol
161           SNMP

Layer 4 Troubleshooting

Troubleshooting the transport layer is quite similar to working at the application layer, because the TCP and UDP protocols form the basis of the ports that are used by all network applications. So you can use the telnet command to see if a particular port is listening on the destination machine, and you can use the netstat utility to see a list of all ports that are listening on a particular machine. You should remember from Chapter 11 that you can use netstat -a to view listening ports. Here is an example of sample output:

Active Connections

  Proto  Local Address                Foreign Address                 State
  TCP    IBM-A38375FF22E:epmap        IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:microsoft-ds IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:netbios-ssn  IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:1202         112.25.12.64.in-addr.arpa:5190  ESTABLISHED
  TCP    IBM-A38375FF22E:1299         workstation.office.com:3389     ESTABLISHED
  TCP    IBM-A38375FF22E:1025         IBM-A38375FF22E:0               LISTENING
  TCP    IBM-A38375FF22E:5180         IBM-A38375FF22E:0               LISTENING
  UDP    IBM-A38375FF22E:snmp         *:*
  UDP    IBM-A38375FF22E:microsoft-ds *:*
  UDP    IBM-A38375FF22E:isakmp       *:*
  UDP    IBM-A38375FF22E:1032         *:*
  UDP    IBM-A38375FF22E:1033         *:*
  UDP    IBM-A38375FF22E:1048         *:*
  UDP    IBM-A38375FF22E:1300         *:*
  UDP    IBM-A38375FF22E:2361         *:*
  UDP    IBM-A38375FF22E:4500         *:*
  UDP    IBM-A38375FF22E:ntp          *:*
  UDP    IBM-A38375FF22E:netbios-ns   *:*
  UDP    IBM-A38375FF22E:netbios-dgm  *:*
  UDP    IBM-A38375FF22E:1900         *:*
  UDP    IBM-A38375FF22E:ntp          *:*
  UDP    IBM-A38375FF22E:1305         *:*
  UDP    IBM-A38375FF22E:1311         *:*
  UDP    IBM-A38375FF22E:1900         *:*
  UDP    IBM-A38375FF22E:2242         *:*
  UDP    IBM-A38375FF22E:2313         *:*
  UDP    IBM-A38375FF22E:4519         *:*

If you run the netstat -a command on a server that’s functioning as a Web server, you should see at least one entry in the netstat output to indicate that it’s listening on port 80; if it’s not, the WWW service might be stopped or disabled.

Test Day Tip

It’s important to remember that you can’t pick and choose which applications use TCP versus UDP. A test question might try to trip you up by talking about configuring HTTP to use UDP to solve a troubleshooting issue. This simply isn’t possible, as HTTP uses TCP port 80 and not UDP. Be very aware of the well-known ports listed throughout this guide as you prepare for the exam.

TROUBLESHOOTING THE SESSION LAYER

The session layer handles the task of establishing a one-to-one session between the sending and the receiving computers. The session layer sets up and tears down application-to-application dialogs, and synchronizes the data flow for the applications. The session layer also controls whether a transmission is established as half-duplex or full-duplex. Full-duplex is bidirectional communication in which both sides can send and receive simultaneously. Half-duplex is also bidirectional communication, but the signals can flow in only one direction at a time. To illustrate the difference, think of how a telephone conversation works. Both parties can talk at the same time, and you can still hear the other person’s voice while you’re talking. That’s full-duplex.
But with most two-way radios like walkie-talkies, when you key the microphone to speak, you can’t hear anything the other person might be saying while you’re speaking. This means that only one of you can broadcast over the channel at a time. That’s half-duplex.

Another important responsibility of the session layer is to define the rules for data exchange between the applications. In this respect, you might think of the session layer as a referee or mediator who makes sure both parties, which are the sending and receiving computers, are aware of and agree to follow the rules of the game for that particular session. When two family members are at odds and seek counseling to help them communicate with one another, a good counselor or mediator will start the visit by getting both people to agree to certain rules. These might include who gets to talk first, and for how long, as well as the format of the communication. For example, no yelling, screaming, or name-calling may be a ground rule in a counseling session, whereas computers will have to agree on things like a transmission rate and sliding window size before they can communicate effectively. Part of what is negotiated includes all appropriate communications guidelines. Otherwise, machines may bombard each other with too much data to be processed, or both try to “talk” at the same time. The session layer works to control this flow of conversation so that the message will get through clearly. In this way, the session layer provides for flow control.

The most common protocols that exist at the session layer are usually application program interfaces, or APIs, that control how an application will set up, manage, and tear down sessions between two computers. The most common APIs you’ll encounter are NetBIOS, TCP/IP sockets, and remote procedure calls.
These three APIs make it easier for software developers to create applications that can function over a network connection by standardizing how such an application should behave. You’ve already heard of TCP/IP sockets as the combination of an IP address and port number that’s used by one computer to communicate with another: this is the session layer at work.

Layer 5 Troubleshooting

Just as the functions of the presentation layer are often swallowed up by application layer protocols, the functions of TCP/IP from the session layer up to the application layer will often span all three layers – the difference between them can sometimes get a bit fuzzy. Because of this, it’s not particularly common to perform troubleshooting that’s geared only toward the session layer of the OSI model. The most common issues you’ll see at the session layer involve slow network transmissions between two computers, which is caused by one computer in a connection using a half-duplex connection instead of a full-duplex connection. This is especially troublesome on Windows-based machines because they will normally default to using autodetect, where the NIC will attempt to automatically detect the duplex type that it should be using. In Exercise 12.2, we’ll configure a NIC on a Windows XP workstation to use a full-duplex connection.

EXERCISE 12.2 Configuring Full-Duplex

1. Click Start | Connect To | Show All Connections.
2. Right-click the Local Area Connection icon and select Properties.
3. On the General tab, click Configure to configure the NIC.
4. Access the Advanced tab and scroll to Link Speed & Duplex. You’ll see the screen shown in Figure 12.7. By default, this is set to auto detect. Change the setting to 100 Mbps/full-duplex to force the NIC to use a 100 Mbps connection that allows the sending and receiving computers to communicate simultaneously.
5. Click OK to save your changes.

FIGURE 12.7 Configuring a Full-Duplex Connection.

TROUBLESHOOTING THE PRESENTATION LAYER

No, the presentation layer doesn’t turn your data into PowerPoint slides! However, as the name suggests, it is responsible for the way in which data is presented, or formatted. The presentation layer handles such things as encryption, which presents the data in such a way as to keep it from being readable by unauthorized persons, and compression, which packages the data in such a way as to get more of it through at a time. On the receiving side, the presentation layer is responsible for translating data into a format understandable by the application, and then presenting it to the application layer.

Identifying the Cause of Client and Server Environment Problems

Because the presentation layer handles the very important task of protocol translation, this layer is where many gateways operate. One of the purposes of a network protocol is to provide a single language that different computers can use to talk to each other. In this case, a gateway acts as a translator between two separate protocols, so that computers that are running different protocols can communicate with each other. Gateways allow this process to take place transparently, so that Computer A doesn’t realize that it needs a translator to communicate with Computer B; from the end user’s perspective it just works automatically. Examples of gateways include:

E-mail gateway  This software translates the messages from diverse, noncompatible e-mail systems into a common Internet format such as the Simple Mail Transfer Protocol (SMTP). Thus, Cousin Mary is able to read your letter even though you were using Microsoft Outlook with an Exchange server and she is on a NetWare network using GroupWise mail.
SNA gateway  Systems Network Architecture (SNA) is a proprietary IBM architecture used in mainframe computer systems such as the AS/400. An SNA gateway allows personal computers on a LAN to access files and applications on the mainframe computer.

Gateway Services for NetWare (GSNW)  This software is included with the Windows 2000 and Windows NT Server operating systems to allow the Windows server’s clients to access files on a Novell NetWare server. It translates between the Server Message Block (SMB) file sharing protocol used on Microsoft networks and NetWare Core Protocol (NCP), the file sharing protocol used on NetWare networks.

There are almost as many gateway products available as there are different protocol combinations, and more are being developed all the time as interoperability becomes increasingly important to connect the diverse systems that are available. For example, there are services that you can install on a Windows server or client to allow access to the AppleTalk protocol for Macintosh and OS X resources, UNIX and Linux servers and clients, as well as the Gateway Services for NetWare.

Another common function of the presentation layer is translating text and graphics from one format to another. So the presentation layer might translate text from a computer using Extended Binary-Coded Decimal Interchange Code (EBCDIC) encoding so that it can be understood by a computer using American Standard Code for Information Interchange (ASCII) encoding, and vice versa. The following are some types of text and image encoding that operate at the presentation layer:

EBCDIC
ASCII
JPEG
MPEG

Layer 6 Troubleshooting

You won’t run into a great many problems with troubleshooting at the presentation layer, because most of the duties handled by this layer are stable technologies that have been around for decades.
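The EBCDIC-to-ASCII translation mentioned above, together with the “scrambled or unreadable” symptom that appears when a gateway fails to perform it, as an added Python example that is not from the book. It uses Python’s built-in IBM code page 037 codec (the US EBCDIC variant) for the EBCDIC side; translate, misread_as and looks_like_ebcdic are names chosen for this example, and the byte strings fed to them are constructed test data.

```python
# Presentation-layer text translation of the kind a gateway performs, written
# as an added example for this page. EBCDIC here means IBM code page 037.
EBCDIC = "cp037"
ASCII = "ascii"


def translate(payload, source, target):
    """Gateway-style re-encoding: bytes in 'source' encoding -> bytes in 'target'.

    A character that exists in the source but not in the target raises
    UnicodeEncodeError instead of being silently dropped, so a translation
    the gateway cannot do correctly is reported rather than hidden.
    """
    text = payload.decode(source)   # bytes -> characters
    return text.encode(target)      # characters -> bytes in the target encoding


def ebcdic_to_ascii(payload):
    return translate(payload, EBCDIC, ASCII)


def ascii_to_ebcdic(payload):
    return translate(payload, ASCII, EBCDIC)


def misread_as(payload, wrong_encoding):
    """What the receiving application sees when no translation happens and it
    interprets the bytes in its own encoding: the 'garbled' text the section
    describes. Undecodable bytes become U+FFFD rather than raising."""
    return payload.decode(wrong_encoding, errors="replace")


def looks_like_ebcdic(payload):
    """Cheap triage heuristic: EBCDIC letters and digits all have the high bit
    set (0x81 and above), while ASCII text never does. Returns True when more
    than half of the bytes have the high bit set."""
    if not payload:
        return False
    high = sum(1 for b in payload if b >= 0x80)
    return high > len(payload) // 2


if __name__ == "__main__":
    msg = b"HELLO 123"
    eb = ascii_to_ebcdic(msg)
    print("ASCII bytes :", msg.hex(" "))
    print("EBCDIC bytes:", eb.hex(" "))
    print("untranslated EBCDIC shown by a Latin-1 application:", misread_as(eb, "latin-1"))
    print("untranslated EBCDIC shown by an ASCII application :", misread_as(eb, ASCII))
    print("looks like EBCDIC:", looks_like_ebcdic(eb))
    print("after gateway translation:", ebcdic_to_ascii(eb).decode(ASCII))
```

When a user reports that text arriving through a gateway is unreadable, comparing the raw bytes against the two decodings above tells you whether the gateway skipped the translation (the bytes are still EBCDIC) or whether the content contains characters the target encoding cannot represent (translate raises).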
Additionally, the functions of the presentation layer will often actually be performed by a protocol that you would normally think of as functioning at the application layer, so that troubleshooting will all take place using the steps we’ll describe in the next section. Some examples of problems you may find at the presentation layer include:

An image file becomes garbled or corrupted when it’s sent via e-mail from one person to another.
E-mail messages between two different server types (Exchange and GroupWise, for example) become scrambled or unreadable.
You are unable to copy or move files between two different network types, usually Microsoft and Novell, or you are unable to open a file once it’s been copied.

In most cases, you can resolve these issues by restarting or re-installing the gateway service that’s creating these errors: restarting the Gateway Services for NetWare on your Windows 2003 server, for example.

Exam Warning

You should remember from the previous chapter that the Ethernet frame type is often a common culprit when tracking down connectivity issues with a NetWare server. Versions of NetWare prior to version 4 used Ethernet 802.3 as their default frame type. NetWare 4.0 and later use 802.2 as the default.

TROUBLESHOOTING THE APPLICATION LAYER

Especially where the application layer is concerned, be sure to keep in mind that the OSI model describes only the logical networking components, not any specific programs that you’ll use like Internet Explorer or Microsoft Outlook. By remembering this, you won’t make the common mistake of thinking the application layer actually represents user application software. What the application layer really does is define how a user’s application will interact with a network protocol.
In other words, application layer protocols accept user data to be transmitted on the network, that is, the data that’s created by the user application that’s operating above the networking layers. For example, if you want to send an e-mail message, your user application might be Microsoft Outlook. A user sending e-mail will see only the application interface, not any underlying protocol. They can type their letters to Cousin Mary, perhaps attach graphics files containing photos of the grizzly bear that almost ate Uncle Joe from their last family outing to Yellowstone National Park, and then click Send. Assuming that they typed the correct e-mail address in the “To” field, they’ve configured their e-mail software properly, their hardware is working, their phone lines aren’t down, and their ISP is on the ball, the message goes through and arrives in Mary’s e-mail Inbox. Neither the user sending the message nor Cousin Mary needs to know anything about what the networking components of their respective operating systems are doing to communicate via e-mail. That’s because the application itself sends the data to the application layer, and the application layer takes it from there. In this case, the application is represented by Outlook, and the data is the e-mail message that has been composed. The application layer adds header information, which will be used by the application layer on the receiving end, and then passes the information down to the presentation layer.

Exam Day Tip

Remember that the OSI model is just that: a model. Some protocols will map to more than one layer of the OSI model, and some layers of the model won’t be used at all in some cases.

The application layer is the top level of the OSI model, and it is the layer that resides closest to the user. The application layer is different from the lower layers of the model because it doesn’t provide services to any other OSI layer.
Instead, it provides network services to user applications such as spreadsheet programs, word processing, and e-mail programs.

Application Layer Protocols

TCP/IP provides several protocols that operate at the application layer to provide services such as news, mail and file transfer, and monitoring/diagnostics capability. The most common protocols that operate at the application layer are as follows:

FTP  The File Transfer Protocol (FTP) is used for copying files from one computer to another. Windows 2000, XP, and Windows Server 2003 include both a command-line FTP client program and the FTP server service that is installed as part of Microsoft Internet Information Server (IIS). If you haven’t installed the FTP server service on a Windows computer, you will only have access to the FTP client, which is available from the Windows command line when TCP/IP is installed.

SNMP  The Simple Network Management Protocol (SNMP) provides a way to gather statistical and troubleshooting information about devices such as PCs, routers, switches, and hubs. An SNMP management system sends requests to an SNMP agent, and the information is stored in a Management Information Base (MIB). The MIB is a database that holds information about a networked computer.