TCP/IP Analysis and Troubleshooting Toolkit Kevin Burns Executive Publisher: Robert Ipsen Vice President and Publisher: Joe Wikert Editor: Carol A Long Developmental Editor: Kevin Kent Editorial Manager: Kathryn Malm Production Editor: Pamela M Hanley Text Design & Composition: Wiley Composition Services This book is printed on acid-free paper ∞ Copyright © 2003 by Kevin Burns All rights reserved Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700 Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: permcoordinator@wiley.com Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose No warranty may be created or extended by sales representatives or written sales materials The advice and strategies contained herein may not be suitable for your situation You should consult with a professional where appropriate Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002 Trademarks: Wiley, the Wiley Publishing logo and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission All other trademarks are the property of their respective owners Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book Screenshot(s) Copyright © 2002 Wildpackets, Inc All rights reserved Wiley also publishes its books in a variety of electronic formats Some content that appears in print may not be available in electronic books Library of Congress Cataloging-in-Publication Data: is available from the publisher ISBN: 0-471-42975-9 Printed in the United States of America 10 To my parents, who always believed in me Contents Acknowledgments About the Author Introduction xi xiii xv Part I Foundations of Network Analysis Chapter Introduction to Protocol Analysis A Brief History of Network Communications OSI to the Rescue Defining the Layers Layer 1: Physical Layer Layer 2: Data Link Layer Layer 3: Network Layer Layer 4: Transport Layer Layer 5: Session Layer Layer 6: Presentation Layer Layer 7: Application Layer Protocol Analysis of the Layers Layer 1: The Physical Layer Layer 2: The Data Link Layer Layer 3: Network Layer Layer 4: Transport Layer Layer 5: Session Layer Layer 6: Presentation Layer Layer 7: Application Layer Putting It All Together Chapter 6 7 7 8 8 10 18 21 23 23 24 24 History of TCP/IP Summary 26 28 Analysis Tools and Techniques 29 Reviewing Network Management Tools 30 Categorizing Network Management Tools by Function Fault Management Systems Performance Management and Simulation 30 31 31 v vi Contents Protocol Analyzers Application-Specific Tools Classifying Tools by How They Perform Functions 32 33 33 Protocol Analyzers—Problem-Solving Tools 35 Why Protocol Analysis? Protocol Analyzer Functions Data Capture Network Monitoring Data Display Notification Logging Packet Generator Configuring and Using Your Analyzer Capture Configuration Filtering Expert Analysis Measuring Performance Analysis Tips Placing Your Analyzers Using Proper Filters Troubleshooting from the Bottom Up Knowing Your Protocols Comparing Working Traces Analyzing after Each Change 36 37 37 42 42 44 45 45 45 45 48 52 56 61 61 62 63 63 63 65 Summary 65 Part II The Core Protocols 67 Chapter Inside the Internet Protocol 69 Reviewing Layer Communications 70 Multiplexing Error Control Addressing Case Study: NetBEUI Communications Name Resolution Reliable Connection Setup NetBIOS Session Setup Application Process Limitations of Layer Communication Networks Network Layer Protocols Internet Protocol Addressing IP Addressing Reserved Addressing Classful Addressing Classless Addressing IP Communications Address Resolution Protocol (ARP) ARP Packet Format Case Study: Troubleshooting IP Communications with ARP and PING ARP Types ARP in IP Communication Case Study: Incomplete ARP 70 71 71 72 73 74 75 75 76 77 79 81 85 85 88 92 93 94 97 100 101 101 Contents IP Routing The Routing Table Route Types Router Routing Tables The Forwarding Process Case Study: Local Routing IP Packet Format Version Header Length Type of Service Datagram Length Fragment ID Fragmentation Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Address Destination IP Address Options Data Case Study: TTL Expiring Case Study: Local Routing Revisited Chapter 117 117 117 117 119 119 119 119 120 120 121 121 121 121 121 122 124 A Word about IP Version 126 The IPv6 Header IPv6 Address Format Other Changes to IPv6 128 129 130 Summary 130 Internet Control Message Protocol 131 Reliability in Networks 132 Connection-Oriented versus Connectionless Networks Feedback Exploring the Internet Control Messaging Protocol ICMP Header ICMP Types and Codes ICMP Message Detail Destination Unreachable (Type 3) Diagnostic Messages Redirect Codes (type 5) Time Exceeded (Type 11) Informational Messages Network Diagnostics with ICMP Chapter 104 104 108 110 112 114 132 133 134 134 135 137 137 144 146 151 151 152 Summary 154 User Datagram Protocol 155 Revisiting the Transport Layer UDP Header 156 157 Source Port Destination Port UDP Length UDP Checksum Data UDP Communication Process 157 157 158 158 159 160 vii viii Contents Case Studies in UDP Communications Name Resolution Services Routing Information Protocol Simple Network Management Protocol UDP and Firewalls Case Study: Failed PCAnywhere Session Case Study: NFS Failures Traceroute Caveats Chapter 164 165 166 169 169 170 171 173 Summary 174 Transmission Control Protocol 175 Introduction to TCP 175 Requirements for a Reliable Transport Protocol Fast Sender and Slow Receiver Packet Loss Data Duplication Priority Data Out-of-Order Data The TCP Header Source Port Destination Port Sequence Number Acknowledgment Number Header Offset Reserved Bits Connection Flags Window Size TCP Checksum Urgent Pointer Options Data TCP Implementation Multiplexing Data Sequencing and Acknowledgment Flow Control TCP Connection Management TCP Open Initial Sequence Number (ISN) TCP Connection States TCP Options TCP Close Half-Close TCP Reset Case Study: Missing Drive Mappings Case Study: No Telnet Case Study: Dropped Sessions TCP Data Flow Management Data Sequencing and Acknowledgment TCP Retransmissions Retransmission Time-Out Case Study: Bad RTO Delayed Acknowledgments Case Study: Slow Surfing 176 177 177 178 178 179 179 180 180 181 181 181 181 182 182 182 182 183 183 183 183 183 183 184 185 185 189 189 192 193 194 194 196 197 200 200 202 202 203 204 206 Contents The Push Flag TCP Sliding Windows Slow Start and Congestion Avoidance Nagle Algorithm Data Protection Case Study: TCP Checksum Errors TCP Expert Symptoms TCP Application Analysis TCP and Throughput Segment Size Latency Window Size Case Study: Slow Web Server Case Study: Bad Windowing Case Study: Inefficient Applications High-Performance Extensions to TCP Selective Acknowledgments Window Scale Option Timestamp Option Summary Part III Chapter 207 209 212 213 215 215 217 218 218 218 219 220 221 222 224 225 225 227 229 229 Related TCP/IP Protocols 231 Upper-Layer Protocols 233 Introduction to Upper-Layer Protocols 233 Analyzing Upper-Layer Protocols Chapter Goals 235 238 Domain Name System (DNS) DNS Database DNS Message Format Using NSLookup Name Servers ROOT Name Servers Name Server Caching Resource Records Analyzing DNS IPCONFIG CyberKit DNS Expert Common DNS Configuration Mistakes File Transfer Protocol (FTP) FTP Commands and Responses Case Study: Active Transfer Failure Case Study: Passive Transfer Failure Case Study: FTP Failures through Firewall Case Study: Revisiting FTP Transfer Failures Hypertext Transport Protocol (HTTP) HTTP Requests HTTP Responses HTTP Headers and Messages Host Header Redirection Cookies Cache Control Headers 240 242 244 247 249 250 254 254 260 260 261 262 264 265 265 269 272 273 276 278 278 281 284 285 285 285 288 ix ... Size TCP Checksum Urgent Pointer Options Data TCP Implementation Multiplexing Data Sequencing and Acknowledgment Flow Control TCP Connection Management TCP Open Initial Sequence Number (ISN) TCP. .. States TCP Options TCP Close Half-Close TCP Reset Case Study: Missing Drive Mappings Case Study: No Telnet Case Study: Dropped Sessions TCP Data Flow Management Data Sequencing and Acknowledgment TCP. .. The Push Flag TCP Sliding Windows Slow Start and Congestion Avoidance Nagle Algorithm Data Protection Case Study: TCP Checksum Errors TCP Expert Symptoms TCP Application Analysis TCP and Throughput