CompTIA Network+ Certification Study Guide part 55 doc

Chapter 11: Network Troubleshooting Tools

own header to the packet. When a network packet is passed from one host to another, the receiving host will read or analyze the packet one layer at a time, with the application layer reading the application layer header, the presentation layer reading the header from the presentation layer, and so forth. You can use your understanding of the OSI model to improve your troubleshooting techniques. It’s important to understand what takes place at each layer of the OSI model, and which devices operate at these layers. When it comes to network troubleshooting, the most important layers of the model are the physical, data link, network, and transport layers. Let’s take a look at each of these layers in turn.

The physical layer

The physical layer is the lowest layer of the OSI model, and it involves the actual electrical signals that are going from the network cables into the NIC of a computer, switch, router, or hub. A failure at the hardware level will usually involve the physical components of a computer or device, such as the cable that connects the computer to the network or the network card itself. Network hubs also operate at the physical layer, so a failure in a network hub could also lead to connectivity issues that occur at the physical layer. The physical layer is responsible for a number of different functions, including:

■ The type of signal transmission used

■ The cable type

■ The actual layout or path of the network wiring

■ The voltage and electrical signals being used by the network cabling

When using the OSI model for troubleshooting, you should know which devices operate at which layer. The following physical devices function at the physical layer of the OSI model:

■ Network cabling

■ Network interface cards

■ Active and passive hubs

■ Repeaters

Note

We are only going to touch on the function of each layer here – refer back to previous chapters for an in-depth look at the layers of the OSI model.

When troubleshooting at the physical layer, be on the lookout for issues with NIC drivers, as well as physical failures of a NIC, hub, or length of cabling.

The data link layer

The data link layer is responsible for taking the information from the physical layer and organizing it into frames. The data link layer takes the information that it receives from higher up in the OSI model and passes it down to the physical layer to be transmitted across the wire. The functions of the data link layer include error checking, where the data link layer will add error-checking information onto each frame of data that it transmits. The data link layer is also responsible for error-free delivery of these data frames as well as maintaining the reliability of the communications between two computers.

The two types of devices that operate at the data link layer of the OSI model are switches and bridges. Bridges are able to divide a network into multiple segments, but they aren’t able to actually subnet a network the way that a router does. So, if you use a bridge to physically separate two areas of the network, it will still appear to be one big network to higher-level protocols in the network layer, transport layer, and above. Bridges and switches are useful for cutting down on network congestion because they can do some basic filtering of data traffic based on the MAC address of the destination computer. When a transmission reaches the bridge, the bridge will not pass it across to the other side of the network if the MAC address of the destination computer is known to be on the same side of the network as the sending computer. As a part of this process, the bridge or switch will build tables (similar to a routing table) indicating which addresses are on which side, and use them to determine whether to let the transmission across.
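The table-building and filtering just described can be followed frame by frame in the sketch below. It is an added example, not code from the book: the class name, the two sides "A" and "B", and the sample MAC addresses are all constructed for illustration.

```python
# Added illustration of the bridge behaviour described above; not from the book.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Two-sided bridge that learns which side each MAC address lives on."""

    def __init__(self):
        self.table = {}  # MAC address -> side ("A" or "B") it was last seen on

    def handle(self, in_side, src, dst):
        """Process one frame and return 'filter', 'forward' or 'flood'."""
        # Learn: the sender must be on the side the frame arrived from.
        self.table[src] = in_side
        if dst == BROADCAST or dst not in self.table:
            return "flood"    # destination side unknown: let it across
        if self.table[dst] == in_side:
            return "filter"   # same side as the sender: keep it off the other side
        return "forward"      # known to be on the other side: pass it across


# Constructed sample frames: (arrival side, source MAC, destination MAC).
FRAMES = [
    ("A", "00:00:5e:00:53:a1", "00:00:5e:00:53:a2"),
    ("A", "00:00:5e:00:53:a2", "00:00:5e:00:53:a1"),
    ("B", "00:00:5e:00:53:b1", "00:00:5e:00:53:a1"),
    ("A", "00:00:5e:00:53:a1", "00:00:5e:00:53:b1"),
    ("A", "00:00:5e:00:53:a1", BROADCAST),
]


def replay(frames):
    """Feed frames through a fresh bridge; return its decisions and final table."""
    bridge = LearningBridge()
    decisions = [bridge.handle(*frame) for frame in frames]
    return decisions, bridge.table


if __name__ == "__main__":
    decisions, table = replay(FRAMES)
    for frame, decision in zip(FRAMES, decisions):
        print(frame, "->", decision)
    print(table)
```

The second frame is the one the text is about: once the bridge has seen both senders on side A, traffic between them never crosses to side B.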

Test Day Tip

An active hub will boost the signal that’s being sent before transmitting it to the nodes attached to the hub. A passive hub will simply transmit the information without any sort of boost.

Test Day Tip

At the data link layer, frames are addressed from one computer to another by way of the physical MAC address that’s burned into every NIC card.


The network layer

The network layer is where the majority of troubleshooting issues will occur. The network layer takes the frames it receives from the data link layer and organizes them into packets. The network layer is also the layer where physical MAC addresses are translated into IP addresses. Unlike MAC addresses, which are physically assigned to each NIC and can never be changed, IP addresses are logical addresses that can be added, modified, and removed as often as you want. This allows a single computer to be moved and reconfigured to belong to many different IP subnets throughout the course of its life. This flexibility comes at a price, because these IP addresses are assigned by human administrators and are therefore somewhat prone to misconfiguration and error. If you misconfigure a network card’s IP address or subnet mask by even a single digit, that computer will experience connectivity issues and may not be able to connect with other local and remote computers. The most important physical device at the network layer is the router. This is the device that uses the logical IP addresses of the network layer to transmit network packets from one subnet to another.
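Why a single wrong digit breaks connectivity becomes visible when you compute what the host will do with each destination under the intended and the mistyped settings. The following is an added example, not from the book; the addresses, gateway and function names are constructed for illustration.

```python
import ipaddress


def next_hop(host_ip, mask, gateway, dest):
    """How a host configured with host_ip/mask/gateway will try to reach dest."""
    try:
        iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    except ValueError:
        return "invalid address or mask"  # e.g. mask bits that are not contiguous
    if ipaddress.ip_address(dest) in iface.network:
        return "direct"            # treated as local: delivered without the router
    if ipaddress.ip_address(gateway) in iface.network:
        return "via gateway"       # treated as remote: handed to the router
    return "no route"              # gateway is outside the host's own subnet


def audit(intended, actual, dests):
    """Return (dest, intended decision, actual decision) wherever they differ."""
    findings = []
    for dest in dests:
        want = next_hop(*intended, dest)
        got = next_hop(*actual, dest)
        if want != got:
            findings.append((dest, want, got))
    return findings


# Constructed sample configurations: (host IP, subnet mask, default gateway).
INTENDED = ("192.168.1.101", "255.255.255.0", "192.168.1.1")
WRONG_MASK = ("192.168.1.101", "255.255.0.0", "192.168.1.1")    # 255 typed as 0
WRONG_IP = ("192.168.11.101", "255.255.255.0", "192.168.1.1")   # 1 typed as 11
BAD_MASK = ("192.168.1.101", "255.255.225.0", "192.168.1.1")    # 255 typed as 225
DESTS = ["192.168.1.50", "192.168.2.50", "10.0.0.5"]

if __name__ == "__main__":
    for name, cfg in [("mask", WRONG_MASK), ("ip", WRONG_IP), ("bad", BAD_MASK)]:
        print(name, audit(INTENDED, cfg, DESTS))
```

With the wrong mask only the neighbouring subnet fails, because the host tries to deliver to it locally instead of through the router; with the wrong IP address the gateway itself is off-subnet and every destination is affected.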

Depending on where the problem occurs, failures at the network layer can create connectivity issues for a single client or an entire subnet. When this happens, the devices in question will not be able to communicate with another portion of a network, either because of a physical device failure or because a router has been configured with an incorrect route, subnet mask, or some other key piece of information. Because network layer issues can render a computer entirely unable to communicate on a routed network, they tend to be the most visible troubleshooting issues, so you should have a firm grasp of the functions of the network layer and the tools you can use to troubleshoot here. The best tools to check connectivity at the network layer are ping, tracert, traceroute, and pathping, which we’ll discuss in a later section.

The transport layer

Once a packet has left the network layer, the transport layer takes over. This is where network packets are even further differentiated by the port number that they are using to communicate – these port numbers can be for either connection-oriented TCP communications or low-overhead connectionless User Datagram Protocol (UDP) applications. Any application that has to communicate between two networked computers will have to use a particular port number, and the most common services all have well-known port numbers that have been assigned by the Internet Assigned Numbers Authority (IANA). Firewalls and proxy servers will often work at the transport layer to filter traffic based on the TCP or UDP port that it’s using. If you’re having issues at the transport layer, you’ll probably find individual network applications that aren’t functioning properly – like a user who can Telnet to a particular host, but is unable to connect to the Web server running on the same computer.

The transport layer is responsible for making sure that data sent by one computer arrives at its intended destination in good condition. Sending and receiving computers also need a way to differentiate between different communications that may be addressed to different applications on the same computer, which is where TCP and UDP port numbers become useful. Troubleshooting the transport layer is quite similar to working at the application layer, as the TCP and UDP protocols form the basis of the ports that are used by all network applications. So you can use telnet to see if a particular port is listening on the destination machine, and you can use the netstat utility, which will be discussed in the next section, to see a list of all ports that are listening on a particular machine.

Windows Tools

Because TCP/IP has become the default network protocol for Windows operating systems, it’s important to have a good understanding of TCP/IP troubleshooting when working with any of the Microsoft operating systems. Windows computers have a number of built-in utilities that will assist you in troubleshooting TCP/IP problems relating to basic connectivity and name resolution. The most common tools that you should be aware of include the following:

■ ping

■ nslookup

■ tracert

■ arp

■ ipconfig

■ nbtstat

■ netstat

■ pathping

In this section, we’ll take a detailed look at each of these tools, including what the tool is used for and what type of output it produces. We’ll also look at some examples of how to apply these tools, and other more advanced tools that won’t necessarily appear on the Network+ exam, but can still be used to troubleshoot a particular problem.

Utilizing the ping Command

The ping command, which stands for Packet INternet Groper, uses Internet Control Message Protocol (ICMP) echo messages to communicate with other computers. You will usually use the ping command to test basic TCP/IP connectivity between two computers. You can ping a computer using either its IP address or its hostname.

In Figure 11.3, we are using a hostname to test connectivity with a target machine.

The ping command has the following switches:

■ ping –t will ping a specified host continuously until you stop it by typing Ctrl + C. Typing Ctrl + Break will show you statistics on the ping results and then continue.

■ –a resolves IP addresses to hostnames. For example, if you ping a computer with the IP address 192.168.1.101 and you need to find out its Domain Name System (DNS) name, you can ping using the –a switch. The output of utilizing this switch is displayed in Figure 11.4.

■ –n will let you specify the number of ping packets to send. For example, the command ping –n 10 192.168.1.101 will send 10 ping packets to the specified host.

■ –w specifies how long each packet should wait before it times out and returns a “Request timed out” error. The default value is 1000 ms.

■ –i will change the default Time To Live (TTL) for the ICMP echo messages used by the ping command. By default, the TTL is 252, which means that a ping command can pass through 252 router hops before the packet is dropped. You can alter this value using the –i switch.

Figure 11.3 Utilizing a Hostname with the ping Command.

Figure 11.4 Utilizing the ping Command with the –a Switch.

Utilizing the tracert Command

The tracert utility allows you to trace the path that a network packet will take from one host to another. A network packet will often have to pass through several routers or hops to reach its destination, and you can use tracert to determine whether one of these routers, or a link between two routers, is overloaded or has failed. The tracert utility works by sending a series of ICMP echo requests, much like the ping utility. For example, when you type tracert www.digitalthink.com at the command prompt, you’ll see output that resembles the output displayed in Figure 11.5. Each line in the tracert output indicates one hop on the path between your local computer and the destination.

The second column of each row in Figure 11.5 indicates the round-trip response time for a single ping to get to that router and back. As you can see in the example mentioned earlier, this ping is sent three times to each router, so there are three columns depicting millisecond response time.

Figure 11.5 Utilizing the tracert Command.

Head of the Class…

Understanding ICMP

The ICMP is documented in RFC 792, which you can read online at www.freesoft.org/CIE/RFC/792/index.htm. ICMP is part of the TCP/IP protocol suite that operates at the network layer. ICMP messages are primarily used to send messages related to network troubleshooting, so an understanding of ICMP is a critical part of the network troubleshooting process. Some of ICMP’s main functions are as follows:

■ Reporting network connectivity issues. For instance, if a particular computer or a larger portion of a network becomes unavailable or unreachable. Whenever a computer or router forwards an IP datagram to a remote host, the forwarding device will decrement the TTL field of an IP header by one. If this TTL ever reaches 0, ICMP will create a “time to live exceeded in transit” message and send it back to the host that initiated the message.

■ Inform users of network congestion. If a router is receiving too many packets to process efficiently, it will create an ICMP Source Quench message and forward this message to the host that is sending the large number of packets. This message will cause the source machine to slow down how quickly it is sending packets to allow the router to “catch up”.

■ Provide information for network troubleshooting. Most common network utilities use ICMP to communicate, including ping, tracert, and traceroute. These utilities will look for ICMP “time to live exceeded in transit” messages, as well as “destination unreachable” messages, to determine whether a particular host or group of hosts is reachable.

There are also command line switches that you can use to customize the tracert output:

■ tracert –d will instruct tracert not to resolve IP addresses to hostnames (this will increase the speed of the tracert).

■ tracert –h maximum_hops will indicate the maximum number of hops that tracert will use to search for a target. If tracert reaches this maximum number and hasn’t reached the target yet, it will quit. The default value is 30 hops.

■ tracert –w timeout indicates the amount of time each ping will wait for each reply in milliseconds. The default value is 1000 ms.
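The TTL mechanism in the ICMP sidebar is what lets tracert discover one router per line. The simulation below is an added example, not from the book and not tracert's own code: it models a constructed four-hop path, three probes per hop, the maximum-hops limit, and what the listing looks like when a link beyond the second router is down (the `dead_after` parameter is a hypothetical knob for that).

```python
def send_probe(path, ttl, dead_after=None):
    """Forward one probe along path; return (responder, message) or None on timeout.

    Every router decrements the TTL; the router that brings it to 0 answers with
    "time exceeded". The last entry in path is the destination host.
    """
    for index, hop in enumerate(path):
        if dead_after is not None and index > dead_after:
            return None                    # link past this hop is down: probe lost
        if index == len(path) - 1:
            return hop, "echo reply"       # probe survived all routers
        ttl -= 1
        if ttl == 0:
            return hop, "time exceeded"
    return None


def trace(path, max_hops=30, probes=3, dead_after=None):
    """Return one (ttl, responder or '*', replies received) row per hop."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl, dead_after) for _ in range(probes)]
        answered = [r for r in replies if r is not None]
        responder = answered[0][0] if answered else "*"
        rows.append((ttl, responder, len(answered)))
        if any(message == "echo reply" for _, message in answered):
            break                          # destination reached: stop probing
    return rows


# Constructed sample path: three routers, then the destination host.
PATH = ["192.168.1.1", "203.0.113.1", "198.51.100.7", "198.51.100.80"]

if __name__ == "__main__":
    for row in trace(PATH):
        print(row)
    print("--- link after the second router is down, limit of 5 hops ---")
    for row in trace(PATH, max_hops=5, dead_after=1):
        print(row)
```

In the second run the last router that still answers marks where to start looking: the failure is at or just beyond that hop, and the remaining rows time out until the hop limit is reached.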

Utilizing the pathping Command

The pathping utility is an updated and expanded version of ping. The pathping utility will send ICMP echo request messages to each router along the path to the destination host and will calculate how long it takes each router to reply. The pathping tool combines the capabilities of both tracert and ping, and gives you additional information that you can’t get easily from using either tool individually. Pathping will calculate the following information each time it runs:

■ The amount of time it takes the ping packet to get to the destination host and back, called the round-trip.

■ The amount of time it takes to ping each individual router

■ The percent of ping requests that are lost at each router

■ The percent of ping requests lost between the routers

Pathping provides some interesting statistics for network troubleshooting because it gives you information regarding where packet loss is taking place, which can indicate that a particular router may be overloaded or malfunctioning. You can see an illustration of this in Figure 11.6.

Exam Warning

Do not get confused between tracert and traceroute; they are essentially the same tool with different names. Tracert is used on Microsoft Windows systems and traceroute is used on other systems such as Cisco’s Internetwork Operating System (IOS) as well as UNIX and Linux.

Figure 11.6 Following a Packet Through a Large Network.

One thing to be aware of before running pathping on a Windows Vista machine is that you will need to launch the command window as administrator for the command to execute properly. Once you run the command, you should notice that pathping first runs a tracert to the remote host and identifies all of the routers along the path to the destination, and shows you a list of those routers in the first section of the output. Then, pathping provides statistics about each router and each link between the routers. For example, when you enter the command pathping www.microsoft.com, you’ll see the output shown in Figure 11.7.

From this information, you can assess whether an individual router is being overworked, or whether there is congestion on a link between routers. The last two columns of the pathping output provide the most useful information when you’re troubleshooting routers and the links between them. Notice in the last column you can see the name of the router, the IP address, and a percentage listed to the left of the router. If this percentage is a high number, it means that a large number of ping packets are being lost when they’re sent to that router. This is an indication that the router itself may be overloaded.

Figure 11.7 Utilizing the pathping Command.
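Reading those percentages by eye gets tedious on long paths, so the check can be scripted. The following is an added example, not from the book: the sample text is constructed and only modelled on the statistics table pathping prints (its exact column spacing, the host names and the 10% threshold are assumptions), and the parser separates loss at a router from loss on the link leading to it.

```python
import re

# Router row: hop, RTT, "source to here" loss, "this node" loss %, address.
NODE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\d+/\s*\d+\s*=\s*\d+%\s+\d+/\s*\d+\s*=\s*(\d+)%\s+(.+)$")
# Link row: loss % on the link between two hops, marked with a "|".
LINK = re.compile(r"^\s+\d+/\s*\d+\s*=\s*(\d+)%\s+\|\s*$")

# Constructed sample in the layout of a pathping statistics table.
SAMPLE = """\
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           client [192.168.1.101]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  gw.example [192.168.1.1]
                               12/ 100 = 12%   |
  2   24ms    14/ 100 = 14%     2/ 100 =  2%  r2.example [203.0.113.1]
                                0/ 100 =  0%   |
  3   30ms    40/ 100 = 40%    28/ 100 = 28%  r3.example [198.51.100.7]
                                0/ 100 =  0%   |
  4   31ms    12/ 100 = 12%     0/ 100 =  0%  www.example [198.51.100.80]
"""


def analyze(report, threshold=10):
    """Return ('link' | 'router', where, loss %) for every loss >= threshold."""
    findings, pending_link = [], None
    for line in report.splitlines():
        link, node = LINK.match(line), NODE.match(line)
        if link:
            pending_link = int(link.group(1))   # belongs to the next router row
        elif node:
            hop, pct = int(node.group(1)), int(node.group(2))
            if pending_link is not None and pending_link >= threshold:
                findings.append(("link", f"hop {hop - 1} -> hop {hop}", pending_link))
            if pct >= threshold:
                findings.append(("router", node.group(3).strip(), pct))
            pending_link = None
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

On the sample, the 12% loss is attributed to the link between hops 1 and 2 (congestion between routers), while the 28% loss belongs to the third router itself.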
