In between the names of the routers in the pathping output, you see a “|” (pipe) character like this one:

   13  25ms  0/100 = 0%  0/100 = 0%  demarc.company.com [10.28.30.202]
                         0/100 = 0%  |
   14  24ms  1/100 = 1%  1/100 = 1%  seo1-ge2.router mycompany.com [192.168.217.12]

This represents the link between the router and the next-hop router. When there is a large percentage of lost pings for the link, it indicates congestion on the network between hops. In this case, you would want to investigate problems with network congestion, rather than with the router itself.
In Exercise 11.2, you will use the pathping command to view the path to www.yahoo.com.

1. Log onto a Windows Vista machine.
2. Click on Start | All Programs | Accessories.
3. Right-click on the Command Prompt and choose Run as administrator.
4. In the User Account Control dialog box click Continue.
5. In the Administrator: Command Prompt screen type pathping www.yahoo.com and hit Enter on the keyboard.
6. Watch the trace route complete and then wait for the statistics to be generated.
7. Review the output of the statistics.
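To make step 7 concrete, here is an added Python example (not code from the book) that reads a pathping statistics listing and separates loss on a link (the “|” line, congestion between two hops) from loss at a node (the router itself). The listing is constructed, not captured from a real network; it reuses the router names from the excerpt above, and the 10% loss threshold is an assumption you would tune for your own links.

```python
import re

# Constructed sample of pathping statistics output (not captured from a real
# network); hostnames reuse the ones shown in the chapter's excerpt.
SAMPLE_PATHPING = """\
Computing statistics for 75 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           client.company.com [10.28.30.15]
                                0/ 100 =  0%   |
  1   25ms     0/ 100 =  0%     0/ 100 =  0%  demarc.company.com [10.28.30.202]
                               35/ 100 = 35%   |
  2   24ms    36/ 100 = 36%     1/ 100 =  1%  seo1-ge2.router.mycompany.com [192.168.217.12]
                                0/ 100 =  0%   |
  3   40ms    36/ 100 = 36%    20/ 100 = 20%  core.mycompany.com [192.168.218.1]
"""

# A hop line: hop number, RTT (or "---" when every probe timed out), the
# cumulative "Source to Here" counters, the per-hop "This Node/Link" counters,
# then the router's name and/or address.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:(?P<rtt>\d+)ms|---)\s+"
    r"(?P<src_lost>\d+)/\s*(?P<src_sent>\d+)\s*=\s*(?P<src_pct>\d+)%\s+"
    r"(?P<node_lost>\d+)/\s*(?P<node_sent>\d+)\s*=\s*(?P<node_pct>\d+)%\s+"
    r"(?P<address>\S.*?)\s*$"
)
# A link line: only the "This Node/Link" counters followed by the pipe.
LINK_RE = re.compile(r"^\s*(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*(?P<pct>\d+)%\s+\|\s*$")
# Hop 0 is the source host and carries no RTT or loss counters.
HOP0_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<address>\S.*?)\s*$")


def parse_pathping(text):
    """Return the hop and link records in the order pathping prints them."""
    entries = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            entries.append({"kind": "hop", "hop": int(m["hop"]),
                            "rtt_ms": int(m["rtt"]) if m["rtt"] else None,
                            "node_loss_pct": int(m["node_pct"]), "address": m["address"]})
            continue
        m = LINK_RE.match(line)
        if m:
            entries.append({"kind": "link", "loss_pct": int(m["pct"])})
            continue
        m = HOP0_RE.match(line)
        if m:
            entries.append({"kind": "hop", "hop": int(m["hop"]), "rtt_ms": None,
                            "node_loss_pct": 0, "address": m["address"]})
    return entries


def classify_loss(entries, threshold=10):
    """Separate loss on a link (congestion between hops) from loss at a node.

    A link line whose loss meets the threshold is reported as congestion
    between the hop before it and the hop after it; a hop whose own
    "This Node" loss meets the threshold is reported against that router.
    """
    findings = []
    prev_hop = None
    pending_link = None
    for e in entries:
        if e["kind"] == "link":
            pending_link = e          # remember the link until its far-end hop arrives
            continue
        if pending_link is not None and prev_hop is not None \
                and pending_link["loss_pct"] >= threshold:
            findings.append(("link", prev_hop["address"], e["address"], pending_link["loss_pct"]))
        if e["node_loss_pct"] >= threshold:
            findings.append(("node", e["address"], e["node_loss_pct"]))
        prev_hop = e
        pending_link = None
    return findings


if __name__ == "__main__":
    for f in classify_loss(parse_pathping(SAMPLE_PATHPING)):
        if f[0] == "link":
            print(f"congestion between {f[1]} and {f[2]}: {f[3]}% loss on the link")
        else:
            print(f"router {f[1]} itself dropped {f[2]}% of probes")
```

The parser keeps the per-hop “This Node/Link” column rather than the cumulative “Source to Here” column, because only the per-hop figure tells you where the loss starts. Node loss with clean links on both sides often just means that router rate-limits the ICMP it answers itself, which is why the book steers you toward the link figures first.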
Utilizing the arp Command

The arp utility allows you to view and manipulate entries in the TCP/IP arp cache. The arp cache is a list of MAC addresses for computers that have been recently contacted. Their IP-to-MAC address mapping is stored by the local computer so it can be located again quickly. The arp utility is helpful when troubleshooting problems that are related to duplicate IP addresses or duplicate MAC addresses on a particular network segment. For example, suppose that Computer A and Computer B have inadvertently been given the same IP address: 192.168.1.10. Computer A is supposed to be 192.168.1.10, and Computer B is supposed to be 192.168.1.11. When machines on the same segment as these two computers try to contact 192.168.1.10, they’ll send an arp broadcast to resolve the IP address to a MAC address. Depending on which computer responds first, that will be the computer that they connect to. However, because there are two machines with the same IP address, you might connect to different machines at different times. You can see the contents of the arp cache by typing arp -a at the command prompt. You’ll see output similar to the image depicted in Figure 11.8.
SECURITY ALERT

The Dangers of Static arp Entries

Although they have their uses, static arp entries can get you in trouble. For example, a situation existed on a network where each client on a segment was able to connect to any other client on the segment, but just not to one particular server. The search was on to determine why no machines on the segment were able to contact a particular server. As it turned out, to reduce arp broadcast traffic on the network, an administrator had created a batch file that automatically placed static entries for each server on the same segment, as well as the default gateway for the segment, in the client’s local arp cache. He then placed the batch file in each client machine’s startup folder, so that when a machine was restarted, the entries would be placed in the arp cache again.

The connectivity problem first began troubling the environment when the NIC on the server was replaced. Because the MAC address of a computer is tied to the NIC that’s installed, this meant that the static arp entries in the batch file now referenced the old MAC address. However, because nobody remembered to update the batch file, it was still populating the arp cache of each client machine with static entries for the server which contained the incorrect MAC address information for the server. Because of this, most clients on the network had become unable to connect to the server. Once the batch file was discovered and brought up to date, normal communications resumed.
FIGURE 11.8 Utilizing the arp Command.
The arp utility also allows you to add and delete entries in the arp cache. When you add an entry into the arp cache, you create a static entry. A static entry will be listed with “static” in the type field when you view the arp cache, as shown in Figure 11.8. You might want to create static arp entries for frequently accessed servers on the segment, or perhaps for the default gateway. When you create static entries, the source machine won’t need to issue arp broadcasts to resolve IP addresses to MAC addresses. Be aware that static entries are not truly static, because they are removed from the arp cache when a machine is rebooted.
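Both the Security Alert (stale static entries left behind by a batch file) and the duplicate-address scenario above come down to reading the arp -a table carefully. The following Python is an added example, not code from the book: it parses a constructed arp -a listing (the interface, addresses and MACs are made up) and reports the two things worth reviewing, operator-added static entries and any MAC that the cache holds for more than one IP address.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output (not captured from a live host).
SAMPLE_ARP = """\
Interface: 192.168.1.3 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.10          00-1a-2b-3c-4d-01     static
  192.168.1.11          00-1a-2b-3c-4d-01     dynamic
  192.168.1.20          00-50-56-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

INTERFACE_RE = re.compile(r"^Interface:\s+(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+"
    r"(?P<type>static|dynamic)\s*$", re.IGNORECASE)


def parse_arp(text):
    """Return one dict per cache entry: interface, ip, mac (lower-case), type."""
    entries, interface = [], None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            interface = m.group(1)      # entries that follow belong to this interface
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"interface": interface, "ip": m["ip"],
                            "mac": m["mac"].lower(), "type": m["type"].lower()})
    return entries


def is_unicast(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set.
    Windows lists those as 'static' too, but nobody added them by hand."""
    return int(mac.split("-")[0], 16) & 1 == 0


def audit_arp(entries):
    """Flag the two things the chapter tells you to look for.

    'static'     : operator-added unicast entries; these survive until reboot
                   and go stale when a NIC (and so a MAC) is replaced.
    'shared_mac' : one MAC cached for several IPs, the symptom of a
                   duplicate-address problem (or a legitimate multi-homed
                   host, so review it rather than act on it automatically).
    """
    static = [(e["ip"], e["mac"]) for e in entries
              if e["type"] == "static" and is_unicast(e["mac"])]
    by_mac = defaultdict(list)
    for e in entries:
        if is_unicast(e["mac"]):
            by_mac[e["mac"]].append(e["ip"])
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {"static": static, "shared_mac": shared}


if __name__ == "__main__":
    report = audit_arp(parse_arp(SAMPLE_ARP))
    for ip, mac in report["static"]:
        print(f"static entry to verify against the live host: {ip} -> {mac}")
    for mac, ips in report["shared_mac"].items():
        print(f"{mac} is cached for several IPs: {', '.join(ips)}")
```

The static list is what you would compare against the real NICs after a hardware swap like the one in the Security Alert; the shared-MAC list is the cache-side view of the Computer A / Computer B example, since whichever machine answered the broadcast last is the one now cached for that address.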
Utilizing the netstat Command

The netstat utility will give you a great deal of useful information about the active connections on a particular computer. It provides you detailed information about each protocol and port on a computer that is listening or that has established a connection with another computer. You should remember that TCP/IP-based applications like FTP and Telnet will communicate using a particular TCP or UDP port. When one of these programs or services is running on a computer, it means that the service is listening on a particular port for new connection attempts from other computers. A connection listed in netstat can be in one of four states:

■ Listening means that a particular port is open and waiting for connections, but no active connections have been made to it.
■ Established means that a particular connection is active – an FTP client has connected to an FTP server, a client’s Web browser has connected to a World Wide Web (WWW) service, and the like.
■ Time-Wait means that a connection has been made, but it hasn’t received any data for some time and is in the process of timing out.
■ Close-Wait means that an active connection is being closed.

The netstat command has a number of command-line switches that will produce different types of troubleshooting output. The full syntax and possible switches available with netstat are as follows:

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
■ netstat -a displays all TCP/IP connections and listening ports on the local computer, and produces output similar to what is depicted in Figure 11.9.

FIGURE 11.9 Utilizing the netstat Command to Display All Connections and Listening Ports.

Exam Warning

Make sure that you understand what you are looking at when you see the output of the netstat command. For example:

TCP 192.168.1.3:42 192.168.1.185:3919 ESTABLISHED

This means that the computer has ESTABLISHED or created a connection that’s using the TCP protocol. The connection has been made between 192.168.1.3:42 and 192.168.1.185:3919, which means that the computer at IP address 192.168.1.3 is sending information using TCP port 42, and 192.168.1.185 is receiving information using port 3919.
■ netstat -b displays the name of the executable that created each connection or listening port. See Figure 11.10 for a sample output.
■ netstat -e displays Ethernet statistics for the local computer. The output generated by this command is shown in Figure 11.11.
■ netstat -p protocol will show you the same information displayed by the -a option, restricted to a specific protocol. You can restrict your output to TCP, UDP, TCPv6, or UDPv6. You can combine the -p switch with the -s switch to display three additional protocols, IP, ICMP, and ICMPv6. For example, netstat -p TCP produces the output shown in Figure 11.12. Notice how only TCP is displayed in the protocol column.
■ netstat -n displays addresses and port numbers in numerical form instead of using hostnames.
■ netstat -r displays the routing table for the local computer.
■ netstat -s provides detailed statistics about the local computer’s network connections. You can restrict which statistics are displayed by combining this with the -p option and specifying a particular protocol. The command netstat -s will produce information such as how many packets have been sent and received, the number of errors and type of error, and much more. An example is displayed in Figure 11.13.

FIGURE 11.10 Utilizing the netstat Command to View Connections and Listening Ports by Executable.

FIGURE 11.11 Utilizing the netstat Command to View Ethernet Statistics.
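Reading a netstat listing the way the Exam Warning asks (protocol, local endpoint, foreign endpoint, state) is something you end up scripting once you have more than a screen of it. The Python below is an added example, not code from the book: it parses a constructed netstat -ano listing (the -o switch from the syntax line adds the owning PID column; the addresses and PIDs are made up, apart from the ESTABLISHED line quoted in the Exam Warning) and groups the results into listening ports, live connections and sockets that are still closing.

```python
# Constructed sample of "netstat -ano" output (not captured from a live host);
# the ESTABLISHED line is the one quoted in the chapter's Exam Warning.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.3:42         192.168.1.185:3919     ESTABLISHED     1204
  TCP    192.168.1.3:49700      203.0.113.10:443       TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1312
"""

PROTOCOLS = {"TCP", "TCPv6", "UDP", "UDPv6"}


def split_endpoint(endpoint):
    """'192.168.1.3:42' -> ('192.168.1.3', 42); '[::]:445' -> ('::', 445);
    '*:*' (UDP has no peer) -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")   # rpartition: IPv6 hosts contain colons
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line. state is None for UDP lines and
    pid is None when the listing was produced without -o."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in PROTOCOLS:
            continue                                  # banner and header lines
        local_host, local_port = split_endpoint(tokens[1])
        remote_host, remote_port = split_endpoint(tokens[2])
        state, pid = None, None
        for tok in tokens[3:]:                        # remaining columns: [state] [pid]
            if tok.isdigit():
                pid = int(tok)
            else:
                state = tok
        records.append({"proto": tokens[0], "local": (local_host, local_port),
                        "remote": (remote_host, remote_port), "state": state, "pid": pid})
    return records


def summarize(records):
    """Group what a reviewer wants first: open (listening) ports, live
    connections with their peers, and sockets still draining."""
    listening = sorted((r["proto"], r["local"][1], r["pid"]) for r in records
                       if r["state"] == "LISTENING")
    established = [(r["local"], r["remote"], r["pid"]) for r in records
                   if r["state"] == "ESTABLISHED"]
    closing = [r["local"] for r in records if r["state"] in ("TIME_WAIT", "CLOSE_WAIT")]
    udp_ports = [r["local"][1] for r in records if r["proto"].startswith("UDP")]
    return {"listening": listening, "established": established,
            "closing": closing, "udp_ports": udp_ports}


if __name__ == "__main__":
    s = summarize(parse_netstat(SAMPLE_NETSTAT))
    for proto, port, pid in s["listening"]:
        print(f"{proto} port {port} is open and waiting for connections (PID {pid})")
    for (lh, lp), (rh, rp), pid in s["established"]:
        print(f"{lh}:{lp} <-> {rh}:{rp} is ESTABLISHED (PID {pid})")
```

Run it against output produced with -n as well, so that the endpoints stay numeric and the parser never has to guess whether a column is a hostname or an address; the PID column is what lets you tie a listening port back to the process that opened it.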
FIGURE 11.12 Utilizing the netstat Command to Display Protocol Specific Connections.

FIGURE 11.13 Utilizing the netstat Command to Display Detailed Statistics.

Utilizing the nbtstat Command

nbtstat is quite similar to netstat, except that it displays information specifically relating to NetBIOS over TCP (NetBT). nbtstat will show you NetBT protocol statistics and NetBIOS name tables for local and remote computers. nbtstat will also allow you to display and refresh the NetBIOS cache. Be aware that nbtstat is one of the few command line tools in Windows that is case sensitive. nbtstat uses the following command-line switches:
■ nbtstat -a Computername will display the NetBIOS name cache for a remote computer, specified by the computer’s NetBIOS hostname. A sample output from nbtstat -a <computer name> is shown in Figure 11.14.
■ nbtstat -A IP Address will display the same information as nbtstat -a, but will allow you to specify the target machine by IP address instead of NetBIOS name.
■ nbtstat -c will display the NetBIOS name cache of NetBIOS names that have already been resolved on the local computer. This command will show you a table of NetBIOS names and their associated IP addresses.
■ nbtstat -n displays the NetBIOS names that are registered for the local computer. The command nbtstat -n displays information as shown in Figure 11.15.
■ nbtstat -r will display NetBIOS statistics for the local computer. This will display the number of NetBIOS names that have been registered using broadcast and a WINS (Windows Internet Name Service) server, and the number of NetBIOS names that have been resolved using both of these methods. The -r switch displays information as shown in Figure 11.16.
■ nbtstat -R will purge the current contents of the NetBIOS cache on the local machine. In addition to removing any entries in the local cache, nbtstat -R will also reload any entries in the local LMHOSTS file that have the “#PRE” tag. Remember that “#PRE” is used in the LMHOSTS file to preload a NetBIOS name mapping into a machine’s NetBIOS cache when it first starts up.
■ nbtstat -RR will release and refresh any NetBIOS names that are registered on the local computer.
■ nbtstat -s will display any existing NetBIOS sessions.
■ nbtstat -S will display the same information as using the -s switch, but it will display the local name as an IP address only.

Test Day Tip

The nbtstat -RR command is especially useful for troubleshooting, as you may encounter a situation where a computer’s NetBIOS name has been updated and you need to quickly remove any cached entries.

FIGURE 11.14 Utilizing nbtstat Remotely.

FIGURE 11.15 Utilizing nbtstat to Display Registered NetBIOS Names.

FIGURE 11.16 Utilizing nbtstat to Display Statistics.
Utilizing the ipconfig Command

The ipconfig utility works at the command line to provide you with IP configuration data for all NICs installed on your local computer. You can simply type ipconfig by itself to see basic information about the NICs in your computer, or you can use a number of switches to retrieve more detailed information. At its most basic, the output for the ipconfig command will resemble the image displayed in Figure 11.17.

As you can see, the basic ipconfig command provides you the IP address, subnet mask, and default gateway for the NICs installed on a particular machine. This information can be handy as a quick reference when trying to figure out what IP address and subnet mask has been assigned to a particular computer, particularly if it receives its IP configuration from Dynamic Host Configuration Protocol (DHCP). You can get more detailed information using the ipconfig /all command, as you can see in Figure 11.18.
By using the ipconfig /all command, you get information about the DNS and WINS servers that your computer has been configured with, as well as the MAC address of each installed NIC. If you’re troubleshooting DNS-related problems, for example, this is a quick way to determine the hostname and primary DNS suffix that your machine is using.
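When you collect ipconfig /all from more than a handful of machines (an inventory check, or triage after an incident), you want those same fields pulled out of the text rather than read by eye. The Python below is an added example, not code from the book: it parses a constructed ipconfig /all listing (the host name, adapter names, addresses and MACs are made up) into one record per adapter, handling multi-line fields such as DNS Servers and an empty Default Gateway, and returns the host name and primary DNS suffix the paragraph above refers to.

```python
import re

# Constructed sample of "ipconfig /all" output (not captured from a live host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WKS-01
   Primary Dns Suffix  . . . . . . . : corp.example.com
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example.com
   Physical Address. . . . . . . . . : 00-0C-29-12-34-56
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.5
                                       192.168.1.6
   Primary WINS Server . . . . . . . : 192.168.1.7

Ethernet adapter Management:

   Physical Address. . . . . . . . . : 00-0C-29-65-43-21
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.10.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.10.0.2
"""

# "Key . . . . : value"; the key never contains a colon, the dot leader is
# swallowed by [ .]*, and the value may be empty (an adapter with no gateway).
KEY_RE = re.compile(r"^\s+(?P<key>[^:]*?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {section: {key: [values]}}. Sections are the adapter headers plus
    the leading 'Windows IP Configuration' block; values are lists because
    multi-valued fields (DNS Servers) continue on more deeply indented lines."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                                # section header
            current = line.rstrip(":")
            sections[current] = {}
            last_key = None
        elif indent >= 4 and last_key is not None:     # continuation of the previous key
            sections[current][last_key].append(line.strip())
        else:
            m = KEY_RE.match(line)
            if m and current is not None:
                value = m["value"].strip()
                sections[current][m["key"]] = [value] if value else []
                last_key = m["key"]
    return sections


def first(fields, key):
    """First value for a key, with Windows' '(Preferred)' suffix dropped."""
    vals = fields.get(key, [])
    return vals[0].split("(")[0] if vals else None


def host_identity(sections):
    """(host name, primary DNS suffix) from the leading block."""
    host = sections.get("Windows IP Configuration", {})
    return first(host, "Host Name"), first(host, "Primary Dns Suffix")


def adapter_summary(sections):
    """The fields the chapter calls out, keyed by the adapter's short name."""
    summary = {}
    for header, fields in sections.items():
        if " adapter " not in header:              # e.g. "Ethernet adapter X", "Tunnel adapter Y"
            continue
        name = header.split(" adapter ", 1)[1]
        summary[name] = {
            "mac": first(fields, "Physical Address"),
            "dhcp": (fields.get("DHCP Enabled") or [""])[0] == "Yes",
            "ipv4": first(fields, "IPv4 Address"),
            "mask": first(fields, "Subnet Mask"),
            "gateway": first(fields, "Default Gateway"),
            "dns": list(fields.get("DNS Servers", [])),
        }
    return summary


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    print("host:", host_identity(cfg))
    for name, a in adapter_summary(cfg).items():
        print(f"{name}: {a['ipv4']}/{a['mask']} gw={a['gateway']} mac={a['mac']} "
              f"dhcp={a['dhcp']} dns={a['dns']}")
```

Keeping every field as a list is deliberate: a second DNS server, an extra IPv4 address or an additional gateway all arrive as continuation lines, and flattening them to a single string is how such parsers silently drop the entry you were looking for.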
You can use the ipconfig /flushdns command to clear the DNS cache on the local computer. This will force the computer to contact a DNS server for any hostnames that it tries to connect to. This is particularly useful if you’ve recently made changes to your DNS records so that your clients can access

FIGURE 11.17 Ipconfig Output.

Test Day Tip

You can also use ipconfig /release and ipconfig /renew to force a DHCP client to request a new IP address lease from a DHCP server.