
Windows 2000 Troubleshooting TCP/IP, part 4


Log File Format

In the “Log file type:” drop-down list box, you can choose what format you want the log file to be saved in. The main choices are binary format and delimited text formats. If you save the logs in delimited text formats, you can import the data into an Excel or Access database. Regardless of the format you choose, you can still bring the information back to the System Monitor console for later analysis, in the same way you were able to open log files for later viewing using the Windows NT 4.0 Performance Monitor.

Alerts

To create an alert, you click the Alerts object in the left pane and then right-click in the right pane and select New Alert Settings from the context menu. Enter the name of the alert and click OK. You will see what appears in Figure 5.8.

Figure 5.8 The General tab in the Alert dialog box.

You add counters for which you want to be alerted by clicking ADD; in this example, we have selected the Pages/sec counter in the Memory object. After selecting the counter, you need to set the parameters that will trigger the alert. In this case, we want to be alerted if the number of pages/sec exceeds 20. The sample interval is every 5 seconds by default. Click the Action tab and you will see what appears in Figure 5.9.


Here you set what actions should take place after an alert is triggered. In this case, we have configured the alert to be sent to the Application log and a network message to be sent to the administrator’s workstation.

The recipient is a NetBIOS name, and NetBIOS must be enabled on both the machine generating the alert and the machine receiving the alert as a network message in order for this to work. This is something to keep in mind when you feel that your network has reached a point where you can completely disable NetBIOS. If you do reach that point, you must re-enable NetBIOS on the source and destination machines, at least temporarily, in order for alerts to be sent via network messages.

You also have the choice of starting a log that you have already created after an alert condition has been met. We might want to create a log that tracks other memory-related parameters if the number of pages/sec exceeds 20. In that case, we would choose “Start performance data log” and select the name of the log from the drop-down list. You could also choose to start a program after the alert condition parameters have been met.

Click the Schedule tab and you will see what appears in Figure 5.10. Here you can schedule when you want the system to look for alert conditions. In this instance, we have selected the date and time when the system should start looking for the alert condition, and set that the system should stop looking after one day. You can see from the dialog box the other options you have when scheduling alerts.

Figure 5.9 The Action tab in the Alert dialog box.


of affairs is that promiscuous mode capturing can potentially overtax your computer’s processor.

Even with these limitations, the Network Monitor is a very useful tool for assessing the activity on the network. You can use the tool to collect network data and analyze it on the spot, or save your recording activities for a later time. Network Monitor allows you to monitor network activity and set triggers for when certain events or data cross the wire. This could be useful, for instance, if you are looking for certain “key words” in e-mail communications moving through the network (we’ll look at an example of how to do this later in this section).

Figure 5.10 The Schedule tab in the Alert dialog box.


A more full-featured version of Network Monitor that allows for promiscuous mode is included with Microsoft Systems Management Server (SMS).

Filtering

The Network Monitor program allows you to capture only those frames that you are interested in, based on protocol or on source or destination computer. You can apply even more detailed and exacting filters to data that you have finished collecting, which allows you to pinpoint the precise elements you might be looking for in the captured data. We’ll discuss how to filter what data you want to capture, and how to fine-tune the captured data after you’ve collected it.

Security Issues

The Network Monitor program is a network sniffer. Any person with administrative privileges can install it on a Windows 2000 Server family computer and start “listening” to activity on the wire. If you feel this is a cause for concern, you are correct. The easy availability of such a powerful tool should lead to even further consideration of the security implications when you give someone administrative rights. Fortunately, the Network Monitor is able to detect when someone else on the segment is using Network Monitor, and provide you with his or her location.

However, don’t stake your career on this working correctly, because we have had very rare success at it actually identifying all computers running Network Monitor on the same segment.

Installation

Network Monitor is not installed by default. If it isn’t installed on your computer, you can install it via the Add/Remove Programs applet in the Control Panel.

Using the Program

After you have installed the program, go to the Administrative Tools menu and click Network Monitor; you will see what appears in Figure 5.11.

This Capture Window is the starting point on your adventure of network monitoring. Note that there are four panes to this window.


Capture Window Panes

The top left pane is in the “gas gauge” type format, which provides information on percent network utilization, broadcasts per second, and other parameters in real time.

Just under that is a pane that provides information about individual sessions as they are established, showing who established a session with whom, and how much data was transferred between the two.

The right pane is the local machine’s session statistics pane, and provides detailed summary (is that an oxymoron?) information about the current capturing session.

The bottom pane provides information about each detected host on the segment, and statistics gathered on the host’s behavior.


First, select the Tools menu, and then click Identify Network Monitor Users. You will see the Identify Network Monitor Users dialog box as it appears in Figure 5.12.

Figure 5.12 The Identify Network Monitor Users dialog box.

This dialog box provides you with the username and NetBIOS name of the machine or machines currently running Network Monitor.

As mentioned earlier, you might not always get accurate readings right away when running this utility. The Microsoft documentation regarding how it finds other Network Monitor users is not clear on how the identification process takes place. Machines running either the Network Monitor Application or Agent are supposed to register NetBIOS names with the service identifiers [BFh] and [BEh], respectively, but if you look at the following, you will be led to think otherwise:

Local Area Connection:
Node IpAddress: [192.168.1.186] Scope Id: []

            NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    EXETER         <00>  UNIQUE      Registered
    TACTEAM        <00>  GROUP       Registered
    EXETER         <03>  UNIQUE      Registered
    EXETER         <20>  UNIQUE      Registered
    TACTEAM        <1E>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~EXETER      <00>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

            NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    DAEDALUS       <00>  UNIQUE      Registered
    TACTEAM        <00>  GROUP       Registered
    DAEDALUS       <03>  UNIQUE      Registered
    DAEDALUS       <20>  UNIQUE      Registered
    TACTEAM        <1E>  GROUP       Registered
    TSHINDER       <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~DAEDALUS    <00>  UNIQUE      Registered
    DAEDALUS       <01>  UNIQUE      Registered

These are the printouts of the nbtstat –n command run on two of the Windows 2000 computers identified by Network Monitor as running Network Monitor. Neither of them has registered NetBIOS names indicating that it is running either the Network Monitor Agent or Application. The WINS database on this network also contains no entries to this effect.

The moral of this story? Take advantage of this application, but take a couple of precautions: 1) let it run for an hour or so before concluding that no other Network Monitor users are on the network, and 2) don’t bet your job on it!
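The name tables above carry more than the absent [BEh]/[BFh] registrations: the <03> UNIQUE entries that are not the machine name (ADMINISTRATOR on EXETER, TSHINDER on DAEDALUS) are Messenger-service registrations that tell anyone who can run nbtstat -A against the host who is logged on. The following parser is an added example and not code from the book or from Microsoft: it reads nbtstat -n output, reports the machine name, the logged-on users and any Network Monitor registrations, and flags the suffixes it knows. The sample listing is constructed to mirror the EXETER table above; the form of a Network Monitor registration (the machine name with suffix BF) is an assumption the page itself could not confirm.

```python
import re
from typing import List, NamedTuple, Set

# Well-known NetBIOS name suffixes (the 16th byte, shown in <..> by nbtstat).
# BE/BF are the Network Monitor Agent / Application names the page discusses.
SUFFIX_MEANING = {
    0x00: "workstation service / domain name",
    0x01: "master browser",
    0x03: "messenger service (machine or logged-on user)",
    0x1B: "domain master browser",
    0x1C: "domain controllers / IIS INet~Services",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "server service (file and print)",
    0xBE: "Network Monitor Agent",
    0xBF: "Network Monitor Application",
}

class NbtName(NamedTuple):
    name: str
    suffix: int
    kind: str    # UNIQUE or GROUP
    status: str  # Registered, Conflict, ...

# One table row looks like:  EXETER         <00>  UNIQUE      Registered
_ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

def parse_nbtstat(text: str) -> List[NbtName]:
    """Parse the rows of every 'NetBIOS Local Name Table' section in the text
    that `nbtstat -n` (or `nbtstat -A <ip>` against a remote host) prints."""
    return [NbtName(m.group(1).strip(), int(m.group(2), 16), m.group(3), m.group(4))
            for m in (_ROW.match(line) for line in text.splitlines()) if m]

def machine_names(names: List[NbtName]) -> Set[str]:
    """<00> UNIQUE entries are the computer's own name; IS~NAME is the IIS copy."""
    return {n.name.upper() for n in names
            if n.suffix == 0x00 and n.kind == "UNIQUE" and not n.name.upper().startswith("IS~")}

def netmon_registrations(names: List[NbtName]) -> List[NbtName]:
    """Entries that would betray a Network Monitor Agent (BE) or Application (BF)."""
    return [n for n in names if n.suffix in (0xBE, 0xBF)]

def logged_on_users(names: List[NbtName]) -> List[str]:
    """<03> UNIQUE names other than the machine name are Messenger registrations
    for logged-on users, e.g. ADMINISTRATOR <03> on EXETER."""
    own = machine_names(names)
    return sorted(n.name for n in names
                  if n.suffix == 0x03 and n.kind == "UNIQUE" and n.name.upper() not in own)

def describe(names: List[NbtName]) -> List[str]:
    """One annotated line per entry, with the meaning of the suffix."""
    return [f"{n.name:<16}<{n.suffix:02X}> {n.kind:<7} {SUFFIX_MEANING.get(n.suffix, 'unknown suffix')}"
            for n in names]

# Constructed sample that mirrors the EXETER listing on the page (no BE/BF rows).
SAMPLE_EXETER = """\
Local Area Connection:
Node IpAddress: [192.168.1.186] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    EXETER         <00>  UNIQUE      Registered
    TACTEAM        <00>  GROUP       Registered
    EXETER         <03>  UNIQUE      Registered
    EXETER         <20>  UNIQUE      Registered
    TACTEAM        <1E>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~EXETER      <00>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
"""

# The same host with the registration the documentation says the Application
# should make. Assumed form: machine name plus suffix BF (unconfirmed on the page).
SAMPLE_WITH_NETMON = SAMPLE_EXETER + "    EXETER         <BF>  UNIQUE      Registered\n"

if __name__ == "__main__":
    names = parse_nbtstat(SAMPLE_WITH_NETMON)
    print("\n".join(describe(names)))
    print("machine:", machine_names(names), "users:", logged_on_users(names),
          "netmon:", [(n.name, hex(n.suffix)) for n in netmon_registrations(names)])
```

To use it on a live network, save `nbtstat -n` (or `nbtstat -A 192.168.1.3` from another host) to a file and pass its contents to parse_nbtstat; anything the BE/BF check reports is worth a look, and the <03> user names are a reminder of what NetBIOS name tables give away even when no sniffer is running.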


The default value is 1MB, but you can choose up to 1024MB (1GB). However, since this data is stored in memory during the recording phase, your practical limit is the amount of available RAM.

Even if you are running Network Monitor on a machine with a gigabyte of RAM, you still need to be careful, because it needs to write this information to disk. You need the equivalent amount of free disk space as well. You can also choose how much of each frame you want to capture. Typically, you’ll choose Full to maximize your ability to find the things you’re looking for.

Select the Options menu, and then click the Change Temporary Capture Directory command. You’ll see a scary message like the one in Figure 5.14.

Figure 5.13 The Capture Buffer Settings dialog box.


Figure 5.14 A scary message about changing the Temporary Capture Directory.

The whole program is for advanced users only! We’re still trying to figure out what the danger is that they want to communicate regarding changing the location of the temporary folder, which is the temporary folder location defined in the system environment variable.

Click OK and you can then choose another folder to contain the temporary capture files. You might want to do this if you’ve chosen a buffer size that is larger than the amount of disk space you have available on the partition that contains your temp directory.

Collecting Data

Now that we’re finished with the preliminaries, let’s get to the job of collecting some data. The first thing you should try out is to start a capture without filters, just to get a feel for how the capture process works.

There are a couple of ways to get the capture started: you can select the Capture menu and then click Start, or you can click the little right-pointing arrow in the toolbar. Either one will begin the capture. When it is running, you’ll see the gas gauges moving, and the statistics being collected on the recording session.

After letting the capture run for a little bit, or after the % Buffer Used value reaches 100, click the button that has the eyeglasses next to a square (the stop and view button). This stops the capturing process and allows you to see the frames that have been captured. You’ll see the Capture Summary window as seen in Figure 5.15.

This window provides a list of all the frames that were captured during the session. If you scroll to the bottom of the list, you’ll note that there is a summary frame that contains statistics about the current capture. Take note of the column headers, which all should be self-explanatory.

Notice something unusual about the data in Figure 5.15? How about the information that appears in the “Src MAC Addr” and “Dst MAC Addr” fields? Those don’t look like MAC addresses to me.

If you did notice this seeming anomaly, congratulations! MAC addresses aren’t much fun to look at, so we took advantage of another utility that translates the MAC addresses to machine names. Select the Display menu, and then click the Find All Names command. It will search for names, inform you of its results, and transform the fields containing MAC addresses to NetBIOS names if it can find this information. Now, double-click one of the frames, and you will see the display transform into a tripane view as seen in Figure 5.16.


The top pane is just like the one you just saw. The middle pane contains translated information from the captured frame that provides details of the frame headers and protocol information. The bottom pane shows the raw hex and translations of the collected frame data. At the very bottom of the window, in the status bar area, there is a description of the frame selected in the top pane (which in this case is Ethernet/802.3 MAC Layer), the frame number out of the total number of frames, and an “offset” value for the selected character in the bottom pane.

In the preceding example, we selected frame number 244, which is an ARP broadcast frame. Notice in the middle pane some of the details. It indicates the hardware type and speed, and the source and destination IP and hardware addresses. Note that the destination hardware address is the Ethernet broadcast address [FFFFFFFFFFFF], because the whole purpose of the ARP broadcast is to resolve the IP address to a hardware address.

The capture was taken from EXETER. The ARP broadcast was issued by CONSTELLATION for DAEDALUS, which is the machine with the IP address of 192.168.1.3. Do you think we would find the ARP reply later in the capture? The answer is no. That is because the reply will not be sent to the hardware broadcast address, but to CONSTELLATION’s hardware address; therefore, the Network Monitor on EXETER will not be able to capture that conversation. The only reason we were able to see the ARP request is that it was directed to the hardware broadcast address, which means that every machine on the segment had to evaluate the request to see if it was for them.

Figure 5.15 The Capture Summary window.

The bottom pane in this instance isn’t very exciting. It shows the hex data on the left and an ASCII translation on the right. However, it can get interesting, as shown in Figure 5.17.

Looking at the ASCII translation in this case, we see that we have a problem user on the network, perhaps an overly enthusiastic Linux fan.

We are able to actively search for text strings in captured data in order to find out about the existence of just this kind of communication. In this case, the offensive text string was found embedded in an SMB packet transmitting a Microsoft Mail message from the e-mail server to the destination computer. Other frames in the capture indicate the source of the message.

Figure 5.16 Tripane view in the Capture Summary window.


Filtered Captures

The capture we did earlier was an unfiltered capture. The advantage of doing an unfiltered capture is that you gather data on every communication into and out of the computer doing the capture, so you can be sure that you’re not missing anything. However, you could end up collecting a whole lot of information that you don’t need, and the extra information only serves to obscure the data that you’re actually looking for.

Perhaps you’re only interested in the information exchange taking place between your computer and one other computer, or two other computers.

You can limit the frames that are captured by creating a capture filter.

A capture filter is one of the two types of filters you’ll be working with, the other being the display filter, which we’ll explore in a little bit.

Figure 5.17 Capture file with revealing ASCII data.


The purpose of the capture filter is to limit the frames that are actually saved in the capture buffer. This allows you to make better use of your buffer space, because the limited amount of buffer you have can be devoted to the precise targets of interest. It also reduces the amount of “extraneous” information that could cause you to overlook something important during your investigations.

To create a capture filter, select the Capture menu, and click Filter. First you’ll see a warning that tells you that for “security” reasons, you can only capture traffic moving to and from the machine running Network Monitor. Click OK to move away from that dialog box, and you’ll see what appears in Figure 5.18.

Figure 5.18 The Capture Filter dialog box.

There are two ways you can filter the capture information:

■ By machine address pairs

■ By a specified pattern in the frames that is examined during thecapture sequence

Filtering by Address Pairs

Let’s first see how we filter via address pairs. We can define up to four address pairs to filter. For example, suppose there are 30 computers on the segment that’s running Network Monitor, and we don’t want to capture information destined to and coming from all 30 of those machines, just four of them. We can do that.


To start adding address pairs, double-click the [AND] (Address Pairs) statement. You should see what appears in Figure 5.19.

Take a close look at the elements of this dialog box. Near the top are two option buttons, Include and Exclude. Any address pair that you select for Include will be included in the capture. Any address pair that you set for Exclude will be excluded from the capture. For example, if you choose to include *Any (which indicates all frames coming to and leaving this computer), you could then choose to exclude a pair of computers so that you can ignore messages being sent to and arriving from that machine.

Figure 5.19 The Address Expression dialog box.

Under the Include and Exclude options are three panes: Station 1, Direction, and Station 2. Station 1 and Station 2 define the computers named in the address pairs that will be included in or excluded from the filter, with Station 1 always being the machine running the Network Monitor application. The Direction arrows allow you to filter based on the direction of the traffic. The <-> symbol represents traffic leaving Station 1 to Station 2 and arriving from Station 2 to Station 1, the -> represents traffic leaving Station 1 to Station 2, and the <- represents traffic arriving from Station 2 to Station 1.

If we were using the full version of Network Monitor that comes with Microsoft Systems Management Server, Station 1 could be any computer on the network and not just the local machine.


The chance is good that the machine you want to designate as Station 2 is not included on the list. To add the machine of interest to the list, click EDIT ADDRESSES. You will see what appears in Figure 5.20.

Figure 5.20 The Addresses Database dialog box.

This shows the Addresses Database in its current state on the machine running the Network Monitor. The first column gives the machine’s NetBIOS name, the second column the machine’s address, the third column the type of address in the second column, and the fourth column a comment about the entry in the database.

What we want to do is add an entry, so we need to click ADD. You will see what appears in Figure 5.21.

Figure 5.21 The Add Address Information dialog box.


In the Add Address Information dialog box you enter the name of the machine, whether this is a permanent name for the machine, the address, the type of address you are entering, and an optional comment.

A hint here: before you enter the address, you must choose what type of address you wish to enter. The dialog box defaults to a MAC address, and if you try to enter an IP address while it says “ETHERNET” in the type box, it won’t work.

Click OK and the address is entered into the database

These addresses will only stay in the database for the time that you have Network Monitor open. If you find that you’ve created a lot of addresses for machines on your network, you certainly don’t want to have to do that again. To prevent such a waste of time, you can save these addresses. To do so, click SAVE, choose a location and a name for the file, and the addresses will be saved so that you can load them in a subsequent monitoring session.

Click CLOSE, which returns you to the Address Expression dialog box that you were at previously. I’m going to select EXETER for Station 1, CONSTELLATION for Station 2, and choose the double arrow for the direction of traffic. After doing so, the screen looks like it does in Figure 5.22.


Figure 5.22 The completed Capture Filter.


With this capture filter in place, only traffic between EXETER and CONSTELLATION will be retained in the capture buffer, and all other packets will be rejected. This implies that all packets continue to be examined by the application, and that is true.

The filtering process can be processor-intensive, especially if you have set up complex filters. Keep this in mind before running an extended capture session on a machine that is already heavily taxed.

Now we’re ready to start the capture session. Click OK in the Capture Filter dialog box to remove it from sight. To start the capture, we’ll click the right-pointing arrow in the toolbar.

After letting the capture run for a very short period of time, you can click the “stop and view” button on the toolbar. The collected data appear in Figure 5.23.


Figure 5.23 The results of a filtered data collection.


Display Filters

Now that we have some captured data, we’ll look at a second type of filter, known as a display filter. The display filter allows us to look for very specific elements of the captured data, and allows for much more refined filtering than we can accomplish with the capture filter.

A display filter can be used as a database search tool, where the captured frames are the data in our database.

Imagine that we had captured this data because we wanted to see what types of messages were being passed around the network regarding Windows 2000. First, we’d have to decide what kind of messages we want to look for. In this case, let’s assume that we want to see if users have been using the net send command to exchange ideas or opinions regarding Windows 2000.

To get started, select the Display menu, and click Filter. You should see what appears in Figure 5.24.


Figure 5.24 The Display Filter dialog box.

What we want to do is filter out everything except the protocol of interest, and then identify a key phrase contained within the protocol of interest. Since we’re looking at net send messages being sent between the users, we know that they use the SMB protocol. That’s where we’ll start. Double-click the line that says “Protocol==Any”. You will see the Expression dialog box as it appears in Figure 5.25.

Figure 5.25 The Expression dialog box.

Notice that the Protocol tab is where we are located. By default, all protocols are enabled, which means that the filter is letting frames from all protocols appear. Our goal is to allow only frames from the SMB protocol to appear, so we can sift through just those frames to find what our users are saying about Windows 2000.

The first step is to disable all the protocols by clicking DISABLE ALL. After clicking DISABLE ALL, all the protocols are moved to the right side, into the Disabled Protocols section. Now, scroll through the list of disabled protocols and find the SMB protocol. Click on the SMB protocol and then click ENABLE. Your screen should appear as it does in Figure 5.26. When the display filter is enabled, we will see only the SMB frames.

However, we don’t want to see all the SMB frames; we just want to see those that have the term “Windows 2000” in them. In order to drill down to just those frames, click the Property tab.

After clicking the Property tab, scroll down the list of protocols until you find the SMB protocol. Double-click the protocol to see all the SMB frame properties. Then scroll down the list of SMB frame properties until you find the Data property. You should see what appears in Figure 5.27.


In Figure 5.27, we have selected the “contains” option in the Relation box, and then entered the value “Windows 2000.” This will filter out any SMB frames that do not contain the text string “Windows 2000.” Note that toward the bottom of this dialog box there are two option buttons, Hex and ASCII, and that ASCII is selected.

Figure 5.26 The SMB protocol is now the only enabled protocol.

Figure 5.27 The SMB protocol Properties dialog box.

Click OK, then click OK again, and we see a single frame that contains a reference to Windows 2000, as it appears in Figure 5.28.
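Both filters in this section (the address-pair capture filter with its Station 1/Station 2, direction arrows, Include/Exclude buttons and four-pair limit, and the display filter with enabled protocols plus a “Data contains” match in ASCII or hex) reduce to small predicate functions, and writing them down is a cheap way to check that a filter says what you think before you spend an hour of capture buffer on it. The following is an added example and not code from the book or from Network Monitor: it models both filters over a handful of constructed frames. The station names are the page’s; the frame contents are made up, and the rule that an Exclude pair overrides an Include pair follows the page’s “include *Any, then exclude a pair” description.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence

class Direction(Enum):
    BOTH = "<->"   # Station 1 <-> Station 2
    OUT = "->"     # Station 1 -> Station 2
    IN = "<-"      # Station 2 -> Station 1

@dataclass(frozen=True)
class Frame:
    src: str        # station name, as the Capture Summary shows it after Find All Names
    dst: str
    protocol: str   # e.g. "ARP", "SMB", "TCP"
    data: bytes     # payload, as the Hex/ASCII pane shows it

@dataclass(frozen=True)
class AddressPair:
    station1: str             # in the Windows 2000 build this is always the local machine
    direction: Direction
    station2: str             # "*ANY" matches every other station
    include: bool = True      # the Include / Exclude option buttons

    def matches(self, f: Frame) -> bool:
        to2 = f.src == self.station1 and self.station2 in ("*ANY", f.dst)
        from2 = f.dst == self.station1 and self.station2 in ("*ANY", f.src)
        if self.direction is Direction.OUT:
            return to2
        if self.direction is Direction.IN:
            return from2
        return to2 or from2

MAX_ADDRESS_PAIRS = 4   # the limit the page gives for the capture filter

def capture_filter(frames: Sequence[Frame], pairs: Sequence[AddressPair]) -> List[Frame]:
    """What reaches the capture buffer. Exclude pairs win over Include pairs (so
    'include *ANY, exclude DAEDALUS' behaves as the page describes); with no
    Include pair at all everything not excluded is kept, which is what the
    dialog's default *ANY <-> *ANY line does."""
    if len(pairs) > MAX_ADDRESS_PAIRS:
        raise ValueError(f"at most {MAX_ADDRESS_PAIRS} address pairs")
    includes = [p for p in pairs if p.include]
    excludes = [p for p in pairs if not p.include]
    kept: List[Frame] = []
    for f in frames:
        if any(p.matches(f) for p in excludes):
            continue
        if includes and not any(p.matches(f) for p in includes):
            continue
        kept.append(f)
    return kept

def display_filter(frames: Sequence[Frame], protocols: Optional[Sequence[str]] = None,
                   contains: Optional[str] = None, as_hex: bool = False) -> List[Frame]:
    """Protocol tab (the enabled protocols) plus Property tab 'Data contains <value>',
    with the ASCII / Hex option button deciding how the value is interpreted."""
    needle: Optional[bytes] = None
    if contains is not None:
        needle = bytes.fromhex(contains) if as_hex else contains.encode("ascii")
    enabled = None if protocols is None else {p.upper() for p in protocols}
    return [f for f in frames
            if (enabled is None or f.protocol.upper() in enabled)
            and (needle is None or needle in f.data)]

# Constructed frames standing in for a short unfiltered capture taken on EXETER.
FRAMES = [
    Frame("CONSTELLATION", "*BROADCAST", "ARP", b"who-has 192.168.1.3"),
    Frame("EXETER", "CONSTELLATION", "SMB", b"net send: Windows 2000 rollout looks good"),
    Frame("CONSTELLATION", "EXETER", "SMB", b"net send: agreed, Windows 2000 is stable"),
    Frame("EXETER", "DAEDALUS", "SMB", b"\\\\DAEDALUS\\share\\report.doc"),
    Frame("EXETER", "CONSTELLATION", "TCP", b"GET /Windows 2000/ HTTP/1.0"),
]

if __name__ == "__main__":
    pairs = [AddressPair("EXETER", Direction.BOTH, "CONSTELLATION")]
    buffered = capture_filter(FRAMES, pairs)             # the capture filter from Figure 5.22
    hits = display_filter(buffered, ["SMB"], "Windows 2000")   # the display filter from Figure 5.27
    for f in hits:
        print(f.src, "->", f.dst, f.protocol, f.data.decode("ascii", "replace"))
```

The hex form is there because the Hex option button is the one to use when the string you want is not printable ASCII or sits across a field boundary; the same “Windows ” text matched as hex (57696e646f777320) also finds the TCP frame that the SMB-only display filter drops.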


Apparently, our rollout of Windows 2000 on the network is being well received!

Event Viewer

The Event Viewer can be used to check on the status of a number of network services. Windows 2000 systems are configured to report significant fault situations to the Event Viewer. You should make it a regular practice, perhaps the first thing you do every day, to check the Event Viewer on all of your primary servers to see if any of the Windows 2000 services running on these servers are reporting error conditions (see Figure 5.29).

Normal status events are reported with a blue “i”; hence the phrase, “may your Event Viewer always show blue.”

Red and white “X”s indicate an error condition serious enough to warrant investigation. In this example, we can see that two important network services, the DHCP Server and WINS, are both reporting error conditions.

Figure 5.28 The result of the display filter.


We are viewing the System Log in this case. Most of the networking services report fault conditions to the System Log; however, you should investigate the Application Log as well.

To find out the nature of the problem, double-click one of the errors to see the details of the problem (see Figure 5.30).

The Event Viewer reports that the Jet Database returned error number 1032. Now, how do we figure out what Event 1032 might be? The key is the Windows 2000 Resource Kit.

Interpreting Error Messages

The Resource Kit contains a section called “Error and Event Messages Help,” which provides a comprehensive list of error messages that you might encounter in the Event Viewer. We can’t guarantee that all the errors you encounter will be found here, but this one was. When we did a search for this error, we came up with the following:

Figure 5.29 The Windows 2000 Event Viewer.

Event Message:
    The DHCP service encountered the following error when backing up the registry configuration: code

Event Source    Log    Event ID    Event Type

Look up the indicated error in the event log in Event Viewer, and take appropriate action. If this message appears often, you might want to restore an earlier version of your DHCP database from backup, or reinstall DHCP.

In this case, we have to take a leap of faith, since it recommends that we look in the Event Viewer, which is where we found the error in the first place. However, it does sound like our DHCP database might be damaged, and we are given a couple of options: either restore the DHCP Server database from a backup, or reinstall the DHCP Server service. Not very encouraging.

Figure 5.30 Details of a DHCPServer error.


DNS Log

The Event Log contains a feature not found in Windows NT: the DNS log. Because of the added importance of DNS in the normal functioning of domain-related activity, Microsoft deemed the DNS service important enough to warrant its own log in the Event Viewer.

If you are experiencing any DNS-related problems, you should check here first before getting into more involved DNS monitoring (such as DNS trace logs).

Using TCP/IP Utilities

The group of command-line TCP/IP utilities included with Windows 2000 is similar to those available in Windows NT 4.0. We have the familiar set of TCP/IP tools such as:

In addition to these tools, Windows 2000 offers some new command-line TCP/IP tools, including PATHPING and NETDIAG. We will see what each of these tools can do, and then look at some examples of how to apply their functionality to investigate a particular problem.

PING

The PING (Packet INternet Groper) command uses ICMP echo messages to communicate with destination computers. The PING command is used most often to test basic TCP/IP connectivity. You can ping a computer by IP address or by host name. The PING command has the following switches:

    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don’t Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

-t Switch

The –t switch is useful when you want to continuously monitor a connection. For example, you want to restart a machine remotely, and then want to know when the machine is up again so you can reestablish your remote connection. Use the ping –t command and watch for when the destination computer begins to respond, and then reestablish the connection.

-n Switch

If you don’t want to continuously ping a remote host, you can specify the number of echo request messages sent to the destination by using the –n switch. For example, if we want to ping constellation.tacteam.net 10 times, we would type at the command prompt:

we get the following output:

    Pinging shinder.net [204.215.60.153] with 32 bytes of data:

    Reply from 204.215.60.153: bytes=32 time=100ms TTL=252
        Route: 209.44.40.10 ->
               209.44.40.69 ->
               204.215.60.1 ->
               204.215.60.153 ->
               209.44.40.70 ->
               209.44.40.9 ->
               209.44.40.10
    Reply from 204.215.60.153: bytes=32 time=100ms TTL=252
        Route: 209.44.40.54 ->

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 90ms, Maximum = 150ms, Average = 110ms

Notice how the path changes with each ping? Think of this as a quick-and-dirty way to investigate your routing configuration.

192.168.2.5 and a subnet mask of 255.255.255.0. She tells you that they were able to connect to each other yesterday, but since they’ve been “playing with the network,” the machines haven’t been able to connect. The first thing you should do is go to Computer A and check it out for yourself. Ping 192.168.2.5 and confirm that there is indeed no network connectivity. Far too many users and neophyte administrators consider the inability to browse a destination computer a sign of lost network connectivity. Remember, Microsoft did not put the browser service into place as a network diagnostic tool!

If you fail to get a response from Computer B, ping the loopback address, 127.0.0.1, to assess whether TCP/IP was installed correctly. Then try pinging another machine on the same segment, such as 192.168.1.2. If you get a response from that machine, you know that the problem isn’t related to errors in the local machine’s protocol stack itself. Now, ping the default gateway, which had better be on the same segment as Computer A! You might try pinging the default gateway before pinging another machine on the same segment, if you’re in a hurry. Now ping the far side of the default gateway. In this case, you should know which interface the router table uses to forward packets to the destination network ID 192.168.2.0. Be sure that you ping that interface.

If you ping an interface on the router that doesn’t route packets to your destination host, you aren’t getting the information you need. If the router has multiple interfaces, the interface you are interested in could be down while the other ones are up. This means you may need to check out the routing tables on the router itself.

If the far side of the gateway responds, try pinging another host on the same segment as the machine that is failing to respond. If you get a response, you know that there are no problems related to the segment itself, such as excessive traffic that might cause the pings to time out.

In our present case, everything worked fine except pinging the destination host, Computer B. When we went to Computer B, we found that it was a Linux box that had the default gateway misconfigured. We corrected the problem by removing Linux and upgrading the machine to Windows 2000. Another happy ending. (Another solution might have been to correct the configuration of the default gateway on the Linux machine, but why miss a golden opportunity?)

NOTE


The nslookup command is the tool you use to investigate problems with your DNS server and zone databases. You can use the nslookup tool to probe the contents of your zone database files, and investigate problems with host name resolution. We will cover this tool in detail in Chapter 7, “Troubleshooting Windows 2000 DNS Problems.”

PATHPING

Think of the PATHPING utility as the PING utility on steroids. The PATHPING utility sends ICMP echo request messages to each router along the path to the destination host and calculates how long the round trip from request to reply takes. The default number of hops is 30, the default period is 250 milliseconds, and the default number of queries to each router is 100.

The PATHPING tool combines the capabilities of both TRACERT and PING, and gives you additional information that you can’t get easily from using either tool individually. PATHPING will calculate round-trip times, percent of requests that were lost at each router, and percent of requests lost between the routers.

PATHPING provides some interesting statistics because it gives you information regarding where the packet loss is taking place, and the level of stress a particular router may be experiencing.

For example, when I type in the command:

pathping shinder.net

I get the following output:

Tracing route to shinder.net [204.215.60.153]

over a maximum of 30 hops:

Computing statistics for 125 seconds...

            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address

NOTE


Note that PATHPING first does a tracert and identifies all the routers in the path to the destination, and provides a list of those routers in the first section. Then, PATHPING provides statistics about each router and each link between routers. From this information, you can assess whether a router is being “overloaded,” or whether there is congestion in the link between the routers.

The last two columns provide the most useful information when troubleshooting routers and links. Notice in the last column the name of the router, the IP address, and the percentage to the left of the router. If there is a high number of lost pings to a router, that is an indication that the router itself may be overloaded.

Just under the name of the router you see a | character. This represents the link between the router and the next-hop router. When there is a large percentage of lost pings for the link, it indicates congestion on the network between hops. In this case, you would want to investigate problems with network congestion rather than with the router itself.

The PATHPING algorithm takes advantage of the fact that there are two paths the ping request can take: the “fast path” and the “slow path.” The fast path is that taken when a router just passes the packet to the next hop, without actually doing any “work” on that packet. This is in contrast to the slow path, where the router is the recipient of the ICMP echo request and must use processing resources to respond to the request by issuing an ICMP echo reply.


The tracert utility allows you to trace the path of routers to a destination host. You can use the tracert utility to assess whether a router or link on the path to the destination host may be congested.

The tracert utility sends a series of ICMP echo requests, with each request having an incrementally higher TTL value. The first echo request has a TTL of 1. When the first router receives the message, it will decrease the TTL by 1. Since the TTL on the request was 1, it is now 0, and the router will return a “Time Exceeded” message to the requesting computer.

The tracert utility then increases the TTL to 2 on the ICMP echo request message. When the message hits the first router, the TTL is decreased by 1, and when it hits the second router, it is decreased by 1 again. The second router then sends a “Time Exceeded” message to the source host. The process continues until all routers have been traversed to the destination host. Figure 5.31 demonstrates how the tracert utility works.

Figure 5.31 How the tracert utility works. [Figure: a host labelled Tracert sends ICMP Echo Requests with TTL=1, TTL=2 and TTL=3; each router decrements the TTL, and a Time Exceeded Message comes back from the router at which it reaches zero. Figure caption: Tracert increments the TTL on the ICMP Echo Request with each attempt. When the TTL reaches zero, the destination router returns a "Time Exceeded" message.]

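A simulation of the TTL mechanism just described, added here as an example and not taken from the book: a constructed path of routers, each decrementing the TTL and answering "Time Exceeded" when it reaches zero, with the TTL raised by one per attempt up to the 30-hop default.

```python
"""Added example (not the book's code): a simulation of the TTL mechanism
tracert relies on. The router addresses and the destination are constructed;
the default of 30 hops matches the text."""
from typing import List, Tuple

ROUTERS = ["192.168.1.1", "10.0.0.1", "10.0.1.1"]   # constructed path
DESTINATION = "192.168.2.5"


def send_echo(ttl: int, routers: List[str], destination: str) -> Tuple[str, str]:
    """Forward one ICMP echo request with the given TTL along the path and
    return (address that replied, reply type)."""
    for router in routers:
        ttl -= 1                                    # each router decrements TTL by 1
        if ttl == 0:
            return router, "Time Exceeded"          # ICMP type 11 back to the source
    return destination, "Echo Reply"                # only the destination answers the echo


def tracert(routers: List[str], destination: str, max_hops: int = 30):
    """Raise the TTL by 1 per attempt (the -h switch caps max_hops) and stop
    at the first Echo Reply; an unfinished trace ends in Time Exceeded."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, kind = send_echo(ttl, routers, destination)
        hops.append((ttl, addr, kind))
        if kind == "Echo Reply":
            break
    return hops


if __name__ == "__main__":
    print(f"Tracing route to {DESTINATION} over a maximum of 30 hops:")
    for ttl, addr, kind in tracert(ROUTERS, DESTINATION):
        print(f"{ttl:3d}  {addr:<15}  {kind}")
```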

For example, when we type

tracert www.digitalthink.com

at the command prompt, we get the following output:

C:\>tracert www.digitalthink.com

Tracing route to www.digitalthink.com [216.35.144.147]

over a maximum of 30 hops:

C:\>tracert

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list.
    -w timeout         Wait timeout milliseconds for each reply.

The –d switch prevents tracert from resolving the IP address of the router to a host name, which can speed up your tracerts significantly. The default number of hops is 30, but you can change the number of hops by using the –h switch. The default timeout period is 1000ms, but you can change the timeout period by using the –w switch and specifying the number of milliseconds you want the timeout to be.


The ARP utility allows you to view and manipulate entries in the arp cache. The arp cache is a list of MAC addresses for computers that have been recently contacted. The ARP utility is helpful when troubleshooting problems that are related to duplicate IP addresses or duplicate MAC addresses on a segment.

Using ARP

For example, suppose that Computer A and Computer B have inadvertently been given the same IP address, 192.168.1.10. Computer A is supposed to be 192.168.1.10, and Computer B is supposed to be 192.168.1.11. When machines on the same segment as these two computers try to contact 192.168.1.10, an ARP broadcast is done to resolve the IP address to a MAC address. Depending on which computer responds first, that will be the computer to which the connection will be made. Depending on which computer’s MAC address is in the arp cache, that will be the computer that is contacted. Another ARP broadcast will be done after the entries “age out” of the arp cache, which can lead to the other computer’s MAC address being included in the arp cache.

You can see the contents of the arp cache by typing:

arp –a

You will then see something like the following:

Interface: 192.168.1.3 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-1c-3a-64-68     dynamic
  192.168.1.2           00-40-05-37-c6-18     dynamic
  192.168.1.16          00-40-f6-54-d7-43     dynamic
  192.168.1.185         00-50-da-0d-f5-2d     dynamic

Static ARP Cache Entries

The ARP utility allows you to add and delete entries in the arp cache. When you add an entry into the arp cache, you create a static entry. A static entry will appear as static in the type field in the arp cache. You might want to create static arp entries for frequently accessed servers on the segment, or perhaps for the default gateway. When you create static entries, the source machine does not need to issue ARP broadcasts to resolve IP addresses to MAC addresses.


Static entries can get you in trouble

We were once consulted to assess why no machines on a particular segment were able to contact a particular server. Each client on the segment was able to connect to any other client on the segment, and the server itself was able to connect to any of the clients. The only problem was that the clients were unable to connect to this server.

To reduce ARP broadcast traffic on the network, the administrator had created a batch file that automatically placed static entries for each server on the same segment, and the default gateway for the segment. He then placed the batch file in the startup group, so that when a machine was restarted, the entries would be placed in the arp cache again. The problems with connectivity started after they replaced the NIC on the server.

The administrator who created the batch file was no longer at the company, and the new administrator was unaware of the batch file. Only by doing an ipconfig on the server, and then checking the arp caches on the clients, did we discover the existence of the batch file, which we updated. The clients were again able to connect to the server.
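The check that would have found the stale static entry in the story above, written as a small parser over arp -a output and compared against the MACs each host reports in ipconfig /all. This is an added example, not the book's code; the sample arp -a output, the ACTUAL table and the replaced-NIC MAC are constructed.

```python
"""Added example (not the book's code): parse `arp -a` output and report
entries whose cached MAC disagrees with the MAC the host itself shows in
ipconfig /all. A stale static entry is the replaced-NIC case above; a dynamic
mismatch means another machine answered ARP for that IP (duplicate address).
Sample output and the "actual" MACs are constructed."""
import re
from typing import Dict, List, NamedTuple

class ArpEntry(NamedTuple):
    ip: str
    mac: str
    kind: str          # "dynamic" or "static"

# One `arp -a` row: IP address, MAC in Windows dash notation, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I)

SAMPLE = """\
Interface: 192.168.1.3 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-1c-3a-64-68     dynamic
  192.168.1.10          00-40-05-37-c6-18     static
  192.168.1.16          00-40-f6-54-d7-43     dynamic
"""
# MACs from ipconfig /all on those machines (constructed): the server at .10
# got a new NIC, so the batch file's static entry is now wrong.
ACTUAL = {"192.168.1.1": "00-00-1c-3a-64-68", "192.168.1.10": "00-50-da-0d-f5-2d"}

def parse_arp(text: str) -> List[ArpEntry]:
    """Skip the Interface and header lines; return one ArpEntry per row."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [ArpEntry(m.group(1), m.group(2).lower(), m.group(3).lower()) for m in rows if m]

def mismatches(entries: List[ArpEntry], actual: Dict[str, str]) -> List[ArpEntry]:
    """Cache rows for known hosts where the cached MAC is not the real one."""
    return [e for e in entries if e.ip in actual and actual[e.ip].lower() != e.mac]

def fix_commands(bad: List[ArpEntry], actual: Dict[str, str]) -> List[str]:
    """Static rows are repaired with arp -d / arp -s; a dynamic mismatch is a
    duplicate-IP problem to track down, so only a comment is emitted."""
    cmds: List[str] = []
    for e in bad:
        if e.kind == "static":
            cmds += [f"arp -d {e.ip}", f"arp -s {e.ip} {actual[e.ip]}"]
        else:
            cmds.append(f"REM {e.ip}: another host ({e.mac}) answers ARP for this address")
    return cmds

if __name__ == "__main__":
    print("\n".join(fix_commands(mismatches(parse_arp(SAMPLE), ACTUAL), ACTUAL)))
```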

ipconfig

The ipconfig utility included with Windows 2000 has all the functionality of that included with Windows NT 4.0, but with some added features. The ipconfig utility with no switches provides basic IP configuration data for the installed interfaces on your computer, as seen in Figure 5.32.


Figure 5.32 Basic IP configuration information provided by the ipconfig utility.


The basic ipconfig command gives only the IP address, subnet mask, and default gateway for network interfaces on a particular machine. This can be handy when trying to figure out what IP address and subnet mask have been assigned to a DHCP client computer.

You can get detailed information by using the ipconfig /all command, and see output similar to that in Figure 5.33.

Figure 5.33 Comprehensive IP configuration information provided by the ipconfig /all command.

By using the /all switch, you get information about the DNS servers, the Primary and Secondary WINS servers, and the MAC address. If you are troubleshooting DNS-related problems, it’s a quick way to ascertain the host name and Primary DNS suffix the machine uses when issuing DNS queries to its DNS servers.

Like previous versions of ipconfig, you can use the /renew and /release switches to renew and release DHCP leases, respectively. However, there are some new switches included with ipconfig that you will find very useful. At the command prompt, type ipconfig /? and you will see what appears in Figure 5.34.

The /flushdns switch is used to clear the client DNS cache. This is particularly useful if you’ve made some changes to the DNS zone database files, and now find that clients are not able to resolve host names correctly because old entries are included in the DNS cache.

Figure 5.34 ipconfig switches included with Windows 2000.

This is also a good way to clear out “negatively cached” entries from the DNS cache.

The /displaydns switch allows you to see the contents of the local DNS cache. After typing the ipconfig /displaydns command at the command prompt, you should see output similar to the following:

C:\>ipconfig /displaydns

Windows 2000 IP Configuration

         localhost.
         ----------------------------------------
         Record Name     : localhost
         Record Type     : 1
         Time To Live    : 31517057
         Data Length     : 4
         Section         : Answer
         A (Host) Record : 127.0.0.1

         constellation.tacteam.net.
         ----------------------------------------
         Record Name     : constellation.tacteam.net
         Record Type     : 1
         Time To Live    : 2715
         Data Length     : 4
         Section         : Answer
         A (Host) Record : 192.168.1.185

         daedalus.tacteam.net.
         ----------------------------------------
         Record Name     : daedalus.tacteam.net
         Record Type     : 1
         Time To Live    : 31517057
         Data Length     : 4
         Section         : Answer
         A (Host) Record : 192.168.1.3

         3.1.168.192.in-addr.arpa.
         ----------------------------------------
         Record Name     : 3.1.168.192.in-addr.arpa
         Record Type     : 12
         Time To Live    : 31517057
         Data Length     : 4
         Section         : Answer
         PTR Record      : daedalus.tacteam.net

         boris.prognet.com.
         ----------------------------------------
         Record Name     : BORIS.PROGNET.com
         Record Type     : 1
         Time To Live    : 1632
         Data Length     : 4
         Section         : Answer
         A (Host) Record : 209.66.98.16

         dns6.cp.msft.net.
         ----------------------------------------
         Record Name     : DNS6.CP.MSFT.NET
         Record Type     : 1
         Time To Live    : 1435
         Data Length     : 4
         Section         : Answer
         A (Host) Record : 207.46.138.20

         dns.prognet.com.
         ----------------------------------------
         Record Name     : DNS.PROGNET.com
         Record Type     : 1
         Time To Live    : 1560
         Data Length     : 4
         Section         : Answer
         A (Host) Record : 205.219.198.34

         1.0.0.127.in-addr.arpa.
         ----------------------------------------
         Record Name     : 1.0.0.127.in-addr.arpa
         Record Type     : 12
         Time To Live    : 31517056
         Data Length     : 4
         Section         : Answer
         PTR Record      : Localhost

The /registerdns switch will refresh DHCP leases for all adapters for the machine, and re-register the machine’s host name and IP address with a Dynamic DNS server. This is a helpful switch to use when you’ve made changes to the local machine’s IP address configuration and want to quickly re-register with the DNS server. After running this switch, you will see the following output:

Windows 2000 IP Configuration

Registration of the DNS resource records for all adapters of this computer has been initiated. Any errors will be reported in the Event Viewer in 15 minutes.

Two additional DHCP-related switches are /showclassid and /setclassid. You can use these switches to manipulate what classid information a DHCP client sends to a DHCP server to identify it as a member of a particular user class or vendor class.

For a detailed explanation of DHCP vendor and user classes, you might find Managing Windows 2000 Network Services, published by Syngress Media, very helpful.

Posted: 13/08/2014, 12:21