ptg 254 HOUR 14: TCP/IP Utilities If you are working at a computer and you don’t know its hostname, use the hostname command. hostname is a simple command available on most operating systems that returns the hostname of the local computer. There are no options or parameters to hostname. Simply enter the command hostname and view the one- word response. Network Performance Problems Network performance problems are problems that cause your network to respond slowly. Because TCP/IP protocols commonly use TTL (Time to Live) settings limiting the age of a packet on the network, slow performance can cause lost packets and, therefore, loss of connectivity. Even if you don’t lose connectivity, slow network per- formance can be an irritation and a source of lost productivity. A common cause for poor network performance is excessive traffic. Your network might be experiencing heavy traffic because there are too many computers on the network, or the cause might be a malfunctioning device such as a network adapter creating unnecessary traffic on the network in what is known as a broadcast storm. Sometimes the cause for poor network performance is a downed router that has stopped forwarding traffic and caused a bottleneck somewhere else in the network. TCP/IP offers a number of utilities that let you see where packets are going and display statistics related to network performance. The following sections discuss these utilities. traceroute The traceroute utility is used to trace the path taken by datagrams as they travel from your computer through multiple gateways to their destinations. The path traced by this utility is just one path between the source and destination; there is no guarantee or assumption that datagrams will always follow this path. If you are configured to use DNS, you can often determine the names of cities, regions, and common carriers from the responses. traceroute is a slow command; you need to give it as much as 10–15 seconds per router. The traceroute (or tracert if you are using Windows) utility makes use of the ICMP protocol to locate each router that stands between your client computer and the destination computer. The TTL value tells you the number of routers or gateways that a packet has passed through. By manipulating the TTL value that is used in the original outgoing ICMP Echo message, traceroute is able to find each router along the path, as follows: From the Library of Athicom Parinayakosol ptg Network Performance Problems 255 1. An ICMP Echo message is sent to the destination IP address with a TTL value set to 1. The first router subtracts 1 from the TTL value, which results in a new TTL value of 0. 2. Because the TTL value is now set to 0, the router knows that it should not make any attempt to forward the datagram and simply discards it. The data- gram’s Time to Live value has expired. The router sends an ICMP Time Exceeded—TTL Expired In Transit message back to the client computer. 3. The client computer that issued the traceroute command displays the name of this router and then sends out another ICMP Echo message with the TTL value set to 2. 4. The first router subtracts 1 from the TTL value and, if it can, forwards the datagram to its next hop along the path. When the datagram reaches the sec- ond router, the TTL value is again decremented by 1, resulting in a 0 value. 5. The second router, like the first, simply discards the packet and returns an ICMP message to the sender in the same way the first router did. 6. This process continues, with traceroute incrementing the TTL value and routers decrementing this value until the datagram finally reaches its intended destination. 7. When the destination computer receives the ICMP Echo message, it sends back an ICMP Echo Reply message. In addition to locating each router or gateway the datagram travels through, the traceroute utility also records the round-trip time that it takes to reach each router. Depending on the implementation, traceroute might actually send more than a single Echo message to each router. For example, in the Windows version of this util- ity ( tracert), two additional Echo messages are sent to each router so that it can better judge the round-trip time. However, you shouldn’t use this round-trip time value to judge your network’s per- formance precisely. Many routers simply give a lower priority to ICMP traffic and spend most of their processing time forwarding more important datagrams. The syntax for the traceroute command is simply traceroute followed by an IP address, a DNS name, or even a URL: traceroute 198.137.240. 91 traceroute www.whitehouse.gov tracert yahoo.com (on a Windows system) From the Library of Athicom Parinayakosol ptg 256 HOUR 14: TCP/IP Utilities traceroute and tracert are useful for showing you the path a datagram traverses on the way to its destination. These helpful commands can also provide some diag- nostic capabilities. route As you learned in Hour 8 “Routing,” each computer and each router contains a routing table. Most routers use special routing protocols to exchange routing infor- mation and dynamically update their tables periodically. However, there are many times when it is necessary to add entries manually to route tables on routers and host computers. The route command has many uses in TCP/IP networking. You can use route to display the routing table in cases where packets from a host are not being routed efficiently. If the traceroute command reveals an abnormal or inefficient path, you might be able to use route to determine why that path is being used and possibly to configure a more efficient route. The route command is also used to add, delete, and change entries in routing tables manually. Some options include the following: . route print—This form of the route command displays the current entries in the routing table. See Figure 14.4 for an example of output from a route print command. As you can see, several entries refer to various networks, for example 0.0.0.0, 127.0.0.0, and 192.59.66.0; some are used for broadcast- ing 255.255.255.255 and 192.59.66.255; and others are for multicasting 224.0.0.0. All of these entries were added automatically as a result of config- uring network adapters with IP addresses. FIGURE 14.4 A route print command displays the cur- rent information in the routing table. . route add—Use this form of the route command to add a new routing entry to a routing table. For example, to specify a route to a destination network 207.34.17.0 that is five router hops away and passing first through a router From the Library of Athicom Parinayakosol ptg Network Performance Problems 257 with an IP address on the local network of 192.59.66.5 and the subnet mask of 255.255.255.224, you would enter the following command: route add 207.34.17.0 mask 255.255.255.224 192.59.66.5 metric 5 The route information added in this way is volatile and is lost if the computer or router reboots. Often a series of route add commands is contained in startup scripts so that it is reapplied every time the computer or router boots. . route change—You can use this syntax to change entries in the routing table. The following example changes the routing of the data to a different router that has a more direct three-hop path to the destination: route change 207.34.17.0 mask 255.255.255.224 192.59.66.7 metric 3 . route delete—Use this command syntax to delete an entry from the routing table: route delete 207.34.17.0 netstat The netstat utility displays statistics related to the IP, TCP, UDP, and ICMP proto- cols. The statistics display numerical counts for items such as datagrams sent, data- grams received, and a wide variety of errors that could have occurred. You should not be surprised if your computer occasionally receives datagrams that cause errors, discards, or failures. TCP/IP is tolerant of these types of errors and auto- matically resends the datagram. Discards occur when a datagram is delivered to the wrong location. If your computer acts as a router, it will also discard datagrams when TTL reaches zero on a routed datagram. Reassembly failures occur when all the fragments fail to arrive within a time period based on the TTL value in received fragments. Again, like errors and discards, occasional reassembly failures should not be a reason for concern. In all three cases, accumulated counts that are a significant percentage of the total IP packets received or that rapidly accumulate should cause you to investigate why this is occurring. The following list describes various netstat command options: . netstat -s—This option displays statistics on a protocol-by-protocol basis. If user applications such as web browsers seem unusually slow or are incapable of displaying data such as web pages, you might want to use this option to see what information is displayed. You can look through the rows of statistics for the words error, discard, or failure. If the counts in these rows are By the Way From the Library of Athicom Parinayakosol ptg 258 HOUR 14: TCP/IP Utilities significant relative to the IP packets received, this should prompt further investigation. . netstat -e—This option displays statistics about ethernet. Items listed include total bytes, errors, discards, number of directed datagrams, and num- ber of broadcasts. These statistics are provided for datagrams both sent and received. . netstat -r—This option displays routing table information similar to what is seen with the route print command. In addition to the active routes, current active connections are also displayed. . netstat -a—This option displays the list of all active connections, including both established connections and those that are listening for a connection request. The following three options provide subset information of what is displayed with the -a option: . netstat -n—This option displays all established active connections. . netstat -p TCP—This option displays established TCP connections. . netstat -p UDP—This option displays established UDP connections. See Figure 14.5 for an example of the statistics displayed by netstat -s. FIGURE 14.5 netstat dis- plays protocol- by-protocol statistics. From the Library of Athicom Parinayakosol ptg Network Performance Problems 259 Nbtstat As you learned in Hour 11, NetBIOS is a name resolution system used on many legacy Windows networks. The nbtstat (NetBIOS over TCP/IP statistics) utility pro- vides statistics about NetBIOS over TCP/IP. nbtstat allows you to view the NetBIOS name table on the local computer or on a remote computer. The following command options are used in relation to the local computer: . nbtstat -r—This command causes the NetBIOS name cache to be purged and reloaded. This is done to load recently added entries from the LMHosts file. (LMHosts entries are covered in Hour 11.) . nbtstat -n—This command displays the names and services registered on the local computer. . nbtstat -c—This command displays the contents of the NetBIOS name cache that holds the NetBIOS names to IP address pairs of other computers with which this computer has had recent communication. . nbtstat -r—This command lists the count of registrations and resolved names of other computers and whether they were registered or resolved by broadcast or by a name server. See Figure 14.6 for an example of nbtstat output. FIGURE 14.6 nbtstat com- mands and responses. From the Library of Athicom Parinayakosol ptg 260 HOUR 14: TCP/IP Utilities The nbtstat command can also be used to view the NetBIOS name table of remote computers. The output is similar to nbtstat -n on the local computer. . nbtstat -A <IP address>—Displays the name table including physical addresses from another computer by using its IP address. . nbtstat -a <NetBIOS name>—Displays the name table including physical addresses from another computer by using its NetBIOS name. Similarly, two other nbtstat command options enable you to view the list of NetBIOS connections that a remote computer has open. This list is called a connec- tions table: . nbtstat -S <IP address>—Displays the NetBIOS connections table of another computer using its IP address. . nbtstat -s <NetBIOS name>—Displays the NetBIOS session table of another computer using its NetBIOS name. Packet Sniffers Utilities known as sniffers capture data from the network into a buffer or a file. After the data is captured, you can display the contents one frame or datagram at a time. Packet sniffers are useful for analyzing subtle problems with network traffic. You can also use sniffers to find the source of corrupt packets that might have come from a malfunctioning device. You can trace an ethernet frame by its physical address. You can analyze header information from any protocol level (see Hours 3, “The Network Access Layer,” 4, and 6) to look for clues. Figure 14.7 shows the sequence of 10 datagrams that was initiated by entering a ping command. The top window shows the 10 datagrams starting with an ARP request and an ARP reply followed by four ICMP request/reply pairs. The middle window decodes the ICMP header, and in the bottom frame you can see the 32 bytes of data in the datagram. The data includes the complete alphabet followed by the letters abcdef, for a total of 32 bytes of data. From the Library of Athicom Parinayakosol ptg Using Connectivity Utilities to Troubleshoot Problems 261 Using Connectivity Utilities to Troubleshoot Problems By trying various applications that operate at different levels of the protocol stack, you can often pinpoint which component in the stack is causing a problem. As I mentioned when discussing the ping utility, there is a definite order you should follow when troubleshooting network problems. In troubleshooting, you typically start with simple basic commands. If these commands work as expected, you then continue to build on what you know by using commands that require progressively more network functionality. To troubleshoot a network problem, follow these steps: 1. Start with ifconfig, ipconfig, or a similar tool to ensure you know the current IP address, subnet mask, and default gateway parameters. 2. Move on to the ping command and follow the sequence of ping commands described earlier. If the ping commands work as expected, you have gained some confidence in the two lower layers, including the network adapter and the network cabling. 3. Use an application such as a web browser to access a web server. If this works, you know that TCP and the sockets interface work; if it doesn’t work, try another application that uses TCP and sockets, such as the FTP client. If this doesn’t work either, you probably want to concentrate on TCP or sockets as a source of the problem. FIGURE 14.7 A view of traffic following a ping command. From the Library of Athicom Parinayakosol ptg 262 HOUR 14: TCP/IP Utilities File Transfer Protocol (FTP) The File Transfer Protocol (FTP) is a widely used protocol that enables a user to transfer files between two computers on a TCP/IP network. A file transfer application (typically also called ftp) uses the FTP protocol to transfer files. The user runs an FTP client application on one computer, and the other computer runs an FTP server pro- gram such as ftpd (FTP daemon) on a Unix/Linux computer, or an FTP service on other platforms. Many FTP client programs are command-line based, but graphical versions are available as well. FTP is used primarily to transfer files, although it can perform other functions such as creating directories, removing directories, and listing files. In the Unix world, a daemon is a process that runs in the background and per- forms a service when that service is requested. A daemon is called a service in the Windows world. FTP uses the TCP protocol and, therefore, operates through a reliable, connection- oriented session between the client and server computers. The standard FTP daemon (on the server) listens on TCP port 21 for a request from a client. When a client sends a request, a TCP connection is initiated (see Hour 6). The remote user is then authenticated by the FTP server, and a session begins. A classic text-based FTP ses- sion requires the remote user to interact with the server through a command-line interface. Typical commands start and stop the FTP session, navigate through the remote directory structure, and upload or download files. Newer GUI-based FTP clients offer a graphic interface (rather than a command interface) for navigating directories and moving files. FTP is also widely used on the World Wide Web, and the FTP protocol has been integrated into most web browsers. Sometime when you’re downloading a file through a web browser, you might notice the URL in the address box begins with ftp://. On most computers, you start a text-based FTP session by entering ftp followed by the hostname or IP address of the FTP server. FTP then prompts you for a user ID and a password, which are used by the FTP server to validate you as an authorized user and determine your rights. For example, the user account you log on with might be assigned read-only access, or it might be configured for both read and write operations. Many FTP servers are available for public use and allow you to log on with a user ID called anonymous. When the anonymous account is used as the user ID, you can enter virtually any password. However, it is customary to enter By the Way By the Way From the Library of Athicom Parinayakosol ptg File Transfer Protocol (FTP) 263 your email account name as the password. When FTP servers are not intended for general public use, the servers are configured to not allow anonymous access. In that case, you must enter a user ID and password to gain access. The user ID and pass- word are typically set up and provided by the FTP server administrator. Many FTP client implementations allow you to enter either Unix-based commands or DOS-based commands. The actual commands available depend on the client soft- ware being used. When you transfer files using FTP, you must specify to FTP the type of file that you are about to transfer; the most common choices are binary and ASCII. Choose ASCII when the type of file you want to transfer is a simple text file. Choose binary when the type of file you want to transfer is either a program file, a word processing document, or a graphics file. The default file transfer mode is ASCII. Be aware that many FTP servers reside on Unix and Linux computers. Because Unix and Linux are case-sensitive—that is, they distinguish between uppercase and lower- case letters—you must match the case exactly when entering filenames. The current directory on the local computer from which you start an FTP session is the default location where files are transferred to or from. The following is a list of commonly used FTP commands and explanations of the commands. . ftp—The ftp command is used to start the FTP client program. You can enter ftp by itself, or you can follow it with an IP address or domain name. In Figure 14.8, an FTP session to rs.internic.net was started by typing ftp rs.internic.net. As you can see, a lot of information was returned. FIGURE 14.8 Starting an FTP session. From the Library of Athicom Parinayakosol [...]... MIB has been described in several RFCs, including RFC 1158 and RFC 1213 You’ll find the official description of SNMP in RFC 11 57 The latest version, SNMP v3, is described in RFC 2 570 and a number of other RFCs The majority of the addressable locations within the MIB refer to counters, which are obviously numeric An example of a counter is ipForwarding, shown in Figure 15 .7, or ipInReceives (not shown),... number of inbound IP datagrams received since either the networking software was started or the counter was last reset MIB information could be in any of several forms: numeric, textual, IP addresses, and so on Another example of MIB configuration information is ipDefaultTTL The ipDefaultTTL setting holds the numeric value of the TTL (Time to Live) parameter inserted into every IP datagram that originates... toward monitoring ethernet and token ring LANs All groups within RMON 1 are concerned with monitoring the bottom two layers, for example, the Physical and Data Link layers of the OSI reference model (corresponding to the Network Access layer in the TCP/ IP model) RMON 1 is described in RFC 175 7, which updates RFC 1 271 , which was published in November 1991 From the Library of Athicom Parinayakosol ... following commands and view the responses on your computer: ipconfig /all or ifconfig -a (Not all TCP/ IP stacks implement these.) ping 1 27. 0.0.1 ping w.x.y.z—Replace w.x.y.z with the IP address of your computer ping w.x.y.z—Replace w.x.y.z with the IP address of another local computer ping w.x.y.z—Replace w.x.y.z with the IP address of your default gateway ping w.x.y.z—Replace w.x.y.z with the IP address... Athicom Parinayakosol Simple Network Management Protocol 2 87 The MIB structure is addressed by always starting at the root and progressing down through the hierarchy until you have uniquely identified the setting you want to read For example, to address the ipDefaultTTL and ipInReceives MIBs, the SNMP monitor would send the following MIB addresses to the SNMP agent: iso.org.dod.internet.mgmt.mib .ip. ipDefaultTTL... understanding the development of networking, and no discussion of TCP/ IP would be complete without mention of it Berkeley Remote Utilities The Berkeley Systems Design (BSD) Unix implementation, known as BSD Unix, was a major step in Unix’s development Many innovations that began with BSD Unix are now standard on other Unix systems and have been incorporated into other operating systems in the world of TCP/ IP. .. parameters of this Management Information Base (MIB) to request information from the agent and change configuration settings The SNMP Address Space The SNMP process is predicated on both the monitor and agent software being capable of exchanging information regarding specific addressable locations within the MIB The MIB, shown in Figure 15 .7, allows the monitor and agent to exchange information accurately... be capable of uniquely identifying a specific unit of information From the Library of Athicom Parinayakosol 286 HOUR 15: Monitoring and Remote Access FIGURE 15 .7 root (unnamed) A small portion of the MIB ccitt (0) iso (1) ccitt-iso (2) org (3) dod (6) internet (1) directory (1) mgmt (2) experimental (3) mib (1) system (1) interfaces (2) ipForwarding (1) at (3) ip (4) ipDefaultTTL (2)… private (4) enterprises... the Library of Athicom Parinayakosol 268 HOUR 14: TCP/ IP Utilities filename1—Indicates the path and filename of the source file hostname2—Optionally indicates the hostname or FQDN of the destination computer Use this hostname if the destination file is located on a remote computer filename2—Indicates the path and filename of the destination file The following are examples using the rcp command This... transfer files between two computers In addition to transferring files, the FTP utility can create and remove directories and display the contents of directories Hostname—A utility that outputs the hostname of the local host ifconfig—A Unix/Linux utility that displays TCP/ IP configuration information ipconfig—A Windows utility that displays TCP/ IP configuration information nbtstat—A utility that . This process continues, with traceroute incrementing the TTL value and routers decrementing this value until the datagram finally reaches its intended destination. 7. When the destination computer. the local host. . ifconfig—A Unix/Linux utility that displays TCP/ IP configuration information. . ipconfig—A Windows utility that displays TCP/ IP configuration information. . nbtstat—A utility. IP address or domain name. In Figure 14.8, an FTP session to rs.internic.net was started by typing ftp rs.internic.net. As you can see, a lot of information was returned. FIGURE 14.8 Starting