Leonardo da Vinci Programme – Project RO/03/B/P/PP175006 LESSON E19_EN. INTERNET TROUBLESHOOTING, DISTURBANCES, MAINTENANCE.

Parent Entity: IPA SA, Bucharest, Romania, 167 bis, Calea Floreasca; Fax: + 40 21 316 16 20 Authors: Gheorghe Mincu Sandulescu, University Professor Dr., IPA SA, Bucharest, Romania, 167 bis, Calea Floreasca, Mariana Bistran, Principal Researcher, IPA SA, Bucharest, Romania, 167 bis, Calea Floreasca, e-mail: [email protected]. Consultations: Every working day between 9.00 a.m. and 12.00 p.m.

After studying this lesson, you will acquire the following knowledge:
• Understanding of the troubleshooting methodology and procedures.
• Ethical, economic and managerial aspects of troubleshooting activities.
• Essential diagnosis tools for troubleshooting and how to use them.
• Checking connectivity with powerful and simple-to-apply troubleshooting tools.
• The use of the Microsoft ©®WINDOWS environment for troubleshooting.
• The use of elements from the Unix / Linux environment for troubleshooting.

CONTENT OF THE LESSON
1. TROUBLESHOOTING PROCEDURES.
2. UNIX UTILITIES AND SYSTEM FILES RELATED TO NETWORKING AND TROUBLESHOOTING.
3. DIAGNOSIS TOOLS AND UTILITIES IN MICROSOFT ®WINDOWS.
4. PATHPING: MICROSOFT ®WINDOWS DIAGNOSIS TOOL FOR TROUBLESHOOTING CONNECTIVITY.
5. THE Netstat DIAGNOSIS TOOL. MICROSOFT ®WINDOWS.
6. OTHER DIAGNOSIS TOOLS. MICROSOFT ®WINDOWS.

LEARNING OBJECTIVES: After learning this lesson you will be able to:
• apply the troubleshooting methodology and procedures;
• respect the ethical constraints and take into consideration the economic and managerial aspects of troubleshooting activities;
• gather the information needed for troubleshooting actions within your specific activities and apply the troubleshooting tools;
• check connectivity with powerful and simple-to-apply troubleshooting tools;
• use the diagnosis tools for troubleshooting in the Microsoft ©®WINDOWS environment;
• use the elements and tools of the Unix / Linux environment for troubleshooting.

1. TROUBLESHOOTING PROCEDURES.

Troubleshooting is the basis of the Network Administration profession. This profession includes two categories of actions: configuring and troubleshooting. Troubleshooting has to be carried out systematically and methodically, based on thorough TCP/IP knowledge, on splitting the problem into manageable parts, and on understanding the phenomena involved.

In troubleshooting activities, security barriers must be taken into consideration: firewalls and other security devices may block Ping, Tracert (traceroute in Unix) and ICMP error messages.

Normally, these simple tools can diagnose the troubles. Small things such as plugs, connectors etc. may cause big problems.

Troubleshooting consists of three parts: collecting information (including through the use of suitable collection and diagnosis tools), evaluating the situation and applying the corrective actions, and testing the effectiveness of the actions applied.

The troubles are of two types: normal failures and system failures (which result from the interaction of different parts of the system).

1.) The management of troubleshooting.

Troubles are easier to solve if the system is understood and the failure-indication tools and diagnosis tools are used. Troubleshooting has to be proactive: it is better to prevent than to repair.

Network troubleshooting is closely connected with the way the network is managed. Among the elements on which troubleshooting actions depend are:

Troubleshooting management, which includes the resources needed to carry out the troubleshooting:
o Documentation. The management of documentation includes the dating of all elements which enter the system (software, printed materials etc.) and the recording of all changes to the system. Maintaining up-to-date, correct, omission- and error-free documentation of the network's evolution is one of the principal responsibilities of the worker / network administrator.
o Software sources. Hardware and hybrid sources.
o Diagnosis tools.
o Knowledge, training, professionalism.

2.) Legal and ethical aspects. In troubleshooting actions, attention must be paid to respecting privacy, confidentiality, and other ethical and legal aspects. If you collect information by using data packet capture software, you must be aware that collecting the data may be illegal, and you have to agree the related aspects in advance with your customers.

3.) Economic aspects. Among the important aspects one should be aware of, here are a few: troubleshooting may have strong economic consequences. These aspects are connected to the way the contracts with the clients are fulfilled. The contract may take the form of an SLA – Service-Level Agreement. The SLA may specify [7.]:
o Responsibilities and expectations,
o Network metrics: speed, MTTR – Mean Time to Repair, MTBF – Mean Time Between Failures, Availability, where Availability (%) = 100 × Uptime / (Uptime + Downtime), and possibly "five nines" (an availability of 99.999%),
o Other.

The delays in solving failures may be related to financial losses.

Another important aspect is the cost of repairs.

New investments must also include the costs of maintenance, training of people, spare parts etc.

4.) The general procedures for troubleshooting.

4.1.) Resetting the system. In complex software / hardware systems, resetting the system is considered an important means of troubleshooting for some classes of troubles. The reset must be performed while taking into consideration its implications and dangers. Resetting may be achieved through a warm reboot, without power cycling, or a cold reboot, with power cycling.

4.2.) The use of diagnosis tools and of monitoring systems. See the next chapters.

2. UNIX UTILITIES AND SYSTEM FILES RELATED TO TROUBLESHOOTING.

1.) The evaluation of the environment of an ISP server through UNIX/LINUX UTILITIES [4.].

The UTILITIES are UNIX commands which run on your UNIX server and report the status of the configuration and of the networking environment.

At the address www.die.net/doc/linux/man/ you can find a consistent alphabetical directory and explanations of thousands of Linux commands. The address www.sauronz.com/imprimir/OReilly%20-20Network%20Troubleshooting%20Tools.pdf presents the important handbook: Joseph D. Sloan, Network Troubleshooting Tools, O'Reilly, ISBN: 0-596-00186-X [4.].

An important excerpt of these utilities is presented below.

1.1.) ps. Displaying all processes owned by a specific user. Details at the web address indicated at [4.]; they depend on the software system used. The ps command lists, on screen, the processes which are running on the system and are owned by a specific user. Syntax and complete description at: [www.die.net/doc/linux/man/man1/ps.1.html]; [www.kingston.ac.uk/support/unix/man/ps.txt]:

Example when running the FreeBSD command:
$ ps -aux
where $ represents the prompt (initially set by the user), -a selects all processes with terminals, -x also those without a controlling terminal, and -u prints user information (detailed output).

Example:
$ ps
  PID TTY      TIME CMD
  331 1        0:06 vi test
where PID is the process identifier; TTY is the number of the terminal from which the process was launched; TIME represents the time interval allocated cyclically to the respective process.

You can also use the syntax "ps U username" [http://www.softpanorama.org/Utilities/index.shtml; Febr. 2006].

The -o parameter tells ps which fields you want to see, e.g.:
$ ps -o "%u : %U : %p : %a"
where %u represents RUSER (the real user name), %U represents USER, %p represents PID (Process Identifier) and %a represents COMMAND. The system responds, for instance, with:

RUSER :USER :PID :COMMAND
mary  :mary :4   :bash

1.2.) top [www.die.net/doc/linux/man/man1/top.1.html; Feb. 2006]. Details at the web address indicated at [4.]. The top command updates the listing of processes in the order of their CPU usage. Example of command:
$ top
The following will be indicated: the number of running and sleeping processes, CPU (Central Processing Unit) states, memory status, and, per process: PID, USER, PRI – priority of the task, NI (or NICE) – nice value of the process, SIZE, RES – resident size (kB), i.e. the non-swapped physical memory the task has used, STATE, TIME – total CPU time the task has used since it started, COMMAND – command line or program name, and others. top also works with arguments.

1.3.) netstat [www.die.net/doc/linux/man/man8/netstat.8.html; Feb. 2006]. Details at the web address indicated at [4.]. The netstat command reports a variety of information, including the essential data structures of the network system: network connections, routing tables, interface statistics, masquerade connections and multicast memberships. netstat works with arguments. Example of command:
$ netstat -a
where -a displays all active TCP connections and the TCP and UDP ports on which the computer is listening [http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx?mfr=true].

netstat is used intensively (with the argument -i) when it is suspected that the connection to the LAN is not reliable. The command is:
$ netstat -i
and the following will be indicated: Ierrs – input errors, Oerrs – output errors, Queue – packets which cannot be transmitted, Collis – collisions. Based on these indications it may be concluded whether the cable (or connectors) must be replaced or whether there are interface troubles. Oerrs may indicate either a saturated local network or interface (physical) troubles. Ierrs may indicate either network saturation or interface (physical) troubles. Collis may indicate saturation of the local (Ethernet) network.
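The interpretation of the netstat -i counters described above, turned into a small checker (a Python example added to this lesson, not code from the lesson or from the netstat project). The sample output is constructed in the header-driven layout of BSD/Solaris netstat -i, and the error and collision thresholds are assumptions to be tuned for your own LAN.

```python
"""Interpret the error counters printed by `netstat -i`.

Parses a header-driven `netstat -i` table (columns Ipkts, Ierrs, Opkts,
Oerrs, Collis, Queue) and applies the rules of the lesson: Ierrs/Oerrs
point to a saturated LAN or to a physical (cable, connector, NIC)
problem, Collis to a saturated Ethernet segment, Queue to packets that
could not be transmitted.  The table below is constructed for the example.
"""

SAMPLE_NETSTAT_I = """\
Name  Mtu  Net/Dest      Address        Ipkts    Ierrs Opkts    Oerrs Collis Queue
lo0   8232 loopback      localhost      10234    0     10234    0     0      0
hme0  1500 192.168.1.0   192.168.1.10   1203455  0     998123   0     0      0
hme1  1500 10.0.0.0      10.0.0.10      405771   5211  380020   3044  91200  17
"""

# Assumed thresholds for the example; tune them for your own network.
ERR_RATE_THRESHOLD = 0.001        # 0.1 % of packets with input or output errors
COLLISION_RATE_THRESHOLD = 0.05   # 5 % of output packets involved in collisions


def parse_netstat_i(text):
    """Return one dict per interface, keyed by the column names of the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip lines that do not follow the header layout
        row = {"Name": fields[0]}
        for name, value in zip(header[1:], fields[1:]):
            row[name] = int(value) if value.isdigit() else value
        rows.append(row)
    return rows


def rate(errors, packets):
    """Errors per packet; 0.0 for an idle interface."""
    return errors / packets if packets else 0.0


def assess_interface(row):
    """Apply the lesson's rules to one interface and return the findings."""
    findings = []
    if rate(row["Ierrs"], row["Ipkts"]) > ERR_RATE_THRESHOLD:
        findings.append("Ierrs: network saturation or physical interface trouble")
    if rate(row["Oerrs"], row["Opkts"]) > ERR_RATE_THRESHOLD:
        findings.append("Oerrs: saturated LAN or physical interface trouble")
    if rate(row["Collis"], row["Opkts"]) > COLLISION_RATE_THRESHOLD:
        findings.append("Collis: saturated Ethernet segment")
    if row["Queue"] > 0:
        findings.append("Queue: packets which could not be transmitted")
    return findings


def report(text):
    """Map each interface name to its list of findings (empty list = healthy)."""
    return {row["Name"]: assess_interface(row) for row in parse_netstat_i(text)}


if __name__ == "__main__":
    for iface, findings in report(SAMPLE_NETSTAT_I).items():
        print(iface, "OK" if not findings else "; ".join(findings))
```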

1.4.) lsof [www.die.net/doc/linux/man/man8/lsof.8.html] is used for listing the open files of a UNIX system. Details at the web address indicated at [4.]. Example of command:
$ lsof -i
where the option -i (without other values) selects the listing of all Internet and X.25 (HP-UX) network files.

1.5.) nslookup [http://www.die.net/doc/linux/man/man1/nslookup.1.html] offers information about the DNS system and server. It indicates whether the server is working correctly. For instance, to find the IP address of a host:
$ nslookup fish.mary.com [Enter]
Server:  crab.mary.com
Address:  192.3.2.2

Name:    fish.mary.com
Address: 192.3.2.2

In the above example the user has requested the address of fish.mary.com. nslookup has responded first with the name of the server and then with the IP address of the indicated host. nslookup is based on the BIND software (Berkeley Internet Name Domain). dig is quite similar to nslookup.

1.6.) ifconfig [http://www.die.net/doc/linux/man/man8/ifconfig.8.html]. Details at the web address indicated at [4.]. ifconfig is used for listing (and, possibly, altering) the current configuration of the interfaces. Example of command:
$ ifconfig -a
where the argument -a displays all interfaces, including those which are down.

1.7.) arp [www.die.net/doc/linux/man/man7/arp.7.html]. Details at the web address indicated at [4.]. arp offers information about the translation from IP addresses to Ethernet (physical) addresses. arp displays the list of devices, IP addresses, masks, flags and MAC / physical addresses. arp implements the Address Resolution Protocol defined in RFC 826. arp applies to and works among the devices connected to the same LAN; devices separated by a router are not listed. ARP works by broadcasting a data packet carrying in its header the IP address of the machine of interest. Because the broadcast is sent to all the physical addresses of the LAN, the data packet is read by the NICs of all the LAN's machines. The machine which has the indicated IP address returns a data packet to the requesting node; this response also carries, for the information of the sending machine, the physical address of the searched node. arp works with arguments. Example of command:
$ arp -a [Enter]
The argument -a indicates that the arp table will be listed.

1.8.) whois. Locating the administrator. whois obtains information from the Internet White Pages, which are maintained by the Internet registrars. The command syntax is:
$ whois [server name] [Enter]

1.9.) Others (hundreds of commands), as in www.die.net/doc/linux/man/.

2.) The evaluation of the environment of an ISP server through UNIX/LINUX SCANNING TOOLS.

The scanning tools indicate which ports are active on your system or on an external system being scanned.

Be aware: scanning other systems is dangerous. Administrators may consider the scanning of their systems' ports an incorrect operation, and they may cut the connection and block your traffic. For instance, detection of scanning is achieved with the tools indicated at www.snort.org and at wiki.linuxquestions.org/wiki/Detecting_portscans.

Among the scanning tools are:

3.1.) portscan. Details at the web address indicated at [4.]. portscan sends one connection request towards each port number in the range to be tested. The ports which respond are listed as open ports of the respective IP address. portscan lists the port numbers and the name of the service on each port which answers.

3.2.) Other scanning tools [4.]: gtkportscan, nessus, strobe.

4.) The configuration of the system files in UNIX.

4.1.) The essential configuration files. The standard configuration files are placed in the directory /etc. The files must be identified and inventoried. Of special importance is the file inetd.conf. The essential configuration file is efficiently analysed by using the ps and netstat commands [4].

Other files must also be analysed (at the beginning of work as network administrator), such as: host.conf, resolv.conf, nsswitch.conf, hosts.allow, tcpwrappers, rc and others [4.].

3. DIAGNOSIS TOOLS AND UTILITIES IN MICROSOFT ®WINDOWS.

3.1. EXCERPT OF THE INVENTORY OF THE MS XP TOOLS FOR THE TESTING OF THE NETWORK CONNECTIVITY.

The tools may be used on all the different workstation machines (starting from Windows 98), not only on the server.

Important Internet diagnosis tools are available at the MS-DOS command prompt. These MS-DOS diagnosis tools are present in all the Microsoft ©® operating systems starting with Windows 98. You may use these important diagnosis tools immediately: they are already on your own machine (PC, laptop etc.).

A description of each of these tools is obtained, inside the MS-DOS window, with the command:
C:\> Name of the Tool /? [Enter]

In Lesson E_1 and Lesson E_2 we explained how to open the MS-DOS prompt C:\> and how to interrupt the action of the MS-DOS diagnosis tools, through the key combination CTRL C.

The syntax. How to interpret the syntax of the connectivity commands?

In MS-DOS, the help for Ping is obtained with:
C:\>Ping /? [Enter]
The response of the machine is:
Usage: ping [-t] [-a] [-n count] ... target-name
The elements inside the brackets are optional arguments, each producing the corresponding effect. The target-name is compulsory.

An extended list of the MICROSOFT ® tools is presented at the web address: www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/sur_util.mspx . Some applications are illustrated at http://support.microsoft.com/kb/325487.

The following table is an excerpt of the principal tools used for testing connectivity and carrying out troubleshooting [6.].

Columns of the table: No.; name of the software tool; short presentation; used for; usual use; comparative Unix tool (excerpt, non-limitative).

1. ARP (Address Resolution Protocol). Permits the visualization of the ARP tables and the detection of invalid entries. Used for: DIAGNOSTICS. Normal use. Unix: arp.
2. Hostname. Offers the machine name of the machine on which the test is performed. Used for: INDIRECTLY, also for DIAGNOSTICS. Normal use.
3. IPConfig (preferably IPConfig /All). Indicates extremely important parameters of the connection inside the network, such as: the own machine's IP address, the own machine's physical / MAC address of the NIC (Network Interface Card), the IP address of the DNS servers, the IP address of the Gateway which ensures the connection towards the Internet, others. Used for: DIAGNOSTICS. Normal use.
4. Nbtstat. Indicates: the NETBIOS connections, protocol statistics, others. Used for: DIAGNOSTICS.
5. Netstat. Multiple indications about the situation in the network. Used for: DIAGNOSTICS. Normal use. Unix: netstat.
6. Nslookup. Indicates multiple information such as DNS, others. Used for: DIAGNOSTICS.
7. Ping (Packet Internet Gopher). Testing of the connectivity with different IP or DNS addresses. Used for: DIAGNOSTICS. Normal use. Unix: ping (and echoping).
8. Route. Display, print and modify the local routing table. Used for: WORK + DIAGNOSTICS.
9. Tracert. The control of the packets' path, hop by hop, up to the end address. Used for: DIAGNOSTICS. Unix: traceroute.
10. FTP (File Transfer Protocol). The transfer of files. Used for: CONNECTIVITY COMMAND.
11. TFTP (Trivial File Transfer Protocol). Similar to FTP. Used for: CONNECTIVITY COMMAND.
12. Telnet. Real-time emulation, on the local machine, of the operation of the remote machine. Used for: CONNECTIVITY COMMAND.
13. Finger. Obtaining information from another host which supports Finger.
14. RCP (Remote Copy Protocol). The copying of files between two remotely placed hosts.
15. RSH. Allows authentication and running commands on the UNIX host.
16. Rexec. Authentication and working in remote mode.
17. Microsoft ©® Internet Explorer. The control of the functioning of the navigation component and of the e-mail component. Used for: CONNECTIVITY COMMAND. Normal use.
18. PathPing. The complex evaluation of the quality of the path and the detection of congested routers. Used for: CONNECTIVITY COMMAND. Normal use.
19. Other.

3.2. MICROSOFT ®WINDOWS DIAGNOSIS TOOLS.

1.) MS-DOS command-line diagnosis tools. The important diagnosis tools Ping, Tracert, IPConfig and Hostname of the Microsoft © ® XP Operating System were described in Lesson 1 and Lesson 2.

2.) Practising Ping (when using the Microsoft © ® XP Operating System). You may use this important and extremely efficient diagnosis tool from your own machine: PC, laptop etc.

2.1) The types of unsuccessful Ping responses. If the test result is clearly unsuccessful, the failure is indicated by one of two messages: "Request timed out" or "Destination host is unreachable". The differences between the two Ping error messages are the following:

"Request timed out" indicates that the diagnosis data packets have been sent to the network and the destination computer did not respond in the allowed interval of time. The causes may be:
o failures or disturbances at the remote computer, such as: the remote computer is not powered on, or has crashed, or its NIC is not connected to the network, or it has another IP address or another subnet mask;
o if the test of the own NIC (ping towards 127.0.0.1) works well, your PC might have an incorrect IP address or an incorrect subnet mask;
o the Switch or the Hub may not function correctly. This can be evaluated by pinging the IP address of the Gateway (fig. 3.1.), or the IP address of the nearest device in the data flow;
o if the Ping works well towards the Gateway IP address but not towards Internet IP addresses, the cause may be in the Gateway (on the side towards the Internet) or in the Router.

"Destination host is unreachable" indicates that the own computer either is disconnected from the network, or the default Gateway or the Router is not functioning or is disconnected, or the Router does not know how to send the data packets toward the destination IP address. The latter follows from wrong Router programming [5.].

(Fig. 3.1. image: the bus of the LAN, the Gateway with Internet, the Router and the Internet, with the test points 1 to 5.)

Fig. 3.1. Testing different control points with Ping. In the image, the woman working on the PC achieves: 1: the test of the connectivity with the own NIC, by pinging towards 127.0.0.1; 2: the connectivity between the own PC and the Gateway, through pinging towards the IP address of the Gateway, viewed from the LAN side; 3: the connectivity up to the Router, through pinging towards the Router IP address; 4: the connectivity up to the remote IP address (for instance a DNS Server); 5: receiving a Ping test from the other machine.

Connectivity is tested, as above, systematically and quickly.

2.2.) Pinging towards the host name. Ping can also be used towards a URL name (URL address) and towards a host name: the own host name or the host name of a machine placed on the Internet. The own hostname is obtained immediately with the command:
C:\>HostName (Press Enter)

The host name of a machine placed on the Internet can be found with the Ping command (if the IP address is known):
C:\>Ping -a (the IP address of the respective host) (Press Enter)

Example:
C:\>Ping -a 192.123.32.32 (Press Enter)
will lead to the response:
Pinging NANA [192.123.32.32] ...
where NANA is the host name of the machine with the IP address 192.123.32.32.

2.3.) Checking your internal connectivity towards the NIC – Network Interface Card:
C:\>Ping 127.0.0.1 (Press Enter)

2.4.) Ping and network security. The ICMP requests on which Ping is based are considered a security threat. In some cases, Ping is considered an intrusion. Many systems or routers block the response to the ping. Therefore connectivity may exist even when the Ping test receives no successful response.

Firewalls may also block the sending and arriving of Ping Data Packets.

2.5.) The Ping diagnosis tool may be used for measurements and for the evaluation of network performance. The RTT – Round Trip Time indicated by the Ping tests represents one of the most important networking parameters.

2.6.) The Ping diagnosis tool offers a very powerful and efficient means for testing the network.

3.) Consolidating the practice of Tracert (when using the Microsoft © ® XP Operating System). You may use this diagnosis tool from your own machine: PC, laptop etc.

Tracert traces the entire route, hop by hop, from the source device to the destination device. A hop is each step of the travel from source to destination.

Tracert is usable for many tests, including:
• problems when connecting to a particular host,
• situations of intermittent connectivity,
• following the routes of the data packets,
• detecting where the communication channel is broken,
• others.

Similarly to Ping, Tracert may be sent towards: the IP address of the destination, a URL (DNS address), or the host name of the destination (if the host name may be used).

With Tracert it is possible to detect the faulty intermediary router (where the transfer is broken). If the number of indicated hops is large or quasi-infinite, then there may be some trouble with the ISP. The Tracert diagnosis tool has many options.

4. PATHPING: MICROSOFT ®WINDOWS DIAGNOSIS TOOL DESTINED FOR THE COMPLEX TESTS OF CONNECTIVITY.

You may use this important and extremely efficient diagnosis tool from your own machine: PC, laptop etc.

The PathPing diagnosis tool is an extremely powerful and simple-to-use tool, which appears to have grown out of the combination of Ping and Tracert, and which offers new facilities compared with Ping or with Tracert.

PathPing traces the route from the source to the destination (as Tracert does). But PathPing indicates the routers on the path and, at the same time, statistical information about each hop's (router's) behaviour.

PathPing characterises the behaviour of each hop (router): it permits viewing the behaviour in time of each hop.

The routers which create problems along the path (for instance, those which are congested) can be detected.


PathPing offers the important possibility of seeing the entire behaviour of the network, from your desk up to thousands of kilometres away.

The commands of PathPing are similar to the commands of Ping or Tracert: PathPing may be directed towards the IP address of the destination or towards the URL address of the destination.

The options of PathPing are illustrated [5.] in the following table.

No. | Option | Contents of the option (excerpt)
1. -h maximum_hops: specifies the maximum number of hops to be traversed. The value will be maximum_hops. Example: C:\> PathPing -h 10 www.holidayn.com [Press Enter]
2. -n: avoids the resolution of host names; the host names will not be displayed.
3. -6: uses the IPv6 protocol (for testing networks working with this protocol).
4. -g host-list: loose source route along host-list.
5. -p period: the waiting period, in milliseconds, between pings.
6. -P: tests for RSVP PATH connectivity.
7. -R: tests whether each hop is RSVP aware.
Other.

Example of the PathPing command:

C:\> PathPing www.holidayn.com [Press Enter]

As results from the image illustrated in the following fig. 4.1., the test was performed with 100 packets sent towards each hop. The statistics indicate the behaviour of each hop and the RTT – Round Trip Time for each trip. If a router lost data packets, the statistics indicate the percentage of lost data packets, offering an important picture of the congestion and of the routers' behaviour. The essential advantage of PathPing is the possibility of performing the tests over a period of hundreds of seconds (for instance 250 seconds). In this time interval many tests are performed (for instance 100 tests, i.e. 100 sends of test data packets towards each hop / router).

The repeated tests give PathPing the advantage of indicating the behaviour in time of the devices on the Internet path.



Fig. 4.1. The results of applying the PathPing diagnosis test in a specific situation. Five routers have not lost any data packets out of 100 send-receive tests, and the 6th router has lost all the data packets. Test with MICROSOFT ©®WINDOWS.

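Reading the per-hop loss statistics of PathPing automatically, as a Python example added to this lesson (not code from the lesson or from Microsoft). The PathPing output below is constructed for the example and reproduces the situation of fig. 4.1: five routers answer all 100 probes and the 6th loses all of them; the addresses, host names and the 1% loss threshold are assumptions.

```python
"""Flag lossy hops in the statistics section of a PathPing run.

The "Computing statistics" section prints, per hop, the RTT, the loss
measured from the source to the hop, the loss at the node itself and,
on a separate line ending in "|", the loss on the link leading to the
next hop.  The sample below is constructed for the example.
"""
import re

SAMPLE_PATHPING = """\
Tracing route to www.example.invalid [203.0.113.10]
over a maximum of 30 hops:
  0  pc.example.invalid [192.168.1.10]
  1  192.168.1.1
  2  10.20.0.1
  3  10.20.1.1
  4  198.51.100.1
  5  198.51.100.9
  6  203.0.113.1

Computing statistics for 150 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           pc.example.invalid [192.168.1.10]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.1.1
                                0/ 100 =  0%   |
  2    9ms     0/ 100 =  0%     0/ 100 =  0%  10.20.0.1
                                0/ 100 =  0%   |
  3   12ms     0/ 100 =  0%     0/ 100 =  0%  10.20.1.1
                                0/ 100 =  0%   |
  4   25ms     0/ 100 =  0%     0/ 100 =  0%  198.51.100.1
                                0/ 100 =  0%   |
  5   31ms     0/ 100 =  0%     0/ 100 =  0%  198.51.100.9
                              100/ 100 =100%   |
  6  ---     100/ 100 =100%   100/ 100 =100%  203.0.113.1

Trace complete.
"""

# A hop line: "  5   31ms     0/ 100 =  0%     0/ 100 =  0%  198.51.100.9"
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtt>---|\d+ms)\s+"
    r"(?P<src_lost>\d+)/\s*(?P<src_sent>\d+)\s*=\s*\d+%\s+"
    r"(?P<node_lost>\d+)/\s*(?P<node_sent>\d+)\s*=\s*\d+%\s+(?P<addr>\S.*?)\s*$")
# A link line (loss on the link to the NEXT hop): "      0/ 100 =  0%   |"
LINK_RE = re.compile(r"^\s+(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*\d+%\s+\|\s*$")


def parse_pathping(text):
    """Return one dict per hop with RTT, node loss and incoming-link loss (in %)."""
    hops = []
    pending_link = None  # loss on the link leading to the next hop line
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            pending_link = (int(m["lost"]), int(m["sent"]))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # hop 0, the route listing and headers carry no statistics
        hops.append({
            "hop": int(m["hop"]),
            "rtt_ms": None if m["rtt"] == "---" else int(m["rtt"][:-2]),
            "address": m["addr"],
            "node_loss_pct": 100.0 * int(m["node_lost"]) / int(m["node_sent"]),
            "link_loss_pct": (100.0 * pending_link[0] / pending_link[1]
                              if pending_link else 0.0),
        })
        pending_link = None
    return hops


def lossy_hops(hops, threshold_pct=1.0):
    """Hops whose own loss or incoming-link loss exceeds the threshold.

    A hop that drops every probe while later hops still answer is usually
    rate-limiting or filtering ICMP (section 2.4 of the lesson), not
    congested; partial loss that persists at all later hops is the
    congestion signature PathPing is meant to reveal.
    """
    return [h for h in hops
            if h["node_loss_pct"] > threshold_pct or h["link_loss_pct"] > threshold_pct]


if __name__ == "__main__":
    for h in lossy_hops(parse_pathping(SAMPLE_PATHPING)):
        print("hop %d %s: node loss %.0f%%, link loss %.0f%%"
              % (h["hop"], h["address"], h["node_loss_pct"], h["link_loss_pct"]))
```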

5. THE Netstat DIAGNOSIS TOOL. MICROSOFT ©®WINDOWS

You may use this important and extremely efficient diagnosis tool from your own machine: PC, laptop etc. Netstat presents on screen all the active connections of the machine.

1.) The functions and the syntax. The Netstat indicates on your display: the active connections achieved by your machine; the bits sent and received by your machine, the statistics per protocols, the transferred and the dropped Data Packets, other.

The Netstat diagnosis tool is launched with the command:

C:\> Netstat [Press Enter]

2.) Netstat options. Netstat works with arguments. The options and explanations of the Netstat diagnosis tool are obtained with the command:

C:\> Netstat /? [Press Enter]
The short presentation of the Netstat options, after the above command, includes:
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
...

The principal Netstat options are explained in the following table.

No. | Option | Contents of the option
1. -a: Netstat displays all connections and all listening ports. Example of command: C:\> Netstat -a [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.1.
2. -b: Netstat displays the names of the executable programs involved in creating each connection or listening port. These executable programs may form a chain of programs; the executables are presented (on screen) at the bottom, between brackets [], and the chains of executables up to the TCP/IP programs are shown. This operation may be time consuming and may fail if the time limit is exceeded. Example of command: C:\> Netstat -b [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.2.
3. -e: Netstat displays the Ethernet statistics. It may be combined with -s, in which case statistics per protocol are also given. Examples of command: C:\> Netstat -e [Press Enter] and C:\> Netstat -e -s [Press Enter]. Practical examples of the displayed results are illustrated in fig. 5.3. and fig. 5.4.
4. -n: Netstat presents port numbers. Example of command: C:\> Netstat -n [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.5.
5. -o: Netstat displays the process ID associated with each connection. This option permits knowing which process maintains the IP connection generated by your machine or generated towards your machine. Example of command: C:\> Netstat -o [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.6.
6. -p proto: Netstat displays the connections for the respective protocol, indicated by replacing the word proto with the name of the protocol: TCP, UDP, TCPv6, UDPv6. It may be used with -s so that statistics per protocol are also presented; in that case the protocols taken into consideration are: IP, IPv6, ICMP, ICMPv6, TCP, UDP, TCPv6, UDPv6. Example of command: C:\> Netstat -p TCP -s [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.7.
7. -r: Netstat displays the routing table. Example of command: C:\> Netstat -r [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.8.
8. -s: Netstat displays statistics per protocol. The default protocols are: IP, IPv6, UDP, UDPv6, TCP, TCPv6, ICMP, ICMPv6. Example of command: C:\> Netstat -s [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.9.
9. -v: used together with -b in order to display the sequences of components involved in creating the connections, or the listening ports, for all executables. In fact, the current status of each connection is thus indicated, starting from the local MAC address towards the external IP address. Example of command: C:\> Netstat -b -v [Press Enter]. A practical example of the displayed results is illustrated in fig. 5.10.
10. interval: used for the successive, continuous displaying of the options selected above.

Fig. 5.1. Netstat presentation of all connections and of the listening ports. Test with MICROSOFT ©®WINDOWS.

Fig. 5.2. Netstat indication of the names of the executable programs involved in the creation of connections and in the creation of listening ports. Test with MICROSOFT ©®WINDOWS. PID signifies process identifier.

Fig. 5.3. Netstat indication of the Ethernet statistics. Test with MICROSOFT ©®WINDOWS.

Fig. 5.4. Netstat indication of the extended Ethernet statistics. Test with MICROSOFT ©®WINDOWS.


Fig. 5.5. Netstat presentation of the port numbers (in this case 1026 and 18350). Test with MICROSOFT ©®WINDOWS.

Fig. 5.6. Netstat presentation of the PID (process identifier) associated with each connection. This option permits you to know which process maintains the IP connection, generated by your machine or generated towards your machine. Test with MICROSOFT ©®WINDOWS.


Fig. 5.7. Netstat presentation of the protocol statistics (excerpt). Test with MICROSOFT ©®WINDOWS.


Fig. 5.8. Netstat presentation of the routing table of the work station. Test with MICROSOFT ©®WINDOWS.


Fig. 5.9. The Netstat statistics per protocols.


Fig. 5.10. Netstat extended presentation of the executable software programmes involved in the creation of connections. Test with MICROSOFT ©®WINDOWS.

3. Netstat uses in security. Netstat used to observe IP connections [5.].

Netstat may be used to detect whether an attack is under way (through the network) against your machine. The detection is achieved by viewing the TCP/IP connections established between your machine and the remote host of the possible aggressor.

For this purpose the following have to be viewed: the TCP/IP connections, and the Windows XP software application which creates each connection. To obtain both, the following command has to be launched:

C:\> Netstat -ao [Press Enter]

where -a allows the identification of the connections and the listening ports, and -o indicates the process ID (process identifier) which has generated the respective TCP/IP connection.

The results of the above command are displayed in five columns: the protocol, UDP or TCP; the local address or host name and port of the connection; the port and the host name of the remote machine which has generated the connection; the status of the connection; and the PID (which indicates which XP process ID, on the local machine, is responsible for the connection).

The suspect addresses of the remote machines may be one indication of intrusion.
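As an added example (not part of the lesson), a short Python script that parses the five-column output of Netstat -ao described above and lists the ESTABLISHED TCP connections whose remote address lies outside a list of expected peers, together with the owning PID; the sample output and the expected-peer list are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of what "C:\> Netstat -ao" prints (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.2.10:1026      192.168.2.1:445        ESTABLISHED     4
  TCP    192.168.2.10:18350     198.51.100.77:6667     ESTABLISHED     2140
  TCP    192.168.2.10:1031      203.0.113.9:80         TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    716
"""

# Peers this workstation is expected to talk to (constructed allow-list).
EXPECTED_PEERS = ["192.168.2.0/24", "203.0.113.9"]

# One connection line: Proto, Local, Foreign, optional State (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection line; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def unexpected_connections(rows, expected=EXPECTED_PEERS):
    """(remote address:port, owning PID) for every ESTABLISHED TCP row whose
    remote IP is outside all expected peers; the PID can then be checked
    with Task Manager or with the -b option."""
    nets = [ipaddress.ip_network(p, strict=False) for p in expected]
    flagged = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        host, _, _port = r["remote"].rpartition(":")
        ip = ipaddress.ip_address(host.strip("[]"))  # IPv6 is printed as [addr]:port
        if not any(ip in n for n in nets):
            flagged.append((r["remote"], r["pid"]))
    return flagged
```

With the constructed sample, the only hit is the connection to 198.51.100.77:6667 owned by PID 2140; the LAN and web-server peers are accepted and the TIME_WAIT and UDP rows are ignored.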

6. OTHER DIAGNOSIS TOOLS. MICROSOFT ®WINDOWS. EXCERPT.

Other tools are, for instance, presented at: http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/sur_util.mspx

6.1. ARP.

You may use this important and extremely efficient diagnosis tool from your own machine: PC, laptop etc.

1.) arp (the test tool for the addresses resolution protocol).

The arp tool allows viewing and modifying the content of the ARP table, which contains the correspondence between the IP addresses and the physical addresses of the machines of the LAN in which your machine is involved.

2.) arp options. The arp options may be listed with the following command:

C:\> arp /? [Press Enter]

3.) Example. The simple arp command is: C:\> arp -a [Press Enter], which displays the IP addresses and the physical addresses. These addresses are taken into consideration by your machine inside the LAN environment. For instance, by typing the above command, arp displays:

Interface: 192.168.2.1 --- 0x3
  Internet Address      Physical Address      Type
  193.168.2.20          00-60-57-06-20-20     dynamic
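As an added example (not from the lesson), a Python script that parses the arp -a layout shown above and performs the check a practitioner would want on such a table: it compares the current entries with a previously recorded baseline and reports IP addresses whose physical address has changed, as well as physical addresses claimed by more than one IP. The sample table and the baseline are constructed for the example.

```python
import re

# Constructed sample of "C:\> arp -a" output in the layout shown above
# (addresses and physical addresses are made up for the example).
SAMPLE_ARP = """
Interface: 192.168.2.1 --- 0x3
  Internet Address      Physical Address      Type
  192.168.2.20          00-60-57-06-20-20     dynamic
  192.168.2.21          00-60-57-06-20-21     dynamic
  192.168.2.254         00-60-57-06-20-20     dynamic
"""

# Baseline recorded earlier for the same LAN (constructed; .254 is the gateway).
BASELINE = {"192.168.2.20": "00-60-57-06-20-20",
            "192.168.2.254": "00-0c-29-aa-bb-cc"}

# One table entry: IPv4 address, MAC in Windows dash notation, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)


def parse_arp(text):
    """Map IP -> (lower-case MAC, type) for every entry line of arp -a."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind)
    return table


def arp_anomalies(table, baseline=BASELINE):
    """Return (changed, duplicates): baseline IPs whose MAC differs from the
    current table, and MACs that the current table assigns to several IPs."""
    changed = sorted(ip for ip, mac in baseline.items()
                     if ip in table and table[ip][0] != mac.lower())
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, duplicates
```

On the constructed table the gateway entry 192.168.2.254 no longer matches the baseline and shares its physical address with 192.168.2.20, which is exactly the situation worth investigating before trusting the LAN path.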

6.2. NBTSTAT. MICROSOFT ®WINDOWS

You may use this diagnosis tool from your own machine: PC, laptop etc.

1.) Nbtstat (NetBIOS statistics over TCP/IP).

Nbtstat helps the troubleshooting of NetBIOS names over TCP/IP.

2.) Nbtstat options.

The Nbtstat options may be listed with the following command:

C:\> Nbtstat /? [Press Enter]

3.) Example. The simple Nbtstat command is: C:\> Nbtstat -n [Press Enter], which displays the local NetBIOS names. For instance, by typing the above command, Nbtstat displays (excerpt):

  Name          Type      Status
  SAND   <20>   UNIQUE    Registered

6.3. ROUTE. MICROSOFT ®WINDOWS

Route enables handling of the network routing tables. The Route options may be listed with the command: C:\> Route /? [Press Enter]. Route permits viewing and modifying the routing tables.

6.4. UTILITIES. MICROSOFT ®WINDOWS.

Among the important files involved in networking are the files related to the MS ® utilities, for instance the files dedicated to hosts, protocol and services.

For configuring and troubleshooting in MICROSOFT ©®WINDOWS XP the following MS ® utility software programs are emphasised: My Network Places (presented in the next lesson), which is integrated with the utility programs Windows Explorer and My Computer; the utility program Communications, which offers possibilities that enable connections to the Internet; and others.

Key Point Summary Conclusions and Recommendations

The Internet functions successfully because it has extremely efficient and simple-to-use diagnosis tools. Troubleshooting involves managerial, technical, ethical (privacy, confidentiality), and also economic and financial aspects. Important diagnosis tools such as PathPing, Tracert, Ping, Netstat and arp form the first backbone of the troubleshooting activities.

Study Guide ESSENTIAL QUESTIONS TO EVALUATE THE ACQUIRED KNOWLEDGE

1. Please present some ethical aspects of troubleshooting.
2. Please present essential managerial aspects of troubleshooting.
3. What is RTT and how can the RTT be measured?
4. Which information about the network congestion do Ping and Tracert offer?
5. Which are the advanced features and performances of the PathPing and why?
6. Which is the frequent mode of launching the PathPing diagnosis tool?
7. Which are the essential outputs of the Netstat diagnosis tool?
8. Which are the two negative responses of Ping and which is the signification of each of these responses?
9. How can Netstat help in the identification of an aggression, for instance an intrusion, against your machine?
10. How can you know the name Hostname?

BIBLIOGRAPHY. REFERENCES.

[1.] The description of the elements of the Net MS-DOS commands (presented at http://www.computerhope.com/nethlp.htm).
[2.] ***: Basic Network Troubleshooting, Reference Number CH000445, Computerhope.com, www.computerhope.com/issues/ch000445.htm
[3.] Microsoft ™: Troubleshooting materials inside the Microsoft XP Operating System.
[4.] Joseph D. Sloan: Network Troubleshooting Tools. O'Reilly Media Inc., 2001, ISBN 0-596-00186-X. www.sauronz.com/imprimir/OReilly%20-20Network%20Troubleshooting%20Tools.pdf
[5.] Curt Simmons, James Causey: XP ® Networking. Inside Out. Microsoft Press, Redmond, Washington, 2003, ISBN 0-7356-1652-3.
[6.] Harry M. Brelsford: Windows ®2000 Server Secrets, IDG Books Worldwide, Inc., 2000, ISBN 0-7645-4620-1.
[7.] Anand Deveriya: Network Administrators Survival Guide, Cisco Press, IN, 2006, ISBN 1-58705-211-3.
[8.] Craig Hunt: TCP/IP Network Administration, O'Reilly, CA, 2002, ISBN 0-596-00297-1.

IMPORTANT SUPPLEMENTARY BIBLIOGRAPHY. REFERENCES. (www)

[SUPP.1.] www.mentortech.com/learn/tools/tools.shtml Mentor Technologies, Inc. (including the port scanner).
[SUPP.2.] http://support.microsoft.com/kb/325487 How to troubleshoot network connectivity problems, Microsoft ®.
[SUPP.3.] http://support.microsoft.com/kb/325487#XSLTH3142121122120121120120
[SUPP.4.] http://support.microsoft.com/kb/314067/?sd=RMVP How to troubleshoot TCP/IP connectivity with Windows XP, Microsoft ®.

SUPPLEMENTARY INDICATIONS ABOUT THE CONTENTS OF THE LESSON

It is recommended that the documentation at the following addresses also be consulted: www.cisco.com; www.sauronz.com/imprimir/OReilly%20-20Network%20Troubleshooting%20Tools.pdf; http://support.microsoft.com/kb/325487; http://support.microsoft.com/kb/314067/?sd=RMVP; http://support.microsoft.com/kb/325487#XSLTH3142121122120121120120.

ANSWERS TO QUESTIONS

1. The privacy and confidentiality (of all the people, including customers), in conformance with the privacy legislation, have to be respected at the capture of Data Packets.
2. Respecting the contracts with customers, management of documentation, back-ups, and others.
3. RTT – Round Trip Time – the mean time of trip between two hosts or between the source and the destination. It may be measured, for instance, with Ping, Tracert and PathPing.
4. RTT between each two hops, percentage of dropped packets, behaviour of the path after a period in which about 100 Ping tests have been exchanged between each two hops.
5. PathPing consists of a succession of tests (Ping and Tracert) over a long time, for instance 200 seconds. PathPing calculates the percentage of dropped Data Packets, offering information about the path's behaviour and possible congestions.
6. C:\> PathPing IP Address or URL Address [Press Enter].
7. The indication of the Internet connections and of the listening ports, the software packets / executables which have generated the respective connections, statistics such as Ethernet statistics, statistics per protocol and others.
8. "Request timed out" indicates that the diagnosis Data Packets have been sent to the network and the destination computer does not respond in the allowed interval of time. "Destination host is unreachable" indicates either that your own computer is disconnected from the network, or that the default gateway or the router are not in operation.
9. By launching C:\> Netstat -ao [Press Enter], the remote hosts which have generated connections with your own machine may be viewed. Unknown, abnormal connection launchers may thus be detected.
10. The Hostname of the remote machine is returned by launching the following command from your machine: C:\> Ping -a (the IP Address of the respective Host Name) [Press Enter].

WORDS TO THE LEARNER: “Do not wait for opportunities. Create them.” (After Bernard Shaw)

COPYRIGHT © 2005, IPA SA & Authors.
