Monitoring Troubleshooting TCP/IPChapter 3

Objectives for this Chapter

Troubleshoot TCP/IP addressing Diagnose and resolve issues related

to incorrect configuration Monitor network traffic Troubleshoot connectivity to the

Internet

In This Chapter

Analyzing Traffic Using Network Monitor

Troubleshooting TCP/IP Connections

To Complete the Exercises: Physically networked two computerstwo computers. Performed a Windows Server 2003

installation with default settings on default settings on both computersboth computers.

The computers should be named Computer1 and Computer2.

Assigned Computer1 a static address of 192.168.0.1/24.

Configured Computer2 to obtain an address automatically.

Assigned Computer2 an alternate configuration address of 192.168.0.2/24.

Two Versions

The basic version is shipped with Windows Server 2003, and

The full version is shipped with Microsoft Systems Management Server.

Understanding Network Monitor Network Monitor is a software-

based traffic analysis tool that allows a user to perform these tasks: Capture frames directly from the network Display and filter captured frames,

immediately after capture or at a later time

Edit captured frames and transmit them on the network (full version only)

Capture frames from a remote computer (full version only)

What is a Frame?

A frame is an encapsulation of layer 2, or network interface–layer, data.

Encapsulations that include both network interface–layer data (such as Ethernet data) and higher-layer data from protocols such as Address Resolution Protocol (ARP), IP, Transmission Control Protocol (TCP), and Domain Name System (DNS). Note the table on page 3-4

Exploring Network Monitor Components Network Monitor is composed of

an administrative tool called Network Monitor and an agent called the Network Monitor Driver.

Both components must be installed for you to capture, display, and analyze network frames.

How Network Monitor Works Installing the Network Monitor

Driver When you install Network Monitor, the Network Monitor Driver is installed automatically on the same computer.

What Network Monitor collects The source address of the

computer that sent the message The destination address of the

computer that received the frame

Header information of each protocol used to send the frame

The data (or a portion of it) being sent to the destination computer

Exam Tip

You can use Network Monitor to find out certain details—such as the MAC address of a network interface card (NIC), the globally unique identifier (GUID) of a client computer, or the port used by a protocol—that might have been lost with documentation.

Use Network Monitor to capture data Analyze captured data Summary Pane:

Frame Time Source MAC Address Destination MAC Address Protocol Description

Looking Within Frames

+ Frame: Base frame properties+ ETHERNET: EType = Internet IP (IPv4)+ IP: Protocol = UDP - User Datagram; Packet ID = 1576;

Total IP Length = 236; Options = No Options+ UDP: Src Port: NETBIOS Datagram Service (138);

Dst Port: NETBIOS Datagram Service (138); Length = 216 (0xD8)

+ NBT: DS: Type = 17 (DIRECT GROUP)+ SMB: C transact, File = \MAILSLOT\BROWSE+ Browser: Workgroup Announcement [0x0c] WORKGROUP

Network Monitor and the OSI Model The final three protocols shown

in the previous frame example are Microsoft network protocols that are not part of the standardTCP/IP stack.

The OSI Model - TCP/IP

Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Layer 2 Layer 1

Application Layer

Presentation Layer

Session Layer

Transport Layer

Network Layer

Data-Link Layer

Physical Layer

ApplicationLayer

Transport Layer

Internet Layer

NetworkInterface

Layer

OSI model TCP/IP model

Exam Tip

For the exam, remember that NetBT is an example of a session-layer interface.

Adding Parsers to Network Monitor The process of reading, analyzing,

and describing the contents of frames is known as parsing.

In Network Monitor, parsers are .dll files that are responsible for breaking down and reading messages from various protocols.

By default, Network Monitor includes more than 20 parsers that are responsible for parsing over 90 protocols.

Adding New Parsers

You can extend the functionality of Network Monitor by adding new parsers. FirstFirst add the .dll to the WINDOWS\

System32\ Netmon\Parsers folder, which is where all parsers for Network Monitor are stored.

SecondSecond add an entry for the new parser and protocol in the Parser.ini file. This file, which includes entries for all parsers and protocols used by Network Monitor, is stored in the WINDOWS\System32\Netmon folder.

Exam Tip On the exam, you will need to

remember the two steps necessary for adding a new parser to Network Monitor.

In addition, you will need to know the precise names and locations of both the Parser.ini file and the Parsers folder.

Remember, the Parser.ini file is in the \System32\Netmon folder, which is the parent folder of the Parsers folder.

Practice:

Using Network Monitor Exercise 1: Installing Network

Monitor Page 3-13

Exercise 2: Creating a Network Capture in Network Monitor

Page 3-14 Exercise 3: Saving a Frame to a

Text File Page 3-15

Troubleshooting TCP/IP Connections Faulty TCP/IP

Configuration IPCONFIG

Network Diagnostics

Network Diagnostics is a graphical troubleshooting tool that provides detailed information about the local computer’s networking configuration.

Finding Network Diagnostics On the Manage

Your Server select More More ToolsTools

Then Select Help and Help and Support Center Support Center ToolsTools

Finally you will find Network Network DiagnosticsDiagnostics

What Network Diagnostics does By default, Network Diagnostics collects

information about only three categories: The Internet ServiceThe Internet Service category,

Microsoft Outlook Express Mail, Microsoft Outlook Express News, and Internet Explorer Web Proxy configuration

The Computer InformationThe Computer Information category, Registry parameter settings for

The computer system, Operating system, and Operating system version; and The Modems

The Network AdaptersThe Network Adapters category Registry parameter settings for

Modems, Network adapters, and Network clients.

Netdiag

Netdiag is a command-line utility that you must install manually from the Windows Server 2003 installation CD

Table 3-3 list the Netdiag Test Page 3-23

Troubleshooting Connections Using Ping and PathPing PathPing is a tool

that detects packet loss over multiple-hop trips.

PathPing uses ICMP

Troubleshooting steps:

Using Ping

Ping 127.0.0.1

Ping Local Host Address

Ping Default Gateway

Ping Remote Address

Troubleshooting with Tracert Tracert works by sending ICMP

echo requests to an IP address, while incrementing the Time to Live (TTL) field in the IP header, starting at 1, and analyzing the ICMP errors that are returned.

Tracert prints out an ordered list of the routers in the path that returned these error messages.

Example of Tracert

To Infogem:

Exam Tip You need to know the difference

between Tracert and PathPing on the exam. Use Tracert to quickly determine where a break occurs in the path of connectivity to a remote location. PathPing is more useful when you have connectivity to a site but are experiencing erratic packet loss or high delay. In these cases, PathPing tells you exactly where packet loss is occurring.

Troubleshooting Using the ARP Tool If you can ping both the loopback

address and your own IP address, but you cannot ping a computer on the local subnet, the next step is to check the ARP cache for errors.

Some ARP switches include: -a Current ARP entries -g Same as –a -d Deletes the host specified by

inet_addr -s Adds static address

Practice:

Running Network Diagnostics and Netdiag Exercise 1: Running Network

Diagnostics Page 3-26

Exercise 2: Installing Windows Support Tools

Exercise 3: Running Netdiag from Across the Network

Page 3-28

Summary

Case Scenario Exercise Page 3-31

Exam Highlights Key Points Key Terms

Page 3-34