Monitoring Troubleshooting TCP/IP Chapter 3
Objectives for this Chapter
Troubleshoot TCP/IP addressing
Diagnose and resolve issues related to incorrect configuration
Monitor network traffic
Troubleshoot connectivity to the Internet
In This Chapter
Analyzing Traffic Using Network Monitor
Troubleshooting TCP/IP Connections
To Complete the Exercises:
Physically network two computers.
Perform a Windows Server 2003 installation with default settings on both computers.
The computers should be named Computer1 and Computer2.
Assign Computer1 a static address of 192.168.0.1/24.
Configure Computer2 to obtain an address automatically.
Assign Computer2 an alternate configuration address of 192.168.0.2/24.
Two Versions
The basic version is shipped with Windows Server 2003, and
The full version is shipped with Microsoft Systems Management Server.
Understanding Network Monitor
Network Monitor is a software-based traffic analysis tool that allows a user to perform these tasks:
Capture frames directly from the network
Display and filter captured frames, immediately after capture or at a later time
Edit captured frames and transmit them on the network (full version only)
Capture frames from a remote computer (full version only)
What is a Frame?
A frame is an encapsulation of layer 2, or network interface–layer, data.
Frames include both network interface–layer data (such as Ethernet data) and higher-layer data from protocols such as Address Resolution Protocol (ARP), IP, Transmission Control Protocol (TCP), and Domain Name System (DNS). Note the table on page 3-4.
Exploring Network Monitor Components
Network Monitor is composed of an administrative tool called Network Monitor and an agent called the Network Monitor Driver.
Both components must be installed for you to capture, display, and analyze network frames.
How Network Monitor Works
Installing the Network Monitor Driver
When you install Network Monitor, the Network Monitor Driver is installed automatically on the same computer.
What Network Monitor collects
The source address of the computer that sent the message
The destination address of the computer that received the frame
Header information of each protocol used to send the frame
The data (or a portion of it) being sent to the destination computer
Exam Tip
You can use Network Monitor to find out certain details—such as the MAC address of a network interface card (NIC), the globally unique identifier (GUID) of a client computer, or the port used by a protocol—that might have been lost with documentation.
Use Network Monitor to capture data
Analyze captured data
Summary Pane columns: Frame, Time, Source MAC Address, Destination MAC Address, Protocol, Description
Looking Within Frames
+ Frame: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 1576; Total IP Length = 236; Options = No Options
+ UDP: Src Port: NETBIOS Datagram Service (138); Dst Port: NETBIOS Datagram Service (138); Length = 216 (0xD8)
+ NBT: DS: Type = 17 (DIRECT GROUP)
+ SMB: C transact, File = \MAILSLOT\BROWSE
+ Browser: Workgroup Announcement [0x0c] WORKGROUP
Network Monitor and the OSI Model
The final three protocols shown in the previous frame example (NBT, SMB, and Browser) are Microsoft network protocols that are not part of the standard TCP/IP stack.
The OSI Model - TCP/IP
OSI model                        TCP/IP model
Layer 7  Application Layer       Application Layer
Layer 6  Presentation Layer      Application Layer
Layer 5  Session Layer           Application Layer
Layer 4  Transport Layer         Transport Layer
Layer 3  Network Layer           Internet Layer
Layer 2  Data-Link Layer         Network Interface Layer
Layer 1  Physical Layer          Network Interface Layer
Exam Tip
For the exam, remember that NetBT is an example of a session-layer interface.
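The frame shown in the detail pane above can be read programmatically. This added example (not from the course or from Network Monitor itself) parses the "+ PROTOCOL: summary" lines of that frame into its protocol headers, labels each with its TCP/IP-model and OSI layer as the chapter presents them, flags the three Microsoft protocols that sit outside the standard stack, and pulls the UDP port numbers out of the summary, which is the kind of "lost documentation" detail the Exam Tip mentions. The sample text is a copy of the slide's frame; the layer table is the example's own.

```python
import re

# Copy of the slide's detail-pane text, one "+ PROTOCOL: summary" line per parsed header.
SAMPLE_FRAME = """\
+ Frame: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 1576; Total IP Length = 236; Options = No Options
+ UDP: Src Port: NETBIOS Datagram Service (138); Dst Port: NETBIOS Datagram Service (138); Length = 216 (0xD8)
+ NBT: DS: Type = 17 (DIRECT GROUP)
+ SMB: C transact, File = \\MAILSLOT\\BROWSE
+ Browser: Workgroup Announcement [0x0c] WORKGROUP
"""

# Parser name -> (TCP/IP-model layer, OSI layer, part of the standard TCP/IP stack?).
# NBT is placed at the session layer per the chapter's exam tip; NBT, SMB and Browser
# are the Microsoft protocols the slide says are not part of the standard stack.
LAYERS = {
    "ETHERNET": ("Network Interface", "2 Data-Link", True),
    "ARP": ("Internet", "3 Network", True),
    "IP": ("Internet", "3 Network", True),
    "TCP": ("Transport", "4 Transport", True),
    "UDP": ("Transport", "4 Transport", True),
    "DNS": ("Application", "7 Application", True),
    "NBT": ("Application", "5 Session", False),
    "SMB": ("Application", "7 Application", False),
    "Browser": ("Application", "7 Application", False),
}

LINE_RE = re.compile(r"^[+-]\s*(\w+):\s*(.*)$")  # matches "+ IP: Protocol = UDP ..."

def parse_frame(text):
    """(protocol, summary) pairs in wire order; the 'Frame' pseudo-header is skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m and m.group(1) != "Frame"]

def classify(headers):
    """Attach TCP/IP and OSI layer labels; an unknown parser name is reported as such."""
    rows = []
    for proto, summary in headers:
        tcpip, osi, std = LAYERS.get(proto, ("unknown", "unknown", False))
        rows.append({"protocol": proto, "tcpip": tcpip, "osi": osi, "standard": std, "summary": summary})
    return rows

def udp_ports(headers):
    """Pull the numeric source/destination ports out of the UDP summary line, if present."""
    for proto, summary in headers:
        if proto == "UDP":
            found = re.findall(r"(Src|Dst) Port:.*?\((\d+)\)", summary)
            return {side: int(port) for side, port in found}
    return {}
```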
Adding Parsers to Network Monitor
The process of reading, analyzing, and describing the contents of frames is known as parsing.
In Network Monitor, parsers are .dll files that are responsible for breaking down and reading messages from various protocols.
By default, Network Monitor includes more than 20 parsers that are responsible for parsing over 90 protocols.
Adding New Parsers
You can extend the functionality of Network Monitor by adding new parsers.
First, add the .dll to the WINDOWS\System32\Netmon\Parsers folder, which is where all parsers for Network Monitor are stored.
Second, add an entry for the new parser and protocol in the Parser.ini file. This file, which includes entries for all parsers and protocols used by Network Monitor, is stored in the WINDOWS\System32\Netmon folder.
Exam Tip
On the exam, you will need to remember the two steps necessary for adding a new parser to Network Monitor.
In addition, you will need to know the precise names and locations of both the Parser.ini file and the Parsers folder.
Remember, the Parser.ini file is in the \System32\Netmon folder, which is the parent folder of the Parsers folder.
Practice: Using Network Monitor
Exercise 1: Installing Network Monitor (page 3-13)
Exercise 2: Creating a Network Capture in Network Monitor (page 3-14)
Exercise 3: Saving a Frame to a Text File (page 3-15)
Troubleshooting TCP/IP Connections
Faulty TCP/IP Configuration: IPCONFIG
Network Diagnostics
Network Diagnostics is a graphical troubleshooting tool that provides detailed information about the local computer’s networking configuration.
Finding Network Diagnostics
On the Manage Your Server page, select More Tools.
Then select Help and Support Center Tools.
Finally, you will find Network Diagnostics.
What Network Diagnostics does
By default, Network Diagnostics collects information about only three categories:
The Internet Service category: Microsoft Outlook Express Mail, Microsoft Outlook Express News, and Internet Explorer Web Proxy configuration
The Computer Information category: registry parameter settings for the computer system, operating system, and operating system version; and the modems
The Network Adapters category: registry parameter settings for modems, network adapters, and network clients
Netdiag
Netdiag is a command-line utility that you must install manually from the Windows Server 2003 installation CD.
Table 3-3 lists the Netdiag tests (page 3-23).
Troubleshooting Connections Using Ping and PathPing
PathPing is a tool that detects packet loss over multiple-hop trips.
PathPing uses ICMP.
Troubleshooting steps:
Using Ping
Ping 127.0.0.1
Ping Local Host Address
Ping Default Gateway
Ping Remote Address
Troubleshooting with Tracert
Tracert works by sending ICMP echo requests to an IP address, while incrementing the Time to Live (TTL) field in the IP header, starting at 1, and analyzing the ICMP errors that are returned.
Tracert prints out an ordered list of the routers in the path that returned these error messages.
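The TTL-incrementing loop described above, as an added example that is not part of the course material or of the Windows tracert tool: each TTL value is probed three times, a Time Exceeded error names the router at that hop, an echo reply ends the trace, and a hop that returns nothing is printed as "*" the way tracert does. Because real probes need raw ICMP sockets, the network is replaced by a constructed simulator (`make_simulated_path`, the example's own name) so the logic runs offline; the router and destination addresses are constructed, with 192.168.0.1 borrowed from the chapter's Computer1 setup.

```python
MAX_HOPS = 30        # tracert's default hop limit
PROBES_PER_HOP = 3   # tracert sends three echo requests for each TTL value

def tracert(dest, send_probe, max_hops=MAX_HOPS):
    """Send probes with TTL 1, 2, 3, ... until the destination itself replies or the hop limit is hit.

    send_probe(dest, ttl) returns ("exceeded", router_ip) for an ICMP Time Exceeded error,
    ("reply", dest_ip) for an echo reply from the destination, or None when nothing comes back."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answers = [a for a in (send_probe(dest, ttl) for _ in range(PROBES_PER_HOP)) if a]
        if not answers:
            hops.append((ttl, "*"))      # request timed out: nothing at this TTL answered
            continue
        kind, addr = answers[0]
        hops.append((ttl, addr))
        if kind == "reply":              # the TTL was large enough to reach the destination
            break
    return hops

def last_responding_hop(hops):
    """The last hop that answered; if only '*' rows follow it, that is where the path breaks."""
    for ttl, addr in reversed(hops):
        if addr != "*":
            return ttl, addr
    return None

def make_simulated_path(routers, dest, silent=frozenset(), reachable=True):
    """Constructed stand-in for the network: routers[i] expires a probe sent with TTL i+1 and
    returns Time Exceeded unless it is in `silent`; dest answers only when `reachable`."""
    def send_probe(target, ttl):
        if ttl <= len(routers):
            router = routers[ttl - 1]
            return None if router in silent else ("exceeded", router)
        return ("reply", dest) if reachable else None
    return send_probe

if __name__ == "__main__":
    # Constructed three-router path; 192.168.0.1 is the chapter's Computer1 address.
    path = ["192.168.0.1", "10.0.0.1", "172.16.0.1"]
    for ttl, addr in tracert("203.0.113.10", make_simulated_path(path, "203.0.113.10")):
        print(f"{ttl:3}  {addr}")
    broken = tracert("203.0.113.10", make_simulated_path(path, "203.0.113.10", reachable=False), max_hops=6)
    print("last router that answered:", last_responding_hop(broken))
```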
Example of Tracert to Infogem:
Exam Tip
You need to know the difference between Tracert and PathPing on the exam. Use Tracert to quickly determine where a break occurs in the path of connectivity to a remote location. PathPing is more useful when you have connectivity to a site but are experiencing erratic packet loss or high delay. In these cases, PathPing tells you exactly where packet loss is occurring.
Troubleshooting Using the ARP Tool
If you can ping both the loopback address and your own IP address, but you cannot ping a computer on the local subnet, the next step is to check the ARP cache for errors.
Some ARP switches include:
-a  Displays current ARP entries
-g  Same as -a
-d  Deletes the host specified by inet_addr
-s  Adds a static entry
Practice: Running Network Diagnostics and Netdiag
Exercise 1: Running Network Diagnostics (page 3-26)
Exercise 2: Installing Windows Support Tools
Exercise 3: Running Netdiag from Across the Network (page 3-28)
Summary
Case Scenario Exercise Page 3-31
Exam Highlights
Key Points
Key Terms (page 3-34)