In most environments your desktop Operating System will probably be Windows so it’s useful to know the inbuilt network troubleshooting tools.
A summary of the commands in this post are:
Before we jump into the tools, I’d like to introduce redirection and filtering output. As in IOS you can output to files to allow you to snapshot the output easily, for example:
C:\Users\bruce>ping google.com > test
This will save the output into the file called test in your current working directory, please note, this will overwrite any existing text in the file. However >> will append to the current text
C:\Users\bruce>ping google.com >> test
You can also filter output much like grep in linux or an include statement in IOS
For example if you want to see the particular network socket state for a particular IP you could use:
C:\Users\bruce>netstat -n | find "127.0.0.1" TCP 127.0.0.1:1051 127.0.0.1:19872 ESTABLISHED
These tools are useful for when you need to capture information for sharing or base lining or for finding targeted information in large groups of data
Ping uses ICMP Echo messages to test host connectivity – of course everyone knows this. However, let’s explore some of the switches and their uses.
This will resolve an IP address for you when pinging for example:
C:\Users\bruce>ping -a 188.8.131.52 Pinging ns.optus.net.au [184.108.40.206] with 32 bytes of data: Reply from 220.127.116.11: bytes=32 time=47ms TTL=249 Reply from 18.104.22.168: bytes=32 time=78ms TTL=249 Reply from 22.214.171.124: bytes=32 time=48ms TTL=249 Reply from 126.96.36.199: bytes=32 time=46ms TTL=249 Ping statistics for 188.8.131.52: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 46ms, Maximum = 78ms, Average = 54ms
Continuous ping, I find this useful for a number of cases, an example of a few:
• Before reloading a host or a network device I set up a continuous ping to know when it is back online
• When deploying new access switches I will set up a continuous ping and plug into a few ports to test connectivity
-w (#number of seconds)
This allows you to set the timeout window. This is very useful for when you are fault finding links with large latency, for example, I once had a 3G connection that had up to 10 seconds latency so the standard timeout period made it look like 100% packet loss when it was actually just really bad latency.
-l (#packet size)
This allows you to specify the size of the ICMP payload, this is useful when using the Do Not Fragement Bit for figuring out the Maximum Transmission Unit (MTU). Also, note, that packet size in windows and packet size in IOS are two different things. Packet size in windows refers to the payload of the packet. Given that most IP networks support an MTU of 1500 Bytes then you must actually specify ping –l 1472 to send a 1500 byte packet on the wire (20 Bytes IP, 8 Bytes ICMP)
Do not fragment bit
-r (1 to 9)
This is used to set the record route IP option in the header. I find this useful for finding asymmetric routing paths in the network
C:\Users\bruce>ping xx.xx.xx.5 -r 9 Pinging xx.xx.xx.5 with 32 bytes of data: Reply from xx.xx.xx.5: bytes=32 time=50ms TTL=252 Route: xx.xx.xx.199 -> xx.xx.xx.145 -> xx.xx.xx.6 -> xx.xx.xx.5 -> xx.xx.xx.5 -> xx.xx.xx.146 -> xx.xx.xx.143 -> xx.xx.xx.254
Tracert is Traceroute … it traces the route 😛
I pretty much just use – d to only output IP Addresses and not use DNS resolution
I found pathping in a Microsoft textbook and I think it is useful for getting support staff to run this test. Pathping combines the operation of tracert and ping, it does this by performing a traceroute and then sending ICMP echo messages to each hop. It is a very useful tool for non-network engineering focused people to quickly identity the issue with a service.
C:\Users\bruce>pathping xx.xx.xx.xx Tracing route to name [xx.xx.xx.xx] over a maximum of 30 hops: 0 name [xx.xx.xx.xx] 1 name [xx.xx.xx.xx] 2 name [xx.xx.xx.xx] 3 name [xx.xx.xx.xx] 4 name [xx.xx.xx.xx] Computing statistics for 100 seconds... Source to Here This Node/Link Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address 0 name [xx.xx.xx.xx] 0/ 100 = 0% | 1 0ms 0/ 100 = 0% 0/ 100 = 0% name [xx.xx.xx.xx] 0/ 100 = 0% | 2 32ms 0/ 100 = 0% 0/ 100 = 0% name [xx.xx.xx.xx] 0/ 100 = 0% | 3 32ms 0/ 100 = 0% 0/ 100 = 0% name [xx.xx.xx.xx] 0/ 100 = 0% | 4 49ms 0/ 100 = 0% 0/ 100 = 0% name [xx.xx.xx.xx] Trace complete.
Netstat is an incredibly useful tool, very handy for showing people it’s not the firewall it’s the fact their service isn’t even started that’s causing the issue 😀
It helps to understand the Socket States (Thanks Microsoft – http://support.microsoft.com/kb/137984):
• SYN_SEND Indicates active open.
• SYN_RECEIVED Server just received SYN from the client.
• ESTABLISHED Client received server’s SYN and session is established.
• LISTEN Server is ready to accept connection.
• FIN_WAIT_1 Indicates active close.
• TIMED_WAIT Client enters this state after active close.
• CLOSE_WAIT Indicates passive close. Server just received first FIN from a client.
• FIN_WAIT_2 Client just received acknowledgment of its first FIN from the server.
• LAST_ACK Server is in this state when it sends its own FIN.
• CLOSED Server received ACK from client and connection is closed.
Why is this useful? If you only see SYN_SEND chances are you are hitting a firewall or it’s a silent drop by an upstream routing device. However, if you see ESTABLISHED then life’s good!
This shows the Process ID which you can find out by using Task Manager or tasklist in a command window. However, there is an easier way.
C:\Users\bruce>netstat -n -o Active Connections Proto Local Address Foreign Address State PID TCP xx.xx.xx.xx:24965 184.108.40.206:80 ESTABLISHED 6896
Print the process name, oh so convenient!
C:\Users\bruce>netstat -n -o Active Connections Proto Local Address Foreign Address State TCP xx.xx.xx.xx:24965 220.127.116.11:80 ESTABLISHED [firefox.exe]
Prints the hosts routing table.
Prints IP, ICMP and TCP/UDP Statistics, a whole load of useful output in this one.
Prints Ethernet (Interface) Statistics.
Prints the Fully Qualified Domain Name in the netstat output
Despite have the obvious use of telneting to a device (but we all use SSH right … >_> <_<) you can also use it to see if a port is reachable to a host. You can also use it to just do some banner sniffing to see what a device is (more about this later … )
telnet (host) (port)
This will open up a tcp session to the host on the specified port, you can then use the previously discussed netstat tools to see whether the session is allowed or not.
arp allows you to see the results in your arp cache, this can be really useful when fault finding connectivity on a firewall as the arp confirms that you have link reachablility.
Shows all ARP entries
Deletes arp entries
Ipconfig is a classic tool, often used and loved.
Get the mac address of the device you are on as well as see which DHCP server allocated you your address.
Flush your DNS resolutions, useful when you migrate servers and you can’t see them …
Look up those DNS resolutions
Another classic tool, a friend at work advised me of,
Gives you useful DNS output
C:\Users\bruce>nslookup Default Server: name Address: xx.xx.xx.xx > set d2 > google.com Server: name Address: xx.xx.xx.xx ------------ SendRequest(), len 28 HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: query, want recursion questions = 1, answers = 0, authority records = 0, additional = 0 QUESTIONS: google.com, type = A, class = IN ------------ ------------ Got answer (340 bytes): HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: response, want recursion, recursion avail. questions = 1, answers = 11, authority records = 4, additional = 4 QUESTIONS: google.com, type = A, class = IN ANSWERS: -> google.com type = A, class = IN, dlen = 4 internet address = 18.104.22.168 ttl = 15 (15 secs) … -> google.com type = A, class = IN, dlen = 4 internet address = 22.214.171.124 ttl = 15 (15 secs) AUTHORITY RECORDS: type = NS, class = IN, dlen = 6 nameserver = ns2.google.com ttl = 124 (2 mins 4 secs) -> google.com type = NS, class = IN, dlen = 6 nameserver = ns3.google.com ttl = 124 (2 mins 4 secs) ADDITIONAL RECORDS: -> ns1.google.com type = A, class = IN, dlen = 4 internet address = 126.96.36.199 ttl = 610 (10 mins 10 secs) … -> ns4.google.com type = A, class = IN, dlen = 4 internet address = 188.8.131.52 ttl = 617 (10 mins 17 secs) … Addresses: 2404:6800:4006:802::1000 184.108.40.206 220.127.116.11 … 18.104.22.168 >
The Resource Monitor is an inbuilt GUI Windows application that is really useful for looking at all kinds of system usage (CPU, Memory and Network) it has pretty graphs and it allows you to filter by process. It is a nicer looking option than perfmon.
To run resmon just type “resmon” at the run command or windows launch textbox
Click the below imagine for an example screen shot: