Network Software Tools and Commands PDF
Todd Lammle
Summary
This chapter covers various software tools and commands used in network testing and troubleshooting, including protocol analyzers, ping, traceroute, nslookup, tcpdump, dig, netstat, and more. It also discusses specialized tasks and connects tools to their usage within a networking environment.
Full Transcript
Chapter 19 Network Software Tools and Commands

THE FOLLOWING COMPTIA NETWORK+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

5.5 Given a scenario, use the appropriate tool or protocol to solve networking issues.

Software tools
- Protocol analyzer
- Command line: ping, traceroute/tracert, nslookup, tcpdump, dig, netstat, ip/ifconfig/ipconfig, arp, Nmap
- Link Layer Discovery Protocol (LLDP)/Cisco Discovery Protocol (CDP)
- Speed tester

Hardware tools
- Toner
- Cable tester
- Taps
- Wi-Fi analyzer
- Visual fault locator

Basic networking device commands
- show mac-address-table
- show route
- show interface
- show config
- show arp
- show vlan
- show power

Specialized tasks require specialized tools, and installing network components is no exception. We use some of these tools, like network scanners, on an everyday basis, but most of the software tools I’ll be covering in this chapter are used mainly in the telecommunications industry. Still, to meet the CompTIA Network+ Exam objectives, and also because you’re likely to run across them in today’s networking environments, you must be familiar with them.

To find Todd Lammle CompTIA videos and practice questions, please see www.lammle.com.

Software Tools

To effectively test and troubleshoot networks, it is important to be aware of, and know how to operate, the many different types of tools available for you to use. We will start the chapter by going over many of the software applications designed for network testing and troubleshooting. Knowing how to use these tools allows you to locate, troubleshoot, and resolve any networking issues you may come across.

Protocol Analyzer/Packet Capture

Protocol analyzers, also called sniffers or network monitors, are used to capture packets in their raw format as they cross the network. Windows desktop operating systems before Windows Vista came with a built-in protocol analyzer called Network Monitor, but that is no longer the case, although you can download one for free that will work with the newer operating systems.
The Network Monitor tool that comes with these operating systems will capture only packets that are sourced from or destined to the computer on which the tool is running. Commercial sniffers like Wireshark and Omnipeek can capture any packets because they set the NIC to operate in promiscuous mode, which means the NIC processes all packets that it sees. Protocol analyzers can be used to determine the type of traffic that you have in your network, and depending on the product and the bells and whistles contained therein, you may be able to sort the results based on port numbers, protocols, and so on. Another use of a sniffer is to examine the traffic that should be occurring on the network when something is not working to aid in troubleshooting. These devices can capture and display all packets involved in the connection setup, including, for example, request and response headers to a web server. Let’s review the series of four packet types that must occur for a DHCP client to receive an IP configuration from the server. As a review, those packets are as follows: DHCP Discover DHCP Offer DHCP Request DHCP ACK If you turned on the analyzer and then executed the ipconfig/release and ipconfig/renew commands on the client system (more on those commands later in this chapter), you should see these four packets in the analyzer’s capture file. The packets would be interspersed with the hundreds and perhaps thousands of other packet types that would be captured, but by using the display filtering options in the software, you can easily segregate out the DHCP traffic. Figure 19.1 shows an example of the DHCP process, as seen in a capture. FIGURE 19.1 DHCP capture If all you saw in the capture were the DHCP Discover packets with no DHCP Offer packets, you could reasonably assert that the DHCP server is not receiving the DHCP Discover packets (perhaps it is located in another broadcast domain or perhaps it is not on). 
Additionally, you could examine fields in the DHCP Offer packets that may tell you that the DHCP server is out of addresses. The point is that the tool can be used to troubleshoot the issue. Bandwidth Speed Testers Users of a network often complain about the speed of the network. Network “speed” is in some ways a personal perception because some people have more patience than others. To determine when a network slowdown is real as opposed to perceived, you need to actually measure the throughput. That’s what throughput testers are used for. These devices, typically software-based, work much like a protocol analyzer in that they measure the traffic seen on the network and can also classify the types of traffic that are eating up your bandwidth (which is probably what you really need to know). Figure 19.2 shows one version of this software by TamoSoft. FIGURE 19.2 Throughput This software is installed on a server and also on a client. In the figure, the software is measuring traffic between the client and a server. It shows the throughput for traffic in real time and in this shot is breaking that traffic up by unicast (TCP) and broadcast (UDP) types and by direction. Earlier in this book, I discussed the importance of baselines, and this is another area where they are important. Network throughput figures mean little without a baseline with which comparisons can be made. How do you know what is abnormal when you don’t know what normal is? Baselines should be taken when the network is operating well, but they should also be taken when the traffic load is normal. IPerf is an open-source software tool that measures network throughput and is very handy for testing and creating baselines of your network. The software runs as a server on one end and a client on the other. IPerf can run on both Linux and Windows operating systems. It is highly customizable, allowing you to specify if you want to use TCP or UDP and what port numbers and packet size. 
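Back to the DHCP capture case from the protocol analyzer section: the following is an added example, not code from the book, that builds a few DHCP messages, classifies them by option 53, and applies the "Discover but no Offer" reasoning to a constructed capture. All packet bytes, transaction IDs and addresses in it are constructed for the demonstration.

```python
"""Classify DHCP messages and check the Discover/Offer/Request/ACK exchange.

Packet bytes are constructed inline, not taken from a real capture, and follow
RFC 2131 framing: 236-byte BOOTP header, magic cookie 63 82 53 63, then
TLV options terminated by option 255.
"""
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(msg_type, xid, yiaddr="0.0.0.0", options=None):
    """Construct a minimal DHCP payload (the UDP body) of the given message type."""
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2            # BOOTREQUEST or BOOTREPLY
    yi = bytes(int(o) for o in yiaddr.split("."))
    # op, htype (1 = Ethernet), hlen (6), hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr: 28 bytes in total
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, yi, b"\0" * 4, b"\0" * 4)
    header += b"\0" * 16 + b"\0" * 64 + b"\0" * 128           # chaddr, sname, file
    body = bytes([53, 1, msg_type])                            # option 53: message type
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(data):
    """Return (op, xid, yiaddr, options) for one payload; raise ValueError if malformed."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    op, _, _, _, xid = struct.unpack("!BBBBI", data[:8])
    yiaddr = ".".join(str(b) for b in data[16:20])
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return op, xid, yiaddr, options


def message_type(data):
    """Name of the DHCP message type carried in option 53, e.g. 'DISCOVER'."""
    options = parse_dhcp(data)[3]
    return MSG_TYPES.get((options.get(53) or b"\0")[0], "UNKNOWN")


def diagnose_exchange(packets):
    """Group captured payloads by transaction ID and say which step is missing.

    Discover with no Offer points at the server (other broadcast domain, or not
    running); Request with no ACK points at the Offer/Request step.
    """
    by_xid = defaultdict(list)
    for data in packets:
        by_xid[parse_dhcp(data)[1]].append(message_type(data))
    report = {}
    for xid, seen in by_xid.items():
        if "ACK" in seen:
            report[xid] = "complete"
        elif "NAK" in seen:
            report[xid] = "server refused the Request (NAK)"
        elif "REQUEST" in seen:
            report[xid] = "Request seen but no ACK"
        elif "OFFER" in seen:
            report[xid] = "Offer seen but client never sent a Request"
        elif "DISCOVER" in seen:
            report[xid] = "Discover with no Offer: server not receiving it or not running"
        else:
            report[xid] = "unexpected message mix: " + ",".join(seen)
    return report


# Constructed sample "capture": one healthy lease (xid 0x1111) and one client
# whose Discovers (xid 0x2222, retried once) never get an Offer.
SAMPLE_CAPTURE = [
    build_dhcp(1, 0x1111),
    build_dhcp(2, 0x1111, "192.168.0.6", {54: bytes([192, 168, 0, 1])}),
    build_dhcp(3, 0x1111, options={50: bytes([192, 168, 0, 6])}),
    build_dhcp(5, 0x1111, "192.168.0.6", {51: struct.pack("!I", 86400)}),
    build_dhcp(1, 0x2222),
    build_dhcp(1, 0x2222),
]

if __name__ == "__main__":
    for xid, verdict in diagnose_exchange(SAMPLE_CAPTURE).items():
        print(f"xid 0x{xid:x}: {verdict}")
```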
After the test is run, reports are generated that give you throughput, the parameters used, and a timestamp. Port Scanners A port scanner is a software tool designed to search a host for open ports. Those of us administering our networks use port scanners to ensure their security, but bad guys use them to find a network’s vulnerabilities and compromise them. To port scan means to scan for TCP and UDP open ports on a single target host either to legitimately connect to and use its services for business and/or personal reasons or to find and connect to those ports and subsequently attack the host and steal or manipulate it for nefarious reasons. In contrast, port sweeping means scanning multiple hosts on a network for a specific listening TCP or UDP port, like SQL. (SQL injection attacks are super common today.) This just happens to be a favorite approach used by hackers when trying to invade your network. They port sweep in a broad manner, and then, if they find something—in this case, SQL—they can port scan the particular host they’ve discovered with the desired service available to exploit and get what they’re after. This is why it’s a really good idea to turn off any unused services on your servers and routers and to run only the minimum services required on every host machine in your network. Do yourself a big favor and make sure this is in your security policy. NetFlow Analyzers The NetFlow protocol allows for viewing and analyzing application-level traffic across an interface. NetFlow is a step above SNMP in that it looks at the actual conversations taking place on your network and, based on that information, allows you to gain deep visibility of what traffic is moving across your network. NetFlow collects information on each unique traffic flow into and out of a network device interface. 
NetFlow collects source and destination addresses, application information, and quality of service (QoS) data and is very helpful in troubleshooting causes of networking problems. A flow exporter is a network device such as a router that monitors traffic flowing in and out of an interface and exports not the complete packet but a summary of its contents to a flow collector. A flow collector is a server on the network that receives the flows from multiple exporters and consolidates the NetFlow data in a centralized storage location. A NetFlow application then analyzes the data and creates reports, charts, graphs, and sometimes analytics on the received information. Trivial File Transfer Protocol Server When the time comes to upgrade the software on a piece of networking equipment such as a switch or router, the code is downloaded from the vendor site to your laptop or a management server. Then steps are taken to transfer the code to the actual device. One of the most common methods is to use the Trivial File Transfer Protocol (TFTP) as it is supported by all vendors. A TFTP server is a small application that is available from a wide variety of developers as freeware for Windows and Linux computers. All that is needed is to run the TFTP server on your local machine and point its source directory to where the file to upload resides. Then from the network device, specify the IP address of the TFTP server and the name of the file you want to upload. TFTP is designed to be a simple, effective, and fast method to upload code to a network device. Connectivity Software There are times when you need to make a remote connection to a machine to perform troubleshooting but you are miles away. Connectivity software is designed to allow you to make a connection to the machine, see the desktop, and perform any action you could perform if you were sitting in front of it. The Microsoft operating system has had software called Remote Desktop installed since Windows NT. 
The Remote Desktop software enables GUI-based remote access, as you learned in Chapter 13, “Remote Network Access.” The Remote Desktop software operates via the Remote Desktop Protocol (RDP) via the TCP protocol port 3389. Since that time, Microsoft has introduced a number of other remote assistance software packages, such as Quick Assist, as shown in Figure 19.3. Commercial tools are also available that (of course) claim to have more functionality, and they probably do have a few extra bells and whistles. These include LogMeIn.com, GoToMyPC, and others. The advantages of these connectivity tools are obvious. With these tools, you can do anything you need to on the machine as long as you can connect. They also allow you to see what a user is actually doing when they encounter a problem rather than having to rely on what they tell you they are doing. You can even show a user what they are doing wrong. Most of these tools allow for chat sessions and for either end of the connection to take control of the machine. You can also transfer files to them if required (maybe a file got deleted, for example). For networking, it is common to access the devices command-line interface remotely. This will require you to use terminal emulation software. Today the Telnet protocol is rarely used because it has no security and all data is sent unencrypted. Secure Shell (SSH) is the preferred method of accessing a remote device command line from across a network. There are many free and commercial terminal emulation packages for you to use. The most common open-source emulator is PuTTY, and it supports Telnet, SSH, and serial interfaces. PuTTY is widely used and found in almost every networking shop. As for commercial packages, SecureCRT is popular and has an extensive feature set. FIGURE 19.3 Quick Assist IP Scanner It is often very helpful to know what is running on a server or networking device. 
Scanners can tell you what IP addresses are active and what they are “listening for.” All IP applications have an associated port number that is open for incoming connections, such as port 80 for HTTP and 443 for HTTPS. An IP scanner can be run on your local computer and will scan for open ports on each IP host. However, be very careful doing this on live production networks because security appliances such as intrusion and firewall systems may generate an alarm when they detect scans as it may be an indication of fingerprinting your network by hackers. Scanners can be used for network mapping by listing all of the active IP addresses in each subnet and what applications are running on them. There are many commercial and open-source scanners available on the market. Many have advanced features such as listing bugs and vulnerabilities of a scanned device and providing information on remediation. Using traceroute Most of us are running Transmission Control Protocol/Internet Protocol (TCP/IP) version 4 on our networks these days, so we absolutely need a way to test IP connectivity. But we also need to be able to test and verify IPv6 networks. The reason for this is that even though Microsoft makes the majority of client platforms, a lot of the commands used to test IP connectivity are really platform independent, and most of the platforms can now use both IPv4 and IPv6. Even so, keep in mind that the Network+ exam focuses on the basic concepts of the function and use of the TCP/IP utilities that come with Windows. You can use several utilities, both command line and GUI, to verify TCP/IP function on Windows workstations, and most of them are listed in the chapter objectives. 
Here’s a list of all the utilities I’ll discuss:
- traceroute (tracert in Microsoft)
- ipconfig (ifconfig in Linux/UNIX)
- ping
- arp
- nslookup (dig in Linux/UNIX)
- Resolving Names
- mtr (pathping)
- Nmap
- route
- netstat
- tcpdump
- ftp

By the way, it’s important that you don’t just blow through the output that I’ve supplied for each command. Instead, pay serious attention to it because to meet the Network+ objectives, you’ll be required to correctly identify each command’s output. So, let’s cut right to the chase and take a look at some of these commands and their output. Oh, and do try and have fun with it!

For starters, let’s pose these questions: Where do all those packets really go when we send them over the Internet? And, how do all the packets actually get to their destinations? Well, we can use the TCP/IP traceroute (tracert with Windows) command-line utility to help us answer both questions because its output will show us every router interface a TCP/IP packet passes through on the way to its destination. traceroute (trace for short) displays the path a packet takes to get to a remote device in all its glory by using something we call IP packet time to live (TTL) timeouts and Internet Control Message Protocol (ICMP) error messages. And it’s also a handy tool for troubleshooting an internetwork because we can use it to figure out which router along a path through that internetwork happens to be causing a network failure when a certain destination machine or network is, or suddenly becomes, unreachable.

To use tracert, at a Windows command prompt, type tracert, a space, and the Domain Name System (DNS) name or IP address of the host machine to which you want to find the route. The tracert utility will respond with a list of all the DNS names and IP addresses of the routers that the packet is passing through on its way. Plus, tracert uses TTL to indicate the time it takes for each attempt.
The following is the tracert output from my workstation in Boulder, Colorado, to my Lammle.com server in Dallas, Texas:

C:\Users\tlammle>tracert www.lammle.com

Tracing route to lammle.com [206.123.114.186]
over a maximum of 30 hops:

  1     1 ms

This provides excellent feedback at the end of the output. In addition to traceroute and tracert, which show the path of an IPv4 packet, you can use tracert -6 for a Windows trace, traceroute6 for macOS and Linux/UNIX, and traceroute -6 for Cisco routers to trace an IPv6 packet through an internetwork.

Using ipconfig, ifconfig, and ip

The utilities known as ipconfig (in Windows) and ifconfig/ip (in UNIX/Linux/macOS) will display the current configuration of TCP/IP on a given workstation—including the current IP address, DNS configuration, and default gateway. In the following sections, I will show you how to use both.

Using the ipconfig Utility

With the new macOS, Windows 10/11, and Windows Server 2019/2022 operating systems, you can now see the IPv6 configuration because IPv6 is enabled by default. The output of the ipconfig command provides the basic routed protocol information on your machine. From a DOS prompt, type ipconfig, and you’ll see something like this:

C:\Users\tlammle>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix. : domain.actdsltmp
   Link-local IPv6 Address..... : fe80::2836:c43e:274b:f08c%11
   IPv4 Address........... : 192.168.0.6
   Subnet Mask........... : 255.255.255.0
   Default Gateway......... : 192.168.0.1

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix. : qwest.net
   Link-local IPv6 Address..... : fe80::20e7:7fb8:8a00:832b%10
   IPv4 Address........... : 10.0.1.198
   Subnet Mask........... : 255.255.255.0
   Default Gateway......... : fe80::21b:63ff:fef3:3694%10
                              10.0.1.1

Tunnel adapter Local Area Connection* 6:

   Media State........... : Media disconnected
   Connection-specific DNS Suffix.
: Tunnel adapter Local Area Connection* 7: Media State........... : Media disconnected Connection-specific DNS Suffix. : [output cut for brevity] Wow, there sure are a lot of options in this output compared to the output for earlier versions of Windows! First, what’s up with all these interfaces showing? I have only two —one Ethernet and one wireless. You can see that my Ethernet adapter shows up first, and it has an IP address, a mask, and a default gateway plus an IPv6 address and a DNS suffix. The next configured interface is the wireless local area network (LAN) adapter, which has an IP address, a mask, a default gateway, an IPv6 address, and the IPv6 default gateway as well. This IPv6 default gateway address is simply my router advertising that it runs IPv6 and saying, “I am the way out of the local LAN!” The next adapters are disconnected because they are logical interfaces and I’m not using them—my machine actually shows eight, but I cut the output because it provides no new information. They’re automatically inserted because IPv6 is installed and running on my machine, and these adapters allow me to run IPv6 over an IPv4-only network. But just in case the ipconfig command doesn’t provide enough information for you, try the ipconfig /all command—talk about details. Here’s the beginning of that output: C:\Users\tlammle>ipconfig /all Windows IP Configuration Host Name............ : globalnet-todd Primary Dns Suffix....... : globalnet.local Node Type............ : Hybrid IP Routing Enabled........ : No WINS Proxy Enabled........ : No DNS Suffix Search List...... : globalnet.local domain.actdsltmp qwest.net Ethernet adapter Local Area Connection: Connection-specific DNS Suffix. : domain.actdsltmp Description........... : Intel(R) 82566MM Gigabit Network Connection Physical Address......... : 00-1E-37-D0-E9-35 DHCP Enabled........... : Yes Autoconfiguration Enabled.... : Yes Link-local IPv6 Address..... 
: fe80::2836:c43e:274b:f08c%11(Preferred) IPv4 Address........... : 192.168.0.6(Preferred) Subnet Mask........... : 255.255.255.0 Lease Obtained.......... : Monday, October 20, 2008 9:08:36 AM Lease Expires.......... : Tuesday, October 21, 2008 9:08:39 AM Default Gateway........ 192.168.0.1. : DHCP Server.......... 192.168.0.1. : DNS Servers.......... 192.168.0.1. : 205.171.3.65 NetBIOS over Tcpip........ : Enabled Wireless LAN adapter Wireless Network Connection: Connection-specific DNS Suffix. : qwest.net Description........... : Intel(R) Wireless WiFi Link 4965AGN Physical Address......... : 00-1F-3B-3F-4A-D9 DHCP Enabled........... : Yes Autoconfiguration Enabled.... : Yes Link-local IPv6 Address..... : fe80::20e7:7fb8:8a00:832b%10(Preferred) IPv4 Address........... : 10.0.1.198(Preferred) Subnet Mask........... : 255.255.255.0 Lease Obtained.......... : Monday, October 20, 2008 10:43:53 AM Lease Expires.......... : Monday, October 20, 2008 2:43:53 PM Default Gateway......... : fe80::21b:63ff:fef3:3694%10 10.0.1.1 DHCP Server........... : 10.0.1.1 DNS Servers........... : 10.0.1.1 NetBIOS over Tcpip........ : Enabled Tunnel adapter Local Area Connection* 6: Media State........... : Media disconnected Connection-specific DNS Suffix. : Description........... : isatap.globalnet.local Physical Address......... : 00-00-00-00-00-00-00-E0 DHCP Enabled........... : No Autoconfiguration Enabled.... : Yes Tunnel adapter Local Area Connection* 7: Media State........... : Media disconnected Connection-specific DNS Suffix. : Description........... : isatap.{9572A79F-3A58-4E9B- 9BD0-8F6FF2F058FC} Physical Address......... : 00-00-00-00-00-00-00-E0 DHCP Enabled........... : No Autoconfiguration Enabled.... : Yes [output cut] As you can see, it’s more of the same—a whole lot more. The most important thing I want you to notice is that I’ve received the hardware information about each interface, including the Media Access Control (MAC) address. 
Also significant is that I can see the Dynamic Host Configuration Protocol (DHCP) lease times and DNS addresses now. But why stop here? There are two more valuable options you need to use with the ipconfig command. They are /release and /renew. When you change networks, you need to get the IP address of that subnet and/or virtual LAN (VLAN). Windows 10/11 works most of the time without doing anything, but sometimes I do have to renew the IP configuration when changing networks. But that’s easy—just type ipconfig /renew from a command prompt, and if you’re connected to a DHCP server that’s available, you’ll then magically receive an IP address. Now, if it still doesn’t work, you’ll need to release and renew your TCP/IP settings. To release your current DHCP TCP/IP information, you must elevate (run as administrator) your command prompt or you’ll get this warning: C:\Users\tlammle>ipconfig /release The requested operation requires elevation. C:\Users\tlammle> Should this happen to you, left-click in the search box in the lower-left menu bar, type in command prompt, right-click the command prompt icon, and choose Run As Administrator. (Of course, you’ll have to enter your name and password to do this if you are using Windows 10/11. But we love Windows 10/11, right? Okay, maybe not always.) Figure 19.4 shows how I did this. FIGURE 19.4 Elevating your command prompt Once your command prompt has been duly elevated, you can use the ipconfig /release command and then the ipconfig /renew command to get new TCP/IP information for your host. Using the ifconfig Utility There is a utility in Linux/UNIX/macOS that will give you information similar to what ipconfig shows. It’s called ifconfig (short for interface configuration). Although ipconfig and ifconfig show similar information, there are major differences between these two utilities. The ipconfig utility is mainly used to view the TCP/IP configuration for a computer. 
You can use ifconfig to do the same thing, but ifconfig can also be used to configure a protocol or a particular network interface. The general syntax of the ifconfig command is as follows: ifconfig interface [address [parameters]] The interface parameter equals the Linux/UNIX name of the interface, such as eth0. If the optional address parameter is specified, the ifconfig command sets the IP address for the interface to the address you’ve specified. When the ifconfig command is used by itself with no parameters, all configured interfaces will be reported on. But if only the interface name is specified, you’ll get output that looks like this: # ifconfig eth0 eth0 Link encap 10Mbps Ethernet HWaddr 00:00:C0:90:B3:42 inetaddr 172.16.0.2 Bcast 172.16.0.255 Mask 255.255.255.0 UP BROADCAST RUNNING MTU 1500 Metric 0 RX packets 3136 errors 217 dropped 7 overrun 26 TX packets 1752 errors 25 dropped 0 overrun 0 Looking at this, we can see that the eth0 interface is a 10 Mbps Ethernet interface. The interface’s MAC and IP address information is displayed in this output as well. And, although not shown in the output, the ifconfig tool can show you the DNS information configured on the host. Using the ip Utility Newer versions of the Linux operating system have added the ip utility to replace the ifconfig command. This command serves the same purpose as ifconfig and is used to assign an address to a network interface and/or configure network interface parameters on Linux operating systems. The ip command allows us to find out what interfaces are configured on the computer, view and configure their IP values, take an interface up or down, configure routing, display network status information, view and configure multicast values, view the ARP table, add or remove static routes, and view the host’s routing table. 
For example, to add the IP address 192.168.1.1 to interface Ethernet0 (eth0), use the following command:

# ip a add 192.168.1.1/255.255.255.0 dev eth0

Using the iptables Utility

While iptables is not part of the exam objectives, it is added here because it is an important Linux networking utility and good to be aware of. The iptables firewall utility is built for the Linux operating system. It is a command-line utility that uses chains to allow or disallow traffic. When traffic arrives, iptables looks for a rule that addresses that traffic type, and if none exists, it will enforce the default rule. There are three different chain types:
- Input: Controls behavior for incoming connections
- Forward: Used for incoming connections that aren’t being delivered locally (like a router would receive)
- Output: Used for outgoing connections

You can set the default action to accept, drop, or reject, with the difference between reject and drop being that reject sends an error message back to the source.

Examples of iptables

To block a connection from the device at 192.168.10.1, use this command:

iptables -A INPUT -s 192.168.10.1 -j DROP

To block all connections from all devices in the 172.16.0.0/16 network, use this command:

iptables -A INPUT -s 172.16.0.0/16 -j DROP

Here is the command to block SSH connections from 10.110.61.5:

iptables -A INPUT -p tcp --dport ssh -s 10.110.61.5 -j DROP

Use this command to block SSH connections from any IP address:

iptables -A INPUT -p tcp --dport ssh -j DROP

The following command is used to save the changes in Ubuntu (a Linux distribution):

sudo /sbin/iptables-save

In Red Hat–based systems, use either of the following commands:

/sbin/service iptables save
/etc/init.d/iptables save

Using the ping Utility

The ping utility is the most basic TCP/IP utility, and it’s included with most TCP/IP stacks for most platforms. Windows, again, is no exception.
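Before moving on with ping, here is an added example (not from the book, and not iptables itself) that models how the INPUT chain evaluates the four rules above: first match wins, the default policy covers whatever nothing matched, and the service name ssh resolves to port 22. The SERVICE_PORTS table and the packet dictionaries are assumptions of this model.

```python
"""First-match evaluator for the iptables INPUT rules listed above.

A model of the chain logic, not iptables itself: rules are tried in the order
-A appended them, the first match decides, and the chain's default policy
applies when nothing matches.
"""
import ipaddress
import shlex

# Assumed service-name table (iptables resolves these via /etc/services).
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}


def parse_rule(cmdline):
    """Parse 'iptables -A CHAIN [-p PROTO] [--dport PORT] [-s CIDR] -j TARGET' into a dict."""
    tokens = shlex.split(cmdline)
    rule = {"chain": None, "proto": None, "dport": None, "src": None, "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "iptables":
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok} needs an argument")
        arg = tokens[i + 1]
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-p":
            rule["proto"] = arg.lower()
        elif tok == "--dport":
            rule["dport"] = int(arg) if arg.isdigit() else SERVICE_PORTS[arg]
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)   # single host or CIDR
        elif tok == "-j":
            rule["target"] = arg.upper()
        else:
            raise ValueError(f"unsupported option {tok}")
        i += 2
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError("a rule needs both -A <chain> and -j <target>")
    if rule["dport"] is not None and rule["proto"] not in ("tcp", "udp"):
        raise ValueError("--dport only makes sense with -p tcp or -p udp in this model")
    return rule


def rule_matches(rule, packet):
    """Every criterion the rule specifies must match; unspecified ones match anything."""
    if rule["src"] is not None and ipaddress.ip_address(packet["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and packet["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and packet.get("dport") != rule["dport"]:
        return False
    return True


def evaluate(rules, policy, packet):
    """Return the target of the first matching rule, else the chain's default policy."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule["target"]
    return policy


def sender_sees(target):
    """What the source observes: DROP is silent, REJECT sends an error back."""
    return {"DROP": "no response (silent timeout)",
            "REJECT": "an error message sent back to the source",
            "ACCEPT": "the connection proceeds"}[target]


# The four INPUT rules from the text, appended in the order given.
INPUT_RULES = [parse_rule(cmd) for cmd in (
    "iptables -A INPUT -s 192.168.10.1 -j DROP",
    "iptables -A INPUT -s 172.16.0.0/16 -j DROP",
    "iptables -A INPUT -p tcp --dport ssh -s 10.110.61.5 -j DROP",
    "iptables -A INPUT -p tcp --dport ssh -j DROP",
)]


def verdict(src, proto="tcp", dport=None, policy="ACCEPT"):
    """Run one packet (constructed as a dict) through INPUT_RULES under the given policy."""
    return evaluate(INPUT_RULES, policy, {"src": src, "proto": proto, "dport": dport})
```

Running packets through it also shows that once the fourth rule is in place, the third can never change an outcome: any SSH packet from 10.110.61.5 would be dropped by the fourth rule anyway.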
In most cases, ping is a command-line utility, although there are many GUI implementations available. You use the ping utility for two primary purposes:
- To find out if a host is responding
- To find out if you can reach a host

Here’s the syntax (you can use either command):

ping hostname
ping IP address

If you ping any station that has an IP address, the ICMP that’s part of that particular host’s TCP/IP stack will respond to the request. The ICMP test and response looks something like this:

ping 204.153.163.2

Pinging 204.153.163.2 with 32 bytes of data:
Reply from 204.153.163.2: bytes=32 time

arp -a

Interface: 192.168.0.6 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-15-05-06-31-b0     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 10.100.10.54 --- 0x10
  Internet Address      Physical Address      Type
  10.100.10.1           00-15-05-06-31-b0     dynamic
  10.100.10.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

By the way, the -g switch will produce the same result. Now, from this output, you can tell which MAC address is assigned to which IP address. Then, for static assignments, you can tell which workstation has a specific IP address and if it’s indeed supposed to have that address by examining your network documentation—you do have that record, right? For DHCP-assigned addresses, you can begin to uncover problems stemming from multiple DHCP scopes or servers doling out identical addresses and other common configuration issues. And remember that under normal circumstances, you shouldn’t see IP addresses in the ARP table that aren’t members of the same IP subnet as the interface.
If the machine has more than one network card (as may happen in Windows servers and on laptops with both Ethernet and wireless cards), each interface will be listed separately.

It’s good to know that in addition to displaying the ARP table, you can use the arp utility to manipulate the table itself. To add static entries to the ARP table, you use the arp command with the -s switch. These static entries will stay in the ARP table until the machine is rebooted. A static entry essentially hardwires a specific IP address to a specific MAC address so that when a packet needs to be sent to that IP address, it will automatically be sent to that MAC address. Here’s the syntax:

arp -s [IP Address] [MAC Address]

Simply replace the [IP Address] and [MAC Address] sections with the appropriate entries, like so:

arp -s 204.153.163.5 00-a0-c0-ab-c3-11

Now, take a look at your new ARP table by using the arp -a command. You should see something like this:

  Internet Address      Physical Address      Type
  204.153.163.5         00-a0-c0-ab-c3-11     static

Finally, if you want to delete entries from the ARP table, you can either wait until the dynamic entries time out or use the -d switch with the IP address of the static entry you’d like to delete, like this:

arp -d 204.153.163.5

Doing so effectively deletes the entry from the ARP table in memory. The arp utility doesn’t confirm successful additions or deletions (use arp -a or arp -g for that), but it will give you an error message if you use incorrect syntax.

Using the nslookup Utility

Whenever you’re configuring a server or a workstation to connect to the Internet, you’ve got to start by configuring DNS if you want name resolution to happen (that is, if you want to be able to type www.sybex.com instead of an IP address). When configuring DNS, it’s a very good thing to be able to test what IP address DNS is returning to ensure that it’s working properly.
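Before moving on to nslookup, here is an added example, not from the book, that parses the arp -a output shown above and applies the two checks the text describes: entries outside the interface’s subnet, and one MAC answering for several dynamic addresses (something to compare against your network documentation). The sample output is the book’s listing plus two constructed entries (10.200.5.9 and 192.168.0.77), and the /24 masks are assumed because arp -a does not print them; take the real masks from ipconfig.

```python
"""Parse Windows 'arp -a' output and flag entries the text says should not be there.

SAMPLE_ARP_A is constructed: the book's listing plus two deliberately odd
dynamic entries on the 192.168.0.6 interface. MASKS is assumed (/24) since
arp -a does not print subnet masks.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)\s+---\s+0x[0-9a-fA-F]+")
ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})"
                      r"\s+(dynamic|static)\s*$")

SAMPLE_ARP_A = """\
Interface: 192.168.0.6 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-15-05-06-31-b0     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
  10.200.5.9            00-0c-29-aa-bb-cc     dynamic
  192.168.0.77          00-15-05-06-31-b0     dynamic

Interface: 10.100.10.54 --- 0x10
  Internet Address      Physical Address      Type
  10.100.10.1           00-15-05-06-31-b0     dynamic
  10.100.10.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""
MASKS = {"192.168.0.6": 24, "10.100.10.54": 24}   # assumed prefix lengths


def parse_arp_a(text):
    """Return {interface_ip: [(ip, mac, type), ...]} from arp -a output."""
    tables, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:       # header and blank lines do not match
            tables[current].append((m.group(1), m.group(2).lower(), m.group(3)))
    return tables


def check_arp_table(tables, masks):
    """Flag off-subnet entries and one MAC behind several dynamic IPs on an interface.

    Multicast groups, the limited broadcast 255.255.255.255 and the subnet's own
    broadcast are static entries Windows always adds, so the subnet check skips them.
    Returns a list of (interface_ip, subject, reason) tuples.
    """
    findings = []
    for iface, entries in tables.items():
        net = ipaddress.ip_network(f"{iface}/{masks[iface]}", strict=False)
        by_mac = {}
        for ip, mac, kind in entries:
            addr = ipaddress.ip_address(ip)
            exempt = (addr.is_multicast or addr == net.broadcast_address
                      or ip == "255.255.255.255")
            if not exempt and addr not in net:
                findings.append((iface, ip, f"not in {net}"))
            if kind == "dynamic":
                by_mac.setdefault(mac, []).append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append((iface, mac, "one MAC for several IPs: " + ", ".join(ips)))
    return findings


if __name__ == "__main__":
    for iface, subject, reason in check_arp_table(parse_arp_a(SAMPLE_ARP_A), MASKS):
        print(f"{iface}: {subject} -> {reason}")
```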
The nslookup utility allows you to query a name server and quickly find out which name resolves to which IP address. The Linux/UNIX dig (short for domain information groper) utility does the same thing as nslookup. It’s primarily a command-line utility that allows you to perform a single DNS lookup for a specific entity, but it can also be employed in batch mode for a series of lookups. Detailed information on this command is beyond the scope of this study guide, but you can find more information on the web by searching for “UNIX/Linux dig.”

The nslookup utility comes with Windows as well as most versions of UNIX and Linux. You can run it from a Windows command prompt. At the command prompt, you can start the nslookup utility by typing nslookup and pressing Enter. When you’re inside this utility, the command prompt will change from something similar to a C:\> sign to a shorter > sign. It will also display the name and IP address of the default DNS server you will be querying (you can change it, if necessary). Then you can start using nslookup. The following output gives you a sample of the display after the nslookup command has been entered at the C:\> prompt:

C:\Users\tlammle>nslookup
Default Server:  gnt-corpdc1.globalnet.local
Address:  10.100.36.12

>

The primary job of nslookup is to tell you the many different features of a particular domain name, the names of the servers that serve it, and how they’re configured. To get that, just type in a domain name at the > prompt, and the nslookup utility will then return this information:

> lammle.com
Server:  dslmodem.domain.actdsltmp
Address:  192.168.0.1

Non-authoritative answer:
Name:    lammle.com
Address:  206.123.114.186

What this tells you is that the server that returned the information is not responsible (authoritative) for the zone information of the domain for which you requested an address and that the name server for the domain lammle.com is located at the IP address 206.123.114.186.
You can also ask nslookup for other information by setting a different option within nslookup. Just type set option at the > prompt and replace option with the actual option you want to use. For example, set type=mx makes nslookup return the MX (mail exchanger) records for a domain, which give you the hostnames and preference values of the domain's mail servers rather than a single IP address. If you can't decide which option you want, type a question mark (?) at the > prompt to see all available options.

If you type in nslookup and receive this reply

NS request timed out.
timeout was 2 seconds.
***Can't find server name for address 206.123.114.186: Timed out
Default Server: UnKnown
Address: fec0:0:0:ffff::1

then you know your DNS servers are not answering. The first lines show that nslookup couldn't even reverse-resolve the address of the configured DNS server (206.123.114.186), and fec0:0:0:ffff::1 is one of the IPv6 site-local addresses that Windows falls back to when no usable DNS server is reachable. You need to get over to the DNS server, stat!

EXERCISE 19.1

Examining DNS with nslookup

In this exercise, you will examine how to use the nslookup command.

1. Open the command prompt by clicking Start and then typing cmd. Right-click the command prompt result, select Run As Administrator, and press Enter.
2. Type nslookup -type=A wiley.com, press Enter, and note the results.
3. Type nslookup -type=MX wiley.com, press Enter, and note the results.

Reflecting back on Chapter 5, "Networking Devices," remember the various resource records. An A record is a host record, and an MX record is a mail exchanger record. Try other records with wiley.com and other domains.

Resolving Names with the Hosts File

The hosts file is really a lot like DNS, except its entries are static for each and every host and server. Within the hosts file, you'll find a collection of hostnames that devices reference for name-resolution purposes. And even though it works in both IPv4 and IPv6 environments, it's unlikely you will use it these days because the hosts file is a way-ancient relic left over from old UNIX machines. But just because it's museum quality doesn't mean you won't run into it now and then, which is the main reason I'm showing it to you. There's one more reason to know about it: the resolver checks the hosts file before it asks DNS, so an entry there silently overrides whatever DNS would have returned. That makes the file a favorite target for malware that wants to block or redirect traffic (antivirus update servers, for instance), and a file worth checking during an incident. You can find the hosts file in C:\Windows\System32\drivers\etc.
Just double-click the file, and then choose to open the file in Notepad or another text editor. Here's the default information; it's really nothing more than an explanation of how to use it and the local hosts for both IP and IPv6:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost

Any information entered to the right of a pound sign (#) in a hosts file is ignored, so you can use this space for comments. Because it's a plain ASCII text file, you add the IP address under the local hosts and then the name to which you want to resolve the IP address. It's a pretty simple configuration and, again, one I don't recommend using because you have to type in the names of every host on every machine in your network. DNS is definitely the name resolution of choice for networks today.

Do not get the hosts file confused with the hostname command. The hostname command doesn't do much but display the name of your host, as shown here:

C:\Users\tlammle>hostname /?
Prints the name of the current host.

hostname

C:\Users\tlammle>hostname
globalnet-todd

Using the mtr Command (pathping)

The mtr, or My traceroute, command is a computer program that combines the functions of the traceroute and ping utilities in a single network diagnostic tool. It also adds round-trip time and packet loss to the output; very cool.
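Returning to the hosts file from the previous section: because the file is checked ahead of DNS, the practical check is to parse it the way the resolver does (everything after a # is a comment, first column is the address, the rest are names) and flag any entry that sends a name you care about somewhere other than loopback or a deliberate sinkhole. The following Python is an added example, not code from the chapter; the file contents are constructed, and the watch list of names is an assumption you would replace with the domains that matter in your environment.

```python
"""Parse a hosts file and flag entries that hijack well-known names.

Added example, not from the original chapter. The file contents below are
constructed; WATCH_LIST is an assumed set of names that should never be
overridden locally.
"""
import ipaddress

# Constructed hosts file: the usual Microsoft header, two internal entries,
# a deliberate ad sinkhole, and one override nobody legitimately adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.100.36.12    gnt-corpdc1.globalnet.local   # internal DC
0.0.0.0         ads.example.net               # deliberate sinkhole
198.51.100.7    update.microsoft.com          # suspicious override
not-an-address  broken.example.net
"""

# Assumed watch list: names that should resolve through DNS, never locally.
WATCH_LIST = {"update.microsoft.com", "windowsupdate.com", "www.google.com"}

# Addresses used for blocking rather than redirecting; not worth an alert.
BENIGN_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return a list of (ip, [names]) tuples, ignoring comments and blanks.

    Everything from '#' to end of line is a comment, as the file's own header
    describes; lines whose first field is not an IPv4/IPv6 address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # validates both IPv4 and IPv6
        except ValueError:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(entries, watch_list=WATCH_LIST):
    """Return (ip, name) pairs that send a watched name to a real address.

    Pointing an update or security domain at an attacker-controlled host is a
    long-standing malware persistence trick; sinkhole/loopback targets are
    treated as deliberate blocking and are not flagged.
    """
    hits = []
    for ip, names in entries:
        if ip in BENIGN_TARGETS:
            continue
        for name in names:
            if name.lower() in watch_list:
                hits.append((ip, name))
    return hits


def check_hosts_file(path):
    """Read a real hosts file (for example C:\\Windows\\System32\\drivers\\etc\\hosts)
    and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))
```

On the sample, the only hit is the update.microsoft.com override; the 0.0.0.0 sinkhole and the loopback entries pass. The file on a real machine is small, so it is cheap to baseline it and diff it as part of routine host checks.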
The mtr command probes the routers on the path by sending packets with a limited hop count (TTL) and listening for the ICMP Time Exceeded messages the routers return when that limit runs out, just as traceroute does. It repeats this process regularly (usually once per second) and keeps track of the response times and packet loss of each hop along the path. The mtr command is great if you have Linux or UNIX, but by default, it's not installed on Windows devices. Third-party ports of mtr are available for Windows, and Microsoft has its own equivalent called pathping, which provides the same functions as mtr. Here's a look at the output and the options:

C:\Users\tlammle>pathping

Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n]
                [-p period] [-q num_queries] [-w timeout]
                [-4] [-6] target_name

Table 19.3 lists the options of the Windows pathping command.

TABLE 19.3 pathping options

Option            Description
-g host-list      Uses a loose source route along the host list
-h maximum_hops   Specifies the maximum number of hops to search for the target
-i address        Uses the specified source address
-n                Does not resolve addresses to hostnames
-p period         Waits period milliseconds between pings
-q num_queries    Specifies the number of queries per hop
-w timeout        Waits timeout milliseconds for each reply
-4                Forces using IPv4
-6                Forces using IPv6

The mtr utility is basically the same as traceroute and ping, but it does give you some additional output that can help you troubleshoot your network.

Using the Nmap Utility

Nmap is one of the most popular port scanning tools used today. After performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received. These flags are used to control the TCP connection process and so are present only in TCP packets. Figure 19.5 shows a TCP header with the important flags circled.
Normally flags are "turned on" by the normal TCP process, but an attacker (or a scanner such as Nmap) can craft packets with exactly the combination of flags they want to test. Figure 19.5 shows these flags, among others:

FIGURE 19.5 TCP flags

URG: Urgent pointer field significant
ACK: Acknowledgment field significant
PSH: Push function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender

While the application of a scan and interpretation of the responses are beyond the scope of this book, security analysts and hackers alike can perform scans with these flags set in the scan packets to get responses that allow them to determine the following information:

If a port is open on a device
If the port is blocked by a firewall before it gets to the device

Nmap can also be used as follows:

To determine the live hosts on a network
To create a logical "map" of the network

Two practical notes. First, Nmap can go further than open/closed: it can identify the service and version listening on an open port (the -sV option) and guess the operating system from the behavior of its TCP/IP stack (the -O option), which is why its output is as useful to an attacker building a target list as it is to you building an inventory. Second, scanning hosts you don't own or have written permission to test is illegal in many jurisdictions, so keep your practice on your own lab network.

Using the route Command

I went over static routing in Chapter 9, "Introduction to IP Routing," so you know that Windows devices, like routers, can perform routing. Most of the time, it's a good idea to leave Windows alone, but it's still good to know how to add and delete routes on your Windows machines. Probably the biggest reason for manipulating the routing table on a Windows server is when that server is acting as a firewall. For instance, let's say we're running an Application layer firewall on a Windows server located between a screened subnet, formerly known as a demilitarized zone (DMZ), and the internal network. In that design, the server and the hosts located in the DMZ must not be able to route to the internal network's hosts, and vice versa, except through the firewall itself. To make that work, we would need to employ both static and default routing, because while Windows 10/11 and Windows Server versions support some routing protocols, running routing protocols on hosts and servers wouldn't be a good solution for today's networks, and Microsoft knows that.
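Returning to the Nmap discussion above: the flags live in a single byte of the TCP header, and the scan types that Nmap and similar tools use are nothing more than particular combinations of that byte sent to a port that never asked for them. The following Python is an added example, not code from the chapter or from Nmap. It builds minimal TCP headers as test vectors, decodes the flag byte back into names, and classifies an unsolicited segment by the scan it most likely belongs to; the classification labels follow the common port-scanning vocabulary (SYN, FIN, NULL, Xmas, ACK scans) and the header vectors are constructed.

```python
"""Decode the flags byte of a raw TCP header and classify the probe.

Added example, not from the original chapter or from Nmap. Headers built
here are test vectors (zero sequence numbers and checksum), not segments
you could actually transmit.
"""
import struct

# Flag bits in the TCP header's 14th byte (offset 13), RFC 793 order.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header with the named flags set."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # five 32-bit words, no options
    # src, dst, seq, ack, data offset, flags, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 0, 0, 0)


def decode_flags(tcp_header):
    """Return the set of flag names set in a raw TCP header."""
    flag_byte = tcp_header[13]
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify_probe(flags):
    """Name the scan type implied by an unsolicited segment's flags.

    An RFC-conformant host answers a SYN with SYN/ACK (open) or RST (closed),
    answers FIN/NULL/Xmas probes with RST only when the port is closed, and a
    filtering firewall typically answers nothing at all. That asymmetry is
    what lets a scanner tell open, closed, and filtered apart.
    """
    flags = set(flags)
    if flags == {"SYN"}:
        return "SYN scan (half-open)"
    if flags == {"FIN"}:
        return "FIN scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan"
    if not flags:
        return "NULL scan"
    if flags == {"ACK"}:
        return "ACK scan (firewall rule mapping)"
    if flags == {"SYN", "ACK"}:
        return "SYN/ACK reply (port open)"
    if "RST" in flags:
        return "RST reply (port closed or connection refused)"
    return "normal traffic or unknown"


def classify_header(tcp_header):
    """Raw header bytes -> scan classification."""
    return classify_probe(decode_flags(tcp_header))


if __name__ == "__main__":
    for name, flags in [("syn", ["SYN"]), ("xmas", ["FIN", "PSH", "URG"]),
                        ("null", []), ("rst", ["RST", "ACK"])]:
        header = build_tcp_header(40000, 80, flags)
        print(f"{name:5s} {header.hex()}  -> {classify_header(header)}")
```

The byte you hand to decode_flags is the same one you would read from a packet capture (offset 13 of the TCP header), so the same function works unchanged on segments pulled from a pcap; the difference between a real NULL scan and a corrupted packet is that the scanner sends them to many ports in quick succession.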
To view the routing table on a Windows device, use the route print command, as shown in Figure 19.6. In this output, you can see that each of the routes was added automatically when the system booted up. (This is all based on the configuration of your IP stack.) To see all the options available with the route command, type route and then press Enter. To add a route to your routing table, use the following syntax:

route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]

FIGURE 19.6 route print output

Using the route Command Options

Let's start with the switches you can use:

-f  Using this switch with any of the options like add, change, or delete will clear the routing table of all entries that aren't host routes (routes with the subnet mask 255.255.255.255), the loopback network route or routes (routes with a destination of 127.0.0.0 and the subnet mask 255.0.0.0), and any multicast routes (those with a destination of 224.0.0.0 and the subnet mask 240.0.0.0).

-p  If you use this with the add command, the individual route will be added to the Registry and then used to initialize the IP routing table whenever TCP/IP is started. It's important to remember that by default the routes you've statically added won't remain in the routing table the next time TCP/IP boots. And if you use -p with the print command (route -p print), you'll be shown the list of persistent routes that are stored in the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

Now, let's take a look at how and when you would use the route command. Table 19.4 shows the command options available and what they do when you are using the route command with them.
TABLE 19.4 route command options

Command   Purpose
Add       Adds a route
Change    Modifies an existing route
Delete    Deletes a route (or routes)
Print     Prints a route (or routes)

Here's a description of the rest of the command's arguments:

Destination  The network destination of the route. It is written as the destination's IP network address (with the host bits set to 0), as the IP address of a specific host for a host route, or as 0.0.0.0 for the default route.

mask netmask  The netmask, often referred to as the subnet mask, that's associated with the destination network. The default route uses the mask 0.0.0.0, and typically you'll see 255.255.255.255 representing a host route. It's really important to remember that the destination address can't be more specific than its corresponding subnet mask. What I'm saying is that there absolutely can't be a bit set to 1 in the destination address if the equivalent bit in the subnet mask is a 0; route refuses to add such an entry.

Gateway  The next-hop IP address, which depends on the network address and subnet mask. For routes located on a local subnet, the gateway maps directly to a particular interface (route print shows these as On-link). If the destination is on a remote network, the gateway IP address is the neighboring router that packets will be handed to.

metric metric  Metric refers to the cost of a given route from the sending to the receiving device, and it's a value between 1 and 9999. Devices use this value to choose the best, or most efficient, route among those in their routing table: when more than one route matches a destination equally well, the route with the lowest value wins. The value an administrator assigns can reflect factors like the number of hops and the speed, reliability, and available bandwidth of the path being considered, plus the various administrative aspects associated with it.
if interface  The interface index of the interface that should send the traffic. If you omit it, route determines the interface from the gateway address. You can get a list of interfaces along with their interface indexes by typing the route print command.

/?  Using this will allow you to view help at the command prompt.

Some Examples of the route Command

Even though the finer points of the route command demand that you use caution when deploying some of the options, I'll still list the basics of the route command because it can be really useful. I highly recommend that you spend some time practicing them on a non-production server, though, especially at first. Adding, changing, or deleting routes requires an elevated command prompt.

To display the entire IP routing table, type route print.

To add a default route with the default gateway address 192.168.10.1, type route add 0.0.0.0 mask 0.0.0.0 192.168.10.1.

To add a route to the destination 10.1.1.0 with the subnet mask 255.255.255.0 and the next-hop address 10.2.2.2, type route add 10.1.1.0 mask 255.255.255.0 10.2.2.2.

To add a persistent route to the destination 10.100.0.0 with the subnet mask 255.255.0.0 and the next-hop address 10.2.0.1, type route -p add 10.100.0.0 mask 255.255.0.0 10.2.0.1.

To delete the route to the destination 10.100.0.0 with the subnet mask 255.255.0.0, enter route delete 10.100.0.0 mask 255.255.0.0.

Finally, to change the next-hop address of the route with the destination 10.100.0.0 and the subnet mask 255.255.0.0 from 10.2.0.1 to 10.7.0.5, type route change 10.100.0.0 mask 255.255.0.0 10.7.0.5.

Because a persistent route survives reboots, it is also a cheap way for an intruder to keep steering a host's traffic through a machine they control, so route -p print (or the PersistentRoutes Registry key mentioned earlier) is worth a look whenever you suspect traffic is going somewhere it shouldn't.

Let's move on to some other important Windows utilities.

Using the netstat Utility

Using netstat is a great way to check out the inbound and outbound TCP/IP connections on your machine. You can also use it to view packet statistics like how many packets have been sent and received, the number of errors, and so on.
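Back to the route examples in the previous section: two things are worth seeing in code rather than prose, the rule that a destination may not have a 1 bit where its mask has a 0 bit, and the longest-prefix-match selection (then lowest metric) that decides which of several overlapping routes actually carries a packet. The following Python is an added example, not code from the chapter or from Windows; the routing table it uses is constructed from the destinations, masks, and next hops in the route examples above, and the interface addresses and metrics are assumptions.

```python
"""Validate route add arguments and pick the matching route by longest prefix.

Added example, not from the original chapter. ROUTING_TABLE is constructed
from the chapter's route examples; interface addresses and metrics are
assumed.
"""
import ipaddress

# Constructed table in `route print` terms:
# (destination, mask, gateway, interface, metric)
ROUTING_TABLE = [
    ("0.0.0.0",    "0.0.0.0",       "192.168.10.1", "192.168.10.50", 25),
    ("10.1.1.0",   "255.255.255.0", "10.2.2.2",     "10.2.2.10",     1),
    ("10.100.0.0", "255.255.0.0",   "10.2.0.1",     "10.2.2.10",     1),
    ("10.100.7.0", "255.255.255.0", "10.7.0.5",     "10.2.2.10",     1),
    ("127.0.0.0",  "255.0.0.0",     "On-link",      "127.0.0.1",     331),
]


def validate_route(destination, mask):
    """Return the normalized network ('10.1.1.0/24') or raise ValueError.

    strict=True enforces the rule from the text: a 1 bit in the destination
    where the mask has a 0 bit means host bits are set, and the route is
    rejected just as `route add` rejects it.
    """
    net = ipaddress.IPv4Network((destination, mask), strict=True)
    return str(net)


def is_valid_route(destination, mask):
    """Boolean form of validate_route for callers that only want yes/no."""
    try:
        validate_route(destination, mask)
        return True
    except ValueError:
        return False


def build_table(rows):
    """Turn (dest, mask, gw, iface, metric) rows into network objects."""
    return [(ipaddress.IPv4Network((dest, mask), strict=True), gw, iface, metric)
            for dest, mask, gw, iface, metric in rows]


def lookup(table, ip):
    """Longest-prefix match first, lowest metric as the tie-breaker.

    This is the order of preference Windows (and routers generally) apply;
    the default route only wins when nothing more specific matches.
    """
    addr = ipaddress.IPv4Address(ip)
    candidates = [row for row in table if addr in row[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda row: (row[0].prefixlen, -row[3]))


def next_hop(rows, ip):
    """(network, gateway, interface) the host would use for `ip`, or None."""
    row = lookup(build_table(rows), ip)
    if row is None:
        return None
    net, gw, iface, _metric = row
    return (str(net), gw, iface)


if __name__ == "__main__":
    for target in ("10.100.7.33", "10.100.200.1", "10.1.1.9", "8.8.8.8"):
        print(target, "->", next_hop(ROUTING_TABLE, target))
    print("10.1.1.5/255.255.255.0 valid?", is_valid_route("10.1.1.5", "255.255.255.0"))
```

Note how 10.100.7.33 goes to 10.7.0.5 through the /24 even though the /16 for 10.100.0.0 also covers it; that is exactly the behavior an attacker relies on when they add a more specific route to hijack traffic for a single subnet, and it is why comparing the table's most specific entries against what you expect is more useful than eyeballing the default route.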
When used without any options, netstat produces output similar to the following, which lists the machine's active TCP connections. Because most of what a workstation has open was initiated by the workstation, this makes it a great tool to use to determine the status of outbound web connections. Take a look:

C:\Users\tlammle>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:49545     gnt-exchange:epmap     TIME_WAIT
  TCP    10.100.10.54:49548     gnt-exchange:epmap     TIME_WAIT
  TCP    10.100.10.54:49551     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:49557     gnt-exchange:1026      ESTABLISHED
  TCP    10.100.10.54:49590     gnt-exchange:epmap     TIME_WAIT
  TCP    127.0.0.1:49174        globalnet-todd:62214   ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:49174   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:49170      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:49171      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:49473      205.128.92.124:http    CLOSE_WAIT
  TCP    192.168.0.6:49625      64-190-251-21:ftp      ESTABLISHED
  TCP    192.168.0.6:49628      210-11:http            ESTABLISHED
  TCP    192.168.0.6:49629      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49630      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49631      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49632      varp1:http             ESTABLISHED
  TCP    192.168.0.6:49635      199.93.62.125:http     ESTABLISHED
  TCP    192.168.0.6:49636      m1:http                ESTABLISHED
  TCP    192.168.0.6:49638      spe:http               ESTABLISHED

The Proto column lists the protocol being used. You can see that I'm connected to my Exchange server and an FTP server and that I have some HTTP sessions open; by the way, all of them use TCP at the Transport layer. The Local Address column lists the source address and the source port (source socket). The Foreign Address column lists the address of the destination machine (the hostname if it's been resolved). If the destination port is a well-known one, it will show up as the service name rather than the number. In the previous output, you see http instead of port 80 and ftp instead of port 21. The State column indicates the status of each connection.
This column shows a state only for TCP connections because User Datagram Protocol (UDP) establishes no virtual circuit to the remote device. Usually, this column indicates ESTABLISHED when a TCP connection between your computer and the destination computer has been established. All sessions eventually time out and then close, and you can see that I have all of these listed in my netstat output.

If the address of either your computer or the destination computer can be found in the hosts file on your computer, the destination computer's name, rather than the IP address, will show up in either the Local Address or Foreign Address column.

The output of the netstat utility depends on the switch. By using the netstat /? command, we can see the options available to us.

C:\Users\tlammle>netstat /?

Table 19.5 lists all of the netstat switch options.

TABLE 19.5 netstat options

Option    Description
-a        Displays all connections and listening ports.
-b        Displays the executable involved in creating each connection or listening port. In some cases, well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. Note that this option can be time consuming and will fail unless you have sufficient permissions.
-e        Displays Ethernet statistics. This may be combined with the -s option.
-f        Displays fully qualified domain names (FQDNs) for foreign addresses.
-n        Displays addresses and port numbers in numerical form.
-o        Displays the owning process ID associated with each connection.
-p proto  Shows connections for the protocol specified by proto; proto may be TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r        Displays the routing table.
-s        Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-t        Displays the current connection offload state.
interval  Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics. If interval is omitted, netstat will print the current configuration information once.

Simply type netstat followed by a space and then the particular switch you want to use. Some switches have options, but no matter what, the syntax is basically the same. Note that with UNIX/Linux-type switches, the hyphen absolutely must be included. This is common in Microsoft operating systems for TCP/IP utilities that originate from UNIX systems. I'm not going to exhaustively go over each and every switch, but make sure you practice all of these on your own Windows machine.

The -a Switch

When you use the -a switch, the netstat utility displays all TCP/IP connections, every listening TCP port, and all UDP sockets. Figure 19.7 shows sample output produced by the netstat -a command.

FIGURE 19.7 Sample output of the netstat -a command

The last two entries in Figure 19.7 show that the protocol is UDP and give the source-port nicknames nbname and nbdatagram. These are the well-known port numbers of 137 and 138, respectively. These port numbers are commonly seen on networks where workstations broadcast their NetBIOS names over TCP/IP. The Foreign Address for these UDP rows is listed as *:* (meaning "any address, any port") because a UDP socket has no peer; it is simply bound to a local port and will accept datagrams from anyone, which for the NetBIOS name service includes the broadcasts other hosts send. The State column in Figure 19.7 has no entry for the UDP rows because UDP is not a connection-oriented protocol and, therefore, has no connection state.

The most common use for the -a switch is to check the status of a TCP/IP connection that appears to be hung. You can determine if the connection is simply busy or is actually hung and no longer responding. In practice, the combination you'll type most often during an investigation is netstat -ano: all sockets, numeric addresses, and the owning process ID, so you can match each listening port or outbound connection to a process in Task Manager or tasklist and decide whether it belongs there.
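The checks just described (which ports are listening, which process owns them, and whether a pile of connections is stuck rather than busy) are easy to do once but tedious to repeat, so here they are as a script. The following Python is an added example, not code from the chapter; it parses netstat output in the Windows format with the -n and -o switches from Table 19.5 applied (as produced by netstat -ano), and the sample listing, hostnames, ports, and PIDs are all constructed. The approved-port list passed to unexpected_listeners is an assumption you would replace with the host's own baseline.

```python
"""Parse Windows `netstat -ano` output and flag what a responder looks for.

Added example, not from the original chapter. The listing below is
constructed; the PID column comes from the -o switch, and UDP rows carry no
state because UDP has no connection.
"""
import re
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    10.100.10.54:49551     10.100.36.13:1151      ESTABLISHED     2208
  TCP    192.168.0.6:49638      198.51.100.20:80       ESTABLISHED     5560
  TCP    192.168.0.6:50001      203.0.113.5:6667       SYN_SENT        3120
  TCP    192.168.0.6:50002      203.0.113.6:6667       SYN_SENT        3120
  TCP    192.168.0.6:50003      203.0.113.7:6667       SYN_SENT        3120
  TCP    192.168.0.6:50004      203.0.113.8:6667       SYN_SENT        3120
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
"""

# proto, local addr:port, foreign addr:port, optional state, PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        sockets.append({
            "proto": proto, "laddr": laddr, "lport": int(lport),
            "faddr": faddr, "fport": fport,   # '*' for UDP, so keep as str
            "state": state or "",             # UDP rows have no state column
            "pid": int(pid),
        })
    return sockets


def listening_sockets(sockets):
    """(proto, local port, pid) for every socket waiting for inbound traffic."""
    return sorted(
        (s["proto"], s["lport"], s["pid"])
        for s in sockets
        if s["state"] == "LISTENING" or s["proto"] == "UDP"
    )


def unexpected_listeners(sockets, allowed_ports):
    """Listeners not on the host's approved port list (list assumed)."""
    return [(p, port, pid) for p, port, pid in listening_sockets(sockets)
            if port not in allowed_ports]


def syn_sent_storms(sockets, threshold=3):
    """PIDs with at least `threshold` half-open outbound connections.

    Many SYN_SENT entries from one process mean it is scanning, flooding
    someone, or repeatedly failing to reach a server that is down or blocked;
    the value is the count and the sorted set of ports it was trying.
    """
    per_pid = Counter(s["pid"] for s in sockets if s["state"] == "SYN_SENT")
    result = {}
    for pid, count in per_pid.items():
        if count >= threshold:
            ports = sorted({int(s["fport"]) for s in sockets
                            if s["pid"] == pid and s["state"] == "SYN_SENT"})
            result[pid] = (count, ports)
    return result
```

On the sample, PID 3120 both listens on an unexplained port (4444) and has four half-open connections to port 6667 on different hosts, which is the pattern worth chasing with tasklist /fi "PID eq 3120". On a live machine, feed the function the text from subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout.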
The -e Switch

The -e switch displays a summary of all the packets that have been sent and received over the network interface card (NIC) since the interface was started. The Received and Sent columns show packets coming in as well as being sent:

C:\Users\tlammle>netstat -e
Interface Statistics

                           Received            Sent

Bytes                       7426841         7226953
Unicast packets               25784           35006
Non-unicast packets            1115           12548
Discards                          0               0
Errors                            0              71
Unknown protocols                 0

You can use the -e switch to display the following categories of statistics:

Bytes  The number of bytes transmitted or received since the computer was turned on. This statistic is useful for finding out if data is actually being transmitted and received or if the network interface isn't doing anything at all.

Unicast Packets  The number of packets sent from or received at this computer. To register in one of these columns, the packet must be addressed directly from one computer to another and the computer's address must be in either the source or destination address section of the packet.

Non-Unicast Packets  The number of packets that weren't directly sent from one workstation to another. For example, a broadcast packet is a non-unicast packet. The number of non-unicast packets should be smaller than the number of unicast packets. If the number of non-unicast packets is as high as or higher than that of unicast packets, too many broadcast packets are being sent over your network. Definitely find the source of these packets and make any necessary adjustments to optimize performance.

Discards  The number of packets that were discarded by the NIC during either transmission or reception because they weren't assembled correctly.

Errors  The number of errors that occurred during transmission or reception. (These numbers may indicate problems with the network card.)

Unknown Protocols  The number of received packets that the Windows networking stack couldn't interpret.
This statistic shows up only in the Received column because if the computer sent them, they wouldn't be unknown, right?

Unfortunately, statistics don't mean much unless they can be colored with time information. For example, if the Errors row shows 71 errors, is that a problem? It might be if the computer has been on for only a few minutes. But 71 errors could be par for the course if the computer has been operating for several days. The netstat utility doesn't have a way of indicating how much time has elapsed for these statistics, so compare the counters against the system's boot time (systeminfo reports it) or take two snapshots a known interval apart.

The -r Switch

You use the -r switch to display the current route table for a workstation so that you can see exactly how TCP/IP information is being routed. This will give you the same output as the route print command that we covered earlier in this chapter.

The -s Switch

Using the -s switch displays a variety of TCP, UDP, IP, and ICMP protocol statistics. But be warned: the output you'll get is really long, which may or may not be okay for you. For this book, it's way too long for me to insert. With that in mind, we can add another modifier called the -p switch.

The -p Switch

Like the -n switch, the -p switch is a modifier that's usually used with the -s switch to specify which protocol statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only 
ICMP statistics, you use the -p switch like so:

netstat -s -p ICMP

The netstat utility then displays the ICMP statistics instead of the entire gamut of TCP/IP statistics that the -s switch will typically flood you with.
For a different example, let's use the -s and -p switches to retrieve some IPv6 information:

C:\Users\tlammle>netstat -s -p IPV6

IPv6 Statistics

  Packets Received                   = 1400
  Received Header Errors             = 0
  Received Address Errors            = 6
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 451
  Received Packets Delivered         = 10441
  Output Requests                    = 24349
  Routing Discards                   = 0
  Discarded Output Packets           = 3575
  Output Packet No Route             = 41
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

C:\Users\tlammle>

Nice! Gets right to the point. Now, let's see the TCP connections my host has:

C:\Users\tlammle>netstat -s -p tcp

TCP Statistics for IPv4

  Active Opens                        = 7832
  Passive Opens                       = 833
  Failed Connection Attempts          = 1807
  Reset Connections                   = 2428
  Current Connections                 = 11
  Segments Received                   = 1391678
  Segments Sent                       = 1340994
  Segments Retransmitted              = 6246

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:54955     gnt-exchange:1026      ESTABLISHED
  TCP    10.100.10.54:55218     gnt-exchange:epmap     TIME_WAIT
  TCP    127.0.0.1:2492         globalnet-todd:54840   ESTABLISHED
  TCP    127.0.0.1:54516        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:54840        globalnet-todd:2492    ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:54516   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:http    CLOSE_WAIT

C:\Users\tlammle>

This kind of efficiency is exactly why it's good to use the -p modifier with the -s switch. Because the Network+ exam doesn't cover them, we won't go into detail about what all these statistics mean for most of these commands. You can probably figure out most of them; for instance, Packets Received.
For more details, go to Microsoft's support website at https://support.microsoft.com/en-us.

The -n Switch

The -n switch is a modifier for the other switches. When used with them, it reverses the natural tendency of netstat to use names instead of network addresses. In other words, when you use the -n switch, the output always displays network addresses instead of their associated network names. The following shows the same connections twice, first from plain netstat and then from netstat -n; the second listing has IP addresses instead of names and port numbers instead of service names (note :80 instead of :http in the last row). Skipping the name lookups also makes -n much faster, which matters when the machine is busy or when DNS is the thing that's broken.

C:\Users\tlammle>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     gnt-exchange:1151      ESTABLISHED
  TCP    10.100.10.54:54955     gnt-exchange:1026      ESTABLISHED
  TCP    127.0.0.1:2492         globalnet-todd:54840   ESTABLISHED
  TCP    127.0.0.1:54516        globalnet-todd:62514   ESTABLISHED
  TCP    127.0.0.1:54840        globalnet-todd:2492    ESTABLISHED
  TCP    127.0.0.1:62514        globalnet-todd:54516   ESTABLISHED
  TCP    192.168.0.6:2492       blugro2relay:2492      ESTABLISHED
  TCP    192.168.0.6:2492       blugro3relay:2492      ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      oam-d05c:5190          ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:http    CLOSE_WAIT

C:\Users\tlammle>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.100.10.54:54737     10.100.36.13:1151      ESTABLISHED
  TCP    10.100.10.54:54955     10.100.36.13:1026      ESTABLISHED
  TCP    127.0.0.1:2492         127.0.0.1:54840        ESTABLISHED
  TCP    127.0.0.1:54516        127.0.0.1:62514        ESTABLISHED
  TCP    127.0.0.1:54840        127.0.0.1:2492         ESTABLISHED
  TCP    127.0.0.1:62514        127.0.0.1:54516        ESTABLISHED
  TCP    192.168.0.6:2492       65.55.239.100:2492     ESTABLISHED
  TCP    192.168.0.6:2492       65.55.248.110:2492     ESTABLISHED
  TCP    192.168.0.6:54527      64.12.25.26:5190       ESTABLISHED
  TCP    192.168.0.6:54531      205.188.248.163:5190   ESTABLISHED
  TCP    192.168.0.6:55163      207.123.44.123:80      CLOSE_WAIT

C:\Users\tlammle>

Real World Scenario: Uses for netstat

You might be saying to yourself, "Fine.
I can use lots of cool switches with netstat, but really, what for?" I'm always finding uses for netstat. For instance, once I found a particularly nasty worm on my PC using netstat. I just happened to run netstat for giggles one day and noticed a very large number of outbound connections to various places on the Internet. My PC was sending out SYN packets to a large number of hosts (an indication that my computer was involved, unknowingly, in a large-scale denial-of-service attack). Upon further examination, I noticed that this activity would start shortly after bootup. I tried running netstat after bootup and noticed that the first outbound connection was to TCP port 6667, some Internet Relay Chat (IRC) server I'd never heard of; I didn't even have an IRC client on my machine at the time. The worm was particularly nasty to try to get rid of while active, so I turned off port 6667 on my firewall. That prevented the initial connection to the IRC server and, as I found out later, nicely prevented the worm from getting its instructions from the IRC server. I was then able to simply remap without netstat. Even my antivirus program missed it.

EXERCISE 19.2

Examining Connections with netstat

In this exercise, you will examine how to use the netstat command to identify TCP connections.

1. Open the command prompt by clicking Start and then typing cmd. Right-click the command prompt result, select Run As Administrator, and press Enter.
2. Type netstat -n and wait for the output.
3. Examine the foreign addresses and the state of the connections.
4. Open a web browser, type http://1.2.3.4:1234, and press Enter. Note: The web browser will eventually time out; you are just creating traffic for the next step.
5. Type netstat -n and wait for the output.
6. Examine the foreign addresses and the state of the connections. Notice that the output will show 1.2.3.4:1234 with a state of SYN_SENT.
Remember from Chapter 6, "Introduction to the Internet Protocol," that the TCP protocol requires a three-way handshake. Because nothing answers on that address and port, only the first part of the three-way handshake (the SYN your host sent) has happened, so netstat reports the socket in the SYN_SENT state until the connection attempt gives up. A host showing a large number of SYN_SENT entries is either scanning, being used to flood someone, or trying to reach a server that is down or blocked; in all three cases it's worth finding out which process owns them.

Using tcpdump

The tcpdump utility is used to read either packets captured live from a network or packets that have been saved to a file. Although there is a Windows version called windump, tcpdump itself works only on UNIX-like operating systems, and capturing requires root privileges (or the CAP_NET_RAW capability on Linux).

Examples of Using tcpdump

Use this command to capture traffic on all interfaces:

# tcpdump -i any

Here is the command to capture traffic on a particular interface:

# tcpdump -i eth0

To filter traffic by IP, whether it's the source or the destination, use this command:

# tcpdump host 192.168.5.5

A few options you'll want almost every time: -n stops tcpdump from resolving addresses to names (which is slower and itself generates DNS traffic), -c followed by a count stops after that many packets, and -w followed by a filename writes the raw packets to a pcap file that you can open later in Wireshark or read back with tcpdump -r. The filter expressions use the same BPF syntax as Wireshark's capture filters, so terms such as port 53, net 10.0.0.0/8, and host 192.168.5.5 and not port 22 can be combined as needed.

Basic Networking Device Commands

In this section, I'll run through some basic and common router and switch commands. Let's get started with the common CLI command, show running-config.

show running-config (Show Run)

To verify the configuration in dynamic RAM (DRAM), use the show running-config command (sh run for short), which provides the current configuration the device is using:

Router#show running-config
Building configuration...

Current configuration : 877 bytes
!
version 15.0

Next, you should check the configuration stored in non-volatile RAM (NVRAM), which is basically RAM that is not deleted when the device is either turned off or rebooted. To see this, use the show startup-config command (sh start for short):

Router#sh start
Using 877 out of 724288 bytes
!
! Last configuration change at 04:49:14 UTC Fri Mar 7 2024
!
version 15.0

As shown in the following output, by copying running-config to NVRAM as a backup, you ensure that your running-config file will always be reloaded if the router gets rebooted. Starting in the 12.0 IOS, you'll be prompted for the filename you want to use.
Router#copy running-config startup-config
Destination filename [startup-config]?[enter]
Building configuration...
[OK]

To delete the startup-config file on a Cisco router or switch, use the command erase startup-config:

Todd#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm][enter]
[OK]
Erase of nvram: complete
*Mar 7 17:55:20.405: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Todd#reload
System configuration has been modified. Save? [yes/no]:n
Proceed with reload? [confirm][enter]
*Mar 7 17:55:31.079: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

This command deletes the contents of NVRAM on the switch and router. If you type reload while in privileged mode and say no to saving changes, the switch or router will reload and come up into setup mode since you no longer have a configuration on the device.

show config

The show config command displays all the configuration settings for the device that have been changed from the default settings on many various industry devices. See the earlier show running-config command output for an example of a Cisco configuration.

Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a Cisco proprietary Data Link layer protocol used for gathering information about directly connected Cisco devices. By default, a device sends a CDP advertisement out every interface every 60 seconds (to the multicast MAC address 01:00:0C:CC:CC:CC), and a neighbor keeps what it hears for a holdtime of 180 seconds. The advertisement carries the details of the Cisco device, including its IP address, platform, IOS version, and capabilities. Even though CDP doesn't technically provide management access, it's really useful if you're working on Cisco networks and need to figure out how the various Cisco devices are connected. The flip side is that anyone who can plug into a port that sends CDP (an attacker's laptop running a sniffer, for example) gets that same inventory of platforms and software versions for free, so the usual hardening advice is to keep CDP on infrastructure links only and turn it off on user-facing ports with the interface command no cdp enable, or everywhere with the global command no cdp run. The same advice applies to its standards-based cousin, LLDP.

show cdp neighbors

The show cdp neighbors command (sh cdp nei for short) delivers information about directly connected devices. It's important to remember that CDP packets aren't passed through a Cisco switch and that you see only what's directly attached.
This means that if your router is connected to a switch, you won’t see any other Cisco devices connected to that switch! The following output shows the show cdp neighbors command:

SW-3#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW-1             Fas 0/1           150             S I    WS-C3560- Fas 0/15
SW-1             Fas 0/2           150             S I    WS-C3560- Fas 0/16
SW-2             Fas 0/5           162             S I    WS-C3560- Fas 0/5
SW-2             Fas 0/6           162             S I    WS-C3560- Fas 0/6

The previous output shows that my console cable is connected to the SW-3 switch and that SW-3 is directly connected to two other switches. CDP lets me see who my directly connected neighbors are and gather information about them. From the SW-3 switch, you can see that there are two connections to SW-1 and two connections to SW-2. SW-3 connects to SW-1 with ports Fas 0/1 and Fas 0/2, and there are connections to SW-2 with local interfaces Fas 0/5 and Fas 0/6. Both the SW-1 and SW-2 switches are 3560 switches. SW-1 is using ports Fas 0/15 and Fas 0/16 to connect to SW-3. SW-2 is using ports Fas 0/5 and Fas 0/6.

To summarize, the device ID shows the configured hostname of the connected device, the local interface is our interface, and the port ID is the remote device’s directly connected interface. Remember that all you get to view are directly connected devices! Table 19.6 summarizes the information displayed by the show cdp neighbors command for each device.

TABLE 19.6 Output of the show cdp neighbors command

Field            Description
Device ID        The hostname of the device directly connected.
Local Interface  The port or interface that CDP packets are received on.
Holdtime         The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability       The capability of the neighbor—the router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform         The type of Cisco device directly connected. In the previous output, SW-3 shows that it’s directly connected to two 3560 switches.
Port ID          The neighbor device’s port or interface that CDP packets are multicast from.

Another command that will deliver the goods on neighbor information is the show cdp neighbors detail command (show cdp nei de for short). The show cdp neighbors detail command can be run on both routers and switches. It displays detailed information about each device connected to the device you’re running the command on. Check out the switch output:

SW-3#sh cdp neighbors detail
-------------------------
Device ID: SW-1
Entry address(es):
  IP address: 10.100.128.10
Platform: cisco WS-C3560-24TS,  Capabilities: Switch IGMP
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/15
Holdtime : 135 sec

Version :
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:10 by prod_rel_team

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=25, value=00000000FFFFFFFF010221FF000000000000001C555EC880Fc00f000
VTP Management Domain: 'NULL'
Native VLAN: 1
Duplex: full
Power Available TLV:
    Power request id: 0, Power management id: 1, Power available: 0, Power management level: -1
Management address(es):
  IP address: 10.100.128.10

-------------------------
[output cut]
-------------------------
Device ID: SW-2
Entry address(es):
  IP address: 10.100.128.9
Platform: cisco WS-C3560-8PC,  Capabilities: Switch IGMP
Interface: FastEthernet0/5,  Port ID (outgoing port): FastEthernet0/5
Holdtime : 129 sec

Version :
Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 19-Jul-05 18:15 by nachen

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=25, value=00000000FFFFFFFF010221FF000000000000B41489D91880Fc00f000
VTP Management Domain: 'NULL'
Native VLAN: 1
Duplex: full
Power Available TLV:
    Power request id: 0, Power management id: 1, Power available: 0, Power management level: -1
Management address(es):
  IP address: 10.100.128.9
[output cut]

What do we see here? We’ve been given the hostname and IP address of all directly connected devices. In addition to the same information displayed by the show cdp neighbors command, the show cdp neighbors detail command tells us the IOS version and IP address of the neighbor device. Nice!

Link Layer Discovery Protocol

Before moving away from CDP, I need to discuss a nonproprietary discovery protocol that provides much of the same information as CDP but works in multivendor networks. The IEEE created a new standardized discovery protocol called 802.1AB for Station and Media Access Control Connectivity Discovery. We’ll just call it the Link Layer Discovery Protocol (LLDP). LLDP defines basic discovery capabilities, but it was also enhanced to specifically address the voice application, and this version is called LLDP-Media Endpoint Discovery (MED). LLDP and LLDP-MED are not compatible.
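CDP (and LLDP) hands you the neighbor table as plain text, and a quick way to make use of it, for instance to compare what the switch actually sees against the topology you expect, is to parse it. The following Python script is an added example and is not part of this chapter or of Cisco’s software; it parses the SW-3 show cdp neighbors output from above (embedded here as a constructed string), groups the links per neighbor, and flags any neighbor hostname that is not in an expected set. The expected set and the token-based column handling are assumptions made for the example.

```python
"""Parse 'show cdp neighbors' and check the neighbors against an expected set.

Added example, not code from the chapter or from Cisco. The sample below is the
SW-3 output shown earlier, embedded as a constructed string.
"""

CDP_SAMPLE = """\
SW-3#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW-1             Fas 0/1           150             S I    WS-C3560- Fas 0/15
SW-1             Fas 0/2           150             S I    WS-C3560- Fas 0/16
SW-2             Fas 0/5           162             S I    WS-C3560- Fas 0/5
SW-2             Fas 0/6           162             S I    WS-C3560- Fas 0/6
"""

# One-letter capability codes, exactly as the legend at the top of the output lists them.
CAPABILITY_CODES = set("RTBSHIrPDCM")


def parse_cdp_neighbors(text):
    """Return one dict per table row.

    Column widths differ between IOS versions, so instead of fixed offsets each row
    is split into tokens: the device ID is the first token, the holdtime is the
    first all-digit token, the local interface is everything in between, the
    capability codes follow the holdtime, then comes the platform, and whatever
    remains is the port ID.
    """
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True           # header row reached; data rows follow
            continue
        if not in_table or not line.strip() or line.startswith("Total"):
            continue                  # skip blanks and the "Total cdp entries" trailer
        tokens = line.split()
        hold_idx = next((i for i, t in enumerate(tokens) if t.isdigit()), None)
        if hold_idx is None:
            continue                  # not a data row
        i = hold_idx + 1
        caps = []
        while i < len(tokens) and tokens[i] in CAPABILITY_CODES:
            caps.append(tokens[i])
            i += 1
        if i >= len(tokens):
            continue                  # no platform/port ID: malformed row
        rows.append({
            "device_id": tokens[0],
            "local_interface": " ".join(tokens[1:hold_idx]),
            "holdtime": int(tokens[hold_idx]),
            "capability": caps,
            "platform": tokens[i],
            "port_id": " ".join(tokens[i + 1:]),
        })
    return rows


def links_by_neighbor(rows):
    """Group (local interface, remote port) pairs per neighbor hostname."""
    links = {}
    for r in rows:
        links.setdefault(r["device_id"], []).append((r["local_interface"], r["port_id"]))
    return links


def unexpected_neighbors(rows, expected):
    """Neighbor hostnames absent from 'expected' (an assumed inventory of known devices).

    Anything reported here is new, renamed, or plugged into a port where nothing
    should be; either way it deserves a look before you trust what it advertises.
    """
    return {r["device_id"] for r in rows} - set(expected)


if __name__ == "__main__":
    rows = parse_cdp_neighbors(CDP_SAMPLE)
    for neighbor, pairs in links_by_neighbor(rows).items():
        print(neighbor, pairs)
    print("unexpected:", unexpected_neighbors(rows, {"SW-1", "SW-2"}))
```

The same parser works for LLDP’s show lldp neighbors table only after adjusting the header match and the capability legend, since LLDP prints different codes; the grouping and the expected-set check are protocol independent.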
show ip route (route Command in Windows)

By using the command show ip route on a router, you can see the routing table (the map of the internetwork) that the router uses to make its forwarding decisions, as in the following router output:

Lab_A#sh ip route
Codes: L - local, C - connected, S - static,
[output cut]
      10.0.0.0/8 is variably subnetted, 6 subnets, 4 masks
C        10.0.0.0/8 is directly connected, FastEthernet0/3
L        10.0.0.1/32 is directly connected, FastEthernet0/3
C        10.10.0.0/16 is directly connected, FastEthernet0/2
L        10.10.0.1/32 is directly connected, FastEthernet0/2
C        10.10.10.0/24 is directly connected, FastEthernet0/1
L        10.10.10.1/32 is directly connected, FastEthernet0/1
S*    0.0.0.0/0 is directly connected, FastEthernet0/0

The C in the routing table output means that the networks listed are directly connected. Until you add a dynamic routing protocol like RIPv2, OSPF, etc. to the routers in your internetwork, or enter static routes, only directly connected networks will show up in the routing table.

show version

You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as follows:

Router#show version
[output cut]
System returned to ROM by power-on
System image file is "flash:c2600nm-advsecurityk9-mz.151-4.M6.bin"
[output cut]
Cisco 2611 (revision 1.0) with 249656K/12266K bytes of memory.
Processor board ID FTX1049A1AB
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62820K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

Notice that the show version command provides the IOS version. In the preceding example, it shows the IOS version as 15.1(4)M6. This output also shows the RAM, NVRAM, and flash size. The last information given from this command is the value of the configuration register.
In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence. The show version command displays system hardware configuration information, the software version, and the names of the boot images on a router.

To change the configuration register, use the config-register command from global configuration mode:

Router(config)#config-register 0x2142
Router(config)#do sh ver
[output cut]
Configuration register is 0x2102 (will be 0x2142 at next reload)

Be careful when setting the configuration register!

show inventory

The show inventory command displays a list of the specified components in the chassis. If no components are specified when you run the command, all components are listed. This command also retrieves and displays inventory information about each Cisco product in the form of a universal device identifier (UDI). The UDI is a combination of three separate data elements: a product identifier (PID), a version identifier (VID), and the serial number (SN). The PID is the name by which the product can be ordered; it has historically been called the Product Name or Part Number. This is the number that you would use to order a replacement part.

Here is the show inventory command run on a Cisco Firepower 1010 series device. The command provides useful information about that device, such as the number and types of ports and the serial number of the device:

firepower# show inventory
Name: "module 0", DESCR: "Firepower 1010 Appliance, Desktop, 8 GE, 1 MGMT"
PID: FPR-1010          , VID: V01     , SN: JMX2539X06S

Here is the same command on the Cisco 12008 switch. It shows the cards in each slot, their capability, and the S/N.
Router# show inventory
NAME: "Chassis", DESCR: "12008/GRP chassis"
PID: GSR8/40           , VID: V01, SN: 63915640
NAME: "slot 0", DESCR: "GRP"
PID: GRP-B             , VID: V01, SN: CAB021300R5
NAME: "slot 1", DESCR: "4 port ATM OC3 multimode"
PID: 4OC3/ATM-MM-SC    , VID: V01, SN: CAB04036GT1
NAME: "slot 3", DESCR: "4 port 0C3 POS multimode"
PID: LC-4OC3/POS-MM    , VID: V01, SN: CAB014900GU
NAME: "slot 5", DESCR: "1 port Gigabit Ethernet"
PID: GE-GBIC-SC-B      , VID: V01, SN: CAB034251NX
NAME: "slot 7", DESCR: "GRP"
PID: GRP-B             , VID: V01, SN: CAB0428AN4O

show switch

A typical access closet contains one or more access switches placed next to each other in the same rack and uses high-speed redundant links with copper, or more typically fiber, to the distribution layer switches. Here are three big drawbacks to a typical switch topology:

There is an overhead of management.
STP will block half of the uplinks.
There is no direct communication between switches.

Cisco StackWise technology connects switches that are mounted in the same rack so that they basically become one larger switch. By doing this, you can add more access ports for each closet while avoiding the cost of upgrading to a bigger switch. So, you’re adding ports as you grow your company, instead of front-loading the investment into a pricier, larger switch all at once. And since these stacks are managed as a single unit, it reduces the management of your network. All switches in a stack share configuration and routing information, so you can easily add or remove switches at any time without disrupting your network or affecting its performance.

The show switch command provides information about switch stacks. The following options are available with the show switch command:

3560-New#show switch ?
               Switch Number
  detail       show detailed information about the stack ring
  hstack-ports show the status of the horizontal stack ports
  neighbors    show each switch's neighbors
  stack-ports  show the status of the stack ports
  stack-ring   show stack ring
  |            Output modifiers

I ran the command on my Master switch. The following output shows the base MAC address, the priority to become Master, the version, and the state of the switch:

3560-New#show switch
Switch/Stack Mac Address : 4ca6.4d28.2380
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 4ca6.4d28.2380     1      4       Ready

show mac-address-table

When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is sent only out of the appropriate exit interface. The switch won’t transmit the frame out any interface except for the destination interface, which preserves bandwidth on the other network segments. This process is called frame filtering.

But if the destination hardware address isn’t listed in the MAC database, also known as the content addressable memory (CAM) table, then the frame will be flooded out all active interfaces except the interface it was received on. If a device answers the flooded frame, the MAC database is then updated with the device’s location—its correct interface.

If a host or server sends a broadcast on the LAN, by default, the switch will flood the frame out all active ports except the source port. Remember, the switch creates smaller collision domains, but it’s always still one large broadcast domain by default.
Now let’s take a look at the output that results from using a show mac address-table command:

Switch#sh mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0005.dccb.d74b    DYNAMIC     Fa0/1
   1    000a.f467.9e80    DYNAMIC     Fa0/3
   1    000a.f467.9e8b    DYNAMIC     Fa0/4
   1    000a.f467.9e8c    DYNAMIC     Fa0/3
   1    0010.7b7f.c2b0    DYNAMIC     Fa0/3
   1    0030.80dc.460b    DYNAMIC     Fa0/3
   1    0030.9492.a5dd    DYNAMIC     Fa0/1
   1    00d0.58ad.05f4    DYNAMIC     Fa0/1

Let’s say the preceding switch received a frame with the following MAC addresses:

Source MAC: 0005.dccb.d74b
Destination MAC: 000a.f467.9e8c

How will the switch handle this frame? The right answer is that the destination MAC address will be found in the MAC address table and the frame will be forwarded only out Fa0/3. Never forget that if the destination MAC address isn’t found in the forward/filter table, the frame will be forwarded out all of the switch’s ports except for the one on which it was originally received in an attempt to locate the destination device.
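To make the forward/filter decision concrete, here is an added Python model of it. It is not code from this chapter or from any switch vendor; it parses the show mac address-table output above (embedded as a constructed string), applies the rules just described (a known unicast destination goes out one port, an unknown unicast or a broadcast is flooded out every active port except the one it arrived on), and also learns the source MAC of every frame it sees, which is how the table gets filled in the first place. The active port list and the test frames are constructed inputs.

```python
"""Model a switch's forward/filter decision against its MAC address table.

Added example, not code from the chapter or from any vendor. The table below is
the 'show mac address-table' output shown above, embedded as a constructed string.
"""
import re

MAC_SAMPLE = """\
Switch#sh mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0005.dccb.d74b    DYNAMIC     Fa0/1
   1    000a.f467.9e80    DYNAMIC     Fa0/3
   1    000a.f467.9e8b    DYNAMIC     Fa0/4
   1    000a.f467.9e8c    DYNAMIC     Fa0/3
   1    0010.7b7f.c2b0    DYNAMIC     Fa0/3
   1    0030.80dc.460b    DYNAMIC     Fa0/3
   1    0030.9492.a5dd    DYNAMIC     Fa0/1
   1    00d0.58ad.05f4    DYNAMIC     Fa0/1
"""

BROADCAST = "ffff.ffff.ffff"
# One table row: VLAN, dotted-hex MAC, entry type, port.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return {(vlan, mac): port} from show mac address-table output."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            table[(int(vlan), mac.lower())] = port
    return table


def is_group_address(mac):
    """True for multicast and broadcast: the low bit of the first octet is set."""
    return int(mac[:2], 16) & 1 == 1


def forward(table, vlan, src, dst, ingress, active_ports):
    """Return the egress port list for one frame and learn its source MAC.

    Rules as the chapter describes them: a known unicast destination is sent out
    only its own port (frame filtering); an unknown unicast, a broadcast, or a
    multicast is flooded out every active port in the VLAN except the one the
    frame arrived on. 'active_ports' is a constructed port list for the example.
    """
    src, dst = src.lower(), dst.lower()
    # Learning: the source MAC now lives on the ingress port (new entry or a move).
    table[(vlan, src)] = ingress
    if dst == BROADCAST or is_group_address(dst) or (vlan, dst) not in table:
        return [p for p in active_ports if p != ingress]
    egress = table[(vlan, dst)]
    # The destination is already on the ingress segment: filter (drop) the frame.
    return [] if egress == ingress else [egress]


if __name__ == "__main__":
    cam = parse_mac_table(MAC_SAMPLE)
    ports = ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"]
    # The chapter's question: src 0005.dccb.d74b, dst 000a.f467.9e8c, arriving on Fa0/1
    print(forward(cam, 1, "0005.dccb.d74b", "000a.f467.9e8c", "Fa0/1", ports))
    print(forward(cam, 1, "0005.dccb.d74b", "aaaa.bbbb.cccc", "Fa0/1", ports))
```

The learning step is what makes a MAC move visible: run the same source through a different ingress port and the table entry changes, which is also why a sudden burst of entries moving between ports is worth alerting on.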
show interface

The command show interface x reveals the hardware address, logical address, and encapsulation method as well as statistics on collisions, as shown here:

Router#sh int f0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
  Internet address is 192.168.1.33/27
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:02:07, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec

The show interfaces command, plural, displays the configurable parameters and statistics of all interfaces on a router. The preceding interface is working and looks to be in good shape. The show interfaces command will show you if you’re receiving errors on the interface, and it will also show you the maximum transmission unit (MTU). MTU is the maximum packet size allowed to transmit on that interface, bandwidth (BW) is for use with routing protocols, and 255/255 means that reliability is perfect! The load is 1/255, meaning no load.

Continuing through the output, can you figure out the bandwidth of the interface? Well, other than the easy giveaway of the interface being called a “FastEthernet” interface, you can see that the bandwidth is 100,000 Kbit, which is 100,000,000 bits per second. Kbit means to add three zeros, so 100,000 Kbit is 100 Mbits per second, or Fast Ethernet. Gigabit would be 1,000,000 Kbits per second.

Be sure that you don’t miss the output errors and collisions, which show 0 in my output. If these numbers are increasing, then you have some sort of Physical or Data Link layer issue.
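A single reading of the counters tells you little; the useful check is whether they are still climbing between two readings, and what is climbing together. The following Python script is an added example, not code from this chapter or from Cisco. It parses the counter block that the troubleshooting subsection below prints (embedded here as a constructed baseline), compares it against a second, constructed reading, and applies the rules of thumb given in that subsection: late collisions point to a duplex mismatch, CRC and input errors growing while the collision counters do not point to interference or cabling, and no buffer plus ignored climbing together point to a broadcast storm. The second sample, the counter list, and the wording of the findings are assumptions made for the example.

```python
"""Compare two readings of the 'show interfaces' counters and apply the rules of thumb.

Added example, not code from the chapter or from Cisco. BASELINE_COUNTERS is the
counter block printed in the troubleshooting subsection; LATER_COUNTERS is a
constructed second reading in which several counters have moved.
"""
import re

BASELINE_COUNTERS = """\
     275496 packets input, 35226811 bytes, 0 no buffer
     Received 69748 broadcasts (58822 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 58822 multicast, 0 pause input
     0 input packets with dribble condition detected
     2392529 packets output, 337933522 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
"""

# Constructed "later" reading: CRC/input errors, collisions and late collisions grew.
LATER_COUNTERS = """\
     281004 packets input, 35900211 bytes, 0 no buffer
     Received 70100 broadcasts (59101 multicasts)
     12 runts, 0 giants, 0 throttles
     412 input errors, 400 CRC, 12 frame, 0 overrun, 0 ignored
     0 watchdog, 59101 multicast, 0 pause input
     0 input packets with dribble condition detected
     2400120 packets output, 339000000 bytes, 0 underruns
     0 output errors, 37 collisions, 1 interface resets
     0 babbles, 31 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
"""

# Counter names exactly as they appear in the output; the value precedes the name.
COUNTERS = ["packets input", "no buffer", "runts", "giants", "input errors", "CRC",
            "frame", "overrun", "ignored", "packets output", "output errors",
            "collisions", "late collision", "interface resets"]


def parse_counters(block):
    """Return {counter name: value} for every counter in COUNTERS found in the block."""
    counts = {}
    for name in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", block)
        if m:
            counts[name] = int(m.group(1))
    return counts


def counter_delta(before, after):
    """Per-counter growth between two readings (only counters present in both)."""
    return {k: after[k] - before[k] for k in before if k in after}


def input_error_ratio(before, after):
    """Fraction of frames received between the readings that were counted as errors."""
    d = counter_delta(before, after)
    pkts = d.get("packets input", 0)
    return d.get("input errors", 0) / pkts if pkts else 0.0


def diagnose(before, after):
    """Apply the chapter's heuristics to the deltas; returns human-readable findings."""
    d = counter_delta(before, after)
    findings = []
    if d.get("late collision", 0) > 0:
        findings.append("duplex mismatch suspected: late collisions are incrementing")
    if (d.get("CRC", 0) > 0 or d.get("input errors", 0) > 0) \
            and d.get("collisions", 0) == 0 and d.get("late collision", 0) == 0:
        findings.append("interference or cabling suspected: CRC/input errors grow "
                        "while the collision counters do not")
    if d.get("no buffer", 0) > 0 and d.get("ignored", 0) > 0:
        findings.append("broadcast storm suspected: no buffer and ignored are both incrementing")
    if d.get("runts", 0) > 0:
        findings.append("runts incrementing: collisions or a damaged link")
    return findings


if __name__ == "__main__":
    before = parse_counters(BASELINE_COUNTERS)
    after = parse_counters(LATER_COUNTERS)
    print(counter_delta(before, after))
    print("input error ratio: %.4f" % input_error_ratio(before, after))
    for finding in diagnose(before, after):
        print("-", finding)
```

Running the two readings through diagnose reports the duplex mismatch (late collisions went from 0 to 31) and the runts, but not interference, because the collision counters moved as well; feed it a reading where only CRC and input errors grew and the interference finding appears instead.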
Check your duplex! If you have one side as half-duplex and one as full-duplex, your interface will work, albeit really slowly, and those numbers will be increasing fast!

The most important statistic of the show interface command is the output of the line and Data Link protocol status. If the output reveals that FastEthernet 0/0 is up and the line protocol is up, then the interface is up and running at layers 1 and 2:

Router#sh int fa0/0
FastEthernet0/0 is up, line protocol is up

Troubleshooting with the show interfaces Command

Let’s take a look at the output of the show interfaces command one more time, as there are some important statistics in this output:

     275496 packets input, 35226811 bytes, 0 no buffer
     Received 69748 broadcasts (58822 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 58822 multicast, 0 pause input
     0 input packets with dribble condition detected
     2392529 packets output, 337933522 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Knowing where to start when troubleshooting an interface can be difficult, but you should look right away at the number of input errors and CRCs. Typically, you would see those statistics increase with a duplex error, but it could be another Physical layer issue, such as the cable receiving excessive interference or a failing network interface card. Typically, you can tell it is interference when the CRC and input errors counters grow but the collision counters do not. Let’s take a look at some of the output:

No Buffer: This isn’t a number you want to see incrementing. It means you don’t have any buffer room left for incoming packets. Any packets received once the buffers are full are discarded. You can see how many packets are dropped with the ignored output.
Ignored: If the packet buffers are full, packets will be dropped. You see this increment along with the no buffer output. Typically, if the no buffer and ignored outputs are incrementing, you have some sort of broadcast storm on your LAN. This can be caused by a bad NIC or even a bad network design.

Runts: Runts are frames that did not meet the minimum frame size requirement of 64 bytes. They are typically caused by collisions.

Giants: Giants are frames received that are larger than 1,518 bytes.

Input Errors: This is the total of many counters: runts, giants, no buffer, CRC, frame, overrun, and ignored counts.

CRC: At the end of each frame is a frame check sequence (FCS) field that holds the answer to a cyclic redundancy check (CRC). If the receiving host’s answer to the CRC does not match the sending host’s answer, then a CRC error will occur.

Frame: This output increments when the frames received are of an illegal format or not complete. Typically, the output is incremented when a collision occurs.

Packets Output: This is the total number of packets (frames) forwarded out the interface.

Output Errors: This is the total number of packets (frames) that the switch port tried to transmit but for which some problem occurred.

Collisions: When transmitting a frame in half-duplex, the NIC listens on the receiving pair of the cable for another signal. If a signal is transmitted from another host, a collision has occurred. This output should not increment if you are running full-duplex.

Late Collisions: If all Ethernet specifications are followed during the cable installation, all collisions should occur by the 64th byte of the frame. If a collision occurs after 64 bytes, the late collisions counter increments. This counter will increment on a duplex-mismatched interface.

show ip interface brief

The show ip interface brief command is probably one of the best commands that you can ever use on a Cisco router or switch.
This command provides a quick overview of the device’s interfaces, including the logical address and interface status at layers 1 and 2:

Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
Serial0/0/0                unassigned      YES unset  up                    down
Serial0/0/1                unassigned      YES unset  administratively down down
Serial0/1/0                unassigned      YES unset  administratively down down
Serial0/2/0                unassigned      YES unset  administratively down down

Remember, administratively down means that you need to type no shutdown to enable the interface. Notice that Serial0/0/0 is up/down, which means that the Physical layer is good and carrier detect is sensed, but no keepalives are being received from the remote end. In a nonproduction network, like the one I am working with, this tells us the clock rate hasn’t been set.

Verifying with the show ip interface Command

The show ip interface command provides you with information regarding the layer 3 configurations of a router’s interfaces:

Router#sh ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 1.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
[output cut]

The status of the interface, the IP address and mask, information on whether an access list is set on the interface, and basic IP information are all included in this output.

show arp

This command displays the forward filter table, also called a content-addressable memory (CAM) table.
Here’s the output from the S3 switch:

S3#sh mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
[output cut]
   1    000e.83b2.e34b    DYNAMIC     Fa0/1
   1    0011.1191.556f    DYNAMIC     Fa0/1
   1    0011.3206.25cb    DYNAMIC     Fa0/1
   1    001a.2f55.c9e8    DYNAMIC     Fa0/1
   1    001a.4d55.2f7e    DYNAMIC     Fa0/1
   1    001c.575e.c891    DYNAMIC     Fa0/1
   1    b414.89d9.1886    DYNAMIC     Fa0/5
   1    b414.89d9.1887    DYNAMIC     Fa0/6

The switches use things called base MAC addresses, which are assigned to the CPU. The first one listed is the base MAC address of the switch. From the preceding output, you can see that we have six MAC addresses dynamically assigned to Fa0/1, meaning that port Fa0/1 is connected to another switch. Ports Fa0/5 and Fa0/6 have only one MAC address assigned, and all ports are assigned to VLAN 1.

show vlan

You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries plus the number of VLANs it can belong to. You can also configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command. You can even configure multiple ports at the same time with the interface range command.

In the next example, I’ll configure interface Fa0/3 to VLAN 3. This is the connection from the S3 switch to the host device:

S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport mode ?
  access         Set trunking mode to ACCESS unconditionally
  dot1q-tunnel   set trunking mode to TUNNEL unconditionally
  dynamic        Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan   Set private-vlan mode
  trunk          Set trunking mode to TRUNK unconditionally
S3(config-if)#switchport mode access
S3(config-if)#switchport access vlan 3
S3(config-if)#switchport voice vlan 5

By starting with the switchport mode access command, you’re telling the switch that this is a nontrunking layer 2 port.
You can then assign a VLAN to the port with the switchport access command, as well as configure the same port to be a member of a different type of VLAN, called the voice VLAN. Let’s take a look at our VLANs now:

S3#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11,
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/19,
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                                Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/3
5    Voice                            active    Fa0/3

Notice that port Fa0/3 is now a member of VLAN 3 and VLAN 5—two different types of VLANs. But, can you tell me where ports 1 and 2 are? And why aren’t they showing up in the output of show vlan? That’s right, because they are trunk ports! We can also see this with the show interfaces interface switchport command:

S3#sh int fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 3 (Marketing)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 5 (Voice)

The output shows that Fa0/3 is an access port and a member of VLAN 3 (Marketing), as well as a member of the Voice VLAN 5. That’s it. Well, sort of. If you plug devices into each VLAN port, they can talk only to other devices in the same VLAN. But as soon as you learn more about trunking, we will enable inter-VLAN communication!
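Finding the ports that do not show up in show vlan is easier to automate than to eyeball, and it is a useful audit to run, since a port that is trunking when it should be an access port is exactly the kind of thing that goes unnoticed. The following Python script is an added example and is not code from this chapter or from Cisco; it parses the S3 show vlan output above (embedded as a constructed string, including the wrapped port list for VLAN 1), inverts it into a port-to-VLAN map, and lists every port from an assumed port inventory that is absent from the table. The inventory of Fa0/1 through Fa0/24 plus Gi0/1 and Gi0/2 is an assumption; with it, the check reports Fa0/1 and Fa0/2 (the trunks the text asks about) and also Fa0/15 through Fa0/18 and Fa0/24, which this output simply does not list, so each reported port still needs a look with show interfaces switchport.

```python
"""Parse 'show vlan' into port-to-VLAN membership and list ports missing from it.

Added example, not code from the chapter or from Cisco. VLAN_SAMPLE is the S3
'show vlan' output shown above, embedded as a constructed string; PORT_INVENTORY
is an assumed list of the switch's ports.
"""
import re

VLAN_SAMPLE = """\
S3#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11,
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/19,
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                                Gi0/1, Gi0/2
2    Sales                            active
3    Marketing                        active    Fa0/3
5    Voice                            active    Fa0/3
"""

# Assumed inventory: a 24-port FastEthernet switch with two Gigabit uplinks.
PORT_INVENTORY = ["Fa0/%d" % n for n in range(1, 25)] + ["Gi0/1", "Gi0/2"]

VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
PORT_RE = re.compile(r"(?:Fa|Gi|Te)\d+/\d+")              # Fa0/3, Gi0/1, Te1/0/1 ...


def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from the first show vlan table."""
    vlans = {}
    current = None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):
            break                      # second table (type/SAID/MTU) starts; done
        m = VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": PORT_RE.findall(m.group(4))}
        elif current is not None and line.startswith(" "):
            # Indented continuation line: more ports for the current VLAN.
            vlans[current]["ports"].extend(PORT_RE.findall(line))
    return vlans


def port_membership(vlans):
    """Invert the table into {port: [vlan_ids]} (access + voice VLAN show as two ids)."""
    ports = {}
    for vid, info in vlans.items():
        for p in info["ports"]:
            ports.setdefault(p, []).append(vid)
    return ports


def _port_key(port):
    """Sort key so Fa0/2 comes before Fa0/10."""
    prefix, rest = port[:2], port[2:]
    slot, num = rest.split("/")
    return (prefix, int(slot), int(num))


def ports_not_listed(vlans, inventory):
    """Inventory ports absent from show vlan: on a Catalyst these are typically
    trunks, or ports the output did not include; either way they need checking."""
    listed = set(port_membership(vlans))
    return sorted((p for p in inventory if p not in listed), key=_port_key)


if __name__ == "__main__":
    vlans = parse_show_vlan(VLAN_SAMPLE)
    print("Fa0/3 is in VLANs:", port_membership(vlans)["Fa0/3"])
    print("not listed in show vlan:", ports_not_listed(vlans, PORT_INVENTORY))
```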
show power

The show power command displays the current power status of system components:

Router#show power
system power redundancy mode = combined
system power redundancy operationally = combined(2+0)
system power total =     5699.72 Watts (109.61 Amps @ 52V)
system power used =      3930.16 Watts (75.58 Amps @ 52V)
system power available = 1769.56 Watts (34.03 Amps @ 52V)

The show power inline command displays PoE status for a switch or a switch stack for the specified interface; you can add a module/port number at the end of the command for a specific stack member.

Switch#show power inline
Available:780.0(w)  Used:0.0(w)  Remaining:780.0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)

Hardware Tools

In this section, we’ll discuss the following:

Toner
Cable tester
Taps
Wi-Fi analyzer
Visual fault locator

Toner/Toner Probe

A toner probe, also called a tone generator, is a simple copper cable tester that is easy to use and can be used to trace a wire in a wall. It is a two-piece unit that’s basically a tone generator and probe, sometimes called a “fox and hound” wire tracer. This type of device consists of one part that you connect to a cable with a standard jack—or to an individual wire with alligator clips—that transmits a signal over the cable or wire, and another part that’s a penlike probe that emits an audible tone when it touches the other end of the cable, the wire, or even its insulating sheath.

Most often, you will use a toner probe to locate a specific connection in a punch-down block because (annoyingly) some installers run all the cables for a network to the central punch-down block without labeling them. They (or you, if you’re unlucky enough) then have to use a tone generator to identify which block is connected to which wall plate and label the punch-down block accordingly.
This tool can identify a particular cable at any point between the two ends, and because the probe can detect the cable containing the tone signal through its sheath, it can help you to locate one specific cable out of a massive cable-spaghetti bundle in a ceiling conduit or other type of raceway. Just connect the tone generator to one end and touch the probe to each cable in the bundle until you hear the tone. Figure 19.8 shows a picture of my toner and the probe I use to find the tone on the other end of the cable.

FIGURE 19.8 A toner probe

Also, by testing the continuity of individual wires using alligator clips, you can use a tone generator and probe to find opens, shorts, and miswires. An open wire won’t produce a tone at the other end, a short will produce a tone on two or more wires at the other end, and an improperly connected wire will produce a tone on the wrong pin at the other end.

Sound like fun to you? Well, not so much—it takes a really long time, and it’s super tedious. Worse, the whole process is almost as prone to errors as the cable installation itself. You have to either continually travel from one end of the cable to the other to move the tone generator unit or use a partner to test each connection, keeping in close contact using radios or some other means of communication to avoid confusion. So, considering the time and effort involved, investing in a wire-map tester is just a much more practical solution unless you’re numbingly bored or really easily amused.

Cable Tester

The best way to deal with a faulty cable installation is to avoid the problem in the first place by purchasing high-quality components and installing them carefully. Still, this isn’t a perfect world—no matter how careful you are, problems are bound to arise anyway. The tools that I’m going to cover can be used to test cables at the time of their installation and afterward, if and when you need to troubleshoot cabling problems.
Cable-testing tools can range from simple, inexpensive mechanical devices to elaborate electronic testers that automatically supply you with a litany of test results in an easy-to-read pass/fail format. Figure 19.9 shows an example of an inexpensive cable tester for twisted-pair wiring testing.

FIGURE 19.9 An inexpensive cable tester

This little box can verify the connection through the cable and tell you if the cable is straight-through or crossover. It can also identify problems such as grounding issues. Sometimes the problem is not a complete lack of connectivity. Sometimes performance is slow, which can also be a cabling issue that a cable tester can identify. This tool is as cheap as they come.

Let’s focus on the types of tools available for both copper and fiber-optic cable testing. This is not to say that you need all of the tools listed here. In fact, I’ll try t