Troubleshooting TCP/IP
Posted on Tuesday, October 13, 2009
1) Analyzing traffic using network monitor
- A frame is the encapsulation unit of the network interface layer (layer 2). Each frame contains the source and destination hardware addresses, the header of the protocol used to send the data, and the data itself.
- A packet is the encapsulation unit of the internet layer (layer 3).
- There are two versions of Network Monitor: the basic version ships with Windows Server 2003, and the advanced version must be purchased from Microsoft. The advanced version can capture data from all devices on a network, provided the network is built with hubs rather than the more common switches (a switch forwards each frame only to its destination port, so other devices never see it).
- Network Monitor is made up of two components: an administrative tool, called Network Monitor, and an agent, called the Network Monitor Driver.
- The Network Monitor Driver can be installed on its own on Windows XP/2000/2003 PCs, in the same way a new protocol is installed.
- The monitor can be used to find a NIC's MAC address, a computer's GUID and much other useful information.
- Parsing is the process of reading, analysing and describing the contents of frames. An administrator can add new parsers to Network Monitor by copying the parser DLL files into the %systemroot%\system32\Netmon\Parsers folder and modifying the parser.ini file in the %systemroot%\system32\Netmon folder. By default Network Monitor supports over 90 protocols.
2) Problems with TCP/IP connections
- Network Diagnostics is a graphical tool that an administrator can access from the Help and Support tools menu. Users can save its output to a file for examination by the network administrator.
- Netdiag is a command-line tool that runs a series of different network tests. The administrator first needs to install it from the Support Tools on the Windows CD; the installer file is called suptools.msi.
- Tracert shows the path a packet takes to reach a given destination. It does this by sending ICMP echo requests with increasing TTL values in the IP header, so that each router along the path in turn reports the expired packet. It follows up to 30 hops and tells the administrator where connectivity stops.
- Pathping shows the path a packet takes to reach a given destination, as tracert does, but also gives a detailed analysis of the traffic at each hop. It is used to troubleshoot erratic network behaviour such as delayed packets, whereas tracert is used to check network connectivity.
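The TTL mechanism behind tracert is easier to see in a model than in a real trace. The following added example (not code from the original post) simulates a path of routers, sends one probe per TTL value exactly as tracert does, and shows both a working path and one where a router's onward link is down, so the trace goes silent after the last reachable hop. The topology and all addresses are constructed for the example.

```python
"""Added example (not from the original post): a model of how tracert discovers
a path by sending echo requests with TTL 1, 2, 3, ... and recording which router
returns ICMP Time Exceeded for each. The topology is constructed, not a real trace."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    address: str            # IP address of the router or destination host (constructed)
    responds: bool = True   # False: drops expired probes silently (shows as "*")
    forwards: bool = True   # False: the link beyond this router is down


def send_probe(path: List[Hop], ttl: int) -> Tuple[Optional[str], bool]:
    """Model one ICMP echo request with the given TTL travelling along `path`
    (routers in order, destination last). Returns (responder, reached): the
    address that answered (None on timeout) and whether the destination replied."""
    for router in path[:-1]:
        ttl -= 1                      # every router decrements TTL before forwarding
        if ttl == 0:
            # expired here: the router returns ICMP Time Exceeded (if it is willing to)
            return (router.address if router.responds else None), False
        if not router.forwards:
            return None, False        # lost beyond this router, nobody answers
    destination = path[-1]
    if destination.responds:
        return destination.address, True   # an echo reply ends the trace
    return None, False


def tracert(path: List[Hop], max_hops: int = 30) -> List[Optional[str]]:
    """Discover the path hop by hop as tracert does: one probe per TTL value,
    stopping when the destination replies or after max_hops (30 by default)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, reached = send_probe(path, ttl)
        hops.append(responder)
        if reached:
            break
    return hops


def last_reachable(hops: List[Optional[str]]) -> Optional[str]:
    """Last hop that answered: connectivity stops somewhere after it."""
    answered = [h for h in hops if h is not None]
    return answered[-1] if answered else None


# Constructed topologies for the demonstration (not addresses from the post).
WORKING_PATH = [Hop("10.0.0.1"), Hop("10.0.1.1", responds=False),
                Hop("10.0.2.1"), Hop("10.0.3.1"), Hop("192.0.2.10")]
BROKEN_PATH = [Hop("10.0.0.1"), Hop("10.0.1.1", responds=False),
               Hop("10.0.2.1", forwards=False), Hop("10.0.3.1"), Hop("192.0.2.10")]

if __name__ == "__main__":
    for name, path in (("working", WORKING_PATH), ("broken", BROKEN_PATH)):
        hops = tracert(path)
        print(name)
        for n, hop in enumerate(hops, 1):
            print(f"  {n:2d}  {hop or '* request timed out'}")
        print("  last responding hop:", last_reachable(hops))
```

The silent router at hop 2 shows why a single `*` line in a trace does not mean connectivity stops there: later hops still answer. Only when every hop after some point times out, as in the broken path, has the administrator found where connectivity ends.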
- Arp is used to show the ARP cache on the PC. Sometimes computers on the local network have wrong MAC addresses for each other cached and so cannot communicate; use arp -a to check whether the cached hardware address mappings are correct, and arp -d to clear the ARP cache. If the mappings check out, look for a hardware problem.
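Checking `arp -a` by eye works on a small network; on a larger one it helps to compare the cache against the addresses the administrator knows to be correct. The following added example (not from the original post) parses the Windows `arp -a` output format, reports cached entries that disagree with a known-good mapping (the ones worth clearing with `arp -d`), and lists any MAC that is cached for more than one unicast IP. The sample output and the expected mappings are constructed for the example.

```python
"""Added example (not from the original post): parse Windows `arp -a` output and
compare the cache against known-good mappings. Sample data is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `arp -a` output on Windows (not a real capture).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
  192.168.1.21          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Addresses the administrator knows to be correct (constructed): gateway and a server.
EXPECTED = {
    "192.168.1.1": "00-11-22-33-44-55",
    "192.168.1.20": "00-11-22-33-44-77",
}

# One cache entry line: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {ip: (mac, type)} for every entry line; header and interface lines are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            cache[ip] = (mac.lower(), kind.lower())
    return cache


def is_unicast(mac: str) -> bool:
    """Broadcast and multicast MACs have the group bit (lowest bit of the first octet) set."""
    return not (int(mac.split("-")[0], 16) & 1)


def stale_entries(cache: Dict[str, Tuple[str, str]], expected: Dict[str, str]) -> Dict[str, str]:
    """Cached MACs that disagree with the known-good mapping: candidates for `arp -d`."""
    return {ip: cache[ip][0] for ip, mac in expected.items()
            if ip in cache and cache[ip][0] != mac.lower()}


def shared_macs(cache: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """MACs cached for more than one unicast IP. Normal for a router doing proxy ARP,
    otherwise worth a second look before assuming a hardware fault."""
    by_mac: Dict[str, List[str]] = {}
    for ip, (mac, _) in cache.items():
        if is_unicast(mac):
            by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP_OUTPUT)
    for ip, mac in stale_entries(cache, EXPECTED).items():
        print(f"{ip}: cached {mac}, expected {EXPECTED[ip]} -> arp -d {ip}")
    for mac, ips in shared_macs(cache).items():
        print(f"{mac} is cached for {', '.join(ips)}")
```

On a live machine the text passed to `parse_arp` would come from running `arp -a` and capturing its output; the comparison logic is the same.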
- If the administrator is able to ping the loopback address, the PC's own address and the local gateway, but no other PCs, the problem is most likely a corrupted ARP cache.
- Troubleshooting steps, in order: loopback, local PC, default gateway, remote host by IP, remote host by name.
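The value of the ping sequence is its order: the first step that fails tells you which layer to look at. The following added example (not from the original post) walks the five steps, stops at the first failure and maps it to the diagnosis the notes above give. The `windows_ping` probe is an assumption about how the check would be run on a Windows PC; note that Windows `ping` exits with 0 even when the only replies are "Destination host unreachable", so the probe looks for a `TTL=` field, which appears only in a real echo reply. The probe is injectable, so the logic can be exercised with constructed results.

```python
"""Added example (not from the original post): run the ping ladder in order and
report the first failing step. Addresses used in __main__ are placeholders."""
import subprocess
from typing import Callable, List, Tuple

# What a failure at each step most likely means, following the notes above.
DIAGNOSIS = {
    "loopback": "TCP/IP is not working on this PC: check the protocol installation",
    "local address": "the NIC or this PC's IP configuration is wrong",
    "default gateway": "local link problem: check cabling/switch and the gateway itself",
    "remote host by IP": "gateway answers but other hosts do not: check the ARP cache "
                         "(arp -a, arp -d), then tracert to see where connectivity stops",
    "remote host by name": "IP connectivity is fine; name resolution is failing",
}


def windows_ping(target: str) -> bool:
    """Assumed probe: one Windows ping with a 1 s timeout. Only a genuine echo reply
    carries 'TTL=', so that string is a more reliable test than the exit code."""
    out = subprocess.run(["ping", "-n", "1", "-w", "1000", target],
                         capture_output=True, text=True).stdout
    return "TTL=" in out


def ping_ladder(local_ip: str, gateway: str, remote_ip: str, remote_name: str,
                ping: Callable[[str], bool] = windows_ping) -> Tuple[List[Tuple[str, str, bool]], str]:
    """Probe each target in the documented order; stop at the first failure.
    Returns the per-step results and a diagnosis string."""
    steps = [("loopback", "127.0.0.1"), ("local address", local_ip),
             ("default gateway", gateway), ("remote host by IP", remote_ip),
             ("remote host by name", remote_name)]
    results = []
    for label, target in steps:
        ok = ping(target)
        results.append((label, target, ok))
        if not ok:
            return results, DIAGNOSIS[label]
    return results, "all steps succeeded"


def fake_ping(reachable: set) -> Callable[[str], bool]:
    """Build a probe that answers from a constructed set of reachable targets."""
    return lambda target: target in reachable


if __name__ == "__main__":
    # Placeholder addresses and name; replace with the PC's own values.
    results, diagnosis = ping_ladder("192.0.2.10", "192.0.2.1", "198.51.100.5", "fileserver.example")
    for label, target, ok in results:
        print(f"{'ok  ' if ok else 'FAIL'} {label:22s} {target}")
    print(diagnosis)
```

With the real probe the script needs to run on the Windows PC being diagnosed; with `fake_ping` the same decision logic can be checked anywhere.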