4-3a Troubleshooting Tools


packet sniffer

A software package or hardware-based tool that can capture data on a network; very similar to a protocol analyzer such as Wireshark, and many people use the terms interchangeably.

probes

Both traceroute and tracert limit the TTL of these repeated trial messages, called __________, thereby triggering routers along the route to return specific information about the route being traversed.

trial-and-error

Both the traceroute and tracert utilities employ a ___________ approach to discover the nodes at each hop from the source to the destination.

combined

Command parameters can be _________ into a single command. For example, entering the command netstat -an will display the IP addresses and ports of active TCP connections and also listening TCP and UDP ports.

netstat -r

Displays routing table information.

netstat -s

Displays statistics about each message transmitted by a host, separated according to protocol type (TCP, UDP, IP, or ICMP).

netstat -e

Displays statistics about messages sent over a network interface, including errors and discards.

tcpdump not port 22 or tcpdump not port 23

Filters out SSH or Telnet packets, which is helpful when running tcpdump on a remotely accessed network device.

tcpdump port http

Filters out all traffic except HTTP.

traceroute -4 google.com or tracert -4 google.com

Forces the command to use IPv4 packets only.

traceroute -6 google.com or tracert -6 google.com

Forces the command to use IPv6 packets instead of IPv4. The other parameters can be added to these IPv6 commands and function essentially the same as they do in IPv4.

traceroute -w 2 google.com or tracert -w 2000 google.com

Identifies a timeout period for responses; this parameter must be followed by a variable to indicate the number of seconds (in Linux) or milliseconds (in Windows) that the utility should wait for a response. The default time is usually between 3 and 5 seconds for Linux and 4000 milliseconds (4 seconds) for Windows.

pathping -p 2000 google.com

Identifies the wait time between pings; this parameter must be followed by a variable to indicate the number of milliseconds to wait. The default time is 4000 milliseconds (4 seconds).

pathping -n google.com

Instructs the command to not resolve IP addresses to host names.

tcpdump -n

Instructs the command to not resolve IP addresses to host names.

traceroute -n google.com or tracert -d google.com

Instructs the command to not resolve IP addresses to host names.

traceroute -I google.com

Instructs the command to use ICMP echo requests instead of UDP datagrams.

traceroute -T google.com

Instructs the command to use TCP SYN probes instead of UDP datagrams.

tcpdump -c 50

Limits the number of captured packets to 50.

pathping -q 4 google.com

Limits the number of queries per hop; must be followed by a variable to indicate the number of queries allowed. By default, pathping sends 100 pings per hop, which tends to take a long time to run.

mtr

Linux offers its own version of the pathping utility, called ____, which is short for "my traceroute."

traceroute

Linux, UNIX, and macOS systems use UDP datagrams or, possibly, TCP SYN messages, for their ____________ utility, but the concept is still the same.

tcpdump -i any

Listens to all network interfaces on a device.

netstat

Lists all active TCP/IP connections on the local machine, including the Transport layer protocol used (usually just TCP), messages sent and received, IP address, and state of those connections.

netstat -a

Lists all current TCP connections and all listening TCP and UDP ports.

tcpdump -D

Lists all interfaces available for capture.

netstat -n

Lists current connections, including IP addresses and ports.

netstat -f

Lists current connections, including IP addresses, ports, and FQDNs.

netstat -o

Lists the PID (process identifier) for each process using a connection and information about the connection.

netstat -b

Lists the name of each process using a connection and information about the connection. Requires an elevated Command Prompt.

tcpdump -r capture.cap

Reads the file capture.cap and outputs the data in the terminal window. This file can also be read by applications like Wireshark.

tcpdump -w capture.cap

Saves the file output to a file named capture.cap.

traceroute -f 3 google.com

Sets the first TTL value and must be followed by a variable to indicate the number of hops for the first probe. The default value is 1, which begins the trace at the first router on the route. Beginning at later hops in the route can more quickly narrow down the location of a network problem. tracert does not have a corresponding parameter for this function.

pathping -h 12 google.com

Specifies the maximum number of hops the messages should take when attempting to reach a host (the default is 30); this parameter must be followed by a specific number of hops.

traceroute -m 12 google.com or tracert -h 12 google.com

Specifies the maximum number of hops when attempting to reach a host; this parameter must be followed by a specific number. Without this parameter, the command defaults to 30.

nodes

The traceroute utility uses error messages from routers to map _______ on a route.

TCP or ICMP

Traceroute can be configured to use ___________ messages.

UDP

Traceroute sends _______ messages to a random, unused port on the destination node, and listens for an ICMP "Port Unreachable" error message in response from that node.

ICMP echo request

Tracert sends an ________________ to the destination node and listens for an ICMP echo reply from that node.

sudo

You must either use the ____ command or log in as root to access tcpdump.

tcpdump utility

A free, command-line packet sniffer that runs on Linux and other Unix operating systems.

-z parameter

Add more of a delay between the probe repetitions with the ________ followed by the number of seconds (up to 10) for the minimum wait time between probes (traceroute only).

tcpdump

Captures traffic that crosses a computer's network interface.

pathping utility

Combines elements of both ping and tracert to provide deeper information about network issues along a route. It sends multiple pings to each hop along a route, then compiles the information into a single report.

netstat utility

Displays TCP/IP statistics and details about TCP/IP components and connections on a host.

interpretation and analysis

The difference between a packet sniffer and a protocol analyzer is the level of ______________ the tool provides for the data captured from the network interface.

Information from the netstat command

The port on which a TCP/IP service is running, which network connections are currently established for a client, how many messages have been handled by a network interface since it was activated, and how many data errors have occurred on a particular network interface.

tracert utility

Uses ICMP echo requests to trace the path from one networked node to another, identifying all intermediate hops between the two nodes.

