Chapter 15


DoS Attacks

A Denial of Service (DoS) attack has an obvious symptom but usually no quick solution. Most DoS attacks are network-based, where the network is being flooded with traffic. This can be quickly determined by querying routers or switches for congestion on their interfaces. Any network monitoring tool will be able to identify a network-based DoS. The only fix for a network-based DoS is to wait for it to stop. You can disconnect yourself from the network until it is done. You might also be able to filter the offending traffic on upstream routers. That may not be so useful, unless you have redundant links that will allow normal traffic to come to you through some other path. The best defense against network-based DoS is to have redundancy and load balancing. If the DoS is based on malicious code that consumes all of a server's CPU, memory, or disk space, that is not so obvious to detect, because it usually only takes a few packets to deliver that malicious payload. In that case, you will want your network intrusion detection system (NIDS) to watch for those types of signatures. If there is no signature for it, the NIDS will allow the attack to happen. The quickest way to deal with a malicious code DoS is to disconnect the power on the target and force it to reboot from a cold start. If you perform a proper shutdown, the infection might simply pop up again on restart. This does have the risk that it will corrupt unsaved data. Even with a sudden restart, if the malicious code was somehow saved on the machine, it will run again. You can run an antivirus scan to see if you can find and remove the code. The best defense is network load balancing in which you have multiple servers perform the same service.

Butt Sets

A butt set, also known as a lineman's test set, is a special type of telephone handset used by telecom technicians when installing and testing local lines. It is called a butt set because the technician "butts" into telephone lines to detect issues. The butt set allows a technician to bridge onto wire pairs with clips in order to monitor the line and use dialing features as if it were a physical phone on the system. This lets the technician determine any problems that exist. Some butt sets can detect polarity reversals and other line faults to troubleshoot performance issues.

Cable Certifiers

A cable certifier allows you to perform tests, such as cable testing and validity testing. It can detect shorts and crosstalk on a cable, test for the cable type and whether a cable is straight-through or crossover, and check if the NIC is functioning and at what speed: half or full duplex. Cable certifiers can also be attached to devices. The collected data can be used to print certification reports.

Types of Cable Testers and Certifiers

The types of cable testers and certifiers that are available vary based on the task they are used for.
• Certification tester: Determines whether a cable meets specific ISO or TIA standards (CAT5e, CAT6, or CAT7). Should be used if a network is wired with both copper and fiber.
• Qualification tester: Measures the speeds at which a network can transmit data. Also used to troubleshoot a network. It is not used to test networks. A qualification tester tests the continuity of UTP/STP cables and verifies adherence to 10BASE-T, 100BASE-T, TIA-568A, TIA-568B, and token ring wiring standards. It also verifies ring wiring standards and shield integrity.
• LAN tester: Tests transmission speed, cable skew, cable propagation delay, cable typing (CAT3, 5, 5E, 6), attenuation, and cable verification. A LAN tester carries out a cable conduction test and a mis-wiring detection test.
• Network cable certifier: Tests transmission speed and performance.

Cable Strippers

A cable stripper, also called a wire stripper, is often part of a wire crimper, allowing the user to strip wires of their protective coating, and then use the crimping tool to attach a media connector.

Cable Testers and Line Testers

A cable tester, also called a line tester, is an electrical instrument that verifies whether a signal is transmitted by a cable. A simple cable tester will determine whether a cable has an end-to-end connection and can detect shorts or opens, but it cannot certify the cable for transmission quality, which is the cable installer's responsibility. Cable testers differ based on their intended purpose. Unshielded twisted pair (UTP) cable links are limited to a distance of 295 feet. The speed will be either 10 Mbps or 100 Mbps depending on the type of switch used.

Circuit Testers

A circuit tester is an electrical instrument used to test whether or not current is passing through a circuit. It is normally used when you need to check whether electricity flows between two points. Plug the circuit tester into the socket and it will display a pattern of lights depicting the wiring status of the circuit, which helps identify whether or not power is passing through the points.

Hardware Loopback Plugs

A hardware loopback plug is a special connector used for diagnosing transmission problems by redirecting electrical signals back to the transmitting device. It plugs into a port and crosses over the transmit and receive lines. Some loopback plugs are small and plug into a port with no visible wires, whereas others have wires that loop visibly into the connector. Hardware loopback plugs are commonly used to test Ethernet NICs. The plug directly connects Pin 1 to Pin 3 and Pin 2 to Pin 6. If a NIC comes with hardware diagnostic capabilities, the loopback plug will be included with the NIC. Connect the loopback plug to the installed NIC's network port, and run the diagnostic software to verify that the NIC can send and receive data. There are standards for loopback wiring.
Ethernet
• Pin 1 to Pin 3
• Pin 2 to Pin 6
T1
• Pin 1 to Pin 4
• Pin 2 to Pin 5

Looking Glass Sites

A looking glass site is a web server that allows external users to get a look at routing and network behavior as it originates from the remote network. A looking glass site accesses a remote router and performs commands, allowing a view of the IP and Border Gateway Protocol (BGP) route tables. The information is then presented to the user. Looking glass sites are used for verifying routing between providers, and for verifying that routes are propagating correctly across the Internet.

Loopback Interface

A loopback interface is a virtual network interface that network applications can communicate with when executing on the local device. The loopback interface has no hardware associated with it, and it is not physically connected to a network. Any traffic that a computer program sends to a loopback IP address is passed back up the network software stack as if it had been received from another device. The loopback interface allows IT professionals to test IP software without any potential issues from broken or corrupted drivers or hardware. The IPv4 loopback address is 127.0.0.1 and the IPv6 loopback address is ::1.

Voltmeters

A voltmeter measures voltage and resistance between two points in a circuit. Like multimeters, voltmeters come in both digital and analog forms. A digital voltmeter (DVM) provides scales for reading voltage in both AC and DC and for different resistances. It can be used to test resistances between cable endpoints or voltages inside a low-power system. It should not be used to service high-power or high-frequency equipment. A voltage event recorder (VER) is another tool to use in conjunction with or in addition to a voltmeter to test and verify that the electrical signals transmitted through the network cables are within the required specifications. VERs are attached to electrical lines or outlets and remain there undisturbed to monitor the flow of electricity across the lines or within an outlet. VERs can help diagnose electrical faults or intermittent problems involving low or high voltage.

Wire Crimpers

A wire crimper, also called a cable crimper, is a tool that attaches media connectors to the ends of cables. You can use it if you need to make your own network cables or trim the end of a cable. There are different crimpers for different types of connectors, so select the one that is appropriate for the type of network media you are working with.

Multimeters

A multimeter, also known as a volt/ohm meter, is an electronic measuring instrument that takes electrical measurements such as voltage, current, and resistance. A multimeter can be a handheld device for field service work or a bench-top model for in-house troubleshooting. Multimeters can be either analog or digital. The digital multimeter (DMM) and digital volt-ohm meter (DVOM) are examples of digital models, whereas the analog multimeter (AMM) is an example of the analog model.

Not all circuits are the same. Some circuits carry much higher electrical loads than others. Be sure that you know the approximate current and impedance that the circuit you are testing should be running at, and use the appropriately rated multimeter for the job. Connecting an underrated multimeter to a main electrical line could result in damage to the multimeter, and possible injury to the operator.

There are several items to be aware of when reading a multimeter. You must select all of these correctly, otherwise you will get a confusing or misleading reading, or possibly damage your meter. A multimeter has a positive probe and a negative probe. This is significant when measuring DC volts or DC current. You must get the polarity correct; in other words, touch the positive probe to the positive side of the power supply or battery, and the negative probe to the negative side of the power supply or battery. If your power supply is bi-polar, meaning that it has a positive, a ground, and a negative, you must touch the positive probe to ground and the negative probe to negative. You must select the type of measurement you want. This could be the following.

Punch Down Tools

A punch down tool is used in a wiring closet to connect cable wires directly to a patch panel or punch down block. The tool strips the insulation from the end of the wire and embeds the wire into the connection at the back of the panel. The punch down tool makes connecting wires to a patch panel easier than it would be to connect them by hand. Without the punch down tool, you would have to strip the wire manually and connect it by twisting it or tightening it around a connection pole or screw.

Time-Domain Reflectometers

A time-domain reflectometer (TDR) is a measuring tool that transmits an electrical pulse on a cable and measures the reflected signal. In a cable without any problems, the signal does not reflect and is absorbed by a terminator, if present. Bends, short circuits, and connector problems on the cable modify a signal's amplitude before it returns to a TDR. These modifications change how the signal reflects back. A TDR analyzes the returned signal, and based on the signal's condition and its rate of return, it checks the time span and determines cable problems. In addition, if a TDR is attached on a coaxial cable network, the TDR will indicate whether terminators are installed properly and are functioning correctly. Optical time-domain reflectometers (OTDRs) are a variation of TDRs used specifically for fiber optic cabling to determine cabling issues. An OTDR transmits light signals of different wavelengths over fiber. Depending on the quality of the signal returned, an OTDR can accurately measure the length of the fiber; determine locations of faulty splices, breaks, connectors, and bends; and measure signal attenuation over the length of the fiber cable.

Tone Generators and Locators

A tone generator is a device that sends an electrical signal through one pair of UTP wires. A tone locator or a tone probe is a device that emits an audible tone when it detects a signal in a pair of wires. Tone generators and tone locators are most commonly used on telephone systems to trace wire pairs. A digital toner and toner probe trace and locate voice, audio, and video cabling on a network. In addition to confirming the cable location, a toner and probe can verify continuity and detect faults.

Note: The combination of a tone generator and tone locator is frequently referred to as "fox and hound."

Do not confuse tone generators and tone locators with cable testers. Tone generators and tone locators can only help you differentiate between different UTP cables. To locate a cable in a group of cables, connect the tone generator to the copper ends of the wires; then move the tone locator over the group of cables. A soft beeping tone indicates that you are close to the correct wire set; when the beeping is loudest, you have found the cable.

Caution: Do not connect a tone generator to a cable that is connected to a NIC. The signal sent by the tone generator can destroy network equipment.

Troubleshooting Model

A troubleshooting model is a standardized step-by-step approach to the troubleshooting process. The model serves as a framework for correcting a problem on a network without introducing further problems or making unnecessary modifications to the network. Models can vary in the sequence, number, and name of the steps involved, but all models have the same goal: to move in a methodical and repeatable manner through the troubleshooting process.

Wireless Testers

A wireless tester, or a Wi-Fi analyzer, is a Wi-Fi spectrum analyzer used to detect devices and points of interference, as well as analyze and troubleshoot network issues on a WLAN or other wireless networks. Like network analyzers, wireless testers give an overview of the health of a WLAN in one central location, enabling technicians to troubleshoot problems efficiently. A spectrum analyzer is an instrument that displays the variation of signal strength against the frequency.

-d

Deletes a single host entry if followed by if_addr. Deletes all host entries if followed by *.

Misconfigured ACLs and Applications

ACL misconfigurations, whether on a router or from operating systems or applications that have their own ACLs, can cause issues that need to be tracked down. Some common ACL misconfigurations with routers are:
• A "deny" ACL has been applied for specific conditions, but there is no "permit" ACL for all other conditions (which has the net result of denying all traffic).
• The rules in the ACL are out of order.
• The ACL is applied to the wrong interface.
• The ACL is applied in the wrong direction (inbound or outbound).
• The ACL is applied to the wrong protocol or port.
• Source and destination IP are reversed.
• The wrong mask or IP range is applied to the ACL (the intended target is not in the range).
The best way to approach troubleshooting router ACLs is to draw a network diagram showing the router, its connected networks, and how traffic flows through the router. Use the diagram to determine where to place the ACL (the interface and direction). If you deny specific traffic, make sure that the ACL includes a "permit any" at the bottom of the list of rules to allow other traffic to flow through it. Test the ACL by attempting to send both permitted and denied traffic through it.

Operating systems and applications have their own ACLs. Windows has five ACLs: NTFS, Share, Printer, Registry, and Active Directory. Linux has comparable ACLs, though there is no registry and the directory service will not be Active Directory, but instead something like RedHat Directory Services or OpenLDAP. In addition, for any operating system, applications like database management systems, email servers, web servers, and so on have their own ACLs. What makes operating system or application ACLs difficult is that users can belong to many roles or groups that can potentially have conflicting permissions. You will have to compare all the groups/roles that the user belongs to with the permissions assigned to each group/role in the ACL.
Generally, if a user belongs to multiple groups, the user gets the permissions of ALL the groups together, meaning the least restrictive. The exception is Deny. If any of the groups the user belongs to is denied, the user is denied that particular action, even if the user is an administrator. Windows has an "Effective Permissions" tab to help sort out a user's ultimate permission level on an object, but that is only for the NTFS ACL. In Windows, any folder that is shared is subject to both the Share and NTFS ACLs. A user will have to get past both ACLs to perform an action. This is true not only of the shared folder, but also of the contents inside the share. Troubleshooting operating system/application ACLs might take some investigation, especially if the administrator did not follow best practice regarding assigning permissions to users and groups. Test to see if some other person can perform the action. The best practice is that you always assign permissions to a group, and then put users in or out of the group. You create groups based on roles or common security need. You make exceptions such as Deny sparingly.

-s inet_addr eth_addr

Adds a host. The Internet address is set by adding an inet_addr value and the physical address is set by adding an eth_addr value.

Network Hardware Tools

As a network technician, you might find that you occasionally need basic hand tools, such as:
• A variety of screwdrivers and spare screws
• Long-nose pliers
• Small diagonal cutting pliers
• A small adjustable wrench
• A variety of wrenches or nut drivers
• A small flashlight
• An anti-static wrist strap with clip
Because of the variety of tasks you will encounter as a network technician, you'll also require more specialized tools, such as those used to install and terminate network cables and connectors, including:
• Cable crimpers
• Punch down tool
• Wire strippers
• Snips
• Optical time-domain reflectometers (OTDRs)
• Cable certifier
There are also certain tools that you'll use while troubleshooting network issues:
• Line testers
• Certifiers
• Multimeter
• Cable tester
• Light meter
• Toner probe
Other general tools and supplies that you might find useful include cable ties/zip strips, electrical tape, and a lightweight laptop or notebook computer capable of both wired and wireless connectivity. The laptop should have Wi-Fi spectrum analyzer software installed on it, such as NetStumbler, InSSIDer, or WiSpy. (It is also common for network technicians to carry desktop support software such as operating system boot disks and recovery disks, as well as a removable drive.)

Banner grabbing

Banner grabbing is one of the easiest ways to fingerprint an operating system or an application or service. In many cases, you can configure the service (web server, email server, and so on) to not respond to clients with any banner. Firewalls can also be configured to block banners.

ARP Issues

Because ARP is both dynamic and broadcast-based, it is quite easy to spoof ARP packets, poisoning host ARP caches and misdirecting LAN traffic to an undesirable MAC address. Some network monitoring tools can be used to detect ARP flooding and ARP spoofing attack events. In some attacks, a rogue host is sending ARP requests sourced from a different host MAC address. In this case, you need to identify the port on which the MAC address is learned. You then backtrack until you reach the rogue host. The only way to defeat this is to hard-code ARP to IP mappings, or to use software that regularly checks the accuracy of the ARP table.

Authentication Issues

Because there are often multiple authentication mechanisms to the same host, troubleshooting authentication issues can involve a few steps. The first thing to determine is if the problem is truly authentication and not some other problem with the network, the device, or the application. See if someone else can authenticate. If no one can authenticate by using one method, then see if users can authenticate by using some other method, such as sitting directly at the console, or across the network via remote access, RDP, SSH, telnet, remote PowerShell, and so on. Also try, if available, a different authentication protocol, such as Kerberos, NTLM, smart card/token, MS-CHAP v2 (for remote access), and more. Check the Event Viewer logs or error messages to see if there is any indication of the problem. Common problems include expired certificates, wrong user name or password, locked or disabled account, and client not configured to use the correct authentication protocol or encryption level.

Another source of possible authentication issues is TACACS/RADIUS misconfigurations. There are many possible causes of TACACS/RADIUS misconfigurations. The policy that controls how clients can connect has many possible components, any one of which could be mismatched between the remote access client (computer, laptop, or wireless device) and the remote access server/device, which is also known as the RADIUS/TACACS client (router, switch, wireless access point, or VPN server). These components include:
• Authentication protocol
• Encryption level
• Certificates
• Permitted connection type, such as VPN, wireless, and wired
• Permitted connection conditions, such as user group, time of day, and type of protocol
In addition, you could have a mismatch between the RADIUS/TACACS client (router, switch, WAP, or VPN server) and the RADIUS/TACACS server, especially in the following items:
• Encryption key
• Default port

Physical Issues

When troubleshooting network problems, it is helpful to understand the issues that can arise. Having this understanding will enable you to solve problems more efficiently. There are several categories of physical connectivity issues.

Crosstalk
Symptoms: Slow network performance and an excess of dropped or unintelligible packets. In telephony applications, users hear garbled voice or conversations from another line.
Causes: Generally, crosstalk occurs when two cables run in parallel and the signal of one cable interferes with the other. Crosstalk can also be caused by crossed or crushed wire pairs in twisted pair cabling.
Resolution: The use of twisted pair cabling or digital signals can reduce the effects of crosstalk. Maintaining proper distance between cables can also help.

Near-end crosstalk
Symptoms: Signal loss or interference.
Causes: Near-end crosstalk occurs more closely along the transmitting end of the cable. It often occurs in or near the terminating connector.
Resolution: Test with cable testers from both ends of the cable and correct any crossed or crushed wires. Verify that the cable is terminated properly and that the twists in the pairs of wires are maintained.

Far-end crosstalk
Symptoms: Signal loss or interference.
Causes: Similar to near-end crosstalk, far-end crosstalk occurs at the other end of the cable from the transmitter that is causing the interference.
Resolution: Test with cable testers from both ends of the cable and correct any crossed or crushed wires. Verify that the cable is terminated properly and that the twists in the pairs of wires are maintained.

Attenuation
Symptoms: Slow responses from the network.
Causes: Degradation of signal strength. A longer cable length, poor connections, bad insulation, a high level of crosstalk, or EMI can all increase attenuation.
Resolution: In the case of wired networks, use shorter cable runs. In the case of wireless networks, add more access points and signal boosters along the transmission path. Evaluate the environment for interference; the type of signal interference depends on the wireless spectrum used.

Collisions
Symptoms: High latency, reduced network performance, and intermittent connectivity issues.
Causes: Collisions tend to occur on networks as nodes attempt to access shared resources.
Resolution: Depends on the network. For example, on a network still using hubs, replacing a hub with a switch will often alleviate the problem.

Shorts
Symptoms: Electrical shorts; complete loss of signal.
Causes: Two nodes of an electrical circuit that are meant to be at different voltages create a low-resistance connection, causing a short circuit.
Resolution: Use a TDR to detect and locate shorts. Replace cables and connectors.

Open impedance
Symptoms: There is an echo on either the talker or listener end of the connection.
Causes: The mismatching of electrical resistance.
Resolution: Use a TDR to detect impedance. Collect and review data, interpret the symptoms, and determine the root cause in order to correct it.

Interference (EMI/RFI)
Symptoms: Crackling, humming, and static are all signs of interference. Low throughput, network degradation, and poor voice quality are also symptoms of interference.
Causes: Electromagnetic and radio-frequency interference can be caused by a number of devices, including cordless phones, Bluetooth® devices, cameras, paging systems, unauthorized access points, and clients in ad-hoc mode. For a WAN connection, the distance of a WAN link, including all the networks and connections it may have to traverse, could make it more susceptible to interference, especially for DSL links that have practical distance limits, or radio transmissions that can be easily interfered with.
Resolution: Remove or avoid environmental interference as much as possible. This may simply entail turning off competing devices or relocating them. Ensure that there is adequate LAN coverage. To resolve problems proactively, test areas prior to deployment by using tools such as spectrum analyzers.

SFP/GBIC issues
Symptoms: There is no communication through the device. The system console may display error lights or messages.
Causes: Modules in SFPs/GBICs get corrupted, there is a cable mismatch, or a cable is bad.
Resolution: Check cables and replace the faulty SFPs/GBICs.

Cable problems
Symptoms: The nodes on the network cannot communicate. The router, switches, and the individual nodes on the network are fully functional, but the problem still persists.
Causes: There is a problem with the network cables.
Resolution: Identify the issue and determine a suitable solution.
• Bad connectors: Check and replace the faulty connectors. Verify that the cables are properly secured to the connectors and are properly crimped.
• Bad wiring: Check and replace the wires that are in bad condition.
• Open, short cables: Use cable testers to locate open or short cables. Repair the cables and recheck that the issues are resolved. If not, replace the cables.
• Split pair cables: Identify the split pair cables and replace them with compatible cables.
• DB loss: Check the cable for defects or damage, crimping, and connection with the connectors. Identify and remove sources of interference.
• Tx/Rx reversed: Check the network port indicators on the system; if the link light is off, there is an issue with the network adapter. Replace the network adapter.
• Cable placement: Verify that the cable is placed away from sources of EMI. Identify and remove the sources of interference.
• Distance limitations: Verify that the cables are run only for the maximum distance they are supported. For example, multimode fiber optic cables for Gigabit Ethernet range from 300 meters to 1,040 meters at 850 nm, or 600 meters at 1,310 nm.
• Dirty fiber connectors: Inspect and clean the connector.
• Fiber bend radius limitations: Excessively bent fiber cable needs to be replaced.

Bad cables/improper cable types
Symptoms: The nodes on the network cannot communicate. The router, switches, and the individual nodes on the network are fully functional, but the problem still persists.
Causes: Cables are cut or shorted. A short can happen when the wire conductor comes in contact with another conductive surface, changing the path of the signal.
Resolution: Cable testers can be used to detect many types of cable problems, such as cut cables, incorrect cable connections, cable shorts, interference, and faulty connectors. After identifying the source of the issue, move the cable to prevent it from coming in contact with other conductive surfaces.

Mismatched fiber optic cables/connectors
Symptoms: Signal loss or slow responses from the network.
Causes: There is a fiber type mismatch, connector mismatch, or wavelength mismatch. These cause a mismatch between the chosen light wavelength and the cable that conducts it. Because both the core and cladding of fiber optic cable are designed to be optimal for specific wavelengths, you do not want to mix and match the various cable types or connectors.
Resolution: Replace mismatched fiber cables and terminations to use the same type.

Incorrect termination
Symptoms: Intermittent problems with a network connection.
Causes: Copper cables may not be properly terminated.
Resolution: Ensure that straight-through cables are used unless you specifically need to use a crossover cable.

Hardware failure
Symptoms: Intermittent problems with a network connection or no connection.
Causes: A device had a hardware failure which causes it to function intermittently or not at all. The entire device may have failed, or in the case of a computer, it may be just one component that has failed.
Resolution: Investigate the issue and trace it to the source hardware that has failed. Test the device to determine if it is just a component that has failed or if the entire device has failed. Have the device repaired or replaced.

-N if_addr

Displays the ARP entries for the network interface specified by if_addr.

-a

Displays the current ARP entries in the cache. Can add inet_addr to specify a particular IP address.

-g

Displays the same information as the -a option.

Domain Internet Groper (DIG)

Domain Internet Groper (DIG) is a UNIX/Linux command-line tool that can be used to display name server information. Some experts consider it generally easier to use than nslookup, and note that it supports more flexible queries and is easier to include in command scripts. It is included with the BIND version of DNS, and can be downloaded from many UNIX and Linux resource sites on the Internet.

Demarc

Earlier in the course, you saw that a demarc, or demarcation point, is where a building's wiring ends and the provider company's wiring begins. Any premises connected to the telephone company wiring include a demarc, including residential buildings as well as commercial and industrial buildings. A demarc can be installed on the outside of the building, as is common with residential demarcs, or it can be installed inside the building, as is the case with most commercial and industrial demarcs. A smart jack is a device that serves as the demarcation point between the end user's inside wiring and local access carriers' facilities. The smart jack is capable of looping a diagnostic signal back to the provider. The provider can thus remotely test the line up to the smart jack, without having to send a technician to the premises. Sometimes the provider also installs a physical jack on the backboard next to the demarc that you can plug a device into ad hoc. The customer would typically either perform a visual inspection of the wiring from the demarc to the punch down block, or might possibly put a telephone toner on the demarc posts if they are accessible. The customer would then use a wand to trace the tone signal. The demarc is the point at which the telephone company's responsibility for the line ends, and your responsibility begins. Usually, the telephone company will not troubleshoot issues past the demarc unless you pay for that service.

Network Analyzers

Earlier in the course, you saw that a network analyzer, also known as a packet or protocol analyzer, or a packet sniffer, is a software or hardware tool that integrates diagnostic and reporting capabilities to provide a comprehensive view of an organization's network. Network analyzers can be used to troubleshoot network problems and detect network intrusions. They can identify anomalous network issues or diagnose and troubleshoot complex network and application performance issues. They can look inside the header of the packets, which helps to determine if the packets, route, and destination are all what you expect.

Environment Monitors

Environment monitors are hardware tools that alert you when environmental conditions spike or plummet, placing temperatures above or below equipment specifications. In addition to temperature, environment monitors allow you to monitor the humidity in the environment in which the network devices are placed. By monitoring humidity, you can ensure that condensation does not build up in devices, and that there is enough humidity to reduce static electricity buildup. You can monitor a computer room with a humidity monitor, or you can use sensors to monitor the temperature inside servers, workstations, and components such as hard drives.

Wireless Issues

In addition to the physical and logical connectivity issues you can encounter while troubleshooting a wired network, wireless networks present their own issues.

Interference
Symptoms: Low throughput, network degradation, dropped packets, intermittent connectivity, and poor voice quality are all symptoms caused by interference.
Causes: RF interference can be caused by a number of sources, including cordless phones, Bluetooth devices, cameras, paging systems, unauthorized access points, metal building framing, and clients in ad-hoc mode.
Resolution: Determine the signal-to-noise ratio and try to locate the sources of interference. Remove or avoid environmental interference as much as possible.

Incorrect encryption/Wrong encryption type
Symptoms: If the encryption types between two devices (access point and client) do not match, no connection is established. Similarly, if different encryption keys are used between two devices, they cannot negotiate key information for verification and decryption in order to initiate communication.
Causes: Improper configuration and different encryption types.
Resolution: Ensure that security settings match between and among devices.

Congested/overlapping channels
Symptoms: Very slow speeds or no connectivity.
Causes: Interference from neighboring wireless networks that are on the same channel; mismatched channels will prevent connectivity; congested network channels.
Resolution: Many wireless routers are set to autoconfigure the same wireless channel. Try logging in to the router and manually changing the channel the wireless router is operating on.

Incorrect frequency
Symptoms: No connectivity.
Causes: Devices must operate on the same frequency. For example, a device designed to communicate at 5 GHz cannot communicate with one designed to communicate at 2.4 GHz.
Resolution: Deploy devices that operate on the same frequency.

SSID mismatch/Wrong SSID
Symptoms: No connectivity between devices.
Causes: Devices are configured to use different ESSIDs.
Resolution: Set the devices to use the same SSID. Ensure that the SSID configured on the wireless client and on the access point are identical. Note: SSIDs are case-sensitive.

Standard mismatch
Symptoms: No connectivity between devices.
Causes: Devices are configured to use different standards such as 802.11a/b/g/n.
Resolution: Devices chosen to work together should use the same standard. 802.11a, for example, is incompatible with 802.11b/g because the first operates at 5 GHz and the second at 2.4 GHz. Or, an 802.11g router could be set only for "g" mode while you are trying to connect with an 802.11b wireless card. Both 802.11b and 802.11g transmit at 2.4 GHz, but their throughput is different: 802.11b at 11 Mbps and 802.11g at 54 Mbps. Change the mode on the router.

Signal strength/loss
Symptoms: Low or no signal strength and throughput.
Causes: The distance between two points causes this connectivity issue. The longer the distance between two devices, the lower the signal strength. Issues that can occur because of low signal strength include latency, packet loss, retransmission, or transient traffic. Physical environmental factors can also have an impact on signal strength. Signal strength can be lost when the signal encounters objects such as concrete walls, window film, or metal studs. If a multiple input, multiple output wireless access point (MIMO WAP) does not deliver the superior signal strength expected of it, one or both antennas may be loose, unscrewed, or broken off. A MIMO WAP needs both antennas in order to deliver the superior signal strength.
Resolution: Add another access point to increase coverage. Use a spectrum analyzer to determine coverage and signal strength. You might need to use directional antennas or additional APs to improve signals when such environmental factors are encountered. Make sure that antennas are not loose and are screwed on properly.

Bounce
Symptoms: No or low connectivity between devices.
Causes: Signals from a device bounce off obstructions and are not received by the receiving device.
Resolution: If possible, move one of the devices to avoid obstructions. Monitor performance and check for interference.

Antenna placement
Symptoms: No or low signal and connectivity.
Causes: The position of your antenna can negatively affect overall performance if it is placed incorrectly.
Resolution: Alter the position of your antenna and monitor device performance.

AP configuration
Symptoms: The wireless modem is active, but clients cannot access the Internet.
Causes: Configuration of the wireless modem is incorrect.
Resolution:
• Check the configuration of the wireless modem by accessing the web admin interface.
• Check the encryption type, SSID, and passphrase text that is specified, and confirm that the wireless modem was rebooted after the configuration change.
• Ensure that the clients can also support the same encryption type.
• Verify that the same SSID and key phrase are defined in the network connection.
• Verify that the wireless receiver on the client is configured properly with the correct compatible drivers installed.
• Similarly, for a laptop, check that the wireless network adapter is functional and is turned on. If needed, update the device driver on the client systems.
• Check to see if any untested updates were applied to your wireless routers or devices. As with updates on any other part of your network, you should test any updates to your wireless routers and devices before deploying the updates on a wide scale. Troubleshooting a single update on a single device is much easier than troubleshooting it on an organization-wide basis.
• Determine whether the access point is stand-alone (thick) or controller-based (thin). A thick AP is a stand-alone device, so you will only have to check configuration settings on it. A thin AP also connects to a wireless LAN controller, using the LWAPP protocol; the controller will need to be accessed to check configuration settings.
Note: Typically, http://192.168.1.1 will be the address for accessing the admin interface. This may vary for some routers. Refer to the user manual or the manufacturer's site for the actual address.

Incompatibilities
Symptoms: The wireless device is not accessible from the client.
Causes: The settings on the wireless device are not compatible with the clients.
Resolution: Check the configuration of the wireless modem by accessing the web admin interface. Verify that the clients can support the same configuration. If not, identify a configuration, such as the encryption type, that is supported on both the clients and the server, and apply the same settings on the wireless device and the client systems.

Incorrect channel
Symptoms: The wireless signal is not accessible even within the expected range.
Causes: A number of factors can cause the signal of the WAP to deteriorate, and the performance of your network will dip lower than normal. The most common cause is another wireless device or application that operates at the same frequency, creating a conflict.
Resolution: Identify the conflicting device and move it to another location that is outside the reach of the WAP. If it is not possible to relocate devices, change the channel of one of the devices so that they operate at different frequencies. Ensure that cordless phones, microwaves, and other electrical equipment are kept a safe distance away from the access point.

Latency
Symptoms: Delay in data transmission on the network is very high.
Causes: The signal strength is weak or the position of the wireless antenna has been changed.
Resolution: Verify that the wireless modem is functional. Change the antenna position to the position that gives the best performance. Ensure that your antenna is kept in the same position.

AP placement
Symptoms: AP performance is considerably reduced.
Causes: There is a conflicting device in range that is causing interference and degrading WAP performance.
Resolution: Locate the conflicting device and, if possible, move it to another location. If that is not possible, work on your network layout and determine a better position for the WAP such that there is no conflict with the other devices. Monitor the WAP performance periodically to prevent further occurrences of the issue.

Device/bandwidth saturation
Symptoms: Very slow speeds or no connectivity.
Causes: On a wireless network, you can only have a certain number of devices connected before performance begins deteriorating. When you reach the device saturation limit, transmissions will be lost and need to be re-sent, thus decreasing the throughput to each device. Bandwidth saturation on wireless networks can also be reached if you have a lot of devices connected, or a device is transferring a large volume of data.
Resolution: Replace the WAP with one that provides better bandwidth, or add another WAP to support the needed traffic demands. Investigate whether some devices could use a wired connection instead.

Open network
Symptoms: Unauthorized devices are connected to your wireless network; you suspect your wireless traffic is being intercepted by an external entity.
Causes: An open network is a wireless network that is unsecured. It doesn't use any type of security or encryption. This makes any information you send or receive available for grabbing by anyone. It also gives anyone on that wireless network access to your device.
Resolution: Configure security and encryption settings for all WAPs and devices that connect to the wireless network.

Power levels
Symptoms: Wireless devices connect to a WAP that is not the closest; the coverage area of the WAP is smaller than it should be.
Causes: The power level on the WAP may be set too high or too low. This will cause it to extend its range too far or make it too small.
Resolution: Set the power to 50% and make small increments up and down to find a good balance of power and coverage.

Rogue access point
Symptoms: Unauthorized access through the wireless network.
Causes: A wireless access point that is added to a network without the administrator's consent or knowledge is considered a rogue access point. These are usually installed by employees who want wireless access to the network when no wireless access is available. Rogue access points can also be used as an evil twin. An evil twin operates outside of the organization's network and receives beacons transmitted by the legitimate network, with the intent of giving unauthorized users access to the organization's network.
Resolution: Remove the rogue access point from the network. Administrators can routinely monitor their managed wireless access points. If any additional access points are detected, they should immediately be removed from the network to protect it.

Wrong antenna type
Symptoms: The range of the wireless signal is either too short or too far.
Causes: Installing the wrong antenna type can make your Wi-Fi signal not reach far enough, or it can make the signal pickable outside the area you intend your network to reach. The range covered depends on the access point type (802.11b, g, or n) and the type of antenna connected to it. The standard antenna that comes with an 802.11g AP can usually reach about 100 meters. However, if a semi-parabolic antenna is installed, the same AP can often reach as far as 20 miles. You would not want your AP to broadcast so far. An 802.11n AP can often reach twice as far.
Resolution: Replace the wrong antenna type with the correct one. You can also use directional antennas to improve the distance the AP can reach without going outside of the area you want covered. Some APs allow you to install upgraded antennas to improve coverage in this way.

ICMP-Related Issues

ICMP can be misused by hackers and cause problems. ICMP smurf attacks can cause a DoS. ICMP redirect messages can cause clients to use a fake gateway so that a hacker can capture user names, passwords, and data. ICMP echo and echo reply packets can carry malicious payloads as a covert channel. ICMP is used in the ping and tracert commands, and if you block ICMP on a firewall or in a router ACL, then you won't be able to ping to test network connectivity.

A NIDS can be used to actively monitor the network for malicious ICMP traffic. The challenge with this is that there need to be accurate signatures to detect malicious ICMP traffic. A host-based IDS is another option, but it will also require accurate inputs to monitor the traffic accurately. You can filter ICMP traffic to minimize potential threats. To do this, you need to know which types of ICMP messages should be allowed into and out of the network.

You may receive an ICMP "unreachable" message from the gateway. This means the gateway router has no specific route or default route to send the packet to; it drops the packet and sends an ICMP "unreachable" message to the sender. Verify that the router has a route defined to send the packets to. Perform a traceroute to the destination that was unreachable to see where the traffic stops.

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65,535 bytes. Larger packets could crash the target computer. Operating systems were patched to avoid this type of attack. A newer form of the ping of death, called ping flooding, floods the victim with so much ping traffic that normal traffic fails to reach the system, a basic DoS attack.
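The following Python is an added example, not part of the course text: a small detector that applies three of the checks described above to constructed IPv4/ICMP packets, flagging a fragment whose offset plus length exceeds the 65,535-byte IPv4 maximum (ping of death), a redirect that does not come from the trusted gateway, and a burst of echo requests from one source (ping flood). The packet builder, the addresses, and the 100-requests-per-second flood threshold are assumptions made for the example.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

IPV4_MAX_BYTES = 65535          # largest legal IPv4 datagram, as stated above
ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 5, 8
IP_HDR = "!BBHHHBBH4s4s"        # 20-byte IPv4 header without options


def build_ipv4_icmp(src, dst, icmp_type, payload=b"", frag_offset=0, more=False):
    """Construct a minimal IPv4 datagram carrying ICMP (constructed sample data,
    not a real capture). frag_offset is in 8-byte units, as in the header.
    A real non-first fragment carries no ICMP header, so the parser below only
    reads the ICMP type from fragments whose offset is 0."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    flags_frag = (0x2000 if more else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0xBEEF, flags_frag, 64, 1, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + icmp


def parse_ipv4(pkt):
    """Decode the header fields the checks need (checksums are not verified)."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    return {
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
        "proto": proto,
        "frag_offset": offset,
        "payload_len": total_len - ihl,
        "icmp_type": pkt[ihl] if proto == 1 and offset == 0 and len(pkt) > ihl else None,
    }


def inspect_icmp(packets, trusted_gateway, flood_threshold=100):
    """Run the three checks over (timestamp_seconds, raw_bytes) pairs and return
    (rule, source_ip) alerts in the order they fire."""
    alerts = []
    echo_window = defaultdict(list)   # source -> echo-request timestamps in the last second
    for ts, raw in packets:
        p = parse_ipv4(raw)
        if p["proto"] != 1:
            continue
        # Ping of death: the reassembled datagram would exceed the IPv4 maximum.
        if p["frag_offset"] + p["payload_len"] > IPV4_MAX_BYTES:
            alerts.append(("ping_of_death", p["src"]))
        # Redirects should only ever come from the gateway the clients already use.
        if p["icmp_type"] == ICMP_REDIRECT and p["src"] != trusted_gateway:
            alerts.append(("rogue_redirect", p["src"]))
        # Ping flood: too many echo requests from one source inside a one-second window.
        if p["icmp_type"] == ICMP_ECHO_REQUEST:
            window = echo_window[p["src"]]
            window.append(ts)
            while ts - window[0] > 1.0:
                window.pop(0)
            if len(window) == flood_threshold:   # alert once, when the threshold is crossed
                alerts.append(("ping_flood", p["src"]))
    return alerts


def sample_traffic():
    """Constructed traffic: a benign echo reply, an oversized final fragment, a redirect
    from the real gateway, a redirect from an impostor, then 150 echo requests in 0.75 s."""
    gw, victim, suspect = "10.0.0.1", "10.0.0.50", "10.0.0.99"
    pkts = [
        (0.0, build_ipv4_icmp(gw, victim, ICMP_ECHO_REPLY, b"\x00" * 56)),
        # offset 8184 * 8 = 65,472 bytes, plus 72 bytes of data = 65,544 > 65,535
        (0.1, build_ipv4_icmp(suspect, victim, ICMP_ECHO_REQUEST, b"\x00" * 64, frag_offset=8184)),
        (0.2, build_ipv4_icmp(gw, victim, ICMP_REDIRECT)),
        (0.3, build_ipv4_icmp(suspect, victim, ICMP_REDIRECT)),
    ]
    pkts += [(1.0 + i * 0.005, build_ipv4_icmp(suspect, victim, ICMP_ECHO_REQUEST, b"\x00" * 56))
             for i in range(150)]
    return pkts


if __name__ == "__main__":
    for rule, src in inspect_icmp(sample_traffic(), trusted_gateway="10.0.0.1"):
        print(f"ALERT {rule} from {src}")
```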

Improper Access

Improper access is usually an authorized person going into an unauthorized area or doing something they shouldn't be doing. It is not always malicious. It can be accidental by a user or by a developer who is trying to create software for the company to use internally. It can also be a hacker using a backdoor to gain access to your network. A backdoor not only allows the hacker to access the network, potentially undetected, it also provides them with the means to return and enter the system. Troubleshooting improper access is the same as for malicious users. It goes back to tightening all access controls, implementing IDS, granting least privilege, and auditing/monitoring for unauthorized or improper access. You should also always have backups and redundancy to get your system back to normal quickly in case there was damage due to improper access.

Crossover Cables

In Ethernet UTP installations, crossover cables enable you to connect devices without using a hub or a switch. In a crossover cable, the transmit and receive lines are crossed to make them work like a loopback, a function that the switch normally performs. In troubleshooting, crossover cables let you connect two stations' network adapters directly without a switch so that you can test communications between them. A T1 crossover cable is used to connect two T1 CSU/DSU devices by using T568B pairs. Crossover cables are very much like straight-through cables, with the exception that the TX and RX lines are crossed:

Connector A pin / connector B pin
Pin 1 / pin 3
Pin 2 / pin 6
Pin 3 / pin 1
Pin 4 / pin 7
Pin 5 / pin 8
Pin 6 / pin 2
Pin 7 / pin 4
Pin 8 / pin 5

If you suspect that a server's NIC might be faulty, you can use a crossover cable to attach a laptop's NIC directly to the server's NIC. Provided that both NICs are configured correctly, you should be able to log on to the server if the server's NIC is good.

Logical issues

In addition to physical connectivity issues, your network can suffer from logical connectivity issues, which range from no connectivity to lost connectivity and can vary in severity.

Port speed
Symptoms: No or low-speed connectivity between devices.
Causes: Ports are configured to operate at different speeds and are therefore incompatible with each other.
Resolution: Verify that equipment is compatible and is operating at compatible speeds. For example, if you're running a switch at 100 Mbps but a device's NIC runs at 10 Mbps, the device will be slow. Replace the NIC with one that runs at 100 Mbps and you will increase the throughput (at least theoretically, since there are other variables such as network congestion).

Port duplex mismatch
Symptoms: Late collisions, port alignment errors, and FCS errors are present during testing.
Causes: Mismatches are generally caused by configuration errors. They occur when the switch port and a device are configured to use different duplex settings, or when both ends are set to auto-negotiate the settings.
Resolution: Verify that the switch port and device are configured to use the same duplex setting. This may entail having to upgrade one of the devices.

Wrong VLAN/Incorrect VLAN assignment
Symptoms: No connectivity between devices.
Causes: Devices are configured to use different VLANs.
Resolution: Reconfigure devices to use the same VLAN.

Incorrect interface/Interface misconfiguration
Symptoms: No connectivity between devices.
Causes: Either the source or destination device has an incorrect IP address or subnet mask.
Resolution: Use the ping command to determine if there is connectivity between devices. Resolution will depend on the problem. If a network is running a rogue DHCP server, for example, two devices could have been leased the same IP address. Check TCP/IP configuration info by using ipconfig /all on Windows devices, and ifconfig on Linux/UNIX/Mac devices. After confirming the issue, troubleshoot DHCP. It could also be the case that a static IP address was entered incorrectly. Check IP addresses, and empty the ARP cache on both devices. Check the subnet mask on both devices. Change the incorrect subnet mask to a correct one and test connectivity.

Interface errors
Symptoms: No connectivity between devices, the device is generating error messages, or the WAN connection is down.
Causes: The device is misconfigured, or it or another device is failing. For WAN connections, there may be issues such as a protocol mismatch between the two routers, an improperly configured DCE/DTE relationship, or a PPP authentication mismatch between the two sides.
Resolution: Review system messages for the device, if any, to see if there is information that indicates what the issue is. You can use utilities to look for errors such as CRC errors, collisions, and frame errors.

Wrong default gateway address
Symptoms: No connectivity between devices.
Causes: The IP address of the default gateway is incorrect for the specified route.
Resolution: Change the IP address of the default gateway to the correct address.

Misconfigured DHCP
Symptoms: No connectivity for some or all devices.
Causes: DHCP is misconfigured and not assigning the correct IP addresses for the network, or did not assign enough IP addresses to cover all devices.
Resolution: Check the DHCP server configuration and verify that it is using the correct IP address range. Determine the number of addresses in the IP address range and compare that against the number of connecting devices to see if there are enough.

Misconfigured DNS
Symptoms: No connectivity between devices when using device names, or unable to resolve names on the Internet connection.
Causes: A device is configured to use the wrong DNS server, which prevents using device names or resolving names on the Internet.
Resolution: Open TCP/IP properties and check the IP address of the DNS server listed for the client. Replace it with the correct IP address and test connectivity.

Duplicate IP address
Symptoms: The system displays a notification that the same IP address is in use on the network. No connectivity between devices.
Causes: The same IP address is assigned to more than one device.
Resolution: If the network is DHCP-enabled, try to identify the devices that are assigned IP addresses manually and change the IP address of such devices to be outside the DHCP scope. If the network is not DHCP-enabled, locate the devices that have the same IP address, and change the IP address on one of the devices.

Power failure
Symptoms: There is a power failure that affects switches and routers.
Causes: Switch and router adapters connect to cable modems, which depend on the availability of power.
Resolution: Use cable modems and other network devices with battery-backed power supplies to ensure that there is uninterrupted service for several hours in case of local power failures.

Bad/missing IP routes
Symptoms: The router is sending packets using an invalid path.
Causes: The router setting is incorrect. Missing IP routes are either the result of missing or misconfigured routing protocols, or of an unconfigured or misconfigured default gateway address.
Resolution: Check and change the router setting and reboot the router for the changes to take effect.

NIC teaming misconfiguration
Symptoms: There is a switching loop on the network related to a NIC team.
Causes: An administrator misconfigures a NIC team so that it ends up being not one aggregate link but several parallel links, or something happens to the hardware that causes the aggregate to break apart. Any broadcast or multicast would then cause an instant storm.
Resolution: Configure the "active" and "passive" features of the Link Aggregation Control Protocol (LACP) to prevent the NIC team from losing aggregation. You can have both sides of the links be in active mode, thus guaranteeing link aggregation. You can also have one side be active and the other passive to create link aggregation.

Unpatched firmware/OS
Symptoms: Network devices or computers are targets of exploit attacks.
Causes: Attackers are taking advantage of a security flaw in the firmware of a device or the OS of a computer.
Resolution: Apply patches that address the security flaw in the firmware or OS.

Loss of Internet connectivity
Symptoms: One or more devices cannot connect to the Internet.
Causes: Loss of Internet connectivity could be related to many different issues such as hardware failure, misconfigured settings, an Internet service provider (ISP) issue, and more.
Resolution: Try to determine if the entire network has lost Internet access or if it is localized to certain segments or computers. If it is not the entire network, then troubleshoot the affected segments and computers that have lost connectivity. If it is the entire network, then check the WAN devices to ensure they are functioning properly. Call your ISP and have them validate that there are no issues on their end.

Split horizon
Symptoms: One branch office sends a route update to the main office; the hub office will NOT repeat the route to the other branch office.
Causes: Split horizon becomes a problem on a multipoint link in a hub-and-spoke topology where you have two or more branch offices connected to the same interface of a main (hub) office.
Resolution: To fix this unintended consequence of split horizon, break the multipoint connection into two separate links. If you cannot use two separate physical interfaces on the hub, then turn the one physical interface into two logical subinterfaces on the hub site's router. Each subinterface creates its own point-to-point link with its corresponding branch office. The routing protocol now treats the subinterfaces as separate interfaces, allowing an incoming routing update on one subinterface from one branch office to be repeated out the other subinterface to the other branch office.

Router configurations
Symptoms: No WAN connectivity or limited connectivity.
Causes: Since it is the router that has the WAN interface, any number of things can be misconfigured, including the Layer 2 protocol, the clock rate, route tables, possible router-to-router authentication or IPSec VPN settings, and inappropriate access control lists (ACLs) set on the router.
Resolution: Troubleshoot the issue by checking the different configuration settings on the router. Check each group of settings, verify that they are correct, and then check the connection again to see if it is now working.

Customer premises equipment
Symptoms: No WAN connectivity or limited connectivity.
Causes: There can be an issue with the customer premises equipment. The demarc, smart jack, or Channel Service Unit/Data Service Unit (CSU/DSU) could have failed or been misconfigured. If copper line drivers/repeaters are in use, they may have been placed too far away from the transmitting source.
Resolution: Check the components inside the building, such as the demarc, smart jack, and CSU/DSU, to verify that they have power and are functioning. Most CSU/DSUs are built into the WAN interface card, but older routers may require a separate CSU/DSU between the router's serial port and the provider's demarc. Ensure that repeaters are placed no farther than 80% of the recommended distance; in some cases they should be closer if there is more EMI/RFI in the environment.

Company security policy
Symptoms: The WAN connection is not performing as well as it should.
Causes: Your company policy may limit and/or block certain traffic or protocols. It may limit how much bandwidth a connection can utilize. It may block many types of traffic/protocols for security reasons, especially going out on the Internet. Common protocols that are blocked for security reasons include ICMP, RDP, SMB, RPC, telnet, and SSH. It may disallow users from using more than their fair share of WAN bandwidth, and thus impose limits on utilization.
Resolution: If the company security policy is interfering with legitimate work-related traffic, then it can be re-evaluated to see if it needs to be changed, or perhaps an exception can be created for certain traffic. If the policy is not interfering with legitimate work-related traffic, then remind the users of the company policy.

Satellite issues
Symptoms: Satellite connectivity is slow or intermittent.
Causes: Due to the greater distances the signal must travel, average latency is high, and weather conditions also affect the signal.
Resolution: Check to see if there is a closer connection that can be used that has lower latency. Much of the slowdown associated with satellite connections is that, for each request, many round trips must be completed before any useful data can be received by the requester. Special IP stacks and proxies can reduce latency by lessening the number of round trips, or by simplifying and reducing the length of protocol headers. These types of technologies are generally referred to as TCP acceleration, HTTP pre-fetching, and DNS caching.
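The interface, default gateway, DNS and duplicate-address checks above can be scripted against the output of ipconfig /all. The following Python is an added example, not part of the course material: it parses constructed ipconfig excerpts (sample data, not real captures) and reports which hosts deviate from the segment's expected network, gateway and DNS server, or share an address with another host. The host names, addresses and expected values are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import IPv4Interface, IPv4Network

# The `ipconfig /all` fields the audit needs; every other line is ignored.
FIELDS = {"IPv4 Address": "ip", "Subnet Mask": "mask",
          "Default Gateway": "gateway", "DNS Servers": "dns"}


def parse_ipconfig(name, text):
    """Pull the IPv4 settings for one host out of an `ipconfig /all` excerpt.
    Only the four IPv4 fields above are read, so IPv6 lines (which contain
    colons of their own) are skipped by key name."""
    cfg = {"name": name}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip(" .")            # "IPv4 Address. . . . " -> "IPv4 Address"
        if key in FIELDS:
            cfg[FIELDS[key]] = value.strip().split("(")[0]   # drop "(Preferred)"
    return cfg


def audit_segment(hosts, expected_network, expected_gateway, expected_dns):
    """Compare each host's settings with what the segment should use and return a
    sorted list of (host, issue) tuples: ip_outside_segment, wrong_subnet_mask,
    wrong_default_gateway, misconfigured_dns, duplicate_ip."""
    segment = IPv4Network(expected_network)
    owners = defaultdict(list)
    findings = []
    for h in hosts:
        iface = IPv4Interface(f"{h['ip']}/{h['mask']}")
        if iface.ip not in segment:
            findings.append((h["name"], "ip_outside_segment"))
        elif iface.network != segment:
            # Address is on the segment but the mask computes a different network.
            findings.append((h["name"], "wrong_subnet_mask"))
        if h["gateway"] != expected_gateway:
            findings.append((h["name"], "wrong_default_gateway"))
        if h["dns"] != expected_dns:
            findings.append((h["name"], "misconfigured_dns"))
        owners[h["ip"]].append(h["name"])
    for names in owners.values():
        if len(names) > 1:               # the same address leased or typed on two hosts
            findings.extend((n, "duplicate_ip") for n in names)
    return sorted(findings)


def constructed_ipconfig(ip, mask, gateway, dns):
    """Build a constructed `ipconfig /all` excerpt in the Windows layout (sample data)."""
    return "\n".join([
        "Ethernet adapter Ethernet0:",
        f"   IPv4 Address. . . . . . . . . . . : {ip}(Preferred)",
        f"   Subnet Mask . . . . . . . . . . . : {mask}",
        f"   Default Gateway . . . . . . . . . : {gateway}",
        f"   DNS Servers . . . . . . . . . . . : {dns}",
    ])


def sample_hosts():
    """Four constructed hosts on what should be 192.168.10.0/24 via 192.168.10.1."""
    specs = {
        "pc1": ("192.168.10.25", "255.255.255.0", "192.168.10.1", "192.168.10.5"),    # correct
        "pc2": ("192.168.10.26", "255.255.0.0", "192.168.10.1", "192.168.10.5"),      # wrong mask
        "pc3": ("192.168.10.25", "255.255.255.0", "192.168.10.254", "192.168.10.5"),  # dup IP, wrong gateway
        "pc4": ("192.168.10.40", "255.255.255.0", "192.168.10.1", "192.168.99.5"),    # wrong DNS server
    }
    return [parse_ipconfig(name, constructed_ipconfig(*spec)) for name, spec in specs.items()]


if __name__ == "__main__":
    for host, issue in audit_segment(sample_hosts(), "192.168.10.0/24",
                                     "192.168.10.1", "192.168.10.5"):
        print(f"{host}: {issue}")
```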

Jamming

Jamming is a very crude but effective form of radio-based DoS. It is effective whenever the jamming signal arriving at the receiver is stronger than the legitimate transmitter's. The jammer itself can produce a fairly weak signal, but if it is close to the receiver and the legitimate transmitter is farther away, the jammer's signal will be relatively strong. You can identify jamming by using a spectrum analyzer. You will then need to use several mobile devices/laptops with directional antennas to triangulate the location of the jammer. Jammers can be very small and well hidden, even on a person, so you have to look carefully and use a good directional antenna to find them.

Light Meters

Light meters, also known as optical power meters, are devices used to measure the power in an optical signal. A typical light meter consists of a calibrated sensor, measuring amplifier, and display. The sensor primarily consists of a photodiode selected for the appropriate range of wavelengths and power levels. The display will show the measured optical power and set wavelength. A traditional light meter responds to a broad spectrum of light, and the user sets the wavelength to test. If there are other spurious wavelengths present, then wrong readings can result.

LED Indicators

Light-emitting diode (LED) indicators on network adapters, switches, routers, and cable and DSL modems can give you information about the status of the network connection. There are different types of LED indicators.

Link indicators: Most adapters have a link indicator to visually indicate signal reception from the network. If the link indicator is not lit, it could indicate a problem with the cable or the physical connection.

Activity indicators: Most adapters also have an activity indicator that flickers when data packets are received or sent. If the indicator flickers constantly, the network might be overused or there is a system generating noise.

Speed indicators: Dual-mode adapters have a speed indicator to display whether the adapter is operating at 10 Mbps, 100 Mbps, or 1 Gbps.

Dual-color indicators: Some adapters use dual-color indicators to indicate different network states. For example, a green flickering indicator might indicate normal activity, whereas an amber flickering indicator indicates collisions on the network.

Malicious Users

Malicious users are an interesting problem. If they are very careful, it can be quite hard to detect their activity if they are inside the organization. They can be untrusted users who actively cause damage or violate security on purpose, or they can be trusted users who inadvertently cause damage to the network or violate security. The list of issues that malicious users can create ranges from using packet sniffing to examine traffic on the trusted network, to damaging equipment, to simply copying data and releasing it outside of the network. You will need good auditing and monitoring with someone actually looking at the logs and alerts to try to detect malicious users. Lock down machines very tightly with host-based IDS and lots of auditing. Automate the monitoring system as much as possible so that there is less chance of activity getting past you.

Malware

Malware is often difficult to troubleshoot because the symptoms can be vague or not obvious. Some malware, such as browser hijacking, has obvious telltale signs. Other malware, such as zero-day infections or rootkits, is very difficult to trace. A lot of malware is difficult to remove. The best way to search for infections is to use a good, up-to-date virus scanner. However, some malware such as spyware, adware, rootkits, and hijacked browsers do not show up in a virus scan. Use antivirus products that scan for all of these, or that specialize in one thing, such as spyware. However, do not install two antivirus products on the same device, as they tend to conflict and will usually cause severe performance degradation. Sometimes, the easiest way to remove a serious infection from a Windows device is to apply a restore point, which takes the device back to a previously saved state. In a really serious case, you can refresh the device by wiping the hard drive and reinstalling the operating system. Both of these methods come with the inconvenience that you may have to reinstall applications that were added after the restore point was created. You will also spend time re-applying updates that came after the restore point was created. In addition, this will not fix the user behavior, such as visiting certain websites or trading flash drives with other people, that caused the computer infection to begin with. Without careful education, the user will most likely reinfect his or her device very quickly. In an enterprise environment, carefully locking down devices through policy or even desktop virtualization can go a long way toward limiting or preventing malware infections.

NBTSTAT

NBTSTAT is a Windows utility that is used to view and manage NetBIOS over TCP/IP (NetBT) status information. It can display NetBIOS name tables for both the local device and remote devices, and also the NetBIOS name cache. The table names enable you to verify the connection establishment. With NBTSTAT, you can refresh the NetBIOS name cache as well as the names registered with the Windows Internet Name Server (WINS) server. NBTSTAT can be very helpful in identifying problems that are specific to Windows devices using NetBIOS naming. NBTSTAT was developed specifically as a NetBIOS diagnostic tool, and it displays NetBIOS information that is not available with other TCP/IP utilities.

There are several case-sensitive options you can use with the NBTSTAT command. They follow the syntax:
-a [RemoteName] Displays the NetBIOS name table of the remote device specified by the name.
-A [IPAddress] Displays the NetBIOS name table of the remote device specified by the IP address.
-c Displays the NetBIOS name cache of the local device.
-n Lists the local NetBIOS name table along with the service code, type, and status.
-r Lists NetBIOS names resolved by broadcast and via WINS.
-R Purges the cache and reloads static entries from the LMHOSTS file.
-S Lists NetBIOS connections and their state with destination IP addresses.
-s Lists NetBIOS connections and their state, converting destination IP addresses to computer NetBIOS names.
-RR Sends name release packets to the WINS server and then starts refresh.

Discovery of Neighboring Devices and Nodes

Network discovery is a method for devices to find each other on the network. This is usually a configuration option as it can lead to some security issues, mostly on public networks. When not working, devices typically can be pinged but cannot be connected to. If network discovery is used but not functioning, then the first step to take is to make sure that the option has been enabled. Check network connectivity in general to make sure there isn't another issue causing the problem. Typically there are certain services that need to be running in order for the network discovery to work properly. For example, for Windows these typically include: DNS Client, SSDP Discovery, UPnP Device Host, and Function Discovery Resource Publication services. For your system, verify that the required services are running. Some security applications such as firewalls may interfere with network discovery. Research what traffic needs to be allowed and determine if your firewall or other security application is causing the issue.

traceroute/tracert

On a UNIX® or Linux device, if you cannot connect to a particular remote host, you can use traceroute, or traceroute6 for IPv6, to determine where the communication fails. Issue a traceroute command from the local device to see how far the trace gets before you receive an error message. By using the IP address of the last successful connection, you will know where to begin troubleshooting the problem and potentially even pinpoint a specific failed device. On Windows devices, the tracert, or tracert -6 for IPv6, utility provides similar functionality.

Safety Rules

Only a professional electrician should install, test, and maintain electric power equipment. Network technicians can safely install and test low-power communication circuits in network cabling. When you work with electrical power, you need to follow certain basic safety rules:
• Always disconnect or unplug electrical equipment before opening or servicing it.
• Work with a partner.
• Never bypass fuses or circuit breakers.
• Use anti-static mats and wristbands to protect yourself and equipment from static discharge. Prevent an electrostatic discharge (ESD) from damaging components by standing on a totally insulated rubber mat to increase the resistance of the path to ground. In some cases, workstations are located in areas with grounded floors and workbenches, so static electricity has a low-resistance, non-destructive path to ground.
• Use grounding conductive materials and self-grounding methods before touching electronic equipment. You can prevent ESD injuries by using ESD straps that can be attached to your ankle or wrist.
• Eliminate unnecessary activities that create static charges. By removing unnecessary materials that are known charge generators, you can protect against ESD-related damage and injuries.
• Perform only the work for which you have sufficient training.
• Check the area for potential causes of secondary injuries.
• Do not attempt repair work when you are tired; you may make careless mistakes, and your primary diagnostic tool, deductive reasoning, will not be operating at full capacity.
• Do not assume anything without checking it out for yourself.
• Do not wear jewelry or other articles that could accidentally contact circuitry and conduct current.
• Wear rubber-soled shoes to insulate yourself from ground.
• Suspend work during an electrical storm.
• Do not handle electrical equipment when your hands or feet are wet or when you are standing on a wet surface.
• Perform tests with the power supply turned off.
• Power supplies have a high voltage in them any time the device is plugged in, even if the device's power is turned off. Before you start working inside the device case, disconnect the power cord and press the power button to dissipate any remaining power in the circuitry. Leave the power off until you are done servicing the unit.

Similarly, when you are installing, maintaining, and troubleshooting equipment, you should follow these safety rules:
• Check tools before you begin to ensure they are in good condition and functioning properly. Do not misuse tools.
• When lifting equipment, always assess the situation first to determine if you can lift or move items safely.
• When you lift, bend at your knees and not at your waist. This will prevent strain on your back muscles and pressure on your spine.
• Use lifting equipment for heavy and/or bulky items.
• When installing a rack system, follow safety guidelines to ensure your safety and the safety of any equipment.
• Make sure you use proper placement of equipment and devices as prescribed by the manufacturer.

Open or Closed Ports

Open and closed ports are generally used in hacking, rather than regular troubleshooting. A port scanner can determine if a port is open or closed. If it is open, then the host has a service that is responding on that port. If it is a TCP port, the usual response is SYN ACK. That port can then have a vulnerability scan performed against it to see if the service is vulnerable. A closed port means that there is a device at that IP address, but that there is no service listening on that port. If it is a TCP port, the target device will send back a TCP RST (reset) meaning that it is not accepting connections on that port. Open and closed ports can be used for troubleshooting to see if a firewall permits traffic to a protected host on a particular port. If you use a port scanner to connect to port 80 and get no response where there should be a response, then perhaps the firewall is misconfigured. If you get an RST, then the firewall may be permitting the traffic, but the target host is not listening on that port. This may be particularly useful if the target host is using a non-standard port. In addition, if the port is open but the service does not respond properly, then there is something wrong with the service. For example, if you scan TCP port 80 and get a SYN ACK response, you know you are getting port 80 traffic to the target. If you then open a browser and do not get the response you expect, you know that the web server is misconfigured or has a problem, but that there is no problem with the network itself. The only exception to that would be if the firewall was acting as a reverse proxy and perhaps has some additional rules that filter or block the content.

Simultaneous Wired/Wireless Connections

Simultaneous wired and wireless connections are not an issue in and of themselves. Sometimes issues can be created when a device has both connections. For example, if you are connected to both, you may want to use the wired connection for its higher transfer rate, but the wireless connection may be the one actually used. If a device is connected using the wired connection and then the user disconnects it to move to another location where they will rely on the wireless connection, they will lose their network connection while the device switches from the disconnected NIC to the wireless adapter. Normally this only results in a brief interruption of network connectivity. If the user was connected to an application, it may need to be closed and reopened for it to use the new connection. Users should be educated on how the two connections work when both are available and what happens when one is added or removed. If both the wired and wireless connections are on the same subnet, then either one connection will have a lower route cost than the other, or routes will be ambiguous and unpredictable. For example, if your wired LAN connection has a lower cost, the wired connection will always be used whenever it is active. However, if both connections have the same cost, some packets may be routed to the wired LAN and others to the wireless network. In this case, change the subnet of one of the networks.

Common Security Configuration Issues

Some of the more common security configuration issues that you are likely to encounter include:
• Misconfigured firewalls
• Misconfigured access control lists (ACLs) and applications
• Open or closed ports
• Authentication issues
• Domain or local group configurations

Troubleshooting Documentation Template

Some of the things you might want to include in a troubleshooting documentation template are:
• A description of the initial trouble call, including date, time, who is experiencing the problem, and who is reporting the problem.
• A description of the conditions surrounding the problem, including the type of device, the type of network interface card (NIC), any peripherals, the desktop operating system and version, the network operating system and version, the version of any applications mentioned in the problem report, and whether or not the user was logged on when the problem occurred.
• Whether or not you could reproduce the problem consistently.
• The exact issue you identified.
• The possible cause or causes you isolated.
• The correction or corrections you formulated.
• The results of implementing each correction you tried.
• The results of testing the solution.
• Any external resources you used, such as vendor documentation, addresses for vendor and other support websites, names and phone numbers for support personnel, and names and phone numbers for third-party service providers.

Speed Test Sites

Speed test sites are web services that measure the bandwidth (speed) and latency of a visitor's Internet connection. Tests typically measure both the download data rate and the upload data rate. A server located in the visitor's geographic region is typically used for the test. The tests are performed within the user's web browser, and the sites provide statistics based on the test results. These sites allow you to test your connection speeds and latency in a real-world setting to see what the actual performance is.

SNIPS

System and Network Integrated Polling Software (SNIPS) is a system and network monitoring software tool that runs on UNIX devices. It offers both command-line and web interfaces to monitor network and system devices. The monitoring functions of SNIPS determine and report the status of services running on the network. Reports can be viewed in real time by the systems administrator through a terminal or web interface. Events detected by SNIPS can be configured either to set off an alarm or to simply log the event, based on monitoring levels the administrator can configure. The four monitoring levels supported by SNIPS are: info, warning, error, and critical.

NETSTAT

The NETSTAT utility shows the status of each active network connection. NETSTAT (network statistics) will display statistics for both TCP and UDP, including protocol, local address, foreign address, and the TCP connection state. Because UDP is connectionless, no connection information will be shown for UDP packets. NETSTAT is a versatile troubleshooting tool that can serve several functions. You can:
• Use NETSTAT to find out if a TCP/IP-based program, such as SMTP or FTP, is listening on the expected port. If not, the system might need to be restarted.
• Check statistics to see if the connection is good. If there is a bad connection, this usually means there are no bytes in the send or receive queues.
• Use statistics to check network adapter error counts. If the error count is high, it could be a problem with the card, or could indicate generally high network traffic.
• Use NETSTAT to display routing tables and check for network routing problems.

There are several options available to use with the NETSTAT command:
-a All connections and listening ports.
-e Ethernet statistics.
-n Addresses and port numbers in numerical form.
-o The process ID associated with each connection.
-p [protocol] Connections for the protocol specified in place of [protocol] in the command syntax. The value of the [protocol] variable may be TCP, UDP, TCPv6, or UDPv6.
-r The routing table.
-s Statistics grouped by protocol: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6.
[interval] Refreshes and redisplays the statistics specified in the command every [interval] seconds. Ctrl+C stops the command from refreshing.

Socket states:
SYN_SEND Connection is active and open.
SYN_RECEIVED The server just received the synchronize flag set (SYN) from the client.
ESTABLISHED The client received the server's SYN and the session is established.
LISTEN The server is ready to accept a connection.
FIN_WAIT_1 The connection is active, but closed.
TIMED_WAIT The client enters this state after FIN_WAIT_1.
CLOSE_WAIT Passive close. The server just received FIN_WAIT_1 from a client.
FIN_WAIT_2 The client just received an acknowledgement of its FIN_WAIT_1 from the server.
LAST_ACK The server is in this state when it sends its own FIN.
CLOSED The server received an acknowledgement (ACK) from the client and the connection is closed.

arp

The arp utility supports the Address Resolution Protocol (ARP) service of the TCP/IP protocol suite. It enables an administrator to view the ARP cache and add or delete cache entries. It is also used to locate a node's hardware address. Any added entry becomes permanent until it is deleted or the device is shut down.

The ARP cache is a table used for maintaining the correlation between each media access control (MAC) address and its corresponding IP address. To reduce the number of address resolution requests, a client normally has all addresses resolved in the cache for a short period of time. The ARP cache is of a finite size; if no limit is specified, all incomplete and obsolete entries of unused devices will accumulate in the cache. The ARP cache is, therefore, periodically flushed of all entries to free up memory.

arp can be used both to help troubleshoot duplicate IP address problems and to diagnose why a workstation cannot connect to a specific host. If a host is reachable from one workstation but not from another, you can use the arp command on both workstations to display the current entries in the ARP table. If the MAC address on the problem workstation does not match the correct MAC address, you can use arp to delete the incorrect entry. On both UNIX and Windows systems, the arp -a command will return a tabular listing of all ARP entries in the node's ARP cache.

You can refer to online MAC address lookup tables to identify an address on a switch, in network command results, or in the ARP cache that you don't think belongs on your network. Identifying the MAC address helps you identify the manufacturer of the device to help you narrow down the device you are looking for and remove it from your network.

There are several options available for use with arp. They follow the syntax: arp [option]

arp can be used in conjunction with ping to troubleshoot more complex network problems. If you ping a host on the network and there is no reply, the host may not necessarily be unavailable. The increased use of firewalls today can prevent a ping from returning accurate information. Instead, you can use the arp command to find the host by its MAC address and bypass the IP address resolution.

Misconfigured Firewalls

The first step you typically take in troubleshooting a Windows Firewall problem is to view which rules are currently being applied to the device. Many firewalls have a monitoring node that enables you to see the rules currently being applied to a device. Many firewalls also allow for the logging of processed rules. This will also allow you to research which rules are being applied. Only one firewall rule is used to determine if a network packet is allowed or dropped. If the network packet matches multiple rules, then you need to determine how your system handles multiple rules. Some firewalls process the first rule that applies, and others allow certain types of rules to take precedence.

nslookup

The nslookup utility is used to test and troubleshoot domain name servers. nslookup has two modes: the interactive mode enables you to query name servers for information about hosts and domains, or to print a list of hosts in a domain. The non-interactive mode prints only the name and requested details for one host or domain. The non-interactive mode is useful for a single query. You can use nslookup to display information about DNS servers. You can verify that:
• The device is configured with the correct DNS server.
• The server is responding to requests.
• The entries on the server are correct.
• The DNS server can communicate with other servers in the DNS hierarchy to resolve names.

nslookup is available on UNIX and Windows systems. The syntax for the nslookup command is: nslookup [-option ...] [computer-to-find | - [server]]
• To enter the interactive mode of nslookup, type nslookup without any arguments at a command prompt, or use only a hyphen as the first argument and specify a domain name server in the second. The default DNS name server will be used if you do not enter anything for the second argument.
• To use the non-interactive mode, in the first argument, enter the name or IP address of the device you want to look up. In the second argument, enter the name or IP address of a domain name server. The default DNS name server will be used if you do not enter anything for the second argument.

The Network+ Troubleshooting Model

There are seven stages in the CompTIA® Network+® troubleshooting model.
1. Identify the problem. This stage includes:
• Gathering information
• Duplicating the problem, if possible
• Questioning users to gain experiential information
• Identifying the symptoms
• Determining if anything has changed
• Approaching multiple problems individually
2. Establish a theory of probable cause. This stage includes:
• Questioning the obvious
• Considering multiple approaches, such as examining the OSI model from top to bottom and bottom to top, and dividing and conquering
3. Test the theory to determine the cause.
a. When the theory is confirmed, determine the next steps to resolve the problem.
b. If the theory is not confirmed, establish a new theory or escalate the issue.
4. Establish a plan of action to resolve the problem, while identifying the potential effects of your plan.
5. Implement the solution, or escalate the issue.
6. Verify full system functionality and, if applicable, implement preventative measures.
7. Document your findings, actions, and the outcomes.

Routing and Switching Issues

There are several common router and switch issues that can occur on a network.

Switching loop
Symptoms: There is a switching loop on the network.
Causes: Packets are switched in a loop.
Resolution: A switching loop needs STP to ensure loop-free switching of data. Rework the network arrangement and cabling to prevent the switching loop.

Routing loop
Symptoms: There is a routing loop on the network.
Causes: Packets are routed in a loop.
Resolution: Recheck the router configuration and adjust it to prevent a routing loop.

Route problems
Symptoms: Packets do not reach their intended destination.
Causes: This could be caused by configuration problems, route convergence, broken segments, or router malfunctioning.
Resolution: Verify that the router is functional. If necessary, replace the router.

Proxy arp
Symptoms: The proxy server is not functional.
Causes: The proxy settings are misconfigured. This may lead to DoS attacks.
Resolution: Correct the proxy settings to resolve the issue.

Broadcast storms
Symptoms: The network becomes overwhelmed by constant broadcast traffic generated by a device on the network.
Causes: There are too many broadcast messages being sent in parallel, causing high network traffic.
Resolution: Identify the device and reconfigure it to increase the interval of broadcast messages. On the network, apply restrictive settings to prevent network nodes from sending broadcast messages.

Port configuration
Symptoms: Port configuration is incorrect.
Causes: The recent changes made to the port configuration were incorrect.
Resolution: On the system console of the switch, verify the port properties of the individual nodes and check their status. If required, restore the port configuration to its default setting from the last backup.

VLAN assignment
Symptoms: Nodes on the network cannot communicate with one another.
Causes: By default, computers on different segments are added to different VLANs, and they cannot communicate with one another unless the switch is configured to allow communication between computers on different VLANs.
Resolution: Check the VLAN assignment on the switch console and reassign the computers to the VLAN to enable communication among them. Ensure that the IOS of the switch is updated to reflect the latest settings.

Mismatched MTU/MTU black hole
Symptoms: MTU is inaccessible or there are intermittent errors.
Causes: In case of a mismatch of the MTU, the TCP/IP connection handshake does not occur between the devices (routers) and the connection cannot be established. For black holes, the router receives a packet that is larger than the size of the MTU and it sends an ICMP message saying to change the size, but the message is never received.
Resolution: Reconfigure the MTU to check whether the problem gets resolved. If not, replace the device. For black holes, configure the router to send ICMP Type 3 Code 4 messages.

At times, you will encounter issues that need to be escalated in order to be solved. This is an important aspect of network troubleshooting, because solutions may require input from people who are more experienced in switching or routing configurations and operations.

DC volts

This is typically used to test a computer power supply.
• You put the probes in parallel to the voltage source, such as an unused Molex plug coming out of the power supply.
• Touch the positive probe to a positive source, such as a red or yellow wire.
• Touch the negative probe to a negative or ground source, such as a black wire.

AC volts

This is typically used to test an AC outlet, a power strip, or a UPS.
• You must put the probes in parallel to the voltage source, with one probe on each side of the outlet.

Domain or Local Group Configuration

Troubleshooting groups can be challenging if you don't know what group the user is supposed to be in. Groups are meant to funnel users down to the object's ACL:
• Universal groups are forest wide. They go into global groups.
• Global groups are domain wide. They go into domain local groups.
• Domain local groups get permissions in an object's ACL.

Groups tend to quickly get out of hand if not carefully designed, well-documented, and tightly controlled. They change, with groups being added or deleted, and members coming and going. The two things you need to check for in group configurations are:
1. Who is a member of the group, including users and other groups?
2. Which groups, if any, is this group a member of?

You also must evaluate the group type and scope, to see if they are appropriate for your usage scenario.

Troubleshooting

Troubleshooting is the recognition, diagnosis, and resolution of problems. Troubleshooting begins with the identification of a problem, and does not end until services have been restored and the problem no longer adversely affects users. Troubleshooting can take many forms, but all approaches have the same goal: to solve a problem efficiently with a minimal interruption of service.

Ohms

Typically used to check for breaks in the wires. Should be close to zero ohms resistance.
• You must MAKE SURE the circuit has NO power on it, or you will damage the meter.
• Touch the two probes to the two ends of the cable.
• If the cable is good, the resistance (the reading) will show zero or very close to zero.
• If the cable is broken, the resistance will show infinity.
• When using probes, make sure they make very firm, unmoving contact with what they're measuring.

There are various categories of multimeters that are used in different situations:
I Conditions where current levels are low.
II Interior residential branch circuits.
III Distribution panels, motors, and appliance outlets.
IV High-current applications, such as service connections, breaker panels for wiring mains, and household meters.

The ping Utility

Use the ping utility as an initial step in diagnosing general connectivity problems. To use ping with IPv6 addresses, use ping -6 for Windows® or ping6 for Linux®. The steps can include:
1. Ping the loopback address (127.0.0.1, or ::1 for IPv6) to test whether TCP/IP has initialized on an individual device.
2. Ping a specific device to verify that it is running and is connected to the network.
3. Ping by IP address instead of host name to determine if it is a problem related to name resolution.
4. Localize the problem:
• Ping the local loopback address.
• Ping the device's own IP address.
• Ping the address of the default gateway.
• Ping the address of a remote host.

When you ping a device, it will respond with one of the following responses:
• Reply from...: The device responds normally with requested data for different parameters.
• Destination Network / Host Unreachable: The target device was identified but was not reachable by the default gateway.
• Unknown Host: The target device is unknown and is not reachable.
• Request timed out: The ping command timed out because there was no response.
• Hardware Error: Your network adapter is disabled or unplugged.

eth_addr

Used with other options to specify a physical address.

inet_addr

Used with other options to specify an Internet address.

if_addr

Used with other options to specify the Internet address of the interface whose ARP table should be modified.

WLAN Survey Software

WLAN survey software is used to plan, simulate, and implement WLANs. WLAN survey software can simulate WLAN performance during the planning phase even before any installation takes place. Technicians can use the software to analyze WLAN performance before and after implementation to determine the health of the network based on defined, measurable criteria. WLAN survey software can also be used to define network coverage areas before implementation.

Troubleshooting with IP Configuration Utilities

With TCP/IP networking problems, a common first step is to verify that the host's IP addressing information is correct. Use ipconfig or ifconfig, as appropriate, to determine if the host is configured for static or dynamic IP addressing and if it has a valid IP address. If the host is getting an incorrect dynamic IP address and you believe there is a valid Dynamic Host Configuration Protocol (DHCP) server, you can use the utility to release and renew the address.

