5.3 Given a scenario, use the appropriate network software tools and commands


Which of the following Windows command-line utilities produced the output shown here?

```
Server: trv213.pljd.net
```

1. `nslookup` 2. `pathping` 3. `netstat` 4. `route`

1. `nslookup` is a command-line utility that generates Domain Name System (DNS) resource record requests and sends them to a specific DNS server. The output shown here first specifies the name and address of the DNS server to which the request was sent, and then the response to the request, containing the name to be resolved and the Internet Protocol (IP) addresses contained in the server's resource record for that name. The `pathping`, `netstat`, and `route` utilities cannot perform DNS queries.

A user calls Alice at the help desk to report that he cannot access the Internet. He can access systems on the local network, however. Alice examines the routing table on the user's workstation. Which of the following statements explains why the user cannot access the Internet?

```
IPv4 Route Table
```

1. The routing table contains a loopback address. 2. The routing table does not specify a default gateway address. 3. The routing table does not specify a DNS server address. 4. The routing table contains two different routes to the 224.0.0.0 network.

2. To access the Internet, the workstation's routing table must include a default gateway entry, which would have a Network Destination value of 0.0.0.0. A workstation's routing table does not specify the address of a Domain Name System (DNS) server. The loopback and 224.0.0.0 multicast addresses are normal routing table entries.

Which of the following Windows command-line utilities produced the output shown here?

```
Interface Statistics
```

1. `ping` 2. `tracert` 3. `netstat` 4. `arp`

3. Running the Windows `netstat` command with the `-e` parameter displays Ethernet statistics, including the number of bytes and packets that have been transmitted and received. The `ping`, `tracert`, and `arp` utilities are not capable of producing this output.

Alice has recently created a new screened subnet (or perimeter network) for the company's web server cluster, along with a router to connect it to the internal network. When she is finished, she sends Ralph an email instructing him to run the following command on his Windows workstation so that he can access the servers on the screened subnet. What function does the IP address 192.168.87.226 perform in this command?

```
route add 192.168.46.0 MASK 255.255.255.0 192.168.87.226
```

1. 192.168.87.226 is the address of Ralph's workstation. 2. 192.168.87.226 is the network address of the perimeter network. 3. 192.168.87.226 is the address of one of the router's interfaces. 4. 192.168.87.226 is the address of the web server cluster.

3. The correct syntax for the Windows `route add` command is to specify the destination network address, followed by the subnet mask for the destination network, followed by the address of the router interface on the local network that provides access to the destination network. Therefore, 192.168.87.226 is the address of the router interface on the internal network, where Ralph's workstation is located.

Ralph is working on his company's perimeter network, which has five web servers running Linux, a Cisco router, a CSU/DSU providing a leased line connection, and a Windows-based firewall. While trying to troubleshoot a network communications failure, Ralph types the following command on one of the systems: `ping 192.168.1.76`. Which of the following systems might Ralph be working on? (Choose all that apply.) a) The Windows-based firewall b) The Cisco router c) The CSU/DSU console d) One of the Linux web servers

A, B, D. Windows, Linux, and the Cisco IOS operating systems all include the `ping` utility. The CSU/DSU cannot run a `ping` command.

Ralph is the administrator of his company's network. All of the users on the network are reporting that they are having difficulty connecting to a particular application server that is located on a perimeter network, on the other side of a router. The users are not having trouble connecting to local hosts. Which of the following troubleshooting tools can Ralph use to verify the network layer functionality of the application server and the router? (Choose all that apply.) a) `ping` b) `route` c) `arp` d) `traceroute`

A, D. Ralph can use the `ping` and `traceroute` tools to verify the network layer functionality of the application server and the router. The `ping` tool tests the network layer through the exchange of Internet Control Message Protocol (ICMP) Echo and Echo Reply messages. The `traceroute` tool can verify that there is a functioning path between the users' workstations and the application server. The `route` tool is used to administer the routing table on the local machine. The `arp` tool is used to view a computer's Internet Protocol to Media Access Control (IP to MAC) address resolution table stored in memory.

Which of the following command-line utilities can run on Windows, Unix, or Linux systems? (Choose all that apply.) a) `ping` b) `traceroute` c) `ifconfig` d) `iptables` e) `nslookup`

A, E. The `ping` and `nslookup` utilities can both run on Windows, Unix, or Linux systems. The `traceroute` command runs only on Unix or Linux, although there is a Windows version called `tracert`. The `ifconfig` and `iptables` commands only exist on Unix and Linux systems.

Which of the following statements describes the difference between a packet sniffer and a protocol analyzer? a) A packet sniffer captures network traffic, and a protocol analyzer examines packet contents. b) A protocol analyzer captures network traffic, and a packet sniffer examines packet contents. c) A packet sniffer only captures the local workstation's traffic, whereas a protocol analyzer can capture all the traffic on the network. d) There is no difference. Packet sniffers and protocol analyzers perform the same functions.

A. A packet sniffer is a tool that captures packets for the purpose of traffic analysis but cannot view their contents. A protocol analyzer is a tool that enables a user to view the contents of packets captured from a network. In practice, however, packet sniffer and protocol analyzer capabilities are often integrated into a single tool. Both tools can function in promiscuous mode to capture packets from an entire network.

Which of the following command-line utilities enables you to view the Internet Protocol (IP) configuration on a Unix or Linux host? a) `ifconfig` b) `nslookup` c) `ipconfig` d) `netstat` e) `iperf`

A. On a Unix or Linux host, the `ifconfig` command displays the system's current IP configuration settings and parameters. `ipconfig` is a Windows command-line utility that performs the same basic function. The other options are command-line utilities that do not display IP configuration information.

Which of the following commands can Ralph use to display the number of bytes that a Windows workstation has transmitted? a) `netstat` b) `tcpdump` c) `ipconfig` d) `iptables`

A. Running `netstat` with the `-e` parameter on a Windows workstation displays Ethernet statistics, including the number of bytes and packets the workstation has sent and received. The `ipconfig` command displays Transmission Control Protocol/Internet Protocol (TCP/IP) configuration data; it does not display network traffic statistics. The `tcpdump` and `iptables` commands both run only on Unix and Linux workstations.

Which of the following parameters enables you to specify the number of messages the `ping` tool transmits? a) `-n` b) `-t` c) `-i` d) `-a`

A. Running the `ping` tool with the `-n` parameter specifies the number of messages the tool should transmit with each execution. The `-t` parameter causes the `ping` tool to send messages to the target continuously until manually stopped. The `-i` parameter specifies the Time-to-Live (TTL) value of the messages that `ping` transmits. The `-a` parameter resolves an Internet Protocol (IP) address specified as the target to a hostname.

Which of the following are the three main categories of information that you can display by running the `netstat` command on a Windows computer? a) Connection state b) Active connections c) Routing table d) Interface statistics

B, C, D. When you run the `netstat` command without any switch options, it displays the computer's active connections. Running `netstat -e` displays the computer's interface statistics. Running `netstat -r` displays the routing table. There is no `netstat` switch that displays the computer's connection state.

While performing a protocol analysis, Alice notes that there are many Internet Control Message Protocol (ICMP) packets in her captured traffic samples. She attributes these to her frequent use of Transmission Control Protocol/Internet Protocol (TCP/IP) troubleshooting tools. Which of the following utilities are used to test network layer characteristics of a host using ICMP messages? (Choose all that apply.) a) `ipconfig` b) `netstat` c) `ping` d) `tracert`

C, D. `ping` and `tracert` are both utilities that test network layer characteristics using ICMP messages. `ping` tests the network layer functionality of the host, and `traceroute` displays the path to the host through the internetwork. `ipconfig` and `netstat` do not use ICMP messages.

Which of the following tools can administrators use to monitor network bandwidth and traffic patterns? a) Protocol analyzer b) Bandwidth speed tester c) NetFlow analyzer d) IP scanner

C. A NetFlow analyzer is a tool that can collect network traffic data and analyze how bandwidth is being used and who is using it. A protocol analyzer is also a tool that captures network packets, but for the purpose of analyzing their contents. A bandwidth speed tester measures a network's internet access speed. An Internet Protocol (IP) scanner lists the IP addresses that are in use on a network.

Which of the following commands enables you to view the Address Resolution Protocol (ARP) table stored in memory? a) `arp -c` b) `arp -d` c) `arp -a` d) `arp -s`

C. The `arp -a` command displays the entries in the ARP table stored in its cache. The `arp -d` command is for deleting entries, and the `arp -s` command is for adding entries. The `arp -c` command is not a valid option.

Which of the following Unix/Linux tools is a packet analyzer? a) `iptables` b) `nmap` c) `tcpdump` d) `pathping`

C. The `tcpdump` utility is a command-line tool that captures network packets and displays their contents. The `iptables`, `nmap`, and `pathping` utilities cannot capture and analyze packets. `iptables` manages Unix/Linux kernel firewall rules, `nmap` is a port scanner, and `pathping` is a Windows route tracing tool.

Which of the following command-line utilities can only run on Unix and Linux systems? a) `ping` b) `ipconfig` c) `tracert` d) `ifconfig` e) `netstat`

D. The `ifconfig` command runs only on Unix and Linux systems. The `ping` and `netstat` utilities run on Windows, Unix, or Linux systems. The `ipconfig` and `tracert` commands run only on Windows, although there is a Unix/Linux version of `tracert` called `traceroute`.

Which of the following protocols does the ping program never use to carry its messages? a) Ethernet b) ICMP c) IP d) UDP e) TCP

E. All Windows ping transactions use Internet Control Message Protocol (ICMP) messages. ICMP messages are encapsulated directly within Internet Protocol (IP) datagrams; they do not use transport layer protocols, such as User Datagram Protocol (UDP). Ping transactions to destinations on the local network are encapsulated within Ethernet frames. On Unix and Linux, ping uses UDP, which is also encapsulated in IP datagrams.

Which of the following command-line utilities enables you to generate Domain Name System (DNS) request messages? a) `ifconfig` b) `nslookup` c) `nbtstat` d) `netstat` e) `iperf`

B. The `nslookup` tool enables you to generate DNS request messages from the command line and send them to a specific DNS server. The other options listed are not DNS utilities.

Which of the following protocols does the `traceroute` utility on Unix and Linux systems use to test TCP/IP connectivity? a) ICMP b) HTTP c) TCP d) UDP

D. On Unix and Linux systems, the `traceroute` utility tests Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity by transmitting User Datagram Protocol (UDP) messages. This is unlike the `tracert` utility on Windows systems, which uses Internet Control Message Protocol (ICMP) messages. Neither version uses TCP or Hypertext Transfer Protocol (HTTP).

Which of the following Windows commands enables you to create a new entry in the Address Resolution Protocol (ARP) cache? a) `arp -N` b) `arp -d` c) `arp -a` d) `arp -s`

D. The `arp -s` command enables you to create a cache record specifying the Media Access Control (MAC) address and its associated Internet Protocol (IP) address. The `arp -N` command enables you to display the ARP cache entries for a specified network interface. The `arp -d` command is for deleting cache entries. The `arp -a` command displays the entries in the ARP table stored in its cache.

Ralph has been advised to check his Linux web servers for open ports that attackers might be able to use to penetrate the servers' security. Which of the following utilities can Ralph use to do this? a) `tcpdump` b) `dig` c) `iptables` d) `nmap` e) `iperf`

D. The `nmap` utility is capable of scanning a system for open ports that might be a security hazard. The `tcpdump`, `dig`, `iptables`, and `iperf` utilities cannot do this.

Ed is implementing a web server farm on his company's network and has created a screened subnet (or perimeter network) on which the web servers will be located. The screened subnet is using the network Internet Protocol (IP) address 192.168.99.0/24. He has also installed a router connecting the screened subnet to the internal network, which uses the 192.168.3.0/24 network address. The IP addresses of the router's interfaces are 192.168.3.100 and 192.168.99.1. Ed needs to access the web servers from his Windows workstation on the internal network, but right now, he cannot do so. Because he needs to have a different router specified as his default gateway, Ed decides to add a route for the screened subnet to his computer's routing table. Which of the following commands will create a routing table entry that enables Ed to access the screened subnet? a) `route add 192.168.3.0 MASK 255.255.255.0 192.168.3.100` b) `route add 192.168.99.1 MASK 255.255.255.0 192.168.3.0` c) `route add 192.168.3.100 MASK 255.255.255.0 192.168.99.0` d) `route add 192.168.99.0 MASK 255.255.255.0 192.168.3.100`

D. The correct syntax for the Windows `route add` command is to specify the destination network address, followed by the subnet mask for the destination network, followed by the address of the router interface on the local network that provides access to the destination network. The other options do not specify the correct addresses in the syntax.

Which of the following is not a tool that runs only on Unix or Linux systems? a) `tcpdump` b) `dig` c) `iptables` d) `ifconfig` e) `route`

E. Of the utilities listed, `tcpdump`, `dig`, `iptables`, and `ifconfig` are all tools that run on Unix or Linux systems only. The `route` utility runs on both Unix or Linux and Windows.

Ed suspects that his workstation is experiencing Transmission Control Protocol/Internet Protocol (TCP/IP) communication problems. Which of the following commands can he use to confirm that the computer's TCP/IP stack is loaded and functioning? (Choose all that apply.) a) `ping loopback` b) `ping localhost` c) `ping 127.0.0.1` d) `ping 127.0.0.0`

B, C. The Internet Protocol (IP) address 127.0.0.1 is a dedicated loopback address that directs outgoing IP traffic directly into the incoming IP traffic buffer. The hostname localhost resolves to the 127.0.0.1 address on every TCP/IP system. Ed can therefore ping either the hostname or the IP address to test that his TCP/IP stack is functional. Loopback is not a hostname for the loopback address, and 127.0.0.0 is a network address, not a host address, so it will not work in this situation.

Ralph is working on his company's perimeter network, which has five web servers running Linux, a Cisco router, a CSU/DSU providing a leased line connection, and a Windows-based firewall. While trying to troubleshoot a network communications failure, Ralph types the following command on one of the systems: `traceroute adatum.com`. Which of the following systems might Ralph be working on? (Choose all that apply.) a) The Windows-based firewall b) The Cisco router c) The CSU/DSU console d) One of the Linux web servers

B, D. Both Linux and the Cisco IOS operating systems have the `traceroute` utility. Windows has a version of the utility, but it is called `tracert`. The CSU/DSU cannot run a `traceroute` command.

Ed has recently discovered a rogue Dynamic Host Configuration Protocol (DHCP) server on his network. After disabling the server, he now needs to terminate all of the rogue Internet Protocol (IP) address leases currently held by Windows DHCP clients on the network and have them request new leases from the authorized DHCP server. Which of the following commands must he use on each Windows client to do this? (Choose all that apply.) a) `ipconfig /dump` b) `ipconfig /renew` c) `ipconfig /lease` d) `ipconfig /discard` e) `ipconfig /release`

B, E. The `ipconfig /release` command terminates the current DHCP address lease. Then, the `ipconfig /renew` command causes the client to begin the process of negotiating a new lease, this time with an authorized DHCP server. `dump`, `lease`, and `discard` are not valid `ipconfig` parameters.

Ralph is the network administrator of his company's network. He has had three users call the help desk to report that they are having problems connecting to the local application server. Comparing their stories, Ralph suspects that their Transmission Control Protocol (TCP) connections are being dropped. The users are not having problems connecting to any other hosts on the network. To troubleshoot this problem, Ralph decides to use a protocol analyzer. He wants to store and view only the traffic relating to the hosts and server that are having problems. How can Ralph do this? a) Configure a display filter b) Configure a capture filter c) Set a trap on the analyzer d) Configure both a capture filter and a display filter

B. Ralph wants to store and view only the traffic relating to the hosts that are experiencing problems. The best way to do this is to set a capture filter. Capture filters determine what is stored in the buffer. Display filters only determine what is displayed from the contents of the buffer. You do not set a trap on an analyzer—you set traps on Simple Network Management Protocol (SNMP) agents. Also, there is no need to configure both a capture filter and a display filter. If you set a capture filter that blocks all other traffic from entering the buffer, the display filter would be redundant.

Which of the following parameters causes the ping tool to transmit messages continually until manually halted? a) `-n` b) `-t` c) `-i` d) `-a`

B. Running the `ping` tool with the `-t` parameter causes it to send messages to the target continuously until it is manually stopped. The `-n` parameter specifies the number of messages the `ping` tool should transmit. The `-i` parameter specifies the time-to-live (TTL) value of the messages `ping` transmits. The `-a` parameter resolves an Internet Protocol (IP) address specified as the target to a hostname.

Alice is troubleshooting a Windows server, and while doing so she runs the following command: `ping 127.0.0.1`. The command completes successfully. What has Alice proven by doing this? a) That the computer's network adapter is functioning properly b) That the computer's TCP/IP networking stack is loaded and functioning c) That the computer's IP address is correct for the network d) Nothing at all

B. The Internet Protocol (IP) address 127.0.0.1 is a dedicated loopback address that directs outgoing IP traffic directly into the incoming IP traffic buffer. A successful ping test using that address indicates that the computer's Transmission Control Protocol/Internet Protocol (TCP/IP) stack is functioning properly, but the traffic never reaches the network adapter or the network, so the test does not confirm that the adapter is functioning or that the computer has a correct IP address for the network.

Which of the following Windows commands enables you to delete the entire ARP cache? a) `arp -c *` b) `arp -d *` c) `arp -a` d) `arp -s`

B. The `arp -d` command is for deleting cache entries, and by running it with the asterisk wildcard, the command deletes all of the entries in the cache. The `arp -a` command displays the entries in the ARP table stored in its cache, and the `arp -s` command is for adding entries. The `arp -c *` command is not a valid option.

Which of the following command-line utilities can only run on Windows systems? a) `ping` b) `ipconfig` c) `traceroute` d) `ifconfig` e) `netstat`

B. The `ipconfig` command runs only on Windows, although there is a similar Unix or Linux-only command called `ifconfig`. The `ping` and `netstat` utilities run on Windows, Unix, or Linux systems. The `traceroute` utility runs only on Unix or Linux systems, although there is a Windows version called `tracert`.

Which of the following `netstat` commands can tell you how many IPv6 packets have been received on a particular Windows workstation? a) `netstat -a` b) `netstat -s` c) `netstat -e` d) `netstat -r`

B. The `netstat -s` command displays packet counts and other traffic statistics for the IPv6, IPv4, ICMP, TCP, and UDP protocols. The `netstat -a` command displays all of a workstation's current connections and ports on which it is listening. The `netstat -e` command displays Ethernet statistics, such as the number of bytes and packets sent and received. The `netstat -r` command displays the computer's routing table.

Which of the following `route` commands displays the contents of a Windows computer's IPv6 routing table only? a) `route print` b) `route print -6` c) `route list -6` d) `route list`

B. The `route print` command displays both the IPv4 and IPv6 routing tables. To display only the IPv6 routing table, you add the `-6` parameter to the `route print` command. `route list` and `route list -6` are not valid commands.

Based on the output shown here, what is the average response time of the destination system?

```
1 <1 ms <1 ms <1 ms RT-N86U [192.168.2.99]
```

1. 109.5 ms 2. 104.33 ms 3. 106 ms 4. 99.66 ms

B. The destination system is the last one listed in the trace. By averaging the response times of 99, 106, and 108 milliseconds (ms), you can calculate the average response time: 104.33 ms.

Which of the following commands displays the routing table on the local computer? a) `arp -r` b) `netstat -r` c) `ifconfig -r` d) `telnet -r`

B. The `netstat` utility can display the routing table, along with other types of network traffic and port information. The `arp` utility is for adding addresses to the Address Resolution Protocol (ARP) cache; it cannot display the routing table. The `ifconfig` command displays Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information on Unix and Linux systems; it cannot display the routing table. Telnet is a terminal emulation program; it cannot display the routing table.

Ralph is the administrator of his company's network. He has a Dynamic Host Configuration Protocol (DHCP) server configured to supply Internet Protocol (IP) addresses and configuration information to all of the Windows computers on the network. One of the Windows users reports that she cannot connect to the network. Which of the following commands can Ralph run on her computer to verify the status of the computer's IP settings and configuration parameters? a) `ifconfig` b) `ipconfig` c) `msinfo32` d) `tracert`

B. `ipconfig` is a Windows command that displays a computer's current IP address and Transmission Control Protocol/Internet Protocol (TCP/IP) configuration settings, including whether the computer has obtained its address from a DHCP server. The `ifconfig` command displays the same information for Unix and Linux systems. `msinfo32` is a Windows program that generates a graphical display of the computer's hardware and software configuration, but not its IP address and TCP/IP settings. The `tracert` command in Windows displays the path that packets take through the internetwork to reach a specified destination, but it does not display DHCP information.

Which of the following troubleshooting tools enables you to copy all of the packets transmitted over a network to a buffer, interpret the protocols used in the packets, and display the output? a) Event Viewer b) Traffic monitor c) Protocol analyzer d) Management console

C. A protocol analyzer copies all network traffic, interprets the protocol headers and fields, and displays the output. The Event Viewer displays system, application, and security event logs on a single computer. There is no network troubleshooting tool called a traffic monitor. A management console is a remote monitoring and management device that queries Simple Network Management Protocol (SNMP) agents.

Which of the following parameters enables you to specify the Time to Live (TTL) value of the messages that `ping` transmits? a) `-n` b) `-t` c) `-i` d) `-a`

C. Running the `ping` tool with the `-i` parameter specifies the TTL value of the messages that `ping` transmits. The `-t` parameter causes the `ping` tool to send messages to the target continuously until it is manually stopped. The `-n` parameter specifies the number of messages the `ping` tool should transmit. The `-a` parameter resolves an Internet Protocol (IP) address specified as the target to a hostname.

Ed has configured his workstation to use Internet Protocol Security (IPSec) encryption for network communications. Which of the following tools can he use to verify that his network traffic is encrypted? a) Multimeter b) Packet sniffer c) Port scanner d) Protocol analyzer e) IP scanner

D. A protocol analyzer is a tool that enables a user to view the contents of packets captured from a network. In Ed's case, if IPSec is properly implemented, he should be able to see that the data in packets captured from his workstation is encrypted. A packet sniffer is a tool that captures packets for the purpose of traffic analysis but cannot view their contents. In practice, however, packet sniffer and protocol analyzer capabilities are usually integrated into a single tool. A port scanner examines a system, looking for open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, and a multimeter is a tool that reads voltages on electrical circuits. An Internet Protocol (IP) scanner queries the network for the IP addresses currently in use and gathers information about the devices using them. None of these tools can examine packet contents.

