Book: CompTIA Network+ Lab Manual

Previous: Phase 3: Maintaining and Securing the Network
Next: Index

Phase 4

Troubleshooting the Network

In this phase, many of the tools available to a network administrator during troubleshooting are presented. The utilities and protocols you will use in Phase 4 as you enhance your troubleshooting skills are ARP, netstat, FTP, ping, ipconfig, traceroute, Telnet, and nslookup.

Additionally, you get to practice with a protocol analyzer for a much closer look at the traffic on your network. Finally, you will take a look into the event logs of your computer to find out how to monitor those events that matter most during day-to-day operation.

Note: The tasks in this chapter map to domains 1.5, 1.6, 1.7, 4.3, and 4.4 in the objectives for the CompTIA Network+ exam.

Note: The domain names in this chapter might resolve to different IP addresses from the ones shown in the output here. This is not a cause for concern; it simply reflects the operation of a global internetwork. Many sites are mirrored around the world and present themselves under different IP addresses, depending on where the observer’s computer is located on the internetwork at the time the command is executed.

The following figure illustrates the sample network connectivity between a computer and a router.

[Figure: Sample network layout]

Equipment Used

For this task, you need a computer with a Windows operating system and a Cisco router. Connect the computer’s Ethernet interface to the router’s Ethernet interface. Also connect the computer to the console port of the router for configuration access.

Details

This task walks you through configuring a computer and a router for IP access to one another and then confirming Layer 2 connectivity through each device’s ARP utility.

1. Use an Ethernet crossover cable to connect the computer to the router or use a switch or hub with two straight cables.

2. Configure the computer and router to be on the same IP subnet, as in the figure.

ARP on the Computer

1. Ping the router from the computer.

C:\>ping 172.16.50.65

Pinging 172.16.50.65 with 32 bytes of data:

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Ping statistics for 172.16.50.65:

   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

   Minimum = 1ms, Maximum = 20ms, Average = 5ms

C:\>

2. On the computer, open a command prompt.

3. Enter the command arp -a at the computer’s command prompt. You should see the IP-to-MAC association for the router. In the Type column of the output, dynamic means that the resolution happened automatically when the two devices were forced to communicate during the ping, or possibly earlier. For a list of the UNIX-style switches for the arp command, enter arp /? or simply enter arp with no arguments.

C:\>arp -a

Interface: 172.16.50.66

 Internet Address      Physical Address      Type

 172.16.50.65          00-0c-85-c4-d3-20     dynamic

C:\>

4. Enter the command arp -s IP_address MAC_address, where IP_address and MAC_address are the addresses for the router in the previous ARP output.

C:\>arp -s 172.16.50.65 00-0c-85-c4-d3-20

C:\>

5. Now when you enter the arp -a command, the dynamic entry has become static.

C:\>arp -a

Interface: 172.16.50.66

 Internet Address      Physical Address      Type

 172.16.50.65          00-0c-85-c4-d3-20     static

C:\>

6. Use the arp -d IP_address command to remove the static entry and let the association be learned dynamically the next time it is needed.

C:\>arp -d 172.16.50.65

C:\>

ARP on the Router

1. On the router, show the ARP cache with the EXEC command show arp.

ARProuter#show arp

Protocol  Address      Age (min) Hardware Addr   Type   Interface

Internet  172.16.50.66       -   000f.1fbd.76a5  ARPA   Fa0/0

ARProuter#

2. Enter the following commands to create a static ARP entry for the computer’s address:

ARProuter#config t

ARProuter(config)#arp 172.16.50.66 000f.1fbd.76a5 arpa

ARProuter(config)#end

ARProuter#

There is no clear-cut way to know that the entry is static, except for the absence of the interface value in the last column.

ARProuter#show arp

Protocol  Address      Age (min) Hardware Addr   Type   Interface

Internet  172.16.50.66       -   000f.1fbd.76a5  ARPA

ARProuter#

3. Negate the command that created the static entry, leaving off the MAC address, to go back to dynamic, as shown in the following code. Displaying the cache again eventually shows that the interface value returned. Ping the computer to hurry things along if necessary.

ARProuter#config t

ARProuter(config)#no arp 172.16.50.66

ARProuter(config)#end

ARProuter#
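As an added example (not part of the lab manual), the following Python script parses both kinds of ARP listing shown above, the computer’s arp -a output and the router’s show arp output, and applies the two checks a defender cares about: whether the gateway’s entry is static, so a forged ARP reply cannot overwrite it, and whether one MAC address claims several IP addresses, the usual symptom of ARP spoofing. The sample cache text is constructed from the lab output with one extra 172.16.50.70 line added to trigger the duplicate-MAC check.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class ArpEntry(NamedTuple):
    ip: str
    mac: str                 # normalised to aa:bb:cc:dd:ee:ff
    kind: str                # "dynamic" or "static"
    iface: Optional[str]     # interface the entry belongs to, if the listing shows one


def normalise_mac(raw: str) -> str:
    """Accept Windows (00-0c-85-c4-d3-20) or Cisco (000c.85c4.d320) notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


WIN_IFACE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})")
WIN_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$")


def parse_windows_arp(text: str) -> list:
    """Parse the output of 'arp -a' on Windows."""
    entries, iface = [], None
    for line in text.splitlines():
        m = WIN_IFACE.match(line)
        if m:
            iface = m.group(1)          # each interface block starts with "Interface: <ip>"
            continue
        m = WIN_ENTRY.match(line)
        if m:
            entries.append(ArpEntry(m.group(1), normalise_mac(m.group(2)), m.group(3), iface))
    return entries


CISCO_ENTRY = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA(?:\s+(\S+))?\s*$")


def parse_cisco_arp(text: str) -> list:
    """Parse the output of 'show arp' on a Cisco router."""
    entries = []
    for line in text.splitlines():
        m = CISCO_ENTRY.match(line)
        if m:
            iface = m.group(3)
            # As the lab notes, a static entry is recognisable only by the missing Interface column.
            kind = "dynamic" if iface else "static"
            entries.append(ArpEntry(m.group(1), normalise_mac(m.group(2)), kind, iface))
    return entries


def audit_arp(entries, gateway_ip: str) -> list:
    """Return human-readable findings about a parsed ARP cache."""
    findings = []
    gw = [e for e in entries if e.ip == gateway_ip]
    if not gw:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif gw[0].kind != "static":
        findings.append(f"gateway {gateway_ip} is a dynamic entry; a static entry (arp -s) "
                        "cannot be overwritten by a spoofed ARP reply")
    by_mac = defaultdict(list)
    for e in entries:
        if int(e.mac[:2], 16) & 1:      # skip broadcast and multicast addresses
            continue
        by_mac[e.mac].append(e.ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} is bound to several IPs {sorted(ips)}; "
                            "possible ARP spoofing or a misconfigured host")
    return findings


# Constructed samples modelled on the lab output above; the 172.16.50.70 lines are
# added to show what a duplicate-MAC symptom looks like.
WINDOWS_ARP = """\
Interface: 172.16.50.66 --- 0x2
  Internet Address      Physical Address      Type
  172.16.50.65          00-0c-85-c4-d3-20     dynamic
  172.16.50.70          00-0c-85-c4-d3-20     dynamic
  172.16.50.127         ff-ff-ff-ff-ff-ff     static
"""
CISCO_ARP = """\
Protocol  Address      Age (min) Hardware Addr   Type   Interface
Internet  172.16.50.66       -   000f.1fbd.76a5  ARPA   Fa0/0
Internet  172.16.50.70       -   0011.2233.4455  ARPA
"""

if __name__ == "__main__":
    for name, entries, gw in (("computer", parse_windows_arp(WINDOWS_ARP), "172.16.50.65"),
                              ("router", parse_cisco_arp(CISCO_ARP), "172.16.50.66")):
        print(name)
        for finding in audit_arp(entries, gw) or ["no findings"]:
            print("  -", finding)
```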

Criteria for Completion

You have completed this task when you have displayed and configured static ARP entries on the computer and on the router.

Go back and watch the progress in your command prompt window. The number 3 causes the command to repeat every three seconds. You see a developing set of connections similar to the following.

C:\>netstat 3

Active Connections

  Proto  Local Address         Foreign Address        State

 TCP    filesrv:1659          www.wiley.com:http     ESTABLISHED

Active Connections

  Proto  Local Address         Foreign Address        State

 TCP    filesrv:1663          208.215.179.180:http   ESTABLISHED

 TCP    filesrv:1664          208.215.179.180:http   ESTABLISHED

 TCP    filesrv:1665          www.wiley.com:http     LAST_ACK

Active Connections

  Proto  Local Address         Foreign Address        State

 TCP    filesrv:1664          208.215.179.180:http   ESTABLISHED

 TCP    filesrv:1666          www.wiley.com:http     TIME_WAIT

 TCP    filesrv:1669          208.215.179.180:http   ESTABLISHED

^C

C:\>

6. Press Ctrl+C to stop the command from running.

7. Issue the command netstat 3 again in your command prompt window. Return to your web browser and enter the address ftp://ftp.microsoft.com. The following connection display should be similar to yours:

C:\>netstat 3

Active Connections

  Proto  Local Address         Foreign Address        State

 TCP    filesrv:1068          localhost:6139         ESTABLISHED

 TCP    filesrv:6139          localhost:1068         ESTABLISHED

Active Connections

  Proto  Local Address         Foreign Address        State

 TCP    filesrv:1068          localhost:6139         ESTABLISHED

 TCP    filesrv:6139          localhost:1068         ESTABLISHED

 TCP    filesrv:1891          ftp.microsoft.com:ftp  ESTABLISHED

^C

C:\>

8. (Optional) Try to think of other ways to generate traffic that results in your computer establishing connections that you can verify using different forms of the netstat command, which you can investigate by issuing the command netstat /?.

Criteria for Completion

You have completed this task when you have displayed your computer’s sockets using the NETSTAT utility while establishing connections using various protocols.


Note: It is acceptable to leave off the ftp:// prefix when the server name is ftp, just as it is not problematic to leave off http:// when the server name is www.

[Screenshot]

2. When you double-click the Softlib object in the window, the following listing is displayed, from which it is not difficult to spot that index.txt is a file and MSLFILES is a directory, unlike the ambiguity when using the ls command in the FTP command-line utility. All you need to do to read the index.txt file is to double-click it.

[Screenshot]

3. Double-click the MSLFILES folder object and look for WD97VW32.EXE, as illustrated next.

[Screenshot]

4. Making sure the Explorer window with the FTP content is not maximized and that you can see part of the Desktop, simply drag the file to the Desktop and drop it. A copy of the file is placed on the Desktop. Other methods that work between Explorer windows work in this case as well—for example, right-clicking and choosing Copy from the context menu and then pasting it to the destination any one of a variety of ways.

BulletProof

By browsing to and performing a search on “ftp client,” you can find the latest version of an application called BulletProof FTP Client. Keep your eye on WebDrive as well, which comes up in the same search. You’ll need to download and install WebDrive before you begin the next section. Other favorites include FTP Voyager and SmartFTP. If FTP transfers are likely to be a large part of your life, you might consider an application called WS_FTP Home by Ipswitch. Try searching for FileZilla for a totally free, popular application.

1. After downloading and installing BulletProof, you find a full-featured FTP client with quite a few more bells and whistles than the Explorer method of FTP access offers.

[Screenshot]

2. Traverse the local tree in the local pane on the left to the same directory you used earlier—for example, C:\Documents and Settings\Administrator\Desktop in Windows XP and C:\Users\Administrator\Desktop in Vista and higher.

3. Type ftp.microsoft.com in the Server Name/IP field and click the Connect button to connect to the server.

[Screenshot]

Notice the string of commands (to the server) and responses (from the server) and informational messages detailing the actual FTP dialog between the devices. Passive FTP is on by default and can be disabled, if necessary, from the dialog found by clicking the Options button and then clicking Firewall (PASV, NAT). Note that anonymous access is the default.

[Screenshot]

Note: If you sit and watch, you might notice that, as the server drops your connection from inactivity, BulletProof reestablishes it automatically.

4. In the remote pane on the right, notice the same directories that you saw earlier in the output from the ls command.

[Screenshot]

5. To view the index.txt file, you must first download it from the Softlib folder, much as you did with the command-line method earlier. There is a drag-and-drop feature, but it is only from one pane to another within the application, not out to the Desktop or an Explorer window. After you double-click the file index.txt, it appears queued up in the bottom pane of the application, as you can see at the bottom of the following screen shot. In fact, you can click the first icon at the bottom to start the transfer now or wait a configurable amount of time, no more than 30 seconds or so by default, and the application transfers it automatically. Then you must find the file and open it, as with the command-line method. Alternatively, you can double-click the file in the local pane on the left to open it.

[Screenshot]

6. Traverse the directory tree on the server to where you found the Word Viewer file before and start the transfer. Notice the progress indicator (showing 21%) at the very bottom of the application, as shown next.

[Screenshot]

When the transfer is complete, the file appears in the pane on the left.

[Screenshot]

If you choose, you can save your new connection by clicking File → Save BP Session and supplying a name for the file. The name you choose will receive a .bps extension.

WebDrive

Of the methods presented here, WebDrive arguably offers the best mix of features and convenience. You are able to choose the protocol you wish to use between client and server; you’re not limited to just FTP. You can choose something more secure if you like. You also are able to map the server to a drive letter, making the drag-and-drop feature possible again. The following image depicts the initial state of WebDrive after installation.

[Screenshot]

1. Click the New Site button to bring up the following dialog and choose whether you would like to use a classic server-based protocol to establish a file-transfer connection or a newer cloud-computing-service connection.

[Screenshot]

2. Choose Connect By Server Type and click Next to display the following Site Wizard screen, where you can choose the server type you intend to connect to.

[Screenshot]

3. Select FTP from the pull-down list, leave the Connect Securely check box unchecked, and then click the Next button. Note that all options except SFTP (SSH) include the option to connect securely or not. SFTP, by definition, can only connect securely and does not allow clearing of the check box.

[Screenshot]

If you had selected to connect securely, the dialog box shown in the following figure would have given you the opportunity to choose the SSL or TLS encryption method compatible with the server to which you are connecting.

[Figure: Encryption method selection]

4. Do not check the Use Passive Mode check box unless you already know you require passive FTP; just click the Next button to continue.

The Use of Passive FTP

If the server supports it, check the Use Passive Mode check box in the dialog to circumvent the situation where the client’s firewall does not allow inbound unsolicited traffic, which is how active FTP works: the server receives the client’s initial request on its TCP port 21 (FTP control) from an unprivileged TCP port (> 1023) and then connects back from its TCP port 20 (FTP data) to a different unprivileged port that the client specified in the initial exchange. This connection from the server might not make it through the firewall on some networks because the firewall holds no state indicating that the client asked for the subsequent contact by the server.

Despite the advantage it affords the client, passive FTP can expose servers to attack, because it requires that the server not use port 20 in the second stage of communication as active FTP does. Instead, an unprivileged port is opened on the server for the data connection. For this reason, the server-side firewall must be configured to allow unsolicited inbound access to the range of unprivileged ports that the server has been configured to use for this purpose. Most FTP servers let you restrict that passive range to a small, fixed block of ports, which keeps the firewall opening as narrow as possible.
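The active and passive exchanges described above, as an added example that is not part of the lab manual: the client’s PORT command and the server’s 227 reply both carry an address and a port as six comma-separated numbers, with the port split into high and low bytes. The script below encodes and decodes both and then checks a 227 reply the way a careful client or firewall administrator would: the advertised host should match the control connection’s peer, and the port should be unprivileged and inside the passive range the server-side firewall was opened for. The server address 198.51.100.10 and the passive range 50000–50100 are constructed values.

```python
import re
from ipaddress import ip_address

PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256 + p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"value out of range in {groups}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_pasv_reply(line: str):
    """Passive mode: the server names the (host, port) the client must connect to."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line: str):
    """Active mode: the client names the (host, port) the server connects to from port 20."""
    m = PORT_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def build_port_command(host: str, port: int) -> str:
    """Encode the client's data port as the PORT command sent over the control channel."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ip_address(host)                     # raises on a malformed address
    return f"PORT {host.replace('.', ',')},{port // 256},{port % 256}"


def check_passive_reply(line: str, control_peer: str, passive_range) -> dict:
    """Sanity-check a 227 reply. passive_range is the (low, high) block of unprivileged
    ports the server-side firewall has been opened for, as the text above describes."""
    host, port = parse_pasv_reply(line)
    problems = []
    if host != control_peer:
        # A client that blindly follows this could be pointed at a third host;
        # the safe choice is to connect to the address the control session already uses.
        problems.append(f"advertised host {host} differs from control peer {control_peer}")
    if port < 1024:
        problems.append(f"port {port} is privileged; passive data ports should be > 1023")
    low, high = passive_range
    if not low <= port <= high:
        problems.append(f"port {port} is outside the firewall's passive range {low}-{high}")
    return {"host": host, "port": port, "problems": problems}


# Constructed samples: the lab computer talking to a server at 198.51.100.10 whose
# firewall permits passive data ports 50000-50100.
SERVER_IP = "198.51.100.10"
PASSIVE_RANGE = (50000, 50100)
GOOD_REPLY = "227 Entering Passive Mode (198,51,100,10,195,80)"   # 195*256 + 80 = 50000
BAD_REPLY = "227 Entering Passive Mode (10,0,0,5,0,21)"           # other host, port 21

if __name__ == "__main__":
    print(build_port_command("172.16.50.66", 1891))            # active mode, client side
    print(parse_port_command("PORT 172,16,50,66,7,99"))        # server side decodes it
    for reply in (GOOD_REPLY, BAD_REPLY):
        result = check_passive_reply(reply, SERVER_IP, PASSIVE_RANGE)
        print(reply, "->", result["host"], result["port"], result["problems"] or "ok")
```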

5. In the Domain Name/IP Address field, enter ftp.microsoft.com as the domain name.

[Screenshot]

6. Leave all other fields and selections at their defaults and click the Next button, which takes you to a dialog where you can enter account information.

[Screenshot]

7. In this case, you do not need a user account to connect to Microsoft’s FTP server. Select the Anonymous/Public Logon check box and clear the Save Password check box, and then click the Next button to go to the dialog where you name this connection and assign it a drive letter.

[Screenshot]

8. Enter a descriptive name for the connection and choose any available drive letter from the drop-down for the drive to map to the server. Click the Next button to move along to the dialog that allows you to choose when to connect to the site.

[Screenshot]

9. Check the box labeled Connect To Site Now and then click the Finish button to leave the wizard and try out your new connection. If you are in the demo period, you will need to choose whether to try or buy the software before continuing. If all goes well, you will be presented with a Windows Explorer window with the contents of the FTP site in the body and the associated drive’s identity in the address bar.

[Screenshot]

10. Note, from the following screen shot, that your friendly site name appears under the Sites folder and all your optional settings are to the right and editable as long as your site is selected and you have disconnected any previous drive connection from My Computer by right-clicking WebDrive and choosing Disconnect from the menu. If you choose not to connect automatically when Windows starts, you can click the Connect button in this dialog to produce an Explorer window for the drive you specified.

[Screenshot]

11. Traverse the directory structure of the server until you arrive at the MSLFILES directory and then find the WD97VW32.EXE object, as shown in the following screen shot. You can drag this file to the location of your choosing. You might have to make sure the Explorer window is not maximized.

[Screenshot]

Criteria for Completion

You have completed this task when you have performed a file transfer using the command-line and Explorer methods. Optionally, downloading and installing the trial versions of BulletProof FTP Client and WebDrive offers experience with additional FTP utilities.

The following figure illustrates the sample network connectivity between a computer and a router.

[Figure: Sample network layout]

Equipment Used

For this task, you need a computer with a Windows operating system and a Cisco router. Connect the computer’s Ethernet interface to the router’s Ethernet interface. Also connect the computer to the console port of the router for configuration access.

Details

In this task, you use the ping utility on an interconnected computer and router to investigate the differences in their interfaces as well as the nature of IP routing.

1. Use an Ethernet crossover cable to connect the computer to the router or use a switch or hub with two straight cables.

2. Configure the computer and router according to the figure.

3. At a command prompt on the computer, ping the router’s nearest interface. This works because when a device pings another, it sources the ICMP echo request on the exit interface. This IP address is the destination address that the device you ping uses to send an echo reply. Because both addresses are on the same IP subnet, they know to use their common interface to send traffic to each other.

C:\>ping 172.16.50.65

Pinging 172.16.50.65 with 32 bytes of data:

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Reply from 172.16.50.65: bytes=32 time=1ms TTL=64

Ping statistics for 172.16.50.65:

   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

   Minimum = 1ms, Maximum = 20ms, Average = 5ms

C:\>

4. On the router, reverse the source and destination for the ping just to show that neither end has a problem generating the echo request.

PingRouter#ping 172.16.50.66

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.50.66, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

PingRouter#

5. Now, attempt to ping the router’s loopback interface from the computer. If the computer’s default gateway is something other than the router’s local interface, the computer still believes it has a path to everywhere in the world and sends the packets to that default gateway. When the default gateway device does not know how to handle the destination network, it in turn forwards them to its own default gateway. By the time the unreachable messages begin to flow back to the source of the pings, the source has already timed out waiting for a response.

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 1.1.1.1:

   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

6. On the router, execute an extended ping by entering only the command ping. The rest of the settings appear as follows. Again, the source and destination are reversed from the previous step.

PingRouter#ping      

Protocol [ip]:

Target IP address: 172.16.50.66

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 1.1.1.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.50.66, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

.....

Success rate is 0 percent (0/5)

PingRouter#

Note: The ping was unsuccessful. This is because you sourced the ping from the loopback interface, which has an IP address to which the computer is unable to return traffic, as evidenced in Step 5. This is a way to test connectivity of a remote device to a local address without the need to conduct the ping from the remote device.

7. Teach the computer how to find the address of the router’s loopback interface.

C:\>route add 1.1.1.1 mask 255.255.255.255 172.16.50.65

C:\>

8. Now, try the ping from both directions. The router has no problem responding to the computer’s source address, which is on a local subnet with the router. After the alteration to the computer’s routing table, the computer has no trouble getting to the loopback interface of the router even though it is not a local address.

C:\>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:

Reply from 1.1.1.1: bytes=32 time=495ms TTL=120

Reply from 1.1.1.1: bytes=32 time=428ms TTL=120

Reply from 1.1.1.1: bytes=32 time=428ms TTL=120

Reply from 1.1.1.1: bytes=32 time=465ms TTL=120

Ping statistics for 1.1.1.1:

   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

   Minimum = 428ms, Maximum = 495ms, Average = 454ms

C:\>

PingRouter#ping        

Protocol [ip]:

Target IP address: 172.16.50.66

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 1.1.1.1     

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.50.66, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

PingRouter#
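Steps 5 through 8 come down to how the computer chooses a next hop. As an added example (not part of the lab manual), the following Python routing-table model applies the longest-prefix-match rule every IP host uses: before Step 7 the only match for 1.1.1.1 is the default route, so the echo requests go to the default gateway; after applying the same route add command as Step 7, the /32 host route wins and the next hop becomes the router at 172.16.50.65. The default gateway address 172.16.50.126 is a constructed value standing in for "a gateway other than the router's local interface".

```python
import re
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: object            # ipaddress.IPv4Network
    gateway: Optional[str]     # None means directly connected (on-link)
    metric: int


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, destination: str, mask: str, gateway: Optional[str] = None, metric: int = 1):
        """Add a route given in dotted-mask form, as Windows displays it."""
        self.routes.append(Route(ip_network(f"{destination}/{mask}", strict=False), gateway, metric))

    def route_add(self, command: str):
        """Apply a Windows 'route add <dest> mask <mask> <gateway> [metric N]' command string."""
        m = re.fullmatch(r"route add (\S+) mask (\S+) (\S+)(?: metric (\d+))?", command.strip(), re.I)
        if not m:
            raise ValueError(f"unsupported command: {command!r}")
        self.add(m.group(1), m.group(2), m.group(3), int(m.group(4) or 1))

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
        dst = ip_address(destination)
        matches = [r for r in self.routes if dst in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

    def next_hop(self, destination: str) -> str:
        r = self.lookup(destination)
        if r is None:
            return "unreachable"
        return r.gateway or "on-link"


def lab_computer_table(default_gateway: str = "172.16.50.126") -> RoutingTable:
    """The lab computer's table: its connected /26 plus a default route that points at
    some device other than the router (constructed: 172.16.50.126), as Step 5 assumes."""
    t = RoutingTable()
    t.add("172.16.50.64", "255.255.255.192")             # connected subnet, on-link
    t.add("0.0.0.0", "0.0.0.0", default_gateway, metric=10)
    return t


if __name__ == "__main__":
    table = lab_computer_table()
    print("router LAN address 172.16.50.65 ->", table.next_hop("172.16.50.65"))
    print("loopback 1.1.1.1 before Step 7    ->", table.next_hop("1.1.1.1"))
    table.route_add("route add 1.1.1.1 mask 255.255.255.255 172.16.50.65")
    print("loopback 1.1.1.1 after Step 7     ->", table.next_hop("1.1.1.1"))
```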

Criteria for Completion

You have completed this task when you have configured the devices according to the task procedure and observed the success and failure of the ping utility. Because this feature is so prevalent and crucial to daily troubleshooting, it is highly recommended that you devise your own scenarios and conduct similar attempts to verify connectivity.

The following figure illustrates the sample network connectivity between the computer and router.

[Figure: Sample network layout]

Equipment Used

For this task, you need a computer with Internet access as well as connectivity to one router, which in turn is connected to another router, as in the figure. You need hubs, switches, and cabling to reproduce the network shown in the same diagram.

Details

In this task, you use the traceroute utility to discover the path to remote endpoints.

1. Use an Ethernet crossover cable to connect the computer to the router or use a switch or hub with two straight cables.

2. Connect the two routers together.

3. Configure the computer and routers according to the figure.

4. Add the following configuration to RouterY:

RouterY#config t

RouterY(config)#ip route 172.16.50.64 255.255.255.192 172.16.50.163

RouterY(config)#end

RouterY#

5. Add the following configuration to the computer:

C:\>route add 172.16.50.160 mask 255.255.255.248 172.16.50.65

C:\>

6. On RouterY, conduct a traceroute to the computer at 172.16.50.95.

RouterY#traceroute 172.16.50.95

Type escape sequence to abort.

Tracing the route to 172.16.50.95

  1 172.16.50.163 4 msec 4 msec 4 msec

 2 172.16.50.95 4 msec 4 msec *

RouterY#

Note: The escape sequence referenced in the output of the command is Ctrl+Shift+6. Hold down the Ctrl and Shift keys while tapping the 6 key in the number row at the top of the keyboard, not the one on the numeric keypad, until you return to a prompt. The traceroute command continues until a TTL of 30 is reached or the destination returns the “destination port unreachable” message. A failed traceroute can continue through 30 slow, pointless iterations without the escape sequence.

7. On the computer, issue the tracert command with no arguments or switches.

C:\>tracert

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:

   -d                 Do not resolve addresses to hostnames.

   -h maximum_hops    Maximum number of hops to search for target.

   -j host-list       Loose source route along host-list.

   -w timeout         Wait timeout milliseconds for each reply.

C:\>

While there are very few switches, one or two of them tend to make life much easier. For example, if you know there are only so many intermediate devices (routers) between source and destination devices, limit the number of hops with the -h switch so that the traceroute does not seem to go on forever on a failure. If the name of each device along the way is not beneficial, there is a way to stop those from displaying as well: the -d switch.

8. On the computer, pick an Internet (or corporate intranet) location and traceroute to it by name or address.

C:\>tracert www.yahoo.com

Tracing route to www.yahoo.akadns.net [216.109.118.70]

over a maximum of 30 hops:

  1    62 ms    92 ms   105 ms  172.16.10.65

 2    14 ms    91 ms    93 ms  68.216.218.66

 3    15 ms    68 ms    88 ms  68.216.218.49

 4    42 ms    50 ms    53 ms  205.152.181.25

 5    44 ms    89 ms    81 ms  65.83.237.36

 6    32 ms    83 ms    74 ms  65.83.236.9

 7    30 ms    89 ms    79 ms  65.83.236.116

 8    42 ms    85 ms    56 ms  65.83.236.66

 9    52 ms    60 ms    60 ms  65.83.237.228

10    44 ms   100 ms    64 ms  ge-0-0-0-p100.msr1.dcn.yahoo.com [216.115.108.1]

11    46 ms    78 ms    68 ms  ge3-1.bas1-m.dcn.yahoo.com [216.109.120.149]

12    43 ms    46 ms    58 ms  p7.www.dcn.yahoo.com [216.109.118.70]

Trace complete.

C:\>

Note that the utility seeks to run a reverse DNS lookup on all results. For those that come back with a corresponding DNS name, the IP address is listed in square brackets after the name. Use the -d switch to stop names from displaying.

9. Going back to the router and performing an extended traceroute by issuing the traceroute command with no arguments gives you the opportunity to experiment with alternate port numbers. This can be used to test security designed to prohibit traceroute activity. The extended traceroute also gives you the opportunity to test the remote device’s ability to send traffic to an interface on the router that does not source pings and traceroute messages to the destination by default. Consider a Loopback0 interface on RouterY with an address of 1.1.1.1/32. The following traceroute sources from the Loopback0 interface, limits the number of TTL iterations to five, and sends messages to UDP port number 33500. Notice in the list that this port number is unassigned and has a good chance of working for traceroute.

RouterY#traceroute

Protocol [ip]:

Target IP address: 172.16.50.95

Source address: 1.1.1.1

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]: 5

Port Number [33434]: 33500

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 172.16.50.95

  1 172.16.50.163 4 msec 4 msec 4 msec

 2 172.16.50.95 4 msec 4 msec *

RouterY#

10. You can also use this method to test for the existence of a working UDP port on the destination device. Say the computer is a DNS server listening on UDP port 53 for client resolution queries. Specifying that port will not result in “destination port unreachable” messages returning to the router, which indicates that the port is active on that host; the trace therefore shows only asterisks for the final hop until the maximum TTL is reached.

RouterY#traceroute

Protocol [ip]:

Target IP address: 172.16.50.95

Source address:

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]: 5

Port Number [33434]: 53

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 172.16.50.95

  1 172.16.50.163 4 msec 4 msec 4 msec

 2  *  *  *

 3  *  *  *

 4  *  *  *

 5  *  *  *

RouterY#
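As an added example (not part of the lab manual), the following Python model reproduces the mechanism behind the two traceroute outputs above: every intermediate router that decrements the TTL to zero answers with ICMP time exceeded, and the destination answers a probe to an unused UDP port with ICMP port unreachable, which ends the trace, but stays silent when a service (DNS on port 53 here) consumes the datagram. The topology (one router at 172.16.50.163 in front of the computer at 172.16.50.95) is taken from the lab; that the computer listens on UDP 53 is the assumption Step 10 makes. The model keeps the destination port fixed for every probe, which is a simplification of real implementations.

```python
from typing import List, NamedTuple


class Hop(NamedTuple):
    ttl: int
    replies: List[str]     # address that answered each probe, or "*" when nothing came back


class Target:
    """A simulated destination host. Model assumption: a UDP datagram to a port nothing
    listens on draws an ICMP 'port unreachable', while a port with a listening service
    consumes the datagram and sends no ICMP at all."""

    def __init__(self, ip: str, listening_udp=()):
        self.ip = ip
        self.listening_udp = set(listening_udp)


def simulate_traceroute(routers, target, dst_port=33434, min_ttl=1, max_ttl=30, probes=3):
    """routers: addresses of the intermediate hops in path order. Each probe is a UDP
    datagram to dst_port sent with the current TTL. Returns (hops, reached)."""
    hops = []
    for ttl in range(min_ttl, max_ttl + 1):
        replies = []
        for _ in range(probes):
            if ttl <= len(routers):
                replies.append(routers[ttl - 1])        # ICMP time exceeded from that router
            elif dst_port in target.listening_udp:
                replies.append("*")                     # service swallowed it: silence
            else:
                replies.append(target.ip)               # ICMP port unreachable: trace done
        hops.append(Hop(ttl, replies))
        if target.ip in replies:
            return hops, True
    return hops, False                                   # ran out of TTL without a final answer


def render(hops) -> str:
    """Lay the hop list out in the same shape as the router output above."""
    return "\n".join(f"{h.ttl:>3} " + "  ".join(h.replies) for h in hops)


# Constructed lab topology: RouterY -> 172.16.50.163 -> the computer at 172.16.50.95,
# assumed to run a DNS server on UDP 53 as Step 10 describes.
LAB_PATH = ["172.16.50.163"]
LAB_TARGET = Target("172.16.50.95", listening_udp={53})

if __name__ == "__main__":
    for port in (33500, 53):
        hops, reached = simulate_traceroute(LAB_PATH, LAB_TARGET, dst_port=port, max_ttl=5)
        print(f"UDP port {port}: {'trace complete' if reached else 'destination never answered'}")
        print(render(hops))
```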

Criteria for Completion

You have completed this task when you have configured the devices according to the task procedure and observed the success and failure of the traceroute utility.

The following figure illustrates the sample network connectivity between the computer and router.

[Figure: Sample network layout]

Equipment Used

For this task, you need a computer connected to one router, which in turn is connected to another router, as in the figure. You need hubs, switches, and cabling to reproduce the network shown in this figure.

Details

In this task, you configure the Telnet server on a Cisco router and then gain access to its CLI from a computer and another Cisco router.

General Setup

1. Use an Ethernet crossover cable to connect the computer to the router or use a switch or hub with two straight cables.

2. Connect the two routers.

3. Configure the computer and routers according to the figure.

4. Add the following configuration to RouterY:

RouterY#config t

RouterY(config)#ip route 172.16.50.64 255.255.255.192 172.16.50.163

RouterY(config)#end

RouterY#

5. Add the following configuration to the computer:

C:\>route add 172.16.50.160 mask 255.255.255.248 172.16.50.65

C:\>

6. On RouterY, create a username for authentication and a password to go with it. Enter delliot as the username and wiley as the password.

RouterY#config t

RouterY(config)#username delliot password wiley

RouterY(config)#

7. On RouterY, configure the default Telnet ports for access using the local user database.

RouterY(config)#line vty 0 4

RouterY(config-line)#login local

RouterY(config-line)#end

RouterY#

Using Telnet from Router to Router

1. On RouterX, telnet to RouterY using the credentials created for David Elliot. Try to enter privileged EXEC mode. If your router has an enable secret configured, enter that when prompted; if it has only an enable password, enter that. However, if you have configured neither, you are not allowed into privileged mode over a Telnet connection, as shown in the following output:

RouterX#172.16.50.161

Trying 172.16.50.161 ... Open

User Access Verification

Username: delliot

Password:

RouterY>enable

% No password set

RouterY>

2. Configure an enable secret on RouterY, if necessary.

RouterY#config t

RouterY(config)#enable secret wiley

RouterY(config)#end

RouterY#

3. Try to enter privileged mode again in the Telnet session to RouterY from RouterX. Enter the enable secret you just configured. This time, it works.

RouterY>enable

Password:

RouterY#

4. Begin the process to suspend the Telnet session by executing the key sequence Ctrl+Shift+6, x. To do this, hold the Ctrl and Shift keys down and then tap the 6 key once. Release the Ctrl and Shift keys and tap the letter x key once. This brings you back to the host router you used to telnet into RouterY.

RouterY#

RouterX#

5. Issue the show sessions command to confirm that the Telnet session is just suspended, not disconnected.

RouterX#show sessions

Conn Host                Address         Byte  Idle Conn Name

*  1 172.16.50.161       172.16.50.161      0     0 172.16.50.161

RouterX#

6. Issue the disconnect command with the connection number of the Telnet session to RouterY, found under the Conn column, and confirm that you wish to disconnect your session. Showing the suspended sessions again confirms you have completely exited your session with RouterY.

RouterX#disconnect 1

Closing connection to 172.16.50.161 [confirm]

RouterX#sh sessions

% No connections open

RouterX#
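As an added example (not part of the lab manual), the following Python script audits the remote-access portion of an IOS configuration like the one built in this task. It reproduces the "% No password set" condition from Step 1 (no enable secret), flags a username stored with password rather than secret, checks that each vty line authenticates against the local user database, and notes when Telnet is accepted, since Telnet carries the credentials in cleartext. The two configuration texts are constructed: the first is what Steps 6 and 7 produce, the second a hardened version with placeholder secrets.

```python
import re


def parse_line_blocks(config: str) -> dict:
    """Collect the indented sub-commands under each 'line ...' stanza of an IOS config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line "):
            current = line
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None            # '!', 'end' or any top-level command closes the stanza
    return blocks


def audit_remote_access(config: str) -> list:
    """Return findings about how privileged and vty access are protected."""
    findings = []
    top = [l.rstrip() for l in config.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("enable secret") for l in top):
        if any(l.startswith("enable password") for l in top):
            findings.append("enable password is reversible; replace it with enable secret")
        else:
            findings.append("no enable secret: privileged mode is refused over Telnet "
                            "('% No password set')")
    for l in top:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"username {m.group(1)} uses 'password' (reversible); "
                            f"use 'username {m.group(1)} secret'")
    vty = {n: c for n, c in parse_line_blocks(config).items() if n.startswith("line vty")}
    if not vty:
        findings.append("no vty lines configured, so no remote CLI access is possible")
    for name, cmds in vty.items():
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' admits anyone without credentials")
        elif not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            # Plain 'login' (the default) checks a single shared line password.
            if not any(c.startswith("password ") for c in cmds):
                findings.append(f"{name}: 'login' without a line password refuses every connection")
            else:
                findings.append(f"{name}: shared line password; prefer 'login local' "
                                "with per-user accounts")
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no 'transport input' line; Telnet is accepted by default "
                            "on many IOS releases, so credentials cross the wire in cleartext")
        elif any("telnet" in t or "all" in t for t in transports):
            findings.append(f"{name}: Telnet is enabled, so credentials cross the wire in "
                            "cleartext; prefer 'transport input ssh'")
    return findings


# Constructed: RouterY as left by Steps 6 and 7, before the enable secret is added.
LAB_CONFIG = """\
hostname RouterY
!
username delliot password wiley
!
line vty 0 4
 login local
!
end
"""

# Constructed hardened version; the secrets are placeholders.
HARDENED_CONFIG = """\
hostname RouterY
!
enable secret ENABLE_SECRET_PLACEHOLDER
username delliot secret USER_SECRET_PLACEHOLDER
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("lab config", LAB_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(label)
        for finding in audit_remote_access(cfg) or ["no findings"]:
            print("  -", finding)
```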

Using Telnet from Computer to Router

1. On the computer, open HyperTerminal; one way to open it in Windows XP is by choosing Start → All Programs → Accessories → Communications → HyperTerminal (the application, not the folder, if one exists). (In Windows Vista and Windows 7, you’ll have to use another utility, such as the built-in telnet command-line utility, or download HyperTerminal.) This produces the opening dialog for HyperTerminal. Name the session and click the OK button.

[Screenshot]

2. In the Connect To dialog, choose TCP/IP (Winsock) from the Connect drop-down. Doing so takes away the modem information that might have displayed by default. Instead, you now have a location to enter a hostname or address and accept or change the default port number. Port 23 is correct for Telnet. Enter the IP address for RouterY. Click the OK button to continue to the HyperTerminal session.

c04uf026.tif

3. In the HyperTerminal session, you are prompted for the username and password just as you were when connecting from router to router. Enter the appropriate information, similar to what you see in the following image:

c04uf027.tif

Criteria for Completion

You have completed this task when you have configured the devices according to the task procedure and successfully used Telnet to gain access to a Cisco router from another Cisco router and from a computer.


The nslookup utility takes almost all of the guesswork out of name-resolution troubleshooting, even letting you test resolution against servers other than the ones DHCP handed to your computer. When you ping or trace to a destination, you see only one of the possibly many IP addresses the hostname resolves to. With nslookup you see all addresses and aliases associated with a name, together with which server answered and whether that answer was authoritative. Its other options can make future troubleshooting less of a struggle.

Scenario

Your DNS server is not returning IP addresses for Internet sites. You take it upon yourself to test its resolution capacity manually as well as compare it to the capacity of other known DNS servers in the Internet.

Scope of Task

Duration

This task should take about 30 minutes.

Setup

For this task, you need a computer with Internet access. Alternatively, a corporate intranet connection is sufficient if you know the name or address of DNS servers that are not your primary and secondary servers.

Caveat

The nslookup utility, as its name implies, is for the display of information only. Permanently changing such information for full-time use on a device must be done through other avenues. Be certain the name server you attempt to use is a known server that you have reason to trust: nslookup returns negative results that can lead you to the wrong conclusion if you happen to use the wrong DNS server name or address, and an unknown server can return any answer it likes. At the very least, ping the DNS server's name or address before attempting to use it with nslookup, bearing in mind that some servers do not answer ICMP echo requests, so a failed ping alone does not prove the server is down.

Procedure

In this task, you use the nslookup utility of the Microsoft operating system to display information provided by DNS servers regarding name resolution.

Equipment Used

For this task, you need a computer with an Internet connection or an intranet connection that leads to multiple DNS servers. All associated devices and cabling to provide this access are assumed.

Details

The following steps lead you through the more common uses of the nslookup command-line utility in a Microsoft operating system. The utility originated in the UNIX environment and is present in other operating systems under the same name; related utilities such as dig and host provide similar information.

1. Connect the computer to a network that offers multiple DNS servers. This procedure uses the Internet.

2. At a command prompt on the computer, issue the command ipconfig /all. Pay special attention in the output to the IP addresses of the DNS servers.

       DNS Servers . . . . . . . . . . . : 205.152.37.23

                                           205.152.132.23

3. At a command prompt on the computer, issue the command nslookup.

C:\>nslookup

Default Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

>

As you can see, you are thrust into another command shell, called the nslookup prompt; you are no longer sitting at the Windows command prompt. The address of one of your DNS servers appears along with a name that has been resolved in reverse by that very server. Your prompt is now a simple greater-than symbol (>). This is known as the interactive mode of the nslookup utility.

note.eps

In certain situations, this procedure results in the inability to resolve a server name. This is due to the fact that the address is that of the internal private interface of a home router, such as a wireless access point with built-in router. This device acts as a proxy for DNS queries from the DNS clients on the internal private network and does not offer a name for itself to the nslookup utility.

4. Enter a question mark (?) and study the help display. The command help accomplishes the same result. The output is too extensive to reproduce here, but the entire display is worth reading.

5. At the nslookup prompt, you can simply specify a name for which you want to see the resolution.

> www.wiley.com

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    www.wiley.com

Address:  208.215.179.146

>

The same result can be obtained from the command prompt by placing the name you want resolved directly after the nslookup keyword. This is the noninteractive mode of the nslookup utility. Once your resolution is returned, you are placed back at the command prompt.

C:\>nslookup www.wiley.com

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    www.wiley.com

Address:  208.215.179.146

C:\>

6. Say your regular DNS servers do not appear to be working. In interactive mode, issue the command server ns1.mindspring.com, which changes the default server while in this mode. Then look up the same name you looked up earlier.

> server ns1.mindspring.com

Default Server:  ns1.mindspring.com

Address:  207.69.188.185

> www.wiley.com

Server:  ns1.mindspring.com

Address:  207.69.188.185

Non-authoritative answer:

Name:    www.wiley.com

Address:  208.215.179.146

>

7. If you prefer to use another server only for this lookup, you can specify the name and server on the same line. Subsequent lookups consult the original default server. Note that you must change the default server back to its original value for the following procedure to work properly. You can use the exit command to leave interactive mode and then enter the nslookup command at the command prompt to reenter interactive mode if you prefer. This returns your name server to its default setting.

> www.wiley.com ns1.mindspring.com

Server:  ns1.mindspring.com

Address:  207.69.188.185

Non-authoritative answer:

Name:    www.wiley.com

Address:  208.215.179.146

> www.sybex.com

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    www.sybex.com

Address:  208.215.179.220

>

The equivalent noninteractive procedure places the server you wish to use at the end of the earlier noninteractive command, as follows.

C:\>nslookup www.wiley.com ns1.mindspring.com

Server:  ns1.mindspring.com

Address:  207.69.188.185

Non-authoritative answer:

Name:    www.wiley.com

Address:  208.215.179.146

C:\>

Perhaps you need to look up all common server addresses for a particular domain name, say google.com. For example, you want to know whether Google's web servers have different IP addresses from its mail servers, how many addresses get you to the same service, and whether any aliases to the common names exist. From interactive mode, change the default domain name to google.com so that you do not have to enter it repeatedly.

> set domain=google.com

>

Now, until you exit interactive mode, any unqualified name you enter has google.com appended to it. Note that the command set srchlist=google.com would work as well, but that command implies the use of multiple domains in the search list. Either command works fine here.

> www

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    www.l.google.com

Addresses:  72.14.204.105

         72.14.204.103

         72.14.204.147

         72.14.204.99

         72.14.204.104

Aliases:  www.google.com

> mail

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    googlemail.l.google.com

Addresses:  72.14.204.83

         72.14.204.17

         72.14.204.19

         72.14.204.18

Aliases:  mail.google.com

> smtp

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    smtp.google.com

Addresses:  74.125.121.57

         216.239.44.95

> ns

Server:  dns.asm.bellsouth.net

Address:  205.152.37.23

Non-authoritative answer:

Name:    ns.google.com

Address:  216.239.32.10

>

Set the default server to ns.google.com and look up www again.

> www

Server:  ns.google.com

Address:  216.239.32.10

Name:    www.l.google.com

Addresses:  72.14.204.105

         72.14.204.103

         72.14.204.147

         72.14.204.104

         72.14.204.99

Aliases:  www.google.com

>

>

Notice that the Non-authoritative answer line is absent this time. nslookup prints that line when the answer came out of a resolver's cache rather than from a server that holds the zone; ns.google.com is authoritative for everything ending in google.com, so its answer is authoritative. Under certain circumstances the answer still comes back as non-authoritative, for instance when the server you reached is a caching resolver rather than the zone's own nameserver. That is not in itself a problem: a cached answer is normally accurate, which is how DNS is designed to work, but it is only as trustworthy as the resolver that cached it. If you suspect DNS spoofing or cache poisoning, a form of man-in-the-middle attack, the check is the one you just performed: query a server that is authoritative for the zone directly and compare its answer with the cached one.
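To see what the presence or absence of that line actually encodes, here is a small Python script, an added example that is not part of the lab manual. It builds a DNS query, constructs two responses that mirror the www.google.com answer above (one with the AA flag clear, as a caching resolver returns it, and one with AA set, as ns.google.com would), and parses them the way nslookup does. The response bytes are constructed inline, not captured from a real server; the names and addresses are the ones shown in the task.

```python
"""
Build a DNS A query and parse the response the way nslookup does, to show
what the "Non-authoritative answer:" line reflects: the AA (authoritative
answer) flag in the response header. Added example, not from the lab
manual; the response bytes are constructed here to mirror the
www.google.com lookup above and are not a capture from a real server.
"""
import struct

QTYPE_A = 1
QTYPE_CNAME = 5
FLAG_AA = 0x0400  # bit 10 of the DNS flags word

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """Standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)

def build_response(query, authoritative, answers):
    """Answer `query`; answers are (owner, rtype, rdata) tuples. The owner
    may be a str or pre-encoded bytes such as a compression pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_AA if authoritative else 0)  # QR, RD, RA (+AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = b""
    for owner, rtype, rdata in answers:
        owner = owner if isinstance(owner, bytes) else encode_name(owner)
        body += owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + body  # question section reused verbatim

def decode_name(msg, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg):
    """Reduce a response to the fields nslookup prints."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "authoritative": bool(flags & FLAG_AA),
              "rcode": flags & 0x000F, "name": None, "aliases": [], "addresses": []}
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata_at, offset = offset + 10, offset + 10 + rdlen
        if rtype == QTYPE_CNAME:
            result["aliases"].append(owner)
            result["name"], _ = decode_name(msg, rdata_at)
        elif rtype == QTYPE_A:
            result["addresses"].append(".".join(str(b) for b in msg[rdata_at:offset]))
            result["name"] = result["name"] or owner
    return result

def format_like_nslookup(result):
    """Render the parsed answer in nslookup's output style."""
    lines = [] if result["authoritative"] else ["Non-authoritative answer:"]
    lines.append("Name:    " + str(result["name"]))
    lines.append("Addresses:  " + ", ".join(result["addresses"]))
    if result["aliases"]:
        lines.append("Aliases:  " + ", ".join(result["aliases"]))
    return "\n".join(lines)

# Constructed sample: the www.google.com answer from the task, first as a
# caching resolver returns it (AA clear), then as ns.google.com would (AA set).
QUERY = build_query("www.google.com")
ANSWERS = [
    (b"\xc0\x0c", QTYPE_CNAME, encode_name("www.l.google.com")),  # owner: pointer to offset 12
    ("www.l.google.com", QTYPE_A, bytes([72, 14, 204, 105])),
    ("www.l.google.com", QTYPE_A, bytes([72, 14, 204, 103])),
]
CACHED = parse_response(build_response(QUERY, False, ANSWERS))
AUTHORITATIVE = parse_response(build_response(QUERY, True, ANSWERS))

if __name__ == "__main__":
    print(format_like_nslookup(CACHED), "\n---\n", format_like_nslookup(AUTHORITATIVE), sep="")
```

Run it and the first answer appears under a Non-authoritative answer: banner and the second without one; nothing else about the two answers differs. A resolver that had been tricked into caching a forged record would return it with AA clear exactly like the honest cache here, which is why comparing against the zone's own nameservers is the meaningful check.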

8. To resolve names from the first domain that produces a match when the domain name is appended to the unqualified name, create an ordered list with the set srchlist command in interactive mode. An example follows.

> set srchlist=wiley.com/google.com

> www

Server:  ns.google.com

Address:  216.239.32.10

Non-authoritative answer:

Name:    www.wiley.com

Address:  208.215.179.146

> smtp

Server:  ns.google.com

Address:  216.239.32.10

Name:    smtp.google.com

Addresses:  74.125.121.57

         216.239.44.95

>

In this example, because wiley.com comes first in the list, which must be delimited by slashes, it is appended first to any unqualified name, such as www. When a match occurs, it is presented. In the case of the name smtp, appending wiley.com does not produce a match, so google.com, the second domain name in the list, is appended and produces a match.

While there certainly is much more that can be done with the nslookup utility, you are well on your way to mastering its capabilities. You also have the necessary navigation skills to be able to carry on your own experiment with the command structure.

Criteria for Completion

You have completed this task when you have practiced the foregoing techniques for using the nslookup utility in both interactive and noninteractive modes. You can manipulate the name server to use in resolutions as well as the domain list that is to be appended to unqualified names.

to download a compatible version of this application for Vista or 7. The latest version of the software is vastly different, but the preceding web page includes a link to a TechNet forum where discussions on the use of Network Monitor can be found. Regardless, Task 4.9b, “Using a Third-Party Protocol Analyzer,” in this phase works for all operating systems.

Procedure

In this task, you use Microsoft’s Network Monitor utility on Windows Server 2003 to capture frames from the network and inspect the contents of the frames and the packets they encapsulate.

Equipment Used

For this task, you need a server with network access to at least one other device that can generate known traffic to the server for analysis.

Details

This task walks you through accessing and executing Microsoft Network Monitor on a contemporary Windows Server product.

General Use

1. Open Network Monitor. You can do this by clicking Start All Programs Administrative Tools Network Monitor.

2. After the program starts, the F8 key allows you to create a filter for your capture. Alternatively, follow Capture Filter, along the menu bar at the top. Unless the server is an SMS server, this brings up the following informational message. Click the OK button to continue.

c04uf028.tif

3. As you can see, in the Capture Filter dialog (shown next), you have the option to filter on types of frames, on addresses—both MAC and IP—and on any patterns in the data in which you are interested.

c04uf029.tif

Double-click the SAP/ETYPE line. Doing so produces the Capture Filter SAPs And ETYPEs dialog.

4. In the Capture Filter SAPs And ETYPEs dialog, every frame type is captured by default; you can exclude a type by double-clicking its entry, or by clicking the entry and then clicking the Disable button. The following image shows a filter that does not capture Bridge Protocol Data Units (BPDUs), not a bad idea if you have them and don't care about them. BPDUs come out every two seconds per switch or bridge interface by default. Click the OK button to return to the Capture Filter dialog.

c04uf030.tif

5. In the Capture Filter dialog (see Step 3), double-click the (Address Pairs) line. Alternatively, you can click the line once and then click the Address button. This launches the Address Expression dialog, shown in the following image:

c04uf031.tif

Each pass of the Address Expression dialog adds another address-based expression to the filter. How the expressions are grouped affects how the filter works—more on that later. In the Address Expression dialog, make sure the Include radio button is filled. The Exclude radio button creates a NOT function similar to that offered for pattern expressions, shown later in this procedure. For Station 1, click the server’s name on the line with the IP address you wish to monitor. Others can be added by repeating this step. Leave Station 2 set to *ANY and Direction set to bidirectional (<—>). Click OK to return to the Capture Filter dialog.

Filter Operators

The following graphic shows the results of Step 5 in this procedure.

c04uf032.tif

The AND farthest to the left dictates that SAP/ETYPE, address pairs, and pattern matches are all considered equally when matching traffic. A frame not matching all three of the criteria is not captured. If you do not specify Address Pairs or Pattern Matches, these criteria simply are not checked. Leaving all SAPs and ETYPEs enabled is tantamount to ignoring this criterion. Be careful what criteria you specify. It is easy to leave yourself with a capture that yields no frames. The following image shows the same filter as before but with additional, more complex conditions.

c04uf033.tif

The patterns are the hexadecimal representations of the ASCII words goodbye and hello. Realize that these patterns do not appear at the 0x0 offset (very beginning) of any frames, but this is just an example to explain the operators. With pattern matches, you can use the OR and NOT operators. So the filter in the previous graphic reads as follows: If a frame comes along that was either sourced by or destined for the local server AND either the frame has the word hello right at the beginning OR it at least does NOT have the word goodbye right at the beginning, then capture the frame. Reproduce the logic in the previous graphic, which is not as easy as it looks, and then use this logic to build your own meaningful filters later on.

Capture filters are not always where you want to put your effort. Sometimes it’s best to go ahead and capture everything and then apply a display filter to the results. Be aware, though, that the hard drive space must be available to house the original capture on which to apply the display filter. Occasionally, this requirement makes capture filters a better choice. Display filters are presented later in this procedure.

6. On another computer that has access to the server, open a command prompt and prepare to ping the server.

7. Start the capture that you built the filter for simply by pressing the F10 key. If you prefer, you can follow Capture Start. You also can click the button that looks like the play button on your home electronics and that says Start Capture when you hover over it. Once you start the capture, go to the other computer and ping the server a few times. The following image shows a capture in progress on the server.

c04uf034.tif

8. By clicking the Capture menu while a capture is in progress, you see that you have myriad options. For example, you can press the F11 key to stop the capture, or you can click the button with the “stop” square. If you hold the Shift key down while you press the F11 key, you not only stop the capture, you immediately bring up the screen to display the captured data. Alternately, you can stop first, then display. The buttons with the spectacles on them are equivalent to these key sequences. Using the method of your choice, stop the capture after the pings have completed and display the results. Note, by the following screen shot, there are still quite a few extraneous frames that have been captured, depending on what you are looking for of course.

c04uf035.tif

Nevertheless, you can scroll through them until you come to one of your ICMP packets, shown in greater detail in the following illustration.

c04uf036.tif

The preceding screen shot was produced by double-clicking the ICMP-based frame in what is called the summary pane. Doing so automatically produces the additional detail and hex panes, in that order, from top to bottom. By expanding the Ethernet section in the detail pane and clicking on the line that shows the Ethernet type, for example, you see that the corresponding value in the hex pane becomes highlighted. Note that 0x0800 appears in both panes.

9. Now, expand the IP section of the frame, as shown here.

c04uf037.tif

The highlighted portion in the hex pane is the entire IP header, 20 bytes. The IP header follows the Ethernet header, which is 14 bytes; remember, each pair of hex digits is a pair of 4-bit nibbles, or 1 byte. Note, in the detail pane, that the protocol field points to ICMP. If you were to find that value in the hex pane, it would be the value 0x01 at byte number 24, the 10th byte of the IP header. Because numbering begins at an offset of 0x00, this is really byte 23, or offset 0x17 (the hexadecimal value for 23). In fact, if you click the Protocol field in the detail pane, this byte will highlight in the hex pane. Make a note of this byte number for later. Also notice the repeating text in the hex pane. That's the standard dummy payload of a Windows ping packet, the lowercase letters a through w, repeating.

note.eps

The numbers in the first column of the hex pane are the offsets, in hexadecimal, that begin that row. Each row contains 16 (0x10) bytes, causing the beginning hex offset of each row to end in 0. For example, in the graphic at the beginning of this step, the row beginning with 00000010 begins with byte number 0x10. Counting up to the byte with the value 0x01 on that row, you find it to be byte number 0x17.

As an example of how closely you can scrutinize this output, consider the following screen shot, which is a composite of a normal ping on top and, below it, a ping run with the -f switch, which sets the Don't Fragment (DF) bit in the IP header. The DF flag is the only field that differs between the two. In practice, you might combine -f with a gradually increasing payload size (the -l switch) to find the largest MTU along the path: a packet carrying the DF bit that is larger than the MTU of the next link is discarded rather than fragmented, and Windows ping reports "Packet needs to be fragmented but DF set." The path MTU is the largest payload that still gets a reply plus 28 bytes, the 20-byte IP header and the 8-byte ICMP header that ping adds to the payload.

c04uf038.tif

Also expand the ICMP section of the frame and note the telltale type 8, code 0 of an ICMP echo request or type 0, code 0 of an echo reply.

10. While in display mode, press the F8 key to open the Display Filter dialog. Alternatively, you can click the button with the picture of a funnel. Double-click the Protocol==Any line (or single-click and then click the Edit Expression button) to bring up the Expression dialog.

11. On the Protocol tab, click the Disable All button to start with a clean slate.

12. Scroll down in the Disabled Protocols pane and click the entry with ICMP in the name column. Click the Enable button (not the Enable All button). You now see ICMP alone in the Enabled Protocols pane, as shown next. Click OK to return to the Display Filter dialog.

c04uf039.tif

13. The Display Filter dialog now looks similar to the following, with ICMP in the place of ANY. Click the OK button.

c04uf040.tif

Now the display is pared down to include only ICMP packets, as shown in the following image:

c04uf041.tif

You can toggle the display filter on and off by clicking the button showing the funnel with the red circle and slash over it.

14. Close the capture display by choosing File Close, for example.

Using a Capture Filter for ICMP and Telnet

1. Press the F8 key to bring up the Capture Filter dialog again.

2. Double-click Pattern Matches or single-click it and click the Pattern button. This opens the Pattern Match dialog. Now that you know where to find the signature of ICMP in a frame, enter the information you discovered earlier, as shown in the following illustration. Click the OK button.

c04uf042.tif

This tells the capture engine to watch byte 23 (0x17) for the value 0x01, counting from the beginning of the frame, which is the 24th byte because the first one is byte 0. This is where the value for the protocol field of the IP header can be found. 0x01 means ICMP.

3. Click once on your new Pattern Match entry. The OR and NOT buttons light up in the Insert section to the right. With the Offset 0x17 entry highlighted, click the OR button. This produces something in the dialog similar to the following. Note the OR flag under Pattern Matches.

c04uf043.tif

4. To create another pattern match to be part of the OR expression, click on the OR label or the first pattern match you created for ICMP. Do not click on the preceding AND label beside Pattern Matches. Creating another pattern match that way puts it in series with the OR expression, not under it. Click the Pattern button.

5. To include Telnet traffic from a Telnet server, fill in the information according to the following image:

c04uf044.tif

This means that byte 34 (the 35th byte, offset 0x22) starts the two-byte pattern 0x0017. That is the location of the source port field in the TCP header, and 0x0017 is port 23, Telnet. You can discover this information by looking at unfiltered Telnet traffic. To monitor traffic destined for the Telnet server as well, make another OR pattern match for 0x0017 at byte 0x24, the destination port field. Keep in mind that these offsets assume an untagged Ethernet II frame followed by a 20-byte IP header: an 802.1Q VLAN tag shifts everything after it by 4 bytes, and IP options lengthen the IP header, so a fixed-offset pattern silently misses such frames.
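The following Python script, an added example that is not part of the lab manual or of Network Monitor, builds a few constructed frames (not captures; the MAC and IP addresses and the zeroed checksums are placeholders) and applies the task's three pattern matches at their fixed offsets (0x17 for the IP protocol, 0x22 and 0x24 for the TCP ports), next to a check that parses the Ethernet and IP headers to locate the same fields. It shows where the fixed offsets hold and where a VLAN tag or IP options make them miss.

```python
"""
Fixed-offset pattern matching of the kind the Network Monitor capture
filter performs, applied to constructed Ethernet/IPv4 frames, beside a
header-aware check that finds the same fields by parsing the headers.
Added example, not from the lab manual; the frames are built here and are
not captures. Addresses and checksums (left at zero) are placeholders.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
PROTO_ICMP, PROTO_TCP = 1, 6

def build_frame(src_port=0, dst_port=0, proto=PROTO_TCP, vlan=None, ip_options=b""):
    """Ethernet II + IPv4 + (TCP SYN | ICMP echo request) frame."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:                      # optional 802.1Q tag (4 bytes)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_ICMP:                   # type 8, code 0 + Windows ping payload
        transport = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    else:                                     # 20-byte TCP header, SYN flag only
        transport = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ihl = 5 + len(ip_options) // 4            # header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(transport),
                     0x1234, 0x4000, 128, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + ip_options
    return eth + ip + transport

def pattern_match(frame, offset, pattern):
    """Network Monitor style: does `pattern` occur at exactly `offset`?"""
    return frame[offset:offset + len(pattern)] == pattern

def netmon_filter(frame):
    """The task's filter: ICMP OR Telnet from server OR Telnet to server."""
    return (pattern_match(frame, 0x17, b"\x01")          # IP protocol == ICMP
            or pattern_match(frame, 0x22, b"\x00\x17")   # TCP source port 23
            or pattern_match(frame, 0x24, b"\x00\x17"))  # TCP destination port 23

def header_aware_filter(frame):
    """Same intent, but locates the fields from the headers themselves."""
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype == ETHERTYPE_VLAN:        # step over any VLAN tags
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype != ETHERTYPE_IPV4:
        return False
    ip = off + 2
    ihl = (frame[ip] & 0x0F) * 4              # honour IP options
    proto = frame[ip + 9]
    if proto == PROTO_ICMP:
        return True
    if proto != PROTO_TCP:
        return False
    sport, dport = struct.unpack("!HH", frame[ip + ihl:ip + ihl + 4])
    return sport == 23 or dport == 23

if __name__ == "__main__":
    samples = [("telnet reply", build_frame(23, 50000)),
               ("tagged telnet reply", build_frame(23, 50000, vlan=100)),
               ("telnet reply, IP options", build_frame(23, 50000, ip_options=b"\x00" * 4)),
               ("ping", build_frame(proto=PROTO_ICMP))]
    for label, frame in samples:
        print(f"{label:26} fixed-offset={netmon_filter(frame)!s:5} header-aware={header_aware_filter(frame)}")
```

On the untagged frames both checks agree; on the tagged frame and the frame with IP options, the fixed-offset filter returns False while the header-aware one still finds port 23. If you see unexplained gaps in a pattern-matched capture on a trunk port, this is the first thing to rule out.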

6. Now, as the next illustration shows, you have two pattern matches, either one of which causes a frame capture if all other requirements are met. Click OK.

c04uf045.tif

7. Start a capture, then ping the server and try to telnet to it from the other computer. Even if no Telnet service is active on that device, TCP traffic to and from port 23 is generated. The following graphic shows that when you stop and display the capture, except for the statistics frame, only ICMP and TCP are listed in the Protocol column, even without applying a display filter. Unlike a display filter, however, a capture filter is not reversible: every frame it rejected is gone for good, and there is nothing to toggle here.

c04uf046.tif

8. When you scrutinize one of the TCP-based frames, similar to the one shown next, note that it was sourced from port 23 on the server even though no Telnet service is listening there. What the server sent is a TCP reset (RST) in answer to the client's SYN. The reset must carry the client's destination port as its source port and the client's source port as its destination port; otherwise the client has no way to tie the segment to its connection attempt and would discard it as unsolicited. This way the client learns that its intended Telnet target was bogus and is able to report as much back to the user interface.

c04uf047.tif

Criteria for Completion

You have completed this task when you have conducted the captures using Network Monitor on a Microsoft Windows Server product.


Scenario

One of your servers seems to be under a higher level of utilization than expected. Your plan is to run Wireshark on that server to analyze the activity.

Scope of Task

Duration

This task should take about 30 minutes.

Setup

For this task, you need access to a server connected across a network, even if fabricated with a crossover cable, and the ability to generate related traffic that can be captured for analysis. Alternatively, as shown in the following exercises, you can use an Internet connection and a communications package, such as HyperTerminal or SecureCRT, to generate dummy traffic to almost any public website.

Caveat

The same caveat exists as with the use of Network Monitor. Additionally, Wireshark is a bit more advanced, so you might need to spend more time with this application to reap the greatest benefits. After completing this task, however, you will be well on your way to understanding and effectively using Wireshark.

Finally, the method used to produce network traffic in this task results only in TCP-based traffic for all port numbers, but you can easily observe UDP-based DNS traffic while running a Wireshark capture simply by browsing to any website whose name is not already cached locally, causing an outbound query to a DNS server. If there is a limited number of sites you are allowed to visit, first executing an ipconfig /flushdns command causes new queries to go out for commonly visited sites as well. Ordinary DNS queries use UDP; DNS uses TCP only for zone transfers between DNS servers and for responses too large to fit in a UDP datagram (the server sets the truncation flag and the client retries over TCP), so it is not a bad thing that this process generates TCP traffic on port 53. It might be one of the very few times you would ever witness such traffic when not in the requisite environment. Just don't be surprised when TFTP and SNMP, for example, appear to be transported by TCP; under normal circumstances, they are not.

Procedure

In this task, you use Wireshark on a server product to capture frames from the network and identify popular application protocols in use. You can also choose to follow the steps in this task using a communications package to emulate such traffic.

Equipment Used

For this task, you need a server with network access to at least one other device that can generate known traffic to the server for analysis or a single computer with Internet access. You also need to download Wireshark and have access to an appropriate communications package.

Details

This task details the use of Wireshark and HyperTerminal, allowing the generation and observation of specific network traffic with nothing more than an Internet connection. You should attempt to identify as many of the following protocols as possible:

Starting a Capture with Wireshark

The first thing to do when simulating traffic and subsequently capturing that traffic is to start the capture. Otherwise, the initial traffic can pass before you are able to start the capture. If you have a fairly busy environment, your simulated traffic might be preceded by quite a bit of real traffic that you will have to sift through. Using the filters discussed later in this task can help with the sifting.

Read through this section first to familiarize yourself with the process. Once you are comfortable with this process and the process for generating traffic, you will want to perform both in fairly rapid succession, starting with the capture.

1. Open Wireshark.

c04uf048.tif

2. Click the Capture Interfaces icon, as shown in the following graphic. You can also navigate to Capture Interfaces from the menu bar. You need to perform this step only when you first open Wireshark or when you want to change the interface for capturing traffic. For subsequent captures, the Capture Start button (two buttons to the right) can be used.

c04uf049.tif

3. In the Capture Interfaces dialog shown here, click the Start button for the active adapter where the traffic will be observed. The capture will start immediately.

c04uf050.tif

A sample capture screen is shown in the following screen shot.

c04uf051.tif

At some point, you will want to stop the capture and analyze the traffic you have captured.

4. Click the Capture Stop button, shown in the following graphic. You can also click Capture Stop from the menu bar or press Ctrl+E.

c04uf052.tif

Use the buttons shown in the next graphic to save the capture, close the capture (prompts to save unsaved captures), or reload the view of the current capture, respectively. Saving and closing can also be achieved from the File menu, and the View menu offers the Reload option. Keyboard shortcuts can be found in these menus as well.

c04uf053.tif

Simulating Traffic with HyperTerminal

The next thing you need to do is produce network traffic with known characteristics. This helps build your trust in and understanding of the Wireshark output. Again, read through this process before performing it. You will want to execute this procedure on the same computer, right after starting the Wireshark capture. The next procedure details putting this process together with the Wireshark process explained previously.

1. Open HyperTerminal. A slight adjustment to the following steps is required for other terminal emulation packages.

2. Name your connection and choose an icon in the Connection Description dialog before clicking OK.

c04uf054.tif

3. In the Connect To dialog, select TCP/IP (Winsock) from the Connect Using drop-down menu. Additionally, enter the URL for an Internet-accessible website in the Host Address field and one of the port numbers from the list at the beginning of the Details section in this task. Then click OK. The following graphic shows an example using POP3:

c04uf055.tif

Eventually, if the server does not have that application running, you receive a message to that effect.

c04uf056.tif

The message is not a cause for concern; the desired traffic has already been generated and captured by Wireshark.

4. Click OK to close the message.

Using Wireshark and HyperTerminal Together

Now it’s time to put the two preceding actions together to generate and capture the desired traffic. You’re going to start a capture in Wireshark for the active interface and then use HyperTerminal to generate known traffic to an Internet site. The following procedure features the use of POP3 traffic, but you could perform these steps initially for any protocol you wish to capture. The next section details how to change to another protocol for subsequent traffic generation and captures.

1. Open Wireshark and HyperTerminal, if not already open.

HyperTerminal will demand the most attention up front, so enter your site and protocol information in the Connect To dialog but don’t click OK yet. Again, this example uses port 110 for POP3.

2. Bring Wireshark to the front, identify the adapter on which to capture traffic, and then click the Start button.

3. Bring HyperTerminal back to the front and click OK in the Connect To dialog. Traffic is now flowing.

4. After 10 to 15 seconds, stop the capture in Wireshark. If you don’t see results similar to the following after scrolling back to packet 1 (the number in the first column), close the capture and start again with Step 2 but leave the capture running longer.

c04uf057.tif

Notice the pop3 destination port for the TCP segments in packets 5, 6, and 8.

Filtering Packets with Wireshark

If you’re interested in isolating certain packets from the rest, such as POP3 in this example, you can click the Expression button on the Filter bar after stopping the capture.

c04uf058.tif

In the Filter Expression dialog, scroll down to the transport protocol in use, TCP in this case, and expand it by clicking the plus sign beside it. Next, click the indented line labeled Destination Port. Click the == relation and then enter the port number for the application protocol whose packets you want to display; the TCP port number for POP3 is 110. Finally, click OK. Your Filter Expression dialog should look similar to the following screen shot. The dialog is only building the display filter string tcp.dstport == 110, which you can also type directly into the Filter bar.

c04uf059.tif

You have to click the Apply button on the Filter bar to filter out the unwanted packets, as shown here.

c04uf060.tif

Notice only packets destined for the POP3 application are shown in the output; packet numbers 5, 6, and 8, pointed out earlier in Step 4, retain their numbering. If you prefer to see the protocol and port numbers instead of having them resolved to their names, click Edit Preferences. Then, click Name Resolution in the left-hand frame. Finally, deselect the option Enable Transport Name Resolution, as shown here, and click OK.

c04uf061.tif

In order to reflect the change in the output, click the Reload button. The effect is shown in the following screen shot. Notice that the names in the Info column have been replaced with numbers.

c04uf062.tif

Adjusting for Subsequent Protocols

A minor adjustment in HyperTerminal allows you to change the protocol for which traffic is generated. Closing the capture file and then starting a new capture is all that is required in Wireshark. The following steps explain this process. Repeat this procedure until you have generated traffic for all the protocols you wish to capture.

1. In HyperTerminal, click File and then Properties, and change the Port Number field on the Connect To tab to a new value. The following steps show traffic for SNMP, which is based on UDP port 161. However, as noted earlier, using a communications package to generate traffic causes everything to go out over TCP. Don’t let that throw you. Here’s a screen shot of how your dialog might look.


2. Go ahead and click OK. The traffic does not begin to flow automatically. When changing the properties of a disconnected session, you must reconnect manually.

3. In Wireshark, click the Clear button on the Filter bar to remove the filter for the previous protocol.


4. Next, click the Close Capture button in Wireshark to clear the previous capture, as shown in the following screen shot. Feel free to save the previous capture when prompted, but there is no reason to do so for this task.


5. Start a new capture by clicking the icon shown in the following image, or by clicking Capture and then Start, and then move quickly to the next step.


6. Bring HyperTerminal back to the front and click the call icon, as shown here. Doing so begins the traffic flow.


7. Bring Wireshark back to the front and stop the capture whenever you are satisfied your generated packets have been captured.

Criteria for Completion

You have completed this task when you have conducted all the captures you wish to see, preferably no fewer than those listed in this task.

as a guide.

Accessing the Taskbar And Start Menu Properties dialog


In this composite illustration, you see two locations where you can right-click and then click Properties to enter the Taskbar And Start Menu Properties dialog, either in an unaffiliated portion of the Start menu—on the left in the illustration—or on an unaffiliated portion of the Taskbar—on the right in the illustration. Additionally, right-clicking directly on the Start button and choosing Properties gets you the same results.

4. Choose one of these methods and enter the Taskbar And Start Menu Properties dialog.

5. Click the Start Menu tab to display the Start Menu page, shown next.


6. Click the Customize button.

7. In Windows XP, click the Advanced tab to display the Advanced page (Vista and 7 place you in the correct view of a dialog with no tabs) and scroll down to the bottom in the Start Menu Items portion of the page, shown next in XP/2003.


8. Under the System Administrative Tools item in the list, fill in the first or second radio button but not the third, Don’t Display This Item.

9. Click the OK button to return to the Taskbar And Start Menu Properties dialog.

10. Click the OK button to close the Taskbar And Start Menu Properties dialog.

11. Now, confirm that Administrative Tools appears in the Start menu under All Programs.

Running and Using Event Viewer

Now that you have your favorite method lined up for accessing the tools, it’s time to investigate the use of one of them, Event Viewer.

1. In Administrative Tools, find and double-click Event Viewer. This produces a window similar to the following, which is taken from a server running Microsoft Windows Server 2003.


2. Spend a moment browsing the logs shown by clicking the items in the left pane of Event Viewer. In Windows Vista/Server 2008 and Windows 7/Server 2008 R2, you must expand the Windows Logs group in the left pane to complete this step.

3. Right-click the item labeled Security in the left pane and click Clear All Events (Clear Logs in Vista and higher).


Feel free to perform Step 3 whenever you want to see the effects of one of the following steps more clearly. The screen captures of the Event Viewer in this task are taken after performing this step.

4. Assuming you have an event 517 (1102 in Windows 7) success audit, caused by clearing the log, double-click this entry in the right pane. This brings up the Event Properties dialog (shown in the following image), which adds detail to the abstract entry in the Event Viewer’s right-hand pane. Note that the first line of the description states that the audit log was cleared.


If you scroll to the bottom of the Event Properties dialog in XP/2003, you will find a link to the Help And Support Center, which can use your Internet access to show detailed help for your event. In Vista, 7, and their server counterparts, there is a link to Event Log Online Help that uses your Internet access to pull up a related Microsoft TechNet page, if one exists.

5. Leave Event Viewer open and minimize all open windows.

Using Other Tools to Debug Events

Various tools and utilities exist for organizing the logged information found in Event Viewer, which can grow quite unwieldy very quickly. One such tool, Event Comb, is provided free by Microsoft and is included in the Windows Server 2003 resource kit tools.

A tool that provides ready detail for sometimes confusing event descriptions can be found at . Subscribers can launch additional information sources directly from this site. The following screen shot illustrates the gist of looking up the 517 event ID on this website. Note that many sections are omitted from this output because an ID of 517 appears in more logs than just the security log, each with a different meaning.


Auditing Success

Now that Event Viewer is handy, this section guides you through a controlled environment for generating success entries in the log.

1. Create a folder on the Desktop called Audit Me. Then right-click the folder and choose Properties from the context menu to open the Properties tabs for your folder.


2. Click the Security tab to display the Security properties.


3. Click the Advanced button to bring up the Advanced Security Settings tabs for your folder, and then click the Auditing tab for the folder. In Windows Vista and higher with UAC turned on, you will need to click the Continue button to authorize displaying the Auditing tab.


4. Click the Add button to display the Select User Or Group dialog and type Everyone, for the group of the same name, in the text box. Click the OK button.


5. In the Auditing Entry dialog for the Everyone group, check the boxes as shown in the following image to turn on auditing for success and failure in accessing and changing the Audit Me folder and its contents. Click OK to return to the Auditing page of the Advanced Security Settings dialog.


6. Click the OK button on the Auditing page of the Advanced Security Settings tabs, which might bring up a security warning indicating that auditing has yet to be enabled on the system. In Vista and higher, you might not receive such a warning. You should always complete Step 7 unless you are sure that object access auditing is turned on.

7. Open Local Security Settings (Local Security Policy in Vista and higher) in Administrative Tools. Expand Local Policies and click Audit Policy to display a window similar to the following.


An alternative way to get to the Security Settings branch of the Local Security Settings applet is through the Microsoft Management Console (MMC). Add the snap-in called Local Computer Policy and navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings.

8. If possible, double-click each item in the right pane and remove the check marks from both check boxes.

9. Double-click the item in the right pane labeled Audit Object Access and check the boxes for both Success and Failure. Click OK to return to Local Security Settings.

10. Close Local Security Settings and return to where you created the Audit Me folder on the Desktop. Open the Audit Me folder.

11. Remember that you can clear the security event log if you want a clean start. Create a folder under Audit Me called Audit Junior.

12. Open Event Viewer and click Application in the left pane and then click Security. This is the best way to refresh the log if the security log view was left open. The refresh function adds unnecessary entries to the log. You now see entries created by the audit you configured for the Audit Me folder similar to the following display:


13. Assuming the items in your list are ordered by date and time, scroll down toward the bottom and the oldest entry. Double-click the oldest entry related to your folder creation and click the up arrow button in the Event Properties dialog until you find the event that shows New Folder in the Object Name field, as shown here.


This entry was logged when you created the new folder and it was registered under the name New Folder, which happens as soon as the folder is created, even though the name appears to be temporary because it is highlighted as editable.

14. Click the up arrow button on the Event Properties dialog until you find the next event that shows New Folder in the Object Name field, but notice when you scroll the description down, you eventually see DELETE in the Accesses field, similar to the following:


This entry was logged the split second before the folder’s new name took effect. The old name, New Folder, has to be expunged before the new name can take its place, hence the deletion event for New Folder.

15. Click the up arrow button again until you find the event that shows Audit Junior in the Object Name field. This entry was logged after you entered the new name for the folder. This completes the major steps in the audit for creating a folder. Creating a file produces similar audits.

Auditing Failure

This section shows you how to create a scenario that allows you to observe the Event Viewer entries made by attempted access to or control over an object without proper permissions.

1. Right-click the icon on your Desktop for the Audit Me folder and click Properties to bring up the Properties dialogs for Audit Me.

2. Click the Security tab.

3. Click the Advanced button to bring up the Advanced Security Settings dialogs.

4. On the Permissions tab, clear the check mark from the Inherit From Parent box. In Windows Vista and higher, you must first click the Edit button to unlock this check box. This opens a dialog that asks if you want to copy the current settings (the Copy button) or start from scratch (the Remove button).


5. Click the Copy button so you can build from what your account already has.

6. As shown for David Elliot in the following screen shot, deny the permission to create folders and to delete anything. Click the OK button.


7. Click OK on the security warning drawing your attention to the possible unintentional lockout that denials of access might generate. You do not need to worry about that here.

8. Click the OK button on the Security tab of the Audit Me Properties dialog.

9. Attempt to create a folder in the Audit Me folder. You are met with the following error message. Click OK.


10. Go back to Event Viewer and click away from and back to the security section and notice the failure notifications caused by your attempt. The following screen shot illustrates how these events look in Event Viewer. Feel free to look at these more closely.


11. Note that the following dialog shows New Folder in the Object Name field, indicating the failure event was created after the default name was applied to the folder that you thought was never created.


12. Now, try to delete the Audit Junior folder. You see the following error. Click the OK button.


13. In Event Viewer, find the failure entry that, when opened, specifies Audit Junior in the Object Name field and DELETE in the Accesses field.
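The Auditing Success and Auditing Failure scenarios above, carried out from PowerShell instead of the Explorer and Event Viewer dialogs, as an added example that is not part of the lab manual. It assumes an elevated PowerShell prompt on Vista/7 or later; the Audit Me and Audit Junior names are the lab's own, and the Get-AuditMeEvents helper is a hypothetical stand-in for paging through Event Properties by hand.

```powershell
# Added example, not the lab manual's own steps: the Audit Me success and failure
# audits done from PowerShell instead of the GUI. Assumes an elevated prompt on
# Vista/7 or later (auditpol and Get-WinEvent are not on XP/2003) and the Vista+
# object-access event IDs 4656 and 4663 (XP/2003 number these events differently).
$root = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Audit Me'
New-Item -ItemType Directory -Path $root -Force | Out-Null
# Auditing Success, steps 7-9: Object Access auditing for both Success and Failure.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null
# Steps 4-5: SACL entry for Everyone on the folder, its subfolders and its files.
$acl = Get-Acl -Path $root -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'CreateDirectories, CreateFiles, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')))
Set-Acl -Path $root -AclObject $acl

# Replaces steps 12-15: object-access events for this folder, oldest first, with the
# Object Name and Accesses fields the manual has you hunt for in Event Properties.
function Get-AuditMeEvents {
    $pat = 'Object Name:\s+(?<obj>' + [regex]::Escape($root) + '[^\r\n]*)'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4656, 4663) } -MaxEvents 500 |
      ForEach-Object {
        if ($_.Message -match $pat) {
            $obj = $Matches['obj'].Trim()
            $acc = if ($_.Message -match 'Accesses:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                               Result = ($_.KeywordsDisplayNames -join ',')  # Audit Success / Audit Failure
                               Accesses = $acc; Object = $obj }
        }
      } | Sort-Object Time
}
# Step 11 as Explorer does it: the folder is born as New Folder and then renamed, so the
# log shows the create, the DELETE of New Folder, and the new name Audit Junior in turn.
New-Item -ItemType Directory -Path (Join-Path $root 'New Folder') | Out-Null
Rename-Item -Path (Join-Path $root 'New Folder') -NewName 'Audit Junior'

# Auditing Failure, steps 4-8: deny this account the rights to create folders and delete.
# A Deny ACE added here works whether or not inheritance was broken as in the manual.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$dacl = Get-Acl -Path $root
$dacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'CreateDirectories, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Deny')))
Set-Acl -Path $root -AclObject $dacl
# Steps 9 and 12: both attempts are refused, and each refusal becomes an Audit Failure entry.
try { New-Item -ItemType Directory -Path (Join-Path $root 'Blocked') -ErrorAction Stop | Out-Null }
catch { "Create refused: $($_.Exception.Message)" }
try { Remove-Item -Path (Join-Path $root 'Audit Junior') -ErrorAction Stop }
catch { "Delete refused: $($_.Exception.Message)" }
Get-AuditMeEvents | Format-Table Time, Id, Result, Accesses, Object -AutoSize
```

The final table lists the same sequence the manual has you find by clicking the up arrow: the create and DELETE of New Folder, the Audit Junior entry, and then the two Audit Failure rows from the refused create and delete.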

Criteria for Completion

You have completed this task when you have configured auditing globally and on an object, opened Event Viewer, and manipulated the object to generate controlled Event Viewer entries.
