The following labs will help you become familiar with application layer protocols used on the internet and give you a little insight into how they operate. One of the most common tasks you will be asked to perform as a networking engineer is troubleshooting a broken network. Here are a few small exercises to get you familiar with the troubleshooting process. It is important that you follow a methodical approach to troubleshooting network problems and document as you go, so that your methods can be repeated and checked by others. Ensure you check the obvious things first. Many network problems occur at the physical layer, so check cables, connectivity and hardware before worrying about higher level protocols.

Ping tests. It don't mean a thing if you don't get that ping.

The TCP/IP suite consists of many protocols that perform various network tasks. One of these is ICMP, the Internet Control Message Protocol. ICMP carries diagnostic messages and error reports back to hosts, such as "host unreachable" or "port unreachable" (the latter is what an application sees as "connection refused" on a UDP socket). One of the messages that can be sent to a host is the ICMP echo request. If the host is not behind a firewall and the functionality has not been disabled, it should return an echo reply to the sending host. The utility that performs this test is called ping, by analogy with the pulse sent out and returned in sonar. Most operating systems that provide a TCP/IP stack provide some version of the ping command: it exists under Windows, Mac OS, Linux, Cisco IOS and many other platforms. The following assumes you are running Microsoft Windows; output and options differ under other operating systems (for example, Windows ping sends four requests and stops, whereas Linux ping keeps sending until you press Ctrl-C).

Open a command prompt (Start -> Run -> cmd) and try pinging each of the following destinations. To do this type ping followed by the hostname or IP address and press Enter:

ping 127.0.0.1
ping www.google.com.au
ping www.microsoft.com

What results do you receive? How many packets were sent? How many received?
What was the average round trip time? What might these numbers be useful for? Microsoft's servers don't respond to pings, hence the lack of response from www.microsoft.com. Why would this be? In its default configuration Windows XP Service Pack 2 does not respond to pings either. Why is this? (Hint: think about what Service Pack 2 switched on by default.) Ping has other options that can be useful to the experienced administrator. To see what these options are execute the following:

ping -?

If possible, disconnect your network cable and execute one of the above pings, such as

ping www.google.com.au

What is the result?

You will notice that one of the fields in the ping response is the TTL. TTL stands for time to live. Each packet starts off with a TTL value of, say, 64 or 128, and each time the packet passes through a router the TTL is usually decremented by 1; a packet whose TTL reaches 0 is discarded, and the router that discards it reports the fact with an ICMP "time exceeded" message. We say usually because not all TCP/IP stacks behave the same way: the initial value differs between operating systems (64, 128 and 255 are all common defaults), and some devices do not decrement the value or rewrite it altogether, which is why a hop count guessed from the TTL in a reply is only an estimate. Pinging a host is useful to test whether that host is reachable, but there are other tests we can perform.

Traceroute: Traceroute shows the route taken by packets from a source host to a destination host. It sends probes with increasing TTL values (1, 2, 3, ...) and looks for the ICMP time exceeded message that each router returns when it discards a probe; this reveals the address of each router along the path and the round trip time to it. The classic Unix traceroute sends its probes to a hopefully unused UDP port, so the final hop answers with an ICMP port unreachable message; Windows tracert sends ICMP echo requests instead, so the final hop answers with an echo reply. Under Windows try executing the following:

tracert www.google.com.au

How many hops were shown? If the command is repeated, is the same information shown? Given that traceroute depends on ICMP messages coming back, are there situations in which this command would fail (for example a router that filters ICMP, or one that does not send time exceeded)?

What's in a name? As you would know from your notes, machines that use TCP/IP usually need to map names to IP addresses for human consumption and also perform the mapping the other way. Whilst reading Iain's document on DNS, try some of the following. Open a command prompt under Windows. If using a different operating system modify the commands as necessary.
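The ping and traceroute mechanics described above, as an added example that is not part of this lab handout. Real ping needs a raw socket and administrator rights, so this builds the ICMP echo bytes and checks their checksum, estimates a hop count from a reply TTL, and runs the traceroute algorithm against a made-up path of routers (the addresses come from the documentation ranges and are not real hosts; the hop list, the "silent" router and the 64/128/255 assumption are all constructed for the example).

```python
"""Added example for the ping and traceroute section; not part of the lab
handout.  Builds ICMP echo packets, verifies the RFC 1071 checksum, guesses
hops from a reply TTL and simulates traceroute over made-up routers."""
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes = b"abcdefghijklmnop",
               icmp_type: int = ECHO_REQUEST) -> bytes:
    """ICMP echo: type, code 0, checksum, identifier, sequence, then data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)    # computed with checksum field = 0
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message; a packet with a valid checksum sums to zero."""
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0, "payload": packet[8:]}


def estimate_hops(reply_ttl: int) -> int:
    """Routers crossed, assuming the sender started from 64, 128 or 255 (the
    usual defaults); a stack that uses another start value breaks this guess."""
    for initial in (64, 128, 255):
        if reply_ttl <= initial:
            return initial - reply_ttl
    raise ValueError("TTL cannot exceed 255")


# Constructed path: three routers in front of the target host (all made up).
ROUTERS = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
TARGET = "203.0.113.50"


def send_probe(ttl: int, silent: frozenset = frozenset()) -> tuple:
    """Forward one probe hop by hop.  Each router decrements the TTL; the one
    that takes it to 0 discards the probe and sends Time Exceeded, unless it is
    configured not to answer (the prober then sees nothing).  The target host
    does not forward, so it answers whatever TTL reaches it."""
    for router in ROUTERS:
        ttl -= 1
        if ttl == 0:
            return (None, None) if router in silent else (router, TIME_EXCEEDED)
    return TARGET, ECHO_REPLY                 # tracert-style probe: echo reply


def traceroute(max_hops: int = 30, silent: frozenset = frozenset()) -> list:
    """Probe with TTL 1, 2, 3 ... until the target itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, kind = send_probe(ttl, silent)
        if responder is None:
            hops.append((ttl, "*", "no reply"))     # what tracert prints as * * *
            continue
        hops.append((ttl, responder,
                     "time exceeded" if kind == TIME_EXCEEDED else "echo reply"))
        if responder == TARGET:
            break
    return hops


if __name__ == "__main__":
    print(parse_icmp(build_echo(ident=0x1234, seq=1)))
    print("reply TTL 52 ->", estimate_hops(52), "hops")
    for hop in traceroute():
        print(*hop)
    for hop in traceroute(silent=frozenset({"198.51.100.1"})):
        print(*hop)
```

The second traceroute run shows the failure mode asked about above: a router that drops or never sends time exceeded appears as a "*" line, but later hops still answer because the probe with a larger TTL is forwarded normally.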
nslookup works under Windows and Linux, provided the correct packages are installed. Run nslookup from the command prompt. nslookup is an interactive utility that accepts commands and gives responses; help is a valid command and is worth taking a look at. As explained in the DNS document on the website, DNS is a hierarchical system. Here is an example. Ensure you have read the DNS document or the following won't make sense.

Once you are at the greater-than prompt, try looking up the A record for www.gotss.net: key in the hostname www.gotss.net and hit the Return key. What was the result? A records map names to IP addresses. nslookup can also look up other information about domains.

As you will recall from Iain's notes, DNS looks information up in stages. For example, when looking up www.gotss.net a resolver does the following:

1. It looks up the name servers for the .net domain. It knows how to do this because it is preloaded with hints about who the root name servers are.
2. It asks one of the .net name servers who is authoritative for gotss.net.
3. It then asks one of those name servers what the A record for www.gotss.net is.

Although addresses are not usually written with a trailing dot, the dot refers to the root of the tree, which is served by the root name servers. When your resolver starts up it is preloaded with information about the root name servers, or it is configured to talk to another name server that knows about them. You can see some of this information yourself by doing the following in nslookup:

set querytype=ns
net.

This should show you a list of name servers that know about the .net domain. You could then execute

server name.from.list.above

(replace with one of the name servers given) and this will change the default name server. You could then ask that server who is authoritative for gotss.net by typing gotss.net at the prompt. Walking down the tree one server at a time like this is a series of iterative queries, which is exactly what a resolver does on your behalf; when you simply hand the whole question to your configured name server and let it do the walking, that is a recursive query. As it stands you can simply put the following in to find out which name servers are involved:

.net.
gotss.net

To look up the www record you'd have to set the query type back to A, or to ANY:

set querytype=a
set querytype=any

You will have noticed that some of the responses are labelled "Non-authoritative answer:". This means that the server you asked answered from its cache rather than from a zone it is authoritative for; for an absolutely accurate response (or as accurate as DNS ever is, given caching and record TTLs) ask the authoritative server directly. Note that on Linux, BIND version 9 marked nslookup as deprecated and recommended the dig and host commands instead (later BIND releases kept nslookup, but dig remains the more capable tool). These commands take their arguments on the command line and can return the same information as nslookup, for example dig ns net. or dig soa gotss.net.

Another record worth looking at is the SOA record. This is the start of authority record for a zone: it names the primary name server and the administrator's mailbox and carries the serial number and timers that secondary servers use to decide when to refresh their copy. View it with:

set querytype=soa
gotss.net

A discussion of DNS is beyond the scope of this course; however you can see that by using nslookup and similar utilities you can debug many aspects of DNS resolution.

It is important to realise that applications talk to the application layer, which then talks to the lower layers of the OSI reference model. This is best illustrated if we take a look under the hood at how HTTP works. When you open a web browser and type an address into the address bar, the browser converts the name to an IP address using DNS, opens a TCP connection to port 80 on the remote server and sends a GET request. We can do this by hand using either telnet or Tera Term Pro. Open a telnet connection to, say, www.google.com and change the port from the default of 23 (telnet) to 80 (HTTP); from a command prompt the equivalent is telnet www.google.com 80. Once the connection is open type the following into the window and then press Enter twice, because the blank line is what tells the server the request headers are finished:

GET /index.html HTTP/1.0

The method and the version string are case-sensitive and must be written exactly as shown (with HTTP/1.1 a Host: header would also be required). You should see a status line containing a status code, some headers and the HTML content of the page. Usually after this has occurred the server closes the connection. HTTP 1.1 allows you to keep a connection open for multiple requests.

tcpdump and other packet capturing tools: As a network administrator it is often necessary for you to look at the traffic travelling on a network.
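The staged lookup described in the name-resolution section above, as an added example that is not part of the lab handout or of Iain's notes. It models the walk a resolver performs for www.gotss.net (root hints, a referral from a root server to the .net servers, a referral from those to the gotss.net servers, then the answer) and the difference between an authoritative answer and a cached, non-authoritative one. Only the name gotss.net comes from the lab text; the server names, addresses (documentation ranges) and records are invented, and each "server" is a dictionary so the walk runs offline instead of over UDP port 53.

```python
"""Added example for the DNS section; not part of the handout.  Simulates
iterative resolution from the root hints, with referrals, glue, a cache and
the authoritative-answer flag that nslookup reports on."""

# Each simulated server is authoritative for one zone.  NS entries for child
# zones are delegations; "glue" gives the addresses of the delegated servers.
ROOT_HINT = "192.0.2.10"                      # made-up root server address
SERVERS = {
    "192.0.2.10": {"zone": ".", "NS": {"net.": ["a.gtld-servers.net."]},
                   "glue": {"a.gtld-servers.net.": "192.0.2.20"}},
    "192.0.2.20": {"zone": "net.",
                   "NS": {"net.": ["a.gtld-servers.net."],
                          "gotss.net.": ["ns1.gotss.net."]},
                   "glue": {"ns1.gotss.net.": "198.51.100.5"}},
    "198.51.100.5": {"zone": "gotss.net.",
                     "NS": {"gotss.net.": ["ns1.gotss.net."]},
                     "A": {"www.gotss.net.": ["203.0.113.80"],
                           "ns1.gotss.net.": ["198.51.100.5"]},
                     "SOA": {"gotss.net.": ["ns1.gotss.net. hostmaster.gotss.net. "
                                           "2024010101 3600 900 604800 300"]},
                     "glue": {}},
}


def in_zone(name: str, zone: str) -> bool:
    """Label-aware suffix test, so 'cnet.' is not treated as inside 'net.'."""
    return name == zone or name.endswith("." + zone)


def ask(server_ip: str, qname: str, qtype: str):
    """One question to one server.  Returns (aa, answers, referral) the way a
    DNS response does: aa means the server answered from its own zone; a
    referral lists the child zone's name servers with any glue addresses."""
    srv = SERVERS[server_ip]
    for child in sorted(srv["NS"], key=len, reverse=True):   # longest match
        if child != srv["zone"] and in_zone(qname, child):   # delegated away
            return False, [], [(ns, srv["glue"].get(ns)) for ns in srv["NS"][child]]
    return True, srv.get(qtype, {}).get(qname, []), None      # [] = NODATA


def resolve(qname: str, qtype: str, cache: dict, trace: list):
    """Iterative resolution from the root hint, as a recursive resolver does
    for its clients.  Answers are cached, and a cache hit is handed back with
    aa=False, which is what nslookup shows as "Non-authoritative answer:"."""
    key = (qname, qtype)
    if key in cache:
        trace.append(f"cache: {qname} {qtype} -> {cache[key]}")
        return False, cache[key]
    server = ROOT_HINT
    while True:
        aa, answers, referral = ask(server, qname, qtype)
        if aa:
            trace.append(f"{server}: authoritative answer {answers}")
            if answers:
                cache[key] = answers
            return True, answers
        ns_name, glue = referral[0]
        trace.append(f"{server}: referral to {ns_name} ({glue or 'no glue'})")
        # Without glue the NS name itself has to be resolved first; a zone
        # whose only NS lives inside itself and has no glue is unreachable.
        server = glue or resolve(ns_name, "A", cache, trace)[1][0]


if __name__ == "__main__":
    cache, trace = {}, []
    print(resolve("www.gotss.net.", "A", cache, trace))    # walk the tree
    print(resolve("www.gotss.net.", "A", cache, trace))    # now from cache
    print(resolve("gotss.net.", "SOA", cache, trace))
    print(*trace, sep="\n")
```

Querying "net." for NS, or "gotss.net." for NS, mirrors the set querytype=ns steps above: the parent only hands out a referral, and the authoritative NS answer comes from a server for the zone itself.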
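The HTTP exchange typed into telnet above, done in code as an added example that is not part of the lab handout. It builds the request bytes exactly as they go on the wire (including the blank line that ends the headers), parses a reply into status line, headers and body, and decides whether the connection may be reused, which is the HTTP/1.0 versus HTTP/1.1 difference mentioned above. The sample response is constructed for the example, not captured from www.google.com; the fetch() function performs the real exchange over a TCP socket and is only useful with network access.

```python
"""Added example for the HTTP-by-hand section; not part of the handout.
Builds a GET request, parses a response and applies the HTTP/1.0 vs 1.1
connection rules.  SAMPLE_RESPONSE is constructed, not a real capture."""
import socket

CRLF = "\r\n"


def build_request(host: str, path: str = "/index.html", version: str = "1.0") -> bytes:
    """GET request as sent on the wire.  The blank line after the headers is
    what tells the server the request is complete.  HTTP/1.1 requires Host:,
    HTTP/1.0 does not, but sending it is harmless and helps virtual hosting."""
    lines = [f"GET {path} HTTP/{version}", f"Host: {host}"]
    if version == "1.1":
        lines.append("Connection: close")      # ask a 1.1 server to hang up after one reply
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split a response into status line, header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split(CRLF)
    parts = status_line.split(" ", 2) + [""]   # reason phrase may be empty
    version, code, reason = parts[0], int(parts[1]), parts[2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    length = headers.get("content-length")
    if length is not None:
        body = body[:int(length)]              # anything beyond belongs to the next response
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


def keeps_connection(resp: dict) -> bool:
    """HTTP/1.0 closes after each response unless both sides agree to keep it
    open; HTTP/1.1 stays open unless Connection: close is sent."""
    conn = resp["headers"].get("connection", "").lower()
    if resp["version"] == "HTTP/1.1":
        return conn != "close"
    return conn == "keep-alive"


def fetch(host: str, port: int = 80, path: str = "/index.html") -> dict:
    """The telnet exercise in code: connect, send the request, read until the
    server closes the connection (HTTP/1.0 behaviour), then parse."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed sample reply, shaped like what a 1.0 server returns.
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 29\r\nServer: example\r\n\r\n"
                   b"<html><body>hi</body></html>\n")

if __name__ == "__main__":
    print(build_request("www.google.com").decode())
    r = parse_response(SAMPLE_RESPONSE)
    print(r["status"], r["reason"], r["headers"], r["body"], keeps_connection(r))
```

Reading until the peer closes is only correct for HTTP/1.0 or when Connection: close was requested; on a persistent HTTP/1.1 connection the client must stop after Content-Length bytes (or decode chunked transfer encoding), which is why the 1.1 request above asks for close.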
You can use tools such as tcpdump to look at packets on the wire. Note that if your machines are connected through a switch and you haven't made arrangements to the contrary, you will only see broadcasts, packets to your machine and packets from your machine to other machines, because a switch forwards a unicast frame only to the port where it learned the destination address. If you want to see other traffic you may need to tell your managed switch to mirror the traffic of the other ports to the monitoring port (a SPAN or port-mirroring session). If you don't have a managed switch you may want to hook the machines being monitored up to a hub, which repeats every frame to every port. Capturing also requires root (or administrator) privileges, since it puts the interface into promiscuous mode.

You can use tcpdump to monitor packets on an interface, such as ping requests. In one window start tcpdump, then in a second window ping a remote machine:

tcpdump icmp
ping name.of.remote.machine

(tcpdump -n icmp avoids the reverse DNS lookups that otherwise slow the output down; you may also need -i to select the interface, and -v shows the TTL.) You should see an echo request followed by an echo reply. How many pairs do you see? What other information is shown in the packets (addresses, identifier and sequence numbers, length)?

Further reading:
http://www.jmarshall.com/easy/http/
http://usertools.plus.net/tutorials/id/21
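The capture exercise above, as an added example that is not part of the lab handout: it decodes Ethernet/IPv4/ICMP frames into the one-line summaries that tcpdump icmp prints, pairs each echo request with its reply the way ping does (by identifier and sequence number), and shows which frames a host sees depending on whether it sits on a switch port, a hub or a mirror (SPAN) port. The capture is constructed here (documentation-range addresses, made-up MACs), and the IP and ICMP checksum fields are left at zero to keep the frame builder short, which real tcpdump would report as bad checksums.

```python
"""Added example for the packet-capture section; not part of the handout.
Decodes constructed Ethernet/IPv4/ICMP frames tcpdump-style, pairs echo
requests with replies and models switch vs hub/SPAN visibility."""
import struct

ETHERTYPE_IPV4, PROTO_ICMP = 0x0800, 1
ECHO_REPLY, ECHO_REQUEST = 0, 8
BROADCAST = b"\xff" * 6


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq, ttl=64):
    """Ethernet II + minimal IPv4 header + ICMP echo with 8 data bytes.
    Checksums are left 0 here (a real sender fills in RFC 1071 sums)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl,
                     PROTO_ICMP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def decode(frame: bytes):
    """Fields tcpdump shows for an ICMP echo; None if the frame is not one."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    dst_mac, src_mac = fmt(frame[:6]), fmt(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                                   # e.g. ARP, IPv6
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IP header length, bytes
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if proto != PROTO_ICMP:
        return None                                   # filtered out by "icmp"
    src_ip, dst_ip = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src": src_ip, "dst": dst_ip,
            "ttl": ttl, "type": icmp_type, "id": ident, "seq": seq,
            "length": total_len - ihl}                # tcpdump's length: ICMP part


def summary(pkt: dict) -> str:
    """One line in the style tcpdump uses for ICMP echo packets."""
    kind = {ECHO_REQUEST: "echo request", ECHO_REPLY: "echo reply"}.get(
        pkt["type"], f"type {pkt['type']}")
    return (f"IP {pkt['src']} > {pkt['dst']}: ICMP {kind}, id {pkt['id']}, "
            f"seq {pkt['seq']}, length {pkt['length']}")


def pair_echoes(frames: list) -> list:
    """Match each request to its reply by endpoints, id and seq, as ping does;
    a request with no reply pairs with None (a lost packet or filtered host)."""
    pkts = [d for d in map(decode, frames) if d]
    replies = {(p["dst"], p["src"], p["id"], p["seq"]): p
               for p in pkts if p["type"] == ECHO_REPLY}
    return [(p, replies.get((p["src"], p["dst"], p["id"], p["seq"])))
            for p in pkts if p["type"] == ECHO_REQUEST]


def visible_to(frames: list, my_mac: str, attachment: str) -> list:
    """Frames the NIC with my_mac receives.  A switch delivers only frames
    addressed to it, sent by it or broadcast; a hub or SPAN port delivers all."""
    if attachment in ("hub", "span"):
        return list(frames)
    me = _mac(my_mac)
    return [f for f in frames if f[:6] in (me, BROADCAST) or f[6:12] == me]


# Constructed capture: A pings B twice and B answers once; C pings D.
A, B, C, D = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
              "02:00:00:00:00:0c", "02:00:00:00:00:0d")
CAPTURE = [
    build_frame(A, B, "192.0.2.10", "192.0.2.20", ECHO_REQUEST, 0x0300, 1),
    build_frame(B, A, "192.0.2.20", "192.0.2.10", ECHO_REPLY, 0x0300, 1, ttl=128),
    build_frame(A, B, "192.0.2.10", "192.0.2.20", ECHO_REQUEST, 0x0300, 2),
    build_frame(C, D, "192.0.2.30", "192.0.2.40", ECHO_REQUEST, 0x0400, 1),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(summary(decode(f)))
    for req, rep in pair_echoes(CAPTURE):
        print("seq", req["seq"], "reply" if rep else "no reply")
    print("A on a switch sees", len(visible_to(CAPTURE, A, "switch")), "frames")
    print("C on a switch sees", len(visible_to(CAPTURE, C, "switch")), "frames")
    print("on a hub everyone sees", len(visible_to(CAPTURE, A, "hub")), "frames")
```

The visibility function is the point of the switch-versus-hub remark above: host A's capture contains three frames, host C's only its own request, and a fifth machine plugged into the same switch would capture nothing from this exchange at all unless its port is a mirror port.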