Network Troubleshooting Flashcards

1
Q

Explain ping.

A

Packet InterNet Groper (ping) is a CLI tool used to check the reachability of a host by sending an ICMP ECHO_REQUEST packet to the target host and waiting to see if the host responds.

The program reports errors, packet loss and round-trip time (RTT).

2
Q

What protocol does ping use?

A

Internet Control Message Protocol (ICMP)

3
Q

What could it mean if ping isn’t working?

A

It could mean one of the following:

  1. The host is dead.
  2. There are connection problems in the hardware.
  3. A firewall in front of the target host has blocked ICMP echo requests.
  4. DNS is not working (in this case, the numeric IP address should be used when pinging).
4
Q

What is the default interval between sending each packet during ping in Linux? How can we change it?

A

Default interval: 1 second

To change the interval (here to 3 seconds): ping -i 3 www.example.com

5
Q

How can ping be made to stop sending packets after a particular count?

A

Windows: ping -n 5 www.example.com

Linux: ping -c 5 www.example.com

6
Q

Which ping switch is used to ping a host until externally stopped?

A

Windows: ping -t www.example.com

7
Q

Which ping switch in Linux is used to check the response of the network under high-load conditions?

A

ping -f www.example.com

  • Floods the host with ping requests.
  • Only root can use this option.
8
Q

How does ping work?

A
  1. If a host name is given, a DNS lookup is performed to fetch the IP address. If an IP address is provided, this step is skipped.
  2. At the network layer, ICMP packets are created containing the source IP address, destination IP address, data and protocol field.
  3. ARP is used to identify the MAC address of the destination host. ARP first checks its cache for this address; if it is not present, it broadcasts the destination’s IP address on the subnet to check whether the address belongs to the same subnet.
  4. If no response is received, it is assumed that the destination is on a remote subnet and the request needs to be routed via the default gateway. The default gateway’s IP address is stored in the Windows machine’s registry.
  5. Once the default gateway’s MAC address is found using ARP, the ICMP packet is sent to the data link layer, which encapsulates the packet with the source MAC address, destination MAC address and an FCS (Frame Check Sequence).
  6. The frame is then passed down to the physical layer, where one bit is placed on the wire at a time. It is received by every host on the remote subnet, each of which discards the frame if the destination MAC address does not match its own.
9
Q

What is traceroute?

A

It shows the sequence of gateways through which IP packets travel to reach the destination.

The command is

“traceroute hostname”

where hostname can be a DNS name or an IP address.

10
Q

Which command should be run if we do not want tracert to resolve the intermediate IP addresses?

A

tracert -d google.com

11
Q

What protocol does traceroute use?

A

Internet Control Message Protocol (ICMP)

12
Q

What is the meaning of * in place of one of the RTTs?

A

No response was received from the router.

13
Q

What is the meaning of * in all the time fields for a given gateway?

A

No ICMP Time Exceeded error message was received from that particular gateway.

14
Q

How does traceroute work?

A
  1. An ICMP/UDP packet is prepared and sent to the first router with a time to live (TTL) value of 1. The clock starts measuring time in ms.
  2. When the first router receives the packet, it reduces the TTL value by 1, making it zero. When the TTL value becomes zero, the packet is dropped and an ICMP Time Exceeded error message is sent back to the source host. The clock pauses, notes the time taken and displays it as the delay in ms.
  3. The sender’s IP address in the header of the ICMP Time Exceeded error message identifies the gateway, and using a DNS lookup the gateway’s hostname is displayed.
  4. The next set of packets is given a TTL value of 2, so the first router forwards the packet (decrementing TTL by 1) but the second router drops the packet (decrementing TTL by 1 and making it zero) and sends back an ICMP Time Exceeded error message.
  5. This process continues until the destination is reached and an ICMP Echo Reply message is sent back to the source.
15
Q

What is asymmetric routing?

A

When packets take one path to travel from source to destination and another path to travel from destination to source, the configuration is called asymmetric routing.

16
Q

What does the !N notation mean in traceroute RTT?

A

Network unreachable error

17
Q

What does the !H notation mean in traceroute RTT?

A

Host unreachable error

18
Q

What does the !P notation mean in traceroute RTT?

A

Protocol unreachable error

19
Q

What is the MTR program?

A

My TraceRoute (MTR) is a program which combines the functions of traceroute and ping in one network diagnostic tool, presented like Unix/Linux’s top.

20
Q

What is netstat and what does it do?

A

Network Statistics (netstat) is a CLI tool that displays network connections, the routing table, network interfaces and protocol statistics.

It is used for finding problems in the network and for determining the amount of traffic on a network for performance measurement.

21
Q

What does the state LISTEN in netstat mean?

A

It shows the processes that are listening on the network for incoming connections.

We can use netstat -l (lowercase L) to see only listening ports.

22
Q

What does the state ESTABLISHED in netstat mean?

A

It means that the connection is currently active.

We can use netstat -a to see all connections.

23
Q

What does the state TIME_WAIT in netstat mean?

A

It shows the connections in the process of closing.

24
Q

What does the state SYN_SENT in netstat mean?

A

It shows a process that is trying to contact a nonexistent/inaccessible network server.

25
Q

What does the state SYN_WAIT in netstat mean?

A

It means that our host is unable to handle the number of connections being requested. It could be due to the kernel’s limitations (harmless) or malicious flooding (harmful).

26
Q

How to display the kernel’s routing table?

A

netstat -r

27
Q

What are packet sniffers?

A

They listen to network traffic and print/record packets that meet some criteria.

E.g. tcpdump, Wireshark

28
Q

Explain tcpdump.

A

It is a CLI packet sniffing tool that allows the user to display TCP/IP and other packets being transmitted over the network on which the user’s host lies.

29
Q

Explain Wireshark and Tshark.

A

It is a packet sniffing tool that includes both a GUI (wireshark) and a CLI (tshark). It can read packets and reassemble fragmented packets to examine the data transferred during a complete TCP exchange,

30
Q

Explain nslookup.

A

Name server lookup (nslookup) is a CLI tool for querying DNS to obtain domain name/IP address mappings. The command does not use the OS’s DNS resolving ability to perform its queries and hence behaves differently from dig.

We can provide a hostname and get the IP address in response. When we provide an IP address, we get the name of the server.

For example:

nslookup NAME
prints info about the host/domain NAME using the default server.

nslookup NAME1 NAME2
is the same as above but uses NAME2 as the DNS server.

We can set the type of query to any of A, AAAA, CNAME, MX, NS, PTR, SOA, SRV etc. using
set type=MX
Now when we provide a hostname, we will get its mail exchanger server’s domain name data.

To do the above in non-interactive mode, use the queryType switch as follows:
nslookup -queryType=MX google.com

We can change the default DNS server with the command
server 8.8.8.8
Now the queries will go to Google’s public DNS server to get an answer.

31
Q

In nslookup query, what does “non-authoritative answer” mean?

A

It means that the answer came from the cache of the local DNS server rather than from an authoritative nameserver.

32
Q

What type of query can we get from the following options of nslookup?

  1. A
  2. AAAA
  3. A+AAAA
  4. MX
  5. NS
  6. PTR
  7. SOA
  8. SRV
  9. ANY
A
  1. IPv4 address
  2. IPv6 address
  3. IPv4 and IPv6 addresses
  4. Mail exchanger (domain name of the mail server)
  5. Nameserver for the domain name
  6. Pointer records (reverse DNS lookup)
  7. The authoritative nameserver for the given hostname
  8. Location of a specific service
  9. All of the available DNS records for the given hostname
34
Q

How can we know the current DNS server we are using?

A

nslookup (in non-interactive mode)

set all (in interactive mode)

35
Q

What does this command do? What does it mean for it to fail?

ping 127.0.0.1

A

127.0.0.1 is called the localhost/loopback address and it is the address of the NIC of the current machine.

Pinging 127.0.0.1 means pinging the machine itself.

If ping 127.0.0.1 doesn’t work, then there is a problem with the NIC of the machine.

36
Q

What are the IPv4 and IPv6 loopback addresses?

A

IPv4: 127.0.0.1

IPv6: ::1 (i.e. 0000:0000:0000:0000:0000:0000:0000:0001)

37
Q

What is the IP address of the default gateway router?

A

192.168.1.1

38
Q

What are IPCONFIG and IFCONFIG?

A

Both are CLI tools used to view the TCP/IP configuration of a machine.

IPCONFIG: Windows
IFCONFIG: Linux/Unix

38
Q

What does this command do?

ipconfig /all

A

It displays the detailed TCP/IP configuration for the machine, including the DHCP server address, MAC address, IP lease etc.

39
Q

Explain the command arp.

A

This command displays the ARP table (IP to MAC address mapping).

  1. Adding a static entry to the current ARP table:
    arp -s 157.55.85.212 00-aa-00-62-c6-09
  2. Adding a static entry to an interface whose IP address is 154.36.15.78:
    arp -s 157.55.85.212 00-aa-00-62-c6-09 154.36.15.78
  3. Displaying the current ARP table:
    arp -a
    arp -g
  4. Displaying the ARP table for an interface whose IP address is 154.36.15.78:
    arp -a -N 154.36.15.78
    arp -g -N 154.36.15.78
  5. Deleting an ARP entry from the current table:
    arp -d 157.55.85.212
  6. Deleting an ARP entry from an interface whose IP address is 154.36.15.78:
    arp -d 157.55.85.212 154.36.15.78
40
Q

Explain the command dig.

A

Domain Information Groper (dig) is a CLI tool for querying DNS and is very similar to nslookup.

It returns the data in the DNS packet, showing the header, question, answer, authority RRs and additional RRs.

  1. Info on yahoo.com
    dig yahoo.com
  2. Less verbose info on yahoo.com
    dig yahoo.com +short
  3. Querying MX type records
    dig yahoo.com MX
  4. Reverse DNS lookup
    dig -x 192.168.1.1