Network Troubleshooting tools

With discards, the situation is almost the opposite. The packets were received with no errors but were dumped before being passed on to a higher layer protocol. A typical cause of discards is when the router needs to regain some buffer space. In the case of discards, the issue is almost always with the router that's reporting the discards (not witha a next hop device, bad cable, etc).

1) Host Configurations
ps [ ps -aux ] - lists which processes are running on the system
This combination shows all users' processes (-a), including those without controlling terminals (-x), in considerable detail (-u). The options -ax will provide fewer details but show more of the command-line arguments.
Use the -w option to extend the displayed information to 132 columns

top - gives a periodically updated listing of processes ranked in order of CPU usage

netstat [ netstat -a ] - reports the contents of kernel data structures related to networking.
netstat -rn - routeing table
netstat -i 1 - interface stats

lsof - produces a list of all open files

ifconfig [ ifconfig -a ] -  retrieve interface configurations

arp [ arp -a ] - The ARP table on a system maps network addresses into MAC addresses

portscan [ portscan 1 10000 -vv ]

2) Network tools

ping - The normal operation of ping relies on two specific ICMP messages, ECHO_REQUEST and ECHO_REPLY, but it may respond to ICMP messages other than ECHO_REPLY when appropriate

fping - extends ping to support multiple hosts in parallel

echoping - works by sending packets to one of several services that may be offered over TCP and UDP -- ECHO, DISCARD, CHARGEN, and HTTP. Particularly useful when ICMP messages are being blocked, echoping may work where ping fails

arping - uses ARP requests and replies instead of ICMP packets

3) Path tools
traceroute - a tool used to discover the links along a path.
Bandwidth measurements will give you an idea of the hardware capabilities of your network, such as the maximum capacity of your network.  (10Mbps, 100Mbps, 1Gbps)
Throughput measurements will help you discover what capacity your network provides in practice, i.e., how much of the maximum is actually available.

Throughput is generally an end-to-end measurement. When dealing with multihop paths, however, the bandwidths may vary from link to link

Bandwidth estimate:
- ping
- pathchar
- bing

Throughput estimate tools:
ttcp - One of the oldest bulk capacity measurement tools.
iperf - unix/windows
nuttcp - unix/windows

4) Packet captures
Packet capture software works by placing the network interface in promiscuous mode. In normal operations, the network interface captures and passes on to the protocol stack only those packets with the interface's unicast address, packets sent to a multicast address that matches a configured address for the interface, or broadcast packets. In promiscuous mode, all packets are captured regardless of their destination address.
On a few systems you may need to manually place the interface in promiscuous mode with the ifconfig command before running the packet capture software.

tcpdump [ tcpdump -i xl1 ]
related tools:
sanitize - a collection of five Bourne shell scripts that reduce or condense tcpdump trace files and eliminate confidential information,

tcpdpriv - is another program for removing sensitive information from tcpdump files,

tcpflow - This program allows you to capture individual TCP flows or sessions,

tcpshow - decodes a tcpdump trace file

tcptrace -  is an extremely powerful tcpdump file analysis tool, is capable of producing several types of output files for plotting with the X Window program xplot.

trafshow -  provides a continuous display of traffic over the network, giving repeated snapshots of traffic. It displays the source address, destination address, protocol, and number of bytes. This program would be most useful in looking for suspicious traffic or just getting a general idea of network traffic.

5)  Discovery tools:
 - IP Address Management
 - nmap - supports IP scanning. It also provides port scanning and stack fingerprinting
 - arpwatch - recording IP addresses and their corresponding MAC addresses

Device Identification"
- telnet
Stack Fingerprinting
- queso
- nmap Revisited [ nmap -O ]

6) Device Monitoring
- snmp
NET SNMP (UCD SNMP - University of California at Davis)
- snmpget
- snmpgetnext, snmpwalk, and snmptable
- snmpset - is used to change the value of objects by sending SET_REQUEST messages
- snmptranslate -  Available OIDs are determined by the design of the agent and are described by its MIB. There are several different approaches you can take to discover the contents of a MIB.
snmptranslate system.sysContact.0
snmptranslate -On .
snmptranslate -Td system.sysContact - get extended information

 With Unix, it is possible to remotely log on to a system using telnet or ssh over a network connection and reconfigure the host

7) Network monitoring
 - mrtg
 - rrd
 - zabbix

8) Custom Packets Generators
 - hping
 - nemesis
 - netcat

9) Application level tools:
 - email
 - http
 - ftp
 - dns ( nslookup and dig )

10) Log Files and Auditing

 - syslog - can log events from your Cisco router to your Unix server. There are even a number of Windows versions available

Unfortunately, many services traditionally don't do logging, either through the syslog facility or otherwise.  If these services are started by inetd, you have a couple of alternatives. Some implementations of inetd have options that will allow connection logging.
- ntp -  is a protocol you can use to synchronize the clocks on your system
 ntpq -p

11) Troubleshooting Strategies
1) Document - Before you do anything else, start documenting what you are doing. This is a real test of willpower and self-discipline
2) Collect information and identify symptoms.
3) Define the problem. Once you have a clear idea, you can begin coming to terms with the problem.
[bsd1 can't telnet to lnx1. ]
4) Identify systems or subsystems involved. As you collect information, as seen in the previous example, you will define and refine not only the nature of the problem, but also the scope of the problem. This is the step in which we divide and hopefully conquer our problem.
5) Develop a testable hypothesis
6) Develop and assess solutions.
7) Implement and evaluate your solution.

PING & TRACEROUTE detailed info.

Basic Windows/*nix Network Tools:
Tool        Description
Arp         Allows viewing and editing of the Address Resolution Protocol (ARP) cache.
Hostname    Displays the host name of the computer.
Ipconfig    Displays the current IPv4/IPv6 config, manage DHCP, display/flush the DNS client resolver cache.
Netsh       Configuration tool for many network services.
Netstat     Displays protocol statistics and information on current TCP connections.
Nslookup    Performs DNS queries and displays the results.
Ping        Sends ICMP Echo or ICMPv6 Echo Request messages to test reachability.
Route       Print IPv4/IPv6 routing tables and editing of the IPv4 routing table. (or netstat -r)
Tracert     Sends ICMP v4/v6 messages to trace the network route taken by packets to a specific destination.
Pathping    Sends ICMP Echo or ICMPv6 Echo Request messages to trace the route an IPv4 or IPv6 and displays packet losses for each hop (MTR).
Telnet      Tests TCP connection establishment between two nodes.
For OS Windows:
Windows Sysinternals Tools : TCPView, Autoruns, Process Explore

Additional Network Tools:

arping - sends arp and/or ip pings to a given host (for Win hardping.exe)
dig - DNS lookup utility

Route Servers - view BGP routes on the internet, they are also useful to do traceroutes and troubleshoot networks  Austin, TX    Chicago,IL    New York, NY    Washington, DC

Layer 4

hp:~# cd /usr/ports/net/ripe-whois && make install clean
hp:~# whois3 -T route -i origin AS8708 | grep 'route' |awk -F " " '{print $2}' |grep /   

Layer 7
[root@speedtest /usr/ports/net/http_ping]# http_ping
218 bytes from 115.71 ms (50.897c/64.795r/0.018d)
218 bytes from 115.793 ms (51.263c/64.515r/0.015d)
218 bytes from 115.164 ms (50.96c/64.185r/0.019d)
218 bytes from 120.705 ms (51.07c/69.614r/0.021d)
--- http_ping statistics ---
4 fetches started, 4 completed (100%), 0 failures (0%), 0 timeouts (0%)
total    min/avg/max = 115.164/116.843/120.705 ms
connect  min/avg/max = 50.897/51.0475/51.263 ms
response min/avg/max = 64.185/65.7773/69.614 ms
data     min/avg/max = 0.015/0.01825/0.021 ms

DNS MOST USED Resource Records (RR):

A  - mapping a DNS domain name to an IP address         6465    IN      A

AAAA - mapping a DNS domain name to an IPv6         7200    IN      AAAA    2001:4f8:0:2::d

MX - mapping a DNS domain name to the name of a computer that exchanges or forwards mail         7200    IN      MX      10         7200    IN      MX      10

NS -  (Name Server) a list of authoritative DNS servers for a domain.                1686    IN      NS                1686    IN      NS                1686    IN      NS

CNAME - alias of one name to another domain name

PTR - (Pointer or reverse DNS lookup) translate IPv4/IPv6 to a CNAME. 3600 IN      PTR

SOA -  (Start Of Authority) specifies the DNS server providing authoritative information about an domain.                7191    IN      SOA 2011062100 7200 3600 24796800 3600

____________________  DNS TOOLS  _________________________________________

dig (Domain Information Groper) - DNS lookup utility.
The source code for dig is part of the larger ISC BIND distribution.

$ dig
$ dig +short                  # short output
$ dig -x +short     #  PTR
$ dig +trace                  #  recursive DNS lookup
    DNS server itself to make queries to other DNS servers on behalf of the client who made the original request
$ dig MX
$ dig NS

Default ouput (quering with OS DNS setting)
$ dig
; <<>> DiG 9.6.-ESV-R3 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44945
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;                       IN      A

;; ANSWER SECTION:                7200    IN      A

;; AUTHORITY SECTION:                6839    IN      NS                6839    IN      NS                6839    IN      NS                6839    IN      NS

;; ADDITIONAL SECTION: 86039  IN      A 86039  IN      AAAA    2001:500:2c::254

;; Query time: 205 msec
;; WHEN: Tue Jun 21 13:40:05 2011
;; MSG SIZE  rcvd: 184

nslookup - query Internet name servers interactively
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'
Default Server:

TYPE A / AAAA   RR (which is default)
Non-authoritative answer:
Addresses:  2001:4f8:0:2::d



> server
Default Server:
server  - The name or IP ( is looked up using the current default dns (

> lserver
Default Server:
lserver - The name or IP ( is looked up using the original default dns (

> set type=mx

Non-authoritative answer: MX preference = 10, mail exchanger = MX preference = 10, mail exchanger =

- DNS lookup utility
$ host has address has IPv6 address 2001:4f8:0:2::d mail is handled by 10 mail is handled by 10