Lecture notes: Network+ Certification - Chapter 18, Network Troubleshooting Tools
Chapter 18, Network Troubleshooting Tools
|1| Chapter Overview
A. Documentation and Resources
B. Logs and Indicators
C. Network Testing and Monitoring Tools
Chapter 18, Lesson 1
Documentation and Resources
1. Introduction
A. Many people who work with computers and networks do not read the
documentation that comes with the products they use.
B. To cut costs, most hardware and software manufacturers have greatly
reduced the amount of printed documentation they include with
products.
C. To properly administer and troubleshoot a network, you must have
information about the products you are using.
1. In many cases, you must turn to resources other than the product
manufacturer to get information.
2. Many other sources of information are now available to the network
administrator.
|2| 2. Product Documentation
A. Hardware and software products usually do not come with thick
volumes of printed manuals as they used to, but documentation is
usually included in some form.
B. Even if you do not need to read the manual to install or configure the
product, you should always keep all the documentation.
1. Although you may be very familiar with the devices or software
products you use, you might still need the documentation some day.
a. Example: suppose you need to install additional memory in all the
computers on an existing network.
(1) You might not know what type of memory modules you need,
what combinations of modules the computers support, or how
much memory they can use.
(2) Suppose that the company that manufactured those computers
no longer makes or supports the model you are using.
(a) If you have kept the documentation, you can probably
find the information you need.
(b) If you do not have the documentation, you will have to
determine by trial and error what memory
configurations the computers can use, which could
waste a lot of time and money.
|3| C. CD-ROMs can contain documents in various formats, such as the
following:
2 Outline, Chapter 18
Network+ Certification, Second Edition
1. Text files
a. Many manufacturers use plain ASCII text files to provide late-
breaking information about product problems, revisions, and
compatibility issues.
b. The traditional name for this type of text file is README.1ST or
something similar.
c. Check the software distribution CD-ROMs that accompany the
product for README text files or files with a .txt extension.
d. To view text files, you can
(1) Use a simple program like NOTEPAD.EXE (included with all
current versions of Microsoft Windows)
(2) Copy the files to a printer by typing a command such as copy
readme.1st lpt1 at the MS-DOS command prompt
2. Hypertext Markup Language Files
a. Some manufacturers create documentation in Hypertext Markup
Language (HTML) format and include it with the product on a
CD-ROM.
b. Once you have pointed your browser to the home page file on the
disk, viewing the documents on the CD-ROM is the same as viewing
them on a Web site.
c. Depending on how the HTML files are organized, searching them
might or might not be possible.
3. Adobe Acrobat Portable Document Format files
a. Acrobat creates and displays documents in a proprietary format
called the Portable Document Format (PDF), identified by the .pdf
file extension.
b. The .pdf files preserve all the original design elements, layout, and
formatting characteristics of the original documents, including fonts
and full-color illustrations.
|4| (1) Acrobat Reader displays the documents in fully laid-out pages,
just as they would appear when printed.
c. A .pdf file is created by using a special printer driver supplied with
Acrobat, which takes the document that was created in another
application and compiles it into a single .pdf file.
d. You can print a .pdf document to create a printed manual.
e. Acrobat is an easy and attractive solution for manufacturers seeking
to reduce their publishing costs.
f. Despite being a proprietary format, .pdf has become a de facto
publishing standard in the computing industry.
g. To view a .pdf file, you must have Acrobat Reader, which is
available free of charge from the Adobe Web site at
(1) Some Acrobat versions can support more than a dozen
different hardware platforms.
(2) Adobe allows third parties to include Acrobat Reader on their
own CD-ROMs, so that if a product includes documentation in
.pdf format and you do not already have Acrobat Reader, you
can usually install it from the CD-ROM.
h. Acrobat Reader also includes a plug-in for your Web browser so that
you can click links to .pdf files on Web sites and display them.
(1) When a .pdf file is created specifically for Web access, the Web
browser plug-in can display a document as it is downloading,
one page at a time, so that you do not have to wait for the entire
file to download before any of it is displayed.
i. The .pdf files can be quite large, making them better suited for
CD-ROM distribution than Web distribution.
j. The .pdf files are searchable.
(1) Publishers can create an index of key terms in a collection of
.pdf files, which speeds up the searching process.
|5| 3. Telephone Support
A. Virtually every hardware and software company at one time maintained
a free technical support telephone line.
B. Today, free telephone support is a thing of the past.
1. The costs of hiring, training, and maintaining an effective technical
support staff have risen so high that manufacturers have had to limit
support or charge a fee for it.
2. Some products include free technical support for a limited time or a
limited number of incidents before the manufacturer begins charging a
fee.
a. The fee can be based on an hourly rate or a per-incident charge, but it
usually is not cheap.
C. Calling for technical support can be a significant expense, so
determining when to call for help is more difficult than it used to be.
1. When support was free, many users called frequently about problems
they could easily have solved themselves, simply to avoid the bother of
reading the manual.
2. Today, people are more likely to find other sources of support before
paying for help.
3. At times, calling for technical support is necessary.
a. For example, some manufacturers might have recently discovered
product problems or issues that have not yet been documented in
print, on their Web site, or even in their Readme files.
(1) You could spend hours attempting to research a problem when
the whole issue could be solved with a 5-minute telephone call.
4. In general, you should look for help on the Web and Usenet first, and
call technical support only as a last resort.
4. Online Resources
A. The Internet is the most valuable source of information about computer
networking and network products.
B. Most manufacturers maintain Web sites that provide extremely valuable
information.
|6| C. Resources commonly found on manufacturers’ Web sites
1. Marketing collateral
a. More useful for presales product evaluation than for technical support
b. Includes datasheets, features and benefits lists, product comparisons,
product reviews (at least the favorable ones), and other sales
literature
c. Most often in .pdf format, although it might also be in HTML
2. Product manuals
a. An online version can be more valuable if the site has a search engine
that lets you find the information you need more easily.
3. Technical documents
a. Often provide technical background information that can help you
evaluate networking products, understand how they work, and
troubleshoot them
b. Often posted in .pdf format
c. Frequently more concerned with the theoretical aspects of the product
than with day-to-day operations
4. Frequently asked questions (FAQs)
a. One of the best resources for information about common problems
(1) When enough people report the same problem to the
manufacturer, the company often addresses the problem
by adding it to a list of FAQs, hoping to avoid repetitive
support calls.
b. The FAQ list should be one of the first resources that you turn to for
help.
c. Can be an excellent product evaluation resource
(1) Finding out what kind of problems a product has and how the
manufacturer deals with them can help you decide whether a
product is worth purchasing.
5. Technical support databases
a. Typically let you search for keywords or error messages
b. Provide information on solutions and links to software patches
c. The amount of information available depends on the simplicity or
complexity of the product.
(1) Example: Microsoft’s Knowledge Base (available at
contains thousands of articles
about the company’s products.
(a) You can search by keyword, article ID number, or file
name.
(b) The Microsoft Knowledge Base, like many other sites,
also supports plain language queries, which let you
search for information online just as you would ask a
person for it.
|7| 6. File downloads
a. Being able to download drivers, software updates, patches, and other
files is a major benefit of using a manufacturer’s Web site instead of
its technical support telephone line.
b. Checking to see how many patches have been issued for a product is
a good way of evaluating the product before buying it.
(1) If a software product has had a large number of bug fixes in a
short time, it is probably a good idea to look elsewhere.
c. Downloadable files on Web sites are typically supplied as
compressed ZIP archives that either are self-extracting or require a
decompression program like PKUNZIP or WinZip.
(1) UNIX downloads are usually supplied in gzip format.
7. Online messaging
a. Online messaging is the Web equivalent of the old bulletin board
systems, where you leave a text message and receive a reply from a
technical support representative.
b. You might find that a solution to your problem has already been
posted in a response to another user, or you might find helpful
information from other users or the company’s representatives.
c. One way of checking the value of online messaging is to see how
long it takes for the company to respond to questions from users.
(1) If the company takes several days to reply to users’ questions,
or if the replies sometimes are not helpful, you should
probably look elsewhere for support.
8. Live support
a. A few companies offer live sales information or technical support
over the Web.
(1) Usually a chat application that provides a live text-messaging
link between users and company representatives
(2) Usually offered during limited hours
b. Test the interface carefully on your computer before relying on it as a
primary technical support medium.
c. In some cases, communication difficulties make this type of support
impractical.
9. Manufacturer’s contact information on Web sites
a. Includes e-mail addresses and telephone numbers for technical support
b. Might include other contact information, such as mailing addresses
and procedures for returning defective products
D. Third-party Web sites
1. Many other Web sites, in addition to those run by product
manufacturers, contain useful networking information.
a. Many independent sites are devoted to each of the popular operating
systems, major applications, computer hardware, and networking
principles.
2. When dealing with information from what is essentially an unknown
source, you must be careful to verify anything that seems unlikely or
potentially dangerous.
a. You can sometimes tell from examining the site whether the
information there can be trusted, but the Web has a way of making
even the most egregious misinformation seem convincing.
|8| E. Usenet
1. A worldwide, text-based Internet bulletin board system that consists of
tens of thousands of newsgroups devoted to many topics
2. Not as user-friendly as the Web but provides an enormous amount of
valuable technical information
3. To access Usenet newsgroups, you must have a client program called a
newsreader and access to a news server.
a. The clients and servers communicate with each other by using a
specialized Transmission Control Protocol/Internet Protocol (TCP/IP)
protocol called the Network News Transfer Protocol (NNTP).
b. Newsreaders can be stand-alone programs or they can be
incorporated into other applications, such as the Outlook Express
client included with Microsoft Internet Explorer.
c. Most Internet service providers (ISPs) include access to a news server
as part of a standard Internet access subscription.
(1) The quality of service varies greatly from ISP to ISP.
4. Usenet newsgroups generate several gigabytes of information every day,
and news servers can keep only a limited amount of information available.
a. A news server might be able to keep only a few days’ worth of
messages available at a time.
b. Some servers have incomplete news feeds, which means you will not
see all the messages that have been posted to a particular group.
(1) This can be a problem, because you might not see all the
responses to your questions.
5. For more complete and comprehensive Usenet access, you can subscribe
to any one of several commercial news services for a small monthly fee.
a. These services guarantee full access to all Usenet newsgroups and
usually retain messages for a longer time.
|9| 6. To access Usenet, configure your newsreader with the name or Internet
Protocol (IP) address of a news server and download a list of the
newsgroups.
a. The list is alphabetical.
b. Newsgroup names consist of several cryptic abbreviations separated
by periods, such as comp.infosystems.www.authoring.html.
c. You can usually work out the subject of a newsgroup from its name,
but some names are in languages other than English.
d. As you become accustomed to Usenet jargon, you will learn where to
find the newsgroups that deal with a particular subject.
7. A large number of newsgroups are devoted to technical computing issues.
a. Examples
(1) Newsgroups that deal with individual networking protocols,
operating systems, programming languages, and many other
related topics
(2) There are hundreds of newsgroups beginning with the word
“comp,” which are all computer-related.
8. Usenet is primarily a text-based service, and “netiquette” dictates that
you post only text messages on most newsgroups.
a. Many news server administrators try to conserve storage space by
maintaining only the text-only newsgroups.
b. Newsgroups that have the word “binaries” in their name permit the
posting of binary files, such as program and image files.
9. The newsreader lets you subscribe to a newsgroup that you want to
access.
a. Subscribing means only that the newsreader adds the selected
newsgroup to the list of groups that you want to access regularly.
|10| b. When you access your list of newsgroups, the newsreader downloads
the message headers for each group you have subscribed to.
c. Message headers contain the subject of each message, the name of
the person who posted it, and the date and time it was posted.
d. Newsreaders typically can display the headers in several different
ways: chronologically; alphabetically by subject or author; by size; or
by thread.
(1) A thread is a series of messages with the same subject.
(2) One person posts a message containing a question or comment,
and other people reply to that message.
10. Downloading text-only messages is usually rapid, but downloading
messages that contain binary files can take quite a while, depending on
the size of the files.
|11| a. When the download is complete, you can select a message, and the
newsreader displays the text.
b. You can compose a reply and send it to the newsgroup or send an
e-mail directly to the author.
c. If you send the message to the newsgroup, it goes to your news
server, which eventually uploads it to other servers.
11. It is more difficult to separate useful from useless information in Usenet
than it is on the Web because anyone can participate on Usenet.
a. What used to be a medium frequented primarily by technical people
has been invaded by many other types of users.
b. Unwanted mass postings or off-topic material (“spam”) is a major
problem on Usenet, as it is with e-mail.
c. Some newsgroups are moderated to keep out the spam, and some
news server administrators run software that filters out much of it.
5. CD-ROM Resources
A. The CD-ROM products released by several major manufacturers are
another good source of information about computer and networking
products.
1. Sometimes the disks are free, but in most cases you must purchase a
subscription for CD-ROM releases that come out monthly or quarterly.
|12| B. Microsoft’s TechNet is one of the most popular CD-ROM subscription
products.
1. Each month, you get several CD-ROMs with information about all
Microsoft products.
2. The discs include
a. Documentation such as the manuals and Resource Kits for Microsoft
products, marketing collateral, the complete Knowledge Base, audio
and video training materials, and hundreds of other articles and book
excerpts
b. Data discs that have the latest service packs, patches, and evaluation
copies of new products
3. Includes its own searchable viewer application, which makes it easy to
locate the information you need
C. MSDN is a subscription-based CD-ROM service intended for software
and hardware developers.
1. The discs include an enormous amount of information, including
a. Software developer’s kits (SDKs) and driver developer’s kits (DDKs)
for all Microsoft products
b. Copies of all the operating systems
c. A developer Knowledge Base
2. There are three subscription levels with different prices and different
levels of access.
|13| 6. Books and Periodicals
A. Many books are available on networking and computer-related topics.
1. Cover a fairly limited range of specific networking products
2. Cover major products, such as operating systems, in depth
3. Excellent resource for background information and networking theory
B. Many books include a searchable electronic version on a CD-ROM.
1. Makes the book more portable
2. Lets you search for information quickly and efficiently
C. Magazines and trade newspapers are good places to look for current
technical information and industry news.
1. Keep in mind that information in a typical monthly magazine is written
at least three to four months before you see the issue.
2. Weeklies usually provide more timely information.
3. Many weekly trade newspapers are now available online.
Chapter 18, Lesson 2
Logs and Indicators
1. Introduction
A. One of the most important responsibilities in maintaining a network is
knowing when something is wrong.
1. Networks perform many important processes automatically and in the
background, and you must make sure that what is supposed to have been
done has been done, without error and without problems.
2. Power and Drive Lights
A. One of the most basic signs that something is wrong on your network is
when the equipment operation lights are not lit.
1. Possible causes include
a. Power failure
b. A tripped circuit breaker
c. A disconnected electrical plug
d. A power supply failure
e. A drive failure or a disconnection inside the computer
B. You should become familiar with the light-emitting diode (LED) displays
of your equipment during normal operation so that you can quickly
determine when something is wrong.
|14| 3. Link Pulse Lights
|15| A. Most Ethernet network interface adapters that use unshielded twisted-
pair (UTP) cable have an LED that is lit when the adapter is connected
to a functioning hub.
|16| B. The hub usually has an LED for each port as well, so you can tell from
either end of the patch cable whether the devices are connected.
C. These link pulse lights can tell you whether a computer is wired to the
hub properly.
1. When you connect a UTP network interface adapter to a hub, the link
pulse lights on both devices should be lit, as long as both are switched on.
2. The network interface adapter must be installed in the computer and the
computer must be turned on.
a. However, the network adapter driver does not need to be installed,
and you do not need to be logged on to the network to activate the
LED.
D. When an Ethernet adapter and a hub are properly connected, they
exchange signals to test the connection.
|17| 1. On 10Base-T and 10Base-FL equipment, the signal is called a normal
link pulse (NLP).
a. The NLP signals
(1) Last for 2 milliseconds
(2) Repeat at intervals of 16.8 milliseconds
(3) Occur only when the network is not busy transmitting data, so
they do not interfere with normal operations
2. When the LEDs at both ends of the connection are lit, the NLP signals
generated by each device are reaching the other device.
a. If you accidentally use a crossover cable to connect a computer to a
hub, the signals sent over the transmit wires do not reach the receive
contacts in the other device, and the LEDs will not light.
b. If you connect two network interface adapters together using a
straight-through cable and no hub, the LEDs will not light.
c. If the LED lights on one device, but not on the other, there is a fault
in the cable connection.
(1) The cable itself might be faulty, one of the devices’ connectors
might be broken, or the cable might not be properly seated into
the jack at one or both ends.
(2) Try reseating the cable connectors into the jacks, or replace the
cable with one that you know is functioning properly.
|18| 3. Fast Ethernet and Gigabit Ethernet equipment that supports multiple
speeds uses fast link pulse (FLP) signals.
a. FLP signals differ from NLP signals in that they include a 16-bit data
packet that the devices use to autonegotiate their connection speed.
(1) The data packet contains a link code word that consists of a
selector field and a technology ability field.
(2) The devices use these fields to advertise their capabilities,
including the speeds they can run at, and whether they support
full-duplex (that is, simultaneous bidirectional)
communications.
b. By examining the link code word supplied by the other device, the
network interface adapter and the hub both configure themselves to
use the best transmission mode that they have in common according
to the following priorities:
(1) 1000Base-T (full-duplex)
(2) 1000Base-T
(3) 100Base-TX (full-duplex)
(4) 100Base-T4
(5) 100Base-TX
(6) 10Base-T (full-duplex)
(7) 10Base-T
c. FLP signals are fully compatible with the NLP signals that are used
by devices that cannot operate at multiple speeds.
(1) If you connect a computer with a 10/100 dual-speed Fast
Ethernet adapter to a standard 10Base-T hub, the adapter
(a) Receives the NLP signal from the hub
(b) Determines that 10 Mbps half-duplex is the fastest
speed it has in common with the hub
(c) Configures itself accordingly
(2) The 10Base-T hub, receiving the FLP signal from the adapter,
cannot interpret the link code word and sees the signal only as
a normal NLP link test.
(a) No autonegotiation occurs at the hub because none is
possible.
d. Some dual-speed devices also have LEDs that light up to indicate the
speed at which the device has configured itself to run.
(1) Do not confuse this LED with the link pulse LED.
4. Link pulse LEDs are only an indication that the network connection is
wired properly; do not mistake them for a true diagnostic test of the
network’s transmission capabilities.
a. Just because the LEDs are lit does not necessarily mean that the
connection can carry Ethernet traffic.
b. Link pulse signals run far more slowly than Ethernet data signals and
are not affected by electromagnetic interference, such as crosstalk,
the way that Ethernet data signals are.
(1) If you use a “silver satin”–type telephone cable to connect a
network interface adapter to a hub, the link pulse LEDs will
usually light.
(2) In the “silver satin” cable, the wire pairs are not twisted, which
results in high levels of crosstalk.
(3) When Ethernet signals are transmitted over “silver satin”
cable, crosstalk causes the signals to bleed over from one wire
pair to the others.
(a) The crosstalk causes the network interface adapters to
receive signals over both the transmit and receive wire
pairs simultaneously.
(4) UTP Ethernet adapters interpret simultaneous signals on both
wire pairs as an indication that a collision has occurred.
(5) In fact, even though there has been no real collision, the
adapters behave as though there has been one.
(a) The adapters discard the supposedly damaged packets
and begin the data retransmission process.
(b) This is called a phantom collision, and if it occurs
frequently enough, it can seriously degrade the
efficiency of the network.
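The FLP autonegotiation described in item D.3 above, as an added example that is not part of the original outline: it decodes two 16-bit base link code words and picks the best common mode using the outline's priority order. The bit positions are taken from IEEE 802.3 clause 28 rather than from the outline, the function names are hypothetical, and the two 1000Base-T entries are left out because those abilities are exchanged in follow-on pages, not in the base word.

```python
# Added example: resolve the operating mode from two base link code words.
# Bit positions follow IEEE 802.3 clause 28; the outline names the fields
# but gives no bit layout, so these constants are not from the outline.

SELECTOR_MASK = 0x001F        # bits 0-4: selector field
SELECTOR_IEEE_802_3 = 0x01    # selector value that identifies Ethernet

# Technology ability field: one bit per mode the device can run.
ABILITY_BITS = {
    "10Base-T": 1 << 5,
    "10Base-T (full-duplex)": 1 << 6,
    "100Base-TX": 1 << 7,
    "100Base-TX (full-duplex)": 1 << 8,
    "100Base-T4": 1 << 9,
}

# The outline's priority list, best first, limited to the 10/100 modes
# that the base link code word itself can advertise.
PRIORITY = [
    "100Base-TX (full-duplex)",
    "100Base-T4",
    "100Base-TX",
    "10Base-T (full-duplex)",
    "10Base-T",
]


def encode_lcw(modes):
    """Build a base link code word that advertises the given modes."""
    word = SELECTOR_IEEE_802_3
    for mode in modes:
        word |= ABILITY_BITS[mode]
    return word


def decode_lcw(word):
    """Return the set of modes advertised in a base link code word."""
    if word & SELECTOR_MASK != SELECTOR_IEEE_802_3:
        raise ValueError("selector field does not identify IEEE 802.3")
    return {mode for mode, bit in ABILITY_BITS.items() if word & bit}


def resolve(local_word, partner_word=None):
    """Pick the mode the local device configures itself for.

    partner_word is None when the partner sends only NLP signals, as a
    fixed-speed 10Base-T hub does: no code word arrives, so the local
    device falls back to 10 Mbps half-duplex.
    Returns None when the two devices share no mode.
    """
    local = decode_lcw(local_word)
    if partner_word is None:
        return "10Base-T" if "10Base-T" in local else None
    common = local & decode_lcw(partner_word)
    for mode in PRIORITY:
        if mode in common:
            return mode
    return None


if __name__ == "__main__":
    # Constructed sample devices.
    adapter = encode_lcw(["10Base-T", "10Base-T (full-duplex)",
                          "100Base-TX", "100Base-TX (full-duplex)"])
    half_only_hub = encode_lcw(["10Base-T", "100Base-TX"])
    print(f"adapter advertises 0x{adapter:04X}")
    print("adapter <-> same adapter :", resolve(adapter, adapter))
    print("adapter <-> half-only hub:", resolve(adapter, half_only_hub))
    print("adapter <-> 10Base-T hub :", resolve(adapter, None))
```

The last case is the outline's dual-speed adapter on a standard 10Base-T hub: the adapter sees only NLP signals and settles on 10Base-T half-duplex, while the hub never negotiates at all.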
|19| 4. Error Displays
A. The most obvious indication that a problem has occurred on a computer
is an error message that appears on the screen.
1. Error messages are generated primarily by applications and operating
systems.
2. They can inform you when something has gone wrong with a computer
or the software running on it.
B. In most cases, error messages cannot give you specific information
about a problem with the network itself.
1. There is usually no way for the computer to test or communicate with
network components except for other computers.
2. An error message generated by an operating system might tell you that
the computer could not communicate with another computer on the
network.
a. However, the error message usually cannot tell you why unless the
problem is with the computer generating the message.
C. Many error messages are ambiguous or misleading, so you might need
help interpreting them.
D. If you do not understand an error message, record the exact message,
including all number and letter codes, memory addresses, and other
types of information, even if you do not know what they mean.
1. The manufacturer’s technical support department might be able to use
the information to resolve the problem.
2. You should inform all network users to record the same information for
any error messages they receive.
3. One of the easiest ways to preserve a complex error message is to save
an image of the entire screen.
a. On a Windows system, press PRINT SCREEN to copy the current
screen image to the clipboard.
(1) Open the Windows Paint program and select Paste on the Edit
menu to paste the image into the program.
(2) Print the error message or save it to a bitmap file.
b. The screen capture works as long as the computer can still run
programs.
(1) If the problem halts the system and generates a fatal system
error (sometimes known as “the blue screen of death”) in
Microsoft Windows NT or Windows 2000, you have no
recourse other than to write down the error information.
E. If you receive error messages that you do not understand, it is useful to
have the documentation for the products on a searchable medium, such
as a CD-ROM or a Web site.
|20| 5. Event Logs
A. An event log is a running record of processes that documents an
operational history of the product involved.
1. Many applications, operating systems, and networking components
maintain logs of their activities.
a. You should check the logs on a regular basis for problems or even
just for informational messages.
2. Some products keep logs as text files and may or may not supply the
means for you to view them.
a. You might have to open the log file in a separate application to read
the contents.
3. Log files can grow very large, so to read them you might have to use a
text editor that can handle large files.
B. Logging options
1. Some applications let you specify whether you want them to log their
activities and how much detail you want in the logs.
2. When you work with a newly installed or reconfigured application or
device, it is a good idea to keep logs for a while.
3. Consider the amount of detail you want in the logs.
a. Selecting the most detailed option might not always be best.
(1) You want an accurate picture of the product’s activities, but
you do not want to spend hours poring through log files.
b. For example, most backup programs have a full detail logging option,
which means that the log maintains a complete listing of every file
that the program backs up.
(1) This might be useful in some instances, but it creates an
enormous log file that is difficult to scan for basic information,
such as whether a backup job has been completed successfully.
(2) In this case, you are better off selecting a less detailed log
unless you suspect a problem that requires more specific
information.
c. Highly detailed log files take up a lot of disk space, so be careful not
to let them grow unchecked.
4. Many applications that keep logs let you set parameters that limit the log
file size.
|21| a. For example, the IIS application included with Microsoft Windows
2000 Server allows you to specify when each service should create a
new log file—hourly, daily, weekly, or monthly.
(1) You can also specify a maximum size for the log file or leave
it with no limitations.
|22| (2) By selecting the Extended Properties tab, you can select what
information the service should include in the log.
|23,24,25| C. Event Viewer
|24| 1. Some logs are maintained and displayed by a separate application, such
as the Event Viewer included in Windows 2000 and Windows NT.
2. To launch Event Viewer in Windows 2000, select Event Viewer on the
Start menu’s Programs/Administrative Tools group.
a. By default, the application displays the logs for the current system.
b. To view the logs of another computer running Windows 2000, select
Event Viewer in the left pane, and then select Connect To Another
Computer on the Action menu.
|25| 3. Event Viewer maintains lists of messages generated by various elements
of the operating system.
a. Each log entry is listed as a separate item with the date and time that
it was generated, the process that generated it, the event ID, and other
important information.
4. By default, Microsoft Windows 2000 Professional contains three
different logs—an Application Log, a Security Log, and a System Log—
all of which are maintained independently.
a. The Windows 2000 Server products include these three logs, plus
others, depending on the services installed.
(1) An Active Directory domain controller, for example, also has
Directory Service, DNS Server, and File Replication Service
logs.
5. Each event in each log is assigned one of the following classifications
and marked with a corresponding icon:
a. Information. Indicates the successful completion of an event, such as
launching a server application or loading a device driver
(1) Information messages are a normal by-product of the
computer’s operations and are not considered problematic.
b. Warning. Indicates a condition that is not necessarily a problem now,
but might become a problem in the future, such as when available
memory or disk space drops below a certain level
c. Error. Indicates the occurrence of a significant problem that has
caused a loss of system functionality or a loss of data
(1) Requires immediate attention, such as when a service fails to
load or a drive goes offline
|26| 6. When you double-click a log entry in Event Viewer’s main display, an
Event Properties dialog box appears.
a. Contains more detailed information about the entry, including a
description and any data generated by the event
b. You can use the arrow buttons in the upper right corner of the dialog
box to scroll up and down through the events in the log.
c. The entries stored in Event Viewer are sometimes also displayed as
pop-up error messages.
7. One advantage of using Event Viewer is that you do not have to write
down most error messages because you can always view or print them
later.
a. To copy the contents of the entry to the Windows clipboard, click the
third button in the upper right corner of the Event tab.
b. Paste the clipboard contents into Microsoft Notepad or another
application for printing or faxing to a technical support
representative.
|27| 6. Network Management Products
A. Error messages generated by operating systems and applications are
usually easy to monitor, but receiving error messages from other
network components, such as routers or computers at remote locations,
can be more difficult.
1. A stand-alone router does not have a screen to display error messages,
but many networking devices can supply information about their status.
B. Network management products, such as Hewlett Packard’s OpenView,
provide a comprehensive view of network systems and processes.
1. These products use a distributed architecture based on a specialized
management protocol, such as the Simple Network Management
Protocol (SNMP) or the Remote Monitoring (RMON) protocol.
C. Network management products often include a large collection of other
functions as well, including the following:
1. Software distribution and metering
2. Network diagnostics
3. Network traffic monitoring
4. Report generation
D. Network management products are not designed for small networks,
and they are not cheap.
E. Deploying a network management system is a complex undertaking
that is intended for administrators of large networks who cannot monitor
all their network devices individually.
1. You must be sure that, when you design and build your network, all the
equipment you use supports the network management protocol you
intend to use.
|28| F. SNMP
1. A TCP/IP application layer protocol and query language that specially
equipped networking devices use to communicate with a central console
2. Many networking hardware and software products, including routers,
switches, hubs, operating systems, and applications, are equipped with
SNMP agents.
a. An SNMP agent is a software module that gathers information about
the product and delivers it to a computer that has been designated as
the network management console.
b. The agents gather specific information about the network devices and
store it as managed objects in a management information base (MIB).
c. At regular intervals, the agents transmit their MIBs to the console,
using SNMP messages, which are carried inside User Datagram
Protocol (UDP) datagrams.
d. The console collates the information that it receives from the agents
and provides a composite picture of the network and its processes.
e. The console software can usually create a map of the
interconnections between network devices and display detailed log
information for each device.
f. If a serious problem occurs, an agent can generate a special message
called a trap.
(1) The agent transmits the trap immediately to the console, which
alerts you to a potentially dangerous condition.
3. In many cases, you can configure the console software to send alerts to
administrators in a variety of ways, including pop-up messages, e-mails,
faxes, and even pager signals.
7. Performance Monitors
A. Network monitoring tools, such as the Windows 2000 Performance
console, display activities as they occur.
1. The Performance console displays ongoing information about the
processes running on the computer that it is installed on, but many of
these processes can involve network activities.
B. The Windows 2000 Performance console is a graphical application that
displays real-time statistics about a computer’s activities.
1. It can also maintain logs of those statistics and generate alerts when their
values reach certain levels.
|29| 2. The System Monitor component of the Performance console lets you
select the statistics you want to monitor and view them in a dynamic
display.
3. The various elements that the program can monitor are called counters.
a. Windows 2000 includes dozens of counters for many different
hardware and software components, such as the processor, the
memory, and the network interface, as well as individual services and
applications.
b. Third-party software products can also add their own counters to
System Monitor, enabling you to track their specific activities.
4. Using System Monitor
|30| a. To add counters to the display, click the + (add) button on the toolbar
to open the Add Counters dialog box.
b. You can select as many counters as you want from each of the
categories in the Performance Object list, and for any computer on
the network.
c. The Explain button provides a brief definition of what the highlighted
counter is designed to measure.
d. After you have selected all the counters that you want to display in
the Add Counters dialog box, click Close.
(1) The main System Monitor screen immediately begins graphing
the values of the counters you selected.
e. Click Properties in the main System Monitor screen to change the
display from a line graph to a histogram or a numerical report.
f. To display information in a graph effectively, you might also have to
modify the scale used in the y axis, so that all of your counters are not
piled on top of each other at the bottom of the graph.
g. You can also change the colors used in the graph, the interval at
which the information is updated, and other display characteristics.
|31| C. You can also use the Performance Logs and Alerts feature of the
Performance console to create log files containing the statistics of
particular counters over a period of time.
|32| 1. You can create alerts that are triggered when the value of a particular
counter reaches a level that you specify.
2. You can then configure the alert to notify you of the situation by adding
an entry to the event log, sending a network message, starting a
performance data log, or executing a program that you specify.
3. The Performance console and other similar tools can give you
information that you can use to monitor and diagnose problems on your
network.
D. Other operating systems have their own monitoring applications.
|33| 1. Example: MONITOR.NLM in Novell NetWare
2. Several third-party products are also available with which you can
continually observe the status of your network.
|34| 8. Protocol Analyzers
A. Are tools that capture a sample of the traffic passing over the network,
decode the packets into the language of the individual protocols that
they contain, and let you examine them in minute detail
1. Often compile network traffic statistics, such as the number of packets
using each protocol and the number of collisions that occur on the
network
B. Using the protocol analyzer to capture and display network traffic is
relatively easy.
1. However, interpreting the information that the analyzer presents and
using it to troubleshoot your installation requires a detailed
understanding of the protocols running on the network.
2. There is no better way to acquire this understanding than to examine the
data transmitted over a live network.
C. Are useful tools that can also be used for malicious purposes
1. In addition to displaying the information in the captured packets’
protocol headers, the analyzer can also display the data carried inside the
packets.
a. This can sometimes include confidential information, such as
unencrypted passwords and personal correspondence.
2. If you can avoid it, do not permit your users to run protocol analyzers
unsupervised.
D. Can be either a device with a proprietary interface that you connect to a
network to capture traffic, or a software program that runs on a
computer that is already connected to the network
1. Some network consultants who frequently work at different sites install
a software-based protocol analyzer on a portable computer and, by
changing PC Card network interface adapters, are ready to connect to
virtually any network.
E. Typically work by switching the network interface adapter they use to
access the network into promiscuous mode
1. In promiscuous mode, a network interface adapter reads and processes
all the traffic that is transmitted over the network, not just the packets
that are addressed to it.
a. This means that you can examine all the traffic on the network from
one computer.
2. Running a protocol analyzer in promiscuous mode also requires a
network interface adapter that is capable of being switched into that
mode.
3. Most, but not all, adapters can run in promiscuous mode.
F. The most common protocol analyzer today is the Microsoft Network
Monitor application, mostly because it is included with all the Windows
2000 Server and Windows NT Server products.
1. The Network Monitor application is also included with the Microsoft
Systems Management Server (SMS) product, but with an important
difference.
a. The version of Network Monitor in SMS supports promiscuous
mode, but the version in Windows 2000 Server and Windows NT
Server does not.
(1) This means that the server version lets you capture only the
traffic addressed to or transmitted by the server that Network
Monitor is running on.
G. Capturing traffic
1. The first step of a protocol analysis is to capture a sample of the network
traffic.
2. Select the network interface that you want to use (if there is more than
one) and start the capture process by clicking Start Capture on the
toolbar.
3. The program reads the packets that arrive over the network interface and
stores them in a buffer for later examination.
a. Protocol analyzers, like detailed log files and performance monitors,
offer a huge amount of information.
(1) The trick to using the tool effectively is zeroing in on what you
need.
(2) On a busy network, a packet capture of only a few seconds can
consist of thousands of packets, generated by dozens of
different systems.
(3) Protocol analyzers have filters that let you select the packets
that you want to capture by using criteria such as
(a) The source computer address
(b) The destination computer address
(c) The protocols used to build the packets
(d) The information found in the packets
(4) If you specify capture filters, you have a much smaller traffic
sample that contains less of the extraneous information
generated by other network processes.
b. Some protocol analyzers offer more comprehensive capture filtering
capabilities, such as selecting specific application layer protocols,
than Network Monitor does.
4. When you start the capture, the software displays the number of packets
passing over the network and the number that are being captured by the
filter.
5. When you have a sample of sufficient size, click Stop Capture.
H. Displaying captured traffic
|35| 1. When you have captured a network traffic sample, click Display
Captured Data to show your sample in the Capture Summary window.
2. This window displays a chronological list of the packets in your sample,
including the following information:
a. Frame. Shows the number of the frame (or packet) in the sample
b. Time. Indicates the time (in seconds) that the packet was captured,
measured from the beginning of the sample
c. Src MAC Addr. Gives the hardware address of the network interface
in the computer that transmitted the packet
(1) For computers that the analyzer recognizes by a friendly name,
such as a Network Basic Input/Output System (NetBIOS)
name, this field contains that name instead of the address.
(a) The computer the analyzer is running on is identified
as LOCAL.
d. Dst MAC Addr. Gives the hardware address of the network interface
in the computer that received the packet
(1) Friendly names are substituted if available.
(2) By building up an address book of the computers on your
network, you can eventually have captures that use only
friendly names.
e. Protocol. Shows the dominant protocol in the packet
(1) Each packet contains information generated by protocols
running at several different layers of the Open Systems
Interconnection (OSI) reference model.
(2) The protocol specified here indicates the primary function of
the packet.
(a) For example, a Hypertext Transfer Protocol (HTTP)
packet also uses the Transmission Control Protocol
(TCP), IP, and Ethernet protocols, but the packet’s
function is to deliver an HTTP message.
f. Description. Indicates the function of the packet, using information
specific to the protocol referenced in the Protocol field
(1) For an HTTP packet, for example, this field indicates whether
the packet contains an HTTP GET Request or a Response
message.
g. Src Other Addr. Specifies another address used to identify the
computer that transmitted the packet
(1) In the case of the TCP/IP protocols, this field contains the IP
address.
h. Dst Other Addr. Specifies another address (such as an IP address)
used to identify the computer that received the packet
i. Type Other Addr. Specifies the type of address used in the Src Other
Addr and Dst Other Addr fields
3. From this main display, you can track the progress of transactions
between specific pairs of computers on your network.
4. To zero in on a particular message exchange, you can use Network
Monitor to apply filters to already-captured samples as well as during
the capture.
a. The interface you use to create the filters is the same one you use to
select the capture filters.
b. When you apply a filter, you see only the packets that conform to the
parameters you have chosen.
(1) The other packets are still there in the sample; they are just not
being displayed.
c. You can modify the filter at any time to display more or less data.
|36| 5. When you double-click one of the packets listed in the main Capture
Summary window, the display splits into three parts.
a. The top section contains the original capture summary, with the
selected packet highlighted.
b. The middle section contains the contents of the selected packet, in a
fully interpreted, expandable display.
(1) The center section of the display is where you can learn the
most about the contents of each packet.
(2) The analyzer interprets the data in the packet and separates it
into the headers for the protocols operating at the various
layers.
|37| (3) Clicking the plus sign (+) next to a protocol expands it to
display the contents of the various header fields.
(4) The header fields display the source port and destination port
numbers.
(5) The destination port number contains
(a) The protocol code for HTTP
(b) The sequence number and acknowledgment number
values used to implement TCP’s packet
acknowledgment and error detection mechanisms
(c) The other header fields
|38| c. The bottom section contains the raw, uninterpreted contents of the
packet in hexadecimal and alphanumeric form.
(1) The raw data display at the bottom of the window is used
primarily to view the application layer data carried as the
payload inside a packet.
(2) When you look at an HTTP Response packet transmitted by a
Web server to a browser, you see the HTML code of the Web
page the server is sending to the browser.
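The Capture Summary columns and the three-part packet display described above, worked through as an added example (not Network Monitor's code and not part of the original outline): a small Python decoder run over constructed frames, followed by a display filter. The MAC and IP addresses, port 1045, the sample payloads and all function names are assumptions made for the illustration.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def decode_frame(number, seconds, raw):
    """Decode one Ethernet II frame into a capture-summary row plus TCP header detail."""
    row = {"Frame": number, "Time": seconds, "Src MAC Addr": None, "Dst MAC Addr": None,
           "Protocol": "ETHERNET", "Description": "", "Src Other Addr": None,
           "Dst Other Addr": None, "Type Other Addr": None, "tcp": None, "payload": b""}
    if len(raw) < 14:
        row["Description"] = "truncated frame"
        return row
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    row["Dst MAC Addr"], row["Src MAC Addr"] = mac(dst), mac(src)
    if ethertype != 0x0800:                       # not IPv4: stop at the data-link layer
        row["Description"] = f"EtherType 0x{ethertype:04X}"
        return row
    ip = raw[14:]
    row["Protocol"] = "IP"
    ihl = (ip[0] & 0x0F) * 4 if ip else 0         # header length is counted in 32-bit words
    if len(ip) < 20 or ip[0] >> 4 != 4 or not 20 <= ihl <= len(ip):
        row["Description"] = "malformed IP header"
        return row
    row.update({"Type Other Addr": "IP",
                "Src Other Addr": socket.inet_ntoa(ip[12:16]),
                "Dst Other Addr": socket.inet_ntoa(ip[16:20])})
    if ip[9] != 6:                                # only TCP is decoded further here
        row["Description"] = f"IP protocol {ip[9]}"
        return row
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]                       # slicing to total_len drops Ethernet padding
    row["Protocol"] = "TCP"
    if len(tcp) < 20:
        row["Description"] = "truncated TCP header"
        return row
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(tcp):
        row["Description"] = "malformed TCP header"
        return row
    payload = tcp[data_off:]
    row["tcp"] = {"Source Port": sport, "Destination Port": dport,
                  "Sequence Number": seq, "Acknowledgement Number": ack}
    row["payload"] = payload
    row["Description"] = f"{sport} -> {dport}, len {len(payload)}"
    if 80 in (sport, dport) and payload:          # the dominant protocol is HTTP
        first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        kind = "Response: " if first.startswith("HTTP/") else "Request: "
        row["Protocol"], row["Description"] = "HTTP", kind + first
    return row

def display_filter(rows, criteria):
    """Return only the rows matching every criterion; the captured sample stays intact."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]

def raw_pane(data, width=16):
    """Bottom pane: offset, hexadecimal bytes and their printable characters."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart:<{width * 3}} {text}")
    return lines

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Constructed sample input; checksums stay zero because the decoder does not verify them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | 0x018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 128, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip + tcp

CLIENT, SERVER = "02005E000001", "02005E000002"   # constructed, locally administered MACs
SAMPLE = [                                        # (seconds since start of capture, raw frame)
    (0.000, build_frame(CLIENT, SERVER, "192.0.2.10", "192.0.2.80", 1045, 80, 1000, 5000,
                        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
    (0.012, build_frame(SERVER, CLIENT, "192.0.2.80", "192.0.2.10", 80, 1045, 5000, 1051,
                        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        b"<html><body>Hi</body></html>")),
    (0.020, bytes.fromhex("FFFFFFFFFFFF" + CLIENT + "0806") + bytes(28)),  # non-IP frame, body zeroed
    (0.031, b"\x02\x00\x5e"),                                              # truncated frame
]

def capture_summary():
    return [decode_frame(i + 1, t, raw) for i, (t, raw) in enumerate(SAMPLE)]

if __name__ == "__main__":
    rows = capture_summary()
    for r in rows:
        print(r["Frame"], r["Time"], r["Src MAC Addr"], r["Dst MAC Addr"],
              r["Protocol"], r["Description"], r["Src Other Addr"], r["Dst Other Addr"])
    shown = display_filter(rows, {"Protocol": "HTTP"})
    print(len(shown), "of", len(rows), "frames displayed")
    print(shown[1]["tcp"])
    print("\n".join(raw_pane(shown[1]["payload"])))
```

The raw pane for frame 2 shows the HTML in clear text, which is why a capture of unencrypted traffic needs the same handling as the data it carries.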
Chapter 18, Lesson 3
Network Testing and Monitoring Tools
1. Introduction
A. Some network tools used by network administrators can do more than
merely provide information.
1. Most of these specialized tools are used to install and troubleshoot
cables, primarily because cables are a component of the network that
have no means of displaying error messages.
|39| 2. Crossover Cables
A. A crossover cable, which is used to connect UTP Ethernet computers
without a hub, is also a good tool to use for eliminating the hub and the
cables as possible sources of a network communications problem.
1. If two computers seem to be properly connected using a hub and
prefabricated cables (or an internal cable run and patch cables) and they
are not communicating, try connecting the computers with a crossover
cable that you know works properly.
a. If the computers can communicate with the crossover cable, the
problem is in either the hub or the cables connecting the computer to
the hub.
b. If the computers fail to communicate with the crossover cable, the
problem is in one or both of the computers or network interface
adapters.
|40| 3. Hardware Loopback Connectors
A. An inexpensive device that you plug into a jack
B. Redirects the outgoing signals from the device right back into it
1. Example: you can buy loopback connectors for parallel and serial ports
that work with diagnostic software to check the transmission and
reception capabilities of the ports.
2. You can also purchase a loopback connector that plugs into a UTP
network interface adapter’s RJ-45 port.
C. Many adapters have a diagnostic utility built into their configuration
programs.
1. After plugging the loopback connector into the adapter port, you run the
diagnostic program, and the loopback connector transmits a series of
signals out through the adapter.
2. If the adapter receives the signals back in exactly the same format as
they were sent, the adapter passes the test.
D. Running a test with a loopback connector is completely different from
transmitting packets to the TCP/IP loopback address (127.0.0.1).
1. Even though using the loopback address causes all transmitted traffic to
return to the incoming buffers of the same computer, the signals never
actually reach the network interface adapter.
2. The loopback address is a feature of the IP protocol, and packets sent to
it never travel below the network layer of the OSI reference model.
3. In a loopback connector test, the packets travel all the way down to the
physical layer and out of the computer, only to be routed immediately
back in by the loopback connector.
|41| 4. Tone Generators and Tone Locators
A. When you install UTP cable internally, you must test each connection.
1. After installing cable, you certainly do not want to tear everything apart
again because of an improperly wired connection.
|42| B. One of the most basic ways to identify and test a cable connection is to
use a tone generator and locator, also known as a "fox and hound"
cable tester.
1. The tone generator is a device that you connect to a cable at one end; it
then transmits a signal over the cable.
2. The tone locator is a separate device with a probe that can detect the
generator’s signal, either by touching it to the conductor in the cable or
by touching it to the insulation on the outside of the cable.
a. When the locator detects the generator’s signal, it emits an audible
tone.
C. You can use a tone generator and locator to test an entire cable or to
test the individual wire connections inside a UTP cable.
D. Tone generators and locators are most commonly used to identify the
cable belonging to a particular connection.
1. If you perform an internal cable installation and you forget to label a
cable, you can connect the tone generator at the wall plate end and touch
the probe to each cable at the patch panel end until you find the cable
that produces a tone.
2. Some cable installers omit the labeling process entirely and rely
completely on this method for identifying their cable runs, but this is not
recommended.
3. The tool is also valuable for identifying one particular cable in a bundle
in the middle of the connection.
E. You can also use a tone generator and locator to test the individual wire
connections inside a UTP cable.
1. You connect the generator to a single wire or connector contact, using
alligator clips, and then touch the locator to each wire or contact at the
other end of the cable.
2. You can test for any major wiring faults that affect internal UTP cable
installations.
a. If you fail to detect a signal on the contact that the generator is
connected to at the other end, you have an open circuit.
b. If you detect a signal on the wrong contact, you have punched down
the wires to the wrong contacts, resulting in transposed wires.
c. If you detect a signal on two or more wires, you have a short.
F. The tone generator and locator is the simplest and most inexpensive
type of cable tester (at approximately $100), but this method of testing
UTP cable connections is relatively unreliable and extremely
time-consuming.
1. Testing individual wires in a UTP cable is a slow and error-prone
process.
2. Requires two people to use the equipment—one at the generator end and
one at the locator end—who are in constant contact
a. You can do this by yourself if you do not mind running back and
forth from one end of the cable connection to the other.
3. The tone locator is a useful tool for troubleshooting a single cable
connection.
4. For testing a large number of newly installed cable runs, you can buy a
wire map tester that detects all the same faults by testing all of the wire
connections in the cable at once.
|43| 5. Wire Map Testers
A. A device that is similar in principle to the tone generator and locator,
except that it tests all the wire connections in a UTP cable at once
B. Consists of two parts that you connect to the opposite ends of a cable
1. The unit at one end transmits signals over all the wires, which are
detected by the unit at the other end.
C. Can detect transposed wires, open circuits, and shorts, just as a tone
generator and locator can
1. However, it does all the tests simultaneously and provides you with a
simple readout telling you what is wrong.
D. The one common cable fault that a typical stand-alone wire map tester
cannot detect is a split pair.
1. A split pair is a wiring fault in which the wires are connected to the
wrong contacts at both ends of the cable in exactly the same way.
2. Each contact is wired straight through to its corresponding contact at the
other end, yielding a connection that appears to be correct to a normal
wire map test.
a. However, the wires that are actually carrying the signals are
improperly paired.
3. Normally, a UTP cable has one transmit wire and one receive wire, each
of which is twisted into a separate pair with its corresponding ground
wire.
a. In a split pair, the transmit and receive wires can be twisted into one
pair and their two ground wires into another pair.
4. Having the two signal wires twisted into the same pair generates an
excessive amount of crosstalk.
5. A wire map tester knows only that the signals it has transmitted over
each wire have reached the other end of the cable at the correct contact.
6. You need a device that can measure crosstalk, such as a multifunction
cable tester, to detect split pairs.
E. Wire map testers are relatively inexpensive ($200–$300) stand-alone
devices.
1. You can also find the same functions as part of a multifunction cable
tester, which costs a great deal more.
F. For a small to medium-sized internal cable installation, a wire map
tester is a good investment, both for installation and for troubleshooting
purposes.
1. You can also use the tester to check your prefabricated cables for faults.
G. For large installations or professional cable installers, a multifunction
cable tester is a better idea.
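Why a split pair passes a wire map test, as an added example (not part of the original outline): a Python model of a four-pair cable run that applies the pin-to-pin continuity check and then a separate pairing check. The T568B pin assignment, the conductor labels and the function names are assumptions; a real tester finds split pairs by measuring crosstalk, which this model replaces with a direct look at which conductors are twisted together.

```python
# Which physical twisted pair each conductor belongs to (assumed colour labels).
PAIR_OF = {"W-O": "orange", "O": "orange", "W-G": "green", "G": "green",
           "W-Bl": "blue", "Bl": "blue", "W-Br": "brown", "Br": "brown"}

# Pins that carry one signal and therefore must share a twisted pair (T568A/B).
SIGNAL_PAIRS = [(1, 2), (3, 6), (4, 5), (7, 8)]

# pin -> conductor punched down on that pin
T568B = {1: "W-O", 2: "O", 3: "W-G", 4: "Bl", 5: "W-Bl", 6: "G", 7: "W-Br", 8: "Br"}
# The classic mistake: pairs laid down side by side, identically at both ends.
SEQUENTIAL = {1: "W-O", 2: "O", 3: "W-G", 4: "G", 5: "W-Bl", 6: "Bl", 7: "W-Br", 8: "Br"}

def wire_map(end_a, end_b, shorts=()):
    """Continuity test: drive each pin at end A and note which pins at end B respond.

    shorts is an iterable of (conductor, conductor) pairs bridged somewhere in the run.
    Returns a list of (pin, fault); an empty list means the wire map test passes.
    """
    faults = []
    for pin in range(1, 9):
        driven = {end_a.get(pin)} - {None}
        for x, y in shorts:                       # signal spreads across a bridge
            if x in driven or y in driven:
                driven |= {x, y}
        seen = sorted(p for p, c in end_b.items() if c in driven)
        if not seen:
            faults.append((pin, "open"))
        elif len(seen) > 1:
            faults.append((pin, "short"))
        elif seen != [pin]:
            faults.append((pin, "transposed"))
    return faults

def split_pairs(end_a, end_b):
    """Pairing check: signal pairs whose two conductors come from different twists."""
    bad = []
    for p, q in SIGNAL_PAIRS:
        for end in (end_a, end_b):
            if PAIR_OF.get(end.get(p)) != PAIR_OF.get(end.get(q)):
                bad.append((p, q))
                break
    return bad

def report(end_a, end_b, shorts=()):
    return {"wire_map": wire_map(end_a, end_b, shorts) or "PASS",
            "split_pairs": split_pairs(end_a, end_b) or "none"}

if __name__ == "__main__":
    print("good run    ", report(T568B, T568B))
    print("transposed  ", report(T568B, {**T568B, 1: "O", 2: "W-O"}))
    print("open        ", report(T568B, {**T568B, 6: None}))
    print("short       ", report(T568B, T568B, shorts=[("W-G", "G")]))
    print("split pair  ", report(SEQUENTIAL, SEQUENTIAL))
```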
|44,45,46| 6. Multifunction Cable Testers
|45| A. Handheld devices that perform a variety of tests on a cable connection
and compare the results to standard values that have been
programmed into the unit
1. Also called media testers or certifiers
2. You connect the unit to the cable and press a button, and the device
displays a list of pass or fail ratings for the individual tests.
B. Multifunction cable testers can perform the basic wire mapping tests
and can also test copper cable for any of the following:
1. Length
a. The most common method for determining the length of a cable is
called time domain reflectometry (TDR).
(1) The tester transmits a signal over the cable and measures how
long it takes for the signal’s reflection to return.
(2) Using the nominal velocity of propagation (NVP) for the
cable, which is the speed at which signals travel through the
cable (information supplied by the manufacturer), you can
compute the length of the cable.
b. This function also enables you to determine the location of a break in
a cable.
2. Attenuation
a. The tester determines the cable’s attenuation (measured in decibels)
by comparing the strength of a signal at the far end of a cable to its
strength when transmitted.
3. Near end crosstalk (NEXT)
a. Testing for NEXT is a matter of transmitting a signal over one of a
cable’s wires and then detecting the strength of the signal that bleeds
over into the other wires near the end of the cable where the
transmitter is located.
4. Power sum NEXT (PSNEXT)
a. A measurement of the crosstalk generated when three of the four wire
pairs are carrying signals at once
b. Intended for networks using technologies like Gigabit Ethernet that
transmit signals over several wire pairs simultaneously
5. Equal level far end crosstalk (ELFEXT)
a. A measurement of the crosstalk at the opposite end of the cable from
the transmitter, corrected to account for the amount of attenuation in
the connection
6. Power sum ELFEXT (PSELFEXT)
a. A measurement of the crosstalk generated at the far end of the cable
by three signal-carrying wire pairs, corrected for attenuation
7. Propagation delay
a. Indicates the amount of time required for a signal to travel from one
end of a cable to the other
8. Delay skew
a. The difference between the lowest and the highest propagation delay
measurements for the wires in a cable
b. Because the wire pairs inside a UTP cable are twisted at different
rates, their relative lengths can differ, and the delay skew
measurement quantifies that difference.
9. Return loss
a. A measurement of the accumulated signal reflection caused by
variations in the cable’s impedance along its length
b. These impedance variations are typically caused by untwisting too
much of the wire pairs when making connections.
C. Not all of these tests are required for every cable installation.
1. Knowing the lengths of your cables and other measurements can help
you keep your cable installation within the guidelines established for the
protocol you will be using.
2. Measuring elements such as attenuation and delay skew are also useful
for testing cables before you install them, so that you can be sure that
you received the cable grade that you paid for.
|46| D. Multifunction cable testers can, in some ways, be dangerous because
of the very strengths they advertise.
1. Some marketing materials for these devices imply that you do not really
have to know what all of these measurements mean; you can just plug
your cables in and rely on the device to tell you if they are installed
correctly.
a. This is true, as long as the tester is calibrated to the proper standards.
2. If you do not know what the various tests represent, you are relying on
the manufacturer of the device to set it to the proper standards.
a. In some cases, official standards for certain cable types have not yet
been ratified.
3. It is possible to reprogram the device with your own baseline standards,
which can be a problem if you are relying on someone else’s tester to tell
you that your installation has been performed properly.
a. An unscrupulous cable installer could make a few simple changes to
the tester’s settings, such as changing the NVP rating for the cable,
and cause a network that would previously have failed certain tests to
pass them.
4. The bottom line for using multifunction cable testers:
a. Do not let an untrustworthy person test cables.
b. If you purchase a tester, you should familiarize yourself with all of its
tests and the standards against which it compares its results.
E. Most multifunction cable testers are extremely expensive.
1. Prices running to several thousand dollars are common.
2. Top-of-the-line units (such as those that combine copper and fiber optic
testing capabilities) can cost $5,000 or more.
Chapter Summary
|47| A. Documentation and resources
1. Product documentation can be a valuable network troubleshooting tool.
a. You should always keep all the documentation that comes with your
hardware and software.
2. Web sites for many hardware and software manufacturers offer a variety
of resources for the network administrator, including technical
documents, FAQs, online messaging, and technical support databases.
|48| B. Logs and indicators
1. LEDs and other lights are frequently useful indicators of a hardware
component’s current status.
2. The link pulse LEDs on Ethernet hubs and network interface adapters
indicate when these devices are connected properly.
3. Tools such as the Windows 2000 Performance console let you monitor
ongoing computer and network operations in real time.
|49| C. Network testing and monitoring tools
1. Tone generators and tone locators are simple cable-testing devices that
determine whether a cable is carrying a signal.
2. Wire map testers test all four of the wire pairs in a UTP cable at the
same time.
3. Multifunction cable testers perform a comprehensive battery of tests on a
cable connection and compare the results to established standards.