Chapter 12 - Troubleshooting Tools and Strategies

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Many excellent network troubleshooting tools are available for Windows NT Server and Windows NT Workstation. Most are included with the product or in the Windows NT Server and Windows NT Workstation Resource Kits. Microsoft Network Monitor is an excellent network tracing tool that is included in the Microsoft Systems Management Server product.

When troubleshooting any problem, it is helpful to use a logical approach. Some questions to ask are:

What does work?
What doesn't work?
How are the things that do and don't work related?
Have the things that don't work ever worked on this computer and network?
If so, what has changed since they last worked?

Troubleshooting a problem "from the bottom up" is often a good way to quickly isolate it. The troubleshooting tasks discussed in this chapter are organized using this "bottom up" approach.

The first section of this chapter gives an overview of TCP/IP troubleshooting tools. The next section discusses various TCP/IP troubleshooting tasks, followed by a section on using Performance Monitor and Network Monitor to analyze network behavior. The final section of this chapter provides information about common TCP/IP networking problems.

Overview of TCP/IP Troubleshooting Tools
Identify the TCP/IP Configuration by Using IPConfig
Test Connection to the TCP/IP Network by Using Ping
Understanding Address and Name Resolution
Troubleshoot NetBIOS Name Resolution by Using NBTStat
Test IP-address-to-MAC-address Resolution by Using ARP
Understanding IP Routing for Windows NT
Examine the Route Between Network Connections by Using Tracert
Examine the Route Table by Using Route
Display Current TCP/IP Connections and Statistics by Using Netstat
Using Performance Monitor
Using the Microsoft Network Monitor
Using the Microsoft Knowledge Base
Troubleshooting Other Connection Problems

Overview of TCP/IP Troubleshooting Tools

The following table lists the diagnostic utilities included with Microsoft TCP/IP that can be used to identify or resolve TCP/IP networking problems.

Table 12.1 TCP/IP Diagnostic Utilities

Utility	Used to
arp	View the ARP (address resolution protocol) table on the local computer to detect invalid entries.
hostname	Print the name of the current host.
ipconfig	Display current TCP/IP network configuration values, and update or release TCP/IP network configuration values.
nbtstat	Check the state of current NetBIOS over TCP/IP connections, update the LMHOSTS cache, and determine the registered name and scope ID.
netstat	Display protocol statistics and the state of current TCP/IP connections.
nslookup	Check records, domain host aliases, domain host services, and operating system information by querying Internet domain name servers.
ping	Verify whether TCP/IP is configured correctly and that a remote TCP/IP system is available.
route	Print the IP route table, and add or delete IP routes.
tracert	Check the route to a remote system.

For complete details about the TCP/IP utilities, see Appendix A, "TCP/IP Utilities Reference."

These additional Windows NT tools can be used for TCP/IP troubleshooting:

Microsoft SNMP service — provides statistical information to SNMP management systems
Event Viewer — tracks errors and events
Performance Monitor — analyzes TCP/IP and WINS server performance
Registry Editor — allows viewing and editing of Registry parameters

In general, when troubleshooting it is usually best to first verify that the computer TCP/IP configuration is correct, and then verify that a connection and route exist between the computer and network host by using ping, as described in the section "Test Connection to the TCP/IP Network by Using Ping" later in this chapter.

Compile a list of what works and what doesn't work, and then study the list to help isolate the failure. If link reliability is in question, try a large number of pings of various sizes at different times of the day, and plot the success rate. When all else fails, using a protocol analyzer, such as Microsoft Network Monitor, can be helpful.

Identify the TCP/IP Configuration by Using IPConfig

When troubleshooting a TCP/IP networking problem, begin by checking the TCP/IP configuration on the computer experiencing the problem. Use the ipconfig command to get the host computer configuration information, including the IP address, subnet mask, and default gateway. Ipconfig is a command-line utility that prints out the TCP/IP-related configuration of the local computer.

Note: Windows 95 users use winipcfg in place of ipconfig.

When ipconfig is used with the /all switch, it produces a detailed configuration report for all interfaces, including any configured serial ports (RAS). Ipconfig output may be redirected to a file and pasted into other documents. This output of ipconfig can be reviewed to find any problems in the computer network configuration. For example, if the computer has been configured with an IP address that is a duplicate of an existing IP address, the subnet mask will appear as 0.0.0.0.

The following example illustrates the results of an ipconfig/all command on a computer that is configured to use a DHCP server for automatic TCP/IP configuration, and WINS and DNS servers for name resolution:

    Windows NT IP Configuration
    Host Name . . . . . . . . . : davemac1.terraflora.com
    DNS Servers . . . . . . . . : 172.16.48.03
    Node Type . . . . . . . . . : Hybrid
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : No
    Ethernet adapter Elnk31:
    Description . . . . . . . . : ELNK3 Ethernet Adapter.
    Physical Address. . . . . . : 00-20-AF-1D-2B-91
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 172.16.48.10
    Subnet Mask . . . . . . . . : 255.255.248.0
    Default Gateway . . . . . . : 172.16.48.03
    DHCP Server . . . . . . . . : 172.16.48.03
    Primary WINS Server . . . . : 172.16.48.03
    Secondary WINS Server . . . : 172.16.48.03
    Lease Obtained. . . . . . . : Sunday, June 25, 1996 11:43:01 
    PM
    Lease Expires . . . . . . . : Wednesday, June 28, 1996 
    11:43:01 PM
    Ethernet adapter NdisWan5:
    Description . . . . . . . . :
    Physical Address. . . . . . : 00-00-00-00-00-00
    DHCP Enabled. . . . . . . . : No
    IP Address. . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . :

If no problems appear in the TCP/IP configuration, the next step is to test the ability to connect to other host computers on the TCP/IP network.

Test Connection to the TCP/IP Network by Using Ping

Ping is a tool that helps to verify IP-level connectivity. When troubleshooting, the ping command is used to send an ICMP echo request to a target host name or IP address. Use ping whenever you need to verify that a host computer can connect to the TCP/IP network and network resources. You can also use the ping utility to isolate network hardware problems and incompatible configurations.

It is usually best to verify that a route exists between the local computer and a network host by first using ping and the IP address of the network host to which you want to connect. First try pinging the IP address of the target host to see if it will respond, because this is the simplest case. The command syntax is:

ping IP_address

Perform the following steps when using ping:

Ping the loopback address to verify that TCP/IP is installed and configured correctly on the local computer.

Ping 127.0.0.1

Ping the IP address of the local computer to verify that it was added to the network correctly.

Ping IP_address_of_local_host

Ping the IP address of the default gateway to verify that the default gateway is functioning and that you can communicate with a local host on the local network.

Ping IP_address_of_default_gateway

Ping the IP address of a remote host to verify that you can communicate through a router.

Ping IP_address_of_remote_host

Ping uses Windows Sockets-style name resolution to resolve a computer name to an IP address, so if pinging by address succeeds, but fails by name, then the problem lies in address or name resolution, not network connectivity. Refer to the section "Test IP-address-to-MAC-address Resolution by Using ARP" later in this chapter.

If you cannot use ping successfully at any point, check the following:

The computer was restarted after TCP/IP was installed and configured.
The local computer's IP address is valid and appears correctly in the IP Address tab of the Microsoft TCP/IP Properties dialog box.
IP routing is enabled and the link between routers is operational.

Type ping -? to see what command-line options are available. For example, ping allows you to specify the size of packets to use, how many to send, whether to record the route used, what time-to-live (TTL) value to use, and whether to set the "don't fragment" flag.

The following example illustrates how to send two pings, each 1450 bytes in size, to address 172.16.48.10:

C:\>ping -n 2 -l 1450 172.16.48.10
Pinging 172.16.48.10 with 1450 bytes of data: 

Reply from 172.16.48.10: bytes=1450 time=10ms TTL=32
Reply from 172.16.48.10: bytes=1450 time=10ms TTL=32

By default, ping waits only 750 ms for each response to be returned before timing out. If the remote system being pinged is across a high-delay link such as a satellite link, responses could take longer to be returned. The -w (wait) switch can be used to specify a longer timeout.

Understanding Address and Name Resolution

TCP\IP under Windows NT allows a computer to communicate over a network with another computer by using any of the following:

IP address
Host name
NetBIOS name

If you get the correct response when using ping with an IP address but an incorrect response when using ping with the host name or NetBIOS name, you have a name resolution problem. The following sections describe the processes that occur when using a host name or a NetBIOS name, instead of an IP address, to connect with hosts on a TCP/IP network.

Host Name Resolution

A DNS server or the HOSTS file is used when you use the TCP/IP utilities, such as ping. You can find the HOSTS file in the winnt\system32\drivers\etc directory. This file is not dynamic; entries are made manually. The format of the file is the following:

IP Address Friendly Name

172.16.48.10jsmith_nt   # Remarks are denoted with a #.

Host Name Resolution Using a HOSTS File

The general process that occurs when using the HOSTS file for name resolution is summarized in the following steps.

Computer A enters a command using the host name of Computer B.
The HOSTS file on Computer A (in the \Systemroot\System32\Drivers\Etc directory) is parsed. When the host name of Computer B is found, it is resolved to an IP address.
The Address Resolution Protocol (ARP) is then used to resolve the IP address of Computer B to its hardware address. If Computer B is on the local network, its hardware address will be obtained by using the ARP cache or by sending a local broadcast asking for a reply from Computer B with its hardware address. If Computer B is on a remote network, ARP will determine the hardware address of the default gateway for routing to Computer B.

Note: Host name resolution using a Domain Name System (DNS) server is similar to the preceding steps. Instead of parsing the HOSTS file in Step 2, the DNS server looks up the host name of Computer B in its database and resolves it to an IP address.

The following types of problems can occur because of errors related to the HOSTS file:

The HOSTS file or the DNS server does not contain the particular host name.
The host name in the HOSTS file or in the command is misspelled or uses different capitalization. (Host names are case-sensitive.)
An invalid IP address is entered for the host name in the HOSTS file.
The HOSTS file contains multiple entries for the same host on separate lines; if so, the first entry is the one that is used.
A mapping for a computer name-to-IP-address was mistakenly added to the HOSTS file (rather than LMHOSTS).

Troubleshoot NetBIOS Name Resolution by Using NBTStat

NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. TCP/IP provides many options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, DNS server query, and LMHOSTS and HOSTS lookup.

Nbtstat is a useful tool for troubleshooting NetBIOS name resolution problems. The nbstat command allows for removing or correcting preloaded entries.

nbtstat - n displays the names that were registered locally on the system by applications such as the server and redirector.
nbtstat -c shows the NetBIOS name cache, which contains name-to-address mappings for other computers.
nbtstat -R purges the name cache and reloads it from the LMHOSTS file.
nbtstat -a <name> performs a NetBIOS adapter status command against the computer specified by name. The adapter status command returns the local NetBIOS name table for that computer plus the MAC address of the adapter card.
nbtstat -S lists the current NetBIOS sessions and their status, including statistics, as shown in the following example:

NetBIOS Connection Table

Local Name State In/Out Remote Host Input Output

DAVEMAC1 <00> Connected Out CNSSUP1<20> 6MB 5MB DAVEMAC1 <00> Connected Out CNSPRINT<20> 108KB 116KB DAVEMAC1 <00> Connected Out CNSSRC1<20> 299KB 19KB DAVEMAC1 <00> Connected Out STH2NT<20> 324KB 19KB DAVEMAC1 <03> Listening

Test IP-address-to-MAC-address Resolution by Using ARP

TCP\IP under Windows NT allows a computer to communicate over a network with another computer by using either an IP address, a host name, or a NetBIOS name. However, when one computer attempts to communicate with another computer using one of these three naming conventions, that name must ultimately be resolved to a hardware address, the medium access control (MAC) address.

The Address Resolution Protocol (ARP) allows a host to find the MAC address of a destination host on the same physical network, given the destination host's IP address. To make ARP efficient, each computer caches IP-to-MAC address mappings to eliminate repetitive ARP broadcast requests.

The arp command allows a user to view and modify the ARP table entries on the local computer. The arp command is useful for viewing the ARP cache and resolving address resolution problems.

Understanding IP Routing for Windows NT

Windows NT supports routing on both single- and multi-homed computers with, and without, the Multi-Protocol Router (MPR). MPR includes Routing Information Protocol (RIP) for TCP/IP and RIP for IPX. Routers use RIP to dynamically exchange routing information. RIP routers broadcast their routing tables every 30 seconds by default. Other RIP routers will listen for these RIP broadcasts and update their own route tables.

This section provides information about the Windows NT-based route table as used on single- and multi-homed computers with, and without, MPR. This background information will help with TCP/IP troubleshooting.

The Route Table

Even a single-homed TCP/IP host has to make routing decisions. The route table controls these routing decisions. You can display the route table by typing route print at the command prompt. The following is an example route table from a single-homed machine. Windows NT automatically builds this simple route table based on the IP configuration of your host.

Network Address   Netmask          Gateway Address  Interface       Metric

0.0.0.0           0.0.0.0          172.16.16.1      172.16.48.169      1
127.0.0.0         255.0.0.0        127.0.0.1        127.0.0.1          1
172.16.16.0       255.255.248.0    172.16.16.169    172.16.16.169      1
172.16.48.169     255.255.255.255  127.0.0.1        127.0.0.1          1
172.16.255.255    255.255.255.255  172.16.48.169    172.16.48.169      1
224.0.0.0         224.0.0.0        172.16.48.169    172.16.48.169      1
255.255.255.255   255.255.255.255  172.16.48.169    172.16.48.169      1

Network Address

The network address in the route table is the destination address. The network address column can contain:

Host address
Subnet address
Network address
Default gateway

Netmask

The netmask defines which portion of the network address must match in order for that route to be used. When the mask is written in binary, a 1 is significant (must match) and a 0 need not match. For example, a 255.255.255.255 mask is used for a host entry.

The mask of all 255s (all 1s) means that the destination address of the packet to be routed must exactly match the network address in order for this route to be used. For another example, the network address 172.16.48.0 has a netmask of 255.255.192.0. This netmask means that the first two octets must match exactly, the first 2 bits of the third octet must match (192=11000000), and the last octet does not matter. Because 18 in the decimal number system is equivalent to 00110000 in binary, a match would have to start with 0011. Thus, any address of 172.16 and the third octet of 48 through 255 (255=11111111) will use this route. This is a netmask for a subnet route and is therefore called the subnet mask.

Gateway Address

The gateway address is where the packet needs to be sent. This can be the local network card or a gateway (router) on the local subnet.

Interface

The interface is the address of the network card over which the packet should be sent out. 127.0.0.1 is the software loopback address.

Metric

The metric is the number of hops to the destination. Anything on the local LAN is one hop, and each router crossed after that is an additional hop. The metric is used to determine the best route.

Multihomed Router

The following is the default route table of a multihomed Windows NT host:

Network Address	Netmask	Gateway Address	Interface	Metric
0.0.0.0	0.0.0.0	172.16.24.1	172.16.24.193	1
0.0.0.0	0.0.0.0	172.16.40.1	172.16.40.139	1
127.0.0.0	255.0.0.0	127.0.0.1	127.0.0.1	1
172.16.24.0	255.255.248.0	172.16.24.193	172.16.24.193	1
172.16.24.193	255.255.255.255	127.0.0.1	127.0.0.1	1
172.16.40.0	255.255.255.0	172.16.40.139	172.16.40.139	1
172.16.40.139	255.255.255.255	127.0.0.1	127.0.0.1	1
172.16.40.255	255.255.255.255	172.16.40.139	172.16.40.139	1
224.0.0.0	224.0.0.0	172.16.24.193	172.16.24.193	1
224.0.0.0	224.0.0.0	172.16.40.139	172.16.40.139	1
255.255.255.255	255.255.255.255	172.16.40.139	172.16.40.139	1

To enable routing, check Enable IP Forwarding on the Routing tab of the Microsoft TCP/IP Properties dialog box. At this point, Windows NT will route between these two subnets.

A note on default gateways: in the TCP/IP configuration, you can add a default route for each network card. This will create a 0.0.0.0 route for each. However, only one default route will actually be used. In this case, the 199.199.40.139 is the first card in the TCP/IP bindings, and therefore the default route for this card is used. Because only one default gateway will be used, configure only one card to have a default gateway. This will reduce confusion and ensure the results you intended.

If the Windows NT router does not have an interface on a given subnet, it will need a route to get there. This can be done by adding static routes or by using MPR.

Adding a Static Route

The following is an example route.

Route Add 199.199.41.0 mask 255.255.255.0 199.199.40.1 metric 2

The route in this example means that to get to the 199.199.41.0 subnet with a mask of 255.255.255.0, use gateway 199.199.40.1, and that the gateway is 2 hops away. A static route will also need to be added on the next router, telling it how to get back to subnets reachable by the first router. With a network of a few routers or more, static routes can become very complicated.

Examine the Route Between Network Connections by Using Tracert

Tracert is a route tracing utility. Tracert uses the IP TTL field and ICMP error messages to determine the route from one host to another through a network. Sample output from the tracert command is shown in the ICMP section of this chapter.

Examine the Route Table by Using Route

Route is used to view or modify the route table. Route print displays a list of current routes known by IP for the host, including routes that Windows NT creates by default and routes learned by running RIP. Sample output is shown in the IP section of this chapter. Route add is used to add routes to the table, and route delete is used to delete routes from the table. Note that routes added to the table are not made permanent unless the -p switch is specified. Non-persistent routes last only until the computer is restarted.

In order for two hosts to exchange IP datagrams, they must both have a route to each other, or use default gateways that know of a route. Normally, routers exchange information with each other using a protocol such as RIP.

Display Current TCP/IP Connections and Statistics by Using Netstat

Netstat displays protocol statistics and current TCP/IP connections. Netstat -a displays all connections, and netstat -r displays the route table plus active connections. The -n switch tells netstat not to convert addresses and port numbers to names. The following is sample output:

 C:\>netstat -e
 Interface Statistics

 Received      Sent
 Bytes  3995837940    47224622
 Unicast packets        120099        131015
 Non-unicast packets    7579544       3823
 Discards               0             0
 Errors                 0             0
 Unknown protocols      363054211

 C:\>netstat -a

 Active Connections
 
 Proto Local Address  Foreign Address   State
 TCP  davemac1:1572  172.16.48.10:nbsession ESTABLISHED
 TCP  davemac1:1589  172.16.48.10:nbsession ESTABLISHED
 TCP  davemac1:1606  172.16.105.245:nbsession ESTABLISHED
 TCP  davemac1:1632  172.16.48.213:nbsession ESTABLISHED
 TCP  davemac1:1659  172.16.48.169:nbsession ESTABLISHED
 TCP  davemac1:1714  172.16.48.203:nbsession ESTABLISHED
 TCP  davemac1:1719  172.16.48.36:nbsession ESTABLISHED
 TCP  davemac1:1241  172.16.48.101:nbsession ESTABLISHED
 UDP  davemac1:1025  *:*
 UDP  davemac1:snmp *:*
 UDP  davemac1:nbname  *:*
 UDP  davemac1:nbdatagram *:*
 UDP  davemac1:nbname     *:*
 UDP  davemac1:nbdatagram *:*
 
 C:\>netstat -s
 IP Statistics
 
 Packets Received             = 5378528
 Received Header Errors       = 738854
 Received Address Errors      = 23150
 Datagrams Forwarded          = 0
 Unknown Protocols Received   = 0
 Received Packets Discarded   = 0
 Received Packets Delivered   = 4616524
 Output Requests              = 132702
 Routing Discards             = 157
 Discarded Output Packets     = 0
 Output Packet No Route       = 0
 Reassembly Required          = 0
 Reassembly Successful             = 0
 Reassembly Failures               = 0
 Datagrams Successfully Fragmented = 0
 Datagrams Failing Fragmentation   = 0
 Fragments Created                 = 0
 
 ICMP Statistics
 Received  Sent
 Messages                 693       4
 Errors                   0         0
 Destination Unreachable  685       0
 Time Exceeded            0         0
 Parameter Problems       0         0
 Source Quenchs           0         0
 Redirects                0         0
 Echos                    4         0
 Echo Replies             0         4
 Timestamps               0         0
 Timestamp Replies        0         0
 Address Masks            0         0
 Address Mask Replies     0         0
 
 TCP Statistics
 
 Active Opens                 = 597
 Passive Opens                = 135
 Failed Connection Attempts   = 107
 Reset Connections            = 91
 Current Connections          = 8
 Segments Received            = 106770
 Segments Sent                = 118431
 Segments Retransmitted       = 461
 UDP Statistics
 
 Datagrams Received   = 4157136
 No Ports             = 351928
 Receive Errors       = 2
 Datagrams Sent       = 13809

Using Performance Monitor

The Windows NT Server and Windows NT Workstation Performance Monitor can be used to view many different TCP/IP-related counters. Because it accesses statistics that have been gathered by the SNMP service, the SNMP service must be installed on Windows NT-based computers where TCP/IP statistics are to be monitored. Performance Monitor counters are available for NIC, IP, ICMP, UDP, TCP, and NetBT.

One of the features of Performance Monitor is that it allows counters from various systems to be monitored from a single management window. It also supports setting alert levels for the counters being monitored.

Using the Microsoft Network Monitor

Microsoft Network Monitor is a tool developed by Microsoft to make the task of troubleshooting complex network problems much easier and more economical. It is packaged as part of the Microsoft Systems Management Server product but can be used as a stand-alone network monitor.

In addition, Windows NT Server, Windows NT Workstation, and Windows 95 distribution media include the Network Monitor Agent software. Stations running Network Monitor can attach to stations running the agent software over the network or using dial-up (RAS) to perform monitoring or tracing of remote network segments. This can be a very useful troubleshooting tool.

Network Monitor works by setting the NIC to allow you to capture traffic to and from the local computer. Capture filters can be defined so that only specific frames are saved for analysis. Filters can be defined based on source and destination NIC addresses, source and destination protocol addresses, and pattern matches. Once a capture has been obtained, display filtering can be used to further narrow down a problem. Display filtering allows specific protocols to be selected as well.

Once a capture has been obtained and filtered, Network Monitor protocol parsing interprets the binary trace data into readable terms using parsing DLLs. The following sample Server Message Block (SMB) frame is shown fully parsed:

_***************************************************************_
   Frame Time  Src Other Addr Dst Other Addr Protocol 
   Description                      
   7     0.020 172.16.48.36    172.16.48.10   SMB      
   C get attributes, 
   File = \temp 

   FRAME: Base frame properties
   FRAME: Time of capture = Jun 27, 1995 8:11:11.636
   FRAME: Time delta from previous physical frame: 3 
   milliseconds
   FRAME: Frame number: 7
   FRAME: Total frame length: 106 bytes
   FRAME: Capture frame length: 106 bytes
   FRAME: Frame data: Number of data bytes remaining 
   = 106 (0x006A)
   ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD 
   Internet Protocol
   ETHERNET: Destination address : 00608C0E6C6A
   ETHERNET: .......0 = Individual address
   ETHERNET: ......0. = Universally administered address
   ETHERNET: Source address : 0020AF1D2B91
   ETHERNET: .......0 = No routing information present
   ETHERNET: ......0. = Universally administered address
   ETHERNET: Frame Length : 106 (0x006A)
   ETHERNET: Ethernet Type : 0x0800 
   (IP: DOD Internet Protocol)
   ETHERNET: Ethernet Data: Number of data bytes 
   remaining = 92 (0x005C)
   IP: ID = 0x4072; Proto = TCP; Len: 92
   IP: Version = 4 (0x4)
   IP: Header Length = 20 (0x14)
   IP: Service Type = 0 (0x0)
   IP: Precedence = Routine
   IP: ...0.... = Normal Delay
   IP: ....0... = Normal Throughput
   IP: .....0.. = Normal Reliability
   IP: Total Length = 92 (0x5C)
   IP: Identification = 16498 (0x4072)
   IP: Flags Summary = 2 (0x2)
   IP: .......0 = Last fragment in datagram
   IP: ......1. = Cannot fragment datagram
   IP: Fragment Offset = 0 (0x0) bytes
   IP: Time to Live = 32 (0x20)
   IP: Protocol = TCP - Transmission Control
   IP: CheckSum = 0xC895
   IP: Source Address = 09.48.16.172
   IP: Destination Address = 172.16.48.10
   IP: Data: Number of data bytes remaining = 72 (0x0048)
   TCP: .AP..., len:  52, seq: 344830227, ack:  
   2524988, win: 8166, src:
     1677 dst: (NBT Session) 
   TCP: Source Port = 0x068D
   TCP: Destination Port = NETBIOS Session Service
   TCP: Sequence Number = 344830227 (0x148DB113)
   TCP: Acknowledgment Number = 2524988 (0x26873C)
   TCP: Data Offset = 20 (0x14)
   TCP: Reserved = 0 (0x0000)
   TCP: Flags = 0x18 : .AP...
   TCP: ..0..... = No urgent data
   TCP: ...1.... = Acknowledgement field significant
   TCP: ....1... = Push function
   TCP: .....0.. = No Reset
   TCP: ......0. = No Synchronize
   TCP: .......0 = No Fin
   TCP: Window = 8166 (0x1FE6)
   TCP: CheckSum = 0xC072
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Data: Number of data bytes remaining =
    52 (0x0034)
   NBT: SS: Session Message, Len: 48
   NBT: Packet Type = Session Message
   NBT: Packet Flags = 0 (0x0)
   NBT: .......0 = Add 0 to Length
   NBT: Packet Length = 48 (0x30)
   NBT: SS Data: Number of data bytes remaining = 
   48 (0x0030)
   SMB: C get attributes, File = \temp
   SMB: SMB Status = Error Success
   SMB: Error class = No Error
   SMB: Error code = No Error
   SMB: Header: PID = 0xCAFE TID = 0x0800 MID =
    0x43C0 UID = 0x0800
   SMB: Tree ID   (TID) = 2048 (0x800)
   SMB: Process ID  (PID) = 51966 (0xCAFE)
   SMB: User ID   (UID) = 2048 (0x800)
   SMB: Multiplex ID (MID) = 17344 (0x43C0)
   SMB: Flags Summary = 24 (0x18)
   SMB: .......0 = Lock & Read and Write & 
   Unlock not supported
   SMB: ......0. = Send No Ack not supported
   SMB: ....1... = Using caseless pathnames
   SMB: ...1.... = Canonicalized pathnames
   SMB: ..0..... = No Opportunistic lock
   SMB: .0...... = No Change Notify
   SMB: 0....... = Client command
   SMB: flags2 Summary = 32771 (0x8003)
   SMB: ...............1 = Understands long filenames
   SMB: ..............1. = Understands extended attributes
   SMB: ..0............. = No paging of IO
   SMB: .0.............. = Using SMB status codes
   SMB: 1............... = Using UNICODE strings
   SMB: Command = C get attributes
   SMB: Word count = 0
   SMB: Byte count = 13
   SMB: Byte parameters
   SMB: Path name = \temp
   
   00000: 00 60 8C 0E 6C 6A 00 20 AF 1D 2B
   91 08 00 45 00  .`..lj. ..+...E.
   00010: 00 5C 40 72 40 00 20 06 C8 95 9D 
   39 09 8A 9D 39  .\@r@. ....9...9
   00020: 0D 98 06 8D 00 8B 14 8D B1 13 00 
   26 87 3C 50 18  ...........&.<P.
   00030: 1F E6 C0 72 00 00 00 00 00 30 FF 
   53 4D 42 08 00  ...r.....0.SMB..
   00040: 00 00 00 18 03 80 00 00 00 00 00 
   00 00 00 00 00  ................
   00050: 00 00 00 08 FE CA 00 08 C0 43 00 
   0D 00 04 5C 00  .........C....\.
   00060: 74 00 65 00 6D 00 70 00 00 00
              t.e.m.p...

The preceding parsed output example consists of three sections:

summary window
detailed description window
hex output

If you are sending traces to support personnel at Microsoft, they are most useful in electronic form rather than printed form, because they can be manipulated and scanned electronically. Large printed traces are time-consuming to read.

Using the Microsoft Knowledge Base

The Microsoft Knowledge Base (KB) is an excellent source of information on all aspects of Windows NT Server and Windows NT Workstation. It contains thousands of articles written by the support professionals in the Corporate Network Systems unit at Microsoft. Articles are updated daily, and topics include:

Installation and configuration information
Status on known problems and fixes
Service Pack updates
Technology discussions
Troubleshooting tips
Hardware-specific information

For example, to find additional information about the LMHOSTS file in Windows NT, query on the following words in the Microsoft Knowledge Base:

lmhosts and windows and nt

The Microsoft KB is available from many different sources, including the Internet (full-text search capabilities for WWW browsers on www.microsoft.com), several on-line services, and CD-ROM subscription services, such as Microsoft TechNet.

Troubleshooting Other Connection Problems

This section presents some possible TCP/IP symptoms with recommendations for using the diagnostic utilities to determine the source of the problems.

Error 53

To determine the cause of Error 53 when connecting to a server

If the computer is on the local subnet, confirm that the name is spelled correctly and that the target computer is running TCP/IP as well. If the computer is not on the local subnet, be sure that its name and IP address mapping are available in the LMHOSTS file or the WINS database.

Error 53 is returned if name resolution fails for a particular computer name.
If all TCP/IP elements appear to be installed properly, use ping with the remote computer to be sure that its TCP/IP software is working.

Long Connect Times When Using LMHOSTS for Name Resolution

To determine the cause of long connect times after adding an entry to LMHOSTS

Because this behavior can occur with a large LMHOSTS file with an entry at the end of the file, mark the entry in LMHOSTS as a preloaded entry by following the mapping with the #PRE tag. Then use the nbtstat -R command to update the local name cache immediately.

Or, place the mapping higher in the LMHOSTS file.

As discussed in Chapter 10, "Using LMHOSTS Files," the LMHOSTS file is parsed sequentially to locate entries without the #PRE keyword. Therefore, you should place frequently used entries near the top of the file and place the #PRE entries near the bottom.

Cannot Connect to a Specific Server

To determine the cause of connection problems when specifying a server name

Use the nbtstat -n command to determine what name the server registered on the network.

The output of this command lists several names that the computer has registered. A name resembling the computer's computer name should be present. If not, try one of the other unique names displayed by nbtstat.

The nbtstat utility can also be used to display the cached entries for remote computers from either #PRE entries in LMHOSTS or recently resolved names. If the name the remote computers are using for the server is the same, and the other computers are on a remote subnet, be sure that they have the computer's mapping in their LMHOSTS files.

Cannot Connect to Foreign Systems When Using Host Name

To determine why only IP addresses but not host names work for connections to remote computers

Make sure that the appropriate HOSTS file and DNS setup have been configured for the computer by checking the host name resolution configuration using the Network icon in Control Panel and then choosing the DNS tab in the Microsoft TCP/IP Properties dialog box.
If you are using a HOSTS file, make sure that the name of the remote computer is spelled the same and capitalized the same in the file and by the application using it.
If you are using DNS, be sure that the IP addresses of the DNS servers are correct and in the proper order. Use ping with the remote computer by typing both the host name and IP address to determine whether the host name is being resolved properly.

TCP/IP Connection to Remote Host Appears To Be Hung

To determine why a TCP/IP connection to a remote computer is not working properly

Use the netstat -a command to show the status of all activity on TCP and UDP ports on the local computer.

The state of a good TCP connection is usually established with 0 bytes in the send and receive queues. If data is blocked in either queue or if the state is irregular, there is probably a problem with the connection. If not, you are probably experiencing network or application delay.

Troubleshooting Telnet

To determine why the banner displayed with Telnet identifies a different computer, even when specifying the correct IP address

Make sure the DNS name and HOSTS table are up to date.
Make sure that two computers on the same network are not mistakenly configured with the same IP address.

The Ethernet and IP address mapping is done by the ARP module, which believes the first response it receives. Therefore, the impostor computer's reply sometimes comes back before the intended computer's reply.

These problems are difficult to isolate and track down. Use the arp -g command to display the mappings in the ARP cache. If you know the Ethernet address for the intended remote computer, you can easily determine whether the two match. If not, use arp -d to delete the entry; then use ping with the same address (forcing an ARP), and check the Ethernet address in the cache again by using arp -g.

Chances are that if both computers are on the same network, you will eventually get a different response. If not, you might have to filter the traffic from the impostor host to determine the owner or location of the system.

Troubleshooting Gateways

To determine the cause of the message, "Your default gateway does not belong to one of the configured interfaces..." during Setup

Find out whether the default gateway is located on the same logical network as the computer's network adapter by comparing the network ID portion of the default gateway's IP address with the network ID(s) of any of the computer's network adapters.

For example, a computer with a single network adapter configured with an IP address of 102.54.0.1 and a subnet mask of 255.255.0.0 would require that the default gateway be of the form 102.54.a.b because the network ID portion of the IP interface is 102.54.

Troubleshooting TCP/IP Database Files

The following table lists the UNIX-style database files that are stored in the \systemroot\System32\Drivers\Etc directory when you install Microsoft TCP/IP:

Table 12.2 UNIX-style Database Files

File name	Use
HOSTS	Provides host name-to-IP-address resolution for Windows Sockets applications
LMHOSTS	Provides NetBIOS name-to-IP-address resolution for Windows-based networking
Networks	Provides network name-to-network ID resolution for TCP/IP management
Protocols	Provides protocol name-to-protocol ID resolution for Windows Sockets applications
Services	Provides service name-to-port ID resolution for Windows Sockets applications

To troubleshoot any of these files on a local computer:

Make sure the format of entries in each file matches the format defined in the sample file originally installed with Microsoft TCP/IP.
Check for spelling or capitalization errors.
Check for invalid IP addresses and identifiers.

Reinstalling TCP\IP

When you attempt to reinstall a TCP\IP service, the following error message may appear:

The Registry Subkey Already Exists.

To correct this problem, ensure that all the components of a given TCP\IP service are properly removed and then remove the appropriate registry subkeys.

Warning: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the incorrect use of Registry Editor can be solved. Use this tool at your own risk.

Connectivity Utilities

If you have removed the TCP/IP service components, you must also remove the following registry subkeys:

HKEY_LOCAL_MACHINE \Software \Microsoft \NetBT
HKEY_LOCAL_MACHINE \Software \Microsoft \Tcpip
HKEY_LOCAL_MACHINE \Software \Microsoft \TcpipCU
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \DHCP
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \LMHosts
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services'NetDriver'\Parameters\Tcpip
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \NetBT

SNMP Service

If you have removed the SNMP service components, you must also remove the following registry subkeys:

HKEY_LOCAL_MACHINE \Software \Microsoft \RFC1156Agent
HKEY_LOCAL_MACHINE \Software \Microsoft \Snmp
HKEY_LOCAL_MACHINE \System \CCS \Services \Snmp

TCP\IP Network Printing Support

If you have removed the LPDSVC line printer service components, you must also remove the following registry subkeys:

HKEY_LOCAL_MACHINE \Software \Microsoft \Lpdsvc
HKEY_LOCAL_MACHINE \Software \Microsoft \TcpPrint
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \LpdsvcSimple TCP\IP Services

If you have removed the simple TCP/IP services components, you must also remove the following registry subkeys:

HKEY_LOCAL_MACHINE \Software \Microsoft \SimpTcp
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \SimpTcp

DHCP Server Service

If you have removed the DHCP Server service components, you must also remove the following registry subkeys:

HKEY_LOCAL_MACHINE \Software \Microsoft \DhcpMibAgent
HKEY_LOCAL_MACHINE \Software \Microsoft \DhcpServer
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \DhcpServer

WINS Server Service

If you have removed the WINS Server service components, you must also remove the following registry subkeys:

HKEY_LOCAL_MACHINE \Software \Microsoft \Wins
HKEY_LOCAL_MACHINE \Software \Microsoft \WinsMibAgent
HKEY_LOCAL_MACHINE \SYSTEM \CCS \Services \Wins

Cannot Ping Across a Router when Using TCP/IP as a RAS Client

This problem occurs if you have Use default gateway on remote network selected under TCP/IP settings in the RAS Phonebook. This feature adds a route to the route table, and the new route allows IP addresses that are not resolved by other entries in the route table to be routed to the gateway on the RAS link. However, to use Internet utilities, such as a WEB browser or FTP, this feature must be enabled.

To ping or otherwise connect to computers in a remote subnet across a router while you are connected as a RAS client to a remote Windows NT RAS Server

Use the route add command to add the route of the subnet you are attempting to use and tie that route to the local LAN gateway by adding the appropriate subnet mask.

AI Skills Fest

Share via