Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no
longer exist.
Many excellent network troubleshooting tools are available for Windows NT Server and Windows NT Workstation. Most are included with the product or in the Windows
NT Server and Windows NT Workstation Resource Kits. Microsoft Network Monitor is an excellent network tracing tool that is included in the Microsoft Systems
Management Server product.
When troubleshooting any problem, it is helpful to use a logical approach. Some questions to ask are:
Troubleshooting a problem "from the bottom up" is often a good way to quickly isolate it. The troubleshooting tasks discussed in this chapter are organized using this
"bottom up" approach.
The first section of this chapter gives an overview of TCP/IP troubleshooting tools. The next section discusses various TCP/IP troubleshooting tasks, followed by a section
on using Performance Monitor and Network Monitor to analyze network behavior. The final section of this chapter provides information about common TCP/IP networking
problems.
On This Page
Overview of TCP/IP Troubleshooting Tools
Identify the TCP/IP Configuration by Using IPConfig
Test Connection to the TCP/IP Network by Using Ping
Understanding Address and Name Resolution
Troubleshoot NetBIOS Name Resolution by Using NBTStat
Test IP-address-to-MAC-address Resolution by Using ARP
Understanding IP Routing for Windows NT
Examine the Route Between Network Connections by Using Tracert
Examine the Route Table by Using Route
Display Current TCP/IP Connections and Statistics by Using Netstat
Using Performance Monitor
Using the Microsoft Network Monitor
Using the Microsoft Knowledge Base
Troubleshooting Other Connection Problems
Tool        Used to
arp         View the ARP (address resolution protocol) table on the local computer to detect invalid entries.
hostname
ipconfig    Display current TCP/IP network configuration values, and update or release TCP/IP network configuration values.
nbtstat     Check the state of current NetBIOS over TCP/IP connections, update the LMHOSTS cache, and determine the registered name and scope ID.
netstat
nslookup    Check records, domain host aliases, domain host services, and operating system information by querying Internet domain name servers.
ping        Verify whether TCP/IP is configured correctly and that a remote TCP/IP system is available.
route
tracert
For complete details about the TCP/IP utilities, see Appendix A, "TCP/IP Utilities Reference."
These additional Windows NT tools can be used for TCP/IP troubleshooting:
In general, when troubleshooting it is usually best to first verify that the computer's TCP/IP configuration is correct, and then verify that a connection and route exist between
the computer and network host by using ping, as described in the section "Test Connection to the TCP/IP Network by Using Ping" later in this chapter.
Compile a list of what works and what doesn't work, and then study the list to help isolate the failure. If link reliability is in question, try a large number of pings of various
sizes at different times of the day, and plot the success rate. When all else fails, using a protocol analyzer, such as Microsoft Network Monitor, can be helpful.
Windows NT IP Configuration
    Host Name . . . . . . . . . : davemac1.terraflora.com
    DNS Servers . . . . . . . . : 172.16.48.03
    Node Type . . . . . . . . . : Hybrid
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : No
Ethernet adapter Elnk31:
    Description . . . . . . . . :
    Physical Address. . . . . . :
    DHCP Enabled. . . . . . . . :
    IP Address. . . . . . . . . :
    Subnet Mask . . . . . . . . :
    Default Gateway . . . . . . :
    DHCP Server . . . . . . . . :
    Primary WINS Server . . . . :
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . : PM
    Lease Expires . . . . . . . : 11:43:01 PM
Ethernet adapter NdisWan5:
    Description . . . . . . . . :
    Physical Address. . . . . . : 00-00-00-00-00-00
    DHCP Enabled. . . . . . . . : No
    IP Address. . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . :
If no problems appear in the TCP/IP configuration, the next step is to test the ability to connect to other host computers on the TCP/IP network.
1. Ping the loopback address to verify that TCP/IP is installed and configured correctly on the local computer.
Ping 127.0.0.1
2. Ping the IP address of the local computer to verify that it was added to the network correctly.
Ping IP_address_of_local_host
3. Ping the IP address of the default gateway to verify that the default gateway is functioning and that you can communicate with a local host on the local network.
Ping IP_address_of_default_gateway
4. Ping the IP address of a remote host to verify that you can communicate through a router.
Ping IP_address_of_remote_host
Ping uses Windows Sockets-style name resolution to resolve a computer name to an IP address, so if pinging by address succeeds, but fails by name, then the problem
lies in address or name resolution, not network connectivity. Refer to the section "Test IP-address-to-MAC-address Resolution by Using ARP" later in this chapter.
If you cannot use ping successfully at any point, check the following:
The computer was restarted after TCP/IP was installed and configured.
The local computer's IP address is valid and appears correctly in the IP Address tab of the Microsoft TCP/IP Properties dialog box.
IP routing is enabled and the link between routers is operational.
Type ping -? to see what command-line options are available. For example, ping allows you to specify the size of packets to use, how many to send, whether to record the
route used, what time-to-live (TTL) value to use, and whether to set the "don't fragment" flag.
The following example illustrates how to send two pings, each 1450 bytes in size, to address 172.16.48.10:
IP address
Host name
NetBIOS name
If you get the correct response when using ping with an IP address but an incorrect response when using ping with the host name or NetBIOS name, you have a name
resolution problem. The following sections describe the processes that occur when using a host name or a NetBIOS name, instead of an IP address, to connect with hosts
on a TCP/IP network.
172.16.48.10    jsmith_nt
Note: Host name resolution using a Domain Name System (DNS) server is similar to the preceding steps. Instead of parsing the HOSTS file in Step 2, the DNS server looks
up the host name of Computer B in its database and resolves it to an IP address.
The following types of problems can occur because of errors related to the HOSTS file:
The HOSTS file or the DNS server does not contain the particular host name.
The host name in the HOSTS file or in the command is misspelled or uses different capitalization. (Host names are case-sensitive.)
An invalid IP address is entered for the host name in the HOSTS file.
The HOSTS file contains multiple entries for the same host on separate lines; if so, the first entry is the one that is used.
A mapping for a computer name-to-IP-address was mistakenly added to the HOSTS file (rather than LMHOSTS).
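The HOSTS file errors listed above can be checked mechanically. The following is an added example, not part of the original chapter: a small linter that flags invalid addresses, repeated names (only the first entry is used) and names that differ only by capitalization. The sample file contents and the function name lint_hosts are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS file (addresses and names are illustrative).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
172.16.48.10    jsmith_nt
172.16.48.300   printsrv        # octet out of range
172.16.48.36    davemac1.terraflora.com davemac1
172.16.48.99    Davemac1        # differs only by capitalization
172.16.48.77    jsmith_nt       # second entry for the same name
"""


def lint_hosts(text):
    """Return (findings, resolved).

    findings is a list of (line number, kind, value); resolved maps each
    host name to the address of its FIRST entry, which is the one used.
    """
    findings = []
    resolved = {}      # exact name -> address of first entry
    spelling = {}      # lowercased name -> spelling first seen
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            findings.append((lineno, "invalid-address", addr))
            continue
        if not names:
            findings.append((lineno, "no-name", addr))
            continue
        for name in names:
            if name in resolved:
                # Later lines for the same name are never consulted.
                findings.append((lineno, "duplicate", name))
                continue
            resolved[name] = addr
            first = spelling.setdefault(name.lower(), name)
            if first != name:
                # Same name with different capitalization is a likely typo.
                findings.append((lineno, "case-variant", name))
    return findings, resolved


if __name__ == "__main__":
    problems, table = lint_hosts(SAMPLE_HOSTS)
    for lineno, kind, value in problems:
        print(f"line {lineno}: {kind}: {value}")
    print("jsmith_nt resolves to", table["jsmith_nt"])
```

Running the same check against a known-good copy of the file also shows entries that were added or changed since it was last reviewed.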
server query, broadcast, DNS server query, and LMHOSTS and HOSTS lookup.
Nbtstat is a useful tool for troubleshooting NetBIOS name resolution problems. The nbtstat command allows for removing or correcting preloaded entries.
nbtstat -n displays the names that were registered locally on the system by applications such as the server and redirector.
nbtstat -c shows the NetBIOS name cache, which contains name-to-address mappings for other computers.
nbtstat -R purges the name cache and reloads it from the LMHOSTS file.
nbtstat -a <name> performs a NetBIOS adapter status command against the computer specified by name. The adapter status command returns the local NetBIOS
name table for that computer plus the MAC address of the adapter card.
nbtstat -S lists the current NetBIOS sessions and their status, including statistics, as shown in the following example:
Network Address    Netmask            Gateway Address    Interface        Metric
0.0.0.0            0.0.0.0            172.16.16.1        172.16.48.169    1
127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1        1
172.16.16.0        255.255.248.0      172.16.16.169      172.16.16.169    1
172.16.48.169      255.255.255.255    127.0.0.1          127.0.0.1        1
172.16.255.255     255.255.255.255    172.16.48.169      172.16.48.169    1
224.0.0.0          224.0.0.0          172.16.48.169      172.16.48.169    1
255.255.255.255    255.255.255.255    172.16.48.169      172.16.48.169    1
Network Address
The network address in the route table is the destination address. The network address column can contain:
Host address
Subnet address
Network address
Default gateway
Netmask
The netmask defines which portion of the network address must match in order for that route to be used. When the mask is written in binary, a 1 is significant (must match)
and a 0 need not match. For example, a 255.255.255.255 mask is used for a host entry.
The mask of all 255s (all 1s) means that the destination address of the packet to be routed must exactly match the network address in order for this route to be used. For
another example, the network address 172.16.48.0 has a netmask of 255.255.192.0. This netmask means that the first two octets must match exactly, the first 2 bits of the
third octet must match (192=11000000), and the last octet does not matter. Because 48 in the decimal number system is equivalent to 00110000 in binary, a match would
have to start with 0011. Thus, any address of 172.16 and the third octet of 48 through 255 (255=11111111) will use this route. This is a netmask for a subnet route and is
therefore called the subnet mask.
Gateway Address
The gateway address is where the packet needs to be sent. This can be the local network card or a gateway (router) on the local subnet.
Interface
The interface is the address of the network card over which the packet should be sent out. 127.0.0.1 is the software loopback address.
Metric
The metric is the number of hops to the destination. Anything on the local LAN is one hop, and each router crossed after that is an additional hop. The metric is used to
determine the best route.
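How the Netmask and Metric columns decide which entry is used can be shown by running lookups against the route table printed earlier in this section. This is an added example, not part of the original chapter; it assumes the standard IP rule that the matching entry with the most mask bits wins and that the metric breaks ties, and the names Route, select_route and malformed are hypothetical.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network netmask gateway interface metric")

# Rows of the route table shown in this section, in the same column order.
ROUTES = [
    Route("0.0.0.0",         "0.0.0.0",         "172.16.16.1",   "172.16.48.169", 1),
    Route("127.0.0.0",       "255.0.0.0",       "127.0.0.1",     "127.0.0.1",     1),
    Route("172.16.16.0",     "255.255.248.0",   "172.16.16.169", "172.16.16.169", 1),
    Route("172.16.48.169",   "255.255.255.255", "127.0.0.1",     "127.0.0.1",     1),
    Route("172.16.255.255",  "255.255.255.255", "172.16.48.169", "172.16.48.169", 1),
    Route("224.0.0.0",       "224.0.0.0",       "172.16.48.169", "172.16.48.169", 1),
    Route("255.255.255.255", "255.255.255.255", "172.16.48.169", "172.16.48.169", 1),
]


def to_int(addr):
    """Dotted-decimal IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def mask_bits(netmask):
    """Number of 1 bits in the mask, i.e. how many bits must match."""
    return bin(to_int(netmask)).count("1")


def matches(dest, route):
    """True when dest equals the route's network address in every bit
    position where the netmask has a 1."""
    mask = to_int(route.netmask)
    return (to_int(dest) & mask) == (to_int(route.network) & mask)


def select_route(dest, routes=ROUTES):
    """Route used for dest: most mask bits first, then lowest metric.
    Returns None when no entry matches (no default route present)."""
    candidates = [r for r in routes if matches(dest, r)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-mask_bits(r.netmask), r.metric))


def malformed(routes=ROUTES):
    """Entries whose network address has bits set where the mask is 0;
    worth reviewing because the destination they describe is ambiguous."""
    return [r for r in routes
            if to_int(r.network) & ~to_int(r.netmask) & 0xFFFFFFFF]


if __name__ == "__main__":
    for dest in ("172.16.20.5", "172.16.48.169", "224.0.0.5", "10.1.1.1"):
        r = select_route(dest)
        print(f"{dest:15} -> gateway {r.gateway} via {r.interface} "
              f"(mask {r.netmask}, metric {r.metric})")
```

Comparing the output of such a lookup with what route print shows on the host is a quick way to spot an unexpected static route that diverts traffic for a particular destination.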
Multihomed Router
The following is the default route table of a multihomed Windows NT host:
Network Address    Netmask            Gateway Address    Interface        Metric
0.0.0.0            0.0.0.0            172.16.24.1        172.16.24.193
0.0.0.0            0.0.0.0            172.16.40.1        172.16.40.139
127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1
172.16.24.0        255.255.248.0      172.16.24.193      172.16.24.193
172.16.24.193      255.255.255.255    127.0.0.1          127.0.0.1
172.16.40.0        255.255.255.0      172.16.40.139      172.16.40.139
172.16.40.139      255.255.255.255    127.0.0.1          127.0.0.1
172.16.40.255      255.255.255.255    172.16.40.139      172.16.40.139
224.0.0.0          224.0.0.0          172.16.24.193      172.16.24.193
224.0.0.0          224.0.0.0          172.16.40.139      172.16.40.139
255.255.255.255    255.255.255.255    172.16.40.139      172.16.40.139
To enable routing, check Enable IP Forwarding on the Routing tab of the Microsoft TCP/IP Properties dialog box. At this point, Windows NT will route between these
two subnets.
A note on default gateways: in the TCP/IP configuration, you can add a default route for each network card. This will create a 0.0.0.0 route for each. However, only one
default route will actually be used. In this case, the 199.199.40.139 is the first card in the TCP/IP bindings, and therefore the default route for this card is used. Because only
one default gateway will be used, configure only one card to have a default gateway. This will reduce confusion and ensure the results you intended.
If the Windows NT router does not have an interface on a given subnet, it will need a route to get there. This can be done by adding static routes or by using MPR.
Adding a Static Route
The following is an example route.
C:\>netstat -e
Interface Statistics
                        Received      Sent
Bytes                   3995837940    47224622
Unicast packets         120099        131015
Non-unicast packets     7579544       3823
Discards                0             0
Errors                  0             0
Unknown protocols       363054211
C:\>netstat -a
Active Connections
Proto  Local Address         Foreign Address            State
TCP    davemac1:1572         172.16.48.10:nbsession     ESTABLISHED
TCP    davemac1:1589         172.16.48.10:nbsession     ESTABLISHED
TCP    davemac1:1606         172.16.105.245:nbsession   ESTABLISHED
TCP    davemac1:1632         172.16.48.213:nbsession    ESTABLISHED
TCP    davemac1:1659         172.16.48.169:nbsession    ESTABLISHED
TCP    davemac1:1714         172.16.48.203:nbsession    ESTABLISHED
TCP    davemac1:1719         172.16.48.36:nbsession     ESTABLISHED
TCP    davemac1:1241         172.16.48.101:nbsession    ESTABLISHED
UDP    davemac1:1025         *:*
UDP    davemac1:snmp         *:*
UDP    davemac1:nbname       *:*
UDP    davemac1:nbdatagram   *:*
UDP    davemac1:nbname       *:*
UDP    davemac1:nbdatagram   *:*
C:\>netstat -s
IP Statistics
  Packets Received                   = 5378528
  Received Header Errors             = 738854
  Received Address Errors            = 23150
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 4616524
  Output Requests                    = 132702
  Routing Discards                   = 157
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0
ICMP Statistics
                            Received    Sent
  Messages                  693         4
  Errors                    0           0
  Destination Unreachable   685         0
  Time Exceeded             0           0
  Parameter Problems        0           0
  Source Quenchs            0           0
  Redirects                 0           0
  Echos                     4           0
  Echo Replies              0           4
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
TCP Statistics
  Active Opens                = 597
  Passive Opens               = 135
  Failed Connection Attempts  = 107
  Reset Connections           = 91
  Current Connections         = 8
  Segments Received           = 106770
  Segments Sent               = 118431
  Segments Retransmitted      = 461
UDP Statistics
  Datagrams Received  = 4157136
  No Ports            = 351928
  Receive Errors      = 2
  Datagrams Sent      = 13809
The Windows NT Server and Windows NT Workstation Performance Monitor can be used to view many different TCP/IP-related counters. Because it accesses statistics that
have been gathered by the SNMP service, the SNMP service must be installed on Windows NT-based computers where TCP/IP statistics are to be monitored. Performance
Monitor counters are available for NIC, IP, ICMP, UDP, TCP, and NetBT.
One of the features of Performance Monitor is that it allows counters from various systems to be monitored from a single management window. It also supports setting
alert levels for the counters being monitored.
*****************************************************************
Frame  Time   Src Other Addr  Dst Other Addr  Protocol  Description
7      0.020  172.16.48.36    172.16.48.10    SMB       C get attributes, File = \temp
FRAME: Base frame properties
FRAME: Time of capture = Jun 27, 1995 8:11:11.636
FRAME: Time delta from previous physical frame: 3 milliseconds
FRAME: Frame number: 7
FRAME: Total frame length: 106 bytes
FRAME: Capture frame length: 106 bytes
FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00608C0E6C6A
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0020AF1D2B91
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 106 (0x006A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
IP: ID = 0x4072; Proto = TCP; Len: 92
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 92 (0x5C)
IP: Identification = 16498 (0x4072)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 32 (0x20)
IP: Protocol = TCP - Transmission Control
IP: CheckSum = 0xC895
IP: Source Address = 09.48.16.172
IP: Destination Address = 172.16.48.10
IP: Data: Number of data bytes remaining = 72 (0x0048)
TCP: .AP..., len: 52, seq: 344830227, ack: 2524988, win: 8166, src: 1677 dst: (NBT Session)
TCP: Source Port = 0x068D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 344830227 (0x148DB113)
TCP: Acknowledgment Number = 2524988 (0x26873C)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
summary window
detailed description window
hex output
If you are sending traces to support personnel at Microsoft, they are most useful in electronic form rather than printed form, because they can be manipulated and
scanned electronically. Large printed traces are time-consuming to read.
Hardware-specific information
For example, to find additional information about the LMHOSTS file in Windows NT, query on the following words in the Microsoft Knowledge Base:
Error 53
To determine the cause of Error 53 when connecting to a server
1. If the computer is on the local subnet, confirm that the name is spelled correctly and that the target computer is running TCP/IP as well. If the computer is not on the
local subnet, be sure that its name and IP address mapping are available in the LMHOSTS file or the WINS database.
Error 53 is returned if name resolution fails for a particular computer name.
2. If all TCP/IP elements appear to be installed properly, use ping with the remote computer to be sure that its TCP/IP software is working.
Because this behavior can occur with a large LMHOSTS file with an entry at the end of the file, mark the entry in LMHOSTS as a preloaded entry by following the
mapping with the #PRE tag. Then use the nbtstat -R command to update the local name cache immediately.
Or, place the mapping higher in the LMHOSTS file.
As discussed in Chapter 10, "Using LMHOSTS Files," the LMHOSTS file is parsed sequentially to locate entries without the #PRE keyword. Therefore, you should place
frequently used entries near the top of the file and place the #PRE entries near the bottom.
Use the nbtstat -n command to determine what name the server registered on the network.
The output of this command lists several names that the computer has registered. A name resembling the computer's computer name should be present. If not, try
one of the other unique names displayed by nbtstat.
The nbtstat utility can also be used to display the cached entries for remote computers from either #PRE entries in LMHOSTS or recently resolved names. If the
name the remote computers are using for the server is the same, and the other computers are on a remote subnet, be sure that they have the computer's mapping
in their LMHOSTS files.
1. Make sure that the appropriate HOSTS file and DNS setup have been configured for the computer by checking the host name resolution configuration using the
Network icon in Control Panel and then choosing the DNS tab in the Microsoft TCP/IP Properties dialog box.
2. If you are using a HOSTS file, make sure that the name of the remote computer is spelled the same and capitalized the same in the file and by the application using
it.
3. If you are using DNS, be sure that the IP addresses of the DNS servers are correct and in the proper order. Use ping with the remote computer by typing both the
host name and IP address to determine whether the host name is being resolved properly.
Use the netstat -a command to show the status of all activity on TCP and UDP ports on the local computer.
The state of a good TCP connection is usually established with 0 bytes in the send and receive queues. If data is blocked in either queue or if the state is irregular,
there is probably a problem with the connection. If not, you are probably experiencing network or application delay.
Troubleshooting Telnet
To determine why the banner displayed with Telnet identifies a different computer, even when specifying the correct IP address
1. Make sure the DNS name and HOSTS table are up to date.
2. Make sure that two computers on the same network are not mistakenly configured with the same IP address.
The Ethernet and IP address mapping is done by the ARP module, which believes the first response it receives. Therefore, the impostor computer's reply sometimes
comes back before the intended computer's reply.
These problems are difficult to isolate and track down. Use the arp -g command to display the mappings in the ARP cache. If you know the Ethernet address for the
intended remote computer, you can easily determine whether the two match. If not, use arp -d to delete the entry; then use ping with the same address (forcing an
ARP), and check the Ethernet address in the cache again by using arp -g.
Chances are that if both computers are on the same network, you will eventually get a different response. If not, you might have to filter the traffic from the impostor
host to determine the owner or location of the system.
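The ARP cache comparison described above (display with arp -g, delete the entry, ping, display again) can be automated by diffing saved snapshots of the command's output. This is an added example, not part of the original chapter: the snapshots are constructed, their layout is assumed to follow the general form the Windows arp command prints, the first MAC address for 172.16.48.10 is the destination address shown in this chapter's Network Monitor trace, and the second MAC and the function names are made up for illustration.

```python
import re

# Constructed snapshots of "arp -g" output taken before and after
# deleting the entry and pinging the address again.
BEFORE = """\
Interface: 172.16.48.36
  Internet Address      Physical Address      Type
  172.16.48.10          00-60-8c-0e-6c-6a     dynamic
  172.16.48.213         00-20-af-11-22-33     dynamic
"""
AFTER = """\
Interface: 172.16.48.36
  Internet Address      Physical Address      Type
  172.16.48.10          00-a0-c9-00-00-01     dynamic
  172.16.48.213         00-20-af-11-22-33     dynamic
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"            # IP address
    r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})",  # Ethernet address
    re.MULTILINE,
)


def normalize(mac):
    """Lowercase, dash-separated form so spellings compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp(text):
    """Map each IP address in one snapshot to its Ethernet address."""
    return {ip: normalize(mac) for ip, mac in ENTRY.findall(text)}


def find_conflicts(snapshots, known=None):
    """Return findings as (kind, ip, [macs]).

    "changed"    - the same IP answered with different Ethernet addresses
                   across snapshots (possible duplicate IP or impostor).
    "unexpected" - an Ethernet address differs from the one recorded for
                   the intended computer in `known`.
    """
    known = {ip: normalize(mac) for ip, mac in (known or {}).items()}
    seen = {}  # ip -> distinct MACs in the order first observed
    for text in snapshots:
        for ip, mac in parse_arp(text).items():
            macs = seen.setdefault(ip, [])
            if mac not in macs:
                macs.append(mac)
    findings = []
    for ip in sorted(seen, key=lambda a: tuple(int(p) for p in a.split("."))):
        macs = seen[ip]
        if len(macs) > 1:
            findings.append(("changed", ip, list(macs)))
        wrong = [m for m in macs if ip in known and m != known[ip]]
        if wrong:
            findings.append(("unexpected", ip, wrong))
    return findings


if __name__ == "__main__":
    inventory = {"172.16.48.10": "00-60-8C-0E-6C-6A"}
    for kind, ip, macs in find_conflicts([BEFORE, AFTER], inventory):
        print(f"{kind}: {ip} -> {', '.join(macs)}")
```

The unexpected Ethernet address reported for an IP is the value to search for in switch or hub port tables when locating the second computer.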
Troubleshooting Gateways
To determine the cause of the message, "Your default gateway does not belong to one of the configured interfaces..." during Setup
Find out whether the default gateway is located on the same logical network as the computer's network adapter by comparing the network ID portion of the default
gateway's IP address with the network ID(s) of any of the computer's network adapters.
For example, a computer with a single network adapter configured with an IP address of 102.54.0.1 and a subnet mask of 255.255.0.0 would require that the default
gateway be of the form 102.54.a.b because the network ID portion of the IP interface is 102.54.
Use
HOSTS
LMHOSTS
Networks
Protocols
Services
Make sure the format of entries in each file matches the format defined in the sample file originally installed with Microsoft TCP/IP.
Check for spelling or capitalization errors.
Check for invalid IP addresses and identifiers.
Reinstalling TCP/IP
When you attempt to reinstall a TCP/IP service, the following error message may appear:
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
SNMP Service
If you have removed the SNMP service components, you must also remove the following registry subkeys:
Use the route add command to add the route of the subnet you are attempting to use and tie that route to the local LAN gateway by adding the appropriate
subnet mask.
2013 Microsoft. All rights reserved.