Microsoft Windows Path Characteristics

This can take a bit of experience to interpret. Begin by looking for statistics showing a large number of errors. Next, identify the type of errors. Typically, input errors are caused by faulty hardware. Output errors are a problem on or at the local host. Data corruption, such as faulty checksums, frequently occurs at routers. And, as noted before, congestion is indicated by collisions. Of course, these are generalizations, so don't read too much into them.

4.3 Microsoft Windows

Most of the tools we have been discussing are available in one form or another for Windows platforms. Microsoft's implementation of traceroute, known as tracert, has both superficial and fundamental differences from the original implementation. Like ping, tracert requires a DOS window to run. We have already seen an example of its output. tracert has fewer options, and there are some superficial differences in their flags. But most of traceroute's options are rarely used anyway, so this isn't much of a problem. A more fundamental difference between Microsoft's tracert and its Unix relative is that tracert uses ICMP packets rather than UDP packets. This isn't necessarily bad, just different. In fact, if you have access to both traceroute and tracert, you may be able to use this to your advantage in some unusual circumstances. Its behavior may be surprising in some cases. One obvious implication is that routers that block ICMP messages will block tracert, while traceroute's UDP packets will be passed.

As noted earlier in this chapter, Mentor's Java implementation of ttcp runs under Windows if you can find it. Both netperf and iperf have also been ported to Windows. Another freely available program worth considering is Qcheck from Ganymede Software, Inc. This program requires that Ganymede's Performance Endpoints software be installed on systems at each end of the link. This software is also provided at no cost and is available for a wide variety of systems ranging from Windows to MVS. In addition to supporting IP, the software supports SPX and IPX protocols. The software provides ping-like connectivity checks, as well as response time and throughput measurements.

As noted in Chapter 2, Microsoft also provides its own version of netstat. The options of interest here are -e and -s.
The -e option gives a brief summary of activity on any Ethernet interface:

    C:\>netstat -e
    Interface Statistics

                               Received            Sent

    Bytes                      9840233             2475741
    Unicast packets            15327               16414
    Non-unicast packets        9268                174
    Discards                   0                   0
    Errors                     0                   0
    Unknown protocols          969

The -s option gives the per-protocol statistics:

    C:\>netstat -s

    IP Statistics

      Packets Received                   = 22070
      Received Header Errors             = 0
      Received Address Errors            = 6
      Datagrams Forwarded                = 0
      Unknown Protocols Received         = 0
      Received Packets Discarded         = 0
      Received Packets Delivered         = 22064
      Output Requests                    = 16473
      Routing Discards                   = 0
      Discarded Output Packets           = 0
      Output Packet No Route             = 0
      Reassembly Required                = 0
      Reassembly Successful              = 0
      Reassembly Failures                = 0
      Datagrams Successfully Fragmented  = 0
      Datagrams Failing Fragmentation    = 0
      Fragments Created                  = 0

    ICMP Statistics

                                Received    Sent
      Messages                  20          8
      Errors                    0           0
      Destination Unreachable   18          8
      Time Exceeded             0           0
      Parameter Problems        0           0
      Source Quenchs            0           0
      Redirects                 0           0
      Echos                     0           0
      Echo Replies              0           0
      Timestamps                0           0
      Timestamp Replies         0           0
      Address Masks             0           0
      Address Mask Replies      0           0

    TCP Statistics

      Active Opens                       = 489
      Passive Opens                      = 2
      Failed Connection Attempts         = 69
      Reset Connections                  = 66
      Current Connections                = 4
      Segments Received                  = 12548
      Segments Sent                      = 13614
      Segments Retransmitted             = 134

    UDP Statistics

      Datagrams Received                 = 8654
      No Ports                           = 860
      Receive Errors                     = 0
      Datagrams Sent                     = 2717

Interpretation is basically the same as with the Unix version.
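As an added illustration (not from the book), the following Python script parses a constructed, abridged sample of the netstat -s output above and applies the rule of thumb given earlier: surface the nonzero error, discard and failure counters first, then look for a congestion hint in the TCP retransmission ratio. The 0.5% retransmit threshold is an assumption, not a figure from the text.

```python
import re
# Constructed sample, abridged from the Windows "netstat -s" output quoted on this page.
SAMPLE = """IP Statistics
  Packets Received          = 22070
  Received Address Errors   = 6
ICMP Statistics
                            Received    Sent
  Messages                  20          8
  Errors                    0           0
  Destination Unreachable   18          8
TCP Statistics
  Failed Connection Attempts = 69
  Segments Sent             = 13614
  Segments Retransmitted    = 134
"""

def parse_netstat_s(text):
    """Return {section: {counter: value}}; two-column rows become (received, sent)."""
    stats, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.split() == ["Received", "Sent"]:   # blank line or column header
            continue
        if line.endswith("Statistics"):                          # "IP Statistics" -> "IP"
            section = line.split()[0]
            stats[section] = {}
        elif "=" in line:                                        # "Name = value"
            name, value = (s.strip() for s in line.split("=", 1))
            stats[section][name] = int(value)
        else:                                                    # "Name  received  sent"
            m = re.match(r"(.+?)\s{2,}(\d+)\s+(\d+)$", line)
            if m:
                stats[section][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats

def review(stats, retrans_limit=0.005):
    """Flag nonzero error counters, then a high TCP retransmit ratio (assumed threshold)."""
    findings = []
    for section, counters in stats.items():
        for name, value in counters.items():
            total = sum(value) if isinstance(value, tuple) else value
            if total and any(k in name for k in ("Error", "Discard", "Fail")):
                findings.append(f"{section}: {name} = {total}")
    tcp = stats.get("TCP", {})
    sent, retrans = tcp.get("Segments Sent", 0), tcp.get("Segments Retransmitted", 0)
    ratio = retrans / sent if sent else 0.0
    if ratio > retrans_limit:
        findings.append(f"TCP: {retrans}/{sent} segments retransmitted ({ratio:.2%})")
    return ratio, findings
```

On the sample, the six address errors and the 69 failed connection attempts are reported, the zero ICMP error row is not, and the retransmit ratio (134/13614, just under 1%) crosses the assumed threshold.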

Chapter 5. Packet Capture

Packet capture and analysis is the most powerful technique that will be discussed in this book—it is the ultimate troubleshooting tool. If you really want to know what is happening on your network, you will need to capture traffic. No other tool provides more information. On the other hand, no other tool requires the same degree of sophistication to use. If misused, it can compromise your system's security and invade the privacy of your users. Of the software described in this book, packet capture software is the most difficult to use to its full potential and requires a thorough understanding of the underlying protocols to be used effectively. As noted in Chapter 1, you must ensure that what you do conforms to your organization's policies and any applicable laws. You should also be aware of the ethical implications of your actions. This chapter begins with a discussion of the type of tools available and various issues involved in traffic capture. Next I describe tcpdump, a ubiquitous and powerful packet capture tool. This is followed by a brief description of other closely related tools. Next is a discussion of ethereal, a powerful protocol analyzer that is rapidly gaining popularity. Next I describe some of the problems created by traffic capture. The chapter concludes with a discussion of packet capture tools available for use with Microsoft Windows platforms.