Packets Dropping? Funny Routing Behavior? Start Here Before the Panic Sets In!

source: cybrary.it

What are we doing?

This lab consists of 6 exercises that guides us through the use of network utilities when trying to troubleshoot a misconfigured network connection. First exercise introduces us to the command ipconfig while exercise 2 and 3 introduces us to pathping and route. Next, exercise 4 brings us over to the Linux world and introduces us to iptables before heading into the commands tcpdump and nmap.

Why would we want to do this?

Network utilities like ipconfig and pathping are extremely useful troubleshooting and analysis tools when it comes to understanding what’s going on within our network. We need to learn how to better investigators when it comes to finding the problem. A lot of the times, our problem can be as complex as packets mysteriously dropping from one end user but not to the others. Knowing what tools we can use that are already readily available (and free) that can also provide us with the enlightenment needed to find a solution.

Who would use this?

Primarily, this would be used for anybody trying to troubleshooting their own network or trying to figure out why Janice’s computer suddenly won’t communicate with the rest of her executive team.

Thoughts?

Still thinking, stay tuned..

Vendor: Practice Labs

Lab: 1.15 — Troubleshoot Network Connectivity with Network Utilities

Lab Learning Outcomes:

After completing this lab, we will be able to:

CompTIA Network+ N10–007 Exam Objectives:

N10–0073.3: Explain common scanning, monitoring and patching processes and summarize their expected outputs:

N10–0074.5: Given a scenario, implement network device hardening:

N10–0075.2: Given a scenario, use the appropriate tool:

N10–0075.5: Given a scenario, troubleshoot common network service issues (Blocked TCP/UDP ports)

source: practice labs

Exercise 1

Using ipconfig

Ipconfig, short for Internet Protocol Configuration, is a tool to display all existing IP network configuration values. The tool is also used to change settings of Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS). The ipconfig command with the switch /all provides more detailed information than ipconfig.

The parameter /release releases the IP address for the specified adapter from DHCP server. The parameter /renew renews the IP address for the specified adapter from DHCP server.

Here’s a snapshot of the ipconfig guide from the Command Prompt Terminal:

terminal command: ipconfig /?

And here’s a Microsoft documentation/guide on ipconfig:

Learning Outcome:

After completing this exercise, we’ll be able to:

Task 1 — Use the Ipconfig Tool

In this task, we’ll learn the various commands of ipconfig tool by saving the ipconfig information on a text file for later viewing.

Step 1: Connect to our PLABWIN10 device, and open a Command Prompt Terminal and input:

ipconfig /all > ip.txt

Step 2: To read the contents of ip.txt in Notepad, input:

notepad ip.txt

The Notepad application window opens, indicating the IP settings of PLABWIN10.

Scroll down to see the other network details of this computer.

Close Notepad.

Minimize the Command Prompt window.

Task 1 Complete!

Now we know how to transfer ipconfig information to a text file for future referencing and documentation, which we’ll use in Task 2!

Task 2 — Modify Network Settings

We can disable or uninstall some network settings like IPv6 which will alter the output of the ipconfig command. Remember from the previous troubleshooting labs that turning IPv6 off is recommending when troubleshooting connectivity.

To modify network settings, perform the following steps:

Step 1: On PLABWIN10 device, click in the Type here to search text box, type:

control panel

As we type, the Control Panel options appears on popup menu. Select the option.

Step 2: On the Control Panel window, select the View network status and tasks link under the Network and Internet heading.

Step 3: On the Network and Sharing Center window, under the View your active networks section, click Ethernet link.

Step 4: On the Ethernet Status dialog box, click Properties.

Step 5: On the Ethernet Properties dialog box, clear Internet Protocol Version 6 (TCP/IPv6) check box.

Click OK.

Close all the open windows to access the desktop.

Step 6: Restore Command prompt from the taskbar.

Step 7: To get the updated IP settings, type:

ipconfig

Press Enter.

Step 8: Notice that the Ethernet adapter Ethernet section no longer has a Link-local IPv6 address as it did in its previous output. Review the ip.txt file to verify this if necessary.

Recall that we cleared the TCP/IPv6 check box for the Ethernet network connection and so all IPv6 parameters have been removed.

Keep the command prompt window open.

Exercise 1 Complete!

Now we know how to utilize the ipconfig command to verify IPv4/IPv6 connectivity!

Exercise 2

Using pathping

Pathping is a Windows-based TCP/IP diagnostic tool that provides information about the network path, network delays and dropped packets from the source to the destination network. This tool combines the functionality of tracert and ping commands to verify connectivity between devices.

Here’s a snapshot of the pathping guide from the command prompt terminal:

And here’s a link to a Microsoft documentation/guide on pathping:

Learning Outcome:

After completing this exercise, we’ll be able to:

Task 1 — Test Host Reachability Using Pathping

To use pathping tool, perform the following steps:

Step 1: Connect to our PLABWIN10 device.

On the command prompt window, input:

pathping 192.168.0.2

Press Enter.

This command traces the route and computes the network statistics from source to destination network.

Note: We can issue the cls command to clear the screen for ease of working.

After a few seconds, we get the information about network route taken and statistics on the network latency and packet loss.

Step 2: To send a pathping using a target host’s fully qualified domain name, type:

pathping plabdc01.practicelabs.com

Press Enter.

As in the earlier step, we get information about the network path taken and statistics of the network latency and packet loss.

Step 3: To test the route to a remote web site like google’s DNS server at 8.8.8.8, type:

pathping 8.8.8.8

Press Enter.

Note: The Practice Labs devices are running behind a firewall and will be unable to trace such routes. We can attempt this on our personal computer as well and compare results.

Wait while PLABWIN10 attempts to find the route starting from its IP address 192.168.0.5, then on to 192.168.0.250 which is the default gateway being used by the PLABWIN10 device.

Initially, pathping will report that destination host is unreachable because of network security policies on the corporate network and the target network the attempt to trace route from the source to destination network will fail.

On the Computing statistics section, notice the network information collected. The packet went back to the sending node and was unable to reach its destination.

Keep the command prompt window open for the next activity.

Exercise 2 Complete!

Now we know how to follow/trace a packet from point A to point B to see if its following the right path!

Exercise 3

Using Route

Route is a Windows-based command that allows for the viewing of the local routing table of the device as well as the manipulation of this routing table.

Here’s a snapshot of the route help/guide from the command prompt terminal:

And here’s a Microsoft documentation/guide on route:

Learning Outcome:

After completing this exercise, we’ll be able to:

Task 1 — View Routing Table

To use route tool and view the routing table of the PLABWIN10 device, perform the following steps:

Step 1: Connect to the PLABWIN10 device.

On the Command Prompt window, type the following:

route print

Press Enter.

The routing information of the device is displayed. Note the following:

Step 2: In the output of the routing information, locate the persistent routes. These are routes that have been configured that will remain in the configuration even after a reboot of the device.

Step 3: Attempt to ping the PLABWEB01 device which is on the 192.168.1.0/24 subnet. To do so, type the following command:

ping 192.168.1.1

Press Enter.

The ping is successful. This is because of the following persistent route:

Step 4: In this step, we’ll remove the persistent route. To do so, we require elevated privileges at the Command Prompt. To achieve this, click in the Type here to search text box, type cmd and on the popup menu, select Command Prompt > Run as Administrator.

Click Yes on the User Account Control dialog box.

Step 5: A new Command Prompt window appears. Type the following command to remove the route to the 192.168.1.0/24 subnet:

route delete 192.168.1.0 mask 255.255.255.0 192.168.0.1 metric 1

Press Enter.

Step 6: The command prompt confirms that the command was accepted. Type the following to examine the routing table:

route print

Step 7: Notice that the persistent route has been removed and only the default gateway remains. Close the active Command Prompt window.

Task 1 Complete!

Task 2 — Examine Routing Behavior

We’ll now examine the routing behavior of the device after the persistent route has been removed using the route tool

To do this, perform the following steps:

Step 1: On the PLABWIN10 device, access the command prompt window.

Ping the PLABWEB01 device using the following command:

ping 192.168.1.1

Press Enter.

The ping fails this time. Notice the IP address from which there is a reply: 192.168.0.250. This is the default gateway of the device. Since the persistent route to the 192.168.1.0/24 subnet has been removed, the device attempts to reach the 192.168.1.1 device via the 192.168.0.250 gateway. However, this gateway has no way to reach this host, so it returns an ICMP message indicating that the host is unreachable.

Step 2: Using tracert, verify that the next hop that is being used is indeed the 192.168.0.250 gateway. To do this, issue the following command:

tracert 192.168.1.1

Press Enter.

The next hop gateway being used is indeed the 192.168.0.250 device. Once it returns that the destination is unreachable, the trace ends.

Task 3 — Reinstate the Persistent Route

In this task, we’ll reinstate the persistent route to the 192.168.1.0/24 subnet via the 192.168.0.1 gateway using the route command.

To do this, perform the following steps:

Step 1: On the PLABWIN10 device, access the command prompt with elevated rights, as done earlier.

Type the following command:

route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.1 metric 1

Press Enter.

Note the -p option makes the route persistent, that is, it will remain in the routing table even after a reboot of the device.

Step 2: The command line responds that the persistent route has been added. To verify that it has been added, type the following command:

route print

Press Enter.

Step 3: Locate and verify that the persistent route to the subnet has been added.

Close the active command prompt window.

Step 4: On the command prompt window with normal rights, attempt a ping PLABWEB01 once again using the following command:

ping 192.168.1.1

Press Enter.

The ping is now successful. The addition of the route made the 192.168.1.0/24 subnet reachable.

Exercise 3 Complete!

Now we know how to manually route traffic to a specific server on our network and determine if each system is using the right gateway!

Exercise 4

Using iptables

iptables is a utility program that allows a system administrator to configure specific rules that will be enforced by the device on all packets traversing the device. It acts as a packet filter and firewall that examines and directs traffic based on port, protocol, and other criteria. iptables is a Linux based utility. In this exercise, we’ll examine how it functions.

Here’s a snapshot of the iptables guide from the command prompt terminal:

And here’s documentation on iptables command:

And here’s another lab/guide on iptables that I found to be really useful:

Learning Outcome:

After completing this exercise, we’ll be able to:

Task 1 — Use iptables to Block a Source IP

In this task, we’ll examine the iptables utility and use it to block input and forwarded packets based on the source IP address. To use the iptables tool to do this, perform the following steps:

Step 1: Switch to the PLABRTR01 device.

Click the Terminal icon on the left.

Step 2: The terminal window appears. Maximize the window for ease of use.

Type the following command at the terminal prompt to view the current default settings of iptables:

sudo iptables -L -nv

Press Enter. When prompted, type the following password and press Enter:

Passw0rd

Step 3: Because there are no default rules in the iptables, there will be three empty chains in the output without any firewall rules. This means that all traffic traversing the router will be allowed.

In this step, we’ll configure a rule to block all traffic that comes from the PLABDC01 (192.168.0.2) device.

To configure this rule, type the following command and press Enter.

sudo iptables -I INPUT -s 192.168.0.2 -j DROP

Step 4: Examine the new rule that has been added by issuing the following command and pressing Enter:

sudo iptables -L -nv

Notice that a new policy has been applied to the INPUT chain where all packets, in either an inward or outward direction that have a source IP address of 192.168.0.2 will be blocked.

Step 5: In this step, we’ll test this rule.

Go to the PLABDC01 device, minimize the Server Manager and open a Command Prompt window.

Test the connectivity to the PLABRTR01 device by issuing the following command and pressing Enter:

ping 192.168.0.1

We can see that the ping has failed.

Step 6: Return to the PLABRTR01 device. Type the following command once again and press Enter.

sudo iptables -L -nv

Examine the output and notice that the number of Chain pkts and the number of INPUT bytes is no longer zero. This is the number of packets that have matched this rule and have been dropped as well as the total number of bytes these packets contained.

Step 7: To verify that the rule only applies to packets sourced from PLABDC01, connect to the PLABWIN10 device and attempt the same connectivity test. Open the Command Prompt window.

Type the following command and press Enter:

ping 192.168.0.1

The ping is successful.

Step 8: Connect once again to the PLABDC01 device. Attempt to ping the PLABWEB01 device from here. To do so, type the following command and press Enter:

ping 192.168.1.1

Note that any communication between PLABDC01 and PLABWEB01 will traverse the PLABRTR01 device and will be affected by iptable configuration in that device.

The ping is successful.

Intuitively, this should not be the case since the source of the ping was the PLABDC01 device.

Step 9: Return to the PLABRTR01 device. Enter the following command once again, press Enter and examine the output:

sudo iptables -L -nv

If it has been long enough from the last time we’ve entered the command, we may be asked to enter the administrator password once again. If so, enter Passw0rd and press Enter.

Upon examination, we’ll see that no additional packets have matched the criteria of the INPUT chain even though packets have traversed the device. This is because the INPUT chain matches only packets that have a destination of the PLABRTR01 device. It is the FORWARD chain that matches packets that are passed through the device and forwarded on to their destination, as is the case with the pings we initiated from PLABDC01 to PLABWEB01.

Step 10: To configure a rule that will block packets sourced from the PLABDC01 IP address that is forwarded through the device, enter the following command and press Enter:

sudo iptables -I FORWARD -s 192.168.0.2 -j DROP

Step 11: Examine the new rule that has been added by issuing the following command and pressing Enter:

sudo iptables -L -nv

Notice that a new rule has been added in the FORWARD chain with the appropriate parameters.

Step 12: Connect once again to the PLABDC01 device. Attempt to ping the PLABWEB01 device from here. To do so, type the following command and press Enter:

ping 192.168.1.1

Note that any communication between PLABDC01 and PLABWEB01 will traverse the PLABRTR01 device and will be affected by iptable configuration in that device.

The ping, as expected, is unsuccessful.

Step 13: Return to the PLABRTR01 device. Enter the following command once again, press Enter and examine the output:

sudo iptables -L -nv

Notice that four packets have matched the FORWARD chain. These correspond to the attempted ping from the PLABDC01 device to the PLABWEB01 device.

Task 1 Complete!

Now we know how to use the iptables command to block access to certain systems and ports!

Task 2 — Using iptables to Block a Destination Port

In this task, we’ll use the iptables utility to block input packets based on the destination port.

To use the iptables tool to do this, perform the following steps:

Step 1: Connect to the PLABWIN10 device and open Internet Explorer from the taskbar.

In the address bar, type the following address and press Enter.

http://plabrtr01/

Step 2: The default Apache website appears. We have verified that web connectivity from the PLABWIN10 device to the PLABRTR01 device is achievable.

Step 3: Connect to the PLABRTR01 device. In this step, we’ll block all incoming traffic that has a destination port of 80.

To do so, type the following command in the Terminal window and press Enter:

sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP -i eth0

Step 4: Examine the new rule added by issuing the following command and pressing Enter:

sudo iptables -L -nv

Notice the added rule for port 80. Because the -A parameter was used, the rule was appended to the end of the INPUT chain and did not replace the currently configured rule.

Step 5: Return to the PLABWIN10 device.

Click the refresh button beside the address bar to refresh the default Apache web page.

Step 6: After several seconds, the browser returns an error message. As expected, the iptables parameter has blocked port 80 on the PLABRTR01 device.

We may have to click refresh several times to get the same results as the browser may display a cached copy of the web page.

Close the Internet Explorer window and any other window that may have remained open.

Step 7: Return to the PLABRTR01 device. Type the following command once again and press Enter.

sudo iptables -L -nv

Examine the output and notice that the number of Chain pkts and the number of INPUT bytes for the new rule is no longer zero. Once again, this is the number of packets that have matched this rule and have been dropped as well as the total number of bytes these packets contained.

Step 8: Before going on to the next exercise, remove the rule that blocks all packets on port 80. To do so, the -A option is replaced with the -D parameter. Type the following command in the terminal window and press Enter.

sudo iptables -D INPUT -p tcp --destination-port 80 -j DROP -i eth0

Step 9: To verify that the rule is removed, type the following command again and press Enter.

sudo iptables -L -nv

Notice that the rule is indeed removed.

Exercise 4 Complete!

Now we know how to use iptables on Linux!

Exercise 5

Using tcpdump

tcpdump is a command line packet analyzer primarily used in Linux based systems. It essentially prints out the contents of network packets. It is useful while troubleshooting network problems on a packet by packet basis. In this exercise, we’ll examine how it functions.

Here’s a snapshot of the tcpdump guide from the command prompt terminal:

And here’s documentation on tcpdump:

Learning Outcome:

After completing this exercise, we’ll be able to:

Task 1 — Capture Packets Using tcpdump

To use the tcpdump tool to capture and examine ICMP packets, perform the following steps:

Step 1: Switch to the PLABRTR01 device and maximize the Terminal window for ease of use. Clear the contents of the Terminal window by typing the following command and pressing Enter:

clear

Step 2: To begin capturing all packets on the eth0 interface, type the following command and press Enter:

sudo tcpdump -i eth0

Step 3: As packets arrive on the interface, information about these begins to appear. Let several packets be captured and then cancel the capture by trying the following command:

Ctrl-C

The packets that are captured are Spanning Tree Protocol packets. Specifically, they are Rapid STP BPDUs and are used by network switches to avoid creating what are called layer 2 loops. The network interface of the PLABRTR01 device detects them, and they are captured by the tcpdump utility.

If we wait long enough, we may see other types of packets on the network as well. These will be examined later in this lab.

Step 4: We can make the output more verbose, that is, more information about each packet that is received can be displayed. Type the following command to show a more verbose output and press Enter:

sudo tcpdump -i eth0 -v

Step 5: Let the capture run until we see a different type of packet arrive. In the following screenshot, we’ll see the STP BPDUs that have been viewed before as well as a DHCP Discover message.

If we do not receive such a packet during our capture, examine the one in the screenshot below. We may receive additional types of packets during our capture, and we can examine each one at our leisure.

In each case, we can see the details of the information found in each packet. Spend some time examining the contents of the packets we capture.

Task 1 Complete!

Task 2 — Use tcpdump with additional parameters

tcpdump has the capability of capturing packets based on several parameters including protocol type and destination port. To use this tool with these parameters, perform the following steps:

Step 1: We’ll configure tcpdump to capture packets that use the ICMP protocol. In other words, ping packets will be captured. We’ll also limit the number of packets captured to 6. In order to do this, type the following command in the terminal Window and press Enter:

sudo tcpdump -i eth0 -c 6 icmp

If we are asked for the administrator password, type the following and press Enter:

Passw0rd

We are presented with a message stating that the utility is listening on eth0.

Step 2: Go to the PLABWIN10 device. Open the Command Prompt window if it is not already open. Ping PLABRTR01 by typing the following command and pressing Enter:

ping 192.168.0.1

Once complete, issue the above command a second time so that a total of 8 ICMP packets have been sent.

Step 3: Once the ping is complete, go back to PLABRTR01 and examine the output in the terminal window. A total of six entries have been made. Once those entries were made, the tcpdump terminated. Notice the information contained within each of the packet captures.

Step 4: Next, clear the terminal window, and configure tcpdump to capture packets that have a destination port of 80. To do this, type the following commands in the terminal window and press Enter after each one:

Clear the screen:

clear

Capture packets:

sudo tcpdump -i eth0 port 80

We are presented with a message stating that the utility is listening on eth0.

Step 5: Connect to the PLABWIN10 device and open Internet Explorer from the taskbar.

In the address bar, type the following address and press Enter.

http://plabtr01/

Step 6: The default Apache web page appears.

Step 7: Go back to the PLABRTR01 device and examine the output in the Terminal window. Several packets should have been captured. Type the following to end the packet capture:

Ctrl-C

Notice the summary at the end that indicates the total number of packets captured. Our values may vary.

Exercise 5 Complete!

Now we know how to utilize the tcpdump command on our Linux systems!

Exercise 6

Using nmap

nmap, which is short for Network Mapper, is a Linux based utility that, as its name suggests, maps a network. It can perform network scans to identify what services a host is running, determining the operating system it is using as well as the applications it may have running. Other information includes IP addresses, MAC addresses as well as an identification of the host firewall type a device may be using. nmap is a powerful tool that can be used by network admins but may also be leveraged by malicious users as well. In this exercise, we’ll examine how nmap functions.

Here’s a snapshot of the nmap guide from the command prompt terminal:

And here’s documentation for the nmap command:

Learning Outcome:

After completing this exercise, we’ll be able to:

Task 1 — Explore Working of nmap

To use nmap to determine the operating systems in use by hosts on the network, perform the following steps.

Step 1: Switch to PLABRTR01 and, if it has not already been done, maximize the terminal window for ease of use. Clear the contents of the terminal window by typing the following command and pressing Enter:

clear

Begin by installing nmap on PLABRTR01 by typing the following command and then pressing Enter:

sudo apt install nmap

When prompted, type y and press Enter.

Step 2: Once the installation is complete, scan the PLABWIN10 device by typing the following command and then pressing Enter:

nmap 192.168.0.5

We may receive a response stating that the host seems down. If this is received, please type:

nmap -Pn 192.168.0.5

If the command takes up to a minute to complete, we can press Enter to get a status report of the operation that includes the estimated time remaining.

Once the operation is complete, the report appears listing open and closed ports on the device as well as the amount of time the scan took.

Step 3: To list information about the operating system on PLABWIN10, a procedure also known as OS fingerprinting, issue the following command and press Enter.

sudo nmap -O 192.168.0.5

The parameter -O is the uppercase letter O as in OSI.

Note that this command requires root privileges and that is why it must be preceded by the sudo keyword. Enter a password of Passw0rd if we are requested for one. Once again, this operation may take up to a minute to complete.

Notice that the output lists information concerning the OS version including build numbers and service pack information.

Step 4: To perform a more aggressive scan of specific services and their parameters that may be running on PLABWIN10, issue the following command and press Enter.

sudo nmap -sV 192.168.0.5

We may need to scroll through the output to examine it more closely. Notice that in this output, for every open port, there is a more detailed description of the application running on it including the service name and its version.

We may also notice that additional service is running which returned data but is not recognized by the nmap utility. We are given a set of data known as a fingerprint that we are asked to submit to the nmap public repository. This is a good example of how users participate in the advancement and development of open source software.

Step 5: To scan the whole subnet using nmap, issue the following command and press Enter.

nmap 192.168.0.0/24

Because the whole subnet is being scanned, this may take a little longer than the previous scans. Once again, we can press Enter to obtain a status report and the estimated time to completion of the process.

Once the operation is complete, we can see the report stating the number of hosts found and scanned on the subnet.

Scroll up to examine the output further. Notice the following:

Exercise 6 Complete!

We should now be able to:

Anxious Buddhist | Hobby Eater | Maze Master

Anxious Buddhist | Hobby Eater | Maze Master