JavaScript Editor Source code editor     Website development 

Main Page

Previous Section Next Section

Protocol Dysfunction and Misconfiguration

Like any software, TCP/IP protocol software sometimes doesn't get installed properly. Even after it is installed, it might stop working because of a corrupt file or some change to the system configuration. For example, even if the software is working, the computer might not be able to connect to other computers because its IP address and subnet mask are incorrect.

The TCP/IP protocol suite provides a number of useful utilities that help you determine whether TCP/IP is functioning and properly configured, such as

  • Ping— This utility is an extremely useful diagnostic tool that initiates a simple test of network connectivity and reports on whether the other computer responds.

  • Configuration information utilities— Each OS vendor provides some form of utility that displays TCP/IP configuration information and lets you check whether the IP address, subnet mask, DNS server, and other parameters are configured properly.

  • arp— This lets you view and configure the contents of the ARP cache (see Hour 4, "The Internet Layer"), which associates IP addresses with physical/MAC addresses.

These utilities come standard with TCP/IP implementations for all operating systems. The following sections discuss these important TCP/IP configuration utilities.


If you notice that your computer can't complete a network operation, the first question you should ask is whether it can complete any other network operation. In other words, is your computer currently functioning as a member of the network? The ping utility initiates the most minimal test of network connectivity. It sends a message to another computer that says "Are you there?" and waits for the other computer to respond.

By the Way

The name ping is based on the sonar technology used by submarines and ships to locate other objects. Ping is an acronym for Packet Internet Groper.

The basic form of a ping command is

ping <IP_address>

where IP address is the address of the computer to which you'd like to connect. Like other utilities, ping offers a number of additional command-line options. These options differ, depending on the implementation and the operating system.

The ping utility sends a message to the recipient computer using the ICMP echo request command. (For more information on ICMP, see Hour 4.) If the recipient computer is present and operational, it responds using the ICMP Echo Reply message.

When the sending computer receives the reply, it outputs a message stating that the ping was successful.

Successful completion of the ping command verifies that both the pinging and the pinged computers are on the network and able to communicate. However, keep in mind that ping is a very minimal application. It requires only that the bottom two layers of the TCP/IP stack are operational. You could have problems with TCP, UDP, or applications in the upper two layers and ping would still operate. If ping operates correctly, you can largely rule out problems with items such as the Network Access layer, the network adapter, cabling, and even routers.

Ping offers a number of options that make it particularly useful for troubleshooting network problems. You can

  • Ping the local IP software using a special IP address called the loopback address: If the command ping is successful, your TCP/IP protocol software is functioning properly.

  • Ping your own IP address (in other words, ping yourself). If you can ping the IP address assigned to your network adapter, you know that the adapter is properly configured and interfaced with the TCP/IP software.

  • Ping by hostname. Most systems let you substitute a hostname for the IP address in the ping command. If you can ping a computer by IP address, but you can't ping the same computer by its hostname, you know that the problem is related to name resolution.

In a typical troubleshooting scenario, a network administrator performs the following ping commands (in this order):

  1. Ping the loopback address ( to verify that TCP/IP is working properly on the local computer.

  2. Ping the local IP address to verify that the network adapter is functioning and the local IP address is configured.

  3. Ping the default gateway to verify that the computer can communicate with the local subnet and to verify that the default gateway is online.

  4. Ping an address beyond the default gateway to verify that the gateway is successfully forwarding packets beyond the local network segment.

  5. Ping the local host and remote hosts by hostname to verify that name resolution is functioning.

The preceding steps are a good beginning for searching out a network problem. You might not find an answer, but at least you'll get a clue about where to look.

Looking Closer at Ping Output

The output for the ping command varies according to the implementation. In some systems, such as Solaris 8, the output is a single line stating <ip_address> is alive. Some versions of Linux (by default) send ICMP packets and output packet response information continuously until you press Ctrl+C. Windows NT, Windows 2000, and Windows XP (by default) send four ICMP echo requests and output four responses. It is not uncommon to receive three or even fewer responses to those four echo requests. You should not consider the occasional dropped datagram a failure, though, since the IP protocol does not guarantee delivery. However, missing responses could be an indication of an overcrowded network. Dropped packets notwithstanding, the most common responses to a ping are that all requests were successful (indicating that the connection is working) or that all requests were unsuccessful (indicating that the connection isn't working).

Some versions of the ping utility display the time in milliseconds from the time the Echo Request message is sent until the Echo Reply message is returned. Short response times indicate that a datagram does not have to pass through too many routers or through slow networks. If ping responses are returning with a TTL value near zero, it might be an indication that the connection is near the TTL threshold and some packets are getting lost or resent.

Configuration Information Utilities

All modern operating systems offer a utility that lets you view the current TCP/IP configuration. These utilities output information such as the IP address, subnet mask, and default gateway for the local computer. You can use these utilities to verify that the IP address information for the computer is what you expect. With the recent popularity of DHCP, you can't always determine the IP address information from configuration files or setup dialog boxes. The configuration information utilities tell you the address that the computer is actually using. If your computer is configured for DHCP, you might even discover that the computer has no IP address at all, indicating a problem with the DHCP server connection.

Of course, these utilities don't tell what your IP address and subnet mask should be. They just tell what address and mask your computer is using. It is then up to you to verify that the address parameters are consistent with the IP addressing scheme for your network (see Hours 5, "Subnetting" and 6, "The Transport Layer").

Unix and Linux systems use the ifconfig command to display address information. As you will recall from earlier hours, the IP address is actually associated with a network interface (such as a network adapter card) rather than with the computer itself. If a computer has two network interfaces, it will have two IP addresses. The ifconfig command displays address information associated with each network interface.

To display IP address information using ifconfig, enter

ifconfig <interface_name>

where <interface_name> is the name of the network interface for which you'd like to display address information. (In Unix and Linux, each network interface is assigned a name by the configuration file that defines the interface and is referenced by that name.) For example,

ifconfig eth0

displays the current IP address and netmask (and other parameters depending on the Unix/Linux version) for the interface called eth0.

ifconfig also lets you directly configure IP address information for a network interface by typing the IP address and netmask directly at the command line:

ifconfig eth0 <IP_Address> netmask <netmask>

where <IP_Address> is the address of the interface and <netmask> is the network mask of the interface.

The ifconfig up and down options let you enable and disable the network interface. For example

ifconfig eth0 up
ifconfig eth0 down

Other ifconfig options are also available. Options vary with the version. Consult the ifconfig man page on your Unix/Linux system for more on ifconfig:

man ifconfig

Windows NT, Windows 2000, and Windows XP use the ipconfig command to display local TCP/IP configuration settings.

ipconfig options include the following:

  • Default (no options)— When ipconfig is used without options, it displays the IP address, subnet mask, and default gateway values for each configured interface, as shown in the upper portion of Figure 13.1.

    Figure 13.1. The ipconfig and ipconfig /all commands and responses.


  • all— When the all option (ipconfig /all) is used, ipconfig displays additional information such as the IP addresses for the DNS and WINS server(s) it is configured to use, as well as the physical address burned into local network adapters. If addresses were leased from a DHCP server, ipconfig displays the IP address of the DHCP server and the date the lease is scheduled to expire. (Setting up a DHCP server is an advanced topic that is covered in Hour 12, "Dynamic Host Configuration Protocol (DHCP).")

  • releaserenew— These optional parameters work only on computers that lease their IP address from a DHCP server. If you enter ipconfig /release, the leased IP addresses for all interfaces are released back to the DHCP server(s). Conversely, if you enter ipconfig /renew, the local computer attempts to contact a DHCP server and lease an IP address. Be aware that in many cases the network adapter(s) will be reassigned the same IP addresses previously assigned.

By the Way

A variation on the release and renew options can be used to release or renew one adapter at a time in a computer that contains multiple network adapters. Assuming one of the computer adapters is named Elnk31, this one adapter can be released or renewed by using the command ipconfig /release Elnk31 or ipconfig /renew Elnk31.

If you are using Windows 95 or 98, you use the command winipcfg instead of ipconfig. Winipcfg displays a graphical interface with the same information as displayed by ipconfig, and it provides the same options for releasing and renewing IP addresses. (See Figure 13.2.)

Figure 13.2. Output from the Windows winipcfg utility.


Address Resolution Protocol (ARP)

ARP is a key TCP/IP protocol used to determine the physical address that corresponds to an IP address. Each host on a TCP/IP network maintains an ARP cache—a table used to connect IP addresses to physical addresses. The arp command enables you to view the current contents of the ARP cache of either the local computer or another computer. In most cases, the protocol software takes care of updating the ARP cache, and cases in which you need to use the arp command to troubleshoot a network connection are rare. However, the arp command is occasionally useful for tracing subtler problems related to the association of IP addresses with physical addresses. Some Unix and Linux systems, for instance, still require manual configuration of the physical address.

The arp command also enables you to enter desired physical/IP address pairs manually. You might want to do this for commonly used hosts such as the default gateway and local servers. This helps reduce traffic on the network.

Entries in the ARP cache are dynamic by default. Entries are automatically added to the cache whenever a directed datagram is sent and a current entry does not exist in the cache of the destination computer. The cache entries start to expire as soon as they are entered. Therefore, don't be surprised if there are few or no entries in the ARP cache. Entries can be added by performing pings of another computer or router. The following arp commands can be used to view cache entries:

  • arp -a— Use this command to view all ARP cache entries.

  • arp -g— Use this command to view all ARP cache entries.

    By the Way

    You can use either arp -a or arp -g. The -g option has for many years been the option used on Unix platforms to display all ARP cache entries. Windows NT/2000 uses arp -a (think of -a as all), but it also accepts the more traditional -g option.

  • arp -a <IP address>— If you have multiple network adapters, you can see just the ARP cache entries associated with one interface by using arp -a plus the IP address of the interface, for example, arp -a

  • arp -s — You can add a permanent static entry to the ARP cache manually. This entry remains in effect across boots of the computer, and is updated automatically if errors occur using manually configured physical addresses. For example, to add an entry for a server manually using IP address with a physical address of 0080C7E07EC5, enter arp -s 00-80-C7-E0-7E-C5.

  • arp -d <IP address>— Use this command to delete a static entry manually. For example, enter arp -d

See Figure 13.3 for examples of arp commands and responses.

Figure 13.3. arp commands and responses.


    Previous Section Next Section

    JavaScript Editor Source code editor     Website development