CompTIA Network+ Certification Study Guide part 55 doc

CHAPTER 11: Network Troubleshooting Tools 526
own header to the packet. When a network packet is passed from one host to
another, the receiving host will read or analyze the packet one layer at a time,
with the application layer reading the application layer header, the
presentation layer reading the header from the presentation layer, and so forth.
You can use your understanding of the OSI model to improve your
troubleshooting techniques. It’s important to understand what takes place at
each layer of the OSI model, and which devices operate at these layers. When
it comes to network troubleshooting, the most important layers of the model
are the physical, data link, network, and transport layers. Let’s take a look at
each of these layers in turn.
The Physical Layer
The physical layer is the lowest layer of the OSI model, and it involves the
actual electrical signals that are going from the network cables into the NIC
of a computer, switch, router, or hub. A failure at the hardware level will
usually involve the physical components of a computer or device, such as
the cable that connects the computer to the network or the network card
itself. Network hubs also operate at the physical layer, so a failure in a
network hub could also lead to connectivity issues that occur at the physical
layer. The physical layer is responsible for a number of different functions,
including:
■ The type of signal transmission used
■ The cable type
■ The actual layout or path of the network wiring
■ The voltage and electrical signals being used by the network cabling
When using the OSI model for troubleshooting, you should know which
devices operate at which layer. The following physical devices function at the
physical layer of the OSI model:
■ Network cabling
■ Network interface cards
■ Active and passive hubs
■ Repeaters
Note
We are only going to touch on the function of each layer here – refer back to previous
chapters for an in-depth look at the layers of the OSI model.
The OSI Model 527
When troubleshooting at the physical layer, be on the lookout for issues
with NIC drivers, as well as physical failures of a NIC, hub, or length of
cabling.
The Data Link Layer
The data link layer is responsible for taking the information from the
physical layer and organizing it into frames. The data link layer takes the
information that it receives from higher up in the OSI model and passes it
down to the physical layer to be transmitted across the wire. The functions
of the data link layer include error checking, where the data link layer will
add error-checking information onto each frame of data that it transmits.
The data link layer is also responsible for error-free delivery of these data
frames as well as maintaining the reliability of the communications between
two computers.
The two types of devices that operate at the data link layer of the OSI
model are switches and bridges. Bridges are able to divide a network into
multiple segments, but they aren’t able to actually subnet a network the
way that a router does. So, if you use a bridge to physically separate two
areas of the network, it will still appear to be one big network to
higher-level protocols in the network layer, transport layer, and above. Bridges and
switches are useful for cutting down on network congestion because they can
do some basic filtering of data traffic based on the MAC address of the
destination computer. When a transmission reaches the bridge, the bridge will
not pass it across to the other side of the network if the MAC address of the
destination computer is known to be on the same side of the network as the
sending computer. As a part of this process, the bridge or switch will build
tables (similar to a routing table) indicating which addresses are on which
side, and use them to determine whether to let the transmission across.
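The learn-then-filter behaviour described above, as an added example that is not from the book: a two-port bridge that records which side each source MAC address was seen on and uses that table to decide what to do with every frame. The class, function names and MAC addresses are constructed for illustration.

```python
FLOOD, FORWARD, FILTER = "flood", "forward", "filter"
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningBridge:
    def __init__(self):
        self.table = {}          # MAC address -> port it was last seen on

    def receive(self, port, src, dst):
        """Process one frame arriving on `port`; return the decision taken."""
        self.table[src] = port   # learn (or refresh) the sender's side
        if dst == BROADCAST or dst not in self.table:
            return FLOOD         # unknown or broadcast: send out the other side
        if self.table[dst] == port:
            return FILTER        # destination is on the arrival side: do not pass
        return FORWARD           # destination is known to be across the bridge

def replay(frames):
    """Feed frames through a fresh bridge; return (decisions, final table)."""
    bridge = LearningBridge()
    return [bridge.receive(*frame) for frame in frames], bridge.table

# Constructed sample traffic: (arrival port, source MAC, destination MAC)
FRAMES = [
    (1, "00:aa:00:00:00:01", "00:aa:00:00:00:02"),  # A -> B, B not learned yet
    (1, "00:aa:00:00:00:02", "00:aa:00:00:00:01"),  # B -> A, both on port 1
    (2, "00:bb:00:00:00:03", "00:aa:00:00:00:01"),  # C -> A, across the bridge
    (1, "00:aa:00:00:00:01", "00:bb:00:00:00:03"),  # A -> C, across the bridge
    (2, "00:bb:00:00:00:03", BROADCAST),            # C broadcasts
]

if __name__ == "__main__":
    decisions, table = replay(FRAMES)
    for frame, decision in zip(FRAMES, decisions):
        print(frame, "->", decision)
    print(table)
```

The first frame is flooded because the bridge has not yet seen its destination; the second is the filtering case the text describes, where both computers are on the same side.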
Test Day Tip
An active hub will boost the signal that’s being sent before transmitting it to the nodes
attached to the hub. A passive hub will simply transmit the information without any sort
of boost.
Test Day Tip
At the data link layer, frames are addressed from one computer to another by way of the
physical MAC address that’s burned into every NIC card.
The Network Layer
The network layer is where the majority of troubleshooting issues will
occur. The network layer takes the frames it receives from the data link
layer and organizes them into packets. The network layer is also the layer
where physical MAC addresses are translated into IP addresses. Unlike
MAC addresses, which are physically assigned to each NIC and can never be
changed, IP addresses are logical addresses that can be added, modified, and
removed as often as you want. This allows a single computer to be moved
and reconfigured to belong to many different IP subnets throughout the
course of its life. This flexibility comes at a price, because these IP addresses
are assigned by human administrators and are therefore somewhat prone to
misconfiguration and error. If you misconfigure a network card’s IP address
or subnet mask by even a single digit, that computer will experience
connectivity issues and may not be able to connect with other local and remote
computers. The most important physical device at the network layer is the
router. This is the device that uses the logical IP addresses of the network
layer to transmit network packets from one subnet to another.
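Why a small mistake in the IP address or subnet mask breaks connectivity, as an added example that is not from the book: the host compares every destination with its own subnet to decide whether to deliver directly or hand the packet to its router, so a wrong mask or address changes that decision. The addresses, configuration names and function names are constructed for illustration.

```python
import ipaddress

def next_hop(local_ip, mask, gateway, destination):
    """How a host with this IP configuration would try to reach `destination`.

    'direct'      -> destination looks on-link, host resolves its MAC itself
    'gateway'     -> destination looks remote, packet goes to the router
    'unreachable' -> destination looks remote but the gateway is off-subnet
    """
    iface = ipaddress.ip_interface(f"{local_ip}/{mask}")
    if ipaddress.ip_address(destination) in iface.network:
        return "direct"
    if ipaddress.ip_address(gateway) not in iface.network:
        return "unreachable"
    return "gateway"

# Constructed sample values (private addresses chosen for illustration).
GATEWAY = "192.168.1.1"
LOCAL_PEER = "192.168.1.200"     # really on the same /24 as the host
REMOTE_PEER = "192.168.2.50"     # really behind the router

CONFIGS = {
    "correct":        ("192.168.1.101", "255.255.255.0"),
    "mask too long":  ("192.168.1.101", "255.255.255.128"),
    "mask too short": ("192.168.1.101", "255.255.0.0"),
    "wrong address":  ("192.168.11.101", "255.255.255.0"),
}

def diagnose(configs=CONFIGS):
    """Map each configuration to (path to local peer, path to remote peer)."""
    return {
        name: (next_hop(ip, mask, GATEWAY, LOCAL_PEER),
               next_hop(ip, mask, GATEWAY, REMOTE_PEER))
        for name, (ip, mask) in configs.items()
    }

if __name__ == "__main__":
    for name, paths in diagnose().items():
        print(f"{name:15} local peer: {paths[0]:12} remote peer: {paths[1]}")
```

With the mask too short, the host treats the remote peer as local and never sends the packet to the router; with the mask too long, traffic for a neighbour on the same wire is sent to the router instead.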
Depending on where the problem occurs, failures at the network layer
can create connectivity issues for a single client or an entire subnet. When
this happens, the devices in question will not be able to communicate with
another portion of a network, either because of a physical device failure or
because a router has been configured with an incorrect route, subnet mask,
or some other key piece of information. Because network layer issues can
render a computer entirely unable to communicate on a routed network,
they tend to be the most visible troubleshooting issues, so you should have
a firm grasp of the functions of the network layer and the tools you can use
to troubleshoot here. The best tools to check connectivity at the network
layer are ping, tracert, traceroute, and pathping, which we’ll discuss in a later
section.
The Transport Layer
Once a packet has left the network layer, the transport layer takes over. This
is where network packets are even further differentiated by the port
number that they are using to communicate – these port numbers can be for
either connection-oriented TCP communications or low-overhead
connectionless User Datagram Protocol (UDP) applications. Any application that
has to communicate between two networked computers will have to use a
particular port number, and the most common services all have well-known
port numbers that have been assigned by the Internet Assigned Numbers
Authority (IANA). Firewalls and proxy servers will often work at the transport
Windows Tools 529
layer to filter traffic based on the TCP or UDP port that it’s using. If you’re
having issues at the transport layer, you’ll probably find individual network
applications that aren’t functioning properly – like a user who can Telnet to
a particular host, but is unable to connect to the Web server running on the
same computer.
The transport layer is responsible for making sure that data sent by one
computer arrives at its intended destination in good condition. Sending and
receiving computers also need a way to differentiate between different
communications that may be addressed to different applications on the same
computer, which is where TCP and UDP port numbers become useful.
Troubleshooting the transport layer is quite similar to working at the application
layer, as the TCP and UDP protocols form the basis of the ports that are
used by all network applications. So you can use telnet to see if a particular
port is listening on the destination machine, and you can use the netstat
utility, which will be discussed in the next section, to see a list of all ports
that are listening on a particular machine.
WINDOWS TOOLS
Because TCP/IP has become the default network protocol for Windows
operating systems, it’s important to have a good understanding of TCP/IP
troubleshooting when working with any of the Microsoft operating systems.
Windows computers have a number of built-in utilities that will assist you
in troubleshooting TCP/IP problems relating to basic connectivity and name
resolution. The most common tools that you should be aware of include the
following:
■ ping
■ nslookup
■ tracert
■ arp
■ ipconfig
■ nbtstat
■ netstat
■ pathping
In this section, we’ll take a detailed look at each of these tools, including
what the tool is used for and what type of output it produces. We’ll also look
at some examples of how to apply these tools, and other more advanced tools
that won’t necessarily appear on the Network+ exam, but can still be used
to troubleshoot a particular problem.
Utilizing the ping Command
The ping command, which stands for Packet INternet Groper, uses Internet
Control Message Protocol (ICMP) echo messages to communicate with other
computers. You will usually use the ping command to test basic TCP/IP
connectivity between two computers. You can ping a computer using either its
IP address or its hostname.
In Figure 11.3, we are using a hostname to test connectivity with a target
machine.
The ping command has the following switches:
■ ping -t will ping a specified host continuously until you stop it by
typing Ctrl + C. Typing Ctrl + Break will show you statistics on
the ping results and then continue.
■ -a resolves IP addresses to hostnames. For example, if you ping a
computer with the IP address 192.168.1.101 and you need to find out
its Domain Name System (DNS) name, you can ping using the -a
switch. The output of utilizing this switch is displayed in Figure 11.4.
■ -n will let you specify the number of ping packets to send. For
example, the command ping -n 10 192.168.1.101 will send 10 ping
packets to the specified host.
■ -w specifies how long each packet should wait before it times out and
returns a “Request timed out” error. The default value is 1000 ms.
■ -i will change the default Time To Live (TTL) for the ICMP echo
messages used by the ping command. By default, the TTL is 252,
which means that a ping command can pass through 252 router hops
before the packet is dropped. You can alter this value using the -i
switch.
FIGURE 11.3 Utilizing a Hostname with the ping Command.
FIGURE 11.4 Utilizing the ping Command with the -a Switch.
Utilizing the tracert Command
The tracert utility allows you to trace the path that a network packet will
take from one host to another. A network packet will often have to pass
through several routers or hops to reach its destination, and you can use
tracert to determine whether one of these routers, or a link between two
routers, is overloaded or has failed. The tracert utility works by sending a
series of ICMP echo requests, much like the ping utility. For example, when
you type tracert www.digitalthink.com at the command prompt, you’ll see
output that resembles the output displayed in Figure 11.5. Each line in the
tracert output indicates one hop on the path between your local computer
and the destination.
The second column of each row in Figure 11.5 indicates the round-trip
response time for a single ping to get to that router and back. As you can see
in the example mentioned earlier, this ping is sent three times to each router
so there are three columns depicting millisecond response time.
FIGURE 11.5 Utilizing the tracert Command.
HEAD OF THE CLASS…
Understanding ICMP
The ICMP is documented in RFC 792, which
you can read online at www.freesoft.org/CIE/RFC/792/index.htm.
ICMP is part of the TCP/IP protocol
suite that operates at the network layer. ICMP
messages are primarily used to send messages related
to network troubleshooting, so an understanding of
ICMP is a critical part of the network troubleshooting
process. Some of ICMP’s main functions are as
follows:
■ Reporting network connectivity issues: For
instance, if a particular computer or a larger
portion of a network becomes unavailable or
unreachable. Whenever a computer or router
forwards an IP datagram to a remote host, the
forwarding device will decrement the TTL field
of an IP header by one. If this TTL ever reaches
0, ICMP will create a “time to live exceeded in
transit” message and send it back to the host
that initiated the message.
■ Inform users of network congestion: If a router
is receiving too many packets to process efficiently,
it will create an ICMP Source Quench
message and forward this message to the host
that is sending the large number of packets.
This message will cause the source machine to
slow down how quickly it is sending packets to
allow the router to “catch up”.
■ Provide Information for Network Troubleshooting:
Most common network utilities use ICMP to
communicate, including ping, tracert, and traceroute.
These utilities will look for ICMP “time
to live exceeded in transit” messages, as well as
“destination unreachable” messages, to determine
whether a particular host or group of hosts
is reachable.
There are also command line switches that you can use to customize the
tracert output:
■ tracert -d will instruct tracert not to resolve IP addresses to
hostnames (this will increase the speed of the tracert).
■ tracert -h maximum_hops will indicate the maximum number of
hops that tracert will use to search for a target. If tracert reaches
this maximum number and hasn’t reached the target yet, it will
quit. The default value is 30 hops.
■ tracert -w timeout indicates the amount of time each ping will wait
for each reply in milliseconds. The default value is 1000 ms.
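How the TTL mechanism produces the hop-by-hop tracert listing, as an added example that is not from the book: an offline simulation in which every router decrements the TTL and the router where it reaches 0 answers with "time to live exceeded in transit". The path tuples, addresses and function names are constructed for illustration; max_hops plays the role of the -h switch.

```python
def send_probe(path, target, ttl):
    """Carry one echo request down `path`; each router decrements the TTL."""
    for address, answers, link_up in path:
        ttl -= 1
        if ttl == 0:                       # TTL expired at this router
            return ("time-exceeded", address) if answers else ("timeout", None)
        if not link_up:                    # lost on the link to the next hop
            return ("timeout", None)
    return ("echo-reply", target)          # survived every router

def tracert(path, target, max_hops=30, probes=3):
    """Return [(hop number, responding address or '*')], like tracert -d."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, target, ttl) for _ in range(probes)]
        address = next((addr for _, addr in replies if addr), "*")
        rows.append((ttl, address))
        if any(kind == "echo-reply" for kind, _ in replies):
            break                          # destination answered: trace done
    return rows

# Constructed sample paths: (router address, sends ICMP errors, link to next hop up)
TARGET = "203.0.113.80"
HEALTHY = [("192.168.1.1", True, True), ("10.10.0.1", True, True),
           ("198.51.100.9", True, True)]
SILENT_HOP = [("192.168.1.1", True, True), ("10.10.0.1", False, True),
              ("198.51.100.9", True, True)]
BROKEN_LINK = [("192.168.1.1", True, True), ("10.10.0.1", True, False),
               ("198.51.100.9", True, True)]

if __name__ == "__main__":
    for name, path in [("healthy", HEALTHY), ("silent hop", SILENT_HOP),
                       ("broken link", BROKEN_LINK)]:
        print(name, tracert(path, TARGET, max_hops=6))
```

A single "*" followed by later answers is a router that does not send ICMP errors, while a run of "*" up to the hop limit places the failure just past the last address that answered.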
Utilizing the pathping Command
The pathping utility is an updated and expanded version of ping. The pathping
utility will send ICMP echo request messages to each router along the path
to the destination host and will calculate how long it takes each router to
reply. The pathping tool combines the capabilities of both tracert and ping,
and gives you additional information that you can’t get easily from using
either tool individually. Pathping will calculate the following information
each time it runs:
■ The amount of time it takes the ping packet to get to the
destination host and back, called the round-trip.
■ The amount of time it takes to ping each individual router.
■ The percent of ping requests that are lost at each router.
■ The percent of ping requests lost between the routers.
Pathping provides some interesting statistics for network
troubleshooting because it gives you information regarding where packet loss is taking
place, which can indicate that a particular router may be overloaded or
malfunctioning. You can see an illustration of this in Figure 11.6.
Exam Warning
Do not get confused between tracert and traceroute; they are essentially the same tool
with different names. Tracert is used on Microsoft Windows systems and traceroute is
used on other systems such as Cisco’s Internetwork Operating System (IOS) as well as
UNIX and Linux.
One thing to be aware of before running pathping on a Windows
Vista machine is that you will need to launch the command window as
administrator for the command to execute properly. Once you run the
command, you should notice that pathping first runs a tracert to the remote
host and identifies all of the routers along the path to the destination, and
shows you a list of those routers in the first section of the output. Then,
pathping provides statistics about each router and each link between the
routers. For example, when you enter the command pathping
www.microsoft.com, you’ll see the output shown in Figure 11.7.
FIGURE 11.6 Following a Packet Through a Large Network.
From this information, you can assess whether an individual router is
being overworked, or whether there is congestion on a link between routers.
The last two columns of the pathping output provide the most useful
information when you’re troubleshooting routers and the links between them.
Notice in the last column you can see the name of the router, the IP address,
and a percentage listed to the left of the router. If this percentage is a high
number, it means that a large number of ping packets are being lost when
they’re sent to that router. This is an indication that the router itself may
be overloaded.
FIGURE 11.7 Utilizing the pathping Command.
