Network+ 2005 In Depth (P20) ppsx

Identify the Results and Effects of the Solution
Upon testing your solution, you should be able to determine how and why the solution was
successful and what effects it had on users and functionality. For example, suppose you identified
a symptom of excessively slow performance when saving and retrieving files to and from
a server on your LAN. You determined that all users were affected by the problem and that it
had worsened steadily in the past month. Your proposed solution was to replace the server
with one that contained a faster processor, more memory, greater hard disk capacity, and dual
NICs. You implemented the solution and then tested its outcome to make sure all users could
save and retrieve files to and from the new server. If all went well, the effect of the solution
might be an 80% increase in performance between clients and the server.
Most importantly, you want to avoid creating unintended, negative consequences as a result of
your solution. For example, in the process of diagnosing a problem with a user’s access to a
mail directory, you might have reconfigured his mail settings to log on with your own user name
to rule out the possibility of a physical connectivity error. After discovering that the problem
was actually due to an IP addressing conflict, you might fix the IP addressing problem but forget
that you changed the user’s e-mail configuration. Having the user test your solution would
reveal this oversight—and prevent you from having to return to the workstation to solve another
problem.
After you have implemented and tested your solution and identified its results and effects, communicate
your solution to your colleagues, thus adding to the store of knowledge about your
network. The next section discusses how best to document your troubleshooting efforts and
notify others of changes you’ve made.
Document the Solution and Process
Whether you are a one-person network support team or one of 100 network technicians at your
organization, you should always record the symptoms and cause (or causes) of a problem and
your solution. Given the volume of problems you and other analysts will troubleshoot, it will
be impossible to remember the circumstances of each incident. In addition, networking personnel
frequently change jobs, and everyone appreciates clear, thorough documentation. An
effective way to document problems and solutions is in a centrally located database to which
all networking personnel have online access.
Staff Involved in Troubleshooting


Many staff members may contribute to troubleshooting a network problem. Often the division
of duties is formalized, with a help desk acting as the first, single point of contact for users to
call in regarding errors. A help desk is typically staffed with help desk analysts—people proficient
in basic (but not usually advanced) workstation and network troubleshooting. Larger organizations
may group their help desk analysts into teams based on their expertise. For example,
a company that provides users with word-processing, spreadsheet, project planning, scheduling,
and graphics software might assign different technical support personnel at the help desk
to answer questions pertaining to each application.
542 Chapter 12
TROUBLESHOOTING NETWORK PROBLEMS
NET+
4.9
The help desk analysts are often considered first-level support, because they provide the first
level of troubleshooting. When a user calls with a problem, a help desk analyst typically creates
a record for the incident and attempts to diagnose the problem. The help desk analyst may
be able to solve a common problem over the phone within minutes by explaining something
to the user. On other occasions, the problem may be rare or complex. In such cases, the first-level
support analyst will refer the problem to a second-level support analyst. A second-level
support analyst is someone who has specialized knowledge in one or more aspects of a network.
For example, if a user complains that she can’t connect to a server, and the first-level support
person narrows down the problem to a failed file server, that first-level support analyst would
then refer the problem to the second-level support person.
In addition to having first- and second-level support analysts, most help desks include a help
desk coordinator. The help desk coordinator ensures that analysts are divided into the correct
teams, schedules shifts at the help desk, and maintains the infrastructure to enable analysts to
better perform their jobs. They may also serve as third-level support personnel, taking responsibility
for troubleshooting a problem when the second-level support analyst is unable to solve it.
Record Problems and Resolutions
For documenting problems, some organizations use a software program known as a call tracking
system (also informally known as help desk software). Such programs provide user-friendly
graphical interfaces that prompt the user for every piece of information associated with the
problem. They assign unique identifying numbers to each problem, in addition to identifying
the caller, the nature of the problem, the time necessary to resolve it, and the nature of the
resolution.
Most call tracking systems are highly customizable, so you can tailor the form fields to your
particular computing environment. For example, if you work for an oil refinery, you might add
fields for identifying problems with the plant’s flow-control software. In addition, most call
tracking systems allow you to enter free-form text explanations of problems and solutions. Some
also offer Web-based interfaces.
If your organization does not have a call tracking system, you should at least keep records in a
simple electronic form. You can find an example of a network problem record in Appendix D.
A typical problem record form should include at least the following fields:
◆ The name, department, and phone number of the problem originator (the person
who first noticed the problem)
◆ Information regarding whether the problem is software- or hardware-related
◆ If the problem is software-related, the package to which it pertains; if the problem is
hardware-related, the device or component to which it pertains
◆ Symptoms of the problem, including when it was first noticed
◆ The name and telephone number of the network support contact
◆ The amount of time spent troubleshooting the problem
◆ The resolution of the problem
Chapter 12 543
TROUBLESHOOTING METHODOLOGY
As discussed earlier in this chapter, many organizations operate a help desk staffed with personnel
who have only basic troubleshooting expertise and who record problems called in by
users. To effectively field network questions, an organization’s help desk staff must maintain
current and accurate records for network support personnel. Your department should take
responsibility for managing a supported services list that help desk personnel can use as a reference.
A supported services list is a document (preferably online) that lists every service and
software package supported within an organization, plus the names of first- and second-level
support contacts for those services or software packages. Anything else you or your department
can do to increase communication and availability of support information will expedite
troubleshooting.
In addition to communicating problems and solutions to your peers whenever you work on a
network problem, you should follow up with the user who reported the problem. Make sure
that the client understands how or why the problem occurred, what you did to resolve the problem,
and whom to contact should the problem recur. This type of education helps your clients
make better decisions about the type of support or training they need, and also improves their
understanding of and respect for your department.
Notify Others of Changes
After solving a particularly thorny network problem, you should record its resolution in your
call tracking system, and also notify others of your solution and what, if anything, you needed
to change to fix the problem. This communication serves two purposes: (1) It alerts others about
the problem and its solution, and (2) it notifies others of network changes you made, in case
they affect other services.
The importance of recording changes cannot be overemphasized. Imagine that you are the network
manager for a group of five network technicians who support a WAN consisting of three
different offices and 150 users. One day, the company’s CEO travels from headquarters to a
branch office for a meeting with an important client. At the branch office, she needs to print a
financial statement, but encounters a printing problem. Your network technician discovers
that her user account does not have rights to that office’s printer, because users on your WAN
do not have rights to printers outside the office to which they belong. The network technician
quickly takes care of the problem by granting all users rights to all printers across the WAN.
What are the implications of this change? If your technician tells no one about this change, at
best users may incorrectly print to a printer in Duluth from the St. Paul office. In a worst-case
scenario, a “guest” user account may gain rights to a networked printer, potentially creating a
security hole in your network.
Large organizations often implement change management systems to methodically track
changes on the network. A change management system is a process or program that provides
support personnel with a centralized means of documenting changes to the network. In smaller
organizations, a change management system may be as simple as one document on the network
to which networking personnel continually add entries to mark their changes. In larger
organizations, the system may consist of a database package complete with graphical interfaces
and customizable fields tailored to the computing environment. Whatever form your change
management system takes, the most important element is participation. If networking personnel
do not record their changes, even the most sophisticated software is useless.
The types of changes that network personnel should record in a change management system
include the following:
◆ Adding or upgrading software on network servers or other devices
◆ Adding or upgrading hardware components on network servers or other devices
◆ Adding new hardware on the network (for example, a new server)
◆ Changing the network properties of a network device (for example, changing the IP
address or host name of a server)
◆ Increasing or decreasing rights for a group of users
◆ Physically moving networked devices
◆ Moving user accounts and their files and directories from one server to another
◆ Making changes in processes (for example, a new backup schedule or a new contact
for DNS support)
◆ Making changes in vendor policies or relationships (for example, a new hard disk
supplier)
It is generally not necessary to record minor modifications, such as changing a user’s password,
creating a new group for users, creating new directories, or changing a network drive mapping
for a user. Each organization will have unique requirements for its change management system,
and analysts who record change information should clearly understand these requirements.
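The printer scenario above can be checked mechanically by comparing rights snapshots with the change log. The following Python example is added here and is not from the book or from any change management product; the group names, account names, printer names, and record fields are all constructed for illustration. It reports rights increases that nobody recorded and any watched account (here "guest") that gained access as a side effect.

```python
def new_grants(before, after):
    """(resource, principal) pairs present in `after` but not in `before`."""
    return {(res, who)
            for res, principals in after.items()
            for who in principals - before.get(res, set())}


def effective_accounts(acl, groups):
    """Expand group principals into the accounts that actually hold the right."""
    pairs = set()
    for res, principals in acl.items():
        for who in principals:
            for account in groups.get(who, {who}):  # a bare account expands to itself
                pairs.add((res, account))
    return pairs


def review_rights_change(before, after, groups, change_log, watch=("guest",)):
    """Compare two rights snapshots against the change log.

    Returns (unrecorded, exposed):
      unrecorded: new grants with no matching 'rights-increase' change entry
      exposed:    watched accounts that gained access through any new grant
    """
    recorded = {(c["resource"], c["principal"])
                for c in change_log if c["type"] == "rights-increase"}
    unrecorded = sorted(new_grants(before, after) - recorded)
    gained = effective_accounts(after, groups) - effective_accounts(before, groups)
    exposed = sorted(pair for pair in gained if pair[1] in watch)
    return unrecorded, exposed


# Constructed sample data, loosely modelled on the printer scenario in the text.
GROUPS = {
    "duluth-users": {"ajones", "bsmith"},
    "stpaul-users": {"ceo", "cdavis"},
    "all-users": {"ajones", "bsmith", "ceo", "cdavis", "guest"},
}
BEFORE = {"printer-duluth": {"duluth-users"}, "printer-stpaul": {"stpaul-users"}}
AFTER = {
    "printer-duluth": {"duluth-users", "all-users"},
    "printer-stpaul": {"stpaul-users", "all-users"},
}
CHANGE_LOG = [  # only one of the two rights increases was written down
    {"type": "rights-increase", "resource": "printer-duluth", "principal": "all-users"},
]

if __name__ == "__main__":
    unrecorded, exposed = review_rights_change(BEFORE, AFTER, GROUPS, CHANGE_LOG)
    print("Unrecorded rights increases:", unrecorded)
    print("Watched accounts that gained access:", exposed)
```

Note that the recorded change on printer-duluth still exposes the guest account, so recording a change and reviewing its effect are separate checks.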

Help to Prevent Future Problems
If you review the troubleshooting questions and examples in this chapter, you can predict how
some network problems can be averted by network maintenance, documentation, security, or
upgrades. Although not all network problems are preventable, many can be avoided. Just as
with your body’s health, the best prescription for network health is prevention.
For example, to avoid problems with users’ access levels for network resources, you can comprehensively
assess users’ needs, set policies for groups, use a variety of groups, and communicate
to others who support the network why those groups exist. To prevent overusing network
segments, you should perform regular network health checks—perhaps even continual network
monitoring (discussed in the next section), with filters that isolate anomalous occurrences—
and ensure that you have the means to either redesign the network to distribute traffic or purchase
additional bandwidth well before utilization reaches critical levels. With experience, you
will be able to add more suggestions for network problem prevention. When planning or
upgrading a network, you should consciously think about how good network designs and policies
can prevent later problems—not to mention, make your job easier and more fun.
Troubleshooting Tools
You have already learned about some utilities that can help you troubleshoot network problems.
For example, you can learn many things about a user’s workstation connection by attempting
to ping different hosts on the network from that workstation. However, in some cases, the
most efficient troubleshooting approach is to use a tool specifically designed to analyze and isolate
network problems. Several tools are available, ranging from simple continuity testers that
indicate whether a cable is faulty, to sophisticated protocol analyzers that capture and interpret
all types of data traveling over the network. The tool you choose depends on the particular
problem you need to investigate and the characteristics of your network.
The following sections describe a variety of network troubleshooting tools, their functions,
and their relative costs.

Crossover Cable
As you have learned, in a crossover cable the transmit and receive wire pairs in one of the connectors
are reversed. This reversal enables you to use a crossover cable to directly interconnect
two nodes without using an intervening connectivity device. A crossover cable is useful for
quickly and easily verifying that a node’s NIC is transmitting and receiving signals properly.
For example, suppose you are a network technician on your way to fix urgent network problems.
A user flags you down and says that over the last week he occasionally had problems
connecting to the network and as of this morning, he hasn’t been able to connect at all. He’s
very frustrated, so you kindly say that if you can help him in 10 minutes, you will; otherwise,
he’ll have to call the help desk. You follow him to his workstation and, by asking around, you
determine that he is the only one suffering this problem. Thus, you can probably narrow the
problem down to his workstation (either hardware or software) or his cabling (or less likely, his
port on the hub in the telecommunications closet). Because you have your laptop and troubleshooting
gear in your bag, you quickly connect one plug of the crossover cable to his workstation’s
network adapter and the other plug to your laptop’s network adapter. You then try
logging on to your laptop from his workstation. Because this process is successful, you suggest
that the problem lies with his network cable, and not with his workstation’s software or hardware.
You quickly hand him a new patch cable to replace his old one and rush off to your original
destination.
Tone Generator and Tone Locator
Ideally, you and your networking colleagues would label each port and wire termination in a
telecommunications closet so that problems and changes can be easily managed. However,
because of personnel changes and time constraints, a telecommunications closet often is disorganized
and poorly documented. If this is the case where you work, you may need a tone generator
and a tone locator to determine where one pair of wires (out of possibly hundreds)
terminates.
NET+
3.3

4.8
A tone generator is a small electronic device that issues a signal on a wire pair. A tone locator
is a device that emits a tone when it detects electrical activity on a wire pair. By placing the
tone generator at one end of a wire and attaching a tone locator to the other end, you can verify
the location of the wire’s termination. Figure 12-4 depicts the use of a tone generator and
a tone locator. Of course, you must work by trial and error, guessing which termination corresponds
to the wire over which you’ve generated a signal until the tone locator indicates the
correct choice. This combination of devices is also known as a fox and hound, because the locator
(the hound) chases the generator (the fox).
Chapter 12 547
TROUBLESHOOTING TOOLS
FIGURE 12-4 Use of a tone generator and tone locator
Tone generators and tone locators cannot be used to determine any characteristics about a cable,
such as whether it has defects or whether its length exceeds IEEE standards for a certain type
of network. They are only used to determine where a wire pair terminates.
CAUTION: A tone generator should never be used on a wire that’s connected to a device’s port
or network adapter. Because a tone generator transmits electricity over the wire, it
may damage the device or network adapter.
Multimeter
Cable testing tools are essential for both cable installers and network troubleshooters, as faulty
cables are often the cause of network problems. Symptoms of cabling problems can be as elusive as
occasional lost packets or as obvious as a break in network connectivity. You can easily test
cables for faults with specialized tools. In this section and in the ones following, you will learn
about different tools that can help isolate problems with network cables. The first device you
will learn about is a multimeter, a simple instrument that can measure many characteristics of
an electric circuit, including its resistance and voltage.

If you have taken an introductory electronics class, you are probably familiar with a voltmeter,
the instrument that measures the pressure, or voltage, of an electric current. Recall that voltage
is used to create signals over a network wire. Thus, every time data travels over a wire, the
wire carries a small voltage. In addition, each wire has a certain amount of resistance, or opposition
to electric current. Resistance is a fundamental property of wire that depends on a wire’s
molecular structure and size. Every type of wire has different resistance characteristics. Resistance
is measured in ohms, and the device used to measure resistance is called an ohmmeter.
Another characteristic of electrical circuits is impedance—the resistance that contributes to
controlling the signal. Impedance is also measured in ohms. Impedance is the telltale factor for
ascertaining where faults in a cable lie. A certain amount of impedance is required for a signal
to be properly transmitted and interpreted. However, very high or low levels of impedance can
signify a damaged wire, incorrect pairing, or a termination point. In other words, changes in
impedance can indicate where current is stopped or inhibited.
Although you could use separate instruments for measuring impedance, resistance, and voltage
on a wire, it is more convenient to have one instrument that accomplishes all of these functions.
The multimeter is such an instrument. Figure 12-5 shows a multimeter.
FIGURE 12-5 A multimeter
As a network professional, you might use a multimeter to:
◆ Verify that a cable is properly conducting electricity—that is, whether its signal can
travel unimpeded from one node on the network to another
◆ Check for the presence of noise on a wire (by detecting extraneous voltage)
◆ Verify that the amount of resistance presented by terminators on coaxial cable networks
is appropriate, or whether terminators are actually present and functional
◆ Test for short or open circuits in the wire (by detecting unexpected resistance or loss
of voltage)

Multimeters vary in their degree of sophistication and features. Some merely show voltage levels,
for example, whereas others can measure the level of noise on a circuit at any moment with
extreme precision. Costs for multimeters also vary; some, such as those available at any home
electronics store, cost as little as $30, while others cost as much as $4000. Multimeters capable
of the greatest accuracy are most useful to electronics engineers. As a network technician,
you won’t often need to know the upper limit of noise on a cable within a small fraction of a
decibel, for example. However, you do need to know how to check whether a cable is con-
ducting current. Another instrument that can perform such a test is a continuity tester, which
is discussed next.
Cable Continuity Testers
In troubleshooting a Physical layer problem, you may find the cause of a problem by simply
testing whether your cable is carrying a signal to its destination. Tools used to make this determination
are said to be testing the continuity of the cable and may be called cable checkers or
continuity testers. They may also be called cable testers. The term cable tester, however, is a
general term that also includes more sophisticated tools that can measure cable performance,
as discussed in the following section.
When used on a copper-based cable, a continuity tester applies a small amount of voltage to
each conductor at one end of the cable, and then checks whether that voltage is detectable at
the other end. That means that a continuity tester consists of two parts: the base unit that
generates the voltage and the remote unit that detects the voltage. Most cable checkers provide
a series of lights that signal pass/fail. Some also indicate a cable pass/fail with an audible
tone. A pass/fail test provides a simple indicator of whether a component can perform its stated
function.
In addition to checking cable continuity, some continuity testers will verify that the wires in a
UTP or STP cable are paired correctly and that they are not shorted, exposed, or crossed. Recall
that different network models use specific wire pairings and follow cabling standards set forth
in TIA/EIA 568. Make sure that the cable checker you purchase can test the type of network
you use—for example, 10BASE-T, 100BASE-TX, or 1000BASE-T Ethernet.
Continuity testers for fiber-optic networks also exist. Rather than issuing voltage on a wire,
however, these testers issue light pulses on the fiber and determine whether they reached the
other end of the fiber. Some continuity testers offer the ability to test both copper and fiber-optic
cable.
Figure 12-6 depicts a basic continuity tester and a more sophisticated continuity tester.
FIGURE 12-6 Cable continuity testers
Whether you make your own cables or purchase cabling from a reputable vendor, test the cable
to ensure that it meets your network’s required standards. Just because a cable is labeled “CAT
6,” for example, does not necessarily mean that it will live up to that standard. Testing cabling
before installing it may save many hours of troubleshooting after the network is in place.
For convenience, most continuity testers are portable and lightweight, and typically use one 9-volt
battery. A simple continuity tester can cost between $100 and $300, and it may save many
hours of work. Popular manufacturers of these cable testing devices include Belkin, Fluke,
Microtest, and Paladin.
CAUTION: Do not use a continuity tester on a live network cable. Disconnect the cable from the
network, and then test its continuity.
Cable Performance Testers
If you need to know more than whether a cable is simply carrying current, you can use a cable
performance tester. The difference between continuity testers and performance testers lies in
their sophistication and price. A performance tester accomplishes the same continuity and fault
tests as a continuity tester, but can also perform the following tasks:

◆ Measure the distance to a connectivity device, termination point, or cable fault
◆ Measure attenuation along a cable
◆ Measure near-end crosstalk between wires
◆ Measure termination resistance and impedance
◆ Issue pass/fail ratings for CAT 3, CAT 5, CAT 5e, CAT 6, or CAT 7 standards
◆ Store and print cable testing results or directly save data to a computer database
◆ Graphically depict a cable’s attenuation and crosstalk characteristics over the length
of the cable
A sophisticated performance tester will include a TDR (time domain reflectometer). A TDR
issues a signal on a cable and then measures the way the signal bounces back (or reflects) to the
TDR. Connectors, crimps, bends, short circuits, cable mismatches, or other defects modify the
signal’s amplitude before it returns to the TDR, thus changing the way it reflects. The TDR
then accepts and analyzes the return signal, and based on its condition and the amount of time
the signal took to return, determines cable imperfections. In the case of a coaxial cable network,
a TDR can indicate whether terminators are properly installed and functional. A TDR can also
indicate the distance between nodes and segments.
In addition to performance testers for coaxial and twisted-pair networks, you can also find
performance testers for fiber-optic networks. Such performance testers use OTDRs (optical time
domain reflectometers). Rather than issue an electrical signal over the cable as twisted-pair
cable testers do, an OTDR transmits light-based signals of different wavelengths over the fiber.
Based on the type of return light signal, the OTDR can accurately measure the length of the
fiber, determine the location of faulty splices, breaks, connectors, or bends, and measure
attenuation over the cable.
Because of their sophistication, performance testers for both copper and fiber-optic cables cost
significantly more than continuity testers. A high-end unit may cost from $5000 to $8000, and
a low-end unit may cost between $1000 and $4000. Popular performance tester manufacturers
include Fluke and Microtest. Figure 12-7 shows an example of a high-end performance tester
that is capable of measuring the characteristics of both copper and fiber-optic cables.
FIGURE 12-7 A performance tester
Network Monitors
A network monitor is a software-based tool that continually monitors network traffic from a
server or workstation attached to the network. Network monitors typically can interpret up to
Layer 3 of the OSI Model. They can determine the protocols passed by each frame, but can’t
interpret the data inside the frame. By capturing data, they can provide either a snapshot of
network activity at one point in time or a historical record of network activity over a period of
time.
Some NOSs come with network monitoring tools. Microsoft Network Monitor is the tool that
ships with Windows Server 2003 as well as with Windows NT and Windows 2000 Server.
Novell NETMON, an NLM (NetWare Loadable Module), comes with NetWare 5.x and 6.x.
In addition, you can purchase or download for free network monitoring tools written by other
software companies. Hundreds of such programs exist. After you have worked with one network
monitoring tool, you will find that other products work in much the same way. Most
even use very similar graphical interfaces.
NOTE: To take advantage of network monitoring and analyzing tools, the network adapter
installed in the machine running the software must support promiscuous mode. In
promiscuous mode, a device driver directs the NIC to pick up all frames that pass
over the network—not just those destined for the node served by the card. You can
determine whether your network adapter supports promiscuous mode by reading its
manual or checking with the manufacturer. Some network monitoring software vendors
may even suggest which network adapters to use with their software.
Network monitoring tools can perform at least the following functions:
◆ Continuously monitor network traffic on a segment
◆ Capture network data transmitted on a segment
◆ Capture frames sent to or from a specific node
◆ Reproduce network conditions by transmitting a selected amount and type of data
◆ Generate statistics about network activity (for example, what percentage of the total
frames transmitted on a segment are broadcast frames)
Some network monitoring tools can also:
◆ Discover all network nodes on a segment
◆ Establish a baseline, or a record of how the network operates under normal conditions,
including its performance, collision rate, utilization rate, and so on
NET+
4.2
4.8
◆ Store traffic data and generate reports
◆ Trigger alarms when traffic conditions meet preconfigured conditions (for example,
if usage exceeds 50% of capacity)
How can capturing data help you solve a problem? Imagine that traffic on a segment of the
network you administer suddenly grinds to a halt one morning at about 8:00. You no sooner
step in the door than everyone from the help desk calls to tell you how slowly the network is
running. Nothing has changed on the network since last night, when it ran normally, so you
can think of no obvious reasons for problems.
At the workstation where you have previously installed a network monitoring tool, you capture
all data transmissions for approximately five minutes. You then sort the frames in the network
monitoring software, arranging the nodes in order based on the volume of traffic each
has generated. You might find that one workstation appears at the top of the list with an inordinately
high number of bad transmissions. Or, you might discover that a server has been compromised
by a hacker and is generating a flood of data over the network.
Before adopting a network monitor or protocol analyzer, you should be aware of some of the
data errors that these tools can distinguish. The following list defines some commonly used
terms for abnormal data patterns and packets, along with their characteristics:
◆ Local collisions—Collisions that occur when two or more stations are transmitting
simultaneously. A small number of collisions are normal on an Ethernet network.
Excessively high collision rates within the network usually result from cable or routing
problems.
◆ Late collisions—Collisions that take place outside the window of time in which
they would normally be detected by the network and redressed. Late collisions are
usually caused by one of two problems: (1) a defective station (for example, a card or
transceiver) that is transmitting without first verifying line status, or (2) failure to
observe the configuration guidelines for cable length, which results in collisions
being recognized too late.
◆ Runts—Packets that are smaller than the medium’s minimum packet size. For
instance, any Ethernet packet that is smaller than 64 bytes is considered a runt.
Runts are often the result of collisions.
◆ Giants—Packets that exceed the medium’s maximum packet size. For example, an
Ethernet packet larger than 1518 bytes is considered a giant.
◆ Jabber—A device that handles electrical signals improperly, usually affecting the rest
of the network. A network analyzer will detect a jabber as a device that is always
retransmitting, effectively bringing the network to a halt. A jabber usually results
from a bad NIC. Occasionally, it can be caused by outside electrical interference.
◆ Negative frame sequence checks—The result of the CRC (Cyclic Redundancy
Check) generated by the originating node not matching the checksum calculated
from the data received. It usually indicates noise or transmission problems on the
LAN interface or cabling. A high number of negative CRCs usually result from
excessive collisions or a station transmitting bad data.
◆ Ghosts—Frames that are not actually data frames, but aberrations caused by a
device misinterpreting stray voltage on the wire. Unlike true data frames, ghosts
have no starting delimiter.
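The size and checksum tests from the list above, as an added Python example (not from the book): it classifies raw Ethernet frames as runts, giants, or frame check sequence failures and tallies them per source MAC. The MAC addresses and frame contents are constructed sample data, the function names are this example's own, and it assumes each frame is supplied with its 4-byte FCS still attached.

```python
import struct
import zlib
from collections import Counter, defaultdict

MIN_FRAME = 64      # smallest legal Ethernet frame, destination MAC through FCS
MAX_FRAME = 1518    # largest legal untagged Ethernet frame

def fcs(data: bytes) -> bytes:
    """CRC-32 of the frame contents, in the byte order Ethernet puts on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst, src, ethertype, payload, pad=True) -> bytes:
    """Build a constructed sample frame; pad=False produces an undersized one."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    if pad and len(body) < MIN_FRAME - 4:
        body += bytes(MIN_FRAME - 4 - len(body))
    return body + fcs(body)

def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate line noise by inverting one bit of one byte."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)

def classify(frame: bytes) -> list:
    """Return the abnormal conditions a frame shows; an empty list means none."""
    problems = []
    if len(frame) < MIN_FRAME:
        problems.append("runt")
    elif len(frame) > MAX_FRAME:
        problems.append("giant")
    # Recompute the CRC over everything except the trailing FCS and compare.
    if len(frame) < 4 or fcs(frame[:-4]) != frame[-4:]:
        problems.append("bad_fcs")
    return problems

def survey(frames) -> dict:
    """Tally problems per source MAC so a single misbehaving station stands out."""
    tally = defaultdict(Counter)
    for frame in frames:
        if len(frame) >= 12:
            src = ":".join(f"{b:02x}" for b in frame[6:12])
        else:
            src = "unknown"
        tally[src].update(classify(frame))
    return {src: dict(counts) for src, counts in tally.items()}

# Constructed sample capture (not real traffic).
SERVER = "00:11:22:33:44:55"
WS_A = "00:aa:bb:cc:dd:01"
WS_B = "00:aa:bb:cc:dd:02"

SAMPLE_FRAMES = [
    build_frame(SERVER, WS_A, 0x0800, b"normal traffic"),            # padded to 64 bytes
    build_frame(SERVER, WS_A, 0x0800, bytes(1600)),                  # 1618 bytes: giant
    build_frame(SERVER, WS_B, 0x0800, b"fragment", pad=False),       # 26 bytes: runt
    flip_bit(build_frame(SERVER, WS_B, 0x0800, b"fragment", pad=False), 16),  # damaged runt
    flip_bit(build_frame(SERVER, WS_B, 0x0806, b"arp"), 20),         # full size, damaged
]

if __name__ == "__main__":
    for station, problems in survey(SAMPLE_FRAMES).items():
        print(station, problems)
```

On a live capture taken through an ordinary NIC driver, the FCS is often stripped and undersized frames are discarded before software sees them, so these checks apply to captures that preserve both.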
Protocol Analyzers
A protocol analyzer (or network analyzer) is another tool that can capture traffic. But a pro-
tocol analyzer can also analyze frames, typically all the way to Layer 7 of the OSI Model. For
example, it can identify that a frame uses TCP/IP and, more specifically, that it is an ARP
request from one particular workstation to a server. Analyzers can also interpret the payload
portion of frames, translating from binary or hexadecimal code to human-readable form. As a
result, network analyzers can capture passwords going over the network, if their transmission
is not encrypted. Some protocol analyzer software packages can run on a standard PC, but
others require PCs equipped with special network adapters and operating system software.
As with network monitoring software, a variety of protocol analyzer software is available. One
popular example is the free program called Ethereal. Essentially, a protocol analyzer performs
the same functions as the network monitor software discussed previously, plus a few extras. It
can also generate traffic in an attempt to reproduce a network problem and monitor multiple
network segments simultaneously. Its graphical interface makes this product very easy to use,
readily revealing the traffic flow across the network. In addition, protocol analyzer software typ-
ically supports a multitude of protocols and network topologies.
Some protocol analyzers are not merely software tools, but hardware tools as well. Sniffer Tech-
nologies has led the way in developing hardware-based protocol analyzers, under the Sniffer
brand name. (Following the popularity of the Sniffer Technologies product, some networking
professionals generically refer to any hardware-based protocol analyzer as a “sniffer.”)
Hardware-based protocol analyzers usually resemble regular laptops, but are equipped with a
special network adapter and network analysis software. The sole job of this device is to identify
and assess network problems. Unlike laptops that have a network monitoring tool installed,
hardware-based protocol analyzers typically cannot be used for other purposes, because they
don’t depend on a familiar desktop operating system such as Windows. They have their own
proprietary operating system. Because they do not rely on a desktop operating system such as
Windows, hardware-based network analyzers have an advantage over network monitoring soft-
ware. They do not rely on Windows device drivers (for the NIC), for example, so they can cap-
ture information that the NIC would automatically discard, such as runt packets. Figure 12-8
illustrates how Sniffer Portable software can display network data. In this case, the screen
depicts the distribution of traffic captured by protocol type.
Hardware-based protocol analyzers are tailored to a particular type of network. For example,
one may be able to analyze both Ethernet and Token Ring networks, but another may be
necessary to analyze fiber-optic networks. Still others are designed especially for analyzing
wireless network traffic. A hardware-based protocol analyzer represents a significant invest-
ment, with costs ranging from $10,000 to $30,000.
Protocol analyzers offer a great deal of versatility in the type and depth of information they
can reveal. The danger in using this type of tool is that it may collect more information than
you or the machine can reasonably process, thus rendering your exercise futile. To avoid this
problem, you should set filters on the data gathered. For example, if you suspect that a certain
workstation is causing a traffic problem, you should filter the data collection to accept only
frames to or from that workstation’s MAC address. If you suspect that you have a gateway-
related TCP/IP problem, you would set a filter to capture only TCP/IP frames and to ignore
other protocols from the gateway’s MAC address.
Before using a network monitor or protocol analyzer on a network, it’s important to know what
traffic on your network normally looks like. To obtain this information, you can run the
program and capture data for a period of time on a regular basis—for example, every weekday
between 8:00 A.M. and noon. You’ll generate a lot of data, but you’ll also learn a lot about your
network. From this data, you can establish a baseline to use as a comparison with future
traffic analyses.
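The filtering and baselining steps described above, as an added Python example (not from the book): it keeps only frames to or from one station's MAC address, tallies them by protocol, and reports protocols that are new or well above the stored baseline. The MAC addresses, frame counts, baseline figures and the 2x threshold are constructed assumptions, and the function names are this example's own.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8137: "IPX"}

def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def header(frame: bytes):
    """Return (destination, source, protocol name) from the 14-byte Ethernet header."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ETHERTYPES.get(ethertype, hex(ethertype))

def capture_filter(frames, station=None, protocols=None) -> list:
    """Keep frames to or from `station` (a MAC string) whose protocol is in `protocols`."""
    wanted = mac_to_bytes(station) if station else None
    kept = []
    for frame in frames:
        if len(frame) < 14:
            continue                      # too short to carry a header
        dst, src, proto = header(frame)
        if wanted and wanted not in (dst, src):
            continue
        if protocols and proto not in protocols:
            continue
        kept.append(frame)
    return kept

def protocol_mix(frames) -> Counter:
    """Count frames per protocol, the figure a baseline is built from."""
    return Counter(header(frame)[2] for frame in frames)

def compare_to_baseline(baseline: dict, observed: dict, factor: float = 2.0) -> list:
    """List (protocol, baseline, observed) where traffic is new or above factor x baseline."""
    findings = []
    for proto in sorted(observed):
        normal = baseline.get(proto, 0)
        if normal == 0 or observed[proto] > factor * normal:
            findings.append((proto, normal, observed[proto]))
    return findings

# Constructed sample data (not real traffic).
def sample_frame(dst, src, ethertype) -> bytes:
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + bytes(46)

WORKSTATION = "00:aa:bb:cc:dd:01"
OTHER = "00:aa:bb:cc:dd:02"
GATEWAY = "00:11:22:33:44:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"

CAPTURE = (
    [sample_frame(GATEWAY, WORKSTATION, 0x0800)] * 300
    + [sample_frame(BROADCAST, WORKSTATION, 0x0806)] * 60
    + [sample_frame(BROADCAST, WORKSTATION, 0x8137)] * 8
    + [sample_frame(GATEWAY, OTHER, 0x0800)] * 50
)

# Assumed baseline: this workstation's usual frame counts for the same capture window.
BASELINE = {"IPv4": 400, "ARP": 10}

def investigate(station: str) -> list:
    mix = protocol_mix(capture_filter(CAPTURE, station=station))
    return compare_to_baseline(BASELINE, mix)

if __name__ == "__main__":
    for proto, normal, seen in investigate(WORKSTATION):
        print(f"{proto}: baseline {normal}, observed {seen}")
```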
FIGURE 12-8 Traffic displayed by protocol type
Wireless Network Testers
Cable continuity testers and performance testers, of course, will tell you nothing about the wire-
less connections, stations, or APs (access points) on a network. For that, you need tools that
contain wireless NICs and run wireless protocols. In fact, you can learn some things about a
wireless environment by viewing the wireless network connection properties on your worksta-
tion. For example, after establishing a wireless connection in Windows XP, right-click the wire-
less connection icon in your system tray, and then click Status in the shortcut menu. The
Wireless Network Connection Status dialog box opens. The General tab in this dialog box
shows you the duration of your connection, the speed and strength of your signal, and the num-
ber of packets that have been exchanged, as shown in Figure 12-9.
FIGURE 12-9 Wireless Network Connection Status dialog box
However, viewing the status of the wireless connection on your workstation tells you only
a little about your wireless environment—and this information only applies to one workstation.
Many programs exist that can scan for wireless signals over a certain geographical range
and discover all the APs and wireless stations transmitting in the area. This is useful for
determining whether an AP is functioning properly, whether it is positioned correctly so that all the
stations it serves are within its range, and whether stations and APs are communicating over
the proper channels within a frequency band. Some programs can also capture the data
transmitted between stations and APs. This information is useful for troubleshooting wireless
connection problems (for example, poor performance or intermittent faults) after you’ve verified
that connectivity is present. And some programs contain a spectrum analyzer, a tool that can
assess the quality of the wireless signal. Spectrum analysis is useful, for example, to ascertain
where noise (or interference) is greatest.
NOTE: Recall that using a switch logically separates a network into different segments. If a
network is fully switched (that is, if every node is connected to its own switch port),
your protocol analyzer can capture only frames destined for the port to which your
node is connected. The increasing use of switches has made network monitoring
more difficult, but not impossible. One solution to this problem is to reconfigure the
switch to reroute the traffic so that your network analyzer can pick up all traffic. Obviously,
you would want to weigh the disruptive effects of this reconfiguration against the
potential benefits from being able to analyze the network traffic and solve a problem.
Software that can perform wireless network assessment is often available for free and may be
provided by the AP’s manufacturer. Following is a list of specific capabilities common to wire-
less network testing tools:
◆ Identify transmitting APs and stations and the channels over which they are com-
municating
◆ Measure signal strength from and determine the range of an access point
◆ Indicate the effects of attenuation, signal loss, and noise
◆ Interpret signal strength information to rate potential AP locations (from “very
good” to “poor”)
◆ Ensure proper association and reassociation when moving between APs
◆ Capture and interpret traffic exchanged between wireless APs and stations
◆ Measure throughput and assess data transmission errors
◆ Analyze the characteristics of each channel within a frequency band to indicate the
clearest channels
Some companies have created testing instruments whose sole purpose is to assess the sta-
tus of wireless networks. These tools can perform the same detection, data capture, and
spectrum analysis functions as the software tools described previously. One advantage to
using such devices, however, is that they are typically more portable than a laptop or desk-
top workstation. Second, they come installed with all the wireless network analysis tools
you’ll need, and these are usually accessible from one simple, graphical interface. A third
advantage is that most wireless testing tools contain more powerful antennas than a work-
station NIC. A more powerful antenna could mean the difference between assessing the
wireless network for an entire building from your desk versus walking around to each floor
with your laptop. Figure 12-10 shows one example of such a wireless network testing tool.
NOTE: Wireless testing tools—both software- and hardware-based—are not only used for
troubleshooting, but are also critical for wireless site selection, or determining the
optimal placement for APs on a wireless LAN.
Chapter Summary
◆ The key to solving network problems is to approach them methodically and logi-
cally, using your experience to inform your decisions, and knowing when to ask for
someone else’s help.
◆ The first step in troubleshooting is identifying the symptoms and potential causes
for a problem. Symptoms may include error messages, the inability to perform cer-
tain functions on the network, or the inability to connect to a network. Record what
you learn about symptoms.
◆ Next identify the affected area. In general, a network problem may be limited to one
user; all users on a segment; all users on a network; certain types of users, departments,
or locations; or certain times of the day or week.
◆ At each point in the troubleshooting process, stop to consider what kind of changes
have occurred on the network that might have created a problem. Changes pertain-
ing to hardware may include the addition of a new device, the removal of an old
device, a component upgrade, a cabling upgrade, or an equipment move. Changes
pertaining to software may include an operating system upgrade, a device driver
upgrade, a new application, or a changed configuration.
FIGURE 12-10 Wireless network testing tool
◆ Based on an analysis of the symptoms and how changes might have affected the net-
work, select a probable cause for the problem. First ensure that the user is perform-
ing all functions correctly, then attempt to reproduce the problem’s symptoms, check
the physical connectivity of clients and devices involved in the problem, and deter-
mine whether software and hardware are configured correctly.
◆ After you have identified the probable cause, implement an action plan and your
solution, while considering the potential effects of the solution. Consider the num-
ber of users affected, costs, potential down time, and scalability of your solution.
Collect documentation about the hardware or software configuration you are work-
ing with and keep this handy while implementing your solution.
◆ After implementing your solution, test your result to ensure that you solved the
problem and haven’t created new problems. The type of testing you perform will
depend on your solution. Enlist the help of users to test the solution. If the solution
required significant network changes, revisit the solution a day or two after you
implement it to verify that it has truly worked and not caused additional problems.
◆ Next identify the effects and results of your solution. Verify that you have solved the
problem you set out to solve and that you have not created any new problems inadvertently
as a result.
◆ Finally, document the solution and the process of solving the problem. Some organi-
zations use a software program for documenting problems, known as a call tracking
system (or help desk software). These programs provide a user-friendly graphical
interface that prompts the user for every piece of information associated with the
problem.
◆ When troubleshooting, record the following details about a problem: the originator’s
name, department, and phone number; whether the problem is software- or hard-
ware-related; if the problem is software-related, the package to which it pertains; if
the problem is hardware-related, the device or component to which it pertains; the
symptoms of the problem, including when it was first noticed; the name and tele-
phone number of the network support contact; the amount of time spent trou-
bleshooting the problem; and the resolution of the problem.
◆ A tone generator and tone locator are used to identify the terminating location of a wire
pair. This combination of devices may also be known as a fox and hound.
◆ A multimeter is a simple device that can measure the voltage, resistance, impedance,
and other characteristics of an electrical circuit.
◆ Basic cable continuity testers determine whether your cabling can provide connectiv-
ity. In the case of copper-based cables, they apply a small voltage to each conductor
at one end of the cable, and then check whether that voltage is detectable at the
other end. They may also verify that voltage cannot be detected on other conductors
in the cable. A good cable checker will also verify that the wires are paired correctly
and that they are not shorted, exposed, or crossed.
◆ A cable performance tester accomplishes the same continuity and fault tests as a
continuity tester, but also ensures that the cable length is not too long, measures the
distance to a cable fault, measures attenuation along a cable, measures near-end
crosstalk between wires, measures termination resistance and impedance, issues
pass/fail ratings for CAT 3, CAT 5, CAT 6, and CAT 7 standards, and stores and
prints test results.
◆ A network monitor is a software-based tool that monitors network traffic from a
server or workstation attached to the network. Network monitors typically can inter-
pret up to Layer 3 of the OSI Model. They can determine the protocols passed by
each packet, but can’t interpret the data inside the packet.
◆ Network Monitor is the name of the network monitoring software that comes with
Windows Server 2003 (and earlier versions of the Windows NOS). NETMON is
the network monitoring NLM provided with the NetWare NOS. Many other types
of network monitoring software are available.
◆ Protocol analyzers can typically interpret data up to Layer 7 of the OSI Model.
They can also interpret the payload portion of packets, translating from binary or
hexadecimal code to human-readable form. Protocol analyzers may be software pro-
grams or devices dedicated to protocol analysis.
◆ Wireless network testing tools can be dedicated instruments or software that runs on
a workstation (usually a laptop). They can: discover wireless APs and stations, mea-
sure signal strength and interference, capture and interpret wireless data, measure
throughput and identify data errors, and ensure proper association and reassociation
between stations and APs.
Key Terms
baseline—A record of how a network operates under normal conditions (including its perfor-
mance, collision rate, utilization rate, and so on). Baselines are used for comparison when con-
ditions change.
cable checker—See continuity tester.
cable performance tester—A troubleshooting tool that tests cables for continuity, but can also
measure crosstalk, attenuation, and impedance; identify the location of faults; and store or
print cable testing results.
cable tester—A device that tests cables for one or more of the following conditions: continu-
ity, segment length, distance to a fault, attenuation along a cable, near-end crosstalk, and ter-
mination resistance and impedance. Cable testers may also issue pass/fail ratings for wiring
standards or store and print cable testing results.
call tracking system—A software program used to document technical problems and how they
were resolved (also known as help desk software).
change management system—A process or program that provides support personnel with a
centralized means of documenting changes made to the network.
continuity tester—An instrument that tests whether voltage (or light, in the case of fiber-optic
cable) issued at one end of a cable can be detected at the opposite end of the cable. A conti-
nuity tester can indicate whether the cable will successfully transmit a signal.
fox and hound—Another term for the combination of devices known as a tone generator and
a tone locator. The tone locator is considered the hound because it follows the tone generator
(the fox).
ghost—A frame that is not actually a data frame, but rather an aberration caused by a device
misinterpreting stray voltage on the wire. Unlike true data frames, ghosts have no starting
delimiter.
giant—A packet that exceeds the medium’s maximum packet size. For example, any Ethernet
packet that is larger than 1518 bytes is considered a giant.
jabber—A device that handles electrical signals improperly, usually affecting the rest of the net-
work. A network analyzer will detect a jabber as a device that is always retransmitting, effec-
tively bringing the network to a halt. A jabber usually results from a bad NIC. Occasionally, it
can be caused by outside electrical interference.
late collision—A collision that takes place outside the normal window in which collisions are
detected and redressed. Late collisions are usually caused by a defective station (such as a card
or transceiver) that is transmitting without first verifying line status or by failure to observe the
configuration guidelines for cable length, which results in collisions being recognized too late.
local collision—A collision that occurs when two or more stations are transmitting simulta-
neously. Excessively high collision rates within the network can usually be traced to cable or
routing problems.
multimeter—A simple instrument that can measure multiple characteristics of an electric cir-
cuit, including its resistance and voltage.
negative frame sequence check—The result of the CRC (cyclic redundancy check) generated
by the originating node not matching the checksum calculated from the data received. It usually
indicates noise or transmission problems on the LAN interface or cabling. A high number
of (nonmatching) CRCs usually results from excessive collisions or a station transmitting
bad data.
NETMON—Novell’s network monitoring NLM. NETMON is included in NetWare 5.x and
6.x.
network analyzer—See protocol analyzer.
network monitor—A software-based tool that monitors traffic on the network from a server
or workstation attached to the network. Network monitors typically can interpret up to Layer
3 of the OSI Model.
Network Monitor—A network monitoring program that comes with Windows Server 2003
(as well as with Windows NT and Windows 2000 Server).
ohmmeter—A device used to measure resistance in an electrical circuit.
optical time domain reflectometer—See OTDR.
OTDR (optical time domain reflectometer)—A performance testing device for use with
fiber-optic networks. An OTDR works by issuing a light-based signal on a fiber-optic cable
and measuring the way in which the signal bounces back (or reflects) to the OTDR. By mea-
suring the length of time it takes the signal to return, an OTDR can determine the location
of a fault.
promiscuous mode—The feature of a network adapter that allows it to pick up all frames that
pass over the network—not just those destined for the node served by the card.
protocol analyzer—A software package or hardware-based tool that can capture and analyze
data on a network. Protocol analyzers are more sophisticated than network monitoring tools,
as they can typically interpret data up to Layer 7 of the OSI Model.
runt—A packet that is smaller than the medium’s minimum packet size. For instance, any Eth-
ernet packet that is smaller than 64 bytes is considered a runt.
site selection—The process of determining optimal locations for access points on a wireless
network.
spectrum analyzer—A tool that assesses the characteristics (for example, frequency, amplitude,
and the effects of interference) of wireless signals.
supported services list—A document that lists every service and software package supported
within an organization, plus the names of first- and second-level support contacts for those ser-
vices or software packages.
TDR (time domain reflectometer)—A high-end instrument for testing the qualities of a
cable. It works by issuing a signal on a cable and measuring the way in which the signal bounces
back (or reflects) to the TDR. Many performance testers rely on TDRs.
time domain reflectometer—See TDR.
tone generator—A small electronic device that issues a signal on a wire pair. When used in
conjunction with a tone locator, it can help locate the termination of a wire pair.
tone locator—A small electronic device that emits a tone when it detects electrical activity on
a wire pair. When used in conjunction with a tone generator, it can help locate the termina-
tion of a wire pair.
voltmeter—A device used to measure voltage (or electrical pressure) on an electrical
circuit.
Review Questions
1. _________________________ assign unique identifying numbers to each problem, in
addition to identifying the caller, the nature of the problem, the time necessary to
resolve it, and the nature of the resolution.
a. Call tracking systems
b. Jabbers
c. NETMONs
d. TDRs
2. A _________________________ is a software-based tool that continually monitors
network traffic from a server or workstation attached to the network.
a. change management system
b. jabber
c. network monitor
d. call tracking system
3. A _________________________ is a record of how the network operates under nor-
mal conditions.
a. ghost
b. runt
c. fox and hound
d. baseline
4. Which of the following is a device that handles electrical signals improperly, usually
affecting the rest of the network?
a. Runt
b. Ghost
c. Jabber
d. Giant
5. A _________________________ is a tool that can be used to assess the quality of a
wireless signal.
a. runt
b. spectrum analyzer
c. jabber
d. protocol analyzer
6. True or false? The time frequency with which a problem occurs can reveal subtle net-
work problems.
7. True or false? An excellent way to learn more about the causes of a problem is to
recreate the symptoms.
8. True or false? Physical connectivity problems typically result in software application
anomalies, the inability to use a single application, poor network performance, and
software licensing errors.
9. True or false? Whether you are a one-person network support team or one of 100 network
technicians, you should always record the symptoms and cause (or causes) of a
problem and your solution.
10. True or false? Any Ethernet packet that is larger than 64 bytes is considered a runt.
11. A(n) _________________________ is a document that lists every service and soft-
ware package supported within an organization, plus the names of first- and second-
level support contacts for those services or software packages.
12. A(n) _________________________ is a process or program that provides support
personnel with a centralized means of documenting changes to the network.
13. A(n) _________________________ cable is useful for quickly and easily verifying
that a node’s NIC is transmitting and receiving signals properly.
14. A(n) _________________________ is a device that emits a tone when it detects elec-
trical activity on a wire pair.
15. Resistance is measured in _________________________.
Chapter 13: Ensuring Integrity and Availability
After reading this chapter and completing the exercises, you will be able to:
■ Identify the characteristics of a network that keep data safe from loss or
damage
■ Protect an enterprise-wide network from viruses
■ Explain network- and system-level fault-tolerance techniques
■ Discuss issues related to network backup and recovery strategies
■ Describe the components of a useful disaster recovery plan and the
options for disaster contingencies
As networks take on more of the burden of transporting and storing a day’s work, you must
pay increasing attention to the risks involved. You can never assume that data is safe on
the network until you have taken explicit measures to protect the information. In this book,
you have learned about building scalable, reliable enterprise-wide networks as well as selecting
the most appropriate hardware and network operating systems to operate your network. But
all the best equipment and software cannot ensure that server hard drives will never fail or that
a malicious employee won’t sabotage your network.
Methods for protecting data evolve quickly as networks change and new threats, such as com-
puter viruses, are released. This chapter provides a broad overview of measures that you can
take to ensure that your data remain safe. The far-reaching topic of network security is covered
in the next chapter.
What Are Integrity and Availability?
Before learning how to ensure integrity and availability, you should fully understand what
these terms mean. Integrity refers to the soundness of a network’s programs, data, services,
devices, and connections. To ensure a network’s integrity, you must protect it from anything
that might render it unusable. Closely related to the concept of integrity is availability. Avail-
ability of a file or system refers to how consistently and reliably it can be accessed by autho-
rized personnel. For example, a server that allows staff to log on and use its programs and data
99.99% of the time is considered to be highly available, whereas one that is functional only
98% of the time is less available. To ensure high availability, you need a well-planned and well-
configured network, as well as data backups, redundant devices, and protection from malicious
intruders who could potentially immobilize the network.
A number of phenomena may compromise both integrity and availability, including security
breaches, natural disasters (such as tornadoes, floods, hurricanes, and ice storms), malicious
intruders, power flaws, and human error. Every network administrator should consider these
possibilities when designing a sound network. You can readily imagine the importance of
integrity and availability of data in a hospital, for example, in which the network stores patient
records and also provides quick medical reference material, video displays for surgical cameras,
and perhaps even control of critical care monitors.
If you have ever supported computer users, you know that they sometimes unintentionally harm data,
applications, software configurations, or even hardware. Networks may also be intentionally harmed
by users unless network administrators take precautionary measures and pay regular, close attention
to systems and networks so as to protect them. This section reminds you of commonsense approaches
to data integrity and availability. Later in this chapter, you will learn about more specific or formal
(and potentially more expensive) approaches to data protection.