
TCP/IP Guide

This is my compilation of networking guides from when I was studying Computer Technology and
Networking. The guides below are our actual class discussion. I would like to share this section with
those who are interested in learning networking. I studied two years in Computer Technology
Networking including PC troubleshooting, Network data communication, Linux and Unix networking
and MCSE preparations. Unfortunately, I wasn't able to use my knowledge in networking due to my
decision to switch to Windows and Web development. Here it is! Enjoy and hope you learn from it.
Contents:
ARP
IP
TCP
UDP
TCP/IP Addressing
Subnetting
Static Routing
RIP
DHCP
NETBIOS
LMHOSTS
WINS
Browsing
Host Names
DNS
SNMP
Troubleshooting
ADDRESS RESOLUTION PROTOCOL(ARP)
LOCAL IP ADDRESS
When 2 computers try to communicate, an ARP request is initiated. If the IP address is on the local
network, the source host checks its ARP cache to see if it already has the hardware address(MAC
address) of the receiving host. If not, a request is broadcast to all local hosts. The host that finds
that the target IP address in the request matches its own sends a reply to the source host with its
hardware address. When received by the source host, its ARP cache is updated to include this
info. If no host responds to the broadcast then the request is discarded and the packet cannot be
delivered. Note that nothing in ARP authenticates a reply: a host accepts (and caches) a reply from
anyone on the segment, which is exactly why ARP spoofing on a shared LAN works.
REMOTE IP ADDRESS
This is a little different. When the destination address is found to be a remote host, the source host
checks its local routing table for a route to the receiving host. If none matches, the default gateway
is used. Either way the source host now needs the hardware address of the router rather than the
destination, so it ARPs for the router's IP address; the router replies with its hardware address and
the packet is sent to the router. The router follows the same pattern: it looks the destination up in
its own routing table, ARPs for the next hop (the destination itself if it is on one of the router's
networks, otherwise the next router) and forwards the packet. This repeats hop by hop until the
packet reaches the receiving host, which then answers the source host the same way (for a ping,
with an ICMP echo reply).
WOULD YOU LIKE TO KNOW MORE?
ARP entries can be static or dynamic. If a dynamic entry is not used within 2 minutes then it is
deleted. If it is used then it will remain for 10 minutes. A static entry will hang around until the
computer is rebooted, it is deleted with arp -d, or a new hardware address is received via broadcast
in which case the entry becomes dynamic. A tornado or earthquake could also remove your static
entries.
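The exchange above as an added example in Python (not part of the class notes): the 28-byte ARP packet layout, a host that answers only requests for its own address, and the cache update on the reply. All MAC and IP addresses are constructed for the demonstration. It also records what a forged reply does to the cache, since nothing in the protocol checks who sent it.

```python
import struct

# Added example; all MAC and IP values used with it are constructed for the demonstration.
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode a 28-byte ARP packet for Ethernet/IPv4 (RFC 826 layout)."""
    return (struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
            + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(pkt):
    """Decode an ARP packet; reject anything that is not Ethernet/IPv4."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"op": op,
            "sender_mac": bytes_to_mac(pkt[8:14]), "sender_ip": bytes_to_ip(pkt[14:18]),
            "target_mac": bytes_to_mac(pkt[18:24]), "target_ip": bytes_to_ip(pkt[24:28])}


class ArpHost:
    """One host on the segment: its addresses, an ARP cache and a list of suspicious changes."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}        # ip -> mac, the ARP cache the notes describe
        self.warnings = []     # (ip, old_mac, new_mac) whenever a cached mapping changes

    def request_for(self, target_ip):
        """The broadcast sent when target_ip is not cached (target MAC unknown, so all zeros)."""
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, pkt):
        """Process one ARP packet; return the reply to send, or None."""
        a = parse_arp(pkt)
        if a["target_ip"] != self.ip:
            return None                      # not addressed to us: ignore it
        old = self.cache.get(a["sender_ip"])
        if old is not None and old != a["sender_mac"]:
            self.warnings.append((a["sender_ip"], old, a["sender_mac"]))
        self.cache[a["sender_ip"]] = a["sender_mac"]   # learned without any authentication
        if a["op"] == OP_REQUEST:
            return build_arp(OP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"])
        return None


def resolve(src, segment, target_ip):
    """The local-address case from the notes: cache hit, else broadcast and learn from the reply."""
    if target_ip in src.cache:
        return src.cache[target_ip]
    request = src.request_for(target_ip)
    for host in segment:                     # a broadcast reaches every host on the segment
        reply = host.receive(request)
        if reply is not None:
            src.receive(reply)
    return src.cache.get(target_ip)          # None if nobody answered: the request is discarded
```

resolve() returns the learned MAC or None when no host answers. After a forged reply, the host's warnings list shows the mapping that changed; watching for that change is the check a practitioner adds to spot ARP spoofing on a segment.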
Back to contents

ARP COMMANDS
1) arp -a or arp -g
Both of these commands do the same thing. They display the contents of your current arp cache.
2) arp -s ip_address hardware_address
Adds a static entry to the arp cache.
3) arp -d ip_address
Removes an entry from the arp cache.

INTERNET PROTOCOL(IP)
BACKGROUND
IP is a connectionless protocol, which means that a session is not created before sending data. IP is
responsible for addressing and routing of packets between computers. It does not guarantee
delivery and does not give acknowledgement of packets that are lost or sent out of order as this is
the responsibility of higher layer protocols such as TCP.
IP HEADER STRUCTURE - This is not on the exam
VERSION:
This field uses 4 bits to denote the version of IP.
HEADER LENGTH:
4 bits denote the number of 32-bit words in the header. The minimum is 5 words, i.e. 20 bytes.
TYPE OF SERVICE:
8 bits that indicate the quality of service that the packet should receive. Includes precedence, delay,
throughput and reliability.
TOTAL LENGTH:
16 bits denote the total length of the packet.
IDENTIFICATION:
16 bits are used as a unique identifier so the packet can be reassembled in the event that it is
fragmented.
FRAGMENTATION FLAGS:
3 bits used in the fragmentation process: a reserved bit, Don't Fragment(DF) and More
Fragments(MF).
FRAGMENT OFFSET:
13 bits used to determine the location of the fragment in regards to the original IP packet.
TIME TO LIVE(ttl):
8 bits that indicate the maximum number of hops that a packet can travel before being thrown away.
Each router decrements it by one and discards the packet when it reaches zero.
Asleep yet?
PROTOCOL:
8 bits that identify the upper-layer protocol carried in the payload, e.g. 1 for ICMP, 6 for TCP and
17 for UDP.
HEADER CHECKSUM:
16 bits used to check for errors in the header only.
SOURCE ADDRESS:
32 bits that indicate the IP address of the sending host.
DESTINATION ADDRESS:
32 bits that indicate the IP address of the receiving host.
OPTIONS AND PADDING:
Variable length; stores IP options such as record route or source route, padded with zeros to a
32-bit boundary.
I really don't think that any of this header structure info will be on the test. It is simply here for
reference purposes.
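An added example, not from the notes: the header described above built and parsed in Python, with the RFC 1071 header checksum and the length checks a receiver must make before it trusts the total length field. The addresses and payload used with it are constructed.

```python
import struct

# Added example, not from the original notes; addresses and payloads are constructed.


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, protocol=17, ttl=64, ident=0x1234, dont_fragment=True, tos=0):
    """Build a packet with a 20-byte header (no options) and a correct header checksum."""
    ihl = 5
    flags_frag = 0x4000 if dont_fragment else 0          # DF bit set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, 20 + len(payload), ident,
                         flags_frag, ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    """Decode the fields listed above and refuse packets whose lengths or checksum lie."""
    if len(pkt) < 20:
        raise ValueError("truncated: shorter than the minimum header")
    (vihl, tos, total_len, ident, flags_frag, ttl, protocol,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    header_len = ihl * 4
    if header_len < 20 or header_len > len(pkt):
        raise ValueError("bad header length")
    if total_len < header_len or total_len > len(pkt):
        raise ValueError("bad total length")             # a classic source of buffer over-reads
    if checksum(pkt[:header_len]) != 0:                  # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return {
        "version": version, "header_length": header_len, "tos": tos, "total_length": total_len,
        "identification": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": protocol,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        "options": pkt[20:header_len], "payload": pkt[header_len:total_len],
    }


def is_valid(pkt):
    """True when parse_ipv4 accepts the packet (handy for filters)."""
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False


def forward(pkt):
    """What a router does to the header: decrement TTL and refresh the checksum, or drop at 1."""
    h = parse_ipv4(pkt)
    if h["ttl"] <= 1:
        return None                                      # TTL exceeded: drop (and send ICMP)
    hdr = bytearray(pkt[:h["header_length"]])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[h["header_length"]:]
```

Flipping a single header bit makes the checksum fail, and a total length larger than the bytes actually received is rejected instead of being used as a read length.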
Back to contents

TRANSMISSION CONTROL PROTOCOL(TCP)


BACKGROUND
As opposed to IP, TCP is connection oriented and assures reliable delivery of segments. When the
destination host receives a segment it sends back an acknowledgement(ack). If an ack is not
received by the source host within a certain period of time then the data is retransmitted. TCP uses
sockets and ports to exchange data between applications. A port identifies the application on a
host, while a socket is the combination of IP address, port number and transport protocol (TCP or
UDP) that identifies one end of a connection. TCP uses sliding windows to buffer data
between hosts. A buffer that is too large or small can cause poor network performance. For example,
if you are shotgunning a beer your throat is like the buffer. If your throat isn't opened wide enough
then the beer travels to your stomach very slowly. If your throat is open too wide, then some of the
beer packets get lost in your lungs or you just throw up. You then have to retransmit the beer back to
your stomach.
THREE-WAY HANDSHAKE
A TCP session begins with a three-way - Handshake that is. This process synchronizes the sending
and receiving of data by exchanging initial sequence numbers.
1) The source host sends a segment with the SYN flag set "on" and its initial sequence number.
2) The destination host sends a reply with both the SYN and ACK flags "on", its own initial
sequence number, and an acknowledgement number equal to the source's sequence number plus
one, i.e. the next byte it expects.
3) The source host sends an ACK whose acknowledgement number is the destination's sequence
number plus one. The session is ended with a similar exchange using the FIN flag, each side
sending a FIN and acknowledging the other's.
TCP HEADER STRUCTURE - This is not on the exam
SOURCE PORT:
This is the TCP port of the source host.
DESTINATION PORT:
TCP port of receiving host
SEQUENCE NUMBER:
The sequence number of the first data byte in this segment (or the initial sequence number when
SYN is set).
ACKNOWLEDGEMENT NUMBER:
The sequence number of the byte that the receiving host is expecting next (valid when ACK is set).
DATA OFFSET:
4 bits giving the length of the TCP header in 32-bit words; 5 (20 bytes) when there are no options.
RESERVED:
6 bits reserved for future use and set to zero. Crappy explanations everywhere, but that really is all
there is to it.
FLAGS:
6 bits (URG, ACK, PSH, RST, SYN, FIN) that denote the content of the segment.
WINDOW:
Specifies how much buffer space the sender of this segment has left for receiving data.
CHECKSUM:
Covers the TCP header, the data and a pseudo-header built from the IP addresses, so it catches a
corrupted segment as well as a segment delivered to the wrong host.
URGENT POINTER:
If the URG flag is set, this field gives the offset from the sequence number to the end of the urgent
data.
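An added example (not from the notes) that parses the header above and checks that three captured segments form a valid handshake: the SYN/ACK must acknowledge the client's initial sequence number plus one, and the final ACK the server's. The ports and sequence numbers it is run with are constructed values.

```python
import struct

# Added example, not from the original notes; ports and sequence numbers are constructed.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
MASK32 = 0xFFFFFFFF          # sequence numbers wrap modulo 2**32


def build_tcp(sport, dport, seq, ack, flags, window=65535, urgent=0, payload=b""):
    """20-byte header, no options. The checksum is left zero: it needs the IP pseudo-header."""
    data_offset = 5
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                       flags, window, 0, urgent) + payload


def parse_tcp(seg):
    """Decode the fields above; flags come back as a list of names."""
    if len(seg) < 20:
        raise ValueError("segment shorter than the minimum header")
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, urgent) = struct.unpack("!HHIIBBHHH", seg[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(seg):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for name, bit in FLAG_NAMES if flags & bit],
            "window": window, "urgent": urgent,
            "options": seg[20:header_len], "payload": seg[header_len:]}


def check_handshake(seg1, seg2, seg3):
    """Verify three segments form a valid SYN, SYN/ACK, ACK exchange. Returns (ok, reason)."""
    a, b, c = parse_tcp(seg1), parse_tcp(seg2), parse_tcp(seg3)
    if a["flags"] != ["SYN"]:
        return False, "step 1 must be a bare SYN"
    if set(b["flags"]) != {"SYN", "ACK"}:
        return False, "step 2 must be SYN+ACK"
    if (b["sport"], b["dport"]) != (a["dport"], a["sport"]):
        return False, "step 2 must come back on the mirrored port pair"
    if b["ack"] != (a["seq"] + 1) & MASK32:
        return False, "step 2 ack must be the client's ISN + 1"
    if "ACK" not in c["flags"] or "SYN" in c["flags"]:
        return False, "step 3 must be an ACK without SYN"
    if (c["sport"], c["dport"]) != (a["sport"], a["dport"]):
        return False, "step 3 must use the same port pair as step 1"
    if c["seq"] != (a["seq"] + 1) & MASK32:
        return False, "step 3 seq must be the client's ISN + 1 (the SYN consumed one number)"
    if c["ack"] != (b["seq"] + 1) & MASK32:
        return False, "step 3 ack must be the server's ISN + 1"
    return True, "ok"


def handshake(client_port, server_port, client_isn, server_isn):
    """Produce the three segments a correct client and server would send."""
    syn = build_tcp(client_port, server_port, client_isn, 0, SYN)
    syn_ack = build_tcp(server_port, client_port, server_isn, (client_isn + 1) & MASK32, SYN | ACK)
    ack = build_tcp(client_port, server_port, (client_isn + 1) & MASK32,
                    (server_isn + 1) & MASK32, ACK)
    return syn, syn_ack, ack
```

The acknowledgement-number checks are the same ones a host uses to ignore a SYN/ACK that was not a response to its own SYN, which is what makes blind spoofing of a connection hard when initial sequence numbers are unpredictable.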
Back to contents

USER DATAGRAM PROTOCOL(UDP)


BACKGROUND
UDP is a connectionless service that sends small amounts of data at one time and does not
guarantee delivery. It is commonly used by applications and services such as TFTP, SNMP, DHCP,
NetBIOS name service and NetBIOS datagram service. Like TCP, UDP uses ports to provide the
location to send packets.
HEADER STRUCTURE - This is not on the exam
SOURCE PORT:

UDP port of the source host


DESTINATION PORT:
UDP port of receiving host
MESSAGE LENGTH:
The total size of the UDP header plus data, in bytes (minimum 8).
CHECKSUM:
Covers a pseudo-header of the IP addresses, the UDP header and the data. Over IPv4 it is optional;
a value of zero means the sender did not compute one.
Back to contents

TCP/IP ADDRESSING
BACKGROUND
Every IP address can be broken down into 2 parts, the Network ID(netid) and the Host ID(hostid). All
hosts on the same network must have the same netid. Each of these hosts must have a hostid that
is unique in relation to the netid. An IP address is 32 bits, written as 4 octets of 8 bits each, so each
octet has a maximum value of 255. We view IP addresses in decimal notation such as 124.35.62.181,
but it is actually utilized as binary data so one must be able to convert addresses back and forth.
CONVERTING IP ADDRESSES
DECIMAL   BINARY
128       10000000
64        01000000
32        00100000
16        00010000
8         00001000
4         00000100
2         00000010
1         00000001
When converting binary data to decimal, a "0" is equal to 0. "1" is equal to the number that
corresponds to the field it is in. For example, the number 213 would be 11010101 in binary notation.
This is calculated as follows: 128+64+0+16+0+4+0+1=213. Remember that this only represents
1 octet of 8 bits, while a full IP address is 32 bits made up of 4 octets. This being true, the IP address
213.128.68.130 would look like 11010101 10000000 01000100 10000010. If you understand this then
you are a geek and all of your friends will laugh at you. Believe me - I know!

CLASSES
CLASS   RANGE(first octet)
A       1-126
B       128-191
C       192-223
IP addresses can be class A, B or C. Class A addresses are for networks with a large number of
hosts. The first octet is the netid and the 3 remaining octets are the hostid. Class B addresses are
used in medium to large networks with the first 2 octets making up the netid and the remaining 2
are the hostid. A class C is for smaller networks with the first 3 octets making up the netid and the
last octet comprising the hostid. The gap at 127 is not a mistake: 127.x.x.x is reserved for loopback
(127.0.0.1 is your own machine), and first octets of 224 and above belong to the multicast and
experimental classes D and E, which are not assigned to hosts.
Back to contents

SUBNETTING
BACKGROUND
A subnet mask blocks out a portion of an IP address and is used to differentiate between the hostid
and netid. The default subnet masks are as follows:
CLASS     DEFAULT SUBNET MASK   # OF NETWORKS   # OF HOSTS PER NETWORK
Class A   255.0.0.0             126             16,777,214
Class B   255.255.0.0           16,384          65,534
Class C   255.255.255.0         2,097,152       254
In these cases, the part of the IP address blocked out by 255 is the netid.
WOULD YOU LIKE TO KNOW MORE?
The table above shows the default subnet masks. What subnet mask do you use when you want
more than 1 subnet? You borrow bits from the hostid: each borrowed bit becomes a "1" in the mask.
Under the classful rules in the Microsoft text, the subnet whose bits are all zeros and the one whose
bits are all ones cannot be used, so with b borrowed bits you get 2^b - 2 usable subnets, and you
need the smallest b for which that is at least the number of subnets you want. Lets say, for example,
that you want 8 subnets and will be using a class C address. 3 bits would give only 6 usable subnets,
so we need 4 bits (14 usable). We set the first 4 high order bits of the 4th octet of the subnet mask
(since it is class C) as follows:
11111111.11111111.11111111.11110000 = 255.255.255.240. There is our subnet mask.
Lets try another one...Lets say that you are the network administrator for a chain of dry cleaning
stores in New York and you have stores in 20 different neighborhoods and you want to have a
separate subnet on your network for each store. It will be a class B network. 4 bits give 14 usable
subnets, not enough, so we need 5 bits (30 usable). We set the first 5 high order bits of the 3rd
octet which gives:
11111111.11111111.11111000.00000000 = 255.255.248.0. The class notes used a shortcut here
(convert the number of subnets to binary and count its digits: 8 = 1000 is 4 digits, 20 = 10100 is 5),
which happens to give the right answer for 8 and 20 but fails for numbers like 7 (111 is 3 digits, but
3 bits only give 6 usable subnets) or 15, so count usable subnets rather than digits. The following
table shows a comparison between the different subnet masks.
MASK(subnetted octet)  # OF SUBNETS  CLASS A HOSTS  CLASS B HOSTS  CLASS C HOSTS
192                    2             4,194,302      16,382         62
224                    6             2,097,150      8,190          30
240                    14            1,048,574      4,094          14
248                    30            524,286        2,046          6
252                    62            262,142        1,022          2
254                    126           131,070        510            Invalid
255                    254           65,534         254            Invalid
(Both the subnet and host counts are 2^bits - 2, excluding the all-zeros and all-ones values; the
two class C rows marked Invalid leave no usable host bits.)
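An added example, not from the notes, that carries the subnetting procedure above through in Python using the classful rule (usable subnets = 2^bits - 2): it derives the mask for a wanted number of subnets, lists the usable subnet ranges, and tests whether two addresses share a subnet, which is the decision IP makes before sending. The 192.168.5.0 network is a constructed input; 134.62.0.0 is borrowed from the routing example later in these notes. Modern CIDR routers allow subnet zero, so on current equipment the 2^bits - 2 count is conservative.

```python
import ipaddress

# Added example, not from the class notes; the network numbers used with it are constructed.


def bits_for_subnets(wanted):
    """Smallest number of borrowed bits b with 2**b - 2 >= wanted (classful rule: the all-zeros
    and all-ones subnets are unusable). This is what the digit-counting shortcut approximates."""
    bits = 1
    while 2 ** bits - 2 < wanted:
        bits += 1
    return bits


def classful_prefix(ip):
    """Default mask length from the first octet, as in the class table."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError("%s is not a class A, B or C address" % ip)


def subnet_plan(network_ip, subnets_wanted):
    """Mask and usable subnet ranges for splitting a classful network into subnets_wanted pieces."""
    base = classful_prefix(network_ip)
    borrowed = bits_for_subnets(subnets_wanted)
    prefix = base + borrowed
    if prefix > 30:                       # fewer than 2 host bits leaves no usable hosts
        raise ValueError("not enough host bits left for %d subnets" % subnets_wanted)
    network = ipaddress.ip_network("%s/%d" % (network_ip, base), strict=False)
    subnets = list(network.subnets(new_prefix=prefix))[1:-1]   # drop all-zeros and all-ones
    return {
        "mask": str(ipaddress.ip_network("0.0.0.0/%d" % prefix).netmask),
        "subnet_bits": borrowed,
        "usable_subnets": len(subnets),
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,
        # (network address, first host, last host, broadcast) for each usable subnet
        "ranges": [(str(s.network_address), str(s[1]), str(s[-2]), str(s.broadcast_address))
                   for s in subnets],
    }


def same_subnet(ip_a, ip_b, mask):
    """The test IP performs before sending: same netid after masking means local delivery."""
    net = ipaddress.ip_network("%s/%s" % (ip_a, mask), strict=False)
    return ipaddress.ip_address(ip_b) in net
```

subnet_plan("192.168.5.0", 8) reproduces the 255.255.255.240 mask worked out above and shows that the first usable subnet starts at .16, not .0; subnet_plan("134.62.0.0", 20) gives 255.255.248.0 with 30 usable subnets of 2,046 hosts.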

Back to contents

STATIC ROUTING
BACKGROUND
A router or gateway is a device that forwards packets from one logical network to another. IP uses
a routing table to decide where a packet can be sent and will only forward packets toward networks
for which it has a route. When a packet is to be sent, IP determines whether the destination IP
address is local or remote. If it is local, it delivers the packet directly (using ARP to find the
destination's hardware address). If it is remote, it consults the routing table for the most specific
route to the remote network. If there is no matching entry, the default gateway is used instead. The
routing table is checked again at the router and the process repeats. A packet can be forwarded
from router to router; each one of these steps is called a "hop". If a router has no route for the
destination it drops the packet and returns an ICMP destination unreachable message. On NT,
multiple default gateways can be configured and if "Dead Gateway Detection" is set to "on" then IP
will switch to the next default gateway when the current one stops responding.
WOULD YOU LIKE TO KNOW MORE?
Routing can be either static or dynamic. Static routing involves manually programming the routing
table into the router. If you have a large network, this can be a real hassle especially if your network
constantly changes and the tables have to keep getting updated. Let's look at how this all works...

In this example you can see that our router is actually a computer. If one adds 2 network adapters to
an NT server, it can be used as a router. A computer that acts as a router in this way is said to be
getting it in both ends. Just kidding - it is called multihomed. The default gateway of Host A in this
example would be the local side of the router which would be 134.62.8.1. Conversely, Host B's
gateway would be 134.62.20.1. And that is all I have to say about that.
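An added example, not from the notes: a routing table with longest-prefix match and a default gateway, plus a hop-by-hop trace through the Host A / router / Host B layout described above. The /24 masks and the addresses 134.62.8.5, 134.62.20.7 and the 10.x addresses are assumptions for the example; the notes only give the router's two addresses.

```python
import ipaddress

# Added example, not from the class notes. The addresses extend the Host A / Host B / router
# picture in the notes; the /24 masks and the host and 10.x addresses are assumptions.


class RoutingTable:
    """One host's or router's routing table with longest-prefix match and a default gateway."""

    def __init__(self, default_gateway=None):
        self.routes = []              # (network, gateway or None if directly connected, iface)
        self.default_gateway = default_gateway

    def add(self, destination, mask, gateway, interface):
        net = ipaddress.ip_network("%s/%s" % (destination, mask), strict=False)
        self.routes.append((net, gateway, interface))

    def lookup(self, dst):
        """Return ("local", dst, iface), ("via", gateway, iface) or None when there is no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gateway, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gateway, iface)      # the most specific match wins
        if best is None:
            if self.default_gateway is None:
                return None                       # a router answers with ICMP unreachable
            return ("via", self.default_gateway, "default")
        net, gateway, iface = best
        if gateway is None:
            return ("local", dst, iface)          # directly connected: ARP for dst itself
        return ("via", gateway, iface)


def trace(nodes, owner, start, dst, ttl=16):
    """Follow a packet hop by hop. nodes maps node name -> RoutingTable; owner maps an IP
    address to the node holding it (the stand-in for ARP). Returns (path, outcome)."""
    path, current = [start], start
    while ttl > 0:
        decision = nodes[current].lookup(dst)
        if decision is None:
            return path, "destination unreachable"
        kind, next_ip, _ = decision
        next_node = owner.get(next_ip)
        if next_node is None:
            return path, "nobody answers ARP for %s" % next_ip
        path.append(next_node)
        if kind == "local":
            return path, "delivered"
        current, ttl = next_node, ttl - 1         # each router is one hop and burns one TTL
    return path, "ttl expired (routing loop?)"


def example_network():
    """Host A and Host B on either side of a multihomed NT box, as in the notes."""
    host_a = RoutingTable(default_gateway="134.62.8.1")
    host_a.add("134.62.8.0", "255.255.255.0", None, "eth0")
    router = RoutingTable()                       # no default route: unknown networks are dropped
    router.add("134.62.8.0", "255.255.255.0", None, "nic1")
    router.add("134.62.20.0", "255.255.255.0", None, "nic2")
    host_b = RoutingTable(default_gateway="134.62.20.1")
    host_b.add("134.62.20.0", "255.255.255.0", None, "eth0")
    nodes = {"HostA": host_a, "Router": router, "HostB": host_b}
    owner = {"134.62.8.5": "HostA", "134.62.8.1": "Router", "134.62.20.1": "Router",
             "134.62.20.7": "HostB"}
    return nodes, owner
```

The TTL argument of trace() is what stops a packet bouncing forever between two routers that point their default routes at each other, which is the failure the "hop" count and TTL field exist to contain.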
Back to contents
ROUTE COMMANDS
1) route add (Destination) mask (Subnet_Mask) (Gateway_address)
Add a route. Destination is a network or host address; the mask says how many of its bits matter.
2) route -p add (Destination) mask (Subnet_Mask) (Gateway_address)
Add a persistent route. This type of entry is stored in the registry and is not affected by a power
cycle; routes added without -p are gone after a reboot.
3) route delete (Destination)
Delete a route.
4) route change (Destination) mask (Subnet_Mask) (Gateway_address)
Change a route.
5) route print
Shows the contents of the routing table.
6) route -f
Clears the routing table of all gateway entries.
Back to contents

RIP
BACKGROUND
This is a continuation of the routing discussion, but now we will be focusing on dynamic routing
which uses the Routing Information Protocol(RIP). RIP measures the distance from source to
destination by counting the number of hops(routers or gateways) that the packets must travel over.
RIP sets a maximum of 15 hops and treats a metric of 16 as unreachable. RIP's real
advantage is that if there are multiple possible paths to a particular destination and the appropriate
entries exist in the routing table, it will choose the one with the fewest hops. Like me, RIP is all about
the path of least resistance. RIP broadcasts its routing table over UDP port 520 every update
interval (30 seconds by default). Here is how it works...

OK...Router 1 and router 2 would broadcast their routing tables to each other every x seconds
depending on what the update interval is set to. Each router would then add any new routes to its
table, with the hop count increased by one since the route now goes through the neighbor. If a route
already exists then the router would see if the new route has fewer hops than the one it currently
has stored and replace it if so. Note that RIP version 1 has no authentication at all, so any host on
the segment can broadcast to port 520 and have its routes believed; RIP version 2 added a
password and later MD5 authentication for exactly this reason.
WOULD YOU LIKE TO KNOW MORE?
The Microsoft text claims that RIP is best used on smaller networks. This is because larger networks
can have a crap-load of entries in their routing table. Due to the fact that RIP packets can be a
maximum of 512 bytes, larger tables would have to be sent as multiple packets which can bog down
the network.
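An added example, not from the notes: the update processing described above in Python, with split horizon (a route is not advertised back to the router it was learned from), and what happens when an unauthenticated neighbor advertises a better route. Router names and networks are constructed.

```python
# Added example, not from the class notes; router names and networks are constructed.
INFINITY = 16          # RIP's "unreachable": a metric of 16 or more hops


class RipRouter:
    def __init__(self, name):
        self.name = name
        self.table = {}    # network -> (metric in hops, next-hop router name or None)

    def add_connected(self, network):
        self.table[network] = (1, None)          # directly attached networks cost 1 in RIP

    def advertisement(self, to=None):
        """The routes broadcast every update interval. With split horizon, routes learned from
        router `to` are not sent back to it."""
        return {net: metric for net, (metric, hop) in self.table.items()
                if to is None or hop != to}

    def receive(self, neighbor, routes):
        """Merge a neighbor's broadcast; return the networks whose entry changed."""
        changed = []
        for net, metric in routes.items():
            new_metric = min(metric + 1, INFINITY)     # one more hop to go through the neighbor
            current = self.table.get(net)
            if current is None:
                if new_metric < INFINITY:
                    self.table[net] = (new_metric, neighbor)
                    changed.append(net)
            else:
                cur_metric, cur_hop = current
                # take a shorter route, or any change announced by the hop we already use
                if new_metric < cur_metric or (cur_hop == neighbor and new_metric != cur_metric):
                    self.table[net] = (new_metric, neighbor)
                    changed.append(net)
        return changed


def converge(routers, links, max_rounds=20):
    """Exchange advertisements over each link until a full round changes nothing.
    Returns the number of rounds taken, or None if the tables never settled."""
    neighbors = {name: [] for name in routers}
    for a, b in links:
        neighbors[a].append(b)
        neighbors[b].append(a)
    for rnd in range(1, max_rounds + 1):
        changed = False
        for name, router in routers.items():
            for nb in neighbors[name]:
                if routers[nb].receive(name, router.advertisement(to=nb)):
                    changed = True
        if not changed:
            return rnd
    return None
```

In the test below, three routers in a chain converge in a few rounds; then a "Rogue" neighbor claims a one-hop path to the far network and R1 switches its traffic to it, because receive() has no way to tell a forged broadcast from a real one.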
Back to contents

DHCP
BACKGROUND
DHCP stands for Dynamic Host Configuration Protocol and provides a solution that automatically
assigns IP addresses to computers on a network. When a client is configured to receive an IP
address automatically, it will send out a broadcast to the DHCP server requesting an address. The
DHCP server will then issue a "lease" and assign it to that client. The time period that a lease will
last can be specified on the server. Some of the benefits of DHCP include the following:
- Prevents users from making up their own IP addresses.
- Prevents incorrect gateway or subnet masks from being entered.
- Decreases amount of time spent configuring computers especially in environments where
computers get moved around all the time(I think that is everywhere, isn't it?).
- Handy in situations where you have a large sales staff that work remotely. On that one day
they bring their laptops and they can just plug them into the network and they are all set.

HOW DOES THIS CRAZY THING WORK?
It all happens in 4 steps.
1) The client sends a broadcast that says "Hey, I need an IP address over here". Since it is not
configured for TCP/IP yet it uses a source address of 0.0.0.0 and a destination address of
255.255.255.255 (UDP port 68 to port 67). The broadcast contains the computer's name and the
MAC address so the DHCP server knows where to reply. This is called the IP lease request
(DHCPDISCOVER).
2) The DHCP server/s send an offer. This broadcast contains the IP address, client's hardware
address, subnet mask, duration of lease and the IP address of the responding DHCP server. This
process is called an IP lease offer (DHCPOFFER).
3) The client takes the first offer that it receives and broadcasts a message to all DHCP servers
naming the server and the address it has chosen. This is known as the IP lease selection
(DHCPREQUEST). Nothing in this step authenticates the server: whoever answers first wins, which
is why a rogue DHCP server on the subnet can hand out its own gateway and DNS settings.
4) The chosen DHCP server then sends an ack (DHCPACK) to the client, all other DHCP servers
withdraw their offers and cry in the corner and the client now has an IP address. If a negative
acknowledgement (DHCPNAK) is received instead, then the client sends out another lease
request. Easy eh? For all of you registry nuts, the client stores its IP info in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adapter\Parameters\Tcpip.

Back to contents

LEASE RENEWAL
DHCP clients will attempt to renew their leases when 50% of the lease has expired. The client will
send a DHCPREQUEST message directly to the server that assigned the lease. Assuming the DHCP
server isn't on fire or anything it will send out a DHCPACK with the new lease. If the server is
unavailable, then the client can continue functioning as it still has 50% of the lease remaining. The
client will keep retrying and continue as normal until the lease reaches 87.5% used, at which time it
broadcasts to all DHCP servers and attempts to get a new lease from any of them. If the client
receives a DHCPNAK message or the lease expires then the client must start all over again with a
new lease request and may get a different IP address. If the lease expires and the client is unable
to get a new one then the user will be whining to their IS dept. about it because they will not be
able to communicate over the network.

IPCONFIG
Below are the ipconfig switches that can be used at a command prompt.
ipconfig /all displays all of your IP settings, including the DHCP server and lease times.
ipconfig /renew asks the DHCP server, if one is reachable, to renew the lease.
ipconfig /release gives the lease back to the server (the adapter is left without an address).

SETTING UP A DHCP SERVER


We have discussed how DHCP works for the clients, so now we should look at what happens on the
rest of the network. First question to ask yourself is how many subnets the DHCP server will serve. If
it is more than 1 then you have to make sure that the routers forward DHCP broadcasts or that a
DHCP relay agent exists on each remote subnet, or else only the local subnet will get leases. Next
the "scope" needs to be defined. If there are multiple DHCP servers then each one will need a
unique scope of IP addresses since DHCP servers do not share information about leases with each
other. According to Microsoft, each DHCP server should be configured with 75% of the scope
reserved for the local subnet and the remaining 25% for remote subnets. This provides redundancy:
if a client can't obtain a lease from the local server, it can get one from a remote server. Also, keep
in mind that a DHCP server cannot also be a DHCP client, meaning that the DHCP server must have
static entries for its IP settings. Below are the basic steps to set up a DHCP server:
1) The DHCP server service must be installed.
2) A scope must be defined. Note that each DHCP server must have unique scopes defined or else
duplicate IP addresses may be assigned. Options (subnet mask, default gateway, DNS and WINS
servers and so on) can be set at 3 levels:
- Global - This option is used when all DHCP clients will use the same IP setting, such as the
same subnet mask.
- Scope - These options are only available to clients that are using an address specified by
the scope.
- Client - Used for clients that use reserved addresses.
3) The server may be configured to always assign a particular address to a client (a reservation,
keyed on the client's MAC address).
4) "Map out" any static IP addresses on the network in the "exclusion range" fields so the server
never leases them.
The DHCP server database is backed up every hour(default) and can be restored when needed. It
can also be compacted in order to keep it running efficiently. NT 4.0 does this automatically, whereas
it must be done manually with earlier versions of NT.

DHCP RELAY AGENT


This service is used when routers separate clients from a DHCP server. An NT server on the same
subnet as the clients can be configured so that it picks up the clients' DHCP broadcasts and
forwards them as unicast packets to the DHCP server. The relay puts its own address on the client
subnet into the message (the giaddr field), so the DHCP server knows which subnet to lease from
and sends its reply back to the relay, which passes it on to the client. This service is basically a
middle-man.
Back to contents

NETBIOS
BACKGROUND
Get ready, because it is time to take it to the next level. When talking about NetBIOS, we typically
refer to the concept of a NetBIOS Name which is the name assigned to your computer. NetBIOS is
an interface that lets applications talk to each other over any transport that supports it, such as
TCP/IP (NetBIOS over TCP/IP, or NetBT) or NetBEUI. These are the main functions that NetBIOS
serves:
- Starting and stopping sessions.
- Name registration and resolution.
- Session layer data transfer(reliable).
- Datagram data transfer(unreliable).
- Protocol driver and network adapter management functions.


Back to contents

NETBIOS NAMING
A NetBIOS name is either a unique name or a group name, the difference being that a unique name
is used for communication with a specific process on a computer, whereas a group name is for
communication with multiple clients. NetBIOS name resolution resolves a computer's NetBIOS name
to an IP address. Microsoft offers several different ways to resolve NetBIOS names and each will be
discussed below.
LOCAL BROADCAST - If the destination host is local, then first the NetBIOS name cache is
checked and if the name is found there no broadcast is sent. If it is not found, then a name query
broadcast is sent out that includes the destination NetBIOS name. Each computer that receives the
broadcast checks to see if it owns the name requested. The computer that owns the name then
uses ARP to determine the MAC address of the source host. Once obtained, a name query
response is sent. NOTE: Routers do not normally forward broadcasts, so these queries (UDP port
137 for the name service, 138 for the datagram service) only reach the local subnet.
NETBIOS NAME SERVER - When using a NetBIOS name server, the cache is checked first
and if the name is not found the destination host's name is sent to the name server. After the
name server resolves the name to an IP address, it is returned to the source host. When the
source host receives the information it uses ARP to resolve the IP address of the destination
host to its MAC address.
LMHOSTS FILE - More on this later...
HOSTS FILE - More on this later...
DNS - More on this later...

NBTSTAT COMMANDS
1) nbtstat -n Lists all registered NetBIOS names on the local computer.
2) nbtstat -c Shows the NetBIOS name cache.
3) nbtstat -R Purges the NetBIOS name cache and reloads the #PRE entries from the lmhosts file.

Back to contents
LMHOSTS
BACKGROUND
An lmhosts file is a text file that is used to manually map NetBIOS names to IP addresses. In NT, it
is located in the \system32\Drivers\Etc directory under the Windows directory. Each line holds an IP
address, the NetBIOS name and optionally the keywords listed below:
#PRE - Denotes entries to be preloaded to the cache, which cuts down on broadcast traffic.
#DOM:domain_name - Marks the entry as a domain controller for logon validation, browsing and
account synchronization.
#BEGIN_ALTERNATE and #END_ALTERNATE - Bracket a list of #INCLUDE lines giving alternate
locations for other lmhosts files using a UNC path; the first one that can be read is used.
#INCLUDE - Uses NetBIOS entries located in a different lmhosts file such as one that is
centrally shared.
#MH - For multi-homed computers, this allows extra entries for the same name.
Each entry in the lmhosts file must be unique, have a valid IP address for the NetBIOS name and be
spelled correctly (a NetBIOS name is at most 15 characters).
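An added example, not from the notes: a parser for the file format above that handles the keywords listed, reports malformed lines instead of guessing, flags a name mapped to two different addresses without #MH, and extracts the #PRE entries that nbtstat -R would preload. The sample file and every name, address, domain and UNC path in it are constructed; keywords are matched exactly as the notes spell them, and any other #-token after the name is treated as a trailing comment.

```python
import ipaddress

# Added example, not from the class notes. The sample file below is constructed: every name,
# address, domain and UNC path in it is made up for the demonstration.
SAMPLE_LMHOSTS = r"""
# lmhosts for the CORP domain (constructed sample)
10.1.1.5     PDC01      #PRE #DOM:CORP
10.1.1.6     BDC01      #DOM:CORP
10.1.2.10    FILESRV    #PRE
10.1.2.11    printsrv
10.1.3.3     MH01       #MH
10.1.3.4     MH01       #MH
10.1.2.12    FILESRV
10.1.9.1     thisnameiswaytoolong
999.1.1.1    BADADDR
#BEGIN_ALTERNATE
#INCLUDE \\PDC01\public\lmhosts
#INCLUDE \\BDC01\public\lmhosts
#END_ALTERNATE
"""


def parse_lmhosts(text):
    """Return (entries, includes, alternates, errors). Keywords are matched exactly as the notes
    spell them; anything unexpected after the name is reported rather than guessed at."""
    entries, includes, alternates, errors = [], [], [], []
    in_alternate = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#BEGIN_ALTERNATE"):
            in_alternate = True
            alternates.append([])
            continue
        if line.startswith("#END_ALTERNATE"):
            in_alternate = False
            continue
        if line.startswith("#INCLUDE"):
            path = line[len("#INCLUDE"):].strip()
            (alternates[-1] if in_alternate and alternates else includes).append(path)
            continue
        if line.startswith("#"):
            continue                                   # ordinary comment
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, "need an address and a name"))
            continue
        address, name, extras = fields[0], fields[1], fields[2:]
        try:
            ipaddress.IPv4Address(address)
        except ValueError:
            errors.append((lineno, "invalid IP address %s" % address))
            continue
        if len(name) > 15:
            errors.append((lineno, "NetBIOS name %s longer than 15 characters" % name))
            continue
        entry = {"ip": address, "name": name.upper(), "pre": False, "dom": None, "mh": False,
                 "line": lineno}
        for extra in extras:
            if extra == "#PRE":
                entry["pre"] = True
            elif extra.startswith("#DOM:") and len(extra) > 5:
                entry["dom"] = extra[5:]
            elif extra == "#MH":
                entry["mh"] = True
            elif extra.startswith("#"):
                break                                  # rest of the line is a comment
            else:
                errors.append((lineno, "unexpected token %s" % extra))
        entries.append(entry)
    return entries, includes, alternates, errors


def check_conflicts(entries):
    """Flag a name mapped to different addresses unless every such entry is marked #MH."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e["name"], []).append(e)
    problems = []
    for name, group in by_name.items():
        addrs = {e["ip"] for e in group}
        if len(addrs) > 1 and not all(e["mh"] for e in group):
            problems.append((name, sorted(addrs)))
    return problems


def preload_cache(entries):
    """What nbtstat -R loads: only the #PRE entries, as name -> address."""
    return {e["name"]: e["ip"] for e in entries if e["pre"]}


def domain_controllers(entries):
    """Name -> domain for every #DOM: entry."""
    return {e["name"]: e["dom"] for e in entries if e["dom"]}
```

Running it over the sample reports the over-long name and the bad address by line number, and check_conflicts() catches FILESRV being mapped to two addresses while leaving the #MH pair for MH01 alone.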
Back to contents

WINS
BACKGROUND
Microsoft's definition of WINS is "An enhanced NetBIOS Name Server(NBNS) designed by Microsoft
to eliminate broadcast traffic associated with the B-node implementation of NetBIOS over TCP/IP. It
is used to register NetBIOS names and resolve them to IP addresses for both local and remote
hosts." If a WINS server is configured, then name resolution requests are sent directly to it and in
turn the WINS server will send the IP address to the requesting client. If the WINS server can't
resolve the name for some reason, then the client falls back to a broadcast to try to resolve the
name. A secondary WINS server can be configured so that an unreachable primary does not force
this. WINS is dynamically updated which gets rid of the need to screw around with lmhosts files. If a
client is configured to use WINS then it will register its name and IP address with the WINS server.
When the computer is shut down, it releases its lease on that name, which may then be used by a
different computer. Microsoft recommends 1 primary and 1 secondary WINS server per 10,000
clients.
NAME RENEWAL AND RELEASE
RENEWAL - Name registrations on the WINS server do not last forever and have a "time to
live" or TTL. After 1/8th of the TTL the client will attempt to refresh its name with the server.
If it is unable to do this it will try again every 2 minutes until 1/2 the TTL is expired at which
point it will start barking at the secondary WINS server if one is present. It will attempt to
register with the secondary WINS server 4 times(every 1/8th of the TTL until half is expired).
After a successful refresh it will attempt another at 1/2 TTL from there on out.
RELEASE - When a computer is shutdown normally(i.e. doesn't crash), it will make a
request to the WINS server that its name be released. If the server detects an error it will tell
the client "no". If everything checks out ok, the server will send a positive response and
releases the name making it available to other clients.
OTHER CONSIDERATIONS
NON-WINS CLIENTS - Static mappings should be made on the WINS server for non-WINS clients,
otherwise an lmhosts file must be configured on the clients that need to reach them. So that the
non-WINS clients can in turn resolve WINS-registered names, set up a WINS proxy agent on their
subnet: it listens for their name query (and registration) broadcasts and forwards them to the WINS
server. The proxy can be enabled by editing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. Once
at this key, change the value for EnableProxy to 1.
DATABASE REPLICATION - If multiple WINS servers exist on a network, it is possible to
configure them to replicate each other's databases for redundancy. In order for this small
miracle to happen each WINS server must be configured as a "push" or "pull" partner.
Basically, a push partner sends its database entries to the pull partners. This happens after
a certain number of changes have occurred in the push partner's database and for that
reason is not recommended for larger networks as it could start replication during peak
traffic times. A pull partner will grab the changed database entries after a configurable
amount of time. Servers can also be configured as both push and pull partners which will
cause them to replicate their entries with each other.
BACKUP, RESTORING AND COMPACTING - A directory for the backup needs to be
established. Once this occurs, the database will be backed up every 24 hours. If the
database gets hosed and needs to be restored, you can do so by going to the WINS
Manager "mappings" menu and select "restore database". The database is compacted
automatically.
Back to contents

BROWSING
BACKGROUND
This section is about Microsoft's browsing service. Pay attention as browsing problems can be
difficult to fix. A select few computers on the network have the privilege of being browsers, which
means that they are responsible for tracking the shared resources on a network. They obtain their
lists of resources from NetBIOS broadcasts. There are 3 different types of browsers:
MASTER BROWSER - The king of browsing. This computer keeps track of the list in its
domain as well as keeping a browse list on file for the other domains. It is also responsible for
making sure that the backup browsers have copies of the list.
BACKUP BROWSER - Upon request, this computer sends the list that it receives from the
master browser to clients.

DOMAIN MASTER BROWSER - This one takes the browse lists from the master browsers
on the network and makes sure that they match.

Due to the fact that NetBIOS broadcasts are not typically routed because it can bog down the
network with traffic, WINS or lmhosts files need to be used to allow browsing across subnets. When
WINS is used, the destination host's IP address is retrieved directly from the WINS database. For
clients not using WINS, an lmhosts file must be configured with the name and address of the
browsers on the network.
CONFIGURING AN LMHOSTS FILE
On each master browser, the file needs an entry pointing at the domain master browser:
(ip_address) (domain_master_browser_name) #PRE #DOM:(domain_name)
On the domain master browser, an entry for each subnet's master browser:
(ip_address) (master_browser_name) #DOM:(domain_name)
If you are on a large network, it is better to use WINS. Imagine trying to configure lmhosts files for
1,000 computers. Job security for sure, but what a pain.
Back to contents
HOST NAMES

BACKGROUND
Host names can be mapped to IP addresses to make referencing hosts easier as you don't have to
remember an IP address. Personally, it isn't any easier for me, but Microsoft is the boss. A host
name can be any string 256 characters or less and does not have to match the NetBIOS name.
There are several different ways that host names can be resolved to IP addresses. Below are the
standard methods:
HOSTS FILES - A text file that can be edited to manually map the host name to an IP
address.
DNS SERVER - A database of name/address mapping stored on a computer as is done with
WINS.

LOCAL HOST NAME - The name of the computer itself; unless configured otherwise it is the
same as the NetBIOS computer name.

Microsoft adds several more options which follow:


LOCAL BROADCAST - A broadcast on the local network that attempts to discover the IP
address for the destination computer's NetBIOS name.
LMHOSTS FILES - Like a hosts file, this can be configured for name resolution.

NetBIOS NAME SERVER - Pretty self-explanatory. Microsoft uses WINS for this.

HOSTS FILE
The hosts file is a little different than the lmhosts file in that it maps host names (used by TCP/IP
utilities such as ping and ftp) rather than NetBIOS names, and it is consulted for both local and
remote names. If the host name can't be resolved and no other alternative name resolution
processes are in place, the user will receive an error. Once the IP address is parsed from the hosts
file, ARP takes over and attempts to resolve the IP address to a MAC address. Like the lmhosts
method, this is static name resolution.
Back to contents

DNS
BACKGROUND
The internet used to use a single hosts file to resolve host names to IP addresses. The
internet grew to the point where the administration and the traffic needed to maintain this file
became unbearable and DNS was born. A DNS client(aka resolver) sends requests to the DNS
nameserver which responds with the requested info, another server to pester or a failure message.
This process is very similar to calling information. You call them with a name, they check their
database and give you the phone number. There are 3 types of queries that a host will send to its
DNS servers and they are inverse, iterative and recursive. When the nameserver resolves a request
the answer is cached for the TTL given in the record. There are a variety of roles a nameserver can
satisfy within the zone that it is responsible for:
PRIMARY NAMESERVER - Reads the DNS information for its zone from local files and is the
place where hosts and domains are added.
SECONDARY NAMESERVER - Gathers the data for its zone(s) from another DNS server.
Secondary nameservers provide redundancy, reduce the load on the primary server and give
quicker access for locations that are remote in regards to the primary server.
CACHING ONLY SERVERS - These do not have a zone that they are responsible for. Their
databases only contain info that is received from resolutions that they have made since the
server was last started.
The name space is divided into tiers called domains which will be covered in a moment.
DOMAINS

Microsoft discusses domains in terms of a hierarchical "domain name space" which they refer to as
being like a tree structure. This probably makes a lot of sense to those of you migrating from the
clunky, yet powerful Netware side of things. There are several different domain levels as listed
below:
ROOT LEVEL DOMAIN - The top of the tree, written as a single trailing dot.

TOP LEVEL DOMAINS - These are divided into different categories. Com, net, mil, edu, org
and gov are the most common.

SECOND LEVEL DOMAINS - These are the names registered directly under a top level domain, and
all further sub-domains are categorized under them. So if you visit Intel's site, you are
visiting a host in the second level domain intel.com. Within intel.com many other sub-domains
may also exist.

HOSTS - Hosts are the final level in the hierarchy as they are the individual computers that
occupy or comprise a domain.
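To make the query types and the tiers concrete, here is an added example (not code from the study guide) that simulates the hierarchy: a recursive resolver that walks root, top level and second level servers with iterative queries, caches the final answer with a TTL, and returns a failure when no server knows the name. The server names, the zone contents and the addresses are invented for the demonstration.

```python
"""Simulated DNS resolution through the root -> TLD -> second-level tiers.
Added example; every server name and address below is made up."""
import time

# Constructed zone data: each "server" holds answers and/or referrals to the
# next tier. Only final answers are cached here; real resolvers cache referrals too.
SERVERS = {
    "root": {"referral": {"com": "a.gtld-servers.example"}},
    "a.gtld-servers.example": {"referral": {"intel.com": "ns1.intel.example"}},
    "ns1.intel.example": {"answer": {"www.intel.com": "192.0.2.10",
                                     "ftp.intel.com": "192.0.2.11"}},
}
TTL = 300  # seconds a cached answer stays valid


def query(server, name):
    """One iterative query: the server returns an answer, a referral, or NXDOMAIN."""
    zone = SERVERS[server]
    if name in zone.get("answer", {}):
        return "answer", zone["answer"][name]
    labels = name.split(".")
    for i in range(len(labels)):                 # most specific suffix first
        suffix = ".".join(labels[i:])
        if suffix in zone.get("referral", {}):
            return "referral", zone["referral"][suffix]
    return "nxdomain", None


class Resolver:
    """Recursive resolver: answers from cache while fresh, otherwise iterates."""

    def __init__(self, clock=time.time):
        self.cache = {}          # name -> (address, expiry time)
        self.clock = clock       # injectable so TTL expiry can be tested
        self.queries_sent = 0

    def resolve(self, name):
        now = self.clock()
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]
        server = "root"
        for _ in range(10):      # bound the referral chain (a real resolver does too)
            self.queries_sent += 1
            kind, payload = query(server, name)
            if kind == "answer":
                self.cache[name] = (payload, now + TTL)
                return payload
            if kind == "referral":
                server = payload
                continue
            return None          # failure message: no such name
        return None
```

Resolving `www.intel.com` costs three queries the first time (root, .com, intel.com) and none while the cached answer is inside its TTL; a name under an unknown top level domain fails at the root without touching the other tiers.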

THE FILES BEHIND THE MADNESS


Normally, a DNS server will use 4 different files to resolve names. These are the database file,
reverse lookup file, cache file and boot file. Each of these will be discussed in detail below.
THE DATABASE FILE - On NT this file is actually called yourzone.dns and it stores the zone's
DNS records. This is the file that secondary servers pull from the primary server (a zone
transfer) in order to update their databases. It contains several different entries. The first
thing seen in this file is the "Start of Authority" (SOA) record, which defines a zone's
parameters: the primary nameserver, the responsible person's mailbox, the serial number that
secondaries compare to decide whether to transfer, and the refresh, retry, expire and default
TTL timers. Next there should be one or more "Name Server" (NS) records listing the
nameservers that are authoritative for the zone. Next, the "Host" (A) records are static
mappings of host names to IP addresses and should list all of the hosts in a given zone.
Finally, "Canonical Name" (CNAME) records let one host name be an alias for another name, so
several names can end up pointing at the same address.

REVERSE LOOKUP FILE - This file allows for reverse DNS lookups (IP address to host name). It
does this by writing the IP address backwards under the special in-addr.arpa domain: for
example, 192.62.70.50 is looked up as 50.70.62.192.in-addr.arpa, and the "Pointer" (PTR)
record at that name gives the host name.

CACHE FILE - The cache.dns file is required as it contains the records of the root domain
servers (the root hints). The default file that is included with NT 4 contains all of the
root internet servers.

BOOT FILE - The boot file controls the start-up characteristics of a DNS server; its format
comes from the Berkeley Internet Name Domain (BIND) software.
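The record types above and the reversed-address trick are easy to get wrong by hand, so here is an added example (not the guide's or Microsoft's code) of a small in-memory zone: it stores SOA, NS, A, CNAME and PTR data, follows CNAME aliases when answering an A query (refusing alias loops), and builds the in-addr.arpa name a PTR record hangs off. The zone name, hosts and addresses are made up; names use the trailing-dot fully-qualified convention of a zone file.

```python
"""Minimal zone store with CNAME following and in-addr.arpa name construction.
Added example; the zone contents below are constructed."""
import ipaddress


def reverse_name(ip):
    """192.62.70.50 -> '50.70.62.192.in-addr.arpa' (the name a PTR record lives at)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


class Zone:
    def __init__(self, origin, soa):
        self.origin = origin
        self.soa = soa                  # (primary nameserver, responsible mailbox, serial)
        self.records = {}               # (name, type) -> list of values

    def add(self, name, rtype, value):
        self.records.setdefault((name, rtype), []).append(value)

    def lookup(self, name, rtype, depth=0):
        """Answer name/type, following CNAME aliases; depth bounds the chain so
        two CNAMEs pointing at each other cannot loop forever."""
        if depth > 8:
            raise ValueError("CNAME chain too long starting at %s" % name)
        if (name, rtype) in self.records:
            return self.records[(name, rtype)]
        aliases = self.records.get((name, "CNAME"), [])
        if aliases:
            return self.lookup(aliases[0], rtype, depth + 1)
        return []


def build_example_zone():
    """A constructed zone mirroring the database file layout described above."""
    z = Zone("intel.com.", ("ns1.intel.com.", "hostmaster.intel.com.", 2024010101))
    z.add("intel.com.", "NS", "ns1.intel.com.")
    z.add("ns1.intel.com.", "A", "192.0.2.1")
    z.add("www.intel.com.", "A", "192.0.2.10")
    z.add("ftp.intel.com.", "CNAME", "www.intel.com.")      # alias, not a second A
    # Reverse data really lives in a separate 2.0.192.in-addr.arpa zone; it is
    # kept in the same object here only to show the PTR name construction.
    z.add(reverse_name("192.0.2.10"), "PTR", "www.intel.com.")
    return z
```

An A query for `ftp.intel.com.` returns the address of `www.intel.com.` because the CNAME is followed; the reverse lookup for 192.0.2.10 goes through the PTR record at `10.2.0.192.in-addr.arpa`.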

FINAL THOUGHTS ON DNS


DNS can be configured to use WINS in such a way that if DNS can't resolve a request, it will
query the WINS server for the information. For this to work a WINS record must be added to the
forward lookup zone; the matching WINS-R (reverse lookup) record in the reverse lookup zone does
the same for address-to-name queries.
Back to contents
SNMP
BACKGROUND
No, it is not a venereal disease! SNMP (Simple Network Management Protocol) is a part of the
TCP/IP stack that allows for monitoring and status information on a network. SNMP can communicate
with other NT computers, routers, gateways, mainframes, LAN Manager servers, terminal servers
and wiring hubs. This service allows open files, ARP tables, IP addresses, disk space, etc. to be
monitored. In order to do this, 3 basic commands are used.
GET - This command requests a specific value.

GET-NEXT - Returns the next value in the MIB after the one named, and is used for navigation
(walking a table without knowing its entries in advance).

SET - Allows a value to be altered. Most values are read only and can't be changed.

An SNMP agent sends out reports of events (traps) to as many hosts as are configured to receive
them. 3rd party Management Information Bases (MIBs) can be used with the Microsoft SNMP service.
A MIB contains the information that the agent can report. It essentially defines the scope of
the types of requests that can be made.
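The three commands are easiest to understand against a small MIB. The following is an added example (not the guide's or Microsoft's code) of a toy agent: GET returns a value or "no such object", GET-NEXT returns the next instance in numeric OID order (which is what makes a walk possible, and why OIDs must be compared as numbers rather than strings), SET is refused on read-only objects, and `walk` chains GET-NEXT until it leaves the requested subtree. The OIDs are standard MIB-II system and interface objects; the values are constructed sample data.

```python
"""Toy SNMP agent: GET, GET-NEXT, SET and a walk over an in-memory MIB.
Added example; the values are constructed, the OIDs are MIB-II objects."""


def parse_oid(oid):
    """'.1.3.6.1' or '1.3.6.1' -> (1, 3, 6, 1). Tuples compare numerically,
    so 1.3.6.1.2.1.2.2.1.2.2 sorts before ...2.10, which a string sort gets wrong."""
    return tuple(int(p) for p in oid.strip(".").split("."))


def fmt_oid(parts):
    return ".".join(str(p) for p in parts)


class Agent:
    def __init__(self):
        # OID -> (value, writable). Constructed sample data.
        self.mib = {
            parse_oid("1.3.6.1.2.1.1.1.0"): ("Windows NT 4.0", False),    # sysDescr
            parse_oid("1.3.6.1.2.1.1.3.0"): (123456, False),              # sysUpTime
            parse_oid("1.3.6.1.2.1.1.5.0"): ("fileserver", True),         # sysName
            parse_oid("1.3.6.1.2.1.1.6.0"): ("server room", True),        # sysLocation
            parse_oid("1.3.6.1.2.1.2.2.1.2.2"): ("Ethernet 2", False),    # ifDescr.2
            parse_oid("1.3.6.1.2.1.2.2.1.2.10"): ("Ethernet 10", False),  # ifDescr.10
        }

    def get(self, oid):
        """GET: the value, or None for noSuchObject."""
        entry = self.mib.get(parse_oid(oid))
        return None if entry is None else entry[0]

    def get_next(self, oid):
        """GET-NEXT: (oid, value) of the first instance after `oid`, or None at end of MIB."""
        key = parse_oid(oid)
        for cand in sorted(self.mib):
            if cand > key:
                return fmt_oid(cand), self.mib[cand][0]
        return None

    def set(self, oid, value):
        """SET: returns the SNMP-style error status instead of raising."""
        key = parse_oid(oid)
        if key not in self.mib:
            return "noSuchName"
        if not self.mib[key][1]:
            return "readOnly"
        self.mib[key] = (value, True)
        return "noError"


def walk(agent, base):
    """The classic snmpwalk: repeat GET-NEXT until the answer leaves the base subtree."""
    out, oid = [], base
    while True:
        nxt = agent.get_next(oid)
        if nxt is None or not nxt[0].startswith(base + "."):
            break
        out.append(nxt)
        oid = nxt[0]
    return out
```

Note that in SNMPv1 and v2c the only thing standing between a SET and a writable object is the community string, which travels in cleartext, so a read-write community on a production agent is something to find and remove rather than rely on.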
Back to contents
TROUBLESHOOTING
TOOLS
The following is a guide to the tools and techniques for troubleshooting TCP/IP so that you don't go
completely mental and kill your co-workers. Although this is not the largest section of the study
guide, it is probably one of the more important, so pay attention! First, we will list the tools that NT
offers and a description of what they are for.
PING - Probably the most important. This verifies that TCP/IP is configured correctly and that a
connection can be made.

IPCONFIG - Allows you to view TCP/IP settings and configuration.

TRACERT - Enables you to view the route to a specified host. This will show how many hops the
packets have to travel and how long it takes.

ROUTE - View or change entries in the routing table.

ARP - View and add entries to the ARP cache.

NETSTAT - Display protocol information and connection status.

NBTSTAT - Check NETBIOS connections and update the LMHOSTS cache.

NSLOOKUP - Find all of the mistakes that you made when setting up a DNS server.

SNMP - Manage status information with computers running an SNMP service.

EVENT VIEWER - View service events and error messages.

PERFORMANCE MONITOR - Find out how well your network is performing and where the problems are.

NETWORK MONITOR - Basically a sniffer trace used to capture and analyze packets.
Back to contents
VERIFY YOUR COMMUNICATION
Billy Gates INC recommends that you troubleshoot networking problems from the bottom layer and
move toward the top. The first step is always to ping whatever it is you can't connect to. Next,
attempt to establish a session of some sort. Now I will show you why the ping utility is so
important. For communication problems, if you follow a logical order, you can narrow down the
trouble spot as shown below.
1. Ping 127.0.0.1 - This is the loopback address and verifies that TCP/IP is installed and
working on the computer you are pinging from. Loopback traffic never leaves the stack, so this
says nothing about the network adapter or the cable.
2. Ping own IP address - Verifies that a valid IP address was entered for this computer and is
bound to the adapter.
3. Ping default gateway - Typically this is the near side of a router. If you can ping this
address, then you should be able to ping other hosts on your same subnet.
4. Ping far side of router - This verifies that the routing table is correct and that the
router forwards your packets.
5. Ping remote host - If this works then there is valid IP communication end to end.
6. Ping host names - If all of the above work, try each again using the host name instead of
the IP address. A failure here points at name resolution, not at IP.
Once this is completed, attempt to establish a session by using the following methods:
1. See if a session can be established using the Net View or Net Use commands
2. Try a Telnet or FTP session.
If the above are unsuccessful, check the following:
Double check that the target host is using NetBIOS.
Make sure that the source and target hosts' scope IDs match.
Make sure that you are using the correct NetBIOS name.
If it is a remote host, check your WINS database or LMHOSTS file to make sure that the
name to address mappings are configured properly.
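The ping ladder is mechanical enough to script, and scripting it makes the "stop at the first rung that fails" discipline explicit. The following is an added example, not from the study guide: it walks the six stages in order with a pluggable probe (the default shells out to the system ping, with the Linux and Windows flag difference handled), reports the first failing stage together with what that stage implicates, and offers a TCP connect probe for the "establish a session" step. The addresses in the usage are invented, and the test injects a fake probe so nothing touches a real network.

```python
"""Bottom-up connectivity ladder. Added example; default probe uses the OS ping binary,
and the sample addresses are invented."""
import platform
import socket
import subprocess


def ping(host, timeout_s=1):
    """True if one ICMP echo request gets a reply; False on no reply or no ping binary."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 2)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_session(host, port, timeout_s=2):
    """The 'establish a session' step: can a TCP handshake complete (e.g. port 21 or 23)?"""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


# What a failure at each rung implicates, following the section above.
DIAGNOSIS = {
    "loopback": "TCP/IP is not installed or initialised on this machine",
    "own address": "the IP address is invalid or not bound to the adapter",
    "default gateway": "local subnet problem: cable, adapter, subnet mask or gateway address",
    "far side of router": "routing table or router configuration",
    "remote host by IP": "remote host down, or a route/filter beyond the first router",
    "remote host by name": "IP works; the fault is name resolution (hosts, DNS, WINS)",
}


def ladder(own_ip, gateway, far_side, remote_ip, remote_name, probe=ping):
    """Walk the ping sequence in order. Returns (stages passed, failed stage or None,
    diagnosis or None). Stops at the first failure because later rungs are meaningless."""
    stages = [
        ("loopback", "127.0.0.1"),
        ("own address", own_ip),
        ("default gateway", gateway),
        ("far side of router", far_side),
        ("remote host by IP", remote_ip),
        ("remote host by name", remote_name),
    ]
    passed = []
    for label, target in stages:
        if not probe(target):
            return passed, label, DIAGNOSIS[label]
        passed.append(label)
    return passed, None, None


if __name__ == "__main__":
    # Invented addresses; replace with your own before running for real.
    print(ladder("192.0.2.5", "192.0.2.1", "198.51.100.1", "198.51.100.20", "fileserver"))
```

Because `probe` is injectable, the same function can be driven from a packet capture or a test fixture; with the real `ping` it needs the usual privileges the OS ping binary needs.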

IP Address Tables By NCAT

Listed below are the IP address tables for Class A, Class B and Class C. Each table presents:

The maximum number of subnets for a given mask

The maximum number of hosts for a given mask

The first and second subnet information, as follows:
o The subnet number, which is used for routing (this is the number displayed in routing tables)
o The valid IP address ranges for the subnets
o The IP subnet broadcast address

Please note, the information on the first and last subnets has not been displayed as some hosts
are unable to use these subnets; see RFC 1519 or 1812 for more information.

No liability is taken for the correctness of the information supplied on this page or any other
page.

Class A IP Address Table

Subnet bits | Subnet mask | Mask in hex | No. of subnets | No. of hosts | Max no. of hosts (nets * hosts) | 1st subnet addr (used for routing) | 1st subnet addr range | 1st subnet b'cast | 2nd subnet addr (used for routing) | 2nd subnet addr range | 2nd subnet b'cast
2 | 255.192.0.0 | FF.C0.0.0 | 2 | 4194302 | 8388604 | X.64.0.0 | X.64.0.1 to X.127.255.254 | X.127.255.255 | X.128.0.0 | X.128.0.1 to X.191.255.254 | X.191.255.255
3 | 255.224.0.0 | FF.E0.0.0 | 6 | 2097150 | 12582900 | X.32.0.0 | X.32.0.1 to X.63.255.254 | X.63.255.255 | X.64.0.0 | X.64.0.1 to X.95.255.254 | X.95.255.255
4 | 255.240.0.0 | FF.F0.0.0 | 14 | 1048574 | 14680036 | X.16.0.0 | X.16.0.1 to X.31.255.254 | X.31.255.255 | X.32.0.0 | X.32.0.1 to X.47.255.254 | X.47.255.255
5 | 255.248.0.0 | FF.F8.0.0 | 30 | 524286 | 15728580 | X.8.0.0 | X.8.0.1 to X.15.255.254 | X.15.255.255 | X.16.0.0 | X.16.0.1 to X.23.255.254 | X.23.255.255
6 | 255.252.0.0 | FF.FC.0.0 | 62 | 262142 | 16252804 | X.4.0.0 | X.4.0.1 to X.7.255.254 | X.7.255.255 | X.8.0.0 | X.8.0.1 to X.11.255.254 | X.11.255.255
7 | 255.254.0.0 | FF.FE.0.0 | 126 | 131070 | 16514820 | X.2.0.0 | X.2.0.1 to X.3.255.254 | X.3.255.255 | X.4.0.0 | X.4.0.1 to X.5.255.254 | X.5.255.255
8 | 255.255.0.0 | FF.FF.0.0 | 254 | 65534 | 16645636 | X.1.0.0 | X.1.0.1 to X.1.255.254 | X.1.255.255 | X.2.0.0 | X.2.0.1 to X.2.255.254 | X.2.255.255
9 | 255.255.128.0 | FF.FF.80.0 | 510 | 32766 | 16710660 | X.0.128.0 | X.0.128.1 to X.0.255.254 | X.0.255.255 | X.1.0.0 | X.1.0.1 to X.1.127.254 | X.1.127.255
10 | 255.255.192.0 | FF.FF.C0.0 | 1022 | 16382 | 16742404 | X.0.64.0 | X.0.64.1 to X.0.127.254 | X.0.127.255 | X.0.128.0 | X.0.128.1 to X.0.191.254 | X.0.191.255
11 | 255.255.224.0 | FF.FF.E0.0 | 2046 | 8190 | 16756740 | X.0.32.0 | X.0.32.1 to X.0.63.254 | X.0.63.255 | X.0.64.0 | X.0.64.1 to X.0.95.254 | X.0.95.255
12 | 255.255.240.0 | FF.FF.F0.0 | 4094 | 4094 | 16760836 | X.0.16.0 | X.0.16.1 to X.0.31.254 | X.0.31.255 | X.0.32.0 | X.0.32.1 to X.0.47.254 | X.0.47.255
13 | 255.255.248.0 | FF.FF.F8.0 | 8190 | 2046 | 16756740 | X.0.8.0 | X.0.8.1 to X.0.15.254 | X.0.15.255 | X.0.16.0 | X.0.16.1 to X.0.23.254 | X.0.23.255
14 | 255.255.252.0 | FF.FF.FC.0 | 16382 | 1022 | 16742404 | X.0.4.0 | X.0.4.1 to X.0.7.254 | X.0.7.255 | X.0.8.0 | X.0.8.1 to X.0.11.254 | X.0.11.255
15 | 255.255.254.0 | FF.FF.FE.0 | 32766 | 510 | 16710660 | X.0.2.0 | X.0.2.1 to X.0.3.254 | X.0.3.255 | X.0.4.0 | X.0.4.1 to X.0.5.254 | X.0.5.255
16 | 255.255.255.0 | FF.FF.FF.0 | 65534 | 254 | 16645636 | X.0.1.0 | X.0.1.1 to X.0.1.254 | X.0.1.255 | X.0.2.0 | X.0.2.1 to X.0.2.254 | X.0.2.255
17 | 255.255.255.128 | FF.FF.FF.80 | 131070 | 126 | 16514820 | X.0.0.128 | X.0.0.129 to X.0.0.254 | X.0.0.255 | X.0.1.0 | X.0.1.1 to X.0.1.126 | X.0.1.127
18 | 255.255.255.192 | FF.FF.FF.C0 | 262142 | 62 | 16252804 | X.0.0.64 | X.0.0.65 to X.0.0.126 | X.0.0.127 | X.0.0.128 | X.0.0.129 to X.0.0.190 | X.0.0.191
19 | 255.255.255.224 | FF.FF.FF.E0 | 524286 | 30 | 15728580 | X.0.0.32 | X.0.0.33 to X.0.0.62 | X.0.0.63 | X.0.0.64 | X.0.0.65 to X.0.0.94 | X.0.0.95
20 | 255.255.255.240 | FF.FF.FF.F0 | 1048574 | 14 | 14680036 | X.0.0.16 | X.0.0.17 to X.0.0.30 | X.0.0.31 | X.0.0.32 | X.0.0.33 to X.0.0.46 | X.0.0.47
21 | 255.255.255.248 | FF.FF.FF.F8 | 2097150 | 6 | 12582900 | X.0.0.8 | X.0.0.9 to X.0.0.14 | X.0.0.15 | X.0.0.16 | X.0.0.17 to X.0.0.22 | X.0.0.23
22 | 255.255.255.252 | FF.FF.FF.FC | 4194302 | 2 | 8388604 | X.0.0.4 | X.0.0.5 to X.0.0.6 | X.0.0.7 | X.0.0.8 | X.0.0.9 to X.0.0.10 | X.0.0.11

Class B IP Address Table

Subnet bits | Subnet mask | Mask in hex | No. of subnets | No. of hosts | Max no. of hosts (nets * hosts) | 1st subnet addr (used for routing) | 1st subnet addr range | 1st subnet b'cast | 2nd subnet addr (used for routing) | 2nd subnet addr range | 2nd subnet b'cast
2 | 255.255.192.0 | FF.FF.C0.0 | 2 | 16382 | 32764 | X.Y.64.0 | X.Y.64.1 to X.Y.127.254 | X.Y.127.255 | X.Y.128.0 | X.Y.128.1 to X.Y.191.254 | X.Y.191.255
3 | 255.255.224.0 | FF.FF.E0.0 | 6 | 8190 | 49140 | X.Y.32.0 | X.Y.32.1 to X.Y.63.254 | X.Y.63.255 | X.Y.64.0 | X.Y.64.1 to X.Y.95.254 | X.Y.95.255
4 | 255.255.240.0 | FF.FF.F0.0 | 14 | 4094 | 57316 | X.Y.16.0 | X.Y.16.1 to X.Y.31.254 | X.Y.31.255 | X.Y.32.0 | X.Y.32.1 to X.Y.47.254 | X.Y.47.255
5 | 255.255.248.0 | FF.FF.F8.0 | 30 | 2046 | 61380 | X.Y.8.0 | X.Y.8.1 to X.Y.15.254 | X.Y.15.255 | X.Y.16.0 | X.Y.16.1 to X.Y.23.254 | X.Y.23.255
6 | 255.255.252.0 | FF.FF.FC.0 | 62 | 1022 | 63364 | X.Y.4.0 | X.Y.4.1 to X.Y.7.254 | X.Y.7.255 | X.Y.8.0 | X.Y.8.1 to X.Y.11.254 | X.Y.11.255
7 | 255.255.254.0 | FF.FF.FE.0 | 126 | 510 | 64260 | X.Y.2.0 | X.Y.2.1 to X.Y.3.254 | X.Y.3.255 | X.Y.4.0 | X.Y.4.1 to X.Y.5.254 | X.Y.5.255
8 | 255.255.255.0 | FF.FF.FF.0 | 254 | 254 | 64516 | X.Y.1.0 | X.Y.1.1 to X.Y.1.254 | X.Y.1.255 | X.Y.2.0 | X.Y.2.1 to X.Y.2.254 | X.Y.2.255
9 | 255.255.255.128 | FF.FF.FF.80 | 510 | 126 | 64260 | X.Y.0.128 | X.Y.0.129 to X.Y.0.254 | X.Y.0.255 | X.Y.1.0 | X.Y.1.1 to X.Y.1.126 | X.Y.1.127
10 | 255.255.255.192 | FF.FF.FF.C0 | 1022 | 62 | 63364 | X.Y.0.64 | X.Y.0.65 to X.Y.0.126 | X.Y.0.127 | X.Y.0.128 | X.Y.0.129 to X.Y.0.190 | X.Y.0.191
11 | 255.255.255.224 | FF.FF.FF.E0 | 2046 | 30 | 61380 | X.Y.0.32 | X.Y.0.33 to X.Y.0.62 | X.Y.0.63 | X.Y.0.64 | X.Y.0.65 to X.Y.0.94 | X.Y.0.95
12 | 255.255.255.240 | FF.FF.FF.F0 | 4094 | 14 | 57316 | X.Y.0.16 | X.Y.0.17 to X.Y.0.30 | X.Y.0.31 | X.Y.0.32 | X.Y.0.33 to X.Y.0.46 | X.Y.0.47
13 | 255.255.255.248 | FF.FF.FF.F8 | 8190 | 6 | 49140 | X.Y.0.8 | X.Y.0.9 to X.Y.0.14 | X.Y.0.15 | X.Y.0.16 | X.Y.0.17 to X.Y.0.22 | X.Y.0.23
14 | 255.255.255.252 | FF.FF.FF.FC | 16382 | 2 | 32764 | X.Y.0.4 | X.Y.0.5 to X.Y.0.6 | X.Y.0.7 | X.Y.0.8 | X.Y.0.9 to X.Y.0.10 | X.Y.0.11

Class C IP Address Table

Subnet bits | Subnet mask | Mask in hex | No. of subnets | No. of hosts | Max no. of hosts (nets * hosts) | 1st subnet addr (used for routing) | 1st subnet addr range | 1st subnet b'cast | 2nd subnet addr (used for routing) | 2nd subnet addr range | 2nd subnet b'cast
2 | 255.255.255.192 | FF.FF.FF.C0 | 2 | 62 | 124 | X.Y.Z.64 | X.Y.Z.65 to X.Y.Z.126 | X.Y.Z.127 | X.Y.Z.128 | X.Y.Z.129 to X.Y.Z.190 | X.Y.Z.191
3 | 255.255.255.224 | FF.FF.FF.E0 | 6 | 30 | 180 | X.Y.Z.32 | X.Y.Z.33 to X.Y.Z.62 | X.Y.Z.63 | X.Y.Z.64 | X.Y.Z.65 to X.Y.Z.94 | X.Y.Z.95
4 | 255.255.255.240 | FF.FF.FF.F0 | 14 | 14 | 196 | X.Y.Z.16 | X.Y.Z.17 to X.Y.Z.30 | X.Y.Z.31 | X.Y.Z.32 | X.Y.Z.33 to X.Y.Z.46 | X.Y.Z.47
5 | 255.255.255.248 | FF.FF.FF.F8 | 30 | 6 | 180 | X.Y.Z.8 | X.Y.Z.9 to X.Y.Z.14 | X.Y.Z.15 | X.Y.Z.16 | X.Y.Z.17 to X.Y.Z.22 | X.Y.Z.23
6 | 255.255.255.252 | FF.FF.FF.FC | 62 | 2 | 124 | X.Y.Z.4 | X.Y.Z.5 to X.Y.Z.6 | X.Y.Z.7 | X.Y.Z.8 | X.Y.Z.9 to X.Y.Z.10 | X.Y.Z.11
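Every row in the three tables follows from the class prefix and the number of subnet bits, so rather than reading them off, here is an added example (not part of the NCAT tables or the study guide) that generates any row with Python's `ipaddress` module. It keeps the tables' convention of skipping the all-zeros subnet and reporting the two subnets after it, and it generalizes to any classful base: the documentation networks used below stand in for the X, X.Y and X.Y.Z placeholders.

```python
"""Generate Class A/B/C subnet table rows for any subnet-bit count.
Added example; base networks are documentation ranges standing in for X/X.Y/X.Y.Z."""
import ipaddress
from itertools import islice

CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def subnet_row(class_letter, subnet_bits, base):
    """One table row: mask, hex mask, usable subnet/host counts and the first
    two usable subnets (network, first host, last host, broadcast)."""
    classful = CLASS_PREFIX[class_letter]
    prefix = classful + subnet_bits
    host_bits = 32 - prefix
    if subnet_bits < 2 or host_bits < 2:
        raise ValueError("need at least 2 subnet bits and 2 host bits")
    net = ipaddress.ip_network(f"{base}/{classful}", strict=False)
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    hex_mask = ".".join(f"{int(o):X}" for o in str(mask).split("."))
    subnets = 2 ** subnet_bits - 2        # all-zeros and all-ones subnets excluded
    hosts = 2 ** host_bits - 2            # network and broadcast addresses excluded
    # subnets() is a generator, so islice avoids materialising millions of /30s
    # for a Class A with 22 subnet bits; index 0 is the skipped all-zeros subnet.
    first, second = islice(net.subnets(prefixlen_diff=subnet_bits), 1, 3)

    def describe(s):
        return (str(s.network_address), str(s.network_address + 1),
                str(s.broadcast_address - 1), str(s.broadcast_address))

    return {"bits": subnet_bits, "mask": str(mask), "hex": hex_mask,
            "subnets": subnets, "hosts": hosts, "max_hosts": subnets * hosts,
            "first": describe(first), "second": describe(second)}


def subnet_table(class_letter, base):
    """All rows for a class: from 2 subnet bits up to the mask that leaves 2 host bits."""
    classful = CLASS_PREFIX[class_letter]
    return [subnet_row(class_letter, n, base) for n in range(2, 32 - classful - 1)]


if __name__ == "__main__":
    for row in subnet_table("C", "192.0.2.0"):
        print(row["bits"], row["mask"], row["hex"], row["subnets"], row["hosts"],
              row["max_hosts"], row["first"], row["second"])
```

The "minus 2" on the subnet count is the classful rule the tables note above (some hosts cannot use the first and last subnets); a router that supports CIDR uses those subnets as well, which is the only place the generated numbers and a modern address plan part ways.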

The 5-4-3-2-1 rule of computer network design



Answer:
The 5-4-3-2-1 rule embodies a simple recipe for network design. It may not be easy to find
examples in practice, but this rule neatly ties together several important elements of design
theory.
To understand this rule, it's first necessary to understand the concepts of collision domains
and propagation delay. Collision domains are portions of a network. When a network packet is
transmitted over Ethernet, for example, it is possible for another packet from a different
source to be transmitted close enough in time to the first packet to cause a collision on the
wire. The total range over which a packet can travel and potentially collide with another is
its collision domain.
Propagation delays are a property of the physical medium (e.g., Ethernet). Propagation delays
help determine how much of a time difference between the sending of two packets on a
collision domain is "close enough" to actually cause a collision. The greater the propagation
delay, the greater the likelihood of collisions.
The 5-4-3-2-1 rule limits the range of a collision domain by limiting the propagation delay to
a "reasonable" amount of time. The rule breaks down as follows:
5 - the maximum number of network segments between any two stations
4 - the maximum number of repeaters needed to join those segments into one collision domain
3 - the maximum number of those segments that have active (transmitting) devices attached
2 - the number of segments that do not have active devices attached (link segments only)
1 - the number of collision domains
Because the last two elements of the recipe follow naturally from the others, this rule is
sometimes also known as the "5-4-3" rule for short.
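The rule is stated per path: any two stations in the collision domain must have at most 5 segments, 4 repeaters and 3 populated segments between them. That makes it something a script can check against a planned layout before the cable is pulled. The following is an added example, not part of the FAQ: it models segments and repeaters as a loop-free graph, finds the path between every pair of segments, and reports whether the worst path stays inside 5-4-3. The topologies in the test are constructed.

```python
"""Check a repeater/segment layout against the 5-4-3 rule.
Added example; sample topologies are constructed."""
from collections import deque


class Topology:
    def __init__(self):
        self.kind = {}          # node -> "segment" or "repeater"
        self.populated = set()  # segments with transmitting stations attached
        self.adj = {}           # undirected adjacency

    def segment(self, name, populated):
        self.kind[name] = "segment"
        self.adj.setdefault(name, [])
        if populated:
            self.populated.add(name)

    def repeater(self, name, *segments):
        """A repeater joins the given segments into one collision domain."""
        self.kind[name] = "repeater"
        self.adj.setdefault(name, [])
        for s in segments:
            self.adj[name].append(s)
            self.adj.setdefault(s, []).append(name)

    def path(self, a, b):
        """BFS path from a to b. Repeater layouts must be loop-free, so it is unique."""
        prev = {a: None}
        queue = deque([a])
        while queue:
            n = queue.popleft()
            if n == b:
                break
            for m in self.adj[n]:
                if m not in prev:
                    prev[m] = n
                    queue.append(m)
        if b not in prev:
            return None                     # separate collision domains
        out = []
        while b is not None:
            out.append(b)
            b = prev[b]
        return out[::-1]


def check_5_4_3(topo):
    """Return (ok, worst) where worst is (segments, repeaters, populated) on the
    path between the two segments that are furthest apart."""
    segs = [n for n, k in topo.kind.items() if k == "segment"]
    ok, worst = True, (0, 0, 0)
    for i, a in enumerate(segs):
        for b in segs[i + 1:]:
            p = topo.path(a, b)
            if p is None:
                continue
            s = sum(1 for n in p if topo.kind[n] == "segment")
            r = sum(1 for n in p if topo.kind[n] == "repeater")
            pop = sum(1 for n in p if n in topo.populated)
            if s > 5 or r > 4 or pop > 3:
                ok = False
            worst = max(worst, (s, r, pop))
    return ok, worst
```

A straight chain of five segments joined by four repeaters with stations on the first, middle and last segments is exactly at the limit; adding a sixth segment, or putting stations on a fourth segment of that chain, breaks it.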

What tools/sniffers can I use to monitor my network?



Answer:
Depending on your operating system, the following is an incomplete list of available tools:

tcpdump: Found out-of-the-box on most BSD variants, and also available separately from
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z along with libpcap (see below) and various other tools.
This tool, in particular, has been ported to multiple platforms thanks to libpcap.
ipgrab: Compatible with many systems. ipgrab displays link level, transport level, and network
level information on captured packets verbosely. http://www.xnet.com/~cathmike/MSB/Software/
Ethereal (GUI): A network packet analyzer (uses GTK+). Supports many systems. Available at:
http://ethereal.zing.org/
tcptrace: http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html Not an actual sniffer, but
can read the logs produced by many other well known sniffers to produce output in different
formats and in adjustable detail (includes diagnostics).
tcpflow: http://www.circlemud.org/~jelson/software/tcpflow/ tcpflow is a program that captures
data transmitted as part of TCP connections (flows), and stores the data in a way that is
convenient for protocol analysis or debugging.
snoop: Solaris, IRIX.
etherfind: SunOS.
Packetman: SunOS, DEC-MIPS, SGI, DEC-Alpha, and Solaris. Available at
ftp://ftp.cs.curtin.edu.au:/pub/netman/
nettl/ntfmt: HP/UX
