Published: November 02, 2004 | Updated: April 16, 2007
Writer: Joe Davies
This chapter introduces Transmission Control Protocol/Internet Protocol (TCP/IP), both as an industry standard protocol suite and as it is supported in the Microsoft® Windows Server™ 2003 and Windows® XP operating systems. For the TCP/IP protocol suite, network administrators must understand its past, the current standards process, and the common terms used to describe network devices and portions of a network. For the TCP/IP components in Windows Server 2003 and Windows XP, network administrators must understand the installation and configuration differences of the Internet Protocol version 4 (IPv4)-based and Internet Protocol version 6 (IPv6)-based components and the primary tools for troubleshooting.
For a download of the entire "TCP/IP Fundamentals for Microsoft Windows" online book, which contains a version of this chapter that has been updated for Windows Vista and Windows Server 2008, click here.
After completing this chapter, you will be able to:
Describe the purpose and history of the TCP/IP protocol suite.
Describe the Internet standards process and the purpose of a Request for Comments (RFC) document.
Define common terms used in TCP/IP.
Describe the advantages of TCP/IP components in Windows Server 2003 and Windows XP.
Describe how to configure the IPv4-based TCP/IP component in Windows.
Describe how to install and configure the IPv6-based TCP/IP component in Windows.
List and define the set of name resolution files and diagnostic tools used by the TCP/IP components in Windows.
Test the TCP/IP components of Windows with the Ipconfig and Ping tools.
Install and use Network Monitor.
History of TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry standard suite of protocols that is designed for large networks consisting of network segments that are connected by routers. TCP/IP is the protocol that is used on the Internet, which is the collection of thousands of networks worldwide that connect research facilities, universities, libraries, government agencies, private companies, and individuals.
The roots of TCP/IP can be traced back to research conducted by the United States Department of Defense (DoD) Advanced Research Projects Agency (DARPA) in the late 1960s and early 1970s. The following list highlights some important TCP/IP milestones:
In 1970, ARPANET hosts started to use Network Control Protocol (NCP), a preliminary form of what would become the Transmission Control Protocol (TCP).
In 1972, the Telnet protocol was introduced. Telnet is used for terminal emulation to connect dissimilar systems. In the early 1970s, these systems were different types of mainframe computers.
In 1973, the File Transfer Protocol (FTP) was introduced. FTP is used to exchange files between dissimilar systems.
In 1974, the Transmission Control Protocol (TCP) was specified in detail. TCP replaced NCP and provided enhanced reliable communication services.
In 1981, the Internet Protocol (IP) (also known as IP version 4 [IPv4]) was specified in detail. IP provides addressing and routing functions for end-to-end delivery.
In 1982, the Defense Communications Agency (DCA) and ARPA established the Transmission Control Protocol (TCP) and Internet Protocol (IP) as the TCP/IP protocol suite.
In 1983, ARPANET switched from NCP to TCP/IP.
In 1984, the Domain Name System (DNS) was introduced. DNS resolves domain names (such as www.example.com) to IP addresses (such as 192.168.5.18).
In 1995, Internet service providers (ISPs) began to offer Internet access to businesses and individuals.
In 1996, HTTP/1.0, the first version of the Hypertext Transfer Protocol (HTTP) to be published as an RFC (RFC 1945), was specified. The World Wide Web uses HTTP.
In 1996, the first set of IP version 6 (IPv6) standards were published.
For more information about these protocols and the layers of the TCP/IP protocol architecture, see Chapter 2, "Architectural Overview of the TCP/IP Protocol Suite."
With the refinement of the IPv6 standards and their growing acceptance, the chapters of this online book make the following definitions:
TCP/IP is the entire suite of protocols defined for use on private networks and the Internet. TCP/IP includes both the IPv4 and IPv6 sets of protocols.
IPv4 is the Internet layer of the TCP/IP protocol suite originally defined for use on the Internet. IPv4 is in widespread use today.
IPv6 is the Internet layer of the TCP/IP protocol suite that has been recently developed. IPv6 is gaining acceptance today.
IP is the term used to describe features or attributes that apply to both IPv4 and IPv6. For example, an IP address is either an IPv4 address or an IPv6 address.
Note Because the term IP indicates IPv4 in most of the TCP/IP implementations today, the term IP will be used for IPv4 in some instances. These references will be made clear in the context of the discussion. When possible, the chapters of this online book will use the term IP (IPv4).
The Internet Standards Process
Because TCP/IP is the protocol of the Internet, it has evolved based on fundamental standards that have been created and adopted over more than 30 years. The future of TCP/IP is closely associated with the advances and administration of the Internet as additional standards continue to be developed. Although no one organization owns the Internet or its technologies, several organizations oversee and manage these new standards, such as the Internet Society and the Internet Architecture Board.
The Internet Society (ISOC) was created in 1992 and is a global organization responsible for the internetworking technologies and applications of the Internet. Although the society’s principal purpose is to encourage the development and availability of the Internet, it is also responsible for the further development of the standards and protocols that allow the Internet to function.
The ISOC sponsors the Internet Architecture Board (IAB), a technical advisory group that sets Internet standards, publishes RFCs, and oversees the Internet standards process. The IAB governs the following bodies:
The Internet Assigned Numbers Authority (IANA) oversees and coordinates the assignment of protocol identifiers used on the Internet.
The Internet Research Task Force (IRTF) coordinates all TCP/IP-related research projects.
The Internet Engineering Task Force (IETF) solves technical problems and needs as they arise on the Internet and develops Internet standards and protocols. IETF working groups define standards known as RFCs.
Requests for Comments (RFCs)
The standards for TCP/IP are published in a series of documents called Requests for Comments (RFCs). RFCs describe the internal workings of the Internet. TCP/IP standards are always published as RFCs, although not all RFCs specify standards. Some RFCs provide informational, experimental, or historical information only.
An RFC begins as an Internet draft, which is typically developed by one or more authors in an IETF working group. An IETF working group is a group of individuals that has a specific charter for an area of technology in the TCP/IP protocol suite. For example, the IPv6 working group devotes its efforts to furthering the standards of IPv6. After a period of review and a consensus of acceptance, the IETF publishes the final version of the Internet draft as an RFC and assigns it an RFC number.
RFCs also receive one of five requirement levels, as listed in Table 1-1.

    Required         Must be implemented on all TCP/IP-based hosts and gateways.
    Recommended      Encouraged that all TCP/IP-based hosts and gateways implement the RFC specifications. Recommended RFCs are usually implemented.
    Elective         Implementation is optional. Its application has been agreed to but never widely used.
    Limited use      Not intended for general use.
    Not recommended  Not recommended for implementation.

Table 1-1 Requirement Levels of RFCs
If an RFC is being considered as a standard, it goes through stages of development, testing, and acceptance. Within the Internet standards process, these stages are formally known as maturity levels.
Internet standards have one of three maturity levels, as listed in Table 1-2. Maturity levels are determined by the RFC's IETF working group and are independent of requirement levels.
A Proposed Standard specification is generally stable, has resolved known design choices, is believed to be well understood, has received significant community review, and appears to enjoy enough community interest to be considered valuable.
A Draft Standard specification must be well understood and known to be quite stable, both in its semantics and as a basis for developing an implementation.
An Internet Standard specification (which may simply be referred to as a Standard) is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community.
Table 1-2 Maturity Levels of Internet Standards
If an RFC-based standard must change, the IETF publishes a new Internet draft and, after a period of review, a new RFC with a new number. The original RFC is never updated. Therefore, you should verify that you have the most recent RFC on a particular topic or standard. The RFC index and the header of each RFC record whether that RFC has been obsoleted or updated by a later RFC, so check those entries before relying on an RFC's technical details. For example, we reference RFCs throughout the chapters of this online book. If you decide to look up the technical details of an Internet standard in its RFC, make sure that you have the latest RFC that describes the standard.
You can obtain RFCs from http://www.ietf.org/rfc.html.
TCP/IP Terminology
The Internet standards use a specific set of terms when referring to network elements and concepts related to TCP/IP networking. These terms provide a foundation for subsequent chapters. Figure 1-1 illustrates the components of an IP network.
Figure 1-1 Elements of an IP network
Common terms and concepts in TCP/IP are defined as follows:
Node Any device, including routers and hosts, which runs an implementation of IP.
Router A node that can forward IP packets not explicitly addressed to itself. On an IPv6 network, a router also typically advertises its presence and host configuration information.
Host A node that cannot forward IP packets not explicitly addressed to itself (a non-router). A host is typically the source and the destination of IP traffic. A host silently discards traffic that it receives but that is not explicitly addressed to itself.
Upper-layer protocol A protocol above IP that uses IP directly as its transport. Examples include Internet layer protocols such as the Internet Control Message Protocol (ICMP) and Transport layer protocols such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Application layer protocols such as the File Transfer Protocol (FTP) and the Domain Name System (DNS), which use TCP or UDP rather than IP as their transport, are not considered upper-layer protocols in this sense. For details of the layers of the TCP/IP protocol suite, see Chapter 2, "Architectural Overview of the TCP/IP Protocol Suite."
LAN segment A portion of a subnet consisting of a single medium that is bounded by bridges or Layer 2 switches.
Subnet One or more LAN segments that are bounded by routers and use the same IP address prefix. Other terms for subnet are network segment and link.
Network Two or more subnets connected by routers. Another term for network is internetwork.
Neighbor A node connected to the same subnet as another node.
Interface The representation of a physical or logical attachment of a node to a subnet. An example of a physical interface is a network adapter. An example of a logical interface is a tunnel interface that is used to send IPv6 packets across an IPv4 network.
Address An identifier that can be used as the source or destination of IP packets and that is assigned at the Internet layer to an interface or set of interfaces.
Packet The protocol data unit (PDU) that exists at the Internet layer and comprises an IP header and payload.
TCP/IP Components in Windows
Table 1-3 pairs each advantage of the TCP/IP protocol suite with the corresponding advantage of including TCP/IP components in Windows.

Advantage of the TCP/IP protocol suite: A standard, routable enterprise networking protocol that is the most complete and accepted protocol available. All modern operating systems support TCP/IP, and most large private networks rely on TCP/IP for much of their traffic.
Advantage of TCP/IP components in Windows: TCP/IP components in Windows enable enterprise networking and connectivity for Windows and non-Windows–based computers.

Advantage of the TCP/IP protocol suite: A technology for connecting dissimilar systems. Many TCP/IP application protocols were designed to access and transfer data between dissimilar systems. These protocols include HTTP, FTP, and Telnet.
Advantage of TCP/IP components in Windows: TCP/IP components in Windows allow standards-based connectivity to other operating system platforms.

Advantage of the TCP/IP protocol suite: A robust, scalable, cross-platform client/server framework.
Advantage of TCP/IP components in Windows: TCP/IP components in Windows support the Windows Sockets application programming interface, which developers use to create client/server applications.

Advantage of the TCP/IP protocol suite: A method of gaining access to the Internet.
Advantage of TCP/IP components in Windows: Windows-based computers are Internet-ready.

Table 1-3 Advantages of the TCP/IP protocol suite and TCP/IP components in Windows
Windows includes both an IPv4-based and an IPv6-based TCP/IP component.
Configuring the IPv4-based TCP/IP Component in Windows
The IPv4-based TCP/IP component in Windows Server 2003 and Windows XP is installed by default and appears as the Internet Protocol (TCP/IP) component in the Network Connections folder. Unlike in previous versions of Windows, you cannot uninstall the Internet Protocol (TCP/IP) component. However, you can restore its default configuration by using the netsh interface ip reset command, which takes the name of a log file to write (for example, netsh interface ip reset resetlog.txt). The reset rewrites the TCP/IP registry keys to their installation defaults, so any static addresses, DNS server settings, and other manual settings are lost and must be entered again. For more information about Netsh commands, see Windows Server 2003 or Windows XP Help and Support.
The Internet Protocol (TCP/IP) component can be configured to obtain its configuration automatically or from manually specified settings. By default, this component is configured to obtain an address configuration automatically. Figure 1-2 shows the General tab of the Internet Protocol (TCP/IP) Properties dialog box.
Figure 1-2 The General tab of the properties dialog box for the Internet Protocol (TCP/IP) component
If you specify automatic configuration, the Internet Protocol (TCP/IP) component attempts to locate a Dynamic Host Configuration Protocol (DHCP) server and obtain a configuration when Windows starts. Many TCP/IP networks use DHCP servers that are configured to allocate TCP/IP configuration information to clients on the network. For more information about DHCP, see Chapter 6, "Dynamic Host Configuration Protocol."
If the Internet Protocol (TCP/IP) component fails to locate a DHCP server, TCP/IP checks the setting on the Alternate Configuration tab. Figure 1-3 shows this tab.
Figure 1-3 The Alternate Configuration tab of the Internet Protocol (TCP/IP) component
This tab contains two options:
Automatic Private IP Address If you choose this option, Automatic Private IP Addressing (APIPA) is used. The Internet Protocol (TCP/IP) component automatically chooses an IPv4 address from the range 169.254.0.1 to 169.254.255.254, using the subnet mask of 255.255.0.0. The DHCP client ensures, by sending ARP requests for the candidate address, that the IPv4 address that the Internet Protocol (TCP/IP) component has chosen is not already in use. If the address is in use, the Internet Protocol (TCP/IP) component chooses another IPv4 address and repeats this process for up to 10 addresses. When the Internet Protocol (TCP/IP) component has chosen an address that the DHCP client has verified as not in use, the Internet Protocol (TCP/IP) component configures the interface with this address. With APIPA, users on single-subnet Small Office/Home Office (SOHO) networks can use TCP/IP without having to perform manual configuration or set up a DHCP server. APIPA does not configure a default gateway or DNS servers. Therefore, only local subnet traffic is possible, and an address in the 169.254.0.0/16 range on a network that is supposed to have a DHCP server is a sign that the DHCP exchange failed.
User Configured If you choose this option, the Internet Protocol (TCP/IP) component uses the configuration that you specify. This option is useful when a computer is used on more than one network, not all of the networks have a DHCP server, and an APIPA configuration is not wanted. For example, you might want to choose this option if you have a laptop computer that you use both at the office and at home. At the office, the laptop uses a TCP/IP configuration from a DHCP server. At home, where no DHCP server is present, the laptop automatically uses the alternate manual configuration. This option provides easy access to home network devices and the Internet and allows seamless operation on both networks, without requiring you to manually reconfigure the Internet Protocol (TCP/IP) component.
If you specify an APIPA configuration or an alternate manual configuration, the Internet Protocol (TCP/IP) component continues to check for a DHCP server in the background every 5 minutes. If TCP/IP finds a DHCP server, it stops using the APIPA or alternate manual configuration and uses the IPv4 address configuration offered by the DHCP server.
To configure the Internet Protocol (TCP/IP) component manually, also known as creating a static configuration, you must at a minimum assign the following:
IP address An IP (IPv4) address is a logical 32-bit address that is used to identify the interface of an IPv4-based TCP/IP node. Each IPv4 address has two parts: the subnet prefix and the host ID. The subnet prefix identifies all hosts that are on the same physical network. The host ID identifies a host on the network. Each interface on an IPv4-based TCP/IP network requires a unique IPv4 address, such as 22.214.171.124.
Subnet mask A subnet mask allows the Internet Protocol (TCP/IP) component to distinguish the subnet prefix from the host ID. An example of a subnet mask is 255.255.255.0.
For more information about IPv4 addresses and subnet masks, see Chapter 3, "IP Addressing," and Chapter 4, "Subnetting."
You must configure these parameters for each network adapter in the node that uses the Internet Protocol (TCP/IP) component. If you want to connect to nodes beyond the local subnet, you must also assign the IPv4 address of a default gateway, which is a router on the local subnet to which the node is attached. The Internet Protocol (TCP/IP) component sends packets that are destined for remote networks to the default gateway, if no other routes are configured on the local host.
You can also manually configure the IPv4 addresses of primary and alternate DNS servers. The Internet Protocol (TCP/IP) component uses DNS servers to resolve names, such as www.example.com, to IPv4 or IPv6 addresses.
Figure 1-4 shows an example of a manual configuration for the Internet Protocol (TCP/IP) component.
Figure 1-4 An example of a manual configuration for the Internet Protocol (TCP/IP)
You can also manually configure the Internet Protocol (TCP/IP) component by using netsh interface ip commands at a command prompt.
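The same static configuration entered from a command prompt instead of the properties dialog box, as an added example that is not part of the original chapter. The connection name and the addresses (taken from the 192.0.2.0/24 range, which is reserved for documentation) are assumptions and must be replaced with values for your network:

```batch
@echo off
rem Added example, not from the original chapter: static IPv4 configuration with Netsh
rem on Windows XP / Windows Server 2003. The connection name, addresses and mask are
rem assumptions (192.0.2.0/24 is the documentation range); substitute your own values.
setlocal

set CONN="Local Area Connection"
set ADDR=192.0.2.10
set MASK=255.255.255.0
set GW=192.0.2.1
set DNS1=192.0.2.53
set DNS2=192.0.2.54

rem Show the configuration before the change (typically DHCP-assigned or APIPA).
netsh interface ip show config name=%CONN%

rem Address, subnet mask and default gateway in one command.
rem gwmetric=1 is the metric of the default route created for the gateway.
netsh interface ip set address name=%CONN% source=static addr=%ADDR% mask=%MASK% gateway=%GW% gwmetric=1
if errorlevel 1 goto fail

rem "set dns ... source=static" replaces the DNS server list with one server;
rem "add dns ... index=2" appends the alternate server behind it.
netsh interface ip set dns name=%CONN% source=static addr=%DNS1%
if errorlevel 1 goto fail
netsh interface ip add dns name=%CONN% addr=%DNS2% index=2
if errorlevel 1 goto fail

rem Confirm what the stack actually applied, not what was requested.
netsh interface ip show config name=%CONN%
ipconfig /all | findstr /c:"IP Address" /c:"Subnet Mask" /c:"Default Gateway" /c:"DNS Servers"
goto end

:fail
echo Netsh reported an error; the configuration was not changed completely.
exit /b 1

:end
rem To return the connection to automatic (DHCP) configuration later:
rem   netsh interface ip set address name=%CONN% source=dhcp
rem   netsh interface ip set dns name=%CONN% source=dhcp
endlocal
```

Run the script while logged on as a member of the Administrators group. Netsh applies each command immediately, so a wrong gateway or mask disconnects the computer from the network; if you are working over a remote session, make the change from the console or prepare a way to revert it.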
Installing and Configuring the IPv6-based TCP/IP Component in Windows
Windows XP with Service Pack 1 (SP1) and Windows Server 2003 are the first versions of Windows to support IPv6 for production use. You install IPv6 as a component in Network Connections; the component is named Microsoft TCP/IP Version 6 in Windows Server 2003 and Windows XP with Service Pack 2 (SP2) and Microsoft IPv6 Developer Edition in Windows XP with SP1.
Note The Microsoft IPv6 Developer Edition component included in Windows XP with no service packs was intended for application developers only, not for use in production environments. Therefore, all of the Help topics for that version contain a disclaimer describing its limitations and supported uses. Windows XP SP1 and SP2 include a version of IPv6 that is intended for production use. However, the Help topics were not updated for Windows XP SP1 or SP2. Therefore, you can disregard the disclaimer if you have installed Windows XP SP1 or SP2.
Unlike the Internet Protocol (TCP/IP) component, the IPv6 component is not installed by default, and you can uninstall it. You can install the IPv6 component in the following ways:
Using the Network Connections folder.
Using the netsh interface ipv6 install command.
To install the IPv6 component in Windows Server 2003 using the Network Connections folder, do the following:
Click Start, point to Control Panel, and then double-click Network Connections.
Right-click any local area connection, and then click Properties.
On the General tab, click Install.
In the Select Network Component Type dialog box, click Protocol, and then click Add.
In the Select Network Protocol dialog box, click Microsoft TCP/IP Version 6, and then click OK.
Click Close to save changes.
Unlike Internet Protocol (TCP/IP), the IPv6 component has no properties dialog box from which you can configure IPv6 addresses and settings. Configuration should be automatic for IPv6 hosts and manual for IPv6 routers.
The Microsoft TCP/IP Version 6 component supports address autoconfiguration. All IPv6 nodes automatically create unique link-local IPv6 addresses (in the fe80::/64 prefix) for use between neighboring nodes on a subnet. To reach remote locations, each IPv6 host upon startup sends a Router Solicitation message in an attempt to discover the local routers on the subnet. An IPv6 router on the subnet responds with a Router Advertisement message, which the IPv6 host uses to automatically configure IPv6 addresses, the default router, and other IPv6 settings.
You do not need to configure the typical IPv6 host manually. If a host does require manual configuration, use the netsh interface ipv6 commands to add addresses or routes and configure other settings.
If you are configuring a computer running Windows XP with SP1, Windows XP with SP2, or Windows Server 2003 to be an IPv6 router, then you must use the netsh interface ipv6 commands to manually configure the IPv6 component with address prefixes.
For more information about configuring an IPv6 router, see Chapter 5, "IP Routing."
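The installation and both configuration cases (an autoconfigured host, a manually configured host, and the router setup that Chapter 5 covers in detail) as Netsh commands, added here as an example; this is not code from the original chapter. The interface name, the 2001:db8 prefixes (the IPv6 documentation prefix) and the router's fe80::1 address are assumptions:

```batch
@echo off
rem Added example, not from the original chapter: installing and configuring the IPv6
rem component with Netsh on Windows XP SP1/SP2 or Windows Server 2003. The interface
rem name, prefixes and addresses are assumptions; substitute your own values.
setlocal
set IF="Local Area Connection"

rem 1. Install the IPv6 component (same result as adding Microsoft TCP/IP Version 6
rem    in Network Connections). "netsh interface ipv6 uninstall" removes it again.
netsh interface ipv6 install

rem 2. A host normally needs nothing more: the link-local address is created
rem    automatically, and global addresses, the default router and other settings
rem    arrive in Router Advertisements. Verify what router discovery produced:
netsh interface ipv6 show interface
netsh interface ipv6 show address
netsh interface ipv6 show route

rem 3. Manual host configuration, only for a host that cannot rely on router
rem    discovery: a global address plus a default route through the router's
rem    link-local address (fe80::1 is an assumption). store=persistent keeps the
rem    settings across restarts; store=active would apply them until the next restart.
netsh interface ipv6 add address interface=%IF% address=2001:db8:1::10 store=persistent
netsh interface ipv6 add route prefix=::/0 interface=%IF% nexthop=fe80::1 store=persistent

rem 4. Making this computer an IPv6 router for the subnet (see Chapter 5, "IP Routing"):
rem    enable forwarding and Router Advertisements on the interface, then publish the
rem    subnet prefix so that it is advertised to hosts. Left commented out because a
rem    host that advertises itself as a router changes every neighbor's configuration.
rem netsh interface ipv6 set interface interface=%IF% forwarding=enabled advertise=enabled
rem netsh interface ipv6 add route prefix=2001:db8:1::/64 interface=%IF% publish=yes
endlocal
```

The address and route commands are also the way to undo autoconfiguration mistakes: the matching delete address and delete route commands remove a single entry without uninstalling the component.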
Name Resolution Files in Windows
The Internet Protocol (TCP/IP) and Microsoft TCP/IP Version 6 components support the use of name resolution files to resolve the names of destinations, networks, protocols, and services. Table 1-4 lists these name resolution files, which are stored in the Systemroot\System32\Drivers\Etc folder.
    Hosts      Resolves host names to IPv4 or IPv6 addresses. For more information, see Chapter 7, "Host Name Resolution."
    Lmhosts    Resolves network basic input/output system (NetBIOS) names to IPv4 addresses. A sample Lmhosts file (Lmhosts.sam) is included by default. You can create a different file named Lmhosts or you can rename or copy Lmhosts.sam to Lmhosts in this folder. For more information, see Chapter 11, "NetBIOS over TCP/IP."
    Networks   Resolves network names to IPv4 subnet prefixes.
    Protocol   Resolves protocol names to RFC-defined protocol numbers. A protocol number is a field in the IPv4 header that identifies the upper-layer protocol (such as TCP or UDP) to which the IPv4 packet payload should be passed.
    Services   Resolves service names to port numbers and protocol names. Port numbers correspond to fields in the TCP or UDP headers that identify the application using TCP or UDP.

Table 1-4 Name Resolution Files in Windows
TCP/IP Tools in Windows
Table 1-5 lists the TCP/IP diagnostic tools that are included with Windows Server 2003 and Windows XP. You can use these tools to help identify or resolve TCP/IP networking problems.
    Arp        Allows you to view and edit the Address Resolution Protocol (ARP) cache. The ARP cache maps IPv4 addresses to media access control (MAC) addresses. Windows uses these mappings to send data on the local network.
    Hostname   Displays the host name of the computer.
    Ipconfig   Displays current TCP/IP configuration values for both IPv4 and IPv6. Also used to manage DHCP configuration and the DNS client resolver cache.
    Lpq        Displays the status of print queues on print servers running Line Printer Daemon (LPD) software.
    Nbtstat    Checks the state of current NetBIOS over TCP/IP connections, updates the Lmhosts cache, and determines the registered names and scope ID.
    Netsh      Displays and allows you to administer settings for IPv4 or IPv6 on either the local computer or a remote computer.
    Netstat    Displays statistics and other information about current IPv4 and IPv6 connections.
    Nslookup   Queries a DNS server.
    Ping       Tests IPv4 or IPv6 connectivity to other IP nodes.
    Route      Allows you to view the local IPv4 and IPv6 routing tables and to modify the local IPv4 routing table.
    Tracert    Traces the route that an IPv4 or IPv6 packet takes to a destination.
    Pathping   Traces the route that an IPv4 or IPv6 packet takes to a destination and displays information on packet losses for each router and subnet in the path.

Table 1-5 TCP/IP diagnostic tools in Windows
Windows Server 2003 and Windows XP also include command-line tools for data transfer using FTP, Trivial File Transfer Protocol (TFTP), Telnet, and connectivity to UNIX-based resources. FTP, TFTP, and Telnet carry credentials and data in cleartext, so use them only on networks you trust or for diagnostics.
After you have configured TCP/IP, you can use the Ipconfig and Ping tools to verify and test the configuration and connectivity to other TCP/IP hosts and networks.
The Ipconfig Tool
You can use the Ipconfig tool to verify the TCP/IP configuration parameters on a host, including the following:
For IPv4, the IPv4 address, subnet mask, and default gateway.
For IPv6, the IPv6 addresses and the default router.
Ipconfig is useful in determining whether the configuration is initialized and whether a duplicate IP address is configured. To view this information, type ipconfig at a command prompt.
Here is an example of the display of the Ipconfig tool for a computer that is using both IPv4 and IPv6:

    C:\>ipconfig

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : wcoast.example.com
        IP Address. . . . . . . . . . . . : 126.96.36.199
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        IP Address. . . . . . . . . . . . : 2001:db8:ffff:f282:204:76ff:fe36:7363
        IP Address. . . . . . . . . . . . : fec0::f282:204:76ff:fe36:7363%2
        IP Address. . . . . . . . . . . . : fe80::204:76ff:fe36:7363
        Default Gateway . . . . . . . . . : 188.8.131.52
                                            2001:db8:1:21ad:210:ffff:fed6:58c0

    Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . : wcoast.example.com
        IP Address. . . . . . . . . . . . : 2001:db8:ffff:f70f:0:5efe:184.108.40.206
        IP Address. . . . . . . . . . . . : fe80::5efe:220.127.116.11%2
        Default Gateway . . . . . . . . . : fe80::5efe:18.104.22.168%2
Type ipconfig /all at a command prompt to view the IPv4 and IPv6 addresses of DNS servers, the IPv4 addresses of Windows Internet Name Service (WINS) servers (which resolve NetBIOS names to IP addresses), the IPv4 address of the DHCP server, and lease information for DHCP-configured IPv4 addresses. Other Ipconfig options manage the DHCP-assigned configuration (ipconfig /release and ipconfig /renew) and the DNS client resolver cache (ipconfig /displaydns and ipconfig /flushdns).
The Ping Tool
After you verify the configuration with the Ipconfig tool, use the Ping tool to test connectivity. The Ping tool is a diagnostic tool that tests TCP/IP configurations and diagnoses connection failures. For IPv4, Ping uses ICMP Echo and Echo Reply messages to determine whether a particular IPv4-based host is available and functional. For IPv6, Ping uses ICMP for IPv6 (ICMPv6) Echo Request and Echo Reply messages. The basic command syntax is ping Destination, in which Destination is either an IPv4 or IPv6 address or a name that can be resolved to an IPv4 or IPv6 address.
Here is an example of the display of the Ping tool for an IPv4 destination (each reply comes from the address that was pinged):

    C:\>ping 22.214.171.124

    Pinging 22.214.171.124 with 32 bytes of data:

    Reply from 22.214.171.124: bytes=32 time<1ms TTL=255
    Reply from 22.214.171.124: bytes=32 time<1ms TTL=255
    Reply from 22.214.171.124: bytes=32 time<1ms TTL=255
    Reply from 22.214.171.124: bytes=32 time<1ms TTL=255

    Ping statistics for 22.214.171.124:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
Here is an example of the display of the Ping tool for an IPv6 destination:

    C:\>ping 2001:db8:1:21ad:210:ffff:fed6:58c0

    Pinging 2001:db8:1:21ad:210:ffff:fed6:58c0
    from 2001:DB8:1:21ad:204:76ff:fe36:7363 with 32 bytes of data:

    Reply from 2001:db8:1:21ad:210:ffff:fed6:58c0: time<1ms
    Reply from 2001:db8:1:21ad:210:ffff:fed6:58c0: time<1ms
    Reply from 2001:db8:1:21ad:210:ffff:fed6:58c0: time<1ms
    Reply from 2001:db8:1:21ad:210:ffff:fed6:58c0: time<1ms

    Ping statistics for 2001:db8:1:21ad:210:ffff:fed6:58c0:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
To verify a computer’s configuration and to test for router connections, do the following:
Type ipconfig at a command prompt to verify whether the TCP/IP configuration has initialized.
Ping the IPv4 address of the default gateway or the IPv6 address of the default router to verify whether they are functioning and whether you can communicate with a node on the local network.
Ping the IPv4 or IPv6 address of a remote node to verify whether you can communicate through a router.
If you start with step 3 and you are successful, then you can assume that you would be successful with steps 1 and 2.
Note You cannot use the Ping tool to troubleshoot connections if packet filtering routers and host-based firewalls are dropping ICMP and ICMPv6 traffic. A successful ping proves that the destination is reachable; a failed ping does not prove the opposite, because the Echo Request or the Echo Reply may have been filtered on the way. For more information, see Chapter 13, "Internet Protocol Security (IPsec) and Packet Filtering."
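The three-step check as a script, added as an example that is not part of the original chapter. It takes the gateway (or IPv6 default router) address and a remote address as arguments, flags an APIPA address in step 1, and, because ICMP may be filtered, reports a missing reply as inconclusive rather than as proof that the path is down. The address format in the usage line is an assumption; any IPv4 or IPv6 address that Ping accepts works:

```batch
@echo off
rem Added example, not from the original chapter: scripted version of the three-step
rem check (ipconfig, ping the default gateway or router, ping a remote node) for
rem Windows XP / Windows Server 2003. Usage: checkip.cmd <gateway> <remote-node>
setlocal
if "%~2"=="" (
    echo usage: %~nx0 gateway-address remote-address
    exit /b 2
)
set GW=%~1
set REMOTE=%~2

rem Step 1: has the configuration initialized? A 169.254.x.x address means APIPA
rem was used because no DHCP server answered; 0.0.0.0 means no address at all.
echo --- Step 1: local configuration
ipconfig | findstr /c:"IP Address" /c:"Default Gateway"
ipconfig | findstr /c:"169.254." >nul && echo WARNING: APIPA address in use, no DHCP server was found
ipconfig | findstr /c:": 0.0.0.0" >nul && echo WARNING: an interface has no IPv4 address

rem Step 2: the default gateway (IPv4) or default router (IPv6) on the local subnet.
echo --- Step 2: default gateway/router %GW%
call :check %GW%
if errorlevel 1 goto done

rem Step 3: a node beyond the router.
echo --- Step 3: remote node %REMOTE%
call :check %REMOTE%
goto done

:check
rem Ping's exit code on Windows XP is not a reliable reachability test (it is 0 when
rem a "Destination host unreachable" reply arrives), so inspect the output instead:
rem an IPv4 reply contains "TTL=", an IPv6 reply contains "time<" or "time=".
rem "Request timed out." matches neither pattern.
ping -n 2 %1 | findstr /r /c:"TTL=" /c:"time[<=]" >nul
if errorlevel 1 (
    echo FAIL: no echo reply from %1
    echo       ^(a firewall or packet-filtering router dropping ICMP gives the same result^)
    exit /b 1
)
echo OK: %1 answered
exit /b 0

:done
endlocal
```

The script stops after step 2 when the gateway does not answer, because a remote failure tells you nothing new in that case; when step 2 succeeds and step 3 fails, the problem lies beyond the local subnet or in filtering along the path.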
You can use Network Monitor to simplify troubleshooting complex network problems because it monitors and captures network traffic for analysis. Network Monitor works by configuring a network adapter to capture all incoming and outgoing packets.
You can define capture filters so that only specific frames are saved. Filters can save frames based on source and destination MAC addresses, source and destination protocol addresses, and pattern matches. After a packet is captured, you can use display filtering to further isolate a problem. When a packet has been captured and filtered, Network Monitor interprets and displays the packet data in readable terms. Because a capture records full frame contents, including any cleartext credentials from protocols such as Telnet or FTP, treat capture files as sensitive and restrict who can read them.
Note Windows Server 2003 includes a version of Network Monitor that can capture data for the local computer only. Microsoft Systems Management Server includes a version that can capture data for remote computers.
To install Network Monitor in Windows Server 2003, do the following:
Click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
In the Windows Components wizard, click Management and Monitoring Tools, and then click Details.
In Management And Monitoring Tools, select the Network Monitor Tools check box, and then click OK.
If you are prompted for additional files, insert the product CD, or type a path to the location of the files on the network.
Note To perform this procedure, you must be logged on as a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might also be able to perform this procedure.
To analyze network traffic with Network Monitor, you must start the capture, generate the network traffic you want to observe, stop the capture, and then view the data.
Starting a Capture
Network Monitor uses different windows to display data in different ways. One of the primary windows is the Capture window. Figure 1-5 shows an example of the Capture window.
Figure 1-5 The Capture window in Network Monitor
When this window is active, the toolbar has options to start, pause, stop, or stop and view captured data. On the Capture menu, click Start to start a capture. While the capture is running, statistical information appears in the Capture window.
Stopping a Capture
After you have generated the network traffic that you want to analyze, on the Capture menu, click Stop to stop the capture. You can then start another capture or display the current capture data. To stop a capture and immediately open it for viewing, on the Capture menu, click Stop and View.
Viewing the Data
When you open a capture to view, a Summary window appears, showing the list of frames in the capture. Each frame contains a frame number, the time of frame reception, source and destination addresses, the highest-layer protocol used in the frame, and a description of the frame. Figure 1-6 shows an example Summary window.
Figure 1-6 The Summary window of a capture in Network Monitor
For more detailed information about a specific frame, on the Window menu, click Zoom pane. In the zoom view, the Summary window shows two more panes, the Detail pane and the Hexadecimal pane. The Detail pane shows the protocol information in detail. The Hexadecimal pane shows the individual bytes in the frame. Figure 1-7 shows the zoom view of a frame within an example capture.
Figure 1-7 Zoom view of a frame in a capture in Network Monitor
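As an added example (not part of the chapter, and not Network Monitor's own code), the following small decoder produces, for one frame, the same three views described above: a Summary-window row (frame number, time, source, destination, highest-layer protocol, description), a Detail-pane breakdown by layer, and a Hexadecimal-pane byte dump. The frame, MAC addresses and IP addresses are constructed for illustration; checksums are left as zero and are not validated.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request"}

def mac_str(raw):                # MAC shown as 12 hex digits
    return "".join(f"{b:02X}" for b in raw)

def decode_frame(frame):
    """Break the frame into layers (the Detail pane); returns (layers, highest-layer protocol)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"ETHERNET": {"dst": mac_str(dst), "src": mac_str(src),
                           "type": ETHERTYPES.get(ethertype, f"0x{ethertype:04X}")}}
    highest = layers["ETHERNET"]["type"]
    if ethertype == 0x0800:                 # IPv4 header follows the 14-byte Ethernet header
        ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
        proto = frame[23]
        layers["IP"] = {"src": ".".join(map(str, frame[26:30])),
                        "dst": ".".join(map(str, frame[30:34])),
                        "ttl": frame[22], "protocol": IP_PROTOCOLS.get(proto, str(proto))}
        highest = layers["IP"]["protocol"]
        if proto == 1:                      # ICMP follows the IPv4 header directly
            icmp = frame[14 + ihl:]
            layers["ICMP"] = {"type": ICMP_TYPES.get(icmp[0], str(icmp[0])), "code": icmp[1]}
    return layers, highest

def summary_line(number, seconds, frame):
    """One Summary-window row: frame number, time, source, destination, protocol, description."""
    layers, highest = decode_frame(frame)
    addrs = layers.get("IP", layers["ETHERNET"])   # IP addresses if present, else MACs
    desc = layers["ICMP"]["type"] if "ICMP" in layers else f"{highest} frame"
    return f"{number:<5} {seconds:<8.3f} {addrs['src']:<16} {addrs['dst']:<16} {highest:<6} {desc}"

def hex_pane(frame, width=16):
    """Lines in the style of the Hexadecimal pane: offset, raw bytes, printable ASCII."""
    lines = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {text}")
    return lines

# Constructed sample frame: Ethernet II + IPv4 + ICMP Echo Request (what Ping sends).
# Checksums are left as zero; the decoder does not validate them.
SAMPLE_FRAME = bytes.fromhex(
    "000C29AABBCC 005056112233 0800"                    # Ethernet: dst MAC, src MAC, type IP
    "4500001C 00010000 80 01 0000 C0A8010A C0A80101"   # IPv4: TTL 128, proto 1, 192.168.1.10 -> 192.168.1.1
    "08 00 0000 0001 0001")                            # ICMP: type 8 (Echo Request), id 1, seq 1
```

Calling summary_line(1, 0.0, SAMPLE_FRAME) returns the row for the sample frame, and hex_pane(SAMPLE_FRAME) returns its byte dump line by line.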
This chapter includes the following key information:
TCP/IP is an industry-standard suite of protocols that are designed for large-scale networks. The TCP/IP protocol suite includes both the IPv4 and IPv6 sets of protocols.
The standards for TCP/IP are published in a series of documents called RFCs.
On a TCP/IP-based network, a router can forward packets that are not addressed to the router, a host cannot, and a node is either a host or a router.
On a TCP/IP-based network, a subnet is one or more LAN segments that are bounded by routers and that use the same IP address prefix, and a network is two or more subnets connected by routers.
The IPv4-based TCP/IP component in Windows is the Internet Protocol (TCP/IP) component in Network Connections. This component is installed by default, and you cannot uninstall it. You configure it either automatically (by using DHCP or an alternate configuration) or manually (by using Network Connections or the Netsh tool).
The IPv6-based TCP/IP component in Windows is the Microsoft TCP/IP Version 6 or Microsoft IPv6 Developer Edition component in Network Connections. This component is not installed by default, and you can uninstall it. You configure it either automatically (by using router discovery) or manually (by using the Netsh tool).
Ipconfig and ping are the primary tools for troubleshooting basic IP configuration and connectivity.
You can use Network Monitor to troubleshoot complex network problems by capturing and viewing network traffic for analysis.
address – An identifier that specifies the source or destination of IP packets and that is assigned at the IP layer to an interface or set of interfaces.
APIPA – See Automatic Private IP Addressing.
Automatic Private IP Addressing – A feature in Windows Server 2003 and Windows XP that automatically configures a unique IPv4 address from the range 169.254.0.1 through 169.254.255.254 and a subnet mask of 255.255.0.0. APIPA is used when the Internet Protocol (TCP/IP) component is configured for automatic addressing, no DHCP server is available, and the Automatic Private IP Address alternate configuration option is chosen.
host – A node that is typically the source and a destination of IP traffic. Hosts silently discard received packets that are not addressed to an IP address of the host.
interface – The representation of a physical or logical attachment of a node to a subnet. An example of a physical interface is a network adapter. An example of a logical interface is a tunnel interface that is used to send IPv6 packets across an IPv4 network.
IP – Features or attributes that apply to both IPv4 and IPv6. For example, an IP address is either an IPv4 address or an IPv6 address.
IPv4 – The Internet layer protocols of the TCP/IP protocol suite as defined in RFC 791. IPv4 is in widespread use today.
IPv6 – The Internet layer protocols of the TCP/IP protocol suite as defined in RFC 2460. IPv6 is gaining acceptance today.
LAN segment – A portion of a subnet that consists of a single medium that is bounded by bridges or Layer 2 switches.
neighbor – A node that is connected to the same subnet as another node.
network – Two or more subnets that are connected by routers. Another term for network is internetwork.
node – Any device, including routers and hosts, which runs an implementation of IP.
packet – The protocol data unit (PDU) that exists at the Internet layer and comprises an IP header and payload.
Request for Comments (RFC) – An official document that specifies the details for protocols included in the TCP/IP protocol suite. The Internet Engineering Task Force (IETF) creates and maintains RFCs for TCP/IP.
RFC – See Request for Comments (RFC).
router – A node that can be a source and destination for IP traffic and can also forward IP packets that are not addressed to an IP address of the router. On an IPv6 network, a router also typically advertises its presence and host configuration information.
subnet – One or more LAN segments that are bounded by routers and that use the same IP address prefix. Other terms for subnet are network segment and link.
TCP/IP – See Transmission Control Protocol/Internet Protocol (TCP/IP).
Transmission Control Protocol/Internet Protocol (TCP/IP) – A suite of networking protocols, including both IPv4 and IPv6, that are widely used on the Internet and that provide communication across interconnected networks of computers with diverse hardware architectures and various operating systems.
upper-layer protocol – A protocol above IP that uses IP as its transport. Examples of upper-layer protocols include Internet layer protocols such as the Internet Control Message Protocol (ICMP) and Transport layer protocols such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
by Corey Nachreiner, CISSP, Director of Security Strategy and Research
Anyone who's used a networked computer probably has a functional understanding of Internet Protocol addresses (referred to as IP for short). An IP is a numeric identifier that represents a computer or device on a network. Your computer's IP is like your home's mailing address.
End users really don't need to know much more about IPs than that. However, a mailman has to know more about a mailing address than the person sending a letter does. For similar reasons, a network administrator, or anyone configuring WatchGuard's XTM and Firebox appliances, needs to know the technical details behind IP addresses in order to recognize wider possibilities in managing a network.
The Security Fundamentals article, "Internet Protocol for Beginners," describes what IP addresses are, non-technically. In contrast, this article concentrates on describing the mathematics behind an IP address, down to the last binary detail. If you're already familiar with the technical details behind IP addresses, feel free to skip this article. However, if you're curious about how computers see IPs, or if you need a quick brush-up on binary math, read on.
How we see IP addresses
You know that an IP address is numbers that represent a device on a network, as a mailing address represents your home's location. But in order to actually assign and use IP addresses, you must understand the format of these "numerical identifiers" and the rules that pertain to them.
Let's first concentrate on how humans read and write IP addresses. To us, an IP address appears as four decimal numbers separated by periods. For example, you might use 126.96.36.199 as an IP for some device in your network. You probably noticed that the four numbers making up an IP are always between 0 and 255. Have you ever wondered why?
You may also have heard people referring to the four numerical values in an IP address as "octets". Octet is, in fact, the correct term for describing the four individual numbers that make up an IP address. But doesn't it seem odd that a word whose root means "eight" describes a number from 0 to 255? What does "eight" have to do with those values? To understand the answers to these questions, you have to look at an IP address from your computer's viewpoint.
Computers think in binary
Computers see everything in terms of binary. In binary systems, everything is described using two values or states: on or off, true or false, yes or no, 1 or 0. A light switch could be regarded as a binary system, since it is always either on or off.
As complex as they may seem, on a conceptual level computers are nothing more than boxes full of millions of "light switches." Each of the switches in a computer is called a bit, short for binary digit. A computer can turn each bit either on or off. Your computer likes to describe on as 1 and off as 0.
By itself, a single bit is kind of useless, as it can only represent one of two things. Imagine if you could only count using either zero or one. Alone, you could never count past one. On the other hand, if you got a bunch of buddies together who could also count using zero or one and you added all your buddies' ones together, your group of buddies could count as high as they wanted, limited only by how many friends you had. Computers work in the same way. By arranging bits in groups, the computer is able to describe more complex ideas than just on or off. The most common arrangement of bits in a group is called a byte, which is a group of eight bits.
The act of creating large numbers from groups of binary units or bits is called binary arithmetic. Learning binary arithmetic helps you understand how your computer sees IPs (or any numbers greater than one).
In binary arithmetic, each bit within a group represents a power of two. Specifically, the first bit in a group represents 2^0 [Editor's note for non-math majors: mathematicians stipulate that any number raised to the power of zero equals 1], the second bit represents 2^1, the third bit represents 2^2, and so on. It's easy to understand binary because each successive bit in a group is exactly twice the value of the previous bit.
The following table represents the value for each bit in a byte (remember, a byte is 8 bits). In binary math, the values for the bits ascend from right to left, just as in the decimal system you're accustomed to:
8th bit    7th bit   6th bit   5th bit   4th bit   3rd bit   2nd bit   1st bit
128 (2^7)  64 (2^6)  32 (2^5)  16 (2^4)  8 (2^3)   4 (2^2)   2 (2^1)   1 (2^0)
Now that we know how to calculate the value for each bit in a byte, creating large numbers in binary is simply a matter of turning on certain bits and then adding together the values of those bits. So what does an 8-bit binary number like 01101110 represent? The following table dissects this number. Remember, a computer uses 1 to signify "on" and 0 to signify "off":
128 (2^7)  64 (2^6)  32 (2^5)  16 (2^4)  8 (2^3)   4 (2^2)   2 (2^1)   1 (2^0)
0          1         1         0         1         1         1         0
In the table above, you can see that the bits with the values 64, 32, 8, 4 and 2 are all turned on. As mentioned before, calculating the value of a binary number means totaling all the values for the "on" bits. So for the binary value in the table, 01101110, we add together 64+32+8+4+2 to get the number 110. Binary arithmetic is pretty easy once you know what's going on.
How computers see IP addresses
So now that you understand a bit about binary (pun intended), you can understand the technical definition of an IP address. To your computer, an IP address is a 32-bit number subdivided into four bytes.
Remember the example of an IP above, 188.8.131.52? Using binary arithmetic, we can convert that IP address to its binary equivalent. This is how your computer sees that IP:
Understanding binary also provides you with some of the rules pertaining to IPs. We wondered why the four segments of an IP were called octets. Well, now that you know that each octet is actually a byte, or eight bits, it makes a lot more sense to call it an octet. And remember how the values for each octet in an IP were within the range of 0 to 255, but we didn't know why? Using binary arithmetic, it's easy to calculate the highest number that a byte can represent. If you turn on all the bits in a byte (11111111) and then convert that byte to a decimal number (128 + 64 + 32 + 16 + 8 + 4 + 2 + 1), those bits total 255.
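As an added example (not part of the article), here is the binary arithmetic described above written out in code: turning an octet into its eight bits by testing each power of two, adding up the values of the "on" bits to get back the decimal value, and applying the same conversion to all four octets of a dotted-decimal IP address. It also shows why an octet cannot exceed 255 and rejects values that do not fit in eight bits.

```python
# 2^7 down to 2^0, with the 8th bit on the left as in the article's table.
BIT_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]

def octet_to_bits(value):
    """Turn a 0-255 octet into its 8-bit string by testing each power of two in turn."""
    if not 0 <= value <= 255:
        raise ValueError(f"{value} does not fit in one octet (8 bits)")
    bits = ""
    for weight in BIT_VALUES:
        if value >= weight:      # this bit is "on": record it and subtract its value
            bits += "1"
            value -= weight
        else:
            bits += "0"
    return bits

def on_bits(bits):
    """Values of the bits that are turned on, e.g. '01101110' -> [64, 32, 8, 4, 2]."""
    return [weight for weight, b in zip(BIT_VALUES, bits) if b == "1"]

def bits_to_octet(bits):
    """Add together the values of the 'on' bits, exactly as the table in the article does."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"{bits!r} is not an 8-bit binary string")
    return sum(on_bits(bits))

def ip_to_binary(ip):
    """Dotted decimal -> four octets of eight bits, the 32-bit number the computer sees."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"{ip!r} must have exactly four octets")
    return ".".join(octet_to_bits(int(o)) for o in octets)

def binary_to_ip(binary):
    """The reverse: four 8-bit groups separated by periods -> dotted decimal."""
    return ".".join(str(bits_to_octet(b)) for b in binary.split("."))

def max_octet():
    """All eight bits on (11111111): 128+64+32+16+8+4+2+1, the reason an octet tops out at 255."""
    return bits_to_octet("11111111")
```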
Why do I care?
Now that you understand binary and how computers see IP addresses, you might think, "That's interesting, but what's the point?" End users really don't need to understand the binary representation of an IP. In fact, we purposely write IPs in decimal so that they are easier for humans to understand and remember. However, network administrators must know technically what's going on in order to implement anything but the simplest network.
In the two-part article "Understanding Subnetting," Rik Farrow describes one of the most important concepts necessary for creating TCP/IP networks, the subnet. As you will see, understanding binary is a fundamental requirement for subnetting. Just as a mailman must understand the postal delivery system in order to make sure every message reaches its destination, you'll find that being able to look at IP addresses the way your computer does will help you do a better job as a network administrator -- and more easily, too.