Lab 4.5.1 Observing TCP and UDP Using Netstat (Instructor Version)

May 30, 2018 | Author: Rifqi Imaduddin Irfan | Category: Port (Computer Networking), Transmission Control Protocol, Ip Address, Osi Model, Communications Protocols

CCNA Exploration Network Fundamentals: OSI Transport Layer

[Figure: Topology Diagram]

Addressing Table

Device        Interface  IP Address       Subnet Mask      Default Gateway
R1-ISP        S0/0/0     10.10.10.6       255.255.255.252  N/A
              Fa0/0      192.168.254.253  255.255.255.0    N/A
R2-Central    S0/0/0     10.10.10.5       255.255.255.252  10.10.10.6
              Fa0/0      172.16.255.254   255.255.0.0      N/A
Eagle Server  N/A        192.168.254.254  255.255.255.0    192.168.254.253
              N/A        172.31.24.254    255.255.255.0    N/A
hostPod#A     N/A        172.16.Pod#.1    255.255.0.0      172.16.255.254
hostPod#B     N/A        172.16.Pod#.2    255.255.0.0      172.16.255.254
S1-Central    N/A        172.16.254.1     255.255.0.0      172.16.255.254

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Learning Objectives

- Explain common netstat command parameters and outputs.
- Use netstat to examine protocol information on a pod host computer.

Background

netstat is an abbreviation for the network statistics utility, available on both Windows and Unix / Linux computers. Passing optional parameters with the command will change output information. netstat displays incoming and outgoing network connections (TCP and UDP), host computer routing table information, and interface statistics.

Scenario

In this lab the student will examine the netstat command on a pod host computer, and adjust netstat output options to analyze and understand TCP/IP Transport Layer protocol status.

Depending on the classroom situation, the lab topology may have been modified before this class. It is best to use one host to verify infrastructure connectivity. If the default web page cannot be accessed from eagle-server.example.com, troubleshoot end-to-end network connectivity:

1. Verify that all network equipment is powered on, and Eagle Server is on.
2. From a known good host computer, ping eagle-server.example.com. If the ping test fails, ping S1-Central, R2-Central, R1-ISP, and finally eagle-server. Take corrective action on devices that fail ping tests.
3. If an individual host computer cannot connect to Eagle Server, check the cable connection between the host and S1-Central. Verify that the host computer has the correct IP address, shown in the logical addressing table above, and can ping R2-Central, 172.16.255.254. Verify that the host computer has the correct Gateway IP address, 172.16.255.254, and can ping R1-ISP, 10.10.10.6. Finally, verify that the host has the correct DNS address, and can ping eagle-server.example.com.

Task 1: Explain common netstat command parameters and outputs.

Open a terminal window by clicking on Start | Run. Type cmd, and press OK.

To display help information about the netstat command, use the /? options, as shown:

    C:\> netstat /? <ENTER>

Use the output of the netstat /? command as reference to fill in the appropriate option that best matches the description.

Answer:

Option      Description
-a          Display all connections and listening ports.
-n          Display addresses and port numbers in numerical form.
5           Redisplay statistics every five seconds. Press CTRL+C to stop redisplaying statistics.
-p          Shows connections for the protocol specified by proto. proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-an 5       Redisplay all connections and listening ports every 30 seconds.
No options  Display only open connections. This is a tricky problem.

When netstat statistics are displayed for TCP connections, the TCP state is displayed. During the life of a TCP connection, the connection passes through a series of states. The following table is a summary of TCP states, compiled from RFC 793, Transmission Control Protocol, September, 1981, as reported by netstat:

State         Connection Description
LISTEN        The local connection is waiting for a connection request from any remote device.
ESTABLISHED   The connection is open, and data may be exchanged through the connection. This is the normal state for the data transfer phase of the connection.
TIME-WAIT     The local connection is waiting a default period of time after sending a connection termination request before closing the connection. This is a normal condition, and will normally last between 30 - 120 seconds.
CLOSE-WAIT    The connection is closed, but is waiting for a termination request from the local user.
SYN-SENT      The local connection is waiting for a response after sending a connection request. The connection should transition quickly through this state.
SYN_RECEIVED  The local connection is waiting for a confirming connection request acknowledgment. The connection should transition quickly through this state. Multiple connections in SYN_RECEIVED state may indicate a TCP SYN attack.

IP addresses displayed by netstat fall into several categories:

IP Address      Description
127.0.0.1       This address refers to the local host, or this computer.
0.0.0.0         A global address, meaning "ANY".
Remote Address  The address of the remote device that has a connection with this computer.

Task 2: Use netstat to Examine Protocol Information on a Pod Host Computer.

Step 1: Use netstat to view existing connections.

From the terminal window in Task 1, above, issue the command netstat -a:

    C:\> netstat -a <ENTER>

A table will be displayed that lists protocol (TCP and UDP), Local address, Foreign address, and State information. Addresses and protocols that can be translated into names are displayed.

The -n option forces netstat to display output in raw format. From the terminal window, issue the command netstat -an:

    C:\> netstat -an <ENTER>

Use the window vertical scroll bar to go back and forth between the outputs of the two commands. Compare outputs, noting how well-known port numbers are changed to names.

Write down three TCP and three UDP connections from the netstat -a output, and the corresponding translated port numbers from the netstat -an output. If there are fewer than three connections that translate, note that in your table.

Answers will vary. Following is a list of several common services on a host computer:

Connection
Proto  Local Address                Foreign Address   State
TCP    GW-desktop-hom:epmap         GW-desktop-hom:0  LISTENING
TCP    0.0.0.0:135                  0.0.0.0:0         LISTENING
TCP    GW-desktop-hom:microsoft-ds  GW-desktop-hom:0  LISTENING
TCP    0.0.0.0:445                  0.0.0.0:0         LISTENING
TCP    GW-desktop-hom:netbios-ssn   GW-desktop-hom:0  LISTENING
TCP    192.168.254.1:139            0.0.0.0:0         LISTENING
UDP    GW-desktop-hom:ntp           *:*
UDP    192.168.254.1:123            *:*
UDP    GW-desktop-hom:netbios-ns    *:*
UDP    192.168.254.1:137            *:*
UDP    GW-desktop-hom:netbios-dgm   *:*
UDP    192.168.254.1:138            *:*

Refer to the following netstat output. A new network engineer suspects that his host computer has been compromised by an outside attack against ports 1070 and 1071. How would you respond?

    C:\> netstat -n
    Active Connections
    Proto  Local Address   Foreign Address  State
    TCP    127.0.0.1:1070  127.0.0.1:1071   ESTABLISHED
    TCP    127.0.0.1:1071  127.0.0.1:1070   ESTABLISHED
    C:\>

Because the foreign address is 127.0.0.1, the host computer has made a TCP connection with itself.

Step 2: Establish multiple concurrent TCP connections and record netstat output.

In this task, several simultaneous connections will be made with Eagle Server. The venerable telnet command will be used to access Eagle Server network services, thus providing several protocols to examine with netstat.

Open an additional four terminal windows. Arrange the windows so that all are visible. The four terminal windows that will be used for telnet connections to Eagle Server can be relatively small, approximately ½ screen width by ¼ screen height. The terminal windows that will be used to collect connection information should be ½ screen width by full screen height.

Several network services on Eagle Server will respond to a telnet connection. We will use:

- DNS - domain name server, port 53
- FTP - FTP server, port 21
- SMTP - SMTP mail server, port 25
- TELNET - Telnet server, port 23

Why should telnet to UDP ports fail?

Telnet is a TCP protocol, and UDP cannot build the TCP session.

To close a telnet connection, press the <CTRL> ] keys together. That will bring up the telnet prompt, Microsoft Telnet>. Type quit <ENTER> to close the session.

In the first telnet terminal window, telnet to Eagle Server on port 53. In the second terminal window, telnet on port 21. In the third terminal window, telnet on port 25. In the fourth terminal window, telnet on port 23. The command for a telnet connection on port 21 is shown below:

    C:\> telnet eagle-server.example.com 53

In the large terminal window, record established connections with Eagle Server. Output should look similar to the following. If typing is slow, a connection may close before all connections have been made. Eventually, connections should terminate from inactivity.

Answer:

Proto  Local Address       Foreign Address     State
TCP    192.168.254.1:1688  192.168.254.254:21  ESTABLISHED
TCP    192.168.254.1:1691  192.168.254.254:25  ESTABLISHED
TCP    192.168.254.1:1693  192.168.254.254:53  ESTABLISHED
TCP    192.168.254.1:1694  192.168.254.254:23  ESTABLISHED

Task 3: Reflection.

The netstat utility displays incoming and outgoing network connections (TCP and UDP), host computer routing table information, and interface statistics.

Task 4: Challenge.

Close Established sessions abruptly (close the terminal window), and issue the netstat -an command. Try to view connections in stages different from ESTABLISHED.

Task 5: Cleanup.

Unless directed otherwise by the instructor, turn off power to the host computers. Remove anything that was brought into the lab, and leave the room ready for the next class.
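
The lab's two netstat interpretation points, the 127.0.0.1:1070/1071 pair in Task 2 and the note that multiple SYN_RECEIVED rows may indicate a TCP SYN attack, can be checked mechanically over netstat -an text. The following is an added example, not part of the Cisco lab; the function names, the threshold of 3, and every sample row other than the two 127.0.0.1 lines are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in `netstat -an` layout. The two 127.0.0.1 rows are the
# lab's; all other rows are invented (203.0.113.0/24 is a documentation range).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1070         127.0.0.1:1071         ESTABLISHED
  TCP    127.0.0.1:1071         127.0.0.1:1070         ESTABLISHED
  TCP    192.168.254.1:1688     192.168.254.254:21     ESTABLISHED
  TCP    192.168.254.1:80       203.0.113.7:40112      SYN_RECEIVED
  TCP    192.168.254.1:80       203.0.113.8:40113      SYN_RECEIVED
  TCP    192.168.254.1:80       203.0.113.9:40114      SYN_RECEIVED
  UDP    192.168.254.1:123      *:*
"""

def parse(text):
    """Return (proto, local, foreign, state) tuples; UDP rows have state ''."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] in ("TCP", "UDP"):
            rows.append((f[0], f[1], f[2], f[3] if len(f) > 3 else ""))
    return rows

def is_loopback(endpoint):
    """True if the address part of 'addr:port' is a loopback IP (v4 or v6)."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*', or a name from netstat -a without -n
        return False

def self_connections(rows):
    """ESTABLISHED rows with both ends on loopback and a mirror row present."""
    seen = {(l, f) for _, l, f, s in rows if s == "ESTABLISHED"}
    return [(l, f) for l, f in sorted(seen)
            if is_loopback(l) and is_loopback(f) and (f, l) in seen]

def half_open_by_port(rows, threshold=3):
    """Local endpoints with >= threshold SYN_RECEIVED rows (assumed cutoff)."""
    counts = Counter(l for _, l, _, s in rows if s == "SYN_RECEIVED")
    return {ep: n for ep, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("host talking to itself:", self_connections(rows))
    print("many half-open connections:", half_open_by_port(rows))
```

A mirrored loopback pair is one local TCP session seen from both ends, which is why the lab's answer rules out an outside peer; the SYN_RECEIVED cutoff should be set from the host's normal load.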

