The four layers of the DOD model :
Network Interface layer. This is the base of the model. It puts frames on the wire and pulls them off again. Examples are Ethernet, Token Ring, FDDI, Frame Relay, ATM, X.25, etc.
Internet layer. The internet layer protocols encapsulate the data into packets and run the routing algorithms. The layer contains four protocols :
IP (Internet protocol)
IP provides connectionless, best-effort packet delivery. It does not guarantee that a packet arrives, arrives only once, or arrives in the correct sequence.
ARP (Address Resolution Protocol)
ARP maps an IP address to a MAC (Media Access Control) address. The requesting host broadcasts the IP address on the local segment; the owner of that IP address replies with its MAC address, and the mapping is kept in the ARP cache. ARP requests and replies are not authenticated, so any host on the segment can answer for an address; a cache entry that changes unexpectedly (see arp -a below) is worth investigating.
ICMP (Internet Control Message Protocol)
This protocol is used by hosts and routers to communicate status and error information (e.g. destination unreachable, time exceeded). The ping command uses ICMP echo request and echo reply messages.
IGMP (Internet Group Management Protocol)
This protocol lets hosts join and leave multicast groups, so that routers know where to forward multicast traffic, e.g. for streaming programs like Microsoft NetShow.
The transport layer provides communication sessions between computers. It contains two protocols :
TCP
TCP is connection-oriented. It guarantees delivery by acknowledging received segments and retransmitting lost ones, delivers data in the right sequence and protects each segment with a checksum.
UDP
UDP is connectionless. It does not guarantee delivery or ordering; if the application needs either, it has to check for itself.
Application layer. There are many standard TCP/IP utilities and protocols at this layer, like FTP, Telnet, SNMP, etc. There are two interfaces that applications can use to access the services of the TCP/IP protocol stack :
Winsock
This is the standard interface between socket-based applications and the TCP/IP protocols.
NetBT
This serves as a standard interface for NetBIOS services including name, datagram and session services.
The OSI model is based on seven layers :
The application layer provides support to end-user applications via APIs like the mail API (MAPI), MS Fax API (FAPI), Telephony API (TAPI), and Internet Server API (ISAPI). At this layer the software applications communicate with each other: they search for communication partners, determine resource availability and synchronize communication. There are two types of applications at this layer :
TCP/IP applications like WWW, FTP, SMTP and Telnet.
OSI applications. OSI applications are protocols like File Transfer, Access and Management (FTAM), Virtual Terminal Protocol (VTP) and Common Management Information Protocol (CMIP).
The presentation layer translates data coming from or directed to the application layer into a common set of rules. It handles common data representation formats (e.g. JPEG, MPEG), character representation (e.g. EBCDIC, ASCII), encryption/decryption and compression/decompression. These translations make data usable on different computer systems while keeping a common meaning (shared semantics).
The session layer takes care of the establishment, maintenance, synchronization and recovery from failures of communication sessions. In Windows this layer is divided into two halves, the NetBIOS over TCP/IP (NetBT) side and the Windows Sockets (WinSock) side. Most of the utilities and all of the true Unix-derived commands use the WinSock interface, but the old NT commands (the NET commands) still make NetBIOS calls and as such must pass through the NetBIOS interface, NetBT. Most legacy application programs still require the NetBIOS interface, but Windows 2000 is making inroads here.
Depending on the type of application there will be a simplex, half-duplex or full-duplex data flow.
The devices on this level are gateways; protocols are RPC, NFS, SQL, NetBEUI, X Windows, AppleTalk Session Protocol, Zone Information Protocol, Session Control Protocol (DECnet), etc.
The transport layer should provide reliable communications. It guarantees that the data is delivered in the right order and in a reliable manner, e.g. by using error checking and recovery, flow control, multiplexing and virtual circuit management. At this level the data is split into segments. Flow control manages data transmission between devices so that the transmitting device does not send more data than the receiving device can process. Multiplexing enables data from several applications to be transmitted over a single physical link.
Transport-layer protocols are TCP, UDP and the Name Binding Protocol. The Name Binding Protocol (NBP) associates AppleTalk names with addresses.
Physical MAC-layer addressing occurs at the data link layer, logical addressing at the network layer, and the transport layer concerns itself with service addressing. Service addressing identifies addresses or ports which point to upper-layer network services. Transport-level addressing also keeps track of the multiple connections or conversations that might occur on a network-attached computer system. It does this by tracking a connection identifier (connection ID, port or socket), or by a transaction identifier (which tracks each request, as opposed to tracking a conversation).
The network layer provides routing between internetworks and provides congestion control. At this layer the first kind of addressing takes place, using logical addresses (e.g. IP addresses). The devices on this layer are routers. Protocols at the network layer are Border Gateway Protocol (BGP), an Internet interdomain routing protocol; Open Shortest Path First (OSPF), a link-state routing protocol; and Routing Information Protocol (RIP).
The data link layer provides reliable transport of data across the physical link. It provides formatting, error detection, link management, data flow control and addressing at the hardware level (MAC address). The data link layer breaks the data into (data link) frames. Devices at this layer are bridges and switches.
The data link layer can be split into two sublayers, Logical Link Control (LLC) and Media Access Control (MAC). The LLC sublayer manages communications between devices over a single link of a network (e.g. frame synchronization, flow control and error checking). The MAC sublayer manages protocol access to the physical network medium by using MAC addresses.
The physical layer accepts data from the data link layer and puts it in the right format for the physical medium. This layer specifies the requirements for the wire such as the voltage levels, connector types, maximum distances and handshake. Devices at this layer are hubs, repeaters, amplifiers and transceivers.
TCP/IP configuration information :
IP address. The IP address is a 32-bit address that identifies the host. It contains a network ID and a host ID; the subnet mask determines where one ends and the other begins.
Subnet mask. Subnets divide large networks into multiple physical networks. A subnet mask blocks out the host part of the address, so that the host can determine whether a target address is on the local network or on a remote network.
Default gateway. The default gateway receives all packets whose destination is not on the local network. It forwards them to the destination host or to another router.
If a DHCP server is not available and the client is configured to obtain an IP address automatically, Automatic Private IP Addressing (APIPA) is used to assign an address. The APIPA service picks an address in the 169.254.0.0/16 range (169.254.0.1 - 169.254.255.254) with a subnet mask of 255.255.0.0. It then probes the address with ARP to check that it is not already in use; if it is free, it is used until a DHCP server becomes available. As APIPA does not provide additional IP information like a default gateway, only machines on the same subnet can communicate. APIPA can be disabled with the following registry value :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>\IPAutoconfigurationEnabled (REG_DWORD). Set the value to 0. By default APIPA is activated. See summary DHCP/APIPA.
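The address, subnet mask and default gateway passages above, as an added example (not code from the original page): how a host uses the mask to split an address into network ID and host ID, how it decides whether a destination is local or has to go to the default gateway, and why an APIPA host (no gateway) can only reach its own subnet. All addresses are constructed; only the Python standard library is used.

```python
"""Added example, not code from the original page: the local-or-remote decision a
host makes with its IP address, subnet mask and default gateway, plus the APIPA
check.  Standard library only; all addresses below are constructed."""
import ipaddress

# 169.254.0.0/16 is the link-local range APIPA draws its addresses from.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def is_apipa(address):
    """True if `address` was self-assigned by APIPA (no DHCP server answered)."""
    return ipaddress.ip_address(address) in APIPA_NET


def split_address(address, subnet_mask):
    """Return (network ID, host ID) as dotted strings: the mask selects the
    network bits, its complement selects the host bits."""
    addr = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(subnet_mask))
    network_id = addr & mask
    host_id = addr & (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(network_id)), str(ipaddress.IPv4Address(host_id))


def next_hop(local_ip, subnet_mask, destination, default_gateway=None):
    """Where does a packet for `destination` go?

    Both addresses are ANDed with the mask; equal network IDs mean the target
    is on the local network and is delivered directly (ARP for its MAC).
    Otherwise the packet is handed to the default gateway.  An APIPA host has
    no gateway, so anything off its own subnet is unreachable.
    """
    local_net, _ = split_address(local_ip, subnet_mask)
    dest_net, _ = split_address(destination, subnet_mask)
    if local_net == dest_net:
        return "local"
    if default_gateway is None:
        return "unreachable"
    return default_gateway


if __name__ == "__main__":
    host_ip, mask, gateway = "192.168.1.10", "255.255.255.0", "192.168.1.1"
    print("network/host:", split_address(host_ip, mask))
    for target in ("192.168.1.77", "10.0.0.5"):
        print(target, "->", next_hop(host_ip, mask, target, gateway))
    apipa_ip = "169.254.12.34"
    print("APIPA?", is_apipa(apipa_ip), "->", next_hop(apipa_ip, "255.255.0.0", "10.0.0.5"))
```

The same mask comparison is what the ping sequence later on this page exercises step by step: loopback, own address, gateway, remote host.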
Utilities for troubleshooting TCP/IP :
PING (Packet InterNet Groper)
Verifies configurations and tests connections by sending ICMP echo requests and waiting for echo replies. A missing reply does not prove a host is down: ICMP echo is often filtered on firewalls and hosts.
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list
Options:
-t. Ping the specified host until stopped.
-a. Resolve addresses to hostnames.
-n count. Number of echo requests to send.
-l size. Send buffer size.
-f. Set Don't Fragment flag in packet.
-i TTL. Time To Live.
-v TOS. Type Of Service.
-r count. Record route for count hops.
-s count. Timestamp for count hops.
-j host-list. Loose source route along host-list.
-k host-list. Strict source route along host-list.
-w timeout. Timeout in milliseconds to wait for each reply.
ARP (Address Resolution Protocol)
Displays and modifies the ARP cache, which holds locally resolved IP addresses and their physical (MAC) addresses. If you cannot ping a machine on the local subnet, use arp -a to check the cache and arp -d to flush it.
Usage:
ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]
-a. Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
-g. Same as -a.
inet_addr. Specifies an internet address.
-N if_addr. Displays the ARP entries for the network interface specified by if_addr.
-d. Deletes the host specified by inet_addr. inet_addr may be wildcarded with * to delete all hosts.
-s. Adds the host and associates the internet address inet_addr with the physical address eth_addr. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is static and is not aged out of the cache.
eth_addr. Specifies a physical address.
if_addr. If present, this specifies the internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.
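As an added example (not code from the original page), a parser for the Windows arp -a output shown above and the check that goes with the troubleshooting advice: which IP addresses resolve to the same MAC address. The sample output is constructed, not a real capture.

```python
"""Added example, not code from the original page: a parser for Windows `arp -a`
output plus the check a practitioner makes when a local host stops answering or
the gateway entry looks odd: which IP addresses resolve to the same MAC.  The
sample output is constructed, not a real capture."""
import re
from collections import defaultdict

SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-c0-00-08     dynamic
  192.168.1.20          00-0c-29-3e-1a-77     dynamic
  192.168.1.30          00-50-56-c0-00-08     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

INTERFACE_RE = re.compile(r"^Interface:\s+(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$")


def parse_arp_a(text):
    """Return [(interface_ip, [(ip, mac, type), ...]), ...], one tuple per interface."""
    tables, current = [], None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = (m.group(1), [])
            tables.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            ip, mac, kind = m.groups()
            current[1].append((ip, mac.lower(), kind))
    return tables


def lookup(entries, ip):
    """MAC cached for `ip`, or None if the host has not been resolved (yet)."""
    return next((mac for e_ip, mac, _ in entries if e_ip == ip), None)


def shared_macs(entries):
    """MACs that more than one unicast IP resolves to.  Multicast entries
    (01-00-5e-...) map many IPs to one MAC by design and are ignored."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for iface, entries in parse_arp_a(SAMPLE_ARP_A):
        print(f"Interface {iface}: {len(entries)} entries; gateway MAC {lookup(entries, '192.168.1.1')}")
        for mac, ips in shared_macs(entries).items():
            print(f"  {mac} is claimed by {', '.join(ips)} - check which one is genuine")
```

One MAC behind two unicast addresses can be legitimate (a router with a secondary address, a virtual gateway address), but because ARP replies are unauthenticated it is also exactly what a host answering for the gateway's address looks like. Pinning the gateway with arp -s, as described above, is the page's own mitigation.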
Ipconfig
This utility shows the IP configuration and offers DHCP and DNS functionality; ipconfig /? gives an overview of the various display options. By default it shows the DNS suffix, the IP address, the subnet mask and the default gateway for each network adapter. The utility can also display DHCP information, release and renew DHCP leases, flush and display the DNS resolver cache and re-register the host in DNS.
Usage : ipconfig [/? | /all | /release [adapter] | /renew [adapter] | /flushdns | /displaydns | /registerdns | /showclassid adapter | /setclassid adapter [classidtoset] ]
adapter. Full name or pattern with '*' and '?' to match: * matches any string of characters, ? matches one character.
/?. Display this help message.
/all. Display full configuration information.
/release. Release the IP address for the specified adapter.
/renew. Renew the IP address for the specified adapter.
/flushdns. Purges the DNS resolver cache.
/registerdns. Refreshes all DHCP leases and re-registers DNS names.
/displaydns. Displays the contents of the DNS resolver cache.
/showclassid. Displays all the DHCP class IDs allowed for the adapter.
/setclassid. Modifies the DHCP class ID.
Nbtstat
Displays statistics and connections for NetBIOS over TCP/IP. You can use nbtstat -RR to re-register all entries in WINS. Note that nbtstat -A works against any host that answers on UDP port 137 and returns its name table, which is why the NetBIOS name service is commonly blocked at the perimeter.
Usage : NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
-a RemoteName. (adapter status) Lists the remote machine's name table given its name.
-A IP address. (adapter status) Lists the remote machine's name table given its IP address.
-c. (cache) Lists NBT's cache of remote [machine] names and their IP addresses.
-n. (names) Lists local NetBIOS names.
-r. (resolved) Lists names resolved by broadcast and via WINS.
-R. (reload) Purges and reloads the remote cache name table.
-S. (sessions) Lists the sessions table with the destination IP addresses.
-s. (sessions) Lists the sessions table, converting destination IP addresses to computer NetBIOS names.
-RR. (release refresh) Sends name release packets to WINS and then starts a refresh.
RemoteName. Remote host machine name.
IP address. Dotted decimal representation of the IP address.
interval. Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.
Netstat
Displays TCP/IP statistics and connections. Use netstat -a to view all connections and listening ports; netstat -e gives an overview of Ethernet statistics. Combine with -n to skip name lookups and get plain addresses and port numbers.
Usage : NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a. Displays all connections and listening ports.
-e. Displays Ethernet statistics. This may be combined with the -s option.
-n. Displays addresses and port numbers in numerical form.
-p proto. Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP or IP.
-r. Displays the routing table.
-s. Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
interval. Redisplays selected statistics, pausing interval seconds between each display.
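As an added example (not code from the original page), a parser for netstat -an output that turns the listing into the two things a reviewer wants from it: the ports the host actually accepts traffic on, and which of those are not on an expected list. The sample output is constructed, not a real capture, and the allowed-port list is an assumption for the demo.

```python
"""Added example, not code from the original page: a parser for `netstat -an`
output that lists the ports a Windows host is actually listening on and flags
those not on an expected list.  The sample output below is constructed, not a
real capture; the allowed-port list is an assumption for the demo."""
import re

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    192.168.1.10:137       *:*
"""

# Proto, local addr:port, foreign addr(:port), optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        proto, local_addr, local_port, foreign, state = m.groups()
        rows.append({"proto": proto, "local_addr": local_addr,
                     "local_port": int(local_port), "foreign": foreign,
                     "state": state or ""})
    return rows


def listening_ports(rows):
    """Sockets that accept inbound traffic: TCP in LISTENING, and every UDP
    socket (UDP is connectionless, so netstat shows no state for it)."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["proto"] == "UDP" or r["state"] == "LISTENING"})


def established_connections(rows):
    """(local port, foreign endpoint) for every established TCP connection."""
    return [(r["local_port"], r["foreign"]) for r in rows if r["state"] == "ESTABLISHED"]


def unexpected_listeners(rows, allowed):
    """Listening ports not in `allowed`: the starting point for a 'what is this?' check."""
    return [p for p in listening_ports(rows) if p not in allowed]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    # Assumed baseline for a Windows 2000 member server: RPC, NetBIOS, SMB, SNMP.
    allowed = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 161)}
    print("listening:", listening_ports(rows))
    print("established:", established_connections(rows))
    print("unexpected:", unexpected_listeners(rows, allowed))
```

The listening set is also the natural input for the Permit Only lists of TCP/IP filtering described at the end of this page: everything the host must serve goes on the list, everything else is dropped.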
Pathping
This utility, new in Windows 2000, is a combination of ping and tracert. It traces the route to a host and then measures packet loss and latency at each hop over a period of time.
Usage: pathping [-n] [-h maximum_hops] [-g host-list] [-p period] [-q num_queries] [-w timeout] [-T] [-R] target_name
-n. Do not resolve addresses to hostnames.
-h maximum_hops. Maximum number of hops to search for target.
-g host-list. Loose source route along host-list.
-p period. Wait period milliseconds between pings.
-q num_queries. Number of queries per hop.
-w timeout. Wait timeout milliseconds for each reply.
-T. Test connectivity to each hop with Layer-2 priority tags.
-R. Test if each hop is RSVP aware.
Route
Displays or modifies the routing table. ROUTE PRINT shows the table; ROUTE ADD adds a route, and the -p option makes an added route persistent across reboots.
Usage: ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]]
-f. Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
-p. When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. Ignored for all other commands, which always affect the appropriate persistent routes. This option is not supported in Windows 95.
PRINT. Prints a route.
ADD. Adds a route. Usage: ROUTE ADD destination MASK netmask gateway
DELETE. Deletes a route.
CHANGE. Modifies an existing route.
destination. Specifies the host or network.
MASK. Specifies that the next parameter is the netmask value.
netmask. Specifies a subnet mask value for this route entry. If not specified, it defaults to 255.255.255.255.
gateway. Specifies the gateway.
interface. The interface number for the specified route.
METRIC. Specifies the metric, i.e. the cost for the destination.
Hostname
Returns the local computer's host name. The name is used for authentication by the Remote Copy (RCP), Remote Shell (RSH) and Remote Execution (REXEC) utilities.
Tracert
Checks the route to a remote system. It sends packets with increasing TTL (Time To Live) values, starting at 1; each router on the path decrements the TTL and, when it reaches zero, discards the packet and returns an ICMP Time Exceeded message, which reveals that router's address. The target itself answers the final probe.
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
-d. Do not resolve addresses to hostnames.
-h maximum_hops. Maximum number of hops to search for target.
-j host-list. Loose source route along host-list.
-w timeout. Wait timeout milliseconds for each reply.
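As an added example (not code from the original page), a simulation of the TTL mechanism tracert relies on: probes with TTL 1, 2, 3, ... travel along a constructed path of routers, each decrements the TTL, and the router that takes it to zero answers with ICMP Time Exceeded. It also shows the failure mode every practitioner meets, a hop that does not answer and shows up as an asterisk. The path and addresses are constructed; nothing is sent on the network.

```python
"""Added example, not code from the original page: a simulation of how tracert
uses the TTL field and ICMP Time Exceeded messages to discover the routers on a
path.  The path and addresses are constructed; nothing is sent on the network."""

# Constructed path from the host to the target: default gateway, two routers, target.
PATH = ["192.168.1.1", "10.0.0.1", "172.16.0.1", "203.0.113.10"]


def send_probe(path, target, ttl, silent=frozenset()):
    """Forward one probe along `path` with the given TTL and return the reply.

    Every router decrements the TTL; the router that takes it to zero discards
    the probe and answers with ICMP Time Exceeded (type 11), unless it is
    configured not to (`silent`), in which case tracert sees a time-out (*).
    The target itself answers the probe with an ICMP Echo Reply (type 0).
    """
    for hop in path:
        if hop == target:
            return ("echo-reply", hop)
        ttl -= 1
        if ttl == 0:
            if hop in silent:
                return ("timeout", None)
            return ("time-exceeded", hop)
    return ("timeout", None)


def tracert(path, target, max_hops=30, silent=frozenset()):
    """Return the discovered hop addresses in order (None where a hop stayed
    silent), stopping as soon as the target itself replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, who = send_probe(path, target, ttl, silent)
        hops.append(who)
        if kind == "echo-reply":
            break
    return hops


if __name__ == "__main__":
    # Second router filters ICMP Time Exceeded, as many do: it shows as "*".
    for n, hop in enumerate(tracert(PATH, "203.0.113.10", silent={"10.0.0.1"}), start=1):
        print(f"{n:3}  {hop if hop else '*'}")
```

A silent hop in the middle of an otherwise complete trace is normal; a trace that stops answering from some hop onward and never reaches the target is the case where the -h limit (max_hops) is what ends the run.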
FTP = Bidirectional file transfers
FTP [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [-A] [host]
-v. Suppresses display of remote server responses.
-n. Suppresses auto-login upon initial connection.
-i. Turns off interactive prompting during multiple file transfers.
-d. Enables debugging.
-g. Disables filename globbing (see GLOB command).
-s:filename. Specifies a text file containing FTP commands; the commands will automatically run after FTP starts.
-a. Use any local interface when binding the data connection.
-A. Login as anonymous.
-w:buffersize. Overrides the default transfer buffer size of 4096.
host. Specifies the host name or IP address of the remote host to connect to.
TFTP = Bidirectional file transfers (Trivial File Transfer Protocol)
TFTP [-i] host [GET | PUT] source [destination]
-i. Specifies binary image transfer mode (also called octet). In binary image mode the file is moved literally, byte by byte. Use this mode when transferring binary files.
host. Specifies the local or remote host.
GET. Transfers the file destination on the remote host to the file source on the local host.
PUT. Transfers the file source on the local host to the file destination on the remote host.
source. Specifies the file to transfer.
destination. Specifies where to transfer the file.
TFTP has no authentication at all; a TFTP server should only be running while it is actually needed.
Telnet = Terminal emulation. Telnet offers terminal emulation sessions to a server. You can restrict access to the Windows 2000 Telnet server by creating a local group called TelnetClients (see Q250908). Note that Telnet, like FTP, TFTP, RCP, RSH, REXEC and Finger, sends credentials and data in clear text over the network.
RCP = Remote Copy Protocol
Copies files between a host and a server supporting RCP.
RCP [-a | -b] [-h] [-r] [host][.user:]source [host][.user:]path\destination
-a. Specifies ASCII transfer mode. This mode converts the EOL characters to a carriage return for UNIX and a carriage return/line feed for personal computers. This is the default transfer mode.
-b. Specifies binary image transfer mode.
-h. Transfers hidden files.
-r. Copies the contents of all subdirectories; destination must be a directory.
host. Specifies the local or remote host. If host is specified as an IP address OR if the host name contains dots, you must specify the user.
user. Specifies a user name to use, rather than the current user name.
source. Specifies the files to copy.
path\destination. Specifies the path relative to the logon directory on the remote host. Use the escape characters (\, " or ') in remote paths to use wildcard characters on the remote host.
RSH = Remote Shell
Runs commands on a Unix host running the rsh daemon; the remote side trusts the calling host and user name (.rhosts), not a password.
RSH host [-l username] [-n] command
host. Specifies the remote host on which to run command.
-l username. Specifies the user name to use on the remote host. If omitted, the logged on user name is used.
-n. Redirects the input of RSH to NULL.
command. Specifies the command to run.
REXEC = Remote execution
Runs a process on a remote computer running the rexec daemon; unlike RSH it prompts for a password.
REXEC host [-l username] [-n] command
host. Specifies the remote host on which to run command.
-l username. Specifies the user name on the remote host.
-n. Redirects the input of REXEC to NULL.
command. Specifies the command to run.
Finger
Retrieves information about users from a remote computer that supports TCP/IP and runs the finger service.
FINGER [-l] [user]@host [...]
-l. Displays information in long list format.
user. Specifies the user you want information about. Omit the user parameter to display information about all users on the specified host.
@host. Specifies the server on the remote system whose users you want information about.
You can use the ipconfig utility to check the TCP/IP settings. If the IP address is initialized but is already in use by another host, ipconfig shows a subnet mask of 0.0.0.0 for that adapter.
To check the IP configuration, take the following steps :
· ipconfig (/all)
· Ping 127.0.0.1 (loopback address) to verify that IP is installed correctly and bound to the adapter.
· Ping the IP address of the computer itself to check that the IP address is not duplicated on the network.
· Ping the IP address of the default gateway.
· Ping a remote host (on another subnet).
The main performance improvements of TCP/IP in Windows 2000 are :
· Large window support. The TCP receive window size is the amount of receive data (in bytes) that can be buffered at one time on a connection. The sending host can send only that amount of data before waiting for an acknowledgment (ACK) and window update from the receiving host. Within Windows NT 4.0 this size was fixed; within Windows 2000 the window size is dynamically recalculated and increased if a large number of packets is transmitted in a long session. By default window scaling (RFC 1323, windows larger than 64 KB) is turned off and has to be activated in the registry, but the default window size within Windows 2000 is roughly 16 KB, in Windows NT 4.0 8 KB.
· Selective acknowledgments. In NT 4.0 a sending host had to retransmit every segment sent after a lost one. With selective acknowledgments (SACK, RFC 2018) in Windows 2000 the receiver reports which segments did arrive, so only the missing segments have to be retransmitted.
· Round trip time estimation. Windows 2000 uses better round trip time estimation. The RTT is the estimated time it takes for a segment to travel from the sender to the receiver and for the acknowledgment to come back. This time is used to calculate retransmission time-outs.
· IPSec support. See summary IPSec.
· Generic Quality of Service. GQoS offers different bandwidths to applications. It uses the Resource Reservation Protocol (RSVP) and the Subnet Bandwidth Manager protocol (SBM).
The NWLink protocol is Microsoft's implementation of Novell's IPX/SPX. It is mostly used in environments where Microsoft clients have to access Novell servers prior to NetWare 5, or where NetWare clients need to access Microsoft servers. The protocol is routable.
The protocol must be customized by entering an internal network number (normally 00000000) and a frame type. The frame type can be auto-detected. Supported frame types are :
· Ethernet 802.2 (default for NetWare 3.12 or later)
· Ethernet 802.3 (default for NetWare 2.x and 3.11)
· Ethernet II
· Ethernet SNAP
When manually specifying a frame type you also have to enter the (external) network number, which must be unique for each combination of segment and frame type.
IPX = Internetwork Packet Exchange
SPX = Sequenced Packet Exchange
Windows 2000 supports Winsock and NetBIOS over IPX. It also provides File and Print Services for NetWare (FPNW). When configuring NWLink, the following components should be customized :
Frame type. A frame type defines the way a network adapter card formats data. The NWLink frame type of a client must match the type the server uses. (Different types are possible if the server is a router, but it is inefficient.) The following topologies and frame types are supported :
Ethernet: Ethernet II, 802.3, 802.2 and Sub Network Access Protocol (SNAP)
Token ring: 802.5 and SNAP
FDDI: 802.2 and SNAP
Default for NetWare 2.2 and 3.11 on Ethernet is 802.3; default for NetWare 3.12 and later on Ethernet is 802.2. Windows 2000 automatically detects the frame type; if 802.2 is detected, it is used.
Network number. All computers on the same network using the same frame type must have an identical network number to communicate. Windows 2000 will detect this automatically. The value can be changed in the registry. Use ipxroute config to display the network number, frame type and device in use.
Internal network number. An internal network number identifies a computer on the network for internal routing. It is an eight-digit hexadecimal number that provides an internal virtual network in the computer. It should be used if :
· FPNW is installed and there are multiple frame types on a single adapter.
· FPNW is installed and NWLink is bound to multiple adapters.
· An application is using the NetWare Service Advertising Protocol (SAP).
NetBEUI (NetBIOS Extended User Interface) is a protocol for small LANs. It is self-configuring and self-tuning and does not use much memory. Its main disadvantages are that it is not routable and that it is broadcast based. On a small LAN NetBEUI is generally the fastest of the three (NetBEUI, NWLink, IP) because it has the least overhead.
NetBIOS Frame (NBF) is the term Microsoft uses in documentation to refer to NetBEUI installed on a Windows 2000 computer. Windows 2000 uses NetBEUI version 3.0. This protocol provides compatibility with existing implementations of NetBEUI on Microsoft and non-Microsoft products. The main improvements are an unlimited number of NetBIOS sessions (the original specification was limited to 254 sessions), support for dial-up connectivity via NetBEUI, and enhanced memory management features.
Although NetBEUI itself cannot be routed, the NetBIOS interface it carries can be transported over routable protocols: NetBIOS over TCP/IP (NetBT) and NetBIOS over IPX/SPX, and NetBEUI frames can be tunnelled inside PPTP or L2TP connections, so that NetBIOS applications are not limited by the inability to route NetBEUI across network segments.
NetBEUI is not supported on Windows XP and can only be installed via a work-around :
· Copy nbf.sys from the \Valueadd\MSFT\Net\NetBEUI folder on the Windows XP CD to the %systemroot%\System32\Drivers folder.
· Copy Netnbf.inf to the %systemroot%\Inf folder.
· Open the Network Connections folder and right-click the connection on which NetBEUI should be available.
· Select Properties - General tab - Install - Protocol - Add.
· Select NetBEUI and restart the computer after clicking OK.
NetBIOS over TCP/IP (NetBT) is detailed in RFC 1001 and RFC 1002 and uses UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service). The Windows 2000 Workstation service and the Windows 2000 Server service (as well as a few others) use NetBT for communication with older Windows clients, such as Windows 98 and Windows NT 4.0. Windows 2000 also supports direct hosting of SMB over TCP port 445, using DNS names rather than legacy NetBIOS name resolution. In an environment where only Windows 2000 machines exist, the NetBT interface can be disabled to force clients and servers to use direct hosting, which also removes the NetBIOS name, datagram and session ports from the machine's exposed surface.
DLC (Data Link Control) is used to communicate with other computers running the DLC protocol stack, like IBM AS/400 systems. It is a non-routable protocol. It is also required to connect to some devices that attach directly to the network, like some older network printers. In that case the DLC protocol should be installed on the print server.
The AppleTalk protocol can be used to let Windows 2000 act as a router or dial-up server for Macintosh computers. When the protocol is installed it also gives the ability to connect to Macintosh printers. To share folders or printers for Macintosh clients, the File Services for Macintosh (AFP) are needed.
Network monitor is a utility that can be used to troubleshoot network problems. It can log network activity that can be analyzed or stored within a file. This activity is measured on the data-link layer but some application layer data traffic like http and ftp can also be analyzed. To use network monitor you need to install the Network monitor and a Network monitor driver. Both can be installed via Add/Remove programs, Windows components, Management and monitor tools, Network monitor tools. Installing the network monitor will add a Network segment object to the system monitor.
In Windows XP the network monitor is only available via the support tools. It can be started with various options via netcap /?.
The network bindings bind the adapters to the protocols and the protocols to the services. One adapter or service can be bound to several protocols. It is also possible to specify the binding order to give priority to the most used protocol.
Address classes :
Class A    first octet 1 - 126      default mask 255.0.0.0
Class B    first octet 128 - 191    default mask 255.255.0.0
Class C    first octet 192 - 223    default mask 255.255.255.0
Class D    first octet 224 - 239    multicasting
Class E    first octet 240 - 255    experimental use
(First octet 0 and 127 are reserved; 127.x.y.z is the loopback network.)
The Simple Network Management Protocol (SNMP) can be used to manage systems remotely. You can install an SNMP agent via Add/Remove Programs, Windows Components, Management and Monitoring Tools, Simple Network Management Protocol. This installs an agent that informs SNMP management systems via a trap when a certain event occurs. The SNMP manager (a third-party tool like HP OpenView or BMC Patrol) can request information about e.g. DHCP, IIS or WINS from SNMP agents by sending an SNMP request. The community name that authenticates these requests travels in clear text, so change the default community, give it read-only rights and restrict the hosts from which the agent accepts packets in the SNMP service properties. Additionally, installing SNMP adds new objects like DHCP, FTP, ICMP, Internet Information Server, IP, Network Interface, TCP, UDP and WINS to Performance Monitor.
There are two ways to secure IP packets : TCP/IP filtering (below) and IPSec (see summary IPSec).
TCP/IP filtering can control incoming data by port (TCP/UDP) and by IP protocol number. You can activate this setting via the TCP/IP properties, Advanced button, Options tab, and set filters based on the TCP port number, the UDP port number and the IP protocol number. Each of the three lists is either Permit All or Permit Only the entries listed. By default TCP/IP filtering is not enabled; when it is enabled it applies to inbound traffic on all adapters.
Using filters requires a good knowledge of the well-known protocol ports. The historic list is RFC 1700 (since replaced by the online IANA registry). If you need a quick reference for the port and protocol numbers, check the %systemroot%\system32\drivers\etc directory: the file called services contains the port numbers and the file called protocol the IP protocol numbers. Note also that filters can be enabled through the Group Policy editor.
You cannot block the TCP, UDP, ICMP, IGMP or IPSec protocols themselves via TCP/IP filtering; TCP and UDP are controlled only through their port lists.
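As an added example (not code from the original page), a model of the filtering rules described above: three lists that are each Permit All or Permit Only, applied to inbound packets, with the exception the text states (ICMP, IGMP and IPSec cannot be blocked, and TCP and UDP are governed only by their port lists). The policy values are constructed for the demo; the protocol numbers are the standard IANA assignments.

```python
"""Added example, not code from the original page: a model of the Windows 2000
TCP/IP filtering rules (Permit All / Permit Only lists for TCP ports, UDP ports
and IP protocol numbers) applied to inbound packets.  The policy values below
are constructed; the protocol numbers are the standard IANA assignments."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ICMP, IGMP, TCP, UDP, GRE, ESP, AH = 1, 2, 6, 17, 47, 50, 51

# Per the text above: TCP/IP filtering cannot block ICMP, IGMP or IPSec (AH/ESP),
# and TCP and UDP as protocols are governed only by their port lists.
NOT_FILTERABLE = frozenset({ICMP, IGMP, ESP, AH})


@dataclass(frozen=True)
class FilterPolicy:
    """None models 'Permit All'; a frozenset models 'Permit Only' those values."""
    tcp_ports: Optional[FrozenSet[int]] = None
    udp_ports: Optional[FrozenSet[int]] = None
    ip_protocols: Optional[FrozenSet[int]] = None


def permit_only(listeners):
    """Build a Permit Only policy from (proto, port) pairs, e.g. the ports a
    netstat -an review showed the host must serve.  Anything not listed,
    including every other IP protocol, is dropped."""
    return FilterPolicy(
        tcp_ports=frozenset(port for proto, port in listeners if proto == "TCP"),
        udp_ports=frozenset(port for proto, port in listeners if proto == "UDP"),
        ip_protocols=frozenset(),
    )


def permits_inbound(policy, ip_protocol, dst_port=None):
    """Decide whether an inbound packet passes the filter."""
    if ip_protocol in NOT_FILTERABLE:
        return True
    if ip_protocol == TCP:
        return policy.tcp_ports is None or dst_port in policy.tcp_ports
    if ip_protocol == UDP:
        return policy.udp_ports is None or dst_port in policy.udp_ports
    return policy.ip_protocols is None or ip_protocol in policy.ip_protocols


if __name__ == "__main__":
    # Assumed baseline for a Windows 2000 member server: RPC, NetBIOS, SMB, SNMP.
    policy = permit_only([("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 161)])
    probes = [("TCP/445 SMB", TCP, 445), ("TCP/31337", TCP, 31337), ("UDP/53 DNS", UDP, 53),
              ("ICMP echo", ICMP, None), ("GRE (PPTP data)", GRE, None)]
    for label, proto, port in probes:
        print(f"{label:16} -> {'permit' if permits_inbound(policy, proto, port) else 'drop'}")
```

The GRE case is the one that bites in practice: a Permit Only IP protocol list with nothing on it silently breaks PPTP (GRE, protocol 47) into the host, while ICMP keeps flowing whatever the list says, so filtering is no substitute for IPSec policies where ICMP itself has to be controlled.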
Last update : 12 January 2003