Home > Articles > Cisco Certification > CCNP > Shooting Trouble with IP

Shooting Trouble with IP

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Jul 11, 2003.

Chapter Description

As more and more companies are adopting IP-based networks, the jobs of network engineers and analysts are becoming more demanding. Learn about IP protocols and packets, addressing, and routing protocol topics to get you started with IP troubleshooting.

Protocols and Packets

This section covers some of the protocols, applications, and utilities at each layer of the TCP/IP suite that may assist you with supporting day-to-day internetworks. First the Internet Layer is discussed, then the Transport Layer, and finally the Application Layers. Each layered subsection contains protocol analysis and packet captures, including a review of the packet headers, to help you better understand the packet traces and prepare you for troubleshooting on your own.

Table 3-2 and the following subsections provide a layered perspective of many of the TCP/IP-related protocols, applications, and utilities.


The asterisk (*) next to the protocols in Table 3-2 is just to draw your attention to the fact that protocols and applications are written to perform functions. The * denotes that these particular protocols, applications, and utilities are generally classified at Layer 3 (as discussed in the previous chapters). Although I hesitate to bring it up because it is such a point of contention, OSPF and EIGRP are not transports; they are routing protocol (applications). They run as independent processes/applications. As with all applications, the developer can decide to use Transport Control Protocol (TCP) or User Datagram Protocol (UDP) or to create his/her own. The latter was done for both of these. ARP is similar in this regard; it is not a Network Layer protocol. It is an application that bolts directly onto the Data Link Layer. Therefore, it would be more accurate to say that the intervening layers are skipped. A whole different way to characterize these message types is as control plane, management plane, and data plane. This is why I suggested you read the RFCs in the first chapter. However, my objective here is to briefly review the protocols, applications, and utilities and use a protocol analyzer to analyze the layers for troubleshooting purposes.

Table 3-2 TCP/IP Protocols, Applications, and Utilities


ISO's OSI Model

DoD TCP/IP Suite

Protocols, Applications, and Utilities






















Data Link

Data Link

Ethernet, Token Ring, FDDI, Frame Relay, ATM, ISDN, HDLC, over various media types





Frame Types

Encapsulation, frame format, frame type—they all mean the same thing, which is packaging the upper-layer data, voice, or video into an Layer 2 frame. See Chapter 4, "Shooting Trouble with Novell IPX," and the detailed Layer 2 LAN and WAN chapters for frame type information. Part III of this book covers supporting Ethernet, switches, and virtual LANs (VLANs) and Part IV is about supporting the WAN.

Internet Layer Protocols, Applications, and Utilities

Internet protocols such as those listed in the Table 3-2 are well suited for LAN and WAN heterogeneous communications. The Internet suite of protocols includes not only TCP and IP but also many upper-layer applications and utilities for file, print, messaging, database, and other common practical services.

Ensure that your lab is up and running properly so that you spend your efforts on what happens behind the scenes when hosta pings hostc from an IP standpoint. In this section, you turn on your Sniffer on segment 1 and at least capture a ping from hosta to hostc so that you can walk through the fields in the IP header.

Example 3-26 lists in bold the recommended steps to perform from hosta while capturing the packets with Sniffer Pro or the protocol analyzer you are using for your lab.

Example 3-26 Steps Performed on hosta While Capturing the Packets with Sniffer Pro

Pinging with 32 bytes of data:
Request timed out.
Reply from bytes=32 time=20ms TTL=126
Reply from bytes=32 time=10ms TTL=126
Reply from bytes=32 time=10ms TTL=126
Ping statistics for
  Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
  Minimum = 10ms, Maximum = 20ms, Average = 10ms
Pinging with 32 bytes of data:
Reply from bytes=32 time=10ms TTL=126
Reply from bytes=32 time=10ms TTL=126
Reply from bytes=32 time=10ms TTL=126
Reply from bytes=32 time=20ms TTL=126
Ping statistics for
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
  Minimum = 10ms, Maximum = 20ms, Average = 12ms
Tracing route to HOSTC []
over a maximum of 30 hops:
 1  10 ms  <10 ms  <10 ms
 2  20 ms  20 ms  20 ms
 3  20 ms  30 ms  30 ms HOSTC []
Trace complete.
Tracing route to HOSTC []
over a maximum of 30 hops:
 0 HOSTA []
 3 HOSTC []
Computing statistics for 75 seconds...
      Source to Here  This Node/Link
Hop RTT  Lost/Sent = Pct Lost/Sent = Pct Address
 0                      HOSTA []
                0/ 100 = 0%  |
 1  0ms   0/ 100 = 0%   0/ 100 = 0%
                0/ 100 = 0%  |
 2  20ms   0/ 100 = 0%   0/ 100 = 0%
                0/ 100 = 0%  |
 3  20ms   0/ 100 = 0%   0/ 100 = 0% HOSTC []
Trace complete.
C:\>arp -a
Interface: on Interface 0x1000005
 Internet Address   Physical Address   Type      00-00-0c-8d-67-05   dynamic

Table 3-3 lists the fields of the IP header (packet or datagram), and Figure 3-5 shows the first significant ping lines of the Sniffer packet capture of hosta pinging hostc. Refer to the file chapter 3 ping from hosta to hostc sniffer capture.


The practical studies lab-based nature of the rest of the material in this book assumes some basic knowledge of shooting trouble and working with tools. As necessary, refer back to the Chapter 1 encapsulation topic to review the way data is packaged in an IP packet. For a review of the Sniffer Pro interface and how to use the tool, refer back to Chapter 2, "What's in Your Tool Bag?"

Table 3-3 The IP Header (Packet or Datagram)






Version of IP.

Header length


Length in 32-bit words (HLEN).

Priority and TOS

8 (more detail)

Datagram handling for the upper-layer protocol (delay, throughput, reliability, and cost).

Total length


Maximum length of datagram is 65535 bytes (data and header).






Identifies smaller fragments that need to be re-assembled back into the same packet.



Specify whether packet can be fragmented and whether there are any more fragments.

Fragment offset


The order (byte count) of the fragment in the big packet for re-assembly purposes.



Time-to-live for the packet. When it decrements to 0, the packet is discarded. Keeps packets from looping forever.



Pointer to the upper-layer protocol.

Header checksum


For header integrity.

Source IP address


32-bit sending node.

Destination IP address


32-bit receiving node.



Allows IP to support such options as security, testing, or debugging.



The actual data and upper-layer information.

Figure 05Figure 3-5 Hosta ARPs the Router

View the summary pane to be aware of the general packet flow when hosta initiated a ping to hostc in Figure 3-5. Hosta is on network, and hostc is on network, so hosta relied on its default gateway (local router interface) in which to hand the packets. Line 28 shows the local ARP request as a broadcast command, and line 29 shows the unicast ARP response from (default gateway). Compare this to the arp –a output on hosta back in Example 3-26. Lines 30 to 37 illustrate the ICMP Echo Requests and Echo Replies. Normally, Microsoft hosts issue four requests and four replies, whereas Cisco routers give you five by default. However, there are not four replies here. Look back at Example 3-26 to analyze why.

Move along to the Echo Request packet on line 32 in Figure 3-6. Notice how I sized my windows to see more of the detailed IP header. These are the same fields that are in Table 3-3. Compare them one-by-one until you are comfortable with the IP packet structure (although this will not be your last chance to do this). Also note the differences between the Echo Request and the Echo Reply packet. Figure 3-7 displays the output of an Echo Reply.

Figure 06Figure 3-6 Analyzing the IP Header of an Echo Request Packet

Figure 07Figure 3-7 Analyzing the IP Header of an Echo Reply Packet

The main differences you should have noted in the Sniffer traces include the following:

  • The source and destination MAC addresses are reversed per the Data Link Control (DLC) header.

  • The source and destination IP addresses are reversed per the IP header.

  • The Internet Control Message Protocol (ICMP) type is 8 for the Echo Request and 0 for the Echo Reply per the ICMP header.

Real-world packet analysis should make you a little more comfortable with how IP works, but I'll certainly test that out in the upcoming Trouble Tickets. IP is the main protocol at the Internet Layer that has helpers such as ARP and ICMP to assist it with its duties. ARP is for resolving an IP address to a MAC address, whereas Reverse Address Resolution Protocol (RARP) is for resolving a MAC address to an IP address. ICMP is for status and error reporting. Look back at Example 3-26 to see the status lines, such as Reply from..., and the error reporting, such as Request timed out. Obviously, this is why you didn't have four successful replies in the protocol analyzer capture. Also note in the Example that is nowhere to be found in the ARP cache; instead, the default gateway IP and MAC address is there. Example 3-27 displays the e0 interface on r1 so that you can compare this information. Also note that r1 has hosta in its IP and ARP cache.

Example 3-27 r1 Ethernet 0 IP and MAC Addresses

r1#show interfaces ethernet 0
Ethernet0 is up, line protocol is up 
 Hardware is Lance, address is 0000.0c8d.6705 (bia 0000.0c8d.6705)
 Description: e0 to hosta and hostb
 Internet address is
 MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
 Encapsulation ARPA, loopback not set, keepalive set (10 sec)
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output 00:00:09, output hang never
 Last clearing of "show interface" counters never
Queueing strategy: fifo
 Output queue 0/40, 0 drops; input queue 1/75, 0 drops
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
   2358 packets input, 361385 bytes, 0 no buffer
   Received 1949 broadcasts, 0 runts, 0 giants, 0 throttles
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
   0 input packets with dribble condition detected
   2889 packets output, 320787 bytes, 0 underruns
   0 output errors, 11 collisions, 2 interface resets
   0 babbles, 0 late collision, 15 deferred
   0 lost carrier, 0 no carrier
   0 output buffer failures, 0 output buffers swapped out
r1#show ip cache
IP routing cache 1 entry, 172 bytes
  5 adds, 4 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
  quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Prefix/Length     Age    Interface    Next Hop     03:02:54 Ethernet0
r1#show arp
Protocol Address           Age (min) Hardware Addr  Type  Interface
Internet      34        0010.4ba5.ae50 ARPA  Ethernet0
Internet       -         0000.0c8d.6705 ARPA  Ethernet0
Internet       -         0000.0c8d.6706 ARPA  Ethernet1
Internet       42        0000.0c38.a05d ARPA  Ethernet1


ARP is dynamic in nature, but once in a while in troubleshooting you may need to manually clear an entry or two. On a router, clear arp-cache does not truly clear the table; instead, it refreshes the entire table, and depending on the number of entries this could be more of an impact than you intend. Use shut / no shut to remove the entries associated with a given interface. On a Windows-based machine, the command is arp -d ip address to remove a particular address.

I want to continue the layered approach to discussing TCP/IP, so next the discussion moves up the stack to the Transport Layer. After I discuss the Transport and Application Layers, I spend a bit more time on addressing and protocols before venturing into the Trouble Tickets.

Transport (Host-to-Host) Layer Protocols, Applications, and Utilities

Recall from the OSI model in Chapter 1, the Transport Layer is all about host-to-host delivery. TCP and UDP are the Transport Layer twins. TCP is connection-oriented (logical connection) and reliable (ACKs).

UDP, like IP at the Internet Layer, is connectionless and unreliable; therefore it relies on the upper layers for reliability. TCP is like the certified mail protocol, whereas UDP is like the regular mail (or better yet, bulk mail) protocol.

UDP is connectionless, which means it does not require an established connection before communications can occur. It is unreliable at the Transport Layer, which means that its reliability is left up to the application. Compare the TCP and UDP packet formats in Tables 3-4 and 3-5.


Perhaps the word unreliable is a bit harsh for UDP. What I mean is that UDP is not reliable because it has no built-in mechanism to detect and overcome errors, so it must hand off to an upper-layer protocol to perform that task.

Table 3-4 The TCP Segment




Source Port


Sending port.

Destination Port


Receiving port.

Sequence Number


Tracks byte transfer.

Acknowledgment Number


Confirms byte transfer. Forward referenced and expectational in that it contains the sequence number of the next byte expected.

Data Offset


Number of 32-bit words in the header.



For future use.


6 flags of TCP

Synchronization (SYN)
Acknowledgement (ACK)
Finish (FIN)
Push (PSH)
Urgent (URG)
Reset (RST)

Window Size


How many bytes are sent per segment. Size of sender's receive window. Incoming buffer space. (How many pizzas can you put in the warming bag if you are the delivery person?)



Sender generates and receiver verifies to see whether the header was damaged in transit.

Urgent Pointer


Points to first urgent data byte, such as Ctrl+Z to end urgent data.



Various options must end on a 32-bit boundary, and padding guarantees this.



Upper-layer information.

Table 3-5 The UDP Datagram




Source Port


Sending port

Destination Port


Receiving port

UDP Length


Data and header






Upper-layer information

The 20-byte TCP header is a lot more sophisticated than the 8-byte UDP header, as you will again confirm with Sniffer. First, open the previous Sniffer Pro trace where you issued the ping and tracert commands in Example 3-26. I named my file chapter 3 ping from hosta to hostc sniffer capture. Use this file to analyze the layers or refer to Figure 3-8, in which I emphasize the layers of a RIP packet.

Although the focus in this subsection is the Transport Layer, remember that each layer depends on the functionality of another layer to carry out communications. The Sniffer trace certainly illustrates that. For example, the RIP packet at the Data Link Layer is a good example of multicast communications. RIPv2 works via multicast address 01005E000009 at Layer 2, whereas RIPv1 works via broadcast, which would be shown as all Fs at Layer 2. The EtherType is 0800, which tells the Data Link Layer to hand off to IP at the Internet Layer for further processing.

Review the IP header fields—Version, Header length, TOS, Total length, Identification, Flags, Fragment offset, TTL, Protocol, Checksum, Addresses, and Options. The IP header contains the Protocol field to hand off to at the next layer in the stack. In Figure 3-8, for example, the protocol number is 17, which means to hand up to UDP. The source address is the Ethernet 0 interface on r1, and the destination is again the reserved multicast address of for RIPv2, but this time at the Internet Layer.

IANA has reserved addresses from through, such as those in Table 3-6, for local multicasts.

Figure 08Figure 3-8 Analyzing the RIP Packet at Layers 2, 3, and 4

Table 3-6 Local Multicast Addresses

Multicast Address


All systems on this subnet

All routers on this subnet

OSPF routers

OSPF designated routers


Globally scoped addresses from through can be used to multicast data between organizations and across the Internet. An example of an IANA reserved address is for Network Time Protocol (NTP).


Refer to http://www.iana.org/assignments/multicast-addresses for more information and examples.

In addition, IANA owns a block of Ethernet MAC addresses that start with 01:00:5E, where half of the block (0100.5e00.0000 through 0100.5e7f.ffff) is allocated for multicast addresses. In the Ethernet address, 23 bits correspond to the IP multicast group address. Search for "ethernet mac multicast" at Cisco.com to get a detailed explanation and pictures. With this mapping, the upper 5 bits of the IP multicast address are dropped and the resulting address is not unique, which results in different multicast group IDs that all map to the same Ethernet address. The Internet Group Management Protocol (IGMP) dynamically registers individual hosts in a multicast group. The hosts send IGMP messages to their router. The routers listen and periodically send out queries to discover which groups are active or inactive on a particular subnet.

The Transport Layer contains the fields listed Table 3-5 for the UDP datagram. RIP works via UDP port 520, which is clearly revealed here. UDP port 520 is how the Transport Layer hands off to the Application Layer for RIP communications (as discussed in more detail later). For now, look at the details of TCP.

TCP provides end-to-end full-duplex delivery, flow control through windowing, and error-detection and -correction services. Data moves in a continuous byte stream, in which bytes are identified by sequence numbers. TCP hides lower-layer intricacies from the upper layers on the receiving host. It segments and re-assembles data for upper-layer applications based on various port numbers. Unlike UDP, however, a 3-way handshake must occur before communications can begin. This establishes the virtual connection between the two communicating parties (see Figure 3-9).

Figure 09Figure 3-9 The TCP 3-Way Handshake Sequence

A good example of an application that uses TCP is telnet. Try it out and telnet from hosta (at the command prompt) to r1. Capture your results with Sniffer (see Figure 3-10). Save the Sniffer file as chapter 3 telnet from hosta to r1 sniffer capture so that you can refer back to it later. Analyze your own capture or look at my Sniffer trace. It may prove helpful to use the Sniffer output to label the 3-way handshake in Figure 3-9, including flags, ports, sequence, and acknowledgement numbers.

Figure 10Figure 3-10 Analyzing Telnet and the 3-Way Handshake

In the preceding example, hosta was configured with the local router IP address as its default gateway. Because of this, hosta sent an ARP request packet to its default gateway to learn the MAC address of the Ethernet 0 interface on r1. The command arp –a on the host would have shown this, whereas show ip arp is the command on the router. ARP frames are not part of the 3-way handshake or TCP session, but are certainly required for hosta to transmit data.

Study TCP in the Sniffer capture and drawing. It is often referred to as the 3-way handshake. Step 1 of the 3-way handshake (SYN) is like me introducing myself to you and giving you my basic communication parameters so that we can talk. Step 2 is like you saying, "Okay (ACK), Donna, I want to talk, too; here are my communication parameters (SYN)." Step 3 is my okay (ACK) to you. After a 3-way handshake, the two communicating parties are virtually connected and TCP communications can then occur. Some applications require multiple handshakes. A bona fide example is anything involving the World Wide Web (WWW). Every time you click a link on a web page, another TCP session starts. Another example is a phone call. The connection is set up and you talk; then the logical connection is torn down and is available for someone else.

Next look a little closer at the exact packets in the Sniffer capture for the 3-way handshake. You can glean a lot from the summary pane on this one, but the detail pane is shown as well. The shaded line 7 starts the handshake described in Figure 3-9. It shows the SYN from hosta ( to the router ( The source port (S) is random (ephemeral) port number 1079, but the destination port is the well-known port number 23 for telnet.

Ports are places to leave stuff for applications to pick up, as you will continue to see throughout this book. A client typically establishes a port within first 4 bytes of the Transport Layer header. Notice how the ports reverse depending on who is doing the talking, hosta or the router. Line 8 shows the router responding back to hosta with ACK number ...2608, which if you look close is one more than the previous SEQ number of ...2607. The SEQ of Step 2 of the handshake is ...3396. Step 3 of the handshake in line 9 ACKs the previous SEQ number with ...3397. When the TCP session has been established, the numbers increment by the actual number of bytes transferred.

Instead of analyzing the telnet details, I want you to pay attention to the TCP session tear down next. Open your Sniffer capture and refer to the very end of the file as I illustrate in Figure 3-11.

Figure 11Figure 3-11 TCP Session Disconnect

Frame 132 starts the TCP disconnect with the FIN flag from the router. Hosta ACKs in frame 133 and says, "Hey, I am also finished," in frame 134 (FIN). The router gives the final ACK in the last frame. A 4-way disconnect like this is common.

Next I want you to think outside the box a little. What would have happened if the default gateway was not configured on the host or if the router was not local in the preceding testing? You can give me the number one phrase that most support people give, which is, it depends; as usual, however, I'll cringe at that answer. In many cases, however, that is the best answer. Actually, the packets may still get to their destination assuming proxy ARP is enabled on the router and that hosta will ARP for nonlocal destinations.

Proxy ARP helps hosts reach remote subnets without configuring routing or a default gateway. Configuring the host with a smaller subnet mask would make the host ARP for everything and thus send all packets via the router. The router just replies to the host with its MAC address assuming that it is configured to accept and respond to proxy ARP. Obviously, there are security and overhead disadvantages to proxy ARP. The Cisco IOS interface command no ip proxy-arp turns this off and is shown in Example 3-28.

Example 3-28 Proxy ARP

r1#show run interface ethernet 0
interface Ethernet0
 description e0 to hosta and hostb
 ip address
 no ip directed-broadcast
r1#configure terminal
r1(config)#interface ethernet 0
r1(config-if)#no ip proxy-arp
r1#show run interface ethernet 0 
interface Ethernet0
 description e0 to hosta and hostb
 ip address
 no ip directed-broadcast
 no ip proxy-arp
r1#configure terminal
r1(config)#interface e0
r1(config-if)#ip proxy-arp 

Prior to the thinking outside the box exercise, you were working with telnet, which is an application based on TCP port 23. TCP port 23 is the pointer from the Transport Layer to the Application Layer, just as the IP packet contains a protocol number such as 6 to link to the Transport Layer TCP protocol for further processing. Figure 3-12 shows this layer linkage for the UDP and TCP applications you previously examined. You can always compare this to your saved Sniffer traces to validate the theory from the lower layers to the upper layers.

Figure 12Figure 3-12 Protocols, Applications, and Utilities

Many applications have well-known port numbers assigned. Ports greater than 1024 are referred to as ephemeral, random, short-lived, or temporary, whereas numbers below 1024 are considered well-known ports.

Figure 3-13, http://www.iana.org, and RFC 1700 provide you with more detail. Ports are often categorized as follows:

  • 0–1023 Well-known

  • 1024–49151 Registered

  • 49152–65535 Dynamic (private)

Figure 13Figure 3-13 Application Port Numbers

As you have seen in the previous subsections, after you have eliminated Physical Layer issues, protocol connections are troubleshooting targets that must be considered. After the protocol connections have been confirmed as operational, it is time to move up to the Application Layers. I could not begin to cover the vast variety of upper-layer applications in use today, but I will introduce some of the major Application Layer protocols of the TCP/IP suite.

Upper-Layer Protocols, Applications, and Utilities

This subsection covers applications such as telnet, FTP, TFTP, SMTP, POP3, DNS, SNMP, RIP, HTTP, HTTPS, and DHCP. Obviously, these are not the only applications you will need to troubleshoot, but they are very common.

First look at the terminal emulation protocol telnet from an application perspective. Review Figures 3-9 and 3-10 and your Sniffer capture file (chapter 3 telnet from hosta to r1 sniffer capture). Figure 3-14 illustrates the telnet session from hosta on port 1079 to r1 on port 23. Line 10 starts the telnet session, which was dependent on the TCP 3-way handshake in lines 7, 8, and 9. Notice the echo, window size, and terminal negotiation in lines 10 to 15. Frame 12 is waiting for the login that eventually appears in lines 17 to 25 one character at a time. In addition, notice how that after the user-level password I typed the necessary command and password to get into enable mode. Although I do not show all this in the screen capture of Figure 3-14, if you have your own file you can see the rest of the commands that were typed on the router, letter for letter. It is pretty obvious here that the standard telnet programs do not encrypt the login information, and I doubt that this is what you want people to see when you telnet to your devices to configure them. In the real-world application of telnet where security is more of a concern, many people use secure telnet programs (Secure Shell [SSH] port 22). Examples include SecureCRT, CommNet, and PuTTY.SSH.

Figure 14Figure 3-14 Telnet from an Application Perspective

Next look at TFTP and FTP. As I illustrated in Figure 3-13, TFTP typically operates over UDP port 69, and FTP typically operates over TCP port 21 for control and 20 for data. When I say typically, I really mean that this is entirely up to the developer. FTP and TFTP are very useful applications in the support environment. For instance, what happens if you lose the configuration on one of your routers? Hopefully, you have an automated way to restore it instead of having to type in the configuration line-for-line.

To test TFTP, I am using a freeware program called PumpKin in Figure 3-15. You can download PumpKin, set up another router as a TFTP server, or use any TFTP application you like. I started and configured PumpKin to put and get all files, started a new Sniffer capture, and proceeded to copy my r1 configuration file to the TFTP server for this test. You should even go a few steps further to wipe your configuration with the erase startup-config or write erase command to ensure this really works. After all, this is the type of thing you should do in a lab environment many times so that you are prepared for the unexpected. Use Example 3-29 as a guide for this exercise.


The shaded output in Example 3-29 is not required for the TFTP exercise. It is meant to review that the effect of copying anything to the running configuration is a merge rather than a replace to the existing configuration.

Save the Sniffer file as chapter 3 tftp from r1 to hosta and back sniffer capture for further review.


Just as I am in the habit of typing write mem (wr) to save my running configuration to the startup configuration, I typically type write erase (wr er) to erase the startup. However, write mem and write erase are the old way; copy running-config startup-config and erase startup-config are the newer (10.3+) commands. I thought I would point this out in case you see the old commands in some of my examples or Sniffer traces.

Figure 15Figure 3-15 Using PumpKin for a TFTP Server

Example 3-29 Copying r1 Configuration to a TFTP Server

 r1#copy running-config tftp
Address or name of remote host []?
Destination filename [running-config]? hosta-config
1093 bytes copied in 5.888 secs (218 bytes/sec)
r1#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
Erase of nvram: complete
!!!The next 2 shaded commands are not necessary for the tftp exercise
!!!However, it is a good time to review when files are replaced or 
!!!just modified.
r1#copy startup-config running-config
Destination filename [running-config]? 
r1#show running-config
Building configuration...
Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname r1
enable password donna
ip subnet-zero
ip host r1
ip host r2
ip host r3
ip host r4
ip host r5

Next reload the router as in Example 3-30.

Example 3-30 Reloading the Router

Proceed with reload? [confirm]
02:21:13: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
Copyright 1986-1995 by cisco Systems
2500 processor with 2048 Kbytes of main memory
F3: 7464832+102636+503004 at 0x3000060
       Restricted Rights Legend
Cisco Internetwork Operating System Software 
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(5), RELEASE SOFTWARE (fc1)
Copyright 1986-1999 by cisco Systems, Inc.
Compiled Tue 15-Jun-99 19:57 by phanguye
Image text-base: 0x0303D744, data-base: 0x00001000
cisco 2500 (68030) processor (revision L) with 2048K/2048K bytes of memory.
Processor board ID 03074719, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)
%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)
SETUP: new interface Ethernet0 placed in "shutdown" state
SETUP: new interface Ethernet1 placed in "shutdown" state
%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)
Press RETURN to get started!
00:03:45: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software 
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(5), RELEASE SOFTWARE (fc1)
Copyright 1986-1999 by cisc
Router>o Systems, Inc.
Compiled Tue 15-Jun-99 19:57 by phanguye
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface ethernet 0
Router(config-if)#ip address
Router(config-if)#no shut

Now copy the file from the TFTP to r1 as in Example 3-31. By the way, a router with no configuration is often referred to as a router out of the box (ROTB).

Example 3-31 Copying the Configuration from the TFTP Server

Router#copy tftp running-config
Address or name of remote host []?
Source filename []? hosta-config
Destination filename [running-config]? 
Accessing tftp://
Loading hosta-config from (via Ethernet0): !
[OK - 1093/2048 bytes]
1093 bytes copied in 5.124 secs (218 bytes/sec)
r1#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...


Remember to stop and save the Sniffer file as chapter 3 tftp from r1 to hosta and back sniffer capture.

In the preceding example, I copied my file to a TFTP server and made sure it was really there. Then I performed an erase start on the router to erase the startup configuration. When I tried to overwrite the running configuration with the startup configuration, however, it acted as a merge, which is what you should expect. To really get rid of the running configuration, you must reload the router; so I did. When the router came back up, it had no configuration, but it was certainly looking for one (as you can see from the shaded output in Example 3-30). Next I configured the IP address on the Ethernet 0 interface and issued a no shut. If the TFTP server were not local, a default gateway would be required as well. Now that I had TCP/IP communications, I continued and copied the configuration file from the TFTP server back to the router and saved the configuration.

TFTP and FTP can assist you with saving configurations and IOS images depending on your IOS version. To explore the differences, save the TFTP capture or refer to my Sniffer files to later compare it to FTP. Make a list of the major differences as you observe the two applications.

Before you experiment with FTP, take a few minutes to decode the TFTP Sniffer capture. The shaded line in Figure 3-16 highlights a TFTP write request, which Sniffer portrays as opcode 2 in the detail pane. Lines 63 to 69 include the actual file transfer. Line 64 is an opcode 3 and is the first data packet transfer. Notice that the first block, or 512 bytes, of data was transferred and line 65 is the application acknowledgement to the first data packet with an opcode 4. Table 3-7 lists the common opcodes.


My TFTP Sniffer captures have an error in them because of an old Sniffer bug. In Figures 3-16 and 3-17, for example, frame 60 must actually follow frames 61 and 62. I prefer not to doctor my Sniffer capture but rather tell you that it's not possible for it to behave as shown.

Table 3-7 OpCodes

OpCode Text

OpCode Number

Read request


Write request








Figure 16Figure 3-16 TFTP Write Request

Also note that the Sniffer trace does not in any way hide the configuration while it is transferring. Figure 3-17 shows the ending configuration, including passwords. Notice how you can read the entire configuration file when you open each data packet individually.

Using the Sniffer capture, take a few minutes to draw a simple picture of what happens when you transfer a file using TFTP. Include communications between r1 and hosta, including line numbers, ports, and opcodes, as I did in Figure 3-18.

Many UDP-based applications such as some implementations of TFTP and DNS use a fixed data length (such as 512 bytes) to operate, but the maximum per segment is 65535 bytes.


In the Cisco environment, you may need to use FTP to update large IOS images (over 16 MB) or transfer larger files. A more likely reason to use FTP over TFTP is that the latter operates in a ping-pong, request/response fashion with no windowing, which greatly impacts throughput in high-latency paths. In addition, the retransmit timers are fixed, so they do not adapt to the round-trip time as does TCP.

Figure 17Figure 3-17 TFTP Clear Text

Figure 18Figure 3-18 TFTP Communications

As you verified in the previous figures, TFTP transfers text in the clear. Use FTP to perform the same file transfer as in the TFTP exercise. Actually, I transferred the configuration from r1 and r2 to the FTP server in my test. Any FTP application is appropriate. I am using 3CDaemon in Figure 3-19, a freeware program I downloaded from support.3com.com/infodeli/swlib/utilities_for_windows_32_bit.htm for the lab in Example 3-32. Use Sniffer to capture the results, analyze your findings, list or draw a picture of what happens when you transfer a file using FTP, and, last but not least, compare the two IP-based applications.

Figure 19Figure 3-19 FTP Server Software

Example 3-32 Copying r1 and r2 Configuration to an FTP Server

r1(config)#ip ftp username anonymous
r1(config)#ip ftp password donna@shoretraining.com
r1#copy running-config startup-config
r1#copy running-config ftp
Address or name of remote host []?
Destination filename [running-config]? r1-config
Writing r1-config !
1169 bytes copied in 8.836 secs (146 bytes/sec)

I did not take the time to erase my configuration and test this out as I did with the TFTP example. If you need more practice, you can do just that. My chapter 3 ftp from r1 and r2 to hosta sniffer capture file displays in Figure 3-20. Follow the TCP sessions and data transfer, including the sequence and acknowledgement numbers for a review.

Figure 20Figure 3-20 FTP Write Request

Feel free to draw a more specific picture with line numbers, ports, and sequence and acknowledgement numbers. However, the following gives a general picture of how FTP works:

  • ARP and TCP 3-way handshake (FTP control port 21)

  • FTP user login (anonymous) and password (donna@shoretraining.com)

  • TCP 3-way handshake (FTP data transfer port 20)

  • FTP data transfer (clear text)

  • Session tear down (data port 20)

  • Session tear down (control port 21)

The main difference is that the program I used for the test does not use an individual port 20 for each data transfer, but instead uses a separate ephemeral port.


Actually my FTP client specified a PASV (passive) transfer mode, and the 3CDaemon server supported it. This makes FTP a little confusing because, as I just illustrated, the data port is not always port 20. In passive-mode FTP, the client initiates both the control and data connection to the server. Obviously this can be good or bad depending on server and firewall configurations. Research FTP modes for more detail.

You should have notes similar to the following to compare TFTP and FTP communications:

  • The client uses an ephemeral port to initiate communications to TFTP server port 69 and the server picks an ephemeral port to respond to the client. FTP uses port 21 for control and a separate port 20 for file transfer, and the server port doesn't need to change for multiple clients because of the TCP session.

  • No login, username, or password is used for TFTP. FTP requires login and can allow anonymous login with the e-mail address for the password.

  • TFTP transfers a minimum of 512 bytes of data per datagram, and the application ACKs each one individually because UDP has no reliability mechanism; FTP, on the other hand, uses a TCP session for each file transfer.

  • TFTP and FTP use clear-text data transmission. FTP secure implementations are available.

In addition, TFTP and FTP are very helpful in the Cisco environment to copy not only configurations but also Cisco Operating System images. Many times I set up my router as a TFTP server so that I can copy the IOS to another location. Appendix B provides more detail on such topics.

As you can see, it is helpful to understand the basics of how applications work to more easily troubleshoot them. Next take a look at the Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP3) in Figure 3-21.

Figure 21Figure 3-21 SMTP and POP3

SMTP is like the mail truck delivering from post office to post office. If you work for Cisco Press and you want to set up your mail client to send your mail, for example, you may set up smtp.ciscopress.com, which by default occurs on TCP port 25.

POP3 is more of a server to the client mail delivery protocol that operates by default on TCP port 110. Therefore if you work for Cisco Press and want to set up your mail client, you may set up pop3.ciscopress.com to receive your mail.

Assume user@ciscopress.com wants to send an e-mail to donna@shoretraining.com. That user clicks Send and SMTP is used to transfer the e-mail from the user to his mail server using SMTP TCP port 25. The mail server delivers the mail to the shoretraining.com domain over port 25. When I check my mail on shoretraining, my e-mail program establishes a connection to my mail server over POP3 port 110.

Knowing the overall SMTP/POP3 delivery process may assist you with troubleshooting your e-mail one day. For example, I have been in situations where I could send e-mail but not receive, which turned out to be a POP3 issue. Perhaps a particular port or address was blocked by an access list. I have also been in situations where the opposite occurs. For example, many times you may have the luxury of using a higher-speed network connection but your ISP may not allow you to "relay" through another system. However, troubleshooting e-mail issues happens to be another book in itself (as are most applications).


Like telnet, SMTP and POP3 are clear-text protocols for all e-mail and password information. You can add security with better alternatives. Secure POP (SPOP, port 995) uses Secure Sockets Layer (SSL). SMTP (still port 25) can use SSL as well. Internet Message Access Protocol (IMAP, port 143) is inherently more secure than POP3 is. Previously in this chapter, I compared SSH (port 22) to telnet (port 23).

DNS is another application that it is quite helpful to understand in the support world. I would much rather type http://www.cisco.com than its IP address every time I want to look up something on Cisco.com. DNS maps an IP address to a hostname so that humans can relate to it a little better.

Hostname resolution once was a flat hosts file, but who would have enough memory to open such a thing today? Hosts files are still available for use, however. You have them on each of your routers now. Type show hosts with me on r1 as in Example 3-33.

Example 3-33 Cisco Hosts File

r1>show hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are
Host           Flags   Age Type  Address(es)
r1            (perm, OK) 23  IP
r2            (perm, OK) 23  IP
r3            (perm, OK) 23  IP
r4            (perm, OK) 23  IP
r5            (perm, OK) 23  IP

Hosts files on PCs are typically found in locations such as \Windows, \Etc, \Winnt\System32\Drivers\Etc and are named hosts. Reference Figure 3-22 for a sample Windows 2000 hosts file.

Figure 22Figure 3-22 Windows 2000 Hosts File

The other files listed in Figure 3-22 can be quite helpful, too. Lmhosts is for NetBIOS name resolution. The other files contain common network, protocol, and port numbers. At the upper layers, I often ask myself whether a hostname or a NetBIOS issue exists. Figure 3-23 provides some examples, as does Table 3-1 earlier in this chapter.

Figure 23Figure 3-23 Name and Address Resolution

DNS is hierarchical in nature; therefore, fully qualified domain names (FQDN) must be unique. Upper-level domain names include such domain names as com, edu, net, and gov. Second-level domain names must be registered. For example, ciscopress.com and shoretraining.com are both part of the top-level com domain. Cisco Press has authority over what they do under ciscopress.com, and I have control over what I do under shoretraining.com. Obviously, these second-level domains must be registered through Internet service providers (ISPs) or companies such as VeriSign.


Some implementations of DNS do not allow hostnames with underscores (_).

The name space contains domains, subdomains, and hosts. The servers contain zones, which are database files with various record types. Common record types include alias (canonical name) or mail (MX) records.

Why do you care? Name resolution is certainly something to check for in the upper layers. If you can ping the IP address but not the hostname, for example, chances are you have a hostname resolution issue. If you can issue a Start > Run \\ but not a Start > Run \\hostb, the problem is probably NetBIOS name resolution. These could in turn be DNS or WINS issues, depending on the applications and settings in your environment.

If you were capturing DNS information with Sniffer, you would see that queries typically are done over UDP port 53, whereas zone transfers are completed over TCP port 53. Next take a look at SNMP, which is everything but simple.

SNMP was originally for remote management of network hardware devices, but today is used for lots more. A management console sends a request to an agent (managed device) over UDP port 161, and the agent generates a trap on port 162 to a specific address. An agent really can't initiate anything on its own, but it can notify the manager of events, such as a link up or down or a software mail problem. The requests are part of a database referred to as a Management Information Base (MIB) in the SNMP world. Communities are groups that talk to one another to assist with security, and public is the default community. CiscoWorks, Cisco Info Center (CIC), and HP OpenView are examples of network management platforms that support SNMP-based management.

Next I review the RIP application. RIP is the routing protocol you set up earlier in the chapter so that one end system could get to another end system. RIP is an application that operates over UDP port 520. RIPv2 still operates over UDP port 520, but it uses as a destination IP multicast address. Although each of the prefix entries includes a mask, RIPv2 is more considerate of the hosts, which are not interested in its messages, because their NICs will filter the frames at Layer 2. Figure 3-24 enables you to analyze the RIP header. Does my capture display RIPv1 or RIPv2?

Figure 24Figure 3-24 RIP

You are correct if you said Figure 3-24 displays RIPv2 because the destination is the multicast address rather than a local broadcast.

Now look at another application that is common in a day-to-day environment; Hypertext Transport Protocol (HTTP) uses TCP port 80 to provide web services. It also uses clear-text data transmission. Obviously this is a very big issue with purchasing items over the Internet. E-commerce applications make use of more secure protocols such as HTTPS over TCP port 443. If you compare a Sniffer trace of HTTP and HTTPS traffic, the HTTPS data is encrypted. Figure 3-25 shows you what people can sniff when you use HTTP to access a switch. I had to turn port monitoring on for this to work. Those details are covered more depth in the switch chapters, Chapter 6, "Shooting Trouble with CatOS and IOS," and Chapter 7, "Shooting Trouble with VLANs on Routers and Switches." For now, analyze the layered approach to HTTP as you have done with the other applications.

Figure 25Figure 3-25 HTTP to a 1900 Switch


HTTP 1.0 opens a new TCP connection for each item, but HTTP 1.1 does not, as you can verify at http://www.w3.org/Protocols/Activity.html. In addition, this Sniffer decode offers a good opportunity to point out the default behavior of most TCPs, to acknowledge every other packet.

Now that I have touched on all the layers of the TCP/IP suite to lead into the addressing section, I will discuss DHCP. First there was RARP, then BOOTP, and now DHCP. The basic concept is the same. Take RARP, for example. It is used to resolve MAC addresses to IP addresses. It is the opposite of ARP, with which I know you have become pretty comfortable by now. The Bootstrap Protocol (BOOTP) was developed to allow diskless workstations to obtain IP information upon bootup. BOOTP spawned DHCP, which is widely used today.

DHCP is not fully automatic because someone must configure the server with a range of IP addresses (scope) and other optional parameters such as the mask, gateway, DNS server, WINS server, and so on. Clients request DHCP parameters via Layer 2 and Layer 3 broadcasts to UDP port 67. The server sends messages to the client on UDP port 68. However, it would defeat the purpose of a router if it were allowed to forward all broadcasts. On the other hand, it is possible for you to open up certain ports for routers to forward via the ip helper-address [ipaddress] command. Request forwarding is also possible via DHCP proxy agents. Figure 3-26 provides examples of the ip helper command. Helpers in effect change the local broadcast destination to a unicast or directed broadcast to reach the DHCP server. Table 3-8 shows DHCP frames that you should capture sometime with a protocol analyzer.

Figure 26Figure 3-26 IP Helper


To forward fewer than the eight default ports that IP helper opens up, you can use the ip forward-protocol udp port command for the ports you want to forward followed by the no ip forward-protocol udp port for the ports you do not want to forward.

Table 3-8 DHCP Frames

DHCP Frame



Client is looking for DHCP server (broadcast).


DHCP servers respond (broadcast).


Client asks for first server that offered (broadcast).


DHCP server sends.


Client sends an ARP to check for duplicate addresses.

3. Addressing | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020