When a network infrastructure includes router-based firewalls, the function of the firewall, which is to silently discard traffic that the firewall has not been configured to forward, can impair specific networking functions. For example, if a firewall between two Microsoft Windows Active Directory directory service domain controllers has not been configured to allow all of the different types of traffic that domain controllers use to synchronize the Active Directory database, replication can fail.

When troubleshooting networking functions and reachability, a common step is to use the Ping tool (Ping.exe) and ping one computer from another. However, the Ping tool uses Internet Control Message Protocol (ICMP) Echo and Echo Reply messages, which are typically not the same traffic as that used by the network function that is impaired. The firewalls between the two computers might be allowing ICMP traffic or might be dropping it. In either case, because the network function that is impaired is not using ICMP Echo traffic, the connectivity test with the Ping tool does not provide conclusive diagnostic information about the traffic that is being discarded (dropped) by the intermediate firewalls.

For definitive diagnostic information, you must be able to duplicate the exact type of traffic of the impaired network function using a tool that can report connectivity success or failure. Once you have determined the types of traffic that are being dropped by intermediate firewalls, you can configure the firewalls to forward the dropped traffic to restore connectivity for the impaired network function.

Tools for Testing Network Paths for Specific Types of Traffic

Microsoft provides the following tools to test network paths for specific types of traffic:

- Port Query
- PPTP Ping
- Telnet
- Test TCP

Port Query (Portqry.exe and Portqueryui.exe)

Port Query is a free tool from Microsoft that you can use to help troubleshoot TCP/IP connectivity issues for specific types of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic. Port Query has a command-line version (Portqry.exe) (available at PortQry Command Line Port Scanner Version 2.0) and a graphical user interface version (Portqueryui.exe) (available at PortQryUI - User Interface for the PortQry Command Line Port Scanner). Both versions run on Windows 2000, Windows XP, and Windows Server 2003-based computers.

Portqry.exe has the following features:

- A command-line mode that you can use to query TCP, UDP, or both for a single port, an ordered list of ports, or a sequential range of ports.
- An interactive mode from which you can issue sequential commands more easily and use a series of shortcuts, or predefined queries for common traffic such as Domain Name System (DNS) or Lightweight Directory Access Protocol (LDAP).
- A local host mode that you can use to obtain detailed information about the TCP and UDP ports being used on the local computer on which Portqry.exe runs.

For details of the three different modes and command syntax, see New features and functionality in PortQry version 2.0. This Microsoft Knowledge Base article contains example commands and sample output.

Portqueryui.exe allows you to more easily query ports with a Windows-based graphical user interface. From this window, you can specify the name or IP address of the computer to query, select a predefined service, manually specify the port, ports, or port ranges to query in a specified order, and the protocol to query (TCP, UDP, or both). When you click Query, the results are displayed in the Query Result portion of the window.

To determine the set of ports queried for the predefined services, click Help, and then click Predefined Services. You can modify the set of ports queried for each predefined service or create your own predefined services by modifying the contents of the Config.xml file. For information about the syntax for specifying ports in the Config.xml file, see the Portqueryui.doc file. Both the Config.xml and Portqueryui.doc files are stored in the Portqueryui.exe installation folder.

When either version of the Port Query tool queries a port, it reports the status of a port as being in one of the following states:

- LISTENING: Port Query received a positive response and a process is listening on the TCP or UDP port that was queried.
- NOT LISTENING: Port Query received a negative response and a process is not listening on the TCP or UDP port that was queried. For a TCP port, Port Query received a TCP connection reset segment. For a UDP port, Port Query received an ICMP Destination Unreachable-Port Unreachable message.
- FILTERED: Port Query received no response to the query. A process may or may not be listening on the port. The FILTERED status indicates that the query traffic could have been dropped by an intermediate firewall. By default, Port Query tries TCP ports three times and UDP ports once.

PPTP Ping

PPTP Ping is a set of two tools (Pptpsrv.exe and Pptpclnt.exe) that are provided with the Windows 2000 or Windows Server 2003 Support Tools, located in the Support\Tools folder of the Windows 2000 or Windows Server 2003 product CD-ROMs. After installing the Support Tools, Pptpsrv.exe and Pptpclnt.exe are stored in the Program Files\Support Tools folder on the Windows system drive. For Windows XP Service Pack 2, you can obtain updated versions of Pptpsrv.exe and Pptpclnt.exe from Windows XP Service Pack 2 Support Tools.

PPTP Ping allows you to test whether Point-to-Point Tunneling Protocol (PPTP) traffic, consisting of TCP port 1723 traffic for PPTP tunnel maintenance and IP protocol 47 for Generic Routing Encapsulation (GRE) traffic for PPTP tunneled data, can be successfully sent and received between a client and server computer. PPTP Ping does not verify that a successful PPTP connection can be made (which requires a user authentication process), only that PPTP traffic can be exchanged with a specified destination.

For PPTP traffic, the problem is typically a firewall that filters GRE traffic. To correct this problem, configure your firewalls to forward GRE traffic (IP protocol 47) to the VPN server computer.

Telnet

Telnet (Telnet.exe) is a tool included with Windows that you typically use to log in to a Telnet server. You can also use the Telnet tool to test TCP connectivity for any TCP destination port. To verify that a TCP connection can be established using the known destination TCP port number of the application of the destination, you can use the telnet IPv4Address Port command. For example, to verify whether the Web server service on the computer with the IPv4 address of 131.107.78.12 is accepting TCP connections, use the telnet 131.107.78.12 80 command.

If the Telnet tool is successful in creating a TCP connection, the command prompt window will clear and, depending on the protocol, might display some text. This window allows you to type in commands to the service to which you have connected. Type Control-C to exit the Telnet tool. If the Telnet tool is not successful in creating a TCP connection, it displays the message "Connecting To IPv4Address...Could not open connection to the host, on port Port: Connect failed".

Test TCP

Test TCP (Ttcp.exe) is a tool that you can use to listen for and send TCP segment data or UDP messages between two nodes. Ttcp.exe is provided with Windows Server 2003 in the Valueadd\Msft\Net\Tools folder of the Windows Server 2003 product CD-ROM.

Test TCP differs from Port Query in the following ways:

- With Test TCP, you can configure a computer to listen on a specific TCP or UDP port without having to install the application or service on the computer. This allows you to test network connectivity for specific traffic before the services are in place. For example, you could use Test TCP to test for domain replication traffic to a computer before you make the computer a domain controller.
- Test TCP also supports Internet Protocol version 6 (IPv6) traffic.

The basic syntax for Ttcp.exe on the listening node (the receiver) is the following:

    ttcp -r -pPort (to listen on a TCP port)
    ttcp -r -pPort -u (to listen on a UDP port)

The basic syntax for Ttcp.exe on the sending node (the transmitter) is the following:

    ttcp -t -pPort (to send to a TCP port)
    ttcp -t -pPort -u (to send to a UDP port)

For additional command line options, type ttcp at the command prompt.

Ttcp.exe can only listen on or send to a single port. To configure a computer to listen on multiple ports, run Ttcp.exe in separate command prompt windows.

Common Types of Traffic Problems

The most common types of traffic that are blocked by firewalls and can impair Windows networking functionality are the following:

- Active Directory domain traffic
- DNS traffic
- VPN traffic
- ICMP traffic
- Other traffic

Active Directory Domain Traffic

Active Directory domain traffic includes the following domain operations:

- Active Directory replication between domain controllers
- Promotion of a new domain controller with the Dcpromo.exe tool
- Domain logon
- Domain authentication
- Establishing domain trusts

The traffic used for these types of domain operations is described in detail in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article and includes the following:

- TCP port 135 for Remote Procedure Call (RPC) traffic
- TCP port 389 and UDP port 389 for LDAP traffic
- TCP port 636 for LDAP over Secure Sockets Layer (SSL) traffic
- TCP port 3268 for LDAP Global Catalog (GC) traffic
- TCP port 3269 for LDAP GC SSL traffic
- TCP port 53 and UDP port 53 for DNS traffic
- TCP port 88 and UDP port 88 for Kerberos traffic
- TCP port 445 for Server Message Block (SMB) (also known as Common Internet File System [CIFS]) traffic

You can test your network paths for domain traffic on an individual port basis with the Portqry.exe tool if the domain controller is already in place, or with the Ttcp.exe tool to listen and send domain traffic if the computer that is being promoted to a domain controller has not yet been promoted.

The easiest way to test for all of these ports at one time is to use Portqueryui.exe and the "Domains and Trusts" predefined service, which by default queries the following sets of ports:

- TCP port 135 (RPC traffic)
- TCP port 389 and UDP port 389 (LDAP traffic)
- TCP port 636 (LDAP over SSL traffic)
- TCP port 3268 (LDAP GC traffic)
- TCP port 3269 (LDAP GC SSL traffic)
- TCP port 53 and UDP port 53 (DNS traffic)
- TCP port 88 and UDP port 88 (Kerberos traffic)
- TCP port 445 (SMB traffic)
- UDP port 137 (Network Basic Input/Output System [NetBIOS] name service traffic)
- UDP port 138 (NetBIOS NetLogon and browsing traffic)
- TCP port 139 (NetBIOS session traffic)
- TCP port 42 (Windows Internet Name Service [WINS] replication traffic)

The set of ports queried with the "Domains and Trusts" predefined service includes all of the ports listed in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article.

DNS Traffic

To test for DNS traffic, you can use the following methods:

- Use Portqry.exe with the following syntax:

      portqry -n DNS_server_name_or_IP_address -p BOTH -e 53

  Alternately, you can use the q dns shortcut command at the Portqry.exe interactive command prompt.
- Use Portqueryui.exe and the "Networking" predefined service, which queries DNS along with other networking protocols.

VPN Traffic

To use PPTP Ping to test for PPTP-based VPN traffic, do the following:

1. On the VPN server computer:
   - If needed, stop the Routing and Remote Access service using the Routing and Remote Access or Services snap-ins. This step ensures that Pptpsrv.exe can use TCP port 1723 and IP protocol 47.
   - Run Pptpsrv.exe.
2. On the VPN client computer:
   - Run Pptpclnt.exe with the following syntax:

         pptpclnt.exe servername_or_IP_Address

   - When prompted, type some text to send to the VPN server computer and then press ENTER.

If PPTP traffic can be successfully exchanged between the VPN server and VPN client computers, Pptpsrv.exe on the VPN server computer will display the text that was sent by the VPN client computer and an exchange of five GRE messages. If not, Pptpsrv.exe will indicate what types of PPTP traffic were unsuccessful.

If you are using a site-to-site VPN connection (also known as a router-to-router VPN connection) to connect two sites of your organization and both Routing and Remote Access server computers can initiate the VPN connection, use the above procedure again, reversing the roles of the two computers. Because either server computer can initiate the connection, you must ensure that both servers can act as both VPN clients and VPN servers.

ICMP Traffic

ICMP traffic is used by protocol stack components, system services, and applications for various networking functions. Here are some examples of Windows networking functions that use ICMP traffic:

- To determine whether the link to the Active Directory domain controller is a fast link or a slow link for the purposes of downloading Group Policy settings, Active Directory clients send ICMP Echo messages.
- To automatically determine the path maximum transmission unit (PMTU) between two peers, the Windows TCP/IP stack uses the receipt of ICMP Destination Unreachable-Fragmentation Needed and Don't Fragment Set messages. For more information, see Path Maximum Transmission Unit (PMTU) Black Hole Routers, the July 2004 The Cable Guy article.

In either case, you can test for intermediate firewalls that block ICMP traffic with the Ping tool.

Other Traffic

For other types of traffic, you can use the following methods:

- Use Portqry.exe to specify individual ports at the command line or use the shortcuts in interactive mode.
- Use Portqueryui.exe to specify individual ports or use the predefined services.
- Use Telnet.exe to test for TCP connectivity on specific ports.
- Use Ttcp.exe to set up listening and sending nodes.
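
The three Port Query states and the Test TCP receiver role described above, as an added Python example that is not Microsoft's code and does not reproduce either tool. The names `query_tcp`, `survey` and `listen_once` are hypothetical, a plain TCP connect stands in for Port Query's probe, and the demo runs against a constructed loopback listener.

```python
import socket
import threading

# TCP ports the page lists for Active Directory domain traffic.
DOMAIN_TCP_PORTS = {135: "RPC", 389: "LDAP", 636: "LDAP over SSL",
                    3268: "LDAP GC", 3269: "LDAP GC SSL", 53: "DNS",
                    88: "Kerberos", 445: "SMB"}

def query_tcp(host, port, timeout=2.0, tries=3, connect=socket.create_connection):
    """Map TCP connect attempts onto the three states the page defines.
    Other OSErrors (for example, no route to host) propagate to the caller."""
    for _ in range(tries):                 # the page: TCP is tried three times
        try:
            connect((host, port), timeout).close()
            return "LISTENING"             # handshake completed
        except ConnectionRefusedError:
            return "NOT LISTENING"         # a TCP reset came back
        except (socket.timeout, TimeoutError):
            continue                       # silence: possibly dropped in transit
    return "FILTERED"

def survey(host, ports=DOMAIN_TCP_PORTS, **kwargs):
    """Query each port in turn and return {port: (label, state)}."""
    return {p: (name, query_tcp(host, p, **kwargs)) for p, name in ports.items()}

def listen_once(port=0, host="127.0.0.1"):
    """Receiver stand-in: accept one connection on a port with no real service.
    port=0 lets the OS choose a free port; returns (bound_port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    bound = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return bound, thread

if __name__ == "__main__":
    # Constructed loopback demo: probe the listener while open, then once closed.
    port, thread = listen_once()
    print(port, query_tcp("127.0.0.1", port))
    thread.join(2)
    print(port, query_tcp("127.0.0.1", port))
```

A FILTERED result only means no answer arrived within the timeout on every try, so it should be confirmed against the firewall's own logs before rules are changed.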