Wednesday, December 24, 2008

Merry Christmas

Merry Christmas from NWPS!

Update: we actually had a true white Christmas, the first since 1990. It was snowing today, we got around an inch of snow, but the forecast is for it all to melt. We've had snow on the ground for the last 10 days, so it's about time for it to be over -- I am done, ready for return to our perpetual fall.

NetScanTools (TM) Pro 10.80 USB Version Patch Ready

The USB version patch was posted to our secure site on Monday, Dec 22. Please use Check for New Version to access the site.

Thursday, December 18, 2008

New NetScanTools (TM) Pro Version 10.80

The newest release of NetScanTools Pro is finally done. This is the long form (or long-winded) explanation of some of the changes made in 10.80.

Several major changes have been made and they are mostly in the area of DNS Tools because that is where customer interest has been taking us. Current users take note -- the Name Server Lookup manual tool is GONE: but don't worry, it was reworked and renamed DNS Tools - Core. A few of the tools formerly on the Name Server Lookup tool were moved to the new DNS Tools - Advanced tool, along with new tools. We have brought back the manual Zone Transfer tool where you specify the authoritative DNS to retrieve the zone from. New DNS Tools have been added, including a DNS Version tool that retrieves the software version of the DNS, an Auth Serial Check used to compare the zone serial numbers of primary and secondary DNS, and a new SPF/Domain Keys record retrieval tool. Both DNS Tools groups have a new Batch Processing function. Batch Processing allows you to run the tools with a list of IPs, domain names or hostnames, which is really handy if you have a group of queries to make. Autosave is included in both DNS Tools groups. There will be even more additions to the DNS Tools groups in future releases.

Speaking of Autosave, it has been added to SNMP and to Traceroute. What is Autosave? It is a simple method of saving the results of all queries from a tool to a single user-defined text file. That way you can review all the data you have gathered in SNMP or Traceroute or the DNS Tools. Eventually we would like to put Autosave into every place it makes sense, and SNMP and Traceroute were the two that needed it the most right away.

SNMP has also had a minor facelift. The annoyingly short width OID entry field was made wider -- a lot wider so that you can see what was entered before. The list of SNMP actions has been labeled too. The setup window has been improved.

Traceroute has the autosave function in setup and we also added a main tool quick select of the five kinds of traceroute (ICMP (MS), ICMP WinPcap, UDP variable port, UDP fixed port, and TCP). This means you don't have to go back into setup to change the traceroute mode.

Network Statistics also had a minor facelift mostly in the TCP/UDP connection endpoint list. More columns are visible. We split the Process:PID column into two and also split the IP/Port columns into two. A bit easier to read especially since it is now wider.

That's a few of the major changes, there are lots of other changes. The USB version will be done in a few days and the demo will be updated after Christmas to reflect 10.80 changes.

If you have an active Maintenance Plan, click on the Online left panel group, then click on Check for New Version, login and download the new version. Comments on the new version are appreciated and if you have any feature suggestions, let us know. If you don't have an active maintenance plan, go to our main page and look at the End of 2008 Special.

Weather and NST Pro release status

Tuesday morning it was 18F and clear, then Wednesday morning it was mixed rain/snow and 32F, then today it was 27F and light snow. Normally we hardly ever get snow before January and the last time there was snow on Christmas day was 1990.

I should have the 10.80 installed version release done later today. Just getting through email...

Sunday, December 14, 2008

the cold

I guess since we live in "Twilight territory" (Forks is west of us -- past Port Angeles -- we are all in Clallam County), I think with the current weather we can all qualify as "the cold ones". For the last two months we have been in a season of never ending Fall. The daytime highs never really were below 50F and the lows hardly touched freezing. Then all of a sudden, ouch! -- it got cold, 29F and dropping as I write this. To the credit of the weather forecasters, I will admit they DID predict this -- so I spent a good part of the last couple of days preparing for it: The cars were gassed up (we are down to the unheard of price of $1.79/gallon here finally after a few years of $2-$3-$4 prices), I got gas for the generator, checked and wrapped the faucets, moved the cows and put the heater in their water trough. All the little things. It all started on Friday as a simple windstorm -- we only lost the top half of one tree -- hurricane force wind gusts are common here on the North Olympic Peninsula -- something people don't realize. Then last night we got about 2-3 inches of dry snow. Now it's supposed to get cold (in the teens) -- the coldest we've seen since 1990. I know, midwesterners and east coasters think this is balmy...

Why say all of this? Well I intend to release 10.80 mid-week. But if the weather interferes (internet disruptions, power failures, more snow...), it may be delayed.

Friday, December 5, 2008


On Monday December 1, the National Bureau of Economic Research (NBER) placed the start of the recession at December 2007. I would place it a bit earlier. We noticed a definite drop in business beginning in September 2007.

Thursday, December 4, 2008

Specialized DNS Tools

Authoritative DNS servers are databases that contain all the records describing a domain in what are called 'zones'. When you do an IP address lookup of a hostname within a domain, that query may end up going all the way to the authoritative servers using a process known as recursion or it may come from a cached record along the way.

There are usually two authoritative servers, but sometimes more servers are used in the case of a large company with a distributed network. In some DNS implementations, the DNS maintainer changes a record (like an MX record defining which machine handles SMTP email) by hand and at the same time changes the serial number to show that the zone was altered. This serial number change is automated in other implementations.

The secondary servers get zone information from the primary server when they see that the serial number in the SOA record in the primary server is different than the serial number currently in the secondary server. If the serial numbers are not the same, then a "zone transfer" is initiated either using a full zone AXFR or an incremental zone IXFR transfer.

As a side note, zone serial numbers are usually in one of two formats, the first being the most common: YYYYMMDDNN format, where YYYY is the year (four digits), MM is the month (two digits), DD is the day of month (two digits) and NN is the version per day (two digits); the second format is unix time, i.e. the number of seconds since Jan 1, 1970. Some DNS maintainers use a simple incrementing number like a revision number.

If there is a breakdown in the process of replicating data between the primary and secondary servers (some DNS software can use methods other than zone transfers), the serial numbers may end up out of sync--especially if the serial number is maintained by hand. To check this, a DNS maintainer would have to individually query each authoritative DNS for its current serial number using NSLOOKUP or DIG to verify that they are all in sync.

To help speed up this process, I have created a new tool that finds the authoritative servers for a domain, then it quickly checks each authoritative server for serial number mismatches. It analyzes the results and tells you if there is a problem -- and since we show each authoritative server with its serial number for the zone, you can quickly see the results yourself. This new tool is tentatively called "Auth Serial Check" and it appears in the new DNS Tools - Advanced window in NetScanTools Pro 10.8 (which is not out yet -- be patient).
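The serial comparison described in this post, as an added example (this is not the Auth Serial Check code). The server names and serials are constructed sample data standing in for one SOA query per authoritative server, and the RFC 1982 wraparound comparison goes a step beyond the simple "are they equal" test in the text.

```python
import re
from datetime import datetime, timezone

MOD = 1 << 32  # SOA serials are unsigned 32-bit values


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if a is newer than b, even across wraparound."""
    return a != b and (a - b) % MOD < MOD // 2


def classify_serial(serial, now):
    """Guess the maintainer's convention: 'YYYYMMDDNN', 'unix time' or 'counter'."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", str(serial))
    if m:
        year, month, day = (int(g) for g in m.groups())
        try:
            datetime(year, month, day)  # rejects month 13, day 32 and so on
            if 1990 <= year <= now.year + 1:
                return "YYYYMMDDNN"
        except ValueError:
            pass
    epoch_1990 = datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp()
    if epoch_1990 <= serial <= now.timestamp() + 86400:
        return "unix time"
    return "counter"


def check_zone(serials, now):
    """serials maps server name -> SOA serial. Report the newest serial and who lags."""
    newest = None
    for value in serials.values():
        if newest is None or serial_newer(value, newest):
            newest = value
    lagging = sorted(name for name, value in serials.items() if value != newest)
    return {
        "in_sync": not lagging,
        "newest": newest,
        "format": classify_serial(newest, now),
        "lagging": lagging,
    }


# Constructed sample: three authoritative servers, one of which missed an update.
NOW = datetime(2008, 12, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_SERIALS = {
    "ns1.example.test": 2008120402,
    "ns2.example.test": 2008120402,
    "ns3.example.test": 2008112001,
}

if __name__ == "__main__":
    report = check_zone(SAMPLE_SERIALS, NOW)
    for name, value in sorted(SAMPLE_SERIALS.items()):
        status = "BEHIND" if name in report["lagging"] else "ok"
        print("%-20s %10d  %s" % (name, value, status))
    print("serial format:", report["format"], "| in sync:", report["in_sync"])
```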

Thursday, November 27, 2008

Thanksgiving and Xbox

So I'm not sure how it happened...after all the family left Thanksgiving evening, my oldest son somehow talked us into letting him buy an Xbox 360. I can't believe we actually let him -- I guess the turkey made us sleepy and dulled our minds. It's his money though -- not mine. He works as a dishwasher in one of those high end Sequim retirement homes. I guess that's our contribution to keeping Walmart in business in this weird economy.

If only I had learned how to write games instead of networking software.

We have a Black Friday sale going on too on our website.

Friday, November 21, 2008

ENUM records

There are several DNS based registries (zones) where someone using VOIP can publish their SIP (or other) connection information. When a device like an IPPBX needs to connect to another internet phone or IPPBX, it can query DNS to find the service information.

For example, if you have a phone number you can query DNS in the, or namespaces (there are others) for DNS NAPTR records that describe how to connect to the machine handling the phone number. If the number has been registered in DNS, you will get the service type and a regular expression (regex) defining how the connection is to be made. The regex will have a portion delimited by the exclamation point character called a URI, typically in the format !! -- this part is used along with the service type to make the connection to the machine receiving the phone call via SIP or H323.

Our freeware ENUMresolver makes it easy to see if the records are in DNS and it displays their format. It accepts a telephone number and can query your default DNS or a specific DNS for the records and displays them. You must include the country code in front of the phone number. Numbers in the North American Numbering Plan (US/Canada/Caribbean) need to include the number "1" in front of the phone: 1 (360) 999-9999 is acceptable US format in ENUMresolver.

We just released v2.00 on November 19, so you can now tell it to query a specific DNS and it also has a list of root zones for you to select from -- of course you can enter any root zone you want.

You can get it at our freeware page.
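How a phone number becomes an ENUM query name and how a returned NAPTR regex field is turned into a URI, as an added example (not ENUMresolver's code). The e164.arpa zone, the example.test hosts and the NAPTR records are assumptions constructed for illustration, and Python's re module is used as an approximation of the POSIX extended regex the records carry.

```python
import re


def enum_domain(phone, zone="e164.arpa"):
    """Reverse the digits, dot-separate them and append the ENUM zone."""
    digits = re.sub(r"\D", "", phone)
    if not digits:
        raise ValueError("no digits in phone number")
    return ".".join(reversed(digits)) + "." + zone.strip(".") + "."


def split_regexp(field):
    """Split a NAPTR regexp field such as '!ere!replacement!flags' on its delimiter."""
    if len(field) < 3:
        raise ValueError("malformed NAPTR regexp: %r" % field)
    parts = field.split(field[0])  # the first character is the delimiter
    if len(parts) != 4 or parts[0]:
        raise ValueError("malformed NAPTR regexp: %r" % field)
    return parts[1], parts[2], parts[3]


def apply_regexp(field, aus):
    """Apply the substitution once, sed-style, to the number in +digits form."""
    ere, replacement, flags = split_regexp(field)
    re_flags = re.IGNORECASE if "i" in flags else 0
    if re.search(ere, aus, re_flags) is None:
        return None
    return re.sub(ere, replacement, aus, count=1, flags=re_flags)


def resolve(phone, naptr_records, service):
    """Pick the best terminal ('u') record for a service and build its URI.

    Each record is (order, preference, flags, services, regexp); lower
    order and preference values are tried first.
    """
    aus = "+" + re.sub(r"\D", "", phone)
    for order, pref, flags, services, regexp in sorted(naptr_records, key=lambda r: r[:2]):
        tokens = services.lower().split("+")
        if flags.lower() != "u" or "e2u" not in tokens or service not in tokens:
            continue
        uri = apply_regexp(regexp, aus)
        if uri:
            return uri
    return None


# Constructed NAPTR answers for the number used in the post.
SAMPLE_NAPTR = [
    (100, 20, "u", "E2U+h323", r"!^.*$!h323:frontdesk@gw.example.test!"),
    (100, 10, "u", "E2U+sip", r"!^\+1360(.*)$!sip:\1@pbx.example.test!"),
]

if __name__ == "__main__":
    number = "1 (360) 999-9999"
    print("query name:", enum_domain(number))
    print("sip  ->", resolve(number, SAMPLE_NAPTR, "sip"))
    print("h323 ->", resolve(number, SAMPLE_NAPTR, "h323"))
```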

Friday, November 14, 2008

dig +trace

If you are curious about how DNS works, you probably should have a look at dig +trace. Dig +trace gives you a hierarchical listing of the DNS servers responsible for each level of a domain name.

The tool starts by going to the top level name servers (you know, the 13 root servers that make DNS work) and asking for the top level domain name servers for .com or .net or .uk or .whatever. Then it picks one of those top level servers and asks for the servers responsible for the next level, like, etc. It does this until it finds the authoritative servers for the hostname or domain name or IP address you entered.

It's great for getting a top down view of how the DNS system works. You can also see if there are problems finding the authoritative servers. You can do this from the unix/linux command line (dig hostname +trace) or from our software.

Here is an example using as an input to NetScanTools Pro's Name Server Lookup tool:

[Start Query]
DiG Starting Timestamp: 11/14/08 21:03:54

; <<>> DiG 9.x <<>> +trace
. 65326 IN NS
. 65326 IN NS
;; Received 228 bytes from ( in 63 ms

;; Received 509 bytes from ( in 140 ms

(note: these are the authoritative domain servers for handling the queries for hostnames in the domain)
172800 IN NS
172800 IN NS
172800 IN NS
172800 IN NS
172800 IN NS
;; Received 209 bytes from H.GTLD-SERVERS.NET ( in 234 ms

3600 IN CNAME
;; Received 73 bytes from ( in 62 ms

[End Query]

With each level, you can see that a number was returned. This is the TTL (time-to-live) for the DNS record in seconds. If you do the dig +trace query again, the numbers for the root servers will be smaller reflecting the time you took between queries.

You can see that ns1 told us that is aliased to a server handled by Akamai. It did not tell us the IP address -- we did an 'ANY' query and the CNAME record was all that was returned to us.

Thursday, November 6, 2008

Managed Switch Port Mapping Tool v1.95 Released

The newest release of the Managed Switch Port Mapping Tool was released yesterday and posted this morning. This version has several internal changes which should allow more models of switches to be mapped.

It also has something that was long overdue: support for the Windows Common Controls v6+. When the program is run on XP and Vista this gives a different, more up-to-date look to things like checkboxes, radio buttons and other controls. Why did we wait so long? It was very hard to do using the Visual C++ 6 compiler. Remember, we only recently made the transition to using Visual C++ 2005 and we are now making the transition to 2008. And speaking of the common control look -- it doesn't work on Windows Server 2003 or 2008. A new milestone: This release of the program has finally been successfully tested on Windows Server 2008.

This release also marks the first time I've fully understood how the Side by Side (WinSxS) DLLs are to be handled properly -- at least I think I understand. The program is linked with the CRT and MFC DLLs so we need a certain version or later of those DLLs on the machine. Our installer now looks for the right version and if it does not find them, the Microsoft Visual C++ 2005 redistributable installer is launched to put the right DLLs in the right places. This was all supposed to stop DLL hell, but I think it created a significantly more complex situation -- if you don't believe me, just have a quick look in C:\windows\WinSxS. It definitely made our installer bigger.

As usual, we updated to the latest version of SQLite: 3.6.4. I can't say enough good things about SQLite. I find it to be very robust and easy to use. The SQL is powerful enough for our needs and it makes it very easy to work with the large amounts of data that we retrieve from the switch. I use a C++ wrapper that I found on CodeProject so the learning curve was really fast. Try SQLite sometime -- the link to their site is on the right.

You can get the latest version by clicking on Help/Check for Update or by going to the Switch Port Mapper website on the right.

Wednesday, October 22, 2008

Satellite TV R.I.P.

I watched most of the last presidential debate a week ago (boring...). I turned off the TV and came back later at 11 to watch the news. I turned on the TV and the satellite box as usual. No news. The TV worked fine but all I saw was error 015 Acquiring Satellite Signal with no progress being made -- it kept endlessly cycling through the satellites and the transponders. I tried resetting it but that didn't work.

So the next day I checked all the wiring inside and out. Then I called tech support. I tried the computerized voice command help. That was just plain weird and entirely unhelpful. I asked the computer for a technician (more weirdness). The first guy I got sounded Irish and far away. He probably was in Ireland. So I gave him my account details and he immediately said he could not (or would not) help me and he would transfer me to someone who would. Then I was promptly hung up on.

I called back and got someone in India. How do I know that? I didn't have to ask because she sounded far away and I've worked side by side with people from India before. She was helpful and walked me through the same simple tests I had already done, but our conclusion was something had failed. So she offered to schedule an appointment with a technician. I asked how much that was going to cost: $49.95 just for the tech to show up because we didn't spend $7 a month on insurance. And the costs would go up from there. I said no thanks, we would think about it.

We didn't think for long. It turns out that over the last 8 years since we got it, the TV viewing in our house has dropped precipitously. The only thing being watched was the 11 O'clock news and the first half of Jay Leno (the Seahawks weren't being watched this year). This is entirely due to the internet. I spend my full day on the internet, then some of the evening if I have to. News is at the click of a mouse whenever I want to look. And now all the TV networks have current and classic shows available to watch whenever I want to see them, not when satellite has them on. We had become more and more disappointed with the channel selection. The 500 or so channels we got were filled with boring shopping channels, infomercials, foreign language channels and duplicate shows all over the place. And PPV for about half of the rest.

So last Friday we simply said we were done and I cancelled the satellite by talking to someone in the US -- what a concept -- someone on the same continent! Now we save $40 a month that we can use to buy a whole year's TV series or a couple of movies each month. And we don't care about the Feb 2009 HDTV switchover now.


By the way, this has nothing to do with NetScanTools.

Monday, October 13, 2008

DHCP Servers

People have asked me to talk a bit about the DHCP Servers. As you probably know, DHCP is used on networks to automatically assign IP addresses to client computers (or devices) that connect to the network.

When a client without an IP address starts up on the network, it sends a DHCP_DISCOVER message. The DHCP server replies with a DHCP_OFFER to that client. The client then sends back a DHCP_REQUEST and the server acknowledges with a DHCP_ACK. Once this sequence is complete, the client can use that IP address for the duration of the time period contained in the offer packet.

Our DHCP Server Discovery Tool sends the DHCP_DISCOVER message and displays the returning DHCP_OFFERs. That means if you have more than one DHCP server on your network, you can see all of them and the information they are offering.

Why is it important to see all the DHCP servers? Several reasons.

One is accidental conflicts. Two DHCP servers might be offering overlapping ranges of IP addresses. This is not a good situation and could happen if a new device is put into the network that contains a DHCP server that is active by default. Actiontec DSL routers, Windows Servers and Linux systems can all run DHCP servers.

Another similar situation that might occur is when a new device with an active DHCP server is added to a network by being moved from a previous location (a recycled device) and that device had a DHCP server offering a range of IP addresses from a different subnet than the subnet it is being moved to. Devices requesting new IP addresses might be offered an IP for a different (incorrect) subnet by the second DHCP server. This would mean that any device successfully obtaining an IP address from the new server would be prevented from talking on the network it is attached to because the IP address it has obtained is not within the subnet. This could be classified as a rogue server.

Another more dangerous scenario is when a "rogue" server is added for the specific purpose of offering legitimate IP addresses, while at the same time offering the IP address of a malicious DNS or router. The DHCP_OFFER packets contain more than just the offered IP address, they contain many other optional fields like DNS and router IPs.

Our DHCP Server Discovery Tool shows all the responding servers and the information they are offering including the IP address, subnet mask, DNS IPs, Router IPs, lease times etc. This way you can see the parameters and decide for yourself whether the information is correct -- especially if you find a second DHCP server on your network.
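Checking collected DHCP_OFFERs against what the network is supposed to hand out, as an added example (not the DHCP Server Discovery Tool's code). The offers are constructed byte strings that are parsed offline and never sent, and the addresses and the policy dictionary are assumptions made for illustration.

```python
import ipaddress
import struct

# Fixed BOOTP header (236 bytes) followed by the 4-byte DHCP magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
MAGIC = bytes([99, 130, 83, 99])
OFFER = 2  # value of option 53 (message type) in a DHCP_OFFER


def ip_text(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_offer(packet):
    """Return the offered parameters, or None if packet is not a well-formed offer."""
    if len(packet) < BOOTP.size:
        return None
    fields = BOOTP.unpack_from(packet)
    if fields[0] != 2 or fields[14] != MAGIC:      # op must be BOOTREPLY
        return None
    options, i = {}, BOOTP.size
    while i < len(packet) and packet[i] != 255:    # 255 = end of options
        if packet[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            return None
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:                   # truncated option
            return None
        options[code] = value
        i += 2 + length
    if options.get(53) != bytes([OFFER]) or len(options.get(54, b"")) != 4:
        return None

    def ip_list(code):
        raw = options.get(code, b"")
        return [ip_text(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

    lease = options.get(51, b"")
    return {
        "server": ip_text(options[54]),            # option 54: server identifier
        "offered": ip_text(fields[8]),             # yiaddr
        "mask": (ip_list(1) or [None])[0],
        "routers": ip_list(3),
        "dns": ip_list(6),
        "lease": struct.unpack("!I", lease)[0] if len(lease) == 4 else None,
    }


def audit_offers(packets, policy):
    """Compare every offer with the expected servers, subnet, routers and DNS."""
    findings = []
    for packet in packets:
        offer = parse_offer(packet)
        if offer is None:
            continue
        who = offer["server"]
        if who not in policy["servers"]:
            findings.append((who, "unauthorized DHCP server"))
        if ipaddress.ip_address(offer["offered"]) not in policy["subnet"]:
            findings.append((who, "offered %s is outside %s" % (offer["offered"], policy["subnet"])))
        findings += [(who, "unexpected router " + r) for r in offer["routers"] if r not in policy["routers"]]
        findings += [(who, "unexpected DNS " + d) for d in offer["dns"] if d not in policy["dns"]]
    return findings


def build_offer(server, offered, mask, routers, dns, lease=86400):
    """Construct sample OFFER bytes for this demonstration."""
    pk = lambda addr: ipaddress.IPv4Address(addr).packed
    opt = lambda code, data: bytes([code, len(data)]) + data
    head = BOOTP.pack(2, 1, 6, 0, 0x1234, 0, 0, bytes(4), pk(offered), pk(server),
                      bytes(4), bytes(16), bytes(64), bytes(128), MAGIC)
    return (head + opt(53, bytes([OFFER])) + opt(54, pk(server)) + opt(1, pk(mask))
            + opt(3, b"".join(map(pk, routers))) + opt(6, b"".join(map(pk, dns)))
            + opt(51, struct.pack("!I", lease)) + b"\xff")


# Assumed policy and constructed offers: the real server, a recycled device
# still serving its old subnet, and a server handing out a different DNS.
POLICY = {"servers": {"192.0.2.1"}, "subnet": ipaddress.ip_network("192.0.2.0/24"),
          "routers": {"192.0.2.1"}, "dns": {"192.0.2.53"}}
SAMPLE_OFFERS = [
    build_offer("192.0.2.1", "192.0.2.50", "255.255.255.0", ["192.0.2.1"], ["192.0.2.53"]),
    build_offer("10.9.8.1", "10.9.8.20", "255.255.255.0", ["10.9.8.1"], ["10.9.8.1"]),
    build_offer("192.0.2.200", "192.0.2.77", "255.255.255.0", ["192.0.2.1"], ["192.0.2.200"]),
]

if __name__ == "__main__":
    for server, problem in audit_offers(SAMPLE_OFFERS, POLICY):
        print("%-12s %s" % (server, problem))
```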

Stock Market Up Finally!

936 points up is amazing considering the drop over last week. Does it mean a turn-around? I don't know. I want to see a trend develop first. Hopefully it means something positive.

I would like to take issue with some of these columnists that say the losses were all on money that never existed. My 401K was down just to the amount of money that I put in there. Not fake imaginary money. Real money.

Tuesday, October 7, 2008

Stock Market Drops Again!

If the DJIA keeps falling at 500 points per day, it theoretically could be near zero in 19 days. Then what?

NetScanTools (TM) Pro 10.71 USB Version Patch Ready

On Monday October 6, we posted the patch to upgrade any previous NetScanTools (TM) Pro USB version to 10.71. This patch is available to those with active Maintenance Plans. Login through Check for New Version to download the patch.

The USB Version is a full portable version of NetScanTools Pro Edition that you can use on a Windows computer without the need for installation. Just plug it in, start the software and use it. No need to install and all data is saved on the USB flash drive.

Sunday, October 5, 2008

Windows Operating System traffic on our sites

As we approach the 2nd anniversary of the release of Windows Vista, I couldn't help but notice that the traffic on our sites still shows a huge margin of Windows XP users. Here is the raw data on two of our sites.

(10,700 hits)
On this site 93.4% of our hits are Windows users, 3.8% are Linux users and 2.3% are Mac users. Here is a breakdown of the Windows traffic:
77.8% Windows XP
17.2% Windows Vista
2.8% Windows Server 2003
2.2% Windows 2000
0.1% Windows 98
0.02% Windows ME
and 1 person using NT4 (must be Boris)

(600 hits)
On this site 92% of our hits are Windows users, 6.5% are Linux users and 1.2% are Mac users. Here is a breakdown of the Windows traffic:
81.1% Windows XP
14.6% Windows Vista
2.5% Windows Server 2003
1.8% Windows 2000

This data shows that people are not only still using XP, they are favoring XP. To be fair, there has been a couple of percentage points increase in Vista traffic since the first of 2008. I wonder what the market penetration was for XP at the two year mark? I just thought this was interesting.

Friday, October 3, 2008

New NetScanTools (TM) Pro Version 10.71

Released late today. The reason for the release was two-fold. The first is that if you entered a DNS name such as in to Name Server Lookup current DNS field, version 10.70 was not necessarily resolving that name to an IP address correctly. This problem only existed in 10.70 and it is now fixed. The second reason was to add a minor enhancement to the Name Server Lookup that Autosaves all results to a single text or log file after each tool completes the current query or action.

Thanks to Brian at Netmatrix for finding the DNS resolve issue and thanks to Phil at Ford for suggesting Autosaving.

Revision history is on our website.

New Freeware Tool and other ramblings

It's Friday. Finally. It's been a difficult couple of weeks watching the market news and Congress try to bailout Wall Street and fix the credit crisis. Funny, but they never talk about bailing out small businesses...

I saw the BLS summary of the unemployment report for September and I can directly attest to things I saw in it: every time we send out a newsletter announcement or a new program version announcement we see new bounces. Some of those may be due to changes in server level email filtering, but I think more and more of them are people who have lost their jobs. In fact some of them are long time users of our software, which is even more disturbing.

Speaking of the newsletter, we are sending it out once a month, usually during the third week of the month. If you are on our list (or you think you are on it), please whitelist email from both on your workstation or laptop AND on your email server. We know that the word "netscantools" sometimes triggers spam filters, so please whitelist us if you want email from us. In case you missed one, the newsletter archive is here.

Back to reality.

On October 1, I released a little tool as freeware that I originally made a couple years ago. This tool takes as input an IPv4 address of a device on your local subnet, then when you press the Get MAC Address button, it uses ARP to get the MAC address of the device. If the device is on and it can communicate over the network, it must respond. It must respond even if it is protected by a firewall like Windows Firewall. So it can't hide. Since ARP packets are not routed, you cannot use it to get the MAC address of some computer halfway around the world. The tool does this one IP at a time and it only works on your local subnet. If you need to scan a whole subnet with ARP to find every active device, we have that in NetScanTools Pro.

The freeware tool is called IPtoMAC and it runs on Windows Vista/2003/XP/2000 (it is codesigned for your protection) and you can download it here. It was also my first serious use of the new Visual Studio 2008 VC++ compiler. More on the new compiler in another post.

Tuesday, September 30, 2008

Tech Support call about 169.254.x.x

I had an interesting call today from someone trying out the NetScanTools Pro 10 Demo. He wanted to know if it could help him figure out why his laptop was getting a 169.254.x.x IP ( subnet mask) when he plugged it into his work network. He was aware of the Microsoft Windows XP default action of using Automatic Private IP Addressing (APIPA) to assign an IP in that range whenever DHCP failed. But he wanted to confirm that DHCP was not working and just talk to someone about it I guess.

As a way of confirming my suspicions, I had him use the DHCP Discover Tool in NetScanTools Pro 10 Demo. When he pressed the Discover button, the DHCP server returned no data and the tool timed out. I had him do this a couple of times. The tool sends out a DHCP_DISCOVER message and looks for responses much like ipconfig does -- and there were no responses.

So either his physical network connection was bad or the DHCP server was dead. He was pretty sure his network cable was OK, so that left the DHCP server itself. I had him confirm this using ipconfig /release, then ipconfig /renew, then confirmed his computer was set up to use DHCP by looking at the results of ipconfig /all. Now that he was pretty sure of the program, he had a call into whoever was responsible for the DHCP server.

I also had him go to Network Statistics to check to make sure there was only one network interface in his system and he could see all the parameters for the single interface like IP, mask and MAC address. That way he could be sure that there were no other conflicts like a wireless and a wired interface.

Friday, September 26, 2008

ARP Ping

Here is a topic ripped from our September 2008 newsletter.

The most popular search term bringing people to our website is ARP Ping. What does ARP Ping do?

If you have the purchased or even the demo version of NetScanTools Pro, you can access the tool by selecting Tools/ARP Ping. Once there, you can see that it has three options or modes. The first two are for sending an ARP Ping and the third is for searching for duplicate IP addresses. Let’s concentrate on ARP Ping first and learn what ARP Ping does and does not do.

ARP request packets are fairly simple in construction. In Ethernet networks, ARP is used to obtain the MAC address of the target given the target IP address. Our ARP packets contain the required target IP address. The broadcast MAC address is placed in the target MAC field. The Interface IP and MAC address are used in the packet to identify to the target device the sender of the ARP packet. When the target device with the IP address identified in the ARP request packet sees the ARP request packet, it fills in the target interface MAC address and sends an ARP reply packet back to the sender. The target IP is a requirement because the receiver will not reply unless it sees its own IP address in the packet. In our implementation, the act of sending an ARP request and receiving a reply is known as an ARP Ping and the timing of the packets gives us the Response Time. The timing is similar to what you would see with a command line PING, i.e. packet round-trip-time in milliseconds.

What about the broadcast and unicast options? The broadcast option means all ARP request packets we send are to the broadcast MAC address. The unicast option means the first packet uses the broadcast MAC address and all subsequent packets use the discovered MAC address of the target.

Can you input a target MAC address with the IP address blank in order to find the target’s IP address? No, because the ARP protocol does not work that way. If you were to send such a packet, it will not be responded to by any device because the IP address in the packet does not match the IP address of any receiving device.

Can you use this tool to get the MAC address of a device NOT on the same subnet as the computer running NetScanTools Pro? No, because none of the devices on the subnet will recognize the target IP address and they will not respond. EXCEPT if the router that accepts packets destined for locations outside the subnet is set up to do proxy ARP. If so, it will see that the target IP is not within the subnet and respond to you with the MAC address of the router interface on your side of the subnet.

For more information on how ARP works, see RFC 826.

How to use the ARP Ping tool to search for duplicate IP addresses. A variation on ARP is to use it to detect duplicate IP addresses by the method outlined in RFC 5227. To do this you first select Search for Duplicate IP Addresses, then you select the source IP address to place in the ARP request packet ( is preferred in the RFC, but we also provide an option for placing the Interface IP in there instead), then you enter the target IP address and press Send ARP. The target IP address is the one you want to find duplicates for. All devices using that IP address will respond to your request along with their MAC address and they will be shown in the results grid.
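The ARP packet layout and the duplicate-address check described above, as an added example (not NetScanTools Pro code). The frames are constructed bytes that are only parsed, never sent; the MAC and IP addresses are made up, and the all-zero sender IP in the probe follows RFC 5227.

```python
import ipaddress
import struct

ETH = struct.Struct("!6s6sH")            # destination MAC, source MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # RFC 826 body for Ethernet and IPv4
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
REQUEST, REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(oper, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet frame carrying one ARP packet."""
    body = ARP.pack(1, 0x0800, 6, 4, oper,
                    sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                    target_mac, ipaddress.IPv4Address(target_ip).packed)
    return ETH.pack(eth_dst, sender_mac, ETHERTYPE_ARP) + body


def build_probe(my_mac, target_ip, sender_ip="0.0.0.0"):
    """Broadcast request asking who holds target_ip (RFC 5227 style probe)."""
    return build_frame(REQUEST, BROADCAST, mac_bytes(my_mac), sender_ip, bytes(6), target_ip)


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame, or return None for anything else."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": mac_text(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def claimants(frames, target_ip):
    """MAC addresses that replied as the owner of target_ip; more than one is a duplicate."""
    owners = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["oper"] == REPLY and arp["sender_ip"] == target_ip:
            owners.add(arp["sender_mac"])
    return sorted(owners)


# Constructed capture: our probe, two devices answering for the same IP,
# an unrelated reply and one non-ARP frame.
ME = "02:00:00:00:00:01"
PROBE = build_probe(ME, "192.0.2.10")
SAMPLE_FRAMES = [PROBE] + [
    build_frame(REPLY, mac_bytes(ME), mac_bytes(mac), ip, mac_bytes(ME), "0.0.0.0")
    for mac, ip in [("00:11:22:33:44:55", "192.0.2.10"),
                    ("00:aa:bb:cc:dd:ee", "192.0.2.10"),
                    ("00:11:22:33:44:66", "192.0.2.11")]
] + [ETH.pack(mac_bytes(ME), mac_bytes("00:11:22:33:44:55"), 0x0800) + bytes(28)]

if __name__ == "__main__":
    owners = claimants(SAMPLE_FRAMES, "192.0.2.10")
    print("192.0.2.10 claimed by:", ", ".join(owners))
    print("duplicate IP address" if len(owners) > 1 else "no duplicate seen")
```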

That's a taste of some of the tips and explanations you will be seeing in this blog. It might bore you if you haven't got the faintest idea what I'm talking about...but enough people have wanted to know about ARP Ping for us to talk about it in more detail.

By the way, did you know I own four miniature herefords?

This is new for me...

Yes, this is new for me. I've done newsletters for years but never a blog. We'll see how this goes. A good friend of mine, Laura Chappell, recently put up a blog, so I decided it was time to start -- and probably long overdue. Laura's blog is here.

In case you are wondering, NetScanTools Pro is network discovery software and we are here to talk about how to use it. There will be tips published and "did you know?" types of things.

We may even talk about the timing of upcoming releases and other programs we have, so watch this space if you are interested in all things networking.