Standard ports. How does TCP differ from UDP in simple terms?

The TCP/IP protocol is the foundation of the Internet, through which computers send and receive information from anywhere in the world, regardless of geographic location. Accessing a TCP/IP computer in another country is as easy as accessing a computer in the next room. The access procedure is identical in both cases, although connecting to a machine in another country may take a few milliseconds longer. As a result, citizens of any country can easily shop on Amazon.com; however, due to logical proximity, the task of information security becomes more complicated: any owner of a computer connected to the Internet anywhere in the world can try to establish an unauthorized connection with any other machine.

It is the responsibility of IT professionals to install firewalls and systems that detect suspicious traffic. Packet analysis retrieves the source and destination IP addresses and the network ports involved. Port numbers are no less valuable than IP addresses; together they are the most important criteria for separating useful traffic from forged and harmful messages entering and leaving the network. Most Internet traffic consists of TCP and UDP packets, which carry the network port numbers that computers use to route traffic from one application to another. A prerequisite for firewall and network security is that the administrator thoroughly understands how computers and network devices use these ports.

Studying ports

Knowledge of the basic principles of how network ports operate will be useful to any system administrator. With a basic understanding of TCP and UDP ports, an administrator can diagnose a failing network application or protect a computer that is about to be connected to the Internet without calling in a network engineer or firewall consultant.

The first part of this two-part article describes the basic concepts needed to discuss network ports. It shows where network ports fit in the general network model and the role that network ports and a NAT (Network Address Translation) firewall play when company computers connect to the Internet. Finally, it points out the places in the network where it is convenient to identify and filter traffic by network port. Part 2 looks at some of the ports used by common applications and operating systems and introduces some tools for finding open network ports.

Brief overview of network protocols

TCP/IP is a set of network protocols through which computers communicate with each other. The TCP/IP suite is nothing more than pieces of software code installed in the operating system that provide access to these protocols. TCP/IP is a standard, so a TCP/IP application on a Windows machine should communicate successfully with the same application on a UNIX machine. In the early days of networking, in 1983, engineers developed the seven-layer OSI (Open Systems Interconnection) model to describe computer networking processes, from cable to application. The OSI model consists of the physical, data link, network, transport, session, presentation, and application layers. Administrators who constantly work with the Internet and TCP/IP primarily deal with the network, transport and application layers, but successful diagnostics requires knowing the other layers as well. Despite the advanced age of the OSI model, it is still used by many specialists. For example, when a network engineer talks about Layer 1 or Layer 2 switches, or a firewall vendor talks about Layer 7 control, they are talking about the layers defined in the OSI model.

This article talks about network ports located at layer 4 - transport. In the TCP/IP suite, these ports are used by the TCP and UDP protocols. But before going into detail about one layer, it's necessary to briefly familiarize yourself with the seven OSI layers and the role they play in modern TCP/IP networks.

Layers 1 and 2: Physical cables and MAC addresses

Layer 1, physical, represents the actual medium through which the signal travels, such as copper cable, fiber optic cable, or radio signals (in the case of Wi-Fi). Layer 2, data link, describes the data format for transmission in the physical medium. At Layer 2, packets are organized into frames and basic flow control and error handling functions can be implemented. The IEEE 802.3 standard, better known as Ethernet, is the most common Layer 2 standard for modern local area networks. A typical network switch is a Layer 2 device through which multiple computers physically connect and exchange data with each other. Sometimes two computers cannot connect to each other even though the IP addresses appear to be correct; the problem may be caused by errors in the Address Resolution Protocol (ARP) cache, indicating a problem at Layer 2. Additionally, some wireless access points (Access Point, AP) provide MAC address filtering, allowing only network adapters with a specific MAC address to connect to a wireless AP.

Layers 3 and 4: IP addresses and network ports

Layer 3, the network layer, supports routing. In TCP/IP, routing is implemented by IP, and a packet's IP address belongs to Layer 3. Network routers are Layer 3 devices that examine packet IP addresses and forward the packets to another router or deliver them to local computers. If a suspicious packet is detected on the network, the first step is to check its IP address to determine where it came from.

Together with the network layer, layer 4 (transport) is a good starting point for diagnosing network problems. On the Internet, Layer 4 contains the TCP and UDP protocols and information about the network port that associates a packet with a specific application. A computer's networking stack uses a TCP or UDP network port association with an application to direct network traffic to that application. For example, TCP port 80 is associated with a Web server application. This mapping of ports to applications is known as a service.

TCP and UDP are different. Essentially, TCP provides a reliable connection for communication between two applications. Before communication can begin, the two applications must establish a connection by completing the three-step TCP handshake process. UDP is more of a fire-and-forget approach. The reliability of the connection for TCP applications is ensured by the protocol, but the UDP application has to independently check the reliability of the connection.

The network port is a number between 1 and 65535 that is specified and known to both applications between which communication is being established. For example, a client typically sends an unencrypted request to a server at a target address on TCP port 80, and a computer typically sends a DNS request to a DNS server at a target address on UDP port 53. Both the client and the server have a source and destination IP address and a source and destination network port, and these may differ. Historically, all port numbers below 1024 are called "well-known port numbers" and are registered with the Internet Assigned Numbers Authority (IANA). On some operating systems, only system processes can use ports in this range. Additionally, organizations can register ports 1024 through 49151 with IANA to associate the port with their application. This registration provides a structure that helps avoid conflicts between applications attempting to use the same port number. In general, however, nothing prevents an application from requesting a specific port as long as it is not occupied by another active program.

Historically, the server could listen on low-numbered ports, and the client could initiate a connection on a high-numbered port (above 1024). For example, a Web client might open a connection to a Web server on destination port 80, but associate a randomly selected source port, such as TCP port 1025. When responding to the client, the Web server addresses the packet to the client with source port 80 and destination port 1025. The combination of an IP address and port is called a socket and must be unique on the computer. For this reason, when setting up a Web server with two separate Web sites on the same computer, you must use multiple IP addresses, such as address1:80 and address2:80, or configure the Web server to listen on multiple network ports, such as address1:80 and address1:81. Some Web servers allow multiple Web sites to run on a single port by requesting a host header, but this function is actually performed by the Web server application at a higher layer 7.
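The exchange described above (fixed destination port, OS-chosen ephemeral source port, TCP handshake versus UDP fire-and-forget, and the uniqueness of each IP:port pair) can be observed directly with loopback sockets. The following is an added example written for this page, not code from the original article; it stands in for TCP port 80 with an OS-assigned listener port so that it never collides with a real service, and the request bytes and the UDP payload are constructed:

```python
import socket
import threading

LOOPBACK = "127.0.0.1"


def start_tcp_echo_server(connections: int):
    """Bind a TCP listener on a free loopback port (port 0 lets the OS choose one).

    In the text the listener sits on a well-known port such as TCP 80; here an
    OS-chosen port stands in for it so the demo never collides with a real service.
    Returns (port, thread, peers); peers collects the (IP, source port) of each
    client the server accepted, i.e. what the server sees as the remote socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(connections)
    port = srv.getsockname()[1]
    peers = []

    def serve():
        for _ in range(connections):
            conn, peer = srv.accept()   # returns only after the three-way handshake completed
            with conn:
                peers.append(peer)
                conn.sendall(b"echo:" + conn.recv(1024))
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread, peers


def tcp_exchange(port: int, payload: bytes) -> dict:
    """Client side: the destination port is fixed, the source port is ephemeral (chosen by the OS)."""
    with socket.create_connection((LOOPBACK, port)) as cli:
        _, src_port = cli.getsockname()
        cli.sendall(payload)
        reply = cli.recv(1024)
    return {"src_port": src_port, "dst_port": port, "reply": reply}


def udp_exchange(payload: bytes) -> dict:
    """UDP has no handshake: the datagram is simply sent; nothing confirms that it arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    srv.settimeout(2)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(payload, (LOOPBACK, port))   # fire-and-forget; the OS picks a source port on first send
    data, (_, peer_port) = srv.recvfrom(1024)
    client_port = cli.getsockname()[1]
    srv.close()
    cli.close()
    return {"data": data, "peer_port_seen_by_server": peer_port,
            "client_port": client_port, "dst_port": port}


def demo() -> dict:
    """Two TCP clients talk to one listener, then one UDP datagram is sent.

    Each TCP client gets its own ephemeral source port, so the two connections are
    distinguished by their (IP, port) pairs even though the destination socket is shared.
    """
    port, thread, peers = start_tcp_echo_server(2)
    first = tcp_exchange(port, b"GET / HTTP/1.0\r\n\r\n")    # constructed request, like a browser
    second = tcp_exchange(port, b"GET / HTTP/1.0\r\n\r\n")
    thread.join(timeout=5)
    udp = udp_exchange(b"constructed dns-like query")
    return {"tcp_first": first, "tcp_second": second, "server_saw": list(peers), "udp": udp}


if __name__ == "__main__":
    print(demo())
```

The server-side `peers` list shows the same source ports the clients reported for themselves, which is exactly the information a firewall or packet capture would see on the wire; the two connections differ only in that ephemeral port.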

As networking capabilities became available in operating systems and applications, programmers began using port numbers higher than 1024 without registering all applications with IANA. By searching the Internet for any network port, you can usually quickly find information about applications that use that port. Or you can search for Well Known Ports and find many sites that list the most common ports.

When blocking network applications on a computer or troubleshooting firewall problems, most of the work consists of classifying and filtering Layer 3 IP addresses and Layer 4 protocols and network ports. To quickly distinguish legitimate traffic from suspicious traffic, you should learn to recognize the 20 TCP and UDP ports most widely used in the enterprise.

Learning to recognize and become familiar with network ports goes beyond assigning firewall rules. For example, some Microsoft security patches describe how to close NetBIOS ports. This measure helps limit the spread of worms that penetrate through vulnerabilities in the operating system. Knowing how and where to close these ports can help reduce network security risks while preparing to deploy a critical patch.

And straight to Layer 7

It's rare to hear about Layer 5 (session) and Layer 6 (presentation) these days, but Layer 7 (application) is a hot topic among firewall vendors. The newest trend in network firewalls is Layer 7 inspection, which describes the techniques used to analyze how an application interacts with network protocols. By analyzing the payload of a network packet, a firewall can determine whether the traffic passing through it is legitimate. For example, a Web request contains a GET statement inside a Layer 4 packet (TCP port 80). If your firewall has Layer 7 functionality, it can verify that the GET statement is well-formed. Another example is that many peer-to-peer (P2P) file sharing programs can hijack port 80: the user can configure the program to use a port of their own choosing, most likely a port that has to be left open in a given firewall. If a company's employees need access to the Internet, port 80 must be open, but to distinguish legitimate Web traffic from P2P traffic that someone has directed to port 80, the firewall must provide Layer 7 control.

Role of the firewall

Having described the network layers, we can move on to describe the mechanism for communication between network applications through firewalls, paying particular attention to the network ports used. In the following example, a client browser communicates with a Web server on the other side of the firewall, just as a company employee would communicate with a Web server on the Internet.

Most Internet firewalls operate at layers 3 and 4 to examine and then allow or block incoming and outgoing network traffic. In general, the administrator writes access control lists (ACLs) that define the IP addresses and network ports of traffic that is blocked or allowed. For example, to access the Web, you launch a browser and point it at a Web site. The computer initiates an outgoing connection by sending a sequence of IP packets consisting of a header and a payload. The header contains routing information and other packet attributes. Firewall rules are often written with this routing information in mind and typically refer to the source and destination IP addresses (layer 3) and the packet protocol and port (layer 4). When browsing the Web, the destination IP address belongs to the Web server, and the protocol and destination port are (by default) TCP 80. The source IP address is the address of the computer from which the user accesses the Web, and the source port is usually a dynamically assigned number greater than 1024. The payload is independent of the header and is generated by the user application; in this case, it is a request to the Web server to provide a Web page.

The firewall analyzes outgoing traffic and allows it according to the firewall rules. Many companies allow all outbound traffic from their network. This approach simplifies configuration and deployment, but reduces security due to the lack of control over the data leaving the network. For example, a Trojan horse can infect a computer on a business network and send information from that computer to another computer on the Internet. It makes sense to create access control lists to block such outgoing information.

In contrast to this permissive treatment of outbound traffic, most firewalls are configured to block incoming traffic. Typically, firewalls allow incoming traffic in only two situations. The first is traffic arriving in response to an outgoing request sent earlier by the user. For example, if you point your browser at the address of a Web page, the firewall allows the HTML code and other components of the Web page to enter the network. The second case is hosting an internal service on the Internet, such as a mail server, Web or FTP site. Hosting such a service is usually called port translation or server publishing. The implementation of port translation varies among firewall vendors, but the underlying principle is the same. The administrator defines a service, such as TCP port 80 for the Web server, and a back-end server that hosts the service. If packets matching this service arrive at the firewall's external interface, the port translation mechanism forwards them to the specified computer on the network hidden behind the firewall. Port translation is used in conjunction with the NAT service described below.

NAT Basics

With NAT, multiple computers in a company can share a small public IP address space. A company's DHCP server can allocate IP addresses from one of the private, non-Internet-routable IP address blocks defined in RFC 1918, and multiple companies can share the same private IP address space. Examples of private IP subnets are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Internet routers drop any packets directed to one of the private addresses. NAT is a firewall feature that allows companies using private IP addresses to communicate with other computers on the Internet. The firewall knows how to translate incoming and outgoing traffic to and from the private internal IP addresses so that every computer can access the Internet.
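The three firewall behaviours described in the last few paragraphs (an outbound ACL, reply traffic admitted only for an existing outbound session, and a published service forwarded to an internal server) together with outbound NAT can be modelled in a few dozen lines. This is an added example written for this page, not any vendor's code: the addresses are constructed from documentation ranges (192.168.1.0/24 for the LAN, 203.0.113.1 as the firewall's public address, 198.51.100.0/24 for Internet hosts), the NAT port pool starting at 40000 is an arbitrary choice, and a real firewall would also track TCP state and session timeouts, which this model omits.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Toy stateful firewall with outbound NAT and inbound port translation (server publishing)."""

    def __init__(self, public_ip, outbound_acl, published, first_nat_port=40000):
        self.public_ip = public_ip
        self.outbound_acl = outbound_acl    # set of (proto, dst_port) allowed out; None = allow everything
        self.published = published          # {(proto, external_port): (internal_ip, internal_port)}
        self.next_nat_port = first_nat_port
        self.sessions = {}                  # (proto, nat_port) -> original outbound Packet
        self.log = []

    def _decide(self, verdict, reason, pkt):
        self.log.append(f"{verdict} {reason} {pkt.proto} "
                        f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return verdict

    def outbound(self, pkt):
        """Packet from the private LAN towards the Internet. Returns (verdict, translated packet or None)."""
        if self.outbound_acl is not None and (pkt.proto, pkt.dst_port) not in self.outbound_acl:
            return self._decide("deny", "outbound-acl", pkt), None
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.sessions[(pkt.proto, nat_port)] = pkt
        translated = replace(pkt, src_ip=self.public_ip, src_port=nat_port)   # source NAT
        return self._decide("allow", "outbound", pkt), translated

    def inbound(self, pkt):
        """Packet arriving on the external interface. Only replies and published services get in."""
        key = (pkt.proto, pkt.dst_port)
        orig = self.sessions.get(key)
        if orig is not None and (pkt.src_ip, pkt.src_port) == (orig.dst_ip, orig.dst_port):
            back = replace(pkt, dst_ip=orig.src_ip, dst_port=orig.src_port)   # undo the NAT for the reply
            return self._decide("allow", "established", pkt), back
        if key in self.published:
            int_ip, int_port = self.published[key]
            forwarded = replace(pkt, dst_ip=int_ip, dst_port=int_port)        # port translation
            return self._decide("allow", "published", pkt), forwarded
        return self._decide("deny", "unsolicited", pkt), None


def demo() -> dict:
    """Walk one browser session, one unsolicited probe, one hit on the published server and one blocked outbound request."""
    fw = NatFirewall(
        public_ip="203.0.113.1",                               # constructed public address
        outbound_acl={("tcp", 80), ("tcp", 443), ("udp", 53)},
        published={("tcp", 80): ("192.168.1.20", 80)},        # internal Web server behind the firewall
    )
    web = Packet("tcp", "192.168.1.10", 1025, "198.51.100.7", 80)   # browser -> Internet Web server
    v_out, natted = fw.outbound(web)
    reply = Packet("tcp", "198.51.100.7", 80, fw.public_ip, natted.src_port)
    v_reply, back = fw.inbound(reply)
    v_rdp, _ = fw.inbound(Packet("tcp", "198.51.100.9", 51000, fw.public_ip, 3389))   # unsolicited
    v_pub, fwd = fw.inbound(Packet("tcp", "198.51.100.9", 51001, fw.public_ip, 80))   # published service
    v_telnet, _ = fw.outbound(Packet("tcp", "192.168.1.10", 1026, "198.51.100.7", 23))  # not in the ACL
    return {"out": (v_out, natted), "reply": (v_reply, back), "rdp": v_rdp,
            "web_in": (v_pub, fwd), "telnet_out": v_telnet, "log": fw.log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

Note that the reply is admitted only because its source matches the remote endpoint recorded for that NAT port; a packet aimed at the same port from any other host falls through to the "unsolicited" deny, which is the property that makes the state table useful.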

In computer networking, a port is a communication endpoint within the operating system. The term also applies to hardware devices, but in software it refers to a logical construct that identifies a specific process or type of service. A port is always associated with the host's IP address and the transport protocol type, and together they complete the address of a communication session. A port is identified for each protocol and address by a 16-bit number, known as the port number. Specific port numbers are often used to identify specific services: of the thousands of enumerated ports, 1,024 well-known port numbers are reserved by convention to identify specific types of service on a host. The protocols that primarily use ports are transport protocols, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet protocol suite.

Meaning

Ports were unnecessary over direct point-to-point links, where the computer at each end could run only one program at a time. The need for them arose once machines became capable of executing more than one program at a time and were connected to modern packet-switched networks. In the client-server architecture model, ports, applications, and network clients connect to initiate a service. They provide multiplexing after the initial exchange of information has been associated with a well-known port number; that port is freed by switching each instance of request servicing to a dedicated connection. Connections are made to a specific number, so additional clients can be served without waiting.

Details

Transport protocols such as TCP and UDP specify the source and destination port number in their segment headers. The port number is an unsigned 16-bit integer and can range from 0 to 65535. For TCP, however, port number 0 is reserved and cannot be used; for UDP, the source port is optional, and a value of zero means that it is absent. A process associates its input or output channels with a transport protocol, a port number and an IP address through an Internet socket; this is known as binding, and it makes it possible to send and receive data over the network. The operating system's networking software transmits outgoing data from all application ports onto the network and forwards incoming packets to the right process by matching the packet's port number and IP address to a socket. Only one process can be bound to a specific IP address and port combination using the same transport protocol. Common application failures, sometimes called port conflicts, occur when multiple programs try to use the same port number on the same IP address with the same protocol.
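The binding rules just described can be checked against the operating system. The following added example (written for this page, not code from the original) binds a loopback socket to port 0 to let the OS choose a free number, shows that a second socket of the same protocol cannot bind the same IP:port pair, that the other transport protocol may reuse that number because TCP and UDP port spaces are independent, and that a number outside the 16-bit range is rejected before any bind is attempted. It assumes no socket option such as SO_REUSEADDR is set, which is Python's default.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"


def bind_demo(proto: str = "tcp") -> dict:
    """Exercise port-binding rules for one transport protocol ("tcp" or "udp") on loopback.

    Returns a dict describing what the OS allowed and refused.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    other_kind = socket.SOCK_DGRAM if proto == "tcp" else socket.SOCK_STREAM

    # 1. Port 0 means "any free port": the OS picks one and reports it via getsockname().
    first = socket.socket(socket.AF_INET, kind)
    first.bind((LOOPBACK, 0))
    port = first.getsockname()[1]

    # 2. Same protocol, same IP, same port: a port conflict, reported as EADDRINUSE.
    second = socket.socket(socket.AF_INET, kind)
    try:
        second.bind((LOOPBACK, port))
        conflict = None
    except OSError as exc:
        conflict = errno.errorcode.get(exc.errno, str(exc.errno))

    # 3. The other transport protocol has its own port space, so the number is free there.
    other = socket.socket(socket.AF_INET, other_kind)
    other.bind((LOOPBACK, port))
    other_proto_ok = other.getsockname()[1] == port

    # 4. 65536 does not fit in 16 bits; the socket layer rejects it without touching the network.
    probe = socket.socket(socket.AF_INET, kind)
    try:
        probe.bind((LOOPBACK, 65536))
        out_of_range = None
    except (OverflowError, OSError) as exc:
        out_of_range = type(exc).__name__

    for s in (first, second, other, probe):
        s.close()
    return {"proto": proto, "port": port, "conflict": conflict,
            "other_proto_ok": other_proto_ok, "out_of_range": out_of_range}


if __name__ == "__main__":
    print(bind_demo("tcp"))
    print(bind_demo("udp"))
```

When diagnosing a service that refuses to start, the `EADDRINUSE` result is the symptom to look for: another process of the same transport protocol already owns that IP:port pair.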

How are they used?

Applications that implement common services often use a specifically reserved well-known port number to accept service requests from clients. This process is known as listening. It involves receiving a request on the well-known port and establishing a one-to-one dialog between client and server that uses the same local port number. Other clients can continue to connect to the same listening port at the same time; this works because a TCP connection is identified by a tuple consisting of the local address, the local port, the remote address and the remote port. The well-known UDP and TCP ports are defined by convention under the control of the Internet Assigned Numbers Authority (IANA). Typically, the core network services, most notably the World Wide Web, use small port numbers, below 1024. On many operating systems, applications need special privileges to bind to these ports, because they are often considered critical to the operation of IP networks. The client end of a connection, on the other hand, typically uses a high port number allocated for short-term use, which is why such ports are called ephemeral ports.

Structure

Port numbers are encoded in the header of the transport-layer packet, where they can be interpreted not only by the sending and receiving computers but also by other components of the network infrastructure. Firewalls in particular are typically configured to differentiate between packets based on their source and destination port numbers; port forwarding is a classic example of this. Attempting to connect to a range of ports on the same computer in sequence is known as port scanning. Such activity is usually associated either with malicious intrusion attempts or with network administrators deliberately looking for possible vulnerabilities in order to prevent such attacks. Connection attempts to ports are frequently monitored and logged by the receiving computer. A related technique uses a predefined sequence of connection attempts from the client to enable a connection to the server.

Examples of using

The main example in which UDP and TCP ports are actively used is the Internet mail system. A mail server generally needs two services. The first transports email to and from other servers using the Simple Mail Transfer Protocol (SMTP); the SMTP service application typically listens on TCP port 25 to process incoming requests. The other service is POP or IMAP, which email client applications on users' machines need in order to retrieve messages from the server; POP services listen on TCP port 110. All of these services can run on the same host computer, and when they do, the port number distinguishes the service requested by the remote device. While the server's listening port number is fixed, the client's port number is chosen from the dynamic range. In some cases clients and servers each use specific ports assigned by IANA; DHCP is a good example: the client always uses UDP port 68 and the server UDP port 67.

Usage in URLs

Port numbers sometimes appear explicitly in uniform resource locators (URLs). HTTP uses TCP port 80 by default and HTTPS uses port 443, but other values are possible. For example, the URL http://www.example.com:8080/path indicates that the web browser connects to port 8080 instead of the default HTTP port 80.

List of UDP and TCP ports

As noted earlier, the IANA (Internet Assigned Numbers Authority) is responsible for the global coordination of the DNS root, IP addressing, and other Internet Protocol resources. These duties include registering the ports commonly used by well-known Internet services. All port numbers are divided into three ranges: well-known, registered, and private or dynamic. Well-known ports are those numbered from 0 to 1023; they are also called system ports. The requirements for new assignments in this range are more stringent than for other registrations.

Examples

Examples of ports on the known list include:

  • 21 – File Transfer Protocol (FTP);
  • 22 – Secure Shell (SSH);
  • 25 – Simple Mail Transfer Protocol (SMTP);
  • 53 – Domain Name System (DNS);
  • 80 – Hypertext Transfer Protocol (HTTP);
  • 119 – Network News Transfer Protocol (NNTP);
  • 123 – Network Time Protocol (NTP);
  • 143 – Internet Message Access Protocol (IMAP);
  • 161 – Simple Network Management Protocol (SNMP);
  • TCP port 443 – HTTPS.

Registered ports have numbers from 1024 to 49151; the Internet Assigned Numbers Authority maintains an official list of all well-known and registered assignments. Private or dynamic ports range from 49152 to 65535. One use of this range is ephemeral ports.
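The two preceding sections, the port implied by a URL and the three IANA ranges, combine into one small check that a client or a log reviewer can apply to any URL. This is an added example written for this page, not code from the original; the scheme-to-default-port table is assumed (the HTTP and HTTPS values are those the text gives, the rest come from the well-known list above), and `urllib.parse.urlsplit` is relied on to validate that an explicit port fits in 16 bits.

```python
from urllib.parse import urlsplit

# Assumed defaults per URL scheme. HTTP/HTTPS are the values stated in the text; the others
# are taken from the well-known port list above.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ssh": 22, "imap": 143, "pop3": 110}


def effective_port(url: str) -> int:
    """Port the client will actually connect to: the explicit ':port' if present, else the scheme default.

    urlsplit(...).port raises ValueError for a port outside 0..65535, so a URL such as
    http://host:70000/ is rejected here rather than silently truncated.
    """
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    try:
        return DEFAULT_PORTS[parts.scheme.lower()]
    except KeyError:
        raise ValueError(f"no default port known for scheme {parts.scheme!r}") from None


def port_range(port: int) -> str:
    """IANA range a port number belongs to: well-known (0-1023), registered (1024-49151) or dynamic (49152-65535)."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit: 0..65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def describe(url: str) -> dict:
    """Host, effective port, whether the port was written explicitly, and its IANA range."""
    parts = urlsplit(url)
    port = effective_port(url)
    return {"host": parts.hostname, "port": port,
            "explicit": parts.port is not None, "range": port_range(port)}


def port_or_none(url: str):
    """Like effective_port, but returns None instead of raising for an invalid or unknown port."""
    try:
        return effective_port(url)
    except ValueError:
        return None


if __name__ == "__main__":
    for u in ("http://www.example.com:8080/path", "https://www.example.com/", "http://[::1]:49152/"):
        print(u, describe(u))
```

The IPv6 literal case is included because the bracketed `[::1]` host contains colons of its own; `urlsplit` handles it correctly, whereas a naive `rsplit(":")` on the authority would not.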

History of creation

The concept of port numbers was developed by the early creators of the ARPANET, through informal collaboration between software authors and system administrators. At that time, the term "port number" was not yet used. The remote host identifier was a 40-bit number. The first 32 bits resembled today's IPv4 address, with the first 8 bits being the most significant. The less significant part of the number, bits 33 to 40, designated an object called an AEN, the prototype of the modern port number. The creation of a socket number directory was first proposed on March 26, 1972. Network administrators were then called upon to describe each fixed number in terms of the network service and its functions. This catalog was subsequently published as RFC 433 in the winter of 1972. It included a list of hosts, their port numbers, and the corresponding function used at each node on the network. The first official port number values were documented in May 1972. At the same time, a special administrative function for maintaining this register was proposed. The first list of TCP ports included 256 AEN values. They were divided into the following ranges:

— from 0 to 63 – standard functions of the entire network;

— from 64 to 127 – host-specific functions;

— from 128 to 239 – functions reserved for future use;

— from 240 to 255 – any experimental function.

The term AEN, in the early days of the ARPANET, also referred to the name of the socket that was used with the original connection protocol and network management program component, or NCP. In this case, NCP represented the forerunner of modern Internet protocols that use TCP/IP ports.

There are two types of computer-to-computer data exchange: datagrams and sessions. A datagram is a message that does not require confirmation of receipt from the receiving party; if such confirmation is necessary, the addressee must send a special message itself. To exchange data in this way, the receiving and transmitting parties must strictly adhere to a certain protocol to avoid loss of information. Each datagram is an independent message, and if there are several datagrams on the LAN, their delivery to the addressee is, generally speaking, not guaranteed. A datagram is usually part of a larger message, and on most LANs datagrams are transmitted much faster than messages within sessions.

In a session, it is assumed that a logical connection is created for the exchange of messages between computers and that receipt of messages is guaranteed. While datagrams can be transmitted at random times, in a session the session must be established before a message is transmitted, and it must be closed when the data exchange is complete.

The operating systems of most computers support multiprogramming mode, i.e. several programs are running simultaneously (several processes running in parallel). With some degree of accuracy, we can say that the process is the final destination for the message. However, because processes are created and terminated dynamically, the sender rarely has enough information to identify the process on another computer. Therefore, it becomes necessary to determine the destination of data based on the functions performed by the processes, without knowing anything about the processes that are implemented by these functions.

In practice, rather than thinking of a process as the final destination, each computer is thought of as having a set of destinations called protocol ports. Each port is identified by a positive integer (0 to 65535). The operating system provides a communication mechanism that processes use to indicate the port on which they are running or the port to which they need access. Typically ports are buffered, so data arriving at a particular port before a process is ready to receive it is not lost: it is queued until the process retrieves it.

To better understand port technology, imagine that you go to a bank to make a deposit. To do this, you need to go to a certain window, where the operator will fill out the documents and you will open an account. In this example, the bank represents a computer, and the bank operators are programs that perform specific work. The windows are the ports, and each window in the bank is often numbered (1, 2, 3, ...).

The same applies to ports, therefore, in order to communicate with a port on another computer, the sender must know both the IP address of the recipient computer and the port number on the computer. Each message contains both the port number of the computer to which the message is addressed, and the number of the source port of the computer to which the response should be sent. This makes it possible to reply to the sender for each process.

TCP/IP ports numbered 0 to 1023 are privileged and are used by network services, which, in turn, run with administrator (super user) privileges. For example, the Windows File and Folder Sharing service uses port 139, but if it is not running on the computer, then when you try to access this service (that is, this port), you will receive an error message.

TCP/IP ports 1023 to 65535 are unprivileged and are used by client programs to receive responses from servers. For example, when a user's web browser accesses a web server, it uses port 44587 on the user's computer but addresses port 80 on the web server. Having received the request, the web server sends its response to port 44587, where the web browser is waiting for it.

Network ports can provide vital information about the applications that access computers over the network. By knowing the applications that use the network and the corresponding network ports, you can create precise firewall rules and configure host computers to allow only useful traffic. By building a network profile and deploying tools to recognize network traffic, you can more effectively detect intruders - sometimes simply by analyzing the network traffic they generate. We began to consider this topic in the first part of the article published in the previous issue of the magazine. It provided basic information about TCP/IP ports as the foundation of network security. Part 2 will describe some network and host methods that can be used to identify applications listening on a network. Later in the article we will talk about how to evaluate the traffic passing through the network.

Blocking network applications

Network attack surface is a common term to describe network vulnerability. Many network attacks take place through vulnerable applications, and the attack surface can be significantly reduced by reducing the number of active applications on the network. In other words, you should disable unused services, install a firewall on the dedicated system to check the legitimacy of traffic, and create a comprehensive access control list (ACL) for the firewall at the network perimeter.

Each open network port represents an application listening on the network. The attack surface of each server connected to the network can be reduced by disabling all non-essential network services and applications. Windows Server 2003 is superior to previous versions of the operating system because it enables fewer network services by default. However, auditing is still necessary to detect newly installed applications and configuration changes that open unnecessary network ports.

Every open port is a potential backdoor through which attackers can exploit flaws in the listening application or surreptitiously access it with another user's name and password (or another legitimate authentication method). Either way, an important first step in protecting your network is simply to disable unused network applications.

Port scanning

Port scanning is the process of detecting listening applications by actively polling the network ports of a computer or other network device. Being able to read scan results and compare network reports with the results of polling ports on the host gives you a clear picture of the traffic flowing through your network. Knowledge of the network topology is important when preparing a strategic plan for scanning specific areas. For example, an attacker on the Internet can gather valuable data simply by scanning your range of external IP addresses. Therefore, you should scan your own network more often and close all unnecessary network ports.

Scanning the external firewall ports can detect all responding services (such as Web or email) hosted on internal servers; these servers should also be protected. Configure a port scanner you are familiar with (for example, Network Mapper, Nmap) to scan the desired group of UDP or TCP ports. TCP port scanning is typically more reliable than UDP scanning because TCP's connection-oriented nature provides richer feedback. There are versions of Nmap for both Windows and Unix. Starting a basic scan is easy, although the program offers many more advanced features. To find open ports on the test computer, I ran the command

nmap 192.168.0.161

Screen 1 shows the results of a scan session - in this case, a Windows 2003 computer in a standard configuration. The data collected from the port scan shows that there are six open TCP ports.

Screen 1: Basic Nmap scan session
  • Port 135 is used by the RPC endpoint mapping feature found in many Windows technologies, such as COM/DCOM applications, DFS, event logging, file replication, message queuing, and Microsoft Outlook. This port should be blocked by the network perimeter firewall, but it is difficult to block it and still maintain Windows functionality.
  • Port 139 is used by the NetBIOS session service, which enables the Find Other Computers Browser, File Sharing Services, Net Logon, and the Server service. It is difficult to close, just like port 135.
  • Port 445 is used by Windows for file sharing. To close this port, you must block File and Printer Sharing for Microsoft Networks. Closing this port does not prevent the computer from connecting to other remote resources; however, other computers will not be able to connect to this system.
  • Ports 1025 and 1026 are opened dynamically and are used by other Windows system processes, in particular various services.
  • Port 3389 is used by Remote Desktop, which is not enabled by default, but is active on my test computer. To close the port, go to the Remote tab in the System Properties dialog box and clear the Allow users to connect remotely to this computer check box.

Be sure to search for open UDP ports and close unnecessary ones. The scanning program shows the open ports of the computer that are visible from the network. Similar results can be obtained using tools located on the host system.
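The asymmetry between TCP and UDP scanning described above can be seen on your own machine. The following script is an added example, not code from the original article or from Nmap: it binds throwaway TCP and UDP listeners on loopback (the ports are chosen by the kernel at run time), probes each one, closes it, and probes again. A TCP probe gets a definite answer either way (SYN/ACK or RST). A UDP probe only learns "closed" when the kernel relays an ICMP port-unreachable message; if that message is dropped, the result is the ambiguous "open|filtered" that Nmap also reports.

```python
import socket
import threading

# Added example (not from the original article): a minimal open/closed probe
# against your own host that shows why TCP answers are definitive while UDP
# answers are not. All ports used are chosen by the kernel at run time.


def probe_tcp(host, port, timeout=1.0):
    """TCP completes a handshake: SYN/ACK means open, RST means closed,
    and silence means something in between dropped the SYN (filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def probe_udp(host, port, payload=b"probe", timeout=1.0):
    """UDP has no handshake: only an ICMP port-unreachable (surfaced by the
    kernel as ECONNREFUSED on a connected UDP socket) proves 'closed'.
    A reply proves 'open'; silence could mean open or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # connected socket so ICMP errors surface
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def run_demo(host="127.0.0.1"):
    """Bind throwaway TCP and UDP listeners, probe them, close them, probe again."""
    results = {}

    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, 0))              # port 0: let the kernel pick a free port
    tcp.listen(1)
    tcp_port = tcp.getsockname()[1]
    results["tcp_open"] = probe_tcp(host, tcp_port)
    tcp.close()
    results["tcp_closed"] = probe_tcp(host, tcp_port)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, 0))
    udp.settimeout(2.0)
    udp_port = udp.getsockname()[1]

    def echo_once():                 # a cooperative UDP service that answers
        try:
            data, peer = udp.recvfrom(1024)
            udp.sendto(data, peer)
        except OSError:
            pass

    worker = threading.Thread(target=echo_once, daemon=True)
    worker.start()
    results["udp_open"] = probe_udp(host, udp_port)
    worker.join(3.0)
    udp.close()
    # With no listener, loopback generates ICMP port-unreachable, so Linux
    # reports "closed"; a host that drops such ICMP reports "open|filtered".
    results["udp_closed"] = probe_udp(host, udp_port)
    return results


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:11s} -> {state}")
```

Run it as-is; it only talks to 127.0.0.1. The "open|filtered" branch is the reason a UDP scan of a firewalled host takes so long and says so little: the scanner has to wait out a timeout for every port that does not answer.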

Host scan

In addition to using a network port scanner, open ports on the host system can be detected using the following command (run on the host system):

netstat -an

This command works on both Windows and UNIX. Netstat provides a list of active ports on a computer. On Windows Server 2003 and Windows XP, add the -o option to get the corresponding process identifier (PID). Figure 2 shows the Netstat output for the same computer that was previously port scanned. Note that several ports that were previously active are now closed.
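The useful step is to put the two views side by side: what the host says it is listening on (netstat) and what the network actually sees (the Nmap scan). The script below is an added example, not code from the article; both sample outputs are constructed in the shape of Windows "netstat -an" and an Nmap TCP port table, and the approved-port list is an assumed policy for the example host. It reports listeners that are not on the approved list, ports the scanner saw that the host no longer shows (dynamic ports that have since closed, as the text notes), ports the host is listening on that the scanner could not reach, and services bound only to loopback.

```python
import re

# Constructed sample (not captured from a real host) in the shape of
# "netstat -an" on Windows: TCP listeners, one established session, UDP sockets.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.0.161:3389     192.168.0.10:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample in the shape of the port table a TCP "nmap <host>" prints.
NMAP_SAMPLE = """
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3389/tcp open  ms-term-serv
"""

# Assumed policy for the example host: what is allowed to listen on the network.
APPROVED = {("tcp", 135), ("tcp", 139), ("tcp", 445),
            ("udp", 137), ("udp", 138), ("udp", 445)}


def parse_netstat(text):
    """Map (proto, port) -> bound local address for TCP LISTENING and UDP sockets."""
    bound = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header lines, blank lines
        proto = parts[0].lower()
        addr, _, port = parts[1].rpartition(":")
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue                      # skip ESTABLISHED, TIME_WAIT, etc.
        bound[(proto, int(port))] = addr
    return bound


def parse_nmap(text):
    """Set of (proto, port) the scanner reported as open."""
    return {(m.group(2), int(m.group(1)))
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open\b", text, re.M)}


def reconcile(netstat_text, nmap_text, approved):
    """Compare the host's own view with the network's view and an allow-list."""
    bound = parse_netstat(netstat_text)
    scanned_open = parse_nmap(nmap_text)
    scanned_protos = {proto for proto, _ in scanned_open}   # a TCP-only scan says nothing about UDP
    reachable = {k for k, addr in bound.items() if not addr.startswith("127.")}
    return {
        # bound on a non-loopback address but not on the approved list
        "unexpected_listeners": sorted(reachable - approved),
        # reported open by the scanner yet absent from the host's table now
        "seen_by_scan_only": sorted(scanned_open - reachable),
        # listening on the host but invisible from the network (a filter in between?)
        "listening_but_unseen": sorted(k for k in reachable - scanned_open
                                       if k[0] in scanned_protos),
        # bound to loopback only, so not reachable from the network at all
        "loopback_only": sorted(k for k, addr in bound.items()
                                if addr.startswith("127.")),
    }


if __name__ == "__main__":
    for finding, ports in reconcile(NETSTAT_SAMPLE, NMAP_SAMPLE, APPROVED).items():
        print(f"{finding:22s} {ports}")
```

Feed it real output by reading the two command outputs from files instead of the constructed strings. Anything in "unexpected_listeners" is a port to close or justify; anything in "listening_but_unseen" tells you a firewall or host filter is doing its job, which is worth confirming rather than assuming.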

Firewall Log Audit

Another useful way to detect network applications that are sending or receiving data over the network is to collect and analyze more data in the firewall log. Deny entries logged on the firewall's external interface are unlikely to be useful because of the "noise traffic" (e.g., from worms, scanners, and ping sweeps) that clogs the Internet. But if you log allowed packets on the internal interface, you can see all incoming and outgoing network traffic.

To see the raw traffic data on your network, you can install a network analyzer that connects to the network and records all detected network packets. The most widely used free network analyzer is Tcpdump for UNIX (the Windows version is called Windump), which is easy to install on your computer. After installing the program, configure it to capture all packets on the segment (promiscuous mode) so that all traffic is logged, then connect it to a port monitor on the network switch to monitor all traffic passing through the network. Setting up a port monitor is discussed below. Tcpdump is an extremely flexible program that can display network traffic through specialized filters, showing only IP addresses and ports or complete packets. It is difficult to read network dumps from large networks without suitable filters, but care must be taken not to filter out important data.
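Reducing a dump to "only IP addresses and ports" is exactly the kind of summary that makes a capture readable. The following script is an added example, not code from the article or from Tcpdump: it parses constructed tcpdump-style lines (not a real capture) and counts, per destination service, new TCP connections (only the client's bare SYN, so retransmissions and the rest of the handshake are not double-counted) and UDP datagrams, along with which clients talked to each service. It assumes IPv4 and treats any port-bearing line without TCP flags as UDP, which matches how Tcpdump prints NetBIOS and DNS traffic.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture) as seen from a port
# monitor: two workstations talking to the server 192.168.0.161.
CAPTURE = """\
10:15:01.000101 IP 192.168.0.10.51234 > 192.168.0.161.445: Flags [S], seq 1, win 64240, length 0
10:15:01.000355 IP 192.168.0.161.445 > 192.168.0.10.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
10:15:01.000402 IP 192.168.0.10.51234 > 192.168.0.161.445: Flags [.], ack 1, win 64240, length 0
10:15:02.120000 IP 192.168.0.10.51235 > 192.168.0.161.3389: Flags [S], seq 5, win 64240, length 0
10:15:03.500000 IP 192.168.0.20.49200 > 192.168.0.161.445: Flags [S], seq 7, win 64240, length 0
10:15:04.000000 IP 192.168.0.20.137 > 192.168.0.255.137: UDP, length 50
10:15:04.000900 IP 192.168.0.10.137 > 192.168.0.255.137: UDP, length 50
10:15:05.000000 IP 192.168.0.20.51000 > 192.168.0.1.53: 1234+ A? example.com. (29)
"""

# Assumption: IPv4 only, so the last dotted field of each address is the port.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")


def parse_packets(text):
    """Yield (proto, src, sport, dst, dport, flags) for each decoded line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # ARP, ICMP and other non-port lines
        rest = m.group("rest")
        if rest.startswith("Flags ["):
            proto = "tcp"
            flags = rest[len("Flags ["):rest.index("]")]
        else:
            proto = "udp"                  # assumption: port-bearing non-TCP line
            flags = ""
        yield (proto, m.group("src"), int(m.group("sport")),
               m.group("dst"), int(m.group("dport")), flags)


def summarize(text):
    """Count new TCP connections (bare SYN) and UDP datagrams per service,
    and record which source addresses talked to it."""
    per_service = Counter()
    clients = {}
    for proto, src, sport, dst, dport, flags in parse_packets(text):
        if proto == "tcp" and flags != "S":
            continue                       # only the opening SYN is a new connection
        key = (proto, dst, dport)
        per_service[key] += 1
        clients.setdefault(key, set()).add(src)
    return per_service, clients


if __name__ == "__main__":
    counts, talkers = summarize(CAPTURE)
    for key, n in counts.most_common():
        proto, dst, dport = key
        print(f"{proto} {dst}:{dport:<5} {n:3d} from {sorted(talkers[key])}")
```

On a real switch port monitor, pipe `tcpdump -n` output into this script; the `-n` flag keeps addresses numeric so the regular expression matches. Services that appear here but are not in your inventory of approved ports are the ones to investigate.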

Combining Components

So far, we have looked at various methods and tools that can be used to detect applications using the network. It's time to combine them and show how to identify open network ports. It's amazing how chatty computers are on the network! First, it is recommended that you read the Microsoft document “Service overview and network port requirements for the Windows Server system” ( http://support.microsoft.com/default.aspx?scid=kb;en-us;832017), which lists the protocols (TCP and UDP) and port numbers used by applications and most core Windows Server services. This document describes these services and the associated network ports they use. We recommend that you download and print this helpful reference guide for Windows network administrators.

Setting up a network analyzer

It was previously noted that one way to determine the ports used by applications is to monitor traffic between computers using a network analyzer. To see all traffic, you need to connect the network analyzer to a hub or to a port monitor on the switch. Each port on a hub sees all the traffic from every computer connected to that hub, but hubs are an outdated technology and most companies are replacing them with switches, which perform well but are harder to analyze: each switch port carries only the traffic destined for the one computer connected to that port. To analyze the entire network, you need to monitor the traffic sent to each switch port.

This requires setting up a port monitor (different vendors call it a SPAN port or mirrored port) on the switch. Configuring a port monitor on a Cisco Catalyst switch from Cisco Systems is easy. Log in to the switch and enter privileged (enable) mode, then enter global configuration mode (configure terminal) and select the switch port to which all monitored traffic should be sent. Finally, specify each port to be monitored. For example, the following commands monitor three Fast Ethernet ports and forward a copy of their traffic to port 24.

interface FastEthernet0/24
port monitor FastEthernet0/1
port monitor FastEthernet0/2
port monitor FastEthernet0/3
end

In this example, a network analyzer connected to port 24 will view all outgoing and incoming traffic from computers connected to the first three ports of the switch. To view the created configuration, enter the command

write memory

Initial analysis

Let's look at an example of analyzing data passing through a network. If you are using a Linux computer for network analysis, you can get a comprehensive understanding of the type and frequency of packets on the network using a program such as IPTraf in Statistical mode. Traffic details can be found using the Tcpdump program.

UDP APPLICATIONS

UDP also supports Trivial File Transfer Protocol (TFTP), Simple Network Management Protocol (SNMP), and Routing Information Protocol (RIP), among many other applications.
TFTP (Trivial File Transfer Protocol) is a smaller application than File Transfer Protocol (FTP). It is mainly used for copying and installing an operating system on a computer from a file server. Generally, TFTP is used on networks for simple file transfer. TFTP includes its own error control and sequence numbering mechanism and therefore does not require additional services at the transport layer.

SNMP (Simple Network Management Protocol) monitors and manages networks and the devices attached to them, and collects information about network performance. SNMP exchanges protocol data units (PDUs) that allow network management software to monitor devices on the network.

RIP (Routing Information Protocol) is an internal routing protocol, which means it is used within an organization but not on the Internet.

TCP APPLICATIONS

TCP also supports FTP, Telnet, and Simple Mail Transfer Protocol (SMTP), among many other applications.

FTP (File Transfer Protocol) is a full-featured application that is used to copy files using a running client application on one computer linked to an FTP server application on another remote computer. Using this application, files can be received and sent.

Telnet allows you to establish terminal sessions with a remote device, typically a UNIX host, router, or switch. This gives the network administrator the ability to manage the network device as if it were nearby and attached through its serial console port. Telnet's usefulness is limited to systems that use a character-based command syntax; it does not support control of a graphical user environment.

SMTP (Simple Mail Transfer Protocol) is a mail transfer protocol for the Internet. It supports the transfer of email messages between email clients and email servers.

WELL KNOWN PORTS
Well-known ports are assigned by IANA and occupy the range 0 through 1023. They are assigned to applications that are core to the Internet.

REGISTERED PORTS
Registered ports are cataloged by the IANA and range from 1024 to 49151. These ports are used by licensed applications such as Lotus Mail.

DYNAMICALLY ASSIGNED PORTS
Dynamically assigned ports are numbered from 49152 to 65535. The numbers for these ports are assigned dynamically for the duration of a specific session.