What protocol does TCP port 80 use? What are computer network ports? Sender and receiver ports


A network port is used to communicate with applications running on other network hosts (as well as with other applications on the same host).

Two basic rules are enough to understand how a port works: 1) a port (for a given protocol and local address) is bound by one program at a time and cannot be used by another program while it is held (sharing is possible only when the programs explicitly ask for it, with options such as SO_REUSEPORT); 2) all programs that talk over the network do so through ports.

For each of the TCP and UDP protocols the standard allows up to 65536 distinct ports per host, numbered 0 to 65535. On the wire, the port number in the transport header (together with the host's IP address) addresses a specific application, and a specific network connection belonging to it.

Port numbers

TCP ports do not overlap with UDP ports. That is, TCP port 1234 will not interfere with UDP traffic over port 1234.

A number of port numbers are standardized (see List of TCP and UDP ports). The list is maintained by the non-profit organization IANA.

On most UNIX-like operating systems, listening on ports 0-1023 (almost all of which are registered) requires special privileges: root, or on Linux the CAP_NET_BIND_SERVICE capability. Any of the remaining ports can be taken by the first process that asks for it. Registration does not stop at 1023, however: IANA registers numbers up to 49151.

Brief list of port numbers

TCP is assumed to be used unless otherwise noted.

  • DISCARD: 9, Discard port (RFC 863)
  • FTP: 21 for commands, 20 for data
  • SSH: 22 (remote access)
  • telnet: 23 (remote access)
  • SMTP: 25, 465, 587
  • isserver: 3055
  • XMPP (Jabber): 5222/5223 - client-server, 5269 - server-server
  • traceroute : above 33434 (UDP) (some sources indicate that it is enough to specify a port range from 33434 to 33534)

Sender and Receiver Ports

TCP segments and UDP datagrams always carry two port fields: source and destination. The service is identified by the destination port of the incoming requests, and that same number is the source port of the replies. The "reverse" port (source port of the requests, that is, destination port of the replies) is chosen by the client's operating system when a TCP connection is opened. It is an ephemeral port: numbers below 1024 and ports already in use are not handed out, and the user normally never sees it. How UDP chooses source ports is implementation-dependent.
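The rules above, shown with the Python socket API on loopback. This is an added example, not part of the original article: a TCP listener and a UDP socket bind to the same port number without conflict, a second TCP bind to that port is refused, and a client that never calls bind() is given an ephemeral source port, which the server sees as the peer port and answers from its own port. Port 0 ("let the OS choose a free port") and the address 127.0.0.1 are the only assumptions; nothing leaves the machine.

```python
import errno
import socket


def port_demo() -> dict:
    """Exercise the port rules on loopback and report what the OS did."""
    results = {}

    # Port 0 means "pick any free port"; the OS answers from its ephemeral range.
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    port = tcp_srv.getsockname()[1]
    results["server_port"] = port

    # TCP and UDP ports are separate namespaces: UDP can take the same number.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", port))
    results["udp_same_port_ok"] = udp.getsockname()[1] == port

    # One program per TCP port: a second TCP bind to the same address fails
    # with EADDRINUSE while the first socket holds it.
    dup = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        dup.bind(("127.0.0.1", port))
        results["second_tcp_bind_refused"] = False
    except OSError as exc:
        results["second_tcp_bind_refused"] = exc.errno == errno.EADDRINUSE
    finally:
        dup.close()

    # The client never calls bind(); connect() makes the OS assign an
    # ephemeral source port. The server sees it as the peer's port.
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", port))
    conn, peer = tcp_srv.accept()
    client_port = cli.getsockname()[1]
    results["client_port"] = client_port
    results["server_sees_client_port"] = peer[1] == client_port
    results["client_port_unprivileged"] = client_port >= 1024

    # Replies flow from the server's port back to the client's port: the
    # same two numbers, swapped, identify the connection in both directions.
    conn.sendall(b"hello")
    results["reply_received"] = cli.recv(5) == b"hello"
    results["reply_from_server_port"] = cli.getpeername()[1] == port

    for s in (conn, cli, udp, tcp_srv):
        s.close()
    return results


if __name__ == "__main__":
    for key, value in port_demo().items():
        print(f"{key:28} {value}")
```

Run it twice and the server and client ports change while every check stays true: the numbers are assigned by the kernel, the rules are not.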

Wikimedia Foundation. 2010.

About computer network ports.

This article describes what a system port is, why programs need one, how devices use ports to communicate over the network, and what ports have to do with the security of your data. It is an introductory article; how to monitor, configure and scan ports correctly, avoiding mistakes and understanding what is going on, is left for another time.

Computer network ports: what are they?

As soon as two computers start exchanging information over a network they open channels for that exchange. Communication between any two systems is addressed by five values; for data to travel from point A to exactly point B, all five must be known:

  • the IP address of the source
  • the IP address of the destination
  • the transport protocol the devices will use (TCP, RFC 793, or UDP)
  • the source port
  • the destination port

A port is a kind of virtual extension of the network address, like the apartment number added to the street and house number of your postal address. The postman reaches your street, but cannot deliver the letter because he does not know the apartment. In the same way, information reaches your computer by IP address, but without the right port number it goes nowhere: the computer has no way of knowing which application should process it. Network ports are the paths between services running on your computer's operating system and their peer processes on other hosts, sometimes thousands of kilometres away.

Do not confuse these with the hardware ports on the computer itself. Those are physical connectors that, unlike the ports described here, can be touched. Their function is essentially the same, though: all ports exist to receive information from other devices.

Transport protocols (TCP and UDP are the most common) carry, among other fields in each segment or datagram header, a port number from this range. When an application wants to talk to another device, it asks the local operating system for a socket, and the OS assigns or binds a port to it. An application that speaks both TCP and UDP may use the same port number for both (DNS does, on 53), but nothing requires it.

What are computer ports: how many are there?

There are 65536 port numbers (0 to 65535), and they fall into ranges. Ports up to 1023 are treated by Linux and Unix-like systems as reserved for "well-known" network services, so binding to them requires root privileges. Windows recognises the same well-known range but does not require administrator rights to bind to it.

Ports 1024 to 49151 are the "registered" range: they are, or can be, registered to particular services. The assignment is not enforced by anything, but it gives a strong hint about which program is listening on the host. The rest (49152 and up) are not registered; they are the "dynamic" or ephemeral ports, handed out by the OS as needed. Remembering which port belongs to which service is therefore only a heuristic (at least today; the situation may change). Still, a number of ports have been used by the same services "from time immemorial":

20 : FTP data
21 : FTP control
22 : SSH
23 : Telnet <= unencrypted, so not recommended
25 : SMTP
43 : WHOIS
53 : DNS
67 : DHCP server
68 : DHCP client
80 : HTTP <= ordinary web traffic
110 : POP3 mail
113 : identification service (ident), used on IRC networks
143 : IMAP mail
161 : SNMP
194 : IRC
389 : LDAP
443 : HTTPS <= encrypted web traffic
587 : SMTP <= message submission
631 : CUPS (printing)

There is something else you need to know about computer ports: the terms that describe what a port is doing at a given moment.

  • Port – a numbered endpoint in the operating system's network stack, used to exchange information over the corresponding protocol
  • Internet sockets, or simply sockets – file descriptors that combine an IP address, the associated port number and the transport protocol that will carry the data
  • Binding – associating a socket with a local IP address and port so that a service can send and receive on it
  • Listening – a bound TCP socket waiting for connection requests from clients on its port/protocol/IP address combination
  • Scanning – checking the state of ports to see which are open and ready for further interaction

What are computer ports? Seeing them for yourself

You know the list of common ports, but a service may well run on a port other than its default. And, not rarely, an open port serves as a backdoor for an attacker. So if you decide to change port settings yourself, make sure the legitimate client and server can still find each other. Otherwise, let Windows block the port, configure blocking in the router, or rely on the provider, who often blocks ports on its own initiative, without asking its customers.

You can see on your computer right now which ports are doing what. Type in the terminal:

less /etc/services

and scroll with your mouse until the end. Here they are in all their glory.

nmap, which ships with Kali Linux and is useful in every sense, carries its own list:

less /usr/share/nmap/nmap-services

If you are reading this on Windows, to see the currently open ports run the command prompt (cmd) as administrator and type:

netstat -a

A fuller picture of the ports in use on Windows is given by a small utility called Process and Port Analyzer, which is easy to find online. It shows plainly which ports are open and which programs are listening on them. Here is one of the utility's tabs:

With it you can quickly find where the process lives on the system and judge whether it is safe.

Computer Ports and Network Security

The programs and commands described here show the ports that are open in your own OS (Windows or Linux) for programs already running on the computer. Remember, though, that between your computer and a distant web server somewhere in Holland there are many devices filtering traffic far more seriously, ports included (your home router among them). It is up to those devices, not you, whether a given piece of data reaches your Windows at all. Your provider, whom you pay for access, also has a hand in it, blocking ports for security or to suppress unwanted traffic (want to run your own web server at home? it may simply not work).

Why is this done? To continue the analogy of houses and streets: imagine you buy a garage for your car (computer) at a nearby co-op. The first thing to do is make the premises hard to enter: fit good doors and reliable locks (close ports). What else? Someone installs an alarm (port scanners that check the state of the ports). Saves up and adds a fence with a gate (a router with a built-in firewall) so that a motorcycle (tablet) can be parked inside too. And so that trucks do not ruin the lawns, the board (provider) installs an automatic barrier (network filters) for its part: everything seems open, yet a stranger will not get through. And so on.

If, however, you want to find out how your computer looks from the global network (for example, to an attacker probing your defences), the methods described here are not suitable. That topic is for future articles.


Transport layer

The task of the transport layer is to carry data between applications running on network nodes. Once IP has delivered a packet to the receiving computer, the data must be handed to the specific process it is meant for. A computer can run many processes, and one application can have several entry points that act as destinations for data.

Packets arriving at the transport layer of the operating system are organized into multiple queues at the entry points of various applications. In TCP/IP terminology, these entry points are called ports.

Transmission Control Protocol

Transmission Control Protocol (TCP) is a mandatory protocol of the TCP/IP standard, defined in RFC 793, "Transmission Control Protocol".

TCP is a transport-layer protocol that carries a stream of data over a connection that must first be established. It guarantees the integrity of the received data, re-requests data that is lost or corrupted, and detects and discards duplicate segments.

Unlike UDP, it guarantees the integrity of the transmitted data and confirms to the sender that the transfer succeeded. It is used for file transfers, where the loss of a single packet could corrupt the whole file.

TCP achieves its reliability by:

  • Data from the application is divided into segments of a suitable size before sending.
  • When TCP sends a segment it starts a timer and waits for an acknowledgment from the remote end. If no acknowledgment arrives before the timer expires, the segment is retransmitted.
  • When TCP receives data from the remote side it sends an acknowledgment. The acknowledgment is not sent immediately but is usually delayed a fraction of a second so that it can be combined with others.
  • TCP computes a checksum over its header and data, end to end, to detect any change to the data in transit. A segment arriving with a bad checksum is discarded and not acknowledged; the sender is expected to time out and retransmit.
  • TCP segments travel as IP datagrams, and IP datagrams can arrive out of order, so TCP segments can too. The receiver resequences the data as needed, so the application sees it in the correct order.
  • An IP datagram can be duplicated, so the receiving TCP must discard duplicate data.
  • TCP provides flow control. Each side of a connection has a finite buffer; the receiving TCP lets the remote end send only as much data as will fit into that buffer. This prevents a fast host from overflowing a slow host's buffer.

  • The sequence number serves two purposes:
    • If the SYN flag is set, it is the initial sequence number (ISN), and the first byte of data sent in the next segment has sequence number ISN + 1.
    • Otherwise, it is the sequence number of the first byte of data in this segment.
  • Acknowledgment number – if the ACK flag is set, the sequence number the receiver expects next; it confirms receipt of everything before it.
  • Data offset (header length) – given in 32-bit words; 5 for a header without options.
  • Window size – the number of bytes the receiver is prepared to accept beyond the data it has acknowledged.
  • Checksum – covers the pseudo-header, the TCP header and the data.
  • Urgent pointer – points to the end of the urgent data, which the receiver should handle immediately.
  • URG – urgent flag; makes the Urgent Pointer field significant (the field is ignored when URG is 0).
  • ACK – acknowledgment flag; makes the Acknowledgment Number field significant (the field is ignored when ACK is 0).
  • PSH – push flag; asks the receiving TCP to deliver the data to the application without waiting to fill its buffer.
  • RST – reset flag; aborts a connection or refuses one.
  • SYN – synchronize flag; used when establishing a connection.
  • FIN – the sender has no more data to send.

Let's look at the structure of a TCP header as shown by the Wireshark network analyzer:
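The same header fields in code. This is an added example, not part of the original article: it packs a 20-byte TCP header (no options) with the checksum computed over the IPv4 pseudo-header, header and payload exactly as the field list above describes, then unpacks the fields and verifies the checksum the way a receiver would. The addresses and ports in the sample are constructed (documentation address space); no packets are sent.

```python
import socket
import struct

# Flag bits of the 16-bit "data offset / reserved / flags" word (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, csum, urg


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd octet count
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_len))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", urg_ptr=0) -> bytes:
    """Pack a 20-byte TCP header (no options) plus payload, checksum filled in."""
    offset_flags = (5 << 12) | flags          # data offset 5 words = 20 bytes
    fields = [sport, dport, seq, ack, offset_flags, window, 0, urg_ptr]
    header = struct.pack(HEADER_FMT, *fields)
    tcp_len = len(header) + len(payload)
    fields[6] = internet_checksum(pseudo_header(src_ip, dst_ip, tcp_len)
                                  + header + payload)
    return struct.pack(HEADER_FMT, *fields) + payload


def parse_segment(src_ip, dst_ip, segment: bytes) -> dict:
    """Unpack the header fields listed above and verify the checksum."""
    (sport, dport, seq, ack, offset_flags, window,
     csum, urg_ptr) = struct.unpack(HEADER_FMT, segment[:20])
    header_len = (offset_flags >> 12) * 4
    flag_bits = offset_flags & 0x1FF
    # Summing pseudo-header + whole segment (checksum field included) and
    # complementing gives 0 only if nothing was altered in transit.
    checksum_ok = internet_checksum(
        pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": sorted(name for name, bit in TCP_FLAGS.items() if flag_bits & bit),
        "window": window, "checksum": csum, "urgent_pointer": urg_ptr,
        "checksum_ok": checksum_ok,
        "payload": segment[header_len:],
    }


if __name__ == "__main__":
    # Constructed sample: a SYN to port 80 from documentation address space.
    syn = build_segment("192.0.2.1", "192.0.2.2", 40000, 80,
                        seq=1000, ack=0, flags=TCP_FLAGS["SYN"], window=65535)
    print(parse_segment("192.0.2.1", "192.0.2.2", syn))
```

Because the pseudo-header is part of the sum, a segment replayed with a different source address fails the check even though its own bytes are intact; that, not cryptographic protection, is all the checksum offers, and any on-path attacker can recompute it.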


TCP ports

Since several programs can run on the same computer, a TCP segment is delivered to a particular program by means of a per-program identifier, the port number.

The port number is a 16-bit number from 0 to 65535 (0 is reserved) that says which program the segment is intended for.

TCP ports deliver the data carried by the Transmission Control Protocol to a specific program. They are more involved than UDP ports: a UDP port is a single message queue and the entry point for UDP traffic, whereas the end point of TCP traffic is the connection itself. Each TCP connection is uniquely identified by its two endpoints.

A single TCP server port can serve many connections at once, because every connection is identified by a pair of sockets (local IP address and port, remote IP address and port), and the remote end differs for each client.

All TCP port numbers below 1024 are the well-known ports, assigned by the Internet Assigned Numbers Authority (IANA).

UDP and TCP port numbers do not overlap.

TCP programs use reserved or well-known port numbers, as shown in the following figure.

Establishing a TCP connection

Let's now see how a TCP connection is established. Suppose a process on one host wants to connect to a process on another host. Recall that the host initiating the connection is called the "client" and the other host the "server".

Before any data is transmitted, TCP requires the parties to establish a connection. This happens in three steps, the TCP "three-way handshake":

  • The requester (the client) sends a SYN segment naming the server port it wants to connect to and carrying the client's initial sequence number (ISN).
  • The server answers with its own SYN segment carrying the server's ISN. The same segment acknowledges the client's SYN with ACK = client ISN + 1; the SYN itself consumes one sequence number.
  • The client acknowledges the server's SYN with a segment whose sequence number is client ISN + 1 and whose acknowledgment number is server ISN + 1. The SYN bit is clear in this segment: the connection is now established.

Once the connection is established the two hosts can exchange data; because a TCP connection is full duplex, they can send in both directions at the same time.
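The three steps above as a small state-machine model in Python, an added example rather than the article's own material. Only the fields the handshake depends on are modelled (SYN/ACK/RST flags, sequence and acknowledgment numbers); nothing goes on the wire. The model also shows why the ISN is chosen unpredictably: an attacker who sends a spoofed SYN but cannot see the SYN-ACK has to guess the server's ISN to complete step 3, and a wrong guess is answered with RST. The names Segment and Endpoint are this example's own.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

MASK = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    """Only the header fields the handshake depends on."""
    seq: int = 0
    ack_num: int = 0
    syn: bool = False
    ack: bool = False
    rst: bool = False


def random_isn() -> int:
    # Unpredictable ISNs (RFC 6528) are what stops an attacker who cannot see
    # the SYN-ACK from completing or hijacking someone else's connection.
    return secrets.randbits(32)


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    isn: int = 0
    snd_nxt: int = 0   # next sequence number we will send
    rcv_nxt: int = 0   # next sequence number we expect to receive

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Step 1 (client): SYN carrying our ISN; the SYN uses up one number."""
        self.isn = random_isn()
        self.snd_nxt = (self.isn + 1) & MASK
        self.state = "SYN-SENT"
        return Segment(seq=self.isn, syn=True)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Advance the state machine; return the segment to send back, if any."""
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            # Step 2 (server): SYN-ACK with our ISN, acknowledging client ISN + 1.
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.isn = random_isn()
            self.snd_nxt = (self.isn + 1) & MASK
            self.state = "SYN-RECEIVED"
            return Segment(seq=self.isn, ack_num=self.rcv_nxt, syn=True, ack=True)

        if self.state == "SYN-SENT" and seg.syn and seg.ack:
            # Step 3 (client): the ACK must cover exactly our SYN; otherwise
            # RFC 793 says answer with RST and stay unconnected.
            if seg.ack_num != self.snd_nxt:
                return Segment(seq=seg.ack_num, rst=True)
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "ESTABLISHED"
            return Segment(seq=self.snd_nxt, ack_num=self.rcv_nxt, ack=True)

        if self.state == "SYN-RECEIVED" and seg.ack and not seg.syn:
            # Server side of step 3: accept only an ACK for our own ISN + 1.
            if seg.ack_num != self.snd_nxt:
                return Segment(seq=seg.ack_num, rst=True)
            self.state = "ESTABLISHED"
            return None

        return None  # anything else is ignored in this model


def handshake(client: Endpoint, server: Endpoint) -> tuple:
    """Run the three steps and return the final (client, server) states."""
    server.listen()
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return client.state, server.state


def blind_spoof(server: Endpoint, guess_isn: Callable[[], int]) -> tuple:
    """Attacker sends a SYN from a spoofed source, never sees the SYN-ACK,
    and must guess the server's ISN to finish the handshake.

    Returns (server state afterwards, whether the server answered with RST)."""
    server.listen()
    server.receive(Segment(seq=12345, syn=True))
    forged_ack = Segment(seq=12346, ack_num=(guess_isn() + 1) & MASK, ack=True)
    reply = server.receive(forged_ack)
    return server.state, reply is not None and reply.rst


if __name__ == "__main__":
    print(handshake(Endpoint("client"), Endpoint("server")))
    print(blind_spoof(Endpoint("server"), lambda: secrets.randbits(32)))
```

The second print almost always shows ('SYN-RECEIVED', True): with a 32-bit random ISN the forged ACK is rejected and the half-open entry is left behind, which is also the resource a SYN flood exhausts.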

Brief list of ports:
1. DISCARD: 9 (RFC 863)
2. FTP: 21 for commands, 20 for data
3. SSH: 22 (remote access)
4. Telnet: 23 (remote access)
5. SMTP: 25, 587
6. DNS: 53 (UDP, also TCP)
7. DHCP: 67, 68 (UDP)
8. TFTP: 69 (UDP)
9. HTTP: 80, 8080
10. POP3: 110
11. NTP: 123 (time server) (UDP)
12. IMAP: 143
13. SNMP: 161 (UDP)
14. HTTPS: 443
15. MySQL: 3306
16. Iserver: 3055
17. RDP: 3389 (remote access)
18. OSCAR (ICQ): 5190
19. XMPP (Jabber): 5222/5223/5269
20. Traceroute: above 33434 (UDP)
21. BitTorrent: 6969, 6881-6889
...

Description:

1. RFC 863 - Discard Protocol
This document specifies a standard for the ARPA Internet community; hosts that choose to implement the Discard protocol are expected to follow it. Discard is a useful tool for measurement and debugging: the service simply throws away whatever it receives.
TCP-based Discard service: the server listens for TCP connections on port 9. Once a connection is established, all data received over it is discarded and nothing is sent back, until the user closes the connection.
UDP-based Discard service: the server listens for UDP datagrams on port 9 and discards every datagram it receives without sending anything.

2. FTP (File Transfer Protocol) is a protocol for transferring files over computer networks. It lets a client connect to an FTP server, browse directories and download files from or upload files to the server; file transfer between two servers is also possible.
Port 21 carries the commands; in active mode the server opens the data connection from its port 20.

3. SSH (Secure Shell) is an application-layer network protocol for remote control of an operating system and for tunnelling TCP connections (for example, for file transfer). Port 22 is used for remote administration through SSH client programs. You can close it by stopping the SSH server (sshd).

4. TELNET (English TERminaL NETwork) - a network protocol for implementing a text interface over the network (in its modern form - using TCP transport).

5. SMTP (Simple Mail Transfer Protocol) is a protocol for transmitting email over TCP/IP networks. An SMTP client opens a TCP connection to the server on port 25.
Some providers block outgoing port 25, forcing customers to use only the provider's own SMTP servers. There is a way around that, though.
By default Postfix listens only on port 25, but it can also accept mail on the submission port 587. To do this, uncomment the following line in /etc/postfix/master.cf:
submission inet n - - - - smtpd

6. DNS (English: Domain Name System) is a distributed computer system for obtaining information about domains. The DNS protocol uses TCP or UDP port 53 to respond to requests.

7. DHCP (Dynamic Host Configuration Protocol) lets computers obtain an IP address and the other parameters needed to operate on a TCP/IP network automatically. It follows a client-server model: while configuring its network interface, the client contacts a DHCP server and receives its parameters from it. The administrator can specify the range of addresses the server hands out, which avoids configuring every machine by hand and reduces errors. DHCP is used in most TCP/IP networks. It runs over UDP: the server receives client messages on port 67 and sends replies to clients on port 68.

8. TFTP (English Trivial File Transfer Protocol) is used mainly for the initial boot of diskless workstations. TFTP, unlike FTP, does not contain authentication capabilities (although filtering by IP address is possible) and is based on the UDP transport protocol.

9. HTTP (HyperText Transfer Protocol) is an application-layer protocol for transferring data, originally hypertext documents. Port 80 is the default port of web servers; 8080 is a common alternative.

10. POP3 (Post Office Protocol version 3). Port 110 is used by mail clients to retrieve mail from the server.

11. Network Time Protocol (NTP) is a protocol for synchronizing a computer's internal clock over networks with variable latency. The Windows Time service (Windows 2003 / 2008 / 2008 R2) synchronizes with its time source over NTP on UDP port 123.

12. IMAP (Internet Message Access Protocol) is an application layer protocol for accessing email. It is based on the TCP transport protocol and uses port 143.

13. SNMP (Simple Network Management Protocol) is a network management protocol that runs over UDP. Devices that typically support SNMP include routers, switches, servers, workstations, printers and modems. The Windows SNMP service:
  • uses the Windows Sockets API;
  • sends and receives messages over UDP (port 161) and relies on IP for routing them;
  • ships with additional libraries (DLLs) that support non-standard MIBs;
  • includes the Microsoft Win32 SNMP Manager API to simplify SNMP application development.

14. HTTPS (Hypertext Transfer Protocol Secure) - an extension of the HTTP protocol that supports encryption. Data transmitted via the HTTPS protocol is “packed” in the SSL or TLS cryptographic protocol, thereby ensuring the protection of this data. Unlike HTTP, HTTPS uses TCP port 443 by default.

15. MySQL is a free database management system; its server listens on TCP port 3306 by default.

16. Iserver: 3055, a local-network service.

17. RDP (Remote Desktop Protocol) is a proprietary Microsoft application-layer protocol (developed from technology licensed from Citrix) that gives remote users access to a server running the terminal services. Clients exist for almost all versions of Windows (including Windows CE and Mobile), Linux, FreeBSD, Mac OS X, Android and Symbian. The default port is TCP 3389.

18. OSCAR (ICQ): port 5190, used by ICQ clients to reach the server.

19. XMPP (Extensible Messaging and Presence Protocol), formerly known as Jabber.
5222/5223 - client-server, 5269 - server.

20. Traceroute is a computer utility program designed to determine data routes on TCP/IP networks. (some sources indicate that it is enough to specify the port range from 33434 to 33534)

21. BitTorrent (literally "bit stream") is a peer-to-peer (P2P) protocol for cooperative file sharing over the Internet. Ports 6969 and 6881-6889 are used by torrent clients.


Network ports reveal a great deal about the applications that reach computers over the network. Knowing which applications use the network and which ports they use, you can write precise firewall rules and configure hosts to allow only useful traffic. With a profile of the network and tools that recognise network traffic you can detect intruders more effectively, sometimes simply by analysing the traffic they generate. We began this topic in the first part of the article, published in the previous issue of the magazine, which gave basic information about TCP/IP ports as the foundation of network security. Part 2 describes network- and host-based methods for identifying the applications listening on a network, and then how to evaluate the traffic passing through it.

Blocking network applications

Network attack surface is a common term for a network's exposure to attack. Many attacks come through vulnerable applications, and the attack surface shrinks considerably when fewer applications are active on the network. In other words: disable unused services, run a firewall on each dedicated system to check that traffic is legitimate, and maintain a comprehensive access control list (ACL) on the firewall at the network perimeter.

Each open network port represents an application listening on the network. The attack surface of each server connected to the network can be reduced by disabling all non-essential network services and applications. Windows Server 2003 is superior to previous versions of the operating system because it enables fewer network services by default. However, auditing is still necessary to detect newly installed applications and configuration changes that open unnecessary network ports.

Every open port is a potential way in: attackers exploit vulnerabilities in the listening application, or log in to it surreptitiously with another user's name and password (or some other legitimate authentication method). Either way, an important first step in protecting the network is simply to disable unused network applications.

Port scanning

Port scanning is the process of discovering listening applications by actively probing the network ports of a computer or other network device. Being able to read scan results and compare them with the ports reported on the host itself gives a clear picture of what is exposed on your network. Knowledge of the network topology helps in planning which areas to scan. For example, scanning your own range of external IP addresses shows you exactly what an attacker on the Internet sees. Scan your network regularly and close every port that is not needed.

Scanning from outside the firewall reveals every service that answers (such as web or email) hosted on internal servers; those servers need protecting too. Configure a port scanner such as Network Mapper (Nmap) to probe the desired group of UDP or TCP ports. TCP scans are generally more reliable than UDP scans: TCP's connection set-up gives clear feedback, whereas a UDP port that does not answer may be either open or filtered. Nmap exists for both Windows and Unix. A basic scan is easy to start, although the program offers far more advanced options. To find the open ports on the test computer, I ran the command

nmap 192.168.0.161

Screen 1 shows the results of a scan session - in this case, a Windows 2003 computer in a standard configuration. The data collected from the port scan shows that there are six open TCP ports.

Screen 1: Basic Nmap scan session
  • Port 135 is used by the RPC endpoint mapping feature found in many Windows technologies - such as COM/DCOM applications, DFS, event logging, file replication, message queuing, and Microsoft Outlook. This port should be blocked by the network perimeter firewall, but it is difficult to block it and still maintain Windows functionality.
  • Port 139 is used by the NetBIOS session service, which enables the Find Other Computers Browser, File Sharing Services, Net Logon, and the Server service. It is difficult to close, just like port 135.
  • Port 445 is used by Windows for file sharing. To close this port, you must block File and Printer Sharing for Microsoft Networks. Closing this port does not prevent the computer from connecting to other remote resources; however, other computers will not be able to connect to this system.
  • Ports 1025 and 1026 are opened dynamically and are used by other Windows system processes, in particular various services.
  • Port 3389 is used by Remote Desktop, which is not enabled by default, but is active on my test computer. To close the port, go to the Remote tab in the System Properties dialog box and clear the Allow users to connect remotely to this computer check box.

Be sure to search for open UDP ports and close unnecessary ones. The scanning program shows the open ports of the computer that are visible from the network. Similar results can be obtained using tools located on the host system.

Host scan

In addition to using a network port scanner, open ports on the host system can be detected using the following command (run on the host system):

netstat -an

This command works on both Windows and UNIX. Netstat provides a list of active ports on a computer. On Windows 2003 and Windows XP, you must add the -o option to get the corresponding process identifier (PID). Figure 2 shows the Netstat output for the same computer that was previously port scanned. Note that several ports that were previously active are now closed.
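Putting the two views side by side, as an added example that is not part of the original article: the script below parses an Nmap port table and a `netstat -an` listing (both constructed samples modelled on the ports discussed above) and reports which ports the network scanner and the host agree on, which were open to the scanner but are no longer listening (the dynamic ports 1025 and 1026 from the scan), and which the host exposes but the scan did not show (UDP sockets, since the scan covered TCP only, and loopback-only listeners). Host 192.168.0.161 is the one from the text; the netstat lines, the UDP sockets and port 1027 are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample data (not taken from the article): Nmap output for the
# test host discussed in the text, and a "netstat -an" listing taken on that
# host a little later. Ports 135, 139, 445, 1025, 1026 and 3389 mirror the
# ones the article's scan found; port 1027 and the UDP sockets are made up.
NMAP_OUTPUT = """\
Interesting ports on 192.168.0.161:
Not shown: 1691 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3389/tcp open  ms-term-serv
"""

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.0.161:139      0.0.0.0:0              LISTENING
  TCP    192.168.0.161:3389     192.168.0.5:49231      ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    192.168.0.161:137      *:*
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Local address may be IPv4, or IPv6 in brackets; the port follows the last colon.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_nmap(text):
    """Return {(proto, port): service} for every port Nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m and m.group(3) == "open":
            found[(m.group(2), int(m.group(1)))] = m.group(4)
    return found


def parse_netstat(text):
    """Return {(proto, port): bind address} for sockets that accept traffic:
    TCP sockets in LISTENING state and every UDP socket (UDP has no state)."""
    listening = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, address, port, state = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        listening[(proto, port)] = address
    return listening


def compare(scan, host):
    """Classify ports by where they were seen: network scan, host, or both."""
    scan_keys, host_keys = set(scan), set(host)
    loopback = {"127.0.0.1", "[::1]", "::1"}
    return {
        # seen from the network and listening on the host: the expected case
        "confirmed": sorted(scan_keys & host_keys),
        # open to the scanner earlier but no longer listening: a dynamic port
        # (e.g. RPC) that was released, or a service that has since stopped
        "scan_only": sorted(scan_keys - host_keys),
        # reachable from the network but not seen by the scan: a protocol the
        # scan did not cover (UDP here) or a port filtered by a host firewall
        "host_only": sorted(k for k in host_keys - scan_keys if host[k] not in loopback),
        # bound to loopback only: invisible from the network by design
        "loopback_only": sorted(k for k in host_keys - scan_keys if host[k] in loopback),
    }


if __name__ == "__main__":
    report = compare(parse_nmap(NMAP_OUTPUT), parse_netstat(NETSTAT_OUTPUT))
    for bucket, ports in report.items():
        print(f"{bucket:14s}", ", ".join(f"{port}/{proto}" for proto, port in ports) or "-")
```

The interesting buckets are the last three: a port in `scan_only` was reachable a moment ago and deserves a second scan or a look at the PID with `netstat -ano`, a port in `host_only` tells you the scanner's port range or protocol coverage was too narrow, and `loopback_only` shows what a network scan can never see.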

Firewall Log Audit

Another useful way to detect network applications that are sending or receiving data over the network is to collect and analyze more data in the firewall log. Deny entries logged on the firewall's external interface are unlikely to be useful because of the "noise traffic" (e.g., worms, scanners, ping sweeps) that clogs the Internet. But if you log allowed packets on the internal interface, you can see all incoming and outgoing network traffic.

To see the raw traffic data on your network, you can install a network analyzer that connects to the network and records all detected network packets. The most widely used free network analyzer is Tcpdump for UNIX (the Windows version is called WinDump), which is easy to install on your computer. After installing the program, configure it to capture all packets on the segment (promiscuous mode) so that it logs all traffic, then connect it to a port monitor on the network switch and monitor all traffic passing through the network. Setting up a port monitor is discussed below. Tcpdump is an extremely flexible program that can display network traffic through specialized filters and show either only IP addresses and ports or whole packets. On large networks it is difficult to make sense of a dump without suitable filters, but care must be taken that the filters do not discard important data.

Combining Components

So far, we have looked at various methods and tools that can be used to detect applications using the network. It's time to combine them and show how to determine which network ports are open. It's amazing how chatty computers are on the network! First, it is recommended that you read the Microsoft document "Service overview and network port requirements for the Windows Server system" (http://support.microsoft.com/default.aspx?scid=kb;en-us;832017), which lists the protocols (TCP and UDP) and port numbers used by applications and most core Windows Server services. The document describes these services and the associated network ports they use. We recommend that you download and print this helpful reference guide for Windows network administrators.

Setting up a network analyzer

It was previously noted that one way to determine the ports used by applications is to monitor traffic between computers using a network analyzer. To see all traffic, you need to connect the network analyzer to a hub or to a port monitor on the switch. Each port on a hub sees all the traffic from every computer connected to that hub, but hubs are an outdated technology and most companies have replaced them with switches, which provide good performance but are harder to analyze: each switch port only carries traffic destined for the one computer connected to that port. To analyze the entire network, you need to monitor the traffic sent to each switch port.

This requires setting up a port monitor (different vendors call it a SPAN port or mirrored port) on the switch. Setting up a port monitor on a Cisco Catalyst switch from Cisco Systems is easy. You log in to the switch and enter privileged (enable) mode, then enter global configuration mode (configure terminal) and select the interface of the switch port to which all monitored traffic should be sent. Finally, you specify each port to be monitored. For example, the following commands monitor three Fast Ethernet ports and forward a copy of their traffic to port 24.

interface FastEthernet0/24
 port monitor FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/3
end

In this example, a network analyzer connected to port 24 will view all outgoing and incoming traffic from computers connected to the first three ports of the switch. To view the created configuration, enter the command

write memory

Initial analysis

Let's look at an example of analyzing data passing through a network. If you are using a Linux computer for network analysis, you can get a comprehensive understanding of the type and frequency of packets on the network using a program such as IPTraf in Statistical mode. Traffic details can be found using the Tcpdump program.
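The kind of first pass described here, and the filtering the Tcpdump section mentioned earlier, as an added example that is not part of the original article: the script parses the text output of `tcpdump -nn` (a constructed capture, not a real one, in which 192.168.0.161 is the test host from the text and the other addresses are made up) and produces two summaries, how often each service port is addressed and how many payload bytes each pair of computers exchanges. A small `matches` function stands in for the `host H and port P` filter expressions tcpdump accepts, so the same counts can be narrowed to one computer or one port.

```python
import re
from collections import Counter

# Constructed capture (not from the article) in the text format of
# "tcpdump -nn" as seen on the analyzer attached to the port monitor.
# 192.168.0.161 is the test host from the text; the rest is invented.
CAPTURE = """\
12:00:01.000001 IP 192.168.0.5.49231 > 192.168.0.161.3389: Flags [S], seq 100, win 8192, length 0
12:00:01.000200 IP 192.168.0.161.3389 > 192.168.0.5.49231: Flags [S.], seq 200, ack 101, win 16384, length 0
12:00:01.000400 IP 192.168.0.5.49231 > 192.168.0.161.3389: Flags [P.], seq 101:161, ack 201, win 8192, length 60
12:00:01.500000 IP 192.168.0.5.137 > 192.168.0.255.137: UDP, length 50
12:00:01.600000 IP 192.168.0.7.137 > 192.168.0.255.137: UDP, length 50
12:00:02.000000 IP 192.168.0.7.52000 > 192.168.0.161.445: Flags [S], seq 300, win 65535, length 0
12:00:02.000300 IP 192.168.0.161.445 > 192.168.0.7.52000: Flags [S.], seq 400, ack 301, win 16384, length 0
12:00:02.000600 IP 192.168.0.7.52000 > 192.168.0.161.445: Flags [P.], seq 301:441, ack 401, win 65535, length 140
12:00:03.000000 ARP, Request who-has 192.168.0.161 tell 192.168.0.5, length 28
12:00:04.000000 IP 192.168.0.161.123 > 192.168.0.1.123: NTPv3, Client, length 48
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"; lines without ports
# (ARP, ICMP) do not match and are skipped.
PACKET = re.compile(
    r"^(?P<time>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_packet(line):
    """Parse one tcpdump text line into a dict, or None if it carries no IP ports."""
    m = PACKET.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    flags = re.search(r"Flags \[([^\]]*)\]", pkt["rest"])
    # tcpdump prints "Flags [...]" for every TCP segment; anything else with
    # ports is UDP, printed either as "UDP" or as an application decode (NTP, DNS).
    pkt["proto"] = "tcp" if flags else "udp"
    pkt["flags"] = flags.group(1) if flags else ""
    length = re.search(r"length (\d+)", pkt["rest"])
    pkt["length"] = int(length.group(1)) if length else 0
    return pkt


def matches(pkt, host=None, port=None):
    """Minimal stand-in for the tcpdump filter 'host H and port P':
    either end of the packet may carry the host or the port."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def service_ports(lines, **filt):
    """Count how often each service port is addressed. For TCP only the opening
    SYN is counted (its destination is the service port, the source is ephemeral);
    every UDP datagram is counted by its destination port."""
    counts = Counter()
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None or not matches(pkt, **filt):
            continue
        if pkt["proto"] == "tcp" and pkt["flags"] != "S":
            continue
        counts[(pkt["proto"], pkt["dport"])] += 1
    return counts


def talkers(lines, **filt):
    """Payload bytes sent per (source, destination) pair: the chatty computers."""
    volume = Counter()
    for line in lines:
        pkt = parse_packet(line)
        if pkt is not None and matches(pkt, **filt):
            volume[(pkt["src"], pkt["dst"])] += pkt["length"]
    return volume


if __name__ == "__main__":
    lines = CAPTURE.splitlines()
    for (proto, port), n in service_ports(lines).most_common():
        print(f"{port}/{proto}: {n} flows")
    for (src, dst), nbytes in talkers(lines, host="192.168.0.161").most_common():
        print(f"{src} -> {dst}: {nbytes} bytes")
```

Counting only SYNs for TCP is what keeps the ephemeral client ports (49231, 52000 in the sample) out of the service table; without that rule every response packet would add a bogus "service" on a high port, which is the same confusion a raw port-frequency view in IPTraf can cause.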
