
dynamic port numbers

By Robert Sheldon
What are dynamic port numbers?
The dynamic port numbers (also known as the private port numbers) are the port numbers that are available for any application to use in communicating with any other application, using the internet's Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
What are dynamic private ports?
A port can be either hardware-based or software-based. A hardware-based port is a physical interface -- such as a jack or socket -- for connecting with other systems. A software-based port -- sometimes referred to as a virtual port -- is a logical communication endpoint that's managed by the host's operating system (OS). Software-based ports are numbered and can be assigned to specific processes or services. The host computer uses these ports to direct traffic to the associated process or service.
Software-based ports are identified by 16-bit integers that range from 0 to 65535. The ports can be either static or dynamic. A static port is one whose association with a process or service does not change. A dynamic port -- also called a private port -- is one that is assigned to a process or service at the time the port is needed, usually when the process or service is started. When assigning dynamic ports, the OS can use any ports available from the range of ports designated for this purpose.
Whether a port is static or dynamic, it's always associated with a protocol, usually TCP or UDP. Incoming connections must specify the correct port number in order to connect to the application or service, unless the port is implied by the type of communication.
For example, port 80 is reserved for communications that use Hypertext Transfer Protocol (HTTP). When users connect to a web application that uses port 80, they do not need to specify the port number in the Uniform Resource Locator (URL) because it's implied. However, if the web application uses a port other than 80, the port number must be added to the end of the URL, preceded by a colon, as in www.techtarget.com:443.

How do dynamic port numbers work?
A port is identified by its port number. If the port is associated with a process or service, the port number also identifies that process or service. For this reason, when an application on one host computer communicates with an application on a different computer, the calling application usually specifies the target application's port number in each data transmission.
For example, the TCP header in an Internet Protocol packet transmitted over the internet includes both the source port and the destination port.
If an application knows the destination port number, it can call the number directly. If it does not know the port number, the application can use one of several methods to determine the number, such as querying the domain name system service records or making a system call that looks up the port number based on the service name.
The port numbering system has been standardized across the internet and provides a mechanism for registering service names and assigning port numbers. The Internet Assigned Numbers Authority (IANA) maintains this system, although the Internet Corporation for Assigned Names and Numbers now manages most IANA functions. That said, the port numbering functions are still presented as IANA services.
The port numbering system is described in Request for Comments (RFC) 6335, an Internet Engineering Task Force publication. RFC 6335 includes details about service name usage and port registries, as well as a breakdown of the port number ranges. In addition to TCP and UDP, the port numbering system also applies to UDP-Lite, Stream Control Transmission Protocol and Datagram Congestion Control Protocol.
The registries for these protocols are divided into three categories, based on the available range of numbers (0 to 65535):
- System ports, also known as well-known ports, include ports 0 to 1023 and support commonly used services.
- User ports, also known as registered ports, include ports 1024 to 49151 and are assigned to specific services, based on service applications submitted to IANA.
- Dynamic ports, also known as private or ephemeral ports, include ports 49152 to 65535 and are never assigned.
At any given time, a system or user port exists in one of the following three states:
- The port is currently assigned to a service, and the assignment is recorded in the registry.
- The port is available for assignment upon request. The request requirements are outlined in RFC 6335. IANA assigns port numbers on a first-come, first-served basis.
- IANA has reserved the port for special purposes.
Examples of system and user ports include the following:
- Secure Shell, port 22
- Simple Mail Transfer Protocol, port 25
- HTTP, port 80
- OpenVPN, port 1194
- Microsoft SQL Server, port 1433
- Point-to-Point Tunneling Protocol, port 1723
Dynamic port numbers exist in a category separate from the other two because they can never be assigned or reserved. IANA has specifically set aside the port numbers in the dynamic range for local, private or temporary use, leaving it up to the host computers and application software to determine how and when to use these ports. However, application developers should not assume that a specific port number in the dynamic range will always be available.
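The three RFC 6335 ranges above, and the caveat that a host's own ephemeral allocation need not match them, as an added Python example that is not code from the article. It only binds to loopback port 0 (which asks the OS for a free port) and never sends traffic; the procfs path it reads is an assumption that holds on stock Linux.

```python
"""Classify port numbers into the three RFC 6335 ranges and probe what the
local OS actually hands out as an ephemeral (dynamic) port.

Added example; not code from the article. It binds only to loopback
port 0, which asks the OS to pick a free port, and never sends traffic.
"""
import os
import socket
from typing import List, Optional, Tuple

# Range names and boundaries as given in RFC 6335.
SYSTEM = "system"    # 0-1023, also called well-known ports
USER = "user"        # 1024-49151, also called registered ports
DYNAMIC = "dynamic"  # 49152-65535, also called private or ephemeral ports


def classify_port(port: int) -> str:
    """Return the RFC 6335 range name for a 16-bit port number."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside the 16-bit range 0-65535")
    if port <= 1023:
        return SYSTEM
    if port <= 49151:
        return USER
    return DYNAMIC


def probe_ephemeral_port(kind: int = socket.SOCK_STREAM) -> int:
    """Ask the OS for an ephemeral port by binding to port 0 on loopback.

    The socket is closed immediately, so the number is only a sample of
    the range the OS draws from, not a reservation.
    """
    with socket.socket(socket.AF_INET, kind) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def configured_ephemeral_range() -> Optional[Tuple[int, int]]:
    """Read the Linux ephemeral range, if this host exposes it via procfs.

    Returns None elsewhere (Windows keeps it in the netsh dynamicport
    setting instead). The path is an assumption; present on stock Linux.
    """
    path = "/proc/sys/net/ipv4/ip_local_port_range"
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        low, high = fh.read().split()
    return int(low), int(high)


def ephemeral_report(samples: int = 5) -> dict:
    """Sample ephemeral ports and say which IANA range they really fall in."""
    ports: List[int] = [probe_ephemeral_port() for _ in range(samples)]
    ranges = sorted({classify_port(p) for p in ports})
    return {
        "ports": ports,
        "iana_ranges_seen": ranges,
        # True only if every sample lies in 49152-65535 as RFC 6335 suggests.
        "all_in_iana_dynamic_range": ranges == [DYNAMIC],
        "os_configured_range": configured_ephemeral_range(),
    }


if __name__ == "__main__":
    print(ephemeral_report())
```

On a default Linux host the samples land in the user range (the kernel draws from 32768-60999), so firewall rules or detection logic that assume client source ports start at 49152 will miss legitimate traffic.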
The default dynamic port range for TCP/IP has changed since Windows Vista and in Windows Server 2008
This article describes the changes to the default dynamic port range for TCP/IP in Windows Vista and in Windows Server 2008.
Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure that you are running Windows Vista with Service Pack 2 (SP2). For more information, go to the following Microsoft website: Support is ending for some versions of Windows
Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 - all editions
Original KB number: 929851
Introduction
To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and Windows Server 2008. The new default start port is 49152, and the new default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000.
More Information
You can view the dynamic port range on a computer that is running Windows Vista or Windows Server 2008 by using the following netsh commands:
- netsh int ipv4 show dynamicport tcp
- netsh int ipv4 show dynamicport udp
- netsh int ipv6 show dynamicport tcp
- netsh int ipv6 show dynamicport udp
The range is set separately for each transport (TCP or UDP). The port range is now truly a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server 2008 may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of 49152 through 65535. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server.
You adjust this range by using the netsh command, as follows:
netsh int <ipv4|ipv6> set dynamicport <tcp|udp> start=number num=range
This command sets the dynamic port range for the selected transport (TCP or UDP). The start port is number, and the total number of ports is range.
The following are sample commands:
- netsh int ipv4 set dynamicport tcp start=10000 num=1000
- netsh int ipv4 set dynamicport udp start=10000 num=1000
- netsh int ipv6 set dynamicport tcp start=10000 num=1000
- netsh int ipv6 set dynamicport udp start=10000 num=1000
These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000.
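The range arithmetic and limits described above (start 1025 or higher, at least 255 ports, end no greater than 65535), plus the firewall recommendation from the previous section, as an added Python example; it is not Microsoft's code, and the sample netsh output and its field labels are constructed assumptions.

```python
"""Checks for the Windows dynamic port range settings described in KB 929851.

Added example, not Microsoft's code. It parses 'show dynamicport' text
(sample output constructed below with the KB's default values; the field
labels are assumed), validates a proposed start/num pair against the
limits the KB states, and finds any part of the range an internal firewall
rule does not allow.
"""
import re
from typing import List, Tuple

MIN_START = 1025    # lowest start port netsh accepts
MIN_NUM = 255       # smallest range size netsh accepts
MAX_PORT = 65535    # end port may not exceed this

# Constructed sample of: netsh int ipv4 show dynamicport tcp (Vista/2008 default)
SAMPLE_NETSH_OUTPUT = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""


def parse_dynamicport(output: str) -> Tuple[int, int, int]:
    """Return (start, num, end) from 'netsh ... show dynamicport' text."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", output).group(1))
    num = int(re.search(r"Number of Ports\s*:\s*(\d+)", output).group(1))
    return start, num, start + num - 1


def validate_range(start: int, num: int) -> List[str]:
    """List every limit from the KB that a proposed range breaks (empty if OK)."""
    problems = []
    if start < MIN_START:
        problems.append(f"start port {start} is below the minimum {MIN_START}")
    if num < MIN_NUM:
        problems.append(f"range size {num} is below the minimum {MIN_NUM}")
    if start + num - 1 > MAX_PORT:
        problems.append(f"end port {start + num - 1} exceeds {MAX_PORT}")
    return problems


def netsh_set_commands(start: int, num: int) -> List[str]:
    """Build the four 'set dynamicport' commands (TCP and UDP, IPv4 and IPv6)."""
    problems = validate_range(start, num)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"netsh int {family} set dynamicport {proto} start={start} num={num}"
        for family in ("ipv4", "ipv6")
        for proto in ("tcp", "udp")
    ]


def uncovered_ports(allowed: List[Tuple[int, int]], start: int,
                    num: int) -> List[Tuple[int, int]]:
    """Sub-ranges of the dynamic range that no allowed (low, high) rule covers.

    Useful when checking that an internal firewall permits the whole
    dynamic range a server uses for RPC, as the KB recommends.
    """
    end = start + num - 1
    gaps = []
    cursor = start
    for low, high in sorted(allowed):
        if high < cursor:
            continue          # rule ends before the part we still need
        if low > end:
            break             # rule starts past the dynamic range
        if low > cursor:
            gaps.append((cursor, min(low - 1, end)))
        cursor = max(cursor, high + 1)
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps
```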
When you install Microsoft Exchange Server 2007 on a Windows Server 2008-based computer, the default port range is 1025 through 60000.
For more information about security in Microsoft Exchange 2007, go to the following Microsoft TechNet website: Exchange 2007 Security Guide
For more information about IANA port-assignment standards, go to the following IANA website: Service Name and Transport Protocol Port Number Registry
What are the differences between the 3 port types?
I have already read through a thread very similar to this one but I still didn't understand it.
Could anyone explain the difference between well known, registered and dynamic ports.
What I know so far:
well known ports are used for listening and are port forwarded to send traffic to a specific ip
dynamic ports are client side and are used only for the active session. once it expires the port becomes available again. These are only used so the traffic comes back to the correct user.
Registered - don't understand at all
- Simon, if you have any question on any post then comment on the answer that has been posted, and they can clarify. That can make answers, and your understanding of them, even better. – barlop Aug 13, 2015 at 11:38
4 Answers
Well-Known Ports
- The port numbers in the range from 0 to 1023 are the well-known ports or system ports. They are used by system processes that provide widely used types of network services. On Unix-like operating systems, a process must execute with superuser privileges to be able to bind a network socket to an IP address using one of the well-known ports.
Dynamic Ports
- The range 49152–65535 (2^15 + 2^14 to 2^16 − 1) contains dynamic or private ports that cannot be registered with IANA. This range is used for private, or customized services or temporary purposes and for automatic allocation of ephemeral ports.
Registered Ports
- The range of port numbers from 1024 to 49151 are the registered ports. They are assigned by IANA for specific service upon application by a requesting entity.[1] On most systems, registered ports can be used by ordinary users. Here are the well-known ports and here are the registered ports.
Here is a great explanation of what ports are for, compliments of jcrawford
As far as the TCP and UDP protocols are concerned, ports are all the same. Any of them can be used for a service/daemon to listen on, any of them can be port-forwarded in a NAT (a.k.a. NAPT, PAT) gateway, and any of them can be used for a client to initiate a connection from.
Historically, a lot of well known protocols, such as HTTP (80), have been assigned default ports below 1024, so many OSes, including most Unixes and Unix-like OSes, don't allow you to open a listener on those ports unless you have administrator/root credentials. This is under the assumption that your Unix box is actually a multi-user system, and J. Random User shouldn't be able to run an HTTP server on the box and make it seem like that user's HTTP server is THE OFFICIAL HTTP server for that box by running it on port 80. Same with SSH (22), Telnet (23), SMTP (25), FTP (21), etc.
Between 1024 and 49152 are a bunch ports that have been assigned as the default port for a lot of not-so-well-known, especially corporate/proprietary protocols. It's considered best practice for an OS to try not to use these ports.
When a client or server process asks to listen on a port, or asks to initiate an outgoing TCP connection or UDP flow, and doesn't specify a particular port, the TCP and UDP networking code in the kernel (the "network stack") assigns them a currently unused port arbitrarily. In order to not get in the way of services that may later want to use proprietary "registered" ports, the network stack will typically try to avoid using either well-known or registered ports for this, and instead will restrict itself to the ephemeral/dynamic ports between 49152 and 65535.
They're just numbers. You don't need to think of them as any more complicated than that.
For instance, TCP port 80 is widely recognized as being the HTTP port. Because that service was recognized as being important, it was given a relatively low number on IANA's ports list . (Click the "XML" hyperlink on that page if you want to see the whole list, not broken up by port number.)
However, if you wanted to place a different service (like an SSH server) on a non-default port (like TCP port 80), this will work. Typically this means that both the server and the client will need to specify non-default settings, and there may be some other side effects (like "netstat -a" showing "www" even though it is an SSH connection), but it will work.
So what this means is that there's really no technical difference between a "well-known" port, or a "registered port", or a "dynamic"/"ephemeral" port. In many cases the ports behave exactly the same, and if the ports are treated differently based on which number range they fall in, that is often just some default behavior that can be overridden.
The ports 1023 and lower are lumped into the "well-known" category just because the number is 1023 or less. In fact, IANA's page even provides different names for these categories: "System" ports (for 0-1023), User ports (for 1024-49151), and Private ports (for 49152-65535). So, even the names of the categories can vary. In summary, unless you're preparing for an examination, you don't typically need to worry too much about which category a port number falls into.
Your definition for dynamic ports looks clearer in some ways, than any of the answers.
dynamic ports are client side and are used only for the active session. once it expires the port becomes available again. These are only used so the traffic comes back to the correct user".
I'd just amend that last word to "client".
Users aren't relevant, it's all about the computers. Users just facilitate the communication of the computers!
The server can use the IP to send it to the right computer(the client computer). It got a packet it sees the source IP of the packet it got and it can write that in as the dest IP when it sends the packet out.
Toomgo points out in his comment, that a process can start many "conversations".
The client port will identify which conversation that packet is part of.
I'd say well known ports are for listening. So, as you know, they're server side. The computer with the port that listens is the server (according to a main definition for server anyway)
NAT Routers if they're doing port forwarding, would port forward to them. But Port forwarding is something that if done, is done on the "NAT router" but you could connect from one computer in your LAN, to another computer in your LAN. No port forwarding. So it's not part of any definition of when you are using a well known port.
I'm not sure that I do either.
It looks like they might just be the same as well known ports but not as well known, i.e. one could call them less well known ports. And the so-called well known ports are < 1024, and the so-called registered ports are over 1023.
Really technically it doesn't matter what IANA say a port is for. People can run servers on any port they want as long as they know or find out what is running on the port so they know what they're connecting to / what port to connect on. Of course if you're dealing with people that expect something to be on a particular port or software expects it, then you might want to use that port. Like port 80 for webpages, and some use port 8080 for internal web. Or as a memory aid you might want to stick to convention. As one layer of security people sometimes run a server on a high port so a hacker can't guess it.
A NAT router if doing port forwarding, would port forward to them too.
So the distinction you made, is the best. The dynamic client side ports, and the server side ports. And yeah if any NAT router is doing port forwarding, they'd do it to the server side ports. And IANA seems to have lists that name the server side ports numbers with what conventionally would be on there, and they categorize the lists, with the conventions for ports < 1024 as "well known" and the conventions for ports > 1023 as "registered" which I guess is like less well known. But technically I guess there isn't really a difference beyond that.
- I agree 100% that well-known ports and registered ports are kind of a fuzzy mix. The only main difference I know of is that in Unix environments, you need sudo privileges in order to bind well-known ports. I found a few interesting explanations between the two. – DrZoo Aug 13, 2015 at 0:08
- @barlop Despite your "I'd say" and "i'm not sure" and "I guess", you're pretty right. One note is that the TCP port numbers are meant to distinguish conversations, not users or computers. For instance, you can create multiple HTTP or FTP connections to the same server, and download multiple files at once. The TCP port numbers (combined with the IP/network address) can help keep track of which incoming data is meant for which file transfer communication/conversation, even if the same user @ the same computer is being used. – TOOGAM Aug 13, 2015 at 0:22
- @TOOGAM Yeah.. indeed, more specific than computer.. I'd note though that in the case of UDP ports it can potentially be a monologue, rather than a connection/"conversation". I suppose it could be a conversation too even with UDP (even though technically UDP is termed connection-less). And I suppose the ports help the OS identify what process the packet is for, as well as helping the process (as you say) identify which "conversation" the packet was/is part of. – barlop Aug 13, 2015 at 1:01
- 1 If I send two DNS queries to the same DNS server (using UDP), the correct response should match the query. So UDP does support the concept of multiple conversations (hence the usefulness of port numbers) and replies, even though it doesn't do TCP's fancy "3-way handshake" method of initiating what TCP calls a "connection". – TOOGAM Aug 13, 2015 at 1:03
Registered Port
Walter Goralski, in The Illustrated Network (Second Edition), 2017
Well-Known Ports
Port numbers can run from 0 to 65535. Port numbers from 0 to 1023 are reserved for common TCP/IP applications and are called well-known ports. The use of well-known ports allows client applications to easily locate the corresponding server application processes on other hosts. For example, a client process wanting to contact a DNS process running on a server must send the datagram to some destination port. The well-known port number for DNS is 53, and that’s where the server process should be listening for client requests. These ports are sometimes called “privileged” ports, although a number of applications that formerly ran in “privileged” mode, such as HTTP servers, do not run this way anymore except when binding to the port. It should be noted that it is getting harder and harder to register new applications in the space below 1023 (these often use registered ports in the range 1024 to 49151).
Ports used on servers are persistent in the sense that they last for a long time, or at least as long as the application is running. Ports used on clients are ephemeral (“lasting a short time,” although the term technically means “lasting a day”) in the sense that they “come and go” as the user runs client applications.
Technically, UDP port numbers are independent from TCP port numbers. In practice, most of the applications indexed by port numbers are the same in UDP or TCP (although a few applications can use either protocol), excepting a handful that are maintained for historical reasons. This does not imply that applications can use TCP or UDP as they choose. It just means that it’s easier to maintain one list rather than two. But no matter what port numbers are used, UDP port 1000 is a different application than TCP port 1000, even though both applications might perform the same function.
Some of the more common well-known port numbers are shown in Table 11.1. In the table, the UDP and TCP port numbers are identical.
Table 11.1. Some Well-Known Ports Used by UDP and TCP Services and Functions
Port numbers above 1023 can be either registered or dynamic (also called private or non-reserved). Registered ports are in the range 1024 to 49151. Dynamic ports are in the range 49152 to 65535. As mentioned, most new port assignments are in the range from 1024 to 49151.
Registered port numbers are non–well-known ports that are used by vendors for their own server applications. After all, not every possible application capability will be reflected in a well-known port, and software vendors should be free to innovate. Of course, if another vendor chooses the same port number for a server process, and they are run on the same system, there would be no way to distinguish between these two seemingly identical applications.
Well-known ports —Ports in the range 0 to 1023 are assigned and controlled.
Registered ports —Ports in the range 1024 to 49151 are not assigned or controlled, but can be registered to prevent duplication.
Dynamic ports —Ports in the range 49152 to 65535 are not assigned, controlled, or registered. They are used for temporary or private ports. They are also known as private or non-reserved ports. Clients should choose ephemeral port numbers from this range, but many systems do not.
Vendors can register their application’s ports with ICANN. Other software vendors are supposed to respect these registered values and register their own server application port numbers from the pool of unused values. Some registered UDP and TCP protocol numbers are shown in Table 11.2.
Table 11.2. Selected Registered UDP and TCP Ports with Service and Brief Description of Meaning
The private, or dynamic, port numbers are used by clients and not servers. Datagrams sent from a client to a server are typically only sent to well-known or registered ports (although there are exceptions). Server applications are usually long lived, while client processes come and go as users run them. Client applications therefore are free to choose almost any port number not used for some other purpose (hence the term “dynamic”), and many use different source port numbers every time they are run. The server has no trouble replying to the proper client because the server can just reverse the source and destination port numbers to send a reply to the correct client (assuming the IP address of the client is correct).
All TCP/IP implementations must know the range of well-known, registered, and private ports when choosing a port number to use. Unix systems hold this information in the /etc/services file. Windows users can find it in the C:\%SystemRoot%\system32\drivers\etc\SERVICES file, where %SystemRoot% is automatically resolved to a folder such as WinNT or WINDOWS. Most entries apply to both UDP and TCP, but some are unique to one or the other. For example, FTP control uses TCP port 21.
Here is the beginning of the file from winsrv2:
# Copyright (c) 1993-2004 Microsoft Corp.
# This file contains port numbers for well-known services defined by IANA
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
[many more lines not shown...]
For the latest global list of well-known, registered, and private port numbers, see www.iana.org/assignments/port-numbers. The port numbers are the same for IPv4 and IPv6.
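A parser for the services file layout quoted above (name, port/protocol, aliases, comment), as an added Python example that is not from the book or from any vendor; the sample lines are constructed in that layout rather than copied from a real host, and the parser keeps TCP and UDP entries with the same number as separate keys, which is the point the text makes about UDP port 1000 versus TCP port 1000.

```python
"""Parser for the services file format quoted above:
    <service name> <port number>/<protocol> [aliases...] [#<comment>]

Added example; not from the book or from any vendor. The sample text is
constructed in that layout (it is not a copy of a real host's file) so
the code runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in services-file layout (names follow IANA conventions).
SAMPLE_SERVICES = """\
# <service name> <port number>/<protocol> [aliases...] [#<comment>]

ftp-data   20/tcp                       # FTP, data
ftp        21/tcp                       # FTP, control
ssh        22/tcp                       # SSH Remote Login Protocol
domain     53/tcp                       # Domain Name Server
domain     53/udp                       # Domain Name Server
http       80/tcp    www www-http       # World Wide Web
openvpn    1194/udp
ms-sql-s   1433/tcp                     # Microsoft-SQL-Server
bogus      abc/tcp                      # malformed: port must be numeric
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)"
    r"(?P<aliases>(?:\s+[^#\s]+)*)\s*(?:#\s*(?P<comment>.*))?$",
    re.IGNORECASE,
)

ServiceKey = Tuple[int, str]           # (port, "tcp" or "udp")


def parse_services(text: str) -> Dict[ServiceKey, dict]:
    """Parse services text into {(port, proto): {name, aliases, comment}}.

    Blank lines, comment lines and lines that do not fit the format are
    skipped rather than raising, which is how system resolvers behave.
    """
    table: Dict[ServiceKey, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        port = int(match["port"])
        if port > 65535:
            continue
        table[(port, match["proto"].lower())] = {
            "name": match["name"],
            "aliases": match["aliases"].split(),
            "comment": (match["comment"] or "").strip(),
        }
    return table


def service_name(table: Dict[ServiceKey, dict], port: int,
                 proto: str) -> Optional[str]:
    """Name for a (port, proto) pair, or None when the file has no entry."""
    entry = table.get((port, proto.lower()))
    return entry["name"] if entry else None


def ports_for_name(table: Dict[ServiceKey, dict], name: str) -> List[ServiceKey]:
    """All (port, proto) keys whose name or alias matches, e.g. 'www' -> 80/tcp."""
    wanted = name.lower()
    return sorted(
        key for key, entry in table.items()
        if entry["name"].lower() == wanted
        or wanted in (alias.lower() for alias in entry["aliases"])
    )
```

The alias lookup is why tools such as netstat label a connection on port 80 as "www" regardless of what is actually listening there; the file maps numbers to conventional names, not to the service really bound.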
Walter Goralski , in The Illustrated Network , 2009
PORT NUMBERS
Each application running above UDP (and TCP) and IP is indexed by its port number, allowing for the multiplexing of the IP layer. Just as frames with different types of packets inside (on Ethernet, IPv4 is 0x0800 and IPv6 is 0x86DD) are multiplexed onto a single LAN interface, the individual IPv4 or IPv6 packets are multiplexed and distributed by the protocol number (UDP is IP protocol number 17, and TCP is 6).
The port numbers in turn multiplex and distribute datagrams from applications, allowing them to share a single UDP or TCP process, which is usually integrated closely with the operating system. This function of frame Ethertype, packet protocol, and datagram port is shown in Figure 10.5. The figure shows how IPv4 data for DNS makes its way from frame through IPv4 through UDP to the DNS application listening on UDP port 53.
FIGURE 10.5. UDP port multiplexing and distribution, showing how a single IP layer (IPv6 in this case) can be used by multiple transport protocols and applications.
Port numbers can run from 0 to 65353. Port numbers from 0 to 1023 are reserved for common TCP/IP applications and are called well-known ports . The use of well-known ports allows client applications to easily locate the corresponding server application processes on other hosts. For example, a client process wanting to contact a DNS process running on a server must send the datagram to some destination port. The well-known port number for DNS is 53, and that's where the server process should be listening for client requests. These ports are sometimes called “privileged” ports, although a number of applications that formerly ran in “privileged” mode, such as HTTP servers, do not run this way anymore except when binding to the port. It should be noted that it is getting harder and harder to register new applications in the space below 1023 (these often use registered ports in the range 1024 to 49151).
Technically, UDP port numbers are independent from TCP port numbers. In practice, most of the applications indexed by port numbers are the same in UDP or TCP (although a few applications can use either protocol), excepting a handful that are maintained for historical reasons. This does not imply that applications can use TCP or UDP as they choose. It just means that it's easier to maintain one list rather than two. But no matter what port numbers are used, UDP port 1000 is a different application than TCP port 1000, even though both applications might perform the same function.
Some of the more common well-known port numbers are shown in Table 10.1. In the table, the UDP and TCP port numbers are identical.
Table 10.1. Some Well-Known Ports Used by UDP and TCP Services and Functions
Vendors can register their application's ports with ICANN. Other software vendors are supposed to respect these registered values and register their own server application port numbers from the pool of unused values. Some registered UDP and TCP protocol numbers are shown in Table 10.2.
Table 10.2. Selected Registered UDP and TCP Ports with Service and Brief Description of Meaning
All TCP/IP implementations must know the range of well-known, registered, and private ports when choosing a port number to use. Unix systems hold this information in the /etc/services file. Windows users can find it in the C:\%SystemRoot%\system32\drivers\etc\SERVICES file, where %SystemRoot% automatically refers to a folder such as WinNT or WINDOWS. Most ports are the same for UDP or TCP, but some are unique to one or the other. For example, FTP control uses TCP port 21.
The combination of IPv4 or IPv6 address and port numbers forms an abstract concept called a socket. We've mentioned the socket concept briefly before, and will do so again and again in later chapters. The socket concept is important for many reasons, and a later chapter will explore some of them more completely. For now, all that is important to mention is that, for each client–server interaction, there is a socket on each host at the endpoints of the network. The sockets at each end uniquely identify that particular client–server interaction, although the same sockets can be used for subsequent interactions.
Sockets are usually written in IPv4 and IPv6 by adding a colon (:) to the IP address, although sometimes a dot (.) is used instead. In IPv6, it is also necessary to add brackets to avoid confusion with the :: notation, such as in [FC00:490:f100:1000::1]:80. A UDP socket on lnxclient, for example, would be 10.10.12.166:17, while one on bsdserver would be 10.10.12.77:17.
Configuring the Base System
Graham Speake, in Eleventh Hour Linux+, 2010
TCP/IP Ports
There are a number of common networking ports that are used frequently. Ports 0 through 1023 are defined as well-known ports. Registered ports are from 1024 to 49151. The remainder of the ports, from 49152 to 65535, can be used dynamically by applications. A brief description of these is as follows:
Port 20 and 21: FTP data and FTP control, respectively
Port 22: Remote login protocol secure shell (SSH)
Port 23: Telnet, used for accessing systems remotely, but not very secure
Port 25: Simple Mail Transfer Protocol (SMTP) used by e-mail servers
Port 53: DNS protocol
Port 80: Used for accessing Web servers
Port 110: The POP service or Post Office Protocol used by local e-mail clients to retrieve mail from servers
Port 123: NTP to synchronize time with remote time servers
Port 143: E-mail clients can use the Internet Message Access Protocol (IMAP) to retrieve mail from servers
Port 443: Hypertext Transfer Protocol (HTTP) Secure, which combines HTTP with a cryptographic protocol and can be used for payment transactions and other secure transmission of data from Web pages
Port 631: The Internet Printing Protocol (IPP) used to print to printers located remotely on the network
Port 3306: The standard port for MySQL
These ports are defined in the /etc/services file on Linux systems.
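The /etc/services file referred to here (and shown at the top of this page in its Windows form) is a plain text table in the layout <service name> <port number>/<protocol> [aliases...] [#<comment>]. As an added example, not code from Eleventh Hour Linux+ or any project on this page, the following Python parses such lines and labels each port with the range described above (well-known, registered, dynamic). The sample file content is constructed for the example, and the function and class names are my own.

```python
"""Parse /etc/services-style lines and classify ports by IANA range.

Added example; the sample file content below is constructed, not copied
from any real system."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the layout of an /etc/services (or Windows SERVICES) file.
SAMPLE_SERVICES = """\
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
ftp-data      20/tcp                      #FTP, data
ftp           21/tcp                      #FTP, control
ssh           22/tcp                      #SSH Remote Login Protocol
domain        53/tcp                      #Domain Name Server
domain        53/udp                      #Domain Name Server
http          80/tcp    www www-http      #World Wide Web
ntp          123/udp                      #Network Time Protocol
snmp         161/udp                      #SNMP
mysql       3306/tcp
"""


class ServiceEntry(NamedTuple):
    name: str
    port: int
    protocol: str
    aliases: List[str]
    comment: Optional[str]


# name, port/proto, zero or more aliases (never containing '#'), optional trailing comment
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)"
    r"(?P<aliases>(?:\s+[^\s#]+)*)\s*(?:#\s*(?P<comment>.*))?$"
)


def port_class(port: int) -> str:
    """Label a port with the IANA range the excerpt describes."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_services(text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per valid data line; comments and blanks are skipped."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate a malformed line instead of aborting the whole parse
        comment = m.group("comment")
        entries.append(ServiceEntry(
            name=m.group("name"),
            port=int(m.group("port")),
            protocol=m.group("proto"),
            aliases=m.group("aliases").split(),
            comment=comment.strip() if comment else None,
        ))
    return entries


def lookup(entries: List[ServiceEntry], port: int, protocol: str) -> Optional[str]:
    """Map (port, protocol) back to a service name, as a resolver library would."""
    for e in entries:
        if e.port == port and e.protocol == protocol:
            return e.name
    return None


def count_by_class(entries: List[ServiceEntry]) -> Dict[str, int]:
    """How many entries fall into each IANA range."""
    counts: Dict[str, int] = {}
    for e in entries:
        cls = port_class(e.port)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_services(SAMPLE_SERVICES):
        print(f"{e.name:10} {e.port:5}/{e.protocol}  {port_class(e.port)}")
```

Point the parser at the real file (open("/etc/services").read()) to inventory what names a given host resolves; the same (port, protocol) pair can legitimately appear under both tcp and udp, which is why lookup() keys on both.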
Securing the Infrastructure
Lauren Collins, in Cyber Security and IT Infrastructure Protection, 2014
Ports and Protocols
Between the protocols User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), there are 65,535 ports available for communication between devices. Among this impressive number are three classes of ports:
Well-known ports: Range from 0–1,023
Registered ports: Range from 1,024–49,151
Dynamic/Private ports: Range from 49,152–65,535
Understandably, not all of the ports in those three categories are secure. For reference, Table 10.1 enumerates the most commonly used ports and the service/protocol that utilizes each port.
Table 10.1. Well-Known Port Numbers and Their Respective Service Description and Protocol.
Ideally, when architecting a system, one should plan out the intent for the environment and should only configure the services necessary for the network to pass traffic and servers to perform their intended functions.
Table 10.1 reflects protocols that may be open by default, as well as some that are necessary for the intended purpose of the environment. When installing equipment in Section I, it is imperative that the engineer be aware of the ports that need to be open for each device or piece of software; if needed, these can be referenced in the device white paper. It is also essential to recognize the variation between the numerous types of attacks and the respective ports on which such attacks would be executed. It is necessary to monitor the ports that are open in an effort to detect protocols that may leave the network vulnerable. Running netstat on a workstation allows one to view which ports are open and in use. In addition, running a local port scan will also show which ports are exposed.
Many protocols may still be in use after an installation without system administrators and users being aware of them, and those may leave the network vulnerable. Simple Network Management Protocol (SNMP) and Domain Naming Service (DNS) were deployed years ago, yet still present security risks. SNMP can be utilized for monitoring the health of network equipment, servers, and other peripheral equipment. However, the susceptibilities associated with SNMP derive from the use of SNMP v1. Although such vulnerabilities were raised years ago (about 10 years), exposures are still reported while utilizing the current version of SNMP. These liabilities allow for authentication evasion and execution of proprietary code when utilizing SNMP. The SNMP infrastructure has three components:
SNMP managed connections
SNMP instruments
SNMP network management servers
Where the devices are concerned, they load the agent, which in turn assembles information and forwards it to the management servers. Network management servers collect a substantial amount of significant network information and are possible targets of attacks due to their use of SNMP v1, which is not secure. A community name is a point of security; however, it is at most similar to a password. Usually, the community name is public and is not secure, nor is it changed, thus permitting information to leak out to intruders. Conversely, SNMP v2 uses Message Digest Version 5 (MD5) for authentication. The transmission can also be encrypted. SNMP v3 is used across firms as the standard; however, a number of devices are not compatible and are left to use SNMP v1 or SNMP v2.
SNMP helps malicious users learn too much about a system, making password guessing easier. SNMP is often overlooked when checking for vulnerabilities, as it runs on User Datagram Protocol (UDP) ports 161 and 162. Ensure network management servers are physically secured and secured at the network layer. Consider utilizing a segregated management subnet, protecting it by using a router with an access list. Unless the service is required, it should be shut off by default. In order to defend a network infrastructure from incidents aimed at obsolete or unfamiliar ports and/or protocols, remove any unnecessary protocols and create access-control lists that allow traffic only on defined ports. This eliminates the possibility of any obscure protocols being utilized, while minimizing the danger of an incident.
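The monitoring advice above (view the open ports, shut off what is not required, allow only defined ports) can be turned into a repeatable check. The following Python is an added example of mine, not code from Cyber Security and IT Infrastructure Protection: it audits a host's listening sockets against an allowlist of the (protocol, port) pairs the host is expected to expose, and ignores sockets bound only to loopback since those are not reachable from the network. The input lines are constructed in the layout of `ss -tuln` output on Linux (netstat output can be adapted the same way), and the allowlist is a hypothetical policy for one host.

```python
"""Audit listening sockets against an allowlist of expected (proto, port) pairs.

Added example. SAMPLE_SS_OUTPUT is constructed in the layout of `ss -tuln`
output on Linux; ALLOWED is a hypothetical policy for one host."""
from typing import List, NamedTuple, Set, Tuple

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      128             [::]:23             [::]:*
"""

# Ports this host is expected to expose to the network (hypothetical policy).
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80)}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_ss(text: str) -> List[Listener]:
    """Extract protocol, bound address and port from each socket row."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 forms such as [::]:23 intact
        address, _, port = local.rpartition(":")
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def is_loopback(address: str) -> bool:
    """Sockets bound only to loopback are not reachable from the network."""
    return address.startswith("127.") or address == "[::1]"


def audit(listeners: List[Listener], allowed: Set[Tuple[str, int]]) -> List[str]:
    """Return one finding per network-reachable listener that is not allowlisted."""
    findings: List[str] = []
    for lst in listeners:
        if is_loopback(lst.address):
            continue
        if (lst.proto, lst.port) not in allowed:
            findings.append(
                f"{lst.proto}/{lst.port} bound to {lst.address} is not on the allowlist"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(finding)
```

With the constructed input the audit flags SNMP on udp/161 and Telnet on tcp/23, both bound to all interfaces, which is exactly the kind of exposure the paragraph above says to detect and shut off; MySQL on 3306 is not reported because it is bound to 127.0.0.1 only.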
Layer 4: The Transport Layer
In Hack the Stack, 2006
Source and Destination Ports
Ports are ports. Irrespective of whether you are talking about TCP or UDP, a port number is a 16-bit binary integer that identifies a program currently executing on a given host. The range of possible values is 0 to 65,535; however, the value 0 is reserved and implies an unspecified source or destination (see Figure 5.1). As a practical matter, you will usually see random or dynamic port numbers used on the client side of an exchange. Well-known and registered port numbers generally reflect the server side of the conversation (e.g., your Web browser connecting to a Web server). Web servers generally listen on port number 80. Your browser will probably use a random port number on the client side.
Random port numbers (sometimes called ephemeral port numbers ) have values greater than 1024, which are assigned arbitrarily using TCP or UDP when the port used is not important. This is usually the client side of a client-server exchange. When a client sends something to the server, the server replies to whatever port number initiated the communication.
Another way to handle this scenario is to assign a dynamic port number in the range of 49,152 through 65,535 (sometimes referred to as private port numbers). Values in this range are handed out by newer protocol stack implementations instead of the older random port numbers. The latter values can be easily confused with the registered values. Also, you might see values in this range used in Port Address Translation (PAT) schemes on the outbound side of the translation process.
Registered port numbers in the 1,025 through 49,151 range reflect network services provided by a particular hardware or software developer’s products (e.g., the value 1,512 was registered by Microsoft for use by its NetBIOS Name Services implementation, commonly known as Windows Internet Name Services [WINS]). The Internet Assigned Numbers Authority (IANA) maintains this list of registered values as a service to the internetworking community. To see the details, go to their Web site at www.iana.org , follow the link to “Protocol Number Assignment Services,” and find the port numbers in RFC 2780.
The well-known port numbers reflect system or network services that are commonly active on a network host (e.g., port 25 for Simple Mail Transfer Protocol (SMTP) servers, port 53 for Domain Name Services (DNS) servers, and port 22 for Secure Shell (SSH) servers).
Understanding these port numbers is very important from a hacking perspective. When trying to form a TCP connection with a well-known port number, we can ascertain whether the associated network service is active on the host being probed.
Network Forensics
Chet Hosmer, in Python Forensics, 2014
Network investigation basics
Investigating modern network environments can be fraught with difficulties. This is true whether you are responding to a breach, investigating insider activities, performing vulnerability assessments, monitoring network traffic, or validating regulatory compliance.
Many professional tools and technologies exist from major vendors like McAfee, Symantec, IBM, Saint, Tenable, and many others. However, a deep understanding of what they do, how they do it, and whether the investigative value is complete can be somewhat of a mystery. There are also free tools like Wireshark that perform network packet capture and analysis.
In order to uncloak some of the underpinnings of these technologies, I will examine the basics of network investigation methods. I will be leveraging the Python Standard Library, along with a couple of third-party libraries to accomplish the cookbook examples. I will be walking through the examples in considerable detail, so if this is your first interaction with network programming you will have sufficient detail to expand upon the examples.

What are these sockets?
When interacting with a network, sockets are the fundamental building block allowing us to leverage the underlying operating system capabilities to interface with the network. Sockets provide an information channel for communicating between network endpoints, for example, between a client and server. You can think about sockets as the endpoints of the connection between a client and a server. Applications developed in languages like Python, Java, C++, and C# interface with network sockets utilizing an application programming interface (API). The sockets API on most systems today is based upon Berkeley sockets. Berkeley sockets were originally provided with UNIX BSD Version 4.2 back in 1983. Later, around 1990, Berkeley released a license-free version that is the basis of today’s socket API across most operating systems (Linux, Mac OS, and Windows). This standardization provides consistency in implementation across platforms.
Figure 8.1 depicts a sample network where multiple hosts (endpoints) are connected to a network hub. Each host has a unique Internet Protocol (IP) address, as we see for this simple network.

Figure 8.1 . Simplest local area network.
These IP addresses are the most common that you will see in a local area network setting. These specific addresses are based on the Internet Protocol Version 4 (IPv4) standard and represent a Class C network address. The Class C address is commonly written in a dotted notation such as 192.168.0.1. Breaking the address down into its component parts, the first three octets, or the first 24 bits, are considered the network address (aka the Network Identifier, or NETID). The fourth and final octet, or 8 bits, is considered the Local Host Address (aka the Host Identifier, or HOSTID).
In this example each host, network device, router, firewall, etc., on the local network would have the same network address portion of the IP address (192.168.0), but each will have a unique host address ranging from 0 to 255. This allows for 256 unique IP addresses within the local environment. Thus the range would be: 192.168.0.0-192.168.0.255. However, only 254 addresses are usable, because 192.168.0.0 is the network address and cannot be assigned to a local host, and 192.168.0.255 is dedicated as the broadcast address.
Based on this, I could use a few simple built-in Python language capabilities to create a list of IP addresses that represent the complete range. These language capabilities include a String, a List, the range function, and a “for loop.”
# Specify the Base Network Address (the first 3 octets)
ipBase = '192.168.0.'
# Next Create an Empty List that will hold the completed
# List of IP Addresses
ipList = []
# Finally, loop through the possible list of local host
# addresses 0-255 using the range function
# Then append each complete address to the ipList
# Notice that I use the str(ip) function in order to
# concatenate the string ipBase with each number 0-255
for ip in range(0, 256):
    ipList.append(ipBase + str(ip))
# Print every address in the list
# (a single pop() would print only the last entry)
for address in ipList:
    print(address)
Program Output Abbreviated
192.168.0.0
192.168.0.1
192.168.0.2
192.168.0.3
….. skipped items
192.168.0.252
192.168.0.253
192.168.0.254
192.168.0.255
As you can see, manipulating IP addresses with standard Python language elements is straightforward. I will employ this technique in the Ping Sweep section later in this chapter.
The simplest network client–server connection using sockets
As a way of introduction to the sockets API provided by Python, I will create a simple network server and client. To do this I will use the same host (in other words, the client and server will use the same IP address, executing on the same machine); specifically, I will use the special-purpose, reserved localhost loopback IP address 127.0.0.1. This standard loopback IP is the same on virtually all systems, and any messages sent to 127.0.0.1 never reach the outside world; instead they are automatically returned to the localhost. As you begin to experiment with network programming, use 127.0.0.1 as your IP address of choice until you perfect your code and are ready to operate on a real network (Figure 8.2).

Figure 8.2 . Isolated localhost loopback.
In order to accomplish this, I will actually create two Python programs: (1) server.py and (2) client.py. In order to make this work, the two applications must agree on a port that will be used to support the communication channel. (We have already decided to use the localhost loopback IP address 127.0.0.1.) Port numbers range between 0 and 65,535 (basically, any unsigned 16-bit integer value). You should stay away from lower numbered ports < 1024, as they are assigned to standard network services (actually the registered ports now range as high as 49,500, but none of those are on my current system). For this application I will use port 5555, as it is easy to remember. Now that I have defined the IP address and port number, I have all the information that I need to make a connection.
IP Address and Port: One way to think about this in more physical terms is to think of the IP address as the street address of a post office and the port as the specific post-office box within that post office that I wish to address.
server.py code
# Server Objective
# 1) Setup a Simple listening Socket
# 2) Wait for a connection request
# 3) Accept a connection on port 5555
# 4) Upon a successful connection send a message to the client
import socket  # Standard Library Socket Module
# Create Socket (defaults to an IPv4 TCP stream socket)
myServerSocket = socket.socket()
# Get my local host address
localHost = socket.gethostname()
# Specify a local Port to accept connections on
localPort = 5555
# Bind myServerSocket to localHost and the specified Port
# Note the bind call requires one parameter, but that
# parameter is a tuple (notice the parenthesis usage)
myServerSocket.bind((localHost, localPort))
# Begin Listening for connections
myServerSocket.listen(1)
# Wait for a connection request
# Note this is a synchronous Call
# meaning the program will halt until
# a connection is received.
# Once a connection is received
# we will accept the connection and obtain the
# ipAddress of the connector
print('Python-Forensics .... Waiting for Connection Request')
conn, clientInfo = myServerSocket.accept()
# Print a message to indicate we have received a connection
print('Connection Received From: ', clientInfo)
# Send a message to connector using the connection object 'conn'
# that was returned from the myServerSocket.accept() call
# Include the client IP Address and Port used in the response
# (sockets carry bytes, so the string is encoded before sending)
conn.send(('Connection Confirmed: ' + 'IP: ' + clientInfo[0] + ' Port: ' + str(clientInfo[1])).encode())
# Close the connection and the listening socket
conn.close()
myServerSocket.close()
client.py code
Next, the client code that will make a connection to the server:
# Client Objective
# 1) Setup a Client Socket
# 2) Attempt a connection to the server on port 5555
# 3) Wait for a reply
# 4) Print out the message received from the server
import socket  # Standard Library Socket Module
MAX_BUFFER = 1024  # Set the maximum size to receive
# Create a Socket
myClientSocket = socket.socket()
# Specify the host and Port to attempt a connection to
# (these must match the values the server is bound to)
localHost = socket.gethostname()
localPort = 5555
# Attempt a connection to my localHost and localPort
myClientSocket.connect((localHost, localPort))
# Wait for a reply
# This is a synchronous call, meaning
# that the program will halt until a response is received
# or the program is terminated
msg = myClientSocket.recv(MAX_BUFFER)
# Print out the message received (decode the bytes to text)
print(msg.decode())
# Close the Socket, this will terminate the connection
myClientSocket.close()
server.py and client.py program execution
Figure 8.3 depicts the program execution. I created two terminal windows: the top is the execution of server.py (which I started first) and the bottom is the execution of client.py. Notice that the client communicated from source port 59,714; this was chosen by the socket service and not specified in the client code. The server port 5555 in this example is the destination port.

Figure 8.3 . server.py/client.py program execution.
I realize this does not provide any investigative value; however, it does provide a good foundational understanding of how network sockets function, and this is a prerequisite to understanding some of the probative or investigative programs.
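The two programs above are meant to be run in separate terminals. As an added example (my code, not the book's server.py and client.py), the following runs the same exchange inside one process on the 127.0.0.1 loopback address, with the server in a thread, and returns the ephemeral source port that the operating system chose for the client, which is the value the text points out in Figure 8.3. It binds the server to port 0 rather than the fixed 5555 used above, so the OS also assigns the listening port and the example cannot collide with a port already in use.

```python
"""Loopback server/client exchange in one process, exposing the ephemeral port.

Added example; not the book's server.py/client.py. Uses only the standard library."""
import socket
import threading
from typing import Dict


def serve_once(server_sock: socket.socket, seen: Dict[str, object]) -> None:
    """Accept one connection and confirm the peer's address and port back to it."""
    conn, client_info = server_sock.accept()
    with conn:
        seen["client_info"] = client_info
        reply = f"Connection Confirmed: IP: {client_info[0]} Port: {client_info[1]}"
        conn.sendall(reply.encode())


def run_exchange() -> Dict[str, object]:
    """Run server and client on 127.0.0.1 and report the ports each side used."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: the OS assigns a free port
    server.listen(1)
    server_port = server.getsockname()[1]

    seen: Dict[str, object] = {}
    worker = threading.Thread(target=serve_once, args=(server, seen))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", server_port))
    client_port = client.getsockname()[1]   # ephemeral port chosen by the OS
    reply = client.recv(1024).decode()
    client.close()

    worker.join()
    server.close()
    return {
        "server_port": server_port,
        "client_port": client_port,
        "reply": reply,
        "server_saw": seen["client_info"],
    }


if __name__ == "__main__":
    result = run_exchange()
    print(f"server listened on {result['server_port']}, "
          f"client came from ephemeral port {result['client_port']}")
    print(result["reply"])
```

The port the client ends up with depends on the operating system's ephemeral range: Linux defaults to 32768–60999 (the net.ipv4.ip_local_port_range sysctl), which overlaps the IANA registered range rather than sitting entirely in 49152–65535, so a source port such as the 59,714 seen in Figure 8.3 should not be assumed to identify the range boundaries in use.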
What You DON’T Know About Your Network
Chet Hosmer, in Python Passive Network Mapping, 2015
What Open Ports or Services Don’t You Know About?
As was recently seen with the OpenSSL 'Heartbleed' (CVE-2014-0160) and Shellshock (CVE-2014-6271) vulnerabilities, the ability to know what services are operating, and on what systems, is quite useful. Once again we could use tools like NMAP to discover open ports (at least during the snapshot), with the previously discussed risks. Standard network ports are assigned by the Internet Assigned Numbers Authority (IANA) via the Service Name and Transport Protocol Port Number Registry. Generally (as there is debate), an agreed-upon port classification is as follows:
Service Ports: 1-1023 are considered well-known ports that represent services that most of us agree to abide by.
Service Ports: 1024 to 49151 are recognized as registered ports. They are assigned by IANA upon application and approval.
Service Ports: 49152–65535 are considered Dynamic, Private or Ephemeral (i.e. lasting for a short time or transient). For example, ports in this range are commonly used by clients making a connection to a server.
One way to leverage this knowledge of course is to detect traffic originating from, or going to one of these defined ports. By doing so we can deduce services that are running on these hosts and clients that are utilizing them.
In addition to the “agreed upon” port definitions above, organizations such as the SANS Internet Storm Center have created lists of known malicious ports. For example, one compiled list contains default ports utilized by Trojans. Therefore, if you find that one of these ports is being probed, it may possibly indicate that someone is attempting to communicate with a Trojan that is running on your network. Thus mapping both the request and, potentially, the response to one or more of these ports would be useful as well.
How is This Useful?
Based on the simple capture443.py script I presented earlier in this chapter, along with the results shown, we could deduce the following:
Local Client 192.168.0.13 has made a secure web page connection to the following servers:
199.16.156.201, 23.73.162.234, 66.153.250.229, 66.153.250.234, 66.153.250.238, 66.153.250.241, 74.125.137.132, 74.125.137.154, 74.125.196.99, 74.125.230.127
This deduction was made based on the following facts:
IP address 192.168.0.13 is a Class C private address block. According to RFC 1918, any Class C address in the range 192.168.0.0-192.168.255.255 (which can also be denoted 192.168.0.0/16) should be considered private and non-routable. This means that I cannot directly address any Class C address within that range unless I’m connected to that very same Class C physical network.
Each of the other IP addresses can be geographically located. For example, address 199.16.156.201 is located in the Mountain View, California area. The IP addresses 66.153.25 are located in South Carolina. Each of these IP addresses communicated with the client over service port 443, which by default is HTTP running over a secure TLS or SSL connection.
In addition, I could infer that client 192.168.0.13 performed a web search that provided links to the other servers identified. I can make this inference because the IP addresses 74.125.137.x belong to Google, and it is likely that client 192.168.0.13 performed the suggested search using Google.
Deductive vs Inductive Reasoning
Deductive reasoning is based on the premise that if the predicates are true, and the logic is sound the conclusion must be valid.
“All men are mortal” “Socrates was a man”
Therefore: Socrates was mortal
“All politicians I have met are deceitful” “I have just met David and he is a politician”
Therefore: David must be deceitful
“IP 192.168.0.13 connected to Google” “Google is the search engine that provides links to other web sites”
Therefore: the subsequent server IP addresses must have come from Google
In both of these cases the conclusion is probable; however, unlike the deductive arguments, other possible conclusions exist.
In order to perform Passive Network Mapping we will be using both deductive and inductive methods throughout the process. The quality of our arguments, premises, observations and logic will determine how accurate our results will be. Based on that, it will be important to craft these arguments and observations such that they can be improved with time.
Note: Active Network Mapping also uses both methods especially during the process of OS Fingerprinting.
Security Standards and Services
Naomi J. Alpern, Robert J. Shimonski, in Eleventh Hour Network+, 2010
A firewall blocks access to an internal network from outside and blocks users of the internal network from accessing potentially dangerous external networks or ports. There are three distinct firewall technologies:
It works in two directions: to keep intruders at bay and to restrict access to the external network from internal users.
Allow by default – it allows all traffic to pass through the firewall except traffic that is specifically denied.
Deny by default – it blocks all traffic from passing through the firewall except for traffic that is explicitly allowed.
Ports 0 through 1023 are considered well-known ports. These ports are used for specific network services and should be considered the only ports allowed to transmit traffic through a firewall.
User ports range from 1024 to 49,151.
Dynamic/private ports range from 49,152 to 65,535.
Since only the header of a packet is examined, a packet-filtering firewall is fast.
A port is either open or closed.
It does not understand the contents of any packet beyond the header.
Stateful inspection
Stateful inspection operates at the network and the transport layers of the OSI model, but it has the ability to monitor state information regarding a connection. In effect, when a connection is established between two hosts, the firewall will initially determine if the connection is allowable based on a set of rules about source and destination ports and IP addresses. Once the connection is deemed to be acceptable, the firewall remembers this. Therefore, subsequent traffic can be examined as either permissible or not within the context of the entire session. It then functions by checking each packet to verify that it is an expected response to a current communications session.
Application-layer gateways are much slower than packet filters.
A limited set of application rules are predefined and any application not included in the predefined list must have custom rules defined and loaded into the firewall.
Application-layer gateways must then rebuild packets from the top down and send them back out. This breaks the concept behind the client/server architecture and slows the firewall down even further.
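To make the allow-by-default / deny-by-default distinction and the stateful session table concrete, here is an added Python simulation of mine (not code from Eleventh Hour Network+ or any firewall product). It decides on header fields only (protocol and destination port), records sessions it has admitted, and lets return traffic through only when it matches an existing session, as the stateful-inspection description above states. The traffic and both rule sets are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Deny-by-default versus allow-by-default packet filtering with stateful session tracking.

Added example; the rule sets, addresses and traffic below are constructed for illustration."""
from typing import List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


SessionKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Header-only filter: decides on protocol and port rules, remembering sessions it allowed."""

    def __init__(self, allow_ports: Set[Tuple[str, int]], deny_ports: Set[Tuple[str, int]],
                 deny_by_default: bool) -> None:
        self.allow_ports = allow_ports      # (proto, dst_port) explicitly permitted
        self.deny_ports = deny_ports        # (proto, dst_port) explicitly blocked
        self.deny_by_default = deny_by_default
        self.sessions: Set[SessionKey] = set()

    @staticmethod
    def _key(p: Packet) -> SessionKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> SessionKey:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        # Traffic belonging to a session already admitted passes in either direction.
        if self._key(p) in self.sessions or self._reverse_key(p) in self.sessions:
            return "allow-established"
        selector = (p.proto, p.dst_port)
        if selector in self.deny_ports:
            return "deny-rule"
        if selector in self.allow_ports:
            self.sessions.add(self._key(p))
            return "allow-rule"
        if self.deny_by_default:
            return "deny-default"
        self.sessions.add(self._key(p))
        return "allow-default"


# Constructed traffic toward a server 192.0.2.10 (RFC 5737 TEST-NET-1).
TRAFFIC: List[Packet] = [
    Packet("tcp", "203.0.113.5", 51234, "192.0.2.10", 80),     # new HTTP request
    Packet("tcp", "192.0.2.10", 80, "203.0.113.5", 51234),     # reply within that session
    Packet("tcp", "198.51.100.7", 4444, "192.0.2.10", 51234),  # unsolicited packet to a dynamic port
    Packet("tcp", "203.0.113.5", 51235, "192.0.2.10", 3306),   # attempt to reach MySQL
    Packet("tcp", "203.0.113.5", 51236, "192.0.2.10", 23),     # attempt to reach Telnet
]


def run_policy(deny_by_default: bool) -> List[str]:
    """Apply one of the two policies to TRAFFIC and return the decisions in order."""
    if deny_by_default:
        fw = StatefulFilter(allow_ports={("tcp", 22), ("tcp", 80)},
                            deny_ports=set(), deny_by_default=True)
    else:
        fw = StatefulFilter(allow_ports=set(),
                            deny_ports={("tcp", 23)}, deny_by_default=False)
    return [fw.decide(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("deny by default: ", run_policy(True))
    print("allow by default:", run_policy(False))
```

Under deny-by-default only the HTTP request and its reply pass; the unsolicited packet to port 51234 is dropped even though a session involving that port exists, because its direction and peer do not match. Under allow-by-default everything passes except the explicitly denied Telnet port, including the MySQL attempt nobody thought to write a rule for, which is the practical argument for the deny-by-default posture.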
Python Silent Network Mapping Tool (PSNMT)
Now that we have the basics for sniffing a network packet, I need to parse the data and extract the information I need. For this example, I am not interested in collecting packets and simply printing the results; rather, I want to achieve the following objectives:
Collect IP addresses that are active on the network I am monitoring. (I plan to leave the monitor in place for a long period of time to capture network devices that only turn on periodically or sporadically.)
Collect IP addresses of remote computers that are interacting with my local network. These could be web, mail, or a plethora of Cloud services.
Collect service ports being used by local and/or remote computers. Specifically, I am interested in “Well Defined Ports”: 0-1023 or “Registered Ports”: 1024-49151.
Next I wish to report only unique entries. In other words, if the local host 192.168.0.5 is discovered and is found to be using host port 80, I only want to see that unique entry once, not each time it is discovered.
Finally, to limit the scope of the program, I want to collect only TCP or UDP packets within an IPv4 environment. The program can be easily expanded to handle other protocols and IPv6 in the future.
In order to meet the requirements stated above I only need to extract the following fields from the headers:
Source IP address
Destination IP address
Source port
Destination port
Examining Figures 9.4 and 9.5, the Protocol field, along with the Source and Destination IP addresses, exists in the IPv4 header, while the Source and Destination ports are in the TCP header. This means I will have to parse out both headers to obtain the needed information. I have also included Figure 9.6, which depicts the UDP header, which I also use to handle UDP packet extraction.

Figure 9.6 . Typical UDP packet header.
There are several technical issues that need to be addressed along with the high level requirements:
I am going to use a simple list to hold the data collected from the packets and append data to the lists for each packet received.
ipObservations = []
I am going to use the Python Standard Library signal module and integrate this into the collection loop. I set this up by first creating a class myTimeout that will be raised by a handler when a specified time has expired. I then integrate the myTimeout exception handler into the try/except handler of the receive packet loop.
import signal

class myTimeout(Exception):
    """Raised by the alarm handler once the collection window has expired."""
    pass

def handler(signum, frame):
    print('timeout received', signum)
    raise myTimeout()

# Set the signal handler
signal.signal(signal.SIGALRM, handler)
# set the signal to expire in n seconds
signal.alarm(n)
try:
    while True:
        # mySocket (the raw socket) and decoder.PacketExtractor are
        # set up earlier in the chapter
        recvBuffer, addr = mySocket.recvfrom(65535)
        src, dst = decoder.PacketExtractor(recvBuffer, False)
        sourceIPObservations.append(src)
        destinationIPObservations.append(dst)
except myTimeout:
    # the alarm fired: collection is complete, continue on to reporting
    pass
The code above records every pair of source IP/port and destination IP/port, with the result being an unsorted list that contains duplicate entries. To solve this problem, once the collection is complete (for the entire time frame), I use a little knowledge of Python data types: I first convert the list into a set, which immediately collapses any duplicates (a fundamental property of sets), then convert the set back to a list and sort the list.
uniqueSrc = set(map(tuple, ipObservations))
finalList = list(uniqueSrc)
finalList.sort()
In order to provide a workable list, the program will generate a comma-separated value (CSV) file that can then be further processed or examined in a worksheet.
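The fragments above come from a larger program that needs a raw socket and the chapter's decoder. As an added example of mine (not the book's PSNMT code), the following Python carries the same pipeline end to end on constructed packet records: it applies the port-range reasoning from the earlier excerpt on this page (the endpoint whose port is in the well-known or registered range is taken as the service, the endpoint on a dynamic port as the client), collapses duplicates with set(), sorts, and writes the CSV that the requirement above asks for. The packets are constructed, scope() uses the ipaddress module's notion of private addresses (which includes the RFC 1918 192.168.0.0/16 block mentioned earlier), and the function names are my own.

```python
"""Passive mapping of service endpoints from observed packets.

Added example serving both the port-class reasoning on this page and the PSNMT
requirements; packets are constructed, and the function names are my own."""
import csv
import io
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed capture: a reply, a repeated service and one ambiguous packet are included on purpose.
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", "192.168.0.13", 52001, "74.125.137.132", 443),
    Packet("tcp", "74.125.137.132", 443, "192.168.0.13", 52001),   # reply, same service
    Packet("udp", "192.168.0.13", 53111, "192.168.0.1", 53),
    Packet("tcp", "192.168.0.22", 49999, "192.168.0.5", 80),
    Packet("tcp", "192.168.0.7", 60000, "192.168.0.5", 80),        # same service, another client
    Packet("tcp", "198.51.100.9", 50500, "192.168.0.5", 22),
    Packet("tcp", "192.168.0.9", 61000, "192.168.0.10", 62000),    # both ports dynamic: skipped
]


def port_class(port: int) -> str:
    """IANA range as classified on this page."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def service_side(p: Packet) -> Optional[Tuple[str, int, str]]:
    """Return (service_ip, service_port, client_ip), or None when no safe inference exists."""
    s_cls, d_cls = port_class(p.src_port), port_class(p.dst_port)
    if d_cls != "dynamic" and s_cls == "dynamic":
        return (p.dst_ip, p.dst_port, p.src_ip)
    if s_cls != "dynamic" and d_cls == "dynamic":
        return (p.src_ip, p.src_port, p.dst_ip)
    return None  # both dynamic, or both in the service ranges


def scope(ip: str) -> str:
    """'local' for private address space, 'remote' otherwise."""
    return "local" if ipaddress.ip_address(ip).is_private else "remote"


Row = Tuple[str, str, int, str]  # (scope, ip, port, proto)


def map_services(packets: List[Packet]) -> List[Row]:
    """Unique, sorted service endpoints, using the set-then-sort step described above."""
    observations: List[Row] = []
    for p in packets:
        inferred = service_side(p)
        if inferred is None:
            continue
        svc_ip, svc_port, _client_ip = inferred
        observations.append((scope(svc_ip), svc_ip, svc_port, p.proto))
    unique = set(observations)                # collapse duplicates
    return sorted(unique, key=lambda r: (ipaddress.ip_address(r[1]), r[2], r[3]))


def to_csv(rows: List[Row]) -> str:
    """Render the mapping as CSV text for a worksheet or further processing."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["scope", "ip", "port", "proto"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(map_services(SAMPLE_PACKETS)), end="")
```

The inference is only as good as the port-range convention: on hosts whose ephemeral range overlaps 1024–49151 (Linux defaults to 32768–60999), a client port can look like a registered service port, so a production mapper should also weigh which side sent the first packet of the conversation.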
Deep Learning for Network Traffic Monitoring and Analysis (NTMA): A Survey
Mahmoud Abbasi, ... Amir Taherkordi, in Computer Communications, 2021
5.1 DL for traffic classification
In its broadest definition, network traffic classification refers to a system in which a program assigns traffic flows to the sources (e.g., applications and protocols) that produce them. Traffic classification has attracted ever-increasing interest over the years as a crucial step in the network management process. Moreover, traffic classification covers a wide variety of applications for QoS purposes, pricing by Internet service providers (ISPs), anomaly detection, etc. Due to the continuing growth in Internet-based applications and the number of connected devices, applying efficient traffic classification methods is critically important. Generally speaking, one can categorize network traffic classification techniques into three basic classes, as listed below [80]:
port-based: These techniques simply associate services/applications to registered port numbers, e.g. HTTP port, and categorize the traffic according to the used port number. Port-based techniques are among the earliest traffic classification methods. Despite the advantages of port-based techniques such as simplicity on implementation, deploying new communication methods such as tunneling and random ports assignments techniques cause serious difficulties and affect the performance and applicability of them.
They run into difficulties with encrypted traffic classification.
Privacy policies may limit access to the contents of the packets.
Payload methods impose heavy computational overhead on communication systems
Flow-based: The underlying assumption behind the flow-based methods is that traffic associated with each application/service has almost unique statistical/time series characteristics. Hence, a flow-based classifier can handle both encrypted and normal traffic. Flow-based methods generally use traditional ML models, such as decision tree, logistic regression, and Support Vector Machine (SVM) for traffic classification. Despite this fact that ML models achieve a remarkable accuracy level, they need a massive amount of fully labeled data for modeling purposes.
With the rapid increase in the number of DL models, researchers have recently investigated these models for traffic classification and consequently reported great accuracy [49]. Motivated by the proliferation of DL models, we provide a comprehensive review of traffic classification works.
Due to the complexity and low accuracy of MLP networks, pure MLP implementations have rarely been employed for network traffic classification. Pure MLP has the disadvantages that several hyper-parameters, such as the number of hidden neurons and layers, need to be tuned, and that it is sensitive to feature scaling. Combinations of MLP with other DL methods, as well as pure MLP, have been studied in some works, including [81–92].
Aceto et al. [81] studied DL-based models for mobile traffic classification. They reproduced several DL classifiers from the traffic classification literature, e.g., MLP, LSTM, CNN, and SAE, in order to evaluate their accuracy comprehensively. Among the DL-based classifiers, the best performance was achieved by 1D-CNN, with 76.37%/85.70% accuracy and an F-measure of 75.56%/78.78% on the FB-FBM and Android datasets, respectively. The authors argue that classical ML algorithms, which rely on expert-driven, manual feature extraction, are not appropriate for modern networks because: (1) the massive deployment of handheld devices such as smartphones and tablets considerably increases mobile traffic volume; (2) the massive adoption of encrypted network protocols, e.g., Transport Layer Security (TLS), reduces the effectiveness of DPI techniques based on ML algorithms; and (3) given the ever-increasing development of mobile applications and the changing nature of mobile traffic, implementing up-to-date and accurate traffic classifiers with classical ML algorithms is challenging.
Wang et al. [82] also developed different DL-based traffic classifiers. Motivated by the recent advances in DL-based traffic classification and the weaknesses of the available traffic classification techniques, e.g., DPI, in providing real-time application awareness for encrypted network traffic, the authors used DL-based models, i.e., MLP, SAE, and CNN, to categorize traffic in a smart home use case. They used an open dataset with 200,000 encrypted data points from 15 applications to evaluate the models. The experimental results show the applicability of the evaluated models to smart home networks. More specifically, the average Precision, Recall, and F1-Score on the DataNet dataset are MLP = 0.9657%, 0.9653%, and 0.9653%; SAE = 0.9883%, 0.9881%, and 0.9882%; and CNN = 0.9847%, 0.9842%, and 0.9843%, respectively. The authors of [83] focused on media traffic classification through DL. They applied CNN and MLP methods to classify four types of media traffic, i.e., video, audio, image, and text. According to the results, MLP shows good performance in terms of accuracy (0.9983%) and training time (0.019 s) under different scenarios.
In [84], Ferreira and Shinoda consider IDS, since intrusion detection is a serious challenge in the context of NTMA. The authors introduced a new intrusion detection dataset and employed several traffic classification algorithms, such as MLP, J48, and Bayesian networks, to evaluate it. Similarly, the works in [85–92] proposed using an MLP for traffic classification in IDS.
Despite the difficulties of using pure MLP, some works use this model for traffic classification. For example, in [90], Miller et al. used MLP to categorize encrypted VPN and non-VPN network traffic. The simulation results show 92% and 93% accuracy for the VPN and non-VPN traffic classifiers, respectively. Similarly, Sahay et al. deployed MLP neural networks as a classification tool to detect misappropriation attacks in Low power and Lossy Networks (LLNs) [91]. The authors claim that the proposed method can also find the nodes affected by the attack and determine the malicious nodes. The pure MLP model has also been adopted in the context of IDS. Wang et al. used an MLP network in combination with a sequential feature selection technique to detect distributed denial of service (DDoS) attacks [92]. They used these techniques to select the optimal features during the training phase. Moreover, to show the effectiveness of the proposed methodology (≈98% accuracy), they compared it with several papers in the literature.
As mentioned, one of the main advantages of CNNs over conventional neural networks is the automatic detection of important features and hierarchical feature extraction. A simple CNN model was proposed in [93] for the categorization of encrypted traffic. This paper is one of the first works to leverage CNNs for traffic classification: encrypted traffic is transformed into two-dimensional images, and the images are then fed to the CNN model for classification. The authors reported accuracies of 1D-CNN = 1%, 82%, 98%, and 86%, and 2D-CNN = 1%, 80%, 97%, and 84% for four different experiments, respectively. The main advantages of this method over existing traffic classifiers, such as classical ML classifiers, are (1) integrating the feature extraction/selection/classification phases into an end-to-end framework and (2) categorizing encrypted network traffic, which is a challenging task for traditional classifiers. In [94], the authors also adopted a CNN model for IP traffic classification. They converted sequences into images that represent the patterns of different applications, such as Facebook and Instagram; the CNN model is then employed to classify the images into applications. Rezaei and Liu proposed a one-dimensional CNN-based semi-supervised approach to categorize five Google applications [95]. To reduce the need for large labeled traffic datasets, the model is first pre-trained on a large unlabeled training set, where the time-series characteristics of a few sampled packets are used as the input. The proposed method's performance is evaluated with different sampling techniques (i.e., fixed-step sampling, random sampling, and incremental sampling) on three datasets: the QUIC dataset, the unlabeled Waikato dataset, and the Ariel dataset.
The pre-trained method achieved higher accuracy than its non-pre-trained counterpart, with 81.50%, 81.27%, and 80.76% on the QUIC dataset for the three sampling techniques. As mentioned, the authors use a 1D-CNN as the classifier because they believe the use of new applications and network encryption techniques has considerably raised the complexity of traffic classification, especially for classical ML-based methods.
In [96], a novel IDS, namely HAST-IDS, is proposed, in which CNN and LSTM models are used to learn the low-level spatial features and the high-level temporal features of network traffic, respectively. No feature engineering phase is needed in the proposed system, since the deep models learn the key features automatically. To measure the effectiveness of the system, the authors used the DARPA1998 and ISCX2012 datasets, where HAST-IDS outperformed its competitors in training and testing time and in accuracy on both datasets. For example, on the DARPA1998 dataset the training and testing times are 58 min and 1.7 min, respectively, and accuracy on the ISCX2012 dataset is ≈99.5%. Yeo et al. [97] applied CNN to malware detection tasks in an automated fashion. The authors claim that the introduced method can detect malware that uses unpredictable port numbers and protocols. This is mainly because the model employs 35 different features captured from the packet flow, instead of per-packet features such as port numbers and protocols. Besides, convolutional networks have been used as traffic classifiers in IoT networks, where traffic classification can help distinguish the traffic/behavior of heterogeneous devices and services [98]. In this work, the authors combined CNN and RNN models to achieve the best detection results, around 97% accuracy when all features are used. The proposed method shows excellent detection scores even on a highly unbalanced dataset. Compared to classical ML techniques, the DL models proposed in [98] do not need a feature engineering phase, thanks to the convolutional layers that automatically extract complex features from the input data.
Tong et al. [99] proposed a novel CNN-based traffic classifier to categorize QUIC protocol traffic. They focus on networks that use Google's QUIC protocol, since the traffic generated by such systems poses several challenges for traffic classification because the protocol decreases network traffic visibility. As a result, port- and payload-based traffic classification methods cannot be used for QUIC-based communications. To deal with this problem, a CNN has been proposed that uses flow- and packet-based features for further improvement. CNNs have also been adopted for malware traffic classification [100]. In this work, the network traffic is first transformed into two-dimensional images. The convolutional network is then used to classify these images into different categories, such as Skype, FTP, and Outlook, and the authors reported an average accuracy of 99.41%. Despite the advantages of the proposed method, the authors highlighted some limitations of their work, including (1) the dataset size and the number of classes are fixed, which is not necessarily true in real-world use cases, and (2) the proposed method only uses the spatial features of network traffic, while classical ML-based classification methods use various temporal features and show high accuracy.
For network traffic classification, RNN models are usually used together with other DL models. For instance, in [98], both RNN and CNN models are used for traffic classification. Different DL models are implemented in this work, where a particular combination of CNN/RNN achieved the highest accuracy. Radford et al. proposed a creative method in [101] for network anomaly detection through RNNs. They converted network flows into sequences of words that form sentences, and these sentences are then treated as the language model of a specific network. The RNN is used to identify network activities that are malicious with respect to the model.
Auto-encoders are mainly used as an unsupervised technique for automatic feature extraction and selection. More specifically, the output of the encoding part of an AE network can be used as a high-level set of discriminative features for a classification problem. Auto-encoder models have also been applied to classification problems; e.g., in [49] Lotfollahi et al. adopted a Stacked Autoencoder (SAE) model, called Deep Packet, for encrypted traffic classification. An SAE stacks several AEs to form a deep structure and obtain better performance. The authors used the UNB ISCX VPN-nonVPN dataset to assess the performance of the introduced method. Deep Packet outperformed all of the compared classification methods on this dataset, including two classical ML algorithms, i.e., k-NN and C4.5, with an accuracy of 0.98% compared to 0.94% and 0.90%, respectively. Moreover, given the increasing interactions between different components on the Internet and, consequently, the network's considerable complexity and diversity, DL algorithms are necessary to perform traffic classification tasks. In [102], Zhao et al. deployed an AE to extract and aggregate features from traffic data. Then, they used an n-gram embedding strategy and k-means clustering to classify unknown traffic, i.e., network traffic generated by previously unknown applications or services. The authors of [103] targeted network flow classification. They proposed an improved SAE, in which several basic Bayesian auto-encoders are stacked to capture the complex relations between multi-source network flows. Moreover, the proposed SAE is trained with the back-propagation algorithm in a supervised manner in order to learn the complex relations between the network flows. The simulation results show that the improved SAE outperforms the original SAE in accuracy (83.2 percent versus 82.9 percent).
Last but not least, in [104] a comparison between a classical machine learning classification method and a DL method, i.e., SAE, has been made. The experiments revealed that the DL model achieves better accuracy (99.20%) than the classical ML model (95.22%). Furthermore, the authors claimed that in highly distributed networks, such as IoT systems, traditional techniques such as classical ML for NTMA purposes (e.g., attack detection) scale less well. As a result, they proposed edge-based deep learning to deal with the distributed and complex nature of modern communication systems. The vast amount of data generated by IoT edge devices allows DL models to learn more effectively than classical ML models.
In the context of network traffic classification, deep generative models can be used to deal with the imbalanced dataset problem. An imbalanced dataset refers to the situation in which the number of instances available for the different classes differs considerably. In such situations, predicting the classes with few instances is usually challenging for classical ML models. Oversampling and undersampling are two common and simple remedies: oversampling duplicates instances of the minority classes, whereas undersampling deletes some instances from the majority classes. In [105], a deep generative model, namely Auxiliary Classifier GANs (AC-GAN), is proposed to address the problem of imbalanced classes in network data. More precisely, a Generative Adversarial Network (GAN) is deployed to generate synthesized data instances and so balance the minority and majority classes. In [106], Alom et al. used a Deep Belief Neural Network (DBNN), a well-known generative model, for intrusion detection. Furthermore, they compared the proposed method with some existing methods, such as SVM and DBNN-SBM. The proposed method outperformed all of these in classification accuracy, achieving ≈97% accuracy. The authors state that their method is not only able to detect threats but also to categorize them into five classes with the reported detection accuracy. Another advantage of the provided DL model is that it can detect unknown attacks that were not present in the training dataset. Iliyasu et al. introduced a semi-supervised learning technique using a Deep Convolutional Generative Adversarial Network (DCGAN) for the classification of encrypted network traffic [107].
The main idea behind this method is to use the DCGAN for instance generation, as well as to exploit unlabeled traffic data to increase the accuracy of the learner, even when only a small amount of labeled data is available for training. The authors used the QUIC and ISCX VPN-NonVPN datasets to demonstrate the accuracy of their model, where the model delivered 89% and 78% classification accuracy on the QUIC and ISCX VPN-NonVPN datasets, respectively. As another positive point, the proposed deep method can alleviate the problems connected with extensive dataset collection and labeling, which are problematic for both classical ML and DL models.
A summary of the papers reviewed in this section is provided in Table 3 .
Table 3 . A summary of works on network traffic classification.
Dynamic Port Definition
Synonymous with private port. A port that can be used by any computer application program to communicate with any other application program running Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), with no registration requirements. Dynamic ports are numbered from 49,152 through 65,535. See also port, registered port, and well-known port.
Are there security implications to using dynamically-assigned TCP port numbers?
I'm getting pushback from operations for having a server process listen on a dynamically-assigned port number (i.e. it binds a socket to a port number of 0, triggering a dynamic assignment by the OS, which it retrieves using getsockname()). The argument was that it "creates all kinds of issues for firewalling, routing, ACL, and security purposes". I haven't run across anything about this.
This is CentOS, our applications are in-house and restricted to a set of machines on a LAN that's heavily firewalled from the outer world.
Can someone knowledgeable weigh in on the subject?
UPDATE 1: FTP dynamically assigns a port number, too, although I don't know if it's from the same range of numbers that I've seen elsewhere (32768-61000?). How do firewalls etc. deal with this?
- What happens in a few months when the service needs to be accessed through the firewall? How will it know which port(s) to allow? – Mike Aug 1, 2013 at 20:44
- Good point; what do firewalls do about FTP, which uses (as I understand it) the same technique? – Chap Aug 1, 2013 at 20:56
- Hopefully somebody with a lot more firewall experience than myself will come in here and give a proper answer but with regards to FTP communication is initiated on a static port (21 by default) and then occurs over a defined range of ports. The firewall is configured to match the static port and the range. – Mike Aug 1, 2013 at 21:02
- 1 FTP is a special and difficult case. Its use of ad hoc ports for inbound connections has made many firewalls create special rules. It's not a good model to emulate. – Ross Patterson Aug 1, 2013 at 21:50
- @RossPatterson usually you use FTP in passive mode when there's a firewall, to stop it from using random port numbers. – imel96 Aug 1, 2013 at 22:59
Network administrators like to know exactly what ports your software will listen on, so that they can open only the required ports on the firewall defending their network from intrusion attacks. Protecting a network is all about knowing where an attack could come from. If your network, via its firewall, will never expect traffic on port 699, then if you ignore, discard or actively refuse all traffic requesting or transmitting on that port, an attacker can't get in to do his dirty deeds dirt cheap.
Your dynamic port scheme leaves the selection of the port up to the OS. If the OS can choose any non-reserved port for your service, then your network admin must keep all of those ports open between any two network addresses that may be using your software to communicate.
A "trusted" network environment is a misnomer. Most things you "trust" in IT security are things that are simply infeasible to not trust, or for which the reasons for your trust extend beyond the boundaries of the digital world. You may, for instance, have been given a public key certificate "offline" (via thumb drive, etc) and told it belongs to a particular website. By installing said certificate, you tell your computer that you trust the assertions made by the person who gave it to you. The computer then trusts your own judgement, but verifies that the certificate presented by the website matches exactly the cert it was told to trust.
To the case in point; your heavily-firewalled LAN is "trusted" only because using TLS (based partially on the above certificates) for all traffic inside the LAN, based on a PKI that touches every client machine, and administering firewalls between subnets and VLANs inside this environment, is more work than the network admin is willing to take responsibility for. He instead directs his efforts towards building a solid outer wall and gatekeeper system, ensuring that anything attempting to cross the boundary from the outside in (or the inside out) is doing so with at least apparently valid purpose.
Now, in fact, your network admin may want to put firewalls up at key gateways between LAN subnets and across leased lines or VPNs. By having this program use any port it chooses, you force the network admin not to add this "defense in depth" as long as your program works this way. He's not going to like that, and he's going to push back, hard, on any attempt to tell him he can't do his job the way he sees fit.
As far as the argument that dynamic ports are used all the time to connect, that's true - for the client machine. The port your server computer listens on must be static. FTP was mentioned, so we'll use that. FTP uses two ports, usually 20 and 21, for data transfer and command/control respectively. These ports are the ports the server computer will keep open and listen on, and which a firewall on the server side must allow all incoming requests to pass through.
FTP has two connection modes; "Active" and "Passive", and the client machine chooses which. In "active mode", the client will itself begin listening on a second dynamic port, and as part of the negotiation on port 21, will tell the FTP server which other port to SYN. When the client computer is not behind a firewall or other NAT layer, this is better for the server, as the server can now use a dynamic outbound port to "push" messages to the client instead of waiting for the client to send a request to which it can respond, and the server can also distinguish traffic on this port as being between itself and only one client. However, because the client can't tell a firewall protecting the client's network that it's expecting a valid incoming connection on the dynamic port it chose, this scheme is incompatible with a client behind a firewall or other NAT layer, because the firewall will simply deny the incoming request from the server as being unexpected "inbound" traffic.
Instead, for clients that know or presume they are being firewalled/NATed, the client can request "passive" connection negotiation. When the server receives a "passive" request on port 21, it begins listening on a second one of its ports (port 20 is reserved for this purpose, for situations involving a firewall in front of the server as well) and sends this port identifier to the client, who can then make a second "outgoing" connection to the server on which the client's firewall will then expect traffic. As virtually all clients are at least NATed in current times (home networks are ubiquitous), many FTP client programs don't even bother trying an active connection, and FTP servers are built to take all the traffic they'll get on just the two static ports.
In your model, from what you've said, you're basically trying to use an "active" connection scheme, where your software begins listening on a dynamic port and ostensibly tells the remote computer this port to facilitate a return connection. This is, as described, incompatible with a firewall, and so as long as your software behaves this way and cannot behave in any other way, no firewall can exist between two computers using your software. This may be contrary to your network admin's plans for his network.
- Some firewalls do support "active" FTP connections. They do this by inspecting the FTP negotiation to see which additional port to open up, but that requires additional effort and knowledge of the FTP protocol in the firewall. – Bart van Ingen Schenau Aug 2, 2013 at 8:05
- All true. I think the answer is long enough, though, and even if firewalls can support active FTP, the OP is unlikely to make them play nice with his own scheme. – KeithS Aug 2, 2013 at 14:59
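As an added illustration of the mechanism the question describes (not code from the answer above or its author): a Python listener bound to port 0, the OS-assigned port read back with getsockname(), and the kernel's dynamic range read from /proc/sys/net/ipv4/ip_local_port_range on Linux (an assumption; on other systems the code falls back to the IANA 49152-65535 range). The describe_listener wording is this example's own summary of the firewall-rule point made in the answer.

```python
import socket

# Linux sysctl that holds the dynamic (ephemeral) port range; assumed path
EPHEMERAL_RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"

def ephemeral_port_range():
    """Return (low, high) of the kernel's dynamic port range, or the IANA
    default 49152-65535 when the Linux sysctl file is not readable."""
    try:
        with open(EPHEMERAL_RANGE_FILE) as fh:
            low, high = fh.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return 49152, 65535

def open_listener(port=0, host="127.0.0.1"):
    """Bind a TCP listener; port 0 asks the OS for a dynamic port.
    Returns (socket, assigned_port) so the caller can publish the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(1)
    # getsockname() reveals the port the kernel actually picked
    return sock, sock.getsockname()[1]

def describe_listener(requested, assigned):
    """State what a firewall rule author would have to allow for this service."""
    low, high = ephemeral_port_range()
    if requested != 0:
        return "fixed port %d: a single firewall rule covers it" % assigned
    return ("dynamic port %d (OS range %d-%d): a firewall must open the whole "
            "range or learn the port out of band" % (assigned, low, high))

def demo(requested=0):
    """Open a listener as requested, report the outcome, and release the port."""
    sock, assigned = open_listener(requested)
    try:
        return assigned, describe_listener(requested, assigned)
    finally:
        sock.close()

if __name__ == "__main__":
    print(demo(0)[1])
```

Run it twice and the reported port usually differs, which is exactly what makes a static allow-list impossible for the operations team: the only stable description of the service is "somewhere in the kernel's dynamic range".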
Dynamically choosing port number?
In Java, I need to grab a port number for communication between multiple instances of the same program. Now, I could simply pick some fixed number and go with it. But I'm wondering if there's a way to dynamically choose the port number, so that I don't have to bother my users with setting the port number.
Here's one idea I had, which works like this:
- There's a fixed initial port number A.
- Program 'MyApp' starts, tries to grab port A.
- If it succeeds, then it's the first instance of 'MyApp'. Done.
- If it fails, it asks over port A whether the program on A is an instance of 'MyApp'. If yes, communicate with that instance. Done. If not, try to grab port A+1. And if there's another program using that port (not an instance of 'MyApp' either), then grab A+2, then A+3, and so on.
Does this strategy make sense? Or is there a better way to dynamically choose a port number?

- 1 You don't need to do so. If you create a socket, the system automatically assigns the next available port number for you. Please, read carefully the documentation for the socket API you are using. Also provide more tags on the programming language/library you are using. – dma_k Feb 9, 2010 at 18:39
- @dma_k: In Java, apparently you have to bind to port 0 to achieve that (counter-intuitive, I know). If you don't bind at all, you won't be able to listen on it. :-P – C. K. Young Feb 9, 2010 at 18:41
- Pretty much all socket implementations I can remember use this "counter-intuitive" trick to ask for a dynamically assigned port... nothing so special here. – jldupont Feb 9, 2010 at 18:48
- @jldupont: No, in C code, if you simply don't bind before listening, then a port will be chosen for you. If you do the same thing in Java, it will throw a hissy fit at you. – C. K. Young Feb 9, 2010 at 18:51
3 Answers
If you bind to port 0, Java will use a system-generated port. :-) So, that's probably the easiest way to fall back if your desired port is already used.
- 4 ... and how will the instances find each other? Isn't that what the question is all about? – jldupont Feb 9, 2010 at 18:46
I would take the inverse and select a fixed high port for your app. Make it a config value so it could be changed if necessary. This will simplify configuration as often times users of apps need to request network operations to open ports. Work around the IANA assigned values:
http://www.iana.org/assignments/port-numbers
Scanning ports could turn your app into a bad citizen for many intrusion detection systems.
You could use Bonjour/ZeroConf to advertise the services of each instance and enable an instance to find the others. Think of this as a directory service which could help manage your port namespace.
Each instance can just grab a dynamically assigned port in this case. A request for binding to port "0" will usually instruct the system to assign a dynamic port.
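An added example, written in Python rather than the Java the question asks about and not taken from any of the answers above, of the approach the answers converge on: the primary instance holds a fixed, configurable port, and later instances verify who holds it by reading a banner instead of probing port+1, port+2, and so on. The banner text, the 127.0.0.1 binding and the use of port 0 in the demo (so it runs on any machine) are constructed for this example; a production version would authenticate the peer rather than trust a plain banner.

```python
import socket
import threading

APP_ID = b"MyApp/1\n"   # constructed identity banner; a real app would authenticate this

def serve_banner(sock, stop):
    """Answer every connection with the banner until stop is set."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = sock.accept()
        except socket.timeout:
            continue
        with conn:
            conn.sendall(APP_ID)

def try_bind(port):
    """Return a listening socket on 127.0.0.1:port, or None if the port is taken."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("127.0.0.1", port))
        sock.listen(5)
        return sock
    except OSError:
        sock.close()
        return None

def identify_peer(port, timeout=1.0):
    """Connect to port and report whether the listener speaks our banner."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as conn:
            data = b""
            while len(data) < len(APP_ID):
                chunk = conn.recv(len(APP_ID) - len(data))
                if not chunk:
                    break
                data += chunk
            return data == APP_ID
    except OSError:          # refused, reset, or no banner before the timeout
        return False

def start_or_join(port):
    """Primary instance binds the configured port; later instances verify the holder.
    Returns a dict describing the role this process ended up with."""
    sock = try_bind(port)
    if sock is not None:
        stop = threading.Event()
        thread = threading.Thread(target=serve_banner, args=(sock, stop), daemon=True)
        thread.start()
        return {"role": "primary", "port": sock.getsockname()[1],
                "sock": sock, "stop": stop, "thread": thread}
    if identify_peer(port):
        return {"role": "client", "port": port}
    # The port is held by something that is not MyApp. Do not walk to port+1,
    # port+2, ... (the scanning pattern the answer above warns about); report it.
    return {"role": "conflict", "port": port}

def shutdown(instance):
    """Stop the banner thread and release the port of a primary instance."""
    if instance["role"] == "primary":
        instance["stop"].set()
        instance["thread"].join()
        instance["sock"].close()

def occupy_port():
    """Demo helper: a plain listener that is not MyApp, standing in for a foreign program."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]

if __name__ == "__main__":
    first = start_or_join(0)                 # port 0 here only so the demo always binds
    second = start_or_join(first["port"])    # a second instance on the same machine
    print(first["role"], second["role"])     # primary client
    shutdown(first)
```

With a real configured port, the conflict branch is where the operator learns that another program owns the port, which is more useful to them than an application silently migrating to a neighbouring port that no firewall rule or monitoring expects.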