Basics of TCP & UDP Protocols / TCP & UDP Ports
Subtitles of the Movie
In continuing our discussion on TCP and UDP, I'd like to go ahead and talk about ports a little bit more in depth. Now, one of the things that TCP and UDP have in common is that they use ports. Now, these ports are basically port numbers assigned to a particular application layer protocol, which tells the TCP/IP Stack which protocol is being used, which one is being sent and received. Often you may see port numbers combined with an IP address. Together this is called a Socket. It may look something like 192.168.10.1:80. That would tell you that that particular IP address and that port number is a web server, OK? Because that port tells you that the application layer protocol that's being used is normally HTTP. Now, computers run various application layer protocols that use these particular ports and when they use these ports, they're said to be listening on these ports. So a web server will normally be listening on port 80 waiting for communications connections to it. Now, if there is in fact an active TCP communication session going on between two computers, then the port that's being used is said to be established. Now, some of the common ports that we've seen are port 80 for web traffic, HTTP, port 443 for SSL or Secure Sockets Layer traffic. You may have seen this as HTTPS in your browser. Port 53, the Domain Name System is often used for DNS queries and if you're using a Windows Box, you may see ports 135, 137, 138, 139 and 445 used frequently. Those are the ports that Windows uses for NetBIOS Name Services, File Sharing and Active Directory Services. But there are many other ports out there. In fact, port numbers zero through 1023, all 1,024 of those ports are called the Well-Known Ports because they are well-known application protocols that use those ports and there are many more ports. In fact, there are 65,000 plus ports.
So as a network professional and a security professional, I would highly recommend that you take the time to learn the ports and learn most of the basic ones that are in use. Now, there are some protocols, as I mentioned before, that use both TCP and UDP. One example might be the DNS System. It uses both UDP and TCP port 53 for both of those protocols. Another example, DHCP, is UDP-based but it uses ports 67 and 68 on UDP. Now, computers use primarily both a source and a destination port. Now, the destination port is the one we're usually concerned with. It's the one that's tied to an application layer protocol such as HTTP. Basically what happens is when two computers try to connect and talk to each other, destination port is what the source computer, the sending computer is trying to get to. For example, a web server listening on port 80, the host computer might be trying to get to that web server, to that web page and it will try to get to it with a destination of port 80. The host computer, the sending computer, also uses the port as well and that's called a source port. Now, a source port is usually determined by the TCP/IP Stack that's running on the computer. It's not an in-stone number. It's usually above 1024 for sure, but it may be a random number, it may be algorithm generated by the TCP/IP Stack on the computer itself. But it's usually not any given particular number and it could change with each communication session. Now, I want to give you a quick example of ports and how, so you can understand basically what they're used for. A port basically tells you what application layer traffic is being used. Computers get, send and receive a lot of traffic so you may be reading your email at one time at the same time as you're surfing the web or chatting. So how does the computer know where to send all that traffic to, to which application? Well, that's where ports come in.
Ports basically route that traffic to the application layer protocol that's using that traffic. A good example might be an apartment complex, for an example. The address of the apartment complex is 100 Main Street. Well, that could be like the IP address of your computer. Now, if mail goes to that apartment complex, how do you know what apartment it's for? Which person it's for? Well, that's where the apartment number comes in. So if you send a letter to 100 Main Street, it could go to anyone there, but if you specify apartment 33, then you know it goes to that particular apartment. Ports are the same way. You send traffic to a particular IP address, if you specify the port, which applications do, you know which application gets it. I want to take a minute or two now to show you basically an example of how your computer listens to traffic on ports so you can kind of see how that works. OK. We're in our Windows XP box. Kind of what I want to show you is just a quick example of a Windows Box listening on its network ports. We're going to run a NetStat Command at the command line and we're going to use the N Switch. There are different switches for NetStat. You can use whichever ones you like. NetStat will also work on Linux too, by the way. If you look at the screen, you can see in the Command Box that these are the ports that this particular Windows XP Professional Box is listening on. On the left-hand side it has the protocol listed, TCP and UDP. The local address, which could mean the computer's loop-back address, it could mean the computer's network address, are all zeros. Then you have the foreign address in the next column or destination address. That's the address that it would be connected to if there were an established connection and then the state of that connection. The computer's listening on those particular ports right there.
Now, let's go ahead and go to a web page and we're going to go to the VirtualTrainingCompany.com site and just going to that site created some network traffic and probably established a connection. Let's see. Let's run NetStat -n again and sure enough, we have a different set of ports that are now established and listening on. Now, what you see right here, this is interesting. This address is the address of the network adapter for the proxy that's going out on the network, this particular proxy box is on and these are the destination addresses. OK? These are the addresses that the computer connected to on the web on port 80. Now, right here what we see is the source address; the source port. We actually don't see the destination port unless we look over here to where the destination address is. So you see the IP address and you see the colon and the 80. That means that the computer went to a website. We know that because it's port 80. And then that connection is currently established. There are states that a connection can be in as well, such as closed, waiting and so forth. That's just a quick example of how computers listen on ports and connect on ports.
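As an added illustration (not part of the video or its subtitles), the following Python example reads NetStat-style rows, splits each socket into address and port, and labels listening versus established entries the way the walkthrough above reads them off the screen. The sample rows, the addresses in them and the function names are constructed assumptions; the port-to-service table uses only the ports named in the transcript.

```python
# Added example: split netstat-style rows into sockets and label each port.
# SAMPLE is constructed for illustration; it is not output captured from the video.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.10.5:1045      203.0.113.10:80        ESTABLISHED
  TCP    192.168.10.5:1046      203.0.113.10:443       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports named in the transcript and the service it ties each one to.
KNOWN_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP", 80: "HTTP", 443: "HTTPS",
               135: "Windows", 137: "Windows", 138: "Windows",
               139: "Windows", 445: "Windows"}

def split_socket(sock):
    """Split 'address:port' on the last colon; a '*' port becomes None."""
    host, _, port = sock.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return one dict per TCP/UDP row, skipping the banner and header."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        local, foreign = split_socket(fields[1]), split_socket(fields[2])
        # UDP is connectionless, so its rows carry no State column.
        state = fields[3] if len(fields) > 3 else "NONE"
        rows.append({"proto": fields[0], "local": local,
                     "foreign": foreign, "state": state})
    return rows

def describe(row):
    """Summarise a row: the service behind the port that identifies it."""
    lport, fport = row["local"][1], row["foreign"][1]
    if row["state"] == "ESTABLISHED":
        # The foreign (destination) port names the application protocol;
        # the local (source) port is picked by the TCP/IP stack.
        kind = "well-known" if lport < 1024 else "stack-assigned"
        return f"to {KNOWN_PORTS.get(fport, 'unknown')} from {kind} source port {lport}"
    return f"{row['proto']} port {lport} open for {KNOWN_PORTS.get(lport, 'unknown')}"

if __name__ == "__main__":
    for r in parse_netstat(SAMPLE):
        print(r["state"].ljust(12), describe(r))
```

A port that reports as `unknown` here is simply one the transcript did not name, which makes it a reasonable starting point when reviewing what a host is listening on.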
Tutorial Information
| Course: | TCP/IP Packet Analysis |
| Author: | Bobby Rogers |
| SKU: | 33909 |
| ISBN: | 1-934743-95-X |
| Release Date: | 2008-09-11 |
| Duration: | 5 hrs / 60 lessons |
| Work Files: | Yes |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |