Understanding and Troubleshooting Ports

This document is intended to help users understand the current state of the connection for any port in the system.

How does a system know which port to address a communication to? Many ports are defined by Internet standards as being used for a specific purpose or protocol. The list of ports can be viewed at the URL below: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Among the different transport-layer protocols that use ports, users are most likely to encounter the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP).

There are a total of 65,535 TCP ports and a total of 65,535 different UDP ports. When a user reports that a communication is headed for a particular port (say port 53), the next question that usually follows is whether that is TCP port 53 or UDP port 53.

For a port to be used to receive a network communication, the port must be associated with some process. The process acts as a listener, waiting for connections to be made requesting some service on its assigned port.

In Windows, a service is usually bound to a specific port (there may be exceptions as well).

Using netstat to analyze and understand communication through ports

The “netstat” command displays information about the network ports in use on the system. Netstat comes installed on all current releases of Windows. Run with no switches, netstat simply displays a list of active connections on the local system.

A netstat command with no switches gives output similar to the one below (a few digits in the IP addresses and a few characters in the names are masked for security reasons).

Screenshot 1 – The netstat command with no switches

To keep this document short and to the point, let us only look at the last column of the above screenshot. The last column shows the current state of the connection. This entry will normally be one of the following:

- LISTENING: The port is open and listening for inbound connections.

- ESTABLISHED: The connection is active between the two systems.

- TIMED_WAIT: The connection has recently ended.

Other entries are possible, such as the following:

- SYN_SEND, SYN_RECEIVED: Either of these may appear during the initial connection setup.

- FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, LAST_ACK: Any of these may appear while a connection is being closed.

Of these states, the ones of greatest importance while investigating any issue are LISTENING, ESTABLISHED, and TIMED_WAIT. The other states are generally very short in duration and will not often be seen in netstat output.

Let us now examine some useful forms of the netstat command. While netstat’s attempt to be user friendly may benefit some users, its name-resolution feature can actually confuse the user in some ways.

For instance, in the following screenshot, you see :D2D instead of a port number. This entry shows the connection for D2D, which uses port 8014 by default. However, I have set an alias for port 8014 in the services file located under “:\Windows\System32\drivers\etc”. Hence, instead of showing the port number, the result now shows :D2D (the alias set for this port in the services file).

This is not necessarily the best way to run netstat to obtain accurate information. However, if you see names like this in the netstat output, you can look in the services file to find out which port they stand for.

Screenshot 2 – Netstat command without switches after modifying the services file

In summary, the netstat command run with no switches relies on the services file to indicate which service is being used rather than printing the actual port number.

The -n switch tells netstat to show all results in numeric form. This displays IP addresses and ports as numbers rather than trying to resolve them to some sort of name. This gives a clearer picture of exactly what is happening on the system and eliminates any confusion that name resolution may induce.

Screenshot 3 – Output of the netstat –n command

You can see that the output in the screenshot above provides a clearer picture of exactly which computers are communicating and which ports are involved in the communication. There is another switch that provides more valuable information.

The -a switch will list all TCP and UDP connection information, including information about not only active connections but also ports that are currently open on the system.

The -a switch can be combined with the -n switch; the output will be similar to the following screenshot.

Screenshot 4 – The netstat -an command output

In the above screenshot, you can see that we now have a wealth of useful information about the ports on this system. In the Local Address column, you can see all TCP and UDP ports that are currently listening on the system as indicated by the LISTENING entry in the corresponding State column.

The format of each entry is IP address:port. All of the IP addresses represent the local system; however, there are three different IP addresses listed, namely 0.0.0.0, 127.0.0.1, and another IP address (which is partially masked for security reasons). The system from which the above output is taken has only one network interface card (NIC), and it is assigned the partially masked IP address. So what do the other two IP addresses refer to?

If a port is opened on a specific IP address, netstat lists that IP specifically in the Local Address column (such as the entries in the screenshot above showing the partially masked IP address). If the port is open on all IP addresses that the box is currently using, or that may get added in the future, then netstat lists the IP address 0.0.0.0 to indicate that all of the system’s IP addresses can receive connections to the port. Finally, every system has a loopback address that is used to communicate with itself (for example, to run both a client and a server product on the same system). Windows uses the IP address 127.0.0.1 to designate the loopback address, so entries with this IP address in the Local Address column are listening for connection requests only from another process running on the local system.

One further switch that is of use was introduced in Windows XP. The -o switch shows the process identifier (PID) of the process that is bound to a listening port or that is using an established connection. This can be extremely useful in determining why a particular port is open. The screenshot below shows netstat being run with the -o switch in conjunction with the -a and -n switches.

Screenshot 5 – The netstat -ano command output

Screenshot 5 shows the correlation between each open port and the process that is using it. This information can help us determine whether the port is being used for a known, legitimate purpose or whether an attacker has maliciously opened it. By examining each process that is using a port, we can eliminate those that are non-threatening and focus on those that may be malicious.
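The two points above, the meaning of 0.0.0.0 versus 127.0.0.1 in the Local Address column and the PID correlation that -o gives, put into a script as an added example that is not part of the original document: a Python parser over a constructed netstat -ano sample that classifies each listening port by bind scope and groups it by PID, so that the ports reachable from the network can be matched to processes without the elevated prompt that netstat -b requires. The sample lines, addresses and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat -ano" output (not taken from the document).
SAMPLE_NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:8014           0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:6106         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     192.168.1.50:8014      ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    1204
"""

# proto, local addr, local port, foreign addr, optional state (UDP lines have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_0-9]+))?\s+(\d+)\s*$")

def parse_netstat_ano(text):
    """Return one dict per socket line; the header and any blank lines are skipped."""
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, laddr, lport, faddr, state, pid = m.groups()
        entries.append({"proto": proto, "local_addr": laddr, "local_port": int(lport),
                        "foreign": faddr, "state": state or "", "pid": int(pid)})
    return entries

def bind_scope(local_addr):
    """0.0.0.0 = every address the box has (or gets later); 127.0.0.1 = local processes only."""
    if local_addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if local_addr.startswith("127.") or local_addr == "[::1]":
        return "loopback only"
    return "specific address"

def listening_ports_by_pid(entries):
    """Map PID -> [(proto, port, scope)] for sockets that accept inbound traffic.
    A TCP port counts only while LISTENING; UDP has no state, so every bound port counts."""
    by_pid = defaultdict(list)
    for e in entries:
        if e["proto"] == "UDP" or e["state"] == "LISTENING":
            by_pid[e["pid"]].append((e["proto"], e["local_port"], bind_scope(e["local_addr"])))
    return dict(by_pid)

def externally_reachable(entries):
    """Listening ports a remote host could connect to, i.e. everything not loopback-only."""
    return sorted((proto, port, pid) for pid, ports in listening_ports_by_pid(entries).items()
                  for proto, port, scope in ports if scope != "loopback only")
```

On a live system, feed the real output with `parse_netstat_ano(subprocess.check_output(["netstat", "-ano"], text=True))` and look up each returned PID in Task Manager or `tasklist` to get the process name.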

Another switch that helps with “netstat” is -b, as in “netstat –ab”.

“netstat –ab” shows the same output as “netstat –a”, plus the name of the process listening on each port. The user can redirect the output to a file and search the file for the process name.

Screenshot 6 – Result of the “netstat –ab” command

Please refer to the documents below for the ports used by CA ARCserve products:

http://www.arcserve-knowledgebase.com/index.php?View=entry&EntryID=3914
http://www.arcserve-knowledgebase.com/index.php?View=entry&EntryID=2305
http://www.arcserve-knowledgebase.com/index.php?View=entry&EntryID=598