A Quick Primer on TCP Server Port Numbers

It’s quite simple to watch how TCP/IP manages the issue of port numbers, you simply need to watch a server.  For example enable Telnet on a server and allow clients to connect.  You can watch the connections by using the netstat command.

For example use this command – netstat -a -n -f inet

There are various flags for the netstat command but here are some of the most useful.  The -a reports every network end point, that is includes every endpoint not just  the ’established’ ones. The -n flag prints out all the addresses as decimal numbers instead of trying to resolve to names, it also prints the port numbers out in a numeric format.  The -f option restricts the output to just TCP and UDP end points.

For instance in our example running on a telnet enabled server you’d expect to see the local address listed with  the notation *.23. This means that the connection to the port for telnet (23) would be accepted on any local interface of the server.  If the server had many Network interfaces installed then we could specify an exact IP address and connections would be established on this one only.


Video Available on YouTube – How to Get A Fake IP Address

If you see the foreign address listed as *.* this doesn’t mean that the server is waiting for a specific connection perhaps from a US IP address.  It simply suggests that the IP address and the port number are not known yet as the end point is still in a listening state and no connection has arrived yet.

If you connect from a client to the server using telnet session then the netstat output will be updated.  You’ll then see the Foreign Address populated with the IP address of the client and the port number assigned, the state of this connection will be set to ’established’.  The port number assigned to the local address will stay on 23 the default listening port for a telnet session.

There are a couple of things to remember regarding the connection request queue. Each listening end point has a limited and fixed length of connections,  It’s sometimes difficult to spot TCP accepting a connection and an application receiving an already accepted connection of the queue.  The application also will specify a backlog to the queue which is effectively a limit on it’s size.  To analyse the connection it’s often useful to monitor something like a large download or perhaps stream a video like this, it enables you to see the ports opening and closing in real time using Wireshark or Ethereal.   Remember to stop the monitor when you’ve got enough data though, too much will make it harder to analyse properly although Wireshark does have an impressive number of filters which can help you sort through the data.