Doug Vitale Tech Blog

TCP/IP port numbers

The TCP/IP protocol suite (or stack) utilizes not only IP addresses but numbered ports to manage and maintain connections between network hosts. While IP addressing is used by the Internet Protocol (IP) at Layer 3 of the Open Systems Interconnection (OSI) model, ports are used by transport layer protocols like Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) at Layer 4. As the name implies, transport layer protocols are designed to transport or deliver data to network hosts during communication sessions.

As network interface cards, switches, and routers have physical ports into which you can plug network cables, think of transport layer ports as “virtual ports” that are used to classify and segregate data traffic between communicating hosts. For example, if your computer initiates an FTP connection with an FTP server, it sends data to port 21 on the server using TCP. If your computer sends an HTTP request to a web server, it does so on port 80 on the server using TCP. If your PC queries a DNS server for a host’s IP address, it does so on port 53 of the DNS server using UDP. Simultaneously, ports numbered higher than 1023 are opened on your PC to receive traffic from the servers (the TCP/IP protocol suite can support ports numbered from 0 to 65,535).

Jump to:

An example of why port numbers are so necessary would be when you browse multiple websites simultaneously. Your web browser would be sending out HTTP GET requests to port 80 on multiple web servers. When these web servers respond, they send back HTTP data to the corresponding listening ports on your PC, allowing your web browser to properly display content from multiple web servers. Below you will see the results of the netstat -n command issued while my browser was loading data from multiple websites; my laptop’s port number is to the right of the colon after my IP address of 192.168.10.100 (go here to brush up on your netstat knowledge).

Proto  Local Address          Foreign Address
TCP 192.168.10.100:1124 64.4.34.37:443
TCP 192.168.10.100:2856 72.21.214.128:443
TCP 192.168.10.100:2857 66.211.181.161:80
TCP 192.168.10.100:2858 66.135.215.61:80
TCP 192.168.10.100:2859 216.52.208.185:80
TCP 192.168.10.100:2860 173.8.22.107:80
TCP 192.168.10.100:2868 74.125.226.235:80
TCP 192.168.10.100:2871 96.17.10.96:80

As you can see, my laptop is listening on ports 1124, 2856, 2857, 2858, etc. during these HTTP sessions. Ports (along with IP addresses) let networked computers using TCP/IP keep track of the different types of data traffic they send and receive.

What’s important to remember is that in client/server networking, the server running various protocol-based services (such as DNS, DHCP, HTTP, SNMP, etc) listens for incoming connection requests on pre-determined well known ports, while the clients making the requests open registered or dynamic ports on themselves to facilitate the communication session.

The well known and registered ports are maintained by the Internet Assigned Numbers Authority, or IANA. IANA is a department of the Internet Corporation for Assigned Names and Numbers (ICANN) that is responsible for coordinating some of the key elements that keep the Internet running smoothly, including the root DNS namespace, public IP address allocation, communication protocol parameters, etc.

IANA’s registry of assigned port numbers is freely available to the public on Wikipedia and IANA’s own website, so I won’t reproduce them here (fair warning: this IANA link made my browser repeatedly freeze for 20-30 seconds). My preferred resource for quick and easily readable access to the well known and registered ports can be found on Gasmi.net; TCP port assignments are here and UDP port assignments are here. Stengel.net isn’t bad, either.

During your networking studies you will encounter the term socket. A TCP/IP socket is not the same as a port. Rather, it is a combination of a host’s IP address and the port on which it is listening to a particular stream of traffic. Sockets allow messages to be transferred between applications (unrelated processes) on different network hosts. Technically a socket consists of a protocol, a local address, a local port, a remote address, and a remote port.

It is very important for all IT professionals (ethical hackers in particular) to have a crystal clear understanding of ports and how they work. It is also critical to commit to memory the ports used by common and important protocols and services. Below you will see a table of such port numbers. Not only will these ports show up for you in the real world, but many IT certification exams will test your knowledge of them. If you are unfamiliar with any of the services listed below, it’s highly recommended that you read up on them as well.

Common ports, protocols, and services

Port and Protocol (UDP/TCP)

Service

20/TCP FTP data
21/TCP FTP command
22/TCP SSH
23/TCP Telnet
25/TCP SMTP
53/TCP DNS zone transfer
53/UDP DNS lookup
67/UDP DHCP client
68/UDP DHCP server
69/UDP TFTP
80/TCP HTTP
88/TCP Kerberos
88/UDP Kerberos
110/TCP POP3
119/TCP NNTP
123/UDP NTP
135/TCP Remote Procedure Call (RPC)
Recommended reading
137/UDP NetBIOS name query packets
138/UDP NetBIOS datagram packets
139/TCP NetBIOS session, Windows File and Printer Sharing
Recommended reading
143/TCP IMAP4
161/UDP SNMP
179/TCP BGP
389/TCP LDAP
443/TCP HTTPS (HTTP over SSL)
445/TCP Microsoft Directory Services:
Active Directory, Windows shares
Recommended reading
445/UDP Microsoft Directory Services: SMB file sharing
500/UDP ISAKMP/IKE
514/UDP Syslog
520/UDP RIPv1/RIPv2
521/UDP RIPng
1433/TCP Microsoft SQL
1521/TCP Oracle default listener
1701/TCP L2F, L2TP
1701/UDP L2F, L2TP
1723/TCP PPTP
1723/UDP PPTP
3268/TCP Global Catalog (Active Directory)
3306/TCP MySQL
3389/TCP Windows Terminal Server (Remote Desktop)
3544/UDP Teredo tunneling
4500/UDP NAT Traversal (NAT-T)
5800/TCP Virtual Network Computing (VNC)
5900/TCP Virtual Network Computing (VNC)
6660-6669/TCP Internet Relay Chat (IRC)
12222-12223/UDP Lightweight Access Point Protocol (LWAPP)

Recommended reading

The Sans Institute maintains a list of ports known to be used by Trojan horse malware.

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

TCP/IP Illustrated on Amazon TCP/IP Illustrated TCP/IP Protocol Suite on Amazon TCP/IP Protocol Suite

Guide to TCP/IP on Amazon Guide to TCP/IP Teach Yourself TCP/IP in 24 Hours on Amazon Teach Yourself TCP/IP

TCP/IP Network Administration on Amazon TCP/IP Network Administration TCP/IP Guide on Amazon TCP/IP Guide

About these ads

Written by Doug Vitale

December 1, 2011 at 1:34 AM

%d bloggers like this: