Port number concepts? - networking

I am trying to understand the concept of port number. As much as I know it identifies a specific process or a network service.
Can anyone give me a real life example. So, it could be easier to understand.
Some doubts that I currently have-
I heard, there are 65536 ports. Does, that mean, a system can identify 65536 processes simultaneously?
I have seen that some ports are reserve for some specific service. So, does it mean, it can't be used for any other service?
What is the command to know which port numbers are free or to use?
What is the command to know which port numbers are not free and what are they used for?
If I try to access a system through remote desktop from my computer, it asks for a port number. What should I mention?
If possible please share a link. I am currently getting confused with too much technical theory. Thank you!!!

I heard, there are 65536 ports.
You heard wrong. There are 65535: 1 .. 65535. Zero is not a valid port number.
Does, that mean, a system can identify 65536 processes simultaneously?
It means a system can identify 65535 ports simultaneously.
I have seen that some ports are reserve for some specific service. So, does it mean, it can't be used for any other service?
That is the meaning of the word 'reserve'.
What is the command to know which port numbers are free or to use?
It isn't a command. It is either a search at the IETF website for reserved ports or the use of the number zero, which means the next available port.
What is the command to know which port numbers are not free and what are they used for?
It isn't necessarily a command. It is a search at the IETF website for reserved ports, or the netstat command for ports actively in use on the localhost.
If I try to access a system through remote desktop from my computer, it asks for a port number. What should I mention?
The port number that you're trying to connect to in the remote system.

Here is more clarification:
I heard, there are 65536 ports.
A port is 16 bit i.e. 2^16 =65536 so right
"Port Zero does not officially exist. It is defined as an invalid port number. But valid Internet packets can be formed and sent over the wire to and from port 0 just as with any other ports." https://www.grc.com/port_0.htm
Does, that mean, a system can identify 65536 processes simultaneously?
You do not care about a system, you care about an IP. For every Ip you can use 65536 processes simultaneously.
I have seen that some ports are reserve for some specific service. So, does it mean, it can't be used for any other service?
Of course, otherwise there will be a port conflict.
What is the command to know which port numbers are free or to use?
Refer my post here https://stackoverflow.com/a/54760498/2197108
Netstat: in Linux and Windows displays connections and ports
What is the command to know which port numbers are not free and what are they used for?
It should be clear now
If I try to access a system through remote desktop from my computer, it asks for a port number. What should I mention?
Remote desktop asks for IP address of the remote machine. However, it may ask for user credentials of the remote machine.
In case it asks for IP and Port it means IP and Port of the remote desktop software (server) in the remote machine.

Related

Can't access device through network

I'm trying to interface a device with python.
The device is connected to another machine in the same network (the university network) and I know it's Port number.
I can access the device from the PC where it is plugged with the following code:
dev = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
dev.connect(('137.195.53.140',51019))
where '137.195.53.140' is the PC ip, and 51019 is the port number.
However, if I try the same from another machine, ipython gets stack at the command "dev.connect(('137.195.53.140',51019))", and when I abort the evaluation and then look at "dev" I get this:
<socket.socket fd=15, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('137.195.204.85', 50393)>
where '137.195.204.85' is the IP of the machine I'm using, and the port number I've no idea.
Since ssh works with no problem within this network, I thought that my approach for accessing the device would have worked as well.
Does anyone have any clue for this? I'm sorry if I haven't been clear, but I know absolutely nothing of networking (and not very much of Python either tbh).
There's couple of things to consider:
Your university network ports
Your device's opened ports
Your network might have the 51019 port blocked. Also, ssh uses port 22 to make it's connection. Every port is a world, so there's the chance that just because 22 is open, it doesn't mean that another is. School networks usually have a pretty rigid policy on port closing for security and blocking unwanted sites too.
You can test your device access by pinging it as
$ ping 137.195.204.85
If that works, then you can go trying different ports

IP masquerading, what if the router runs out of ports?

I have recently discovered ip masquerading.
My question is simple: if routers actually map hosts ports to their own ports, what if they run out of ports ? Suppose the network has got 4 hosts on IPs 192.168.0.{2,3,4,5}, each using 20000 ports, how does a router map 80000 ports to his 65000.
Although I couldn't find any information on this, I am guessing masquerading occurs on traffic only, thus there shouldn't be 20k ports to map per host, but why not ? I can't figure it out.
It depends what you mean by 'using 20000 ports'. If you had an application which was listening on 20000 ports on each of 192.168.0.{2,3,4,5} (perhaps allocating the external mapping dynamically using UPnP, it would exhaust the available ports eventually. It's possible that a quota would prevent anywhere near 65000 being allocated. See https://www.rfc-editor.org/rfc/rfc6887#section-17.2
However, you are probably talking about connections out from 192.168.0.{2,3,4,5} to the wider Internet. In this case, no ~65000 limit would apply because a socket is a defined based on the {source ip, source port, dest ip and dest port}. N.B. It's possible to open more than ~65000 sockets from a single server (assuming the OS is so configured), and therefore it's also possible, in theory, to do so with IP masquerading.
A more comprehensive answer is here:
https://serverfault.com/questions/541699/nat-gateway-maximum-connection-limit

Is there a way to detect the number of connections active on a Wifi network?

If I want to detect the number of connections active on my home Wifi network, how should I go ahead doing it? This can be useful for building applications which would serve as monitoring unidentified/unrecognized people being fraudulently misusing a person's Wifi network.
How to know whether your neighbors or others are using your wireless network is rather complicated.
If your neighbors are experienced Wi-Fi hackers, you might not be able to tell at all.
If they're just stealing your Internet connection, you may be able to tell from the logs on your router.
To find out who's on your wireless network, you'll need to start by taking inventory of all the devices that are meant to be connected. Find out their MAC IDs and their IP addresses (if they're static).
To find out the MAC ID/IP address on a PC, click the Start menu and choose Run. Type cmd and click OK. In the screen that opens, type ipconfig /all and hit Enter. The MAC address will be shown as the physical address. Once you know the MAC addresses of each of the PCs on your network, you will recognize any addresses that don’t belong under the screen that shows the MAC addresses of current connections.
Check IP addresses
Likewise you may be able to see how many IP addresses have been dished out by the DHCP server. If you check the IP addresses of each of your PCs, you can see if other IP addresses have been served.
To find out your IP address from the Start menu, click Run. Then type in cmd and click OK. In the screen that comes up, type ipconfig which will display the IP address for that computer. (Bear in mind, however, that if the PC is set to auto detect settings, then the PC's IP address will change the next time the computer is rebooted or switched on. Sometimes previously served numbers have not yet expired, so you may think someone is connected when they are not.)
Dealing with intruders
If you do find someone using your connection, they may well not be doing so maliciously or even knowingly. Sometimes people can’t tell which is their own connection and they may honestly believe that they are using their Wi-Fi router rather than yours. The best way to deal with this is to set up your own security and maybe you can help them find their own router!
The optimal solution is to set up a strong password using WPA or WPA 2 of almost 20 to 30 digits and numbers. Once your network is functioning, you can switch off the SSID broadcast (which prevents it from advertising the name of your network) so it would effectively disappear as far as your neighbors are concerned, and the first you might hear of it is when someone complains that their Web connection has disappeared.
You could look for logs such as current LAN clients, connection or status log, or connected MAC addresses.
Be Happy :-)
Do you have access to the Access Point management ?
Look for MAC addresses and their filtering. Modern APs allow you to filter devices and or limit the timeframe during which devices can authenticate themselves, using a hardware button.
A link on how to secure your AP here, and a good start to know what to play with !
You can Either USE this Command... On your Router or Modem... Some Modem's have console for Ping and Commands like that....
ipconfig -all

How do I get a MAC address for a remote system when I only know it's IP address?

I'm working on a Wake on LAN service that will run from a web site and should interact with many different platforms - therefore, no Windows-only solutions. When a user registers their system with the web site, I need to get the MAC address to use in constructing the "magic" packet. I have a Java Applet that is able to do this for me and am aware of an ActiveX control that will work, but I'm wondering if there is a way to do this server-side by querying routers/switches. Since the system may be on any of a number of different physical subnets, using ARP won't work -- unless there's a way to configure the router(s) to perform the ARP on my behalf.
Anyone know of any network APIs, proprietary or otherwise, that can be used to look up MAC addresses given an IP address? I think we're using Cisco routers, but it's a complicated network and there may be multiple vendors involved at various levels. I'd like to get some background information on possible solutions before I go to make a sacrifice to the network gods. No point in abasing myself if it's not technically possible. :-)
EDIT: We do have the network infrastructure set up to allow directed broadcast, though figuring out the exact broadcast address since netmasks are not always /24 is another conundrum that I need to solve.
If you are on a local network that uses DHCP you might be able to look in the servers database to get the MAC of the last user with that address. In the future you could watch the network for ARP requests and cache the responses in some sort of table. You might also look at using RMON or SNMP to try and query the Address Tables on the switches and routers.
It should be noted that to use WoL across routers you either need to enable Directed Broadcasts or you need to have a relay server in the local segment.
Been a while since I played routers and swtiches but this might be a starting point for what to query using SNMP http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
Use the following:
getmac /s destIp
To get the remote session Mac address.
I don't know if these might be helpful but take a look:
http://www.webdeveloper.com/forum/showthread.php?t=134120
http://www.qualitycodes.com/tutorial.php?articleid=19
You've said everything I can think of...
The source MAC address changes as a packet hops from device to device so unless the client is on the same subnet, the server won't be able to get the MAC address. (You would do it via ARP)
A signed java applet or activex control would be the easiest solution. It would be able to (almost passively) get all the networking info you need (IE doesn't even prompt to run a signed applet)
If you are fully aware of the network that is using the service then you could probably query a gateway's client-list via SNMP or CDP. You would be able to map out IP-Addresses to MAC addresses... but this is really vendor dependent (but common) and wouldn't be much better (imo) than having an applet.
Currently the application is using a Java 6 applet that allows me to extract both the hostname and the MAC address from the remote system. I don't like having this dependency on Java 6, but Snow Leopard and Windows both support it, so I can probably live with it.
On a related-front our networking folks approached me for some help with converting some existing code to ASP.NET. During the conversation I asked if they had live MAC address information (since they do port shutoffs based on suspicious network activity -- viruses/worms). Turns out they do and we may be able to leverage this project to get access to the information from the network database.
I don't think there is any way to accomplish this. When the IP packet goes via the first router the host's MAC information is lost (as you know MAC is only used in ethernet layer). If the router most close to your PC was capable of telling the remote MAC code to you, again it would only see the MAC of the next router between your PC and the "other end".
Start sacrificing.
There's no general way to do this in terms of the network unless you have no routers involved. With a router involved, you will never see the MAC address of the originating system.
This assumes that the originating system only ever has a single network interface, so has only a single MAC address.
In fact, are you even sure that your "magic packet" (whatever that is) will reach the system you want it to reach, through the routers? That sounds like a function the routers or other network infrastructure should be performing.
Mac address is only used on network segments, and is lost at each hop. Only IP is preserved for end-to-end - and even then the from ip address is rewritten when Natted. I guess my answer is, not possible unless everything is on the same network segment, or your routers are set up for proxy arp (which is not really realistic).
You can only get MAC entries in the ARP table for machines on the same network. If you connect to a machine via a router then you will only see the routers MAC address in the ARP table. So there is no way of knowing the foreign host’s MAC address unless it's a host on the same network (no routers involved).
And by the way there are many similar question already on SO.
if it's a windows system you can use NBTSTAT -A
this will return the netbios info and the IP is there
any Management system like SMS or Altiris will have this info
The DHCP server is a good idea
If it's local you can ping it and then quickly run ARP -a
look for the IP and the MAC will be there.
you might need to write a small batch file.
if you have access to the PC you can use WMI to access the info for the Nic with DHCP.
As said above we can get mac address from a known IP address if that host is in the same subnet. First ping that ip; then look at arp -a | grep and parse the string on nix* to get mac address.
We can issue system command from all programming languages standard API's and can parse the output to get mac address.Java api can ping an IP but I am not sure if we parse the ping output(some library can do it).
It would be better to avoid issuing system command and find an alternative solution as it is not really Platform Independent way of doing it.
Courtesy: Professor Saleem Bhatti

Sniffing network traffic for signs of viruses/spyware

How can I connect a system to a network and sniff for virus/spyware related traffic? I'd like to plug in a network cable, fire up an appropriate tool sand have it scan the data for any signs of problems. I don't expect this to find everything, and this is not to prevent initial infection but to help determine if there is anything trying to actively infect other system/causing network problems.
Running a regular network sniffer and manually looking through the results is no good unless the traffic is really obvious,but I havn't been able to find any tool to scan a network data stream automatically.
I highly recommend running Snort on a machine somewhere near the core of your network, and span (mirror) one (or more) ports from somewhere along your core network path to the machine in question.
Snort has the ability to scan network traffic it sees, and automatically notify you via various methods if it sees something suspicious. This could even be taken further, if desired, to automatically disconnect devices, et cetera, if it finds something.
Use snort: An open source network intrusion prevention and detection system.
Wireshark, formerly ethereal is a great tool, but will not notify you or scan for viruses. Wireshark is a free packet sniffer and protocol analyzer.
Use the netstat -b command to see which processes have which ports open.
Use CPorts to see a list of ports and the associated programs, and have the ability to close those ports.
Download a free anti-virus program such as free AVG.
Setup your firewall more tightly.
Setup a gateway computer to let all network traffic go through. Take the above recommendataions to the gateway computer instead. You will be checking your whole network instead of just your one computer.
You can make Snort scan traffic for viruses. I think this will be the best solution for you.
For watching local network traffic your best bet (with a decent switch) is to set your switch to route all packets out a specific interface (as well as whatever interface it would normally send). This lets you monitor the entire network by dumping traffic down a specific port.
On a 100 megabit network, however, you'll want a gigabit port on your switch to plug it into, or to filter on protocol (e.g. trim out HTTP, FTP, printing, traffic from the fileserver, etc.), or your switch's buffers are going to fill up pretty much instantly and it'll start dropping whatever packets it needs to (and your network performance will die).
The problem with that approach is that most networks today are on switches, not hubs. So, if you plug a machine with a packet sniffer into the switch, it will only be able to see traffic to and from the sniffing machine; and network broadcasts.
As a followup to Ferruccio's comment you will need to find some method of getting around your switches.
A number of network switches have the option of setting up port mirrors, so that all traffic (regardless of the destination) will be copied, or "mirrored", to a nominated port. If you could configure your switch to do this then you would be able to attach your network sniffer here.
Network Magic, if you don't mind something that's not open source.
You can use an IDS, hardware or software
http://en.wikipedia.org/wiki/Intrusion-detection_system

Resources