PORT CONNECTION STATUS CT Lab#4

TCP packet UDP packet Ports Background

TCP packet

TCP Packet  Sequence number (32 bits)  has a dual role:  If the SYN flag is set (1), then this is the initial sequence number. The sequence number of the actual first data byte and the acknowledged number in the corresponding ACK are then this sequence number plus 1.  If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this segment for the current session.  When a host initiates a TCP session, its initial sequence number is effectively random; it may be any value between 0 and 4,294,967,295,  Acknowledgment number (32 bits)  if the ACK flag is set then the value of this field is the next sequence number that the receiver is expecting.

TCP example  For example, the initial relative sequence number shown in packet #1 is 0 (naturally), while the ASCII decode in the third pane shows that the actual sequence number is 0xf61c6cbe, or decimal.

TCP example (cont.)

 Statistics > Flow Graph..., select TCP flow and click OK

TCP STATES- Create connection

TCP STATES – close connection

UDP Packet

Port definition  Port: There are two types of ports relating to computers  1) Connections to peripherals such as USB devices, serial cables, or mouse's etc  2) Virtual ports found in TCP/IP communications

Expanded definition  For information relating to network security we are more concerned with virtual ports  Ports are like channels that carry information into, out of, and internal to a computer  There are 65,536 standard ports on a computer  Each port is assigned to a certain type of communication “traffic”

Example of port assignments

netstat Port connection status

Netstat  Netstat is an important utility for network administrators.  It is used to display active TCP connections and UDP connections, Ethernet statistics, and the IP routing table.  A port can be in any one of a number of states.  When a TCP port is in a listening state, it is waiting for initiation and completion of a three-way handshake.  This results in the port transforming to an established state.

Netstat (windows)  - a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.  -e : Displays Ethernet statistics.  -n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.  -o : Displays active TCP connections and includes the process ID (PID) for each connection.  -p Protocol : Shows connections for the protocol specified by Protocol.  -s : Displays statistics by protocol.  -r : Displays the contents of the IP routing table. This is equivalent to the route print command.  Interval : Redisplays the selected information every Interval seconds  /? : Displays help at the command prompt.

Netstat (windows) - examples Examples  To display both the Ethernet statistics and the statistics for all protocols, type the following command:  netstat -e -s  To display the statistics for only the TCP and UDP protocols, type the following command:  netstat -s -p tcp udp  To display active TCP connections and the process IDs every 5 seconds, type the following command:  netstat -o 5  To display active TCP connections and the process IDs using numerical form, type the following command:  netstat -n -o

Netstat ( linux) Commanddiscription netstat -a | more all the listening and non-listening ports netstat -tCurrent TCP sessions on the system netstat -uCurrent UDP sessions on the system Netstat –l Netstat –lt – netstat -lu It shows all the sockets which are in listening state. netstat –rCurrent routing table netstat -nDisplays addresses and port numbers in numerical form. Netstat -rn netstat –iCurrent interfaces Netstat -xused to dispaly the statistic of each protocol

How to read Netstat result - example  Example (netstat –an)

How to read Netstat result IP  *.* = All IPv4 addresses (it's listening, so accept connections from any IPv4)  [::] = All IPv6 addresses (it's listening, so accept connections from any IPv6)  If it says on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).  on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.  If it displays your online IP on the Local Address column, it means that port is ONLY listening for connections from the Internet.  If it displays your local network IP on the Local Address column, it means that port is ONLY listening for connections from the local network.  Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that corresponds to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

How to read Netstat result  Consider the following example :  RX-OK : Correct packets received on this interface. RX-ERR : Incorrect packets received on this interface RX-DRP : Packets that were dropped at this interface. RX-OVR : Packets that this interface was unable to receive.

FTP Command  FTP stands for file transfer protocol. It is an application layer protocol as well as an application.  The FTP command is used in the command prompt to connect to FTP servers.

Lab Exercise  Objectives  Name the command used to display protocol statistics and current TCP/IP network connections (netsat).  Understand how a computer can manage multiple communications through the use of ports.  List the switches that can be added to the netstat command to increase its functionality.