Thursday, October 29, 2009

Understanding Ports

When studying for the CompTIA Security+ exam (SY0-201), you’ll come across information on ports. These are important to know and it’s also important to understand how they’re used. In this post, I want to cover how ports are used by systems.

TCP/IP uses IP addresses (and MAC addresses) to get traffic from one host to another. However, when a packet arrives, how does the system know what service, process or protocol to send the packet to? The answer is the port.

Imagine that Sally is using Internet Explorer to do a search with Google.com. DNS is used to resolve Google.com to an IP address and a packet is sent to the Google web site with Sally’s search data. The packet will have a source and destination IP address, and a source and destination port:

  • Source
    70.167.73.10
    Port 1025
  • Destination
    74.125.67.100
    Port 80

When the packet reaches the destination IP address (Google), it is examined to identify the destination port. The Google server sees the port is 80 and passes the packet to the service handling HTTP - the web server service. It knows to do this because port 80 is the well-known port for HTTP. The web server service then creates a return packet with the data.

  • Destination
    70.167.73.10
    Port 1025
  • Source
    74.125.67.100
    Port 80

What isn’t apparent is that when the packet was created for Internet Explorer, the system designated a port (in this case 1025) for Internet Explorer. When the packet from Google reaches Sally’s computer, it has a destination port of 1025 so the packet is passed to Internet Explorer.

At another time, Sally’s computer may register port 1046 (or some other port beyond port 1023) to Internet Explorer. The point is that while well-known ports are constant, the return port isn’t constant.
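The exchange above can be observed on a single machine. The following is an added example, not part of the original post: a loopback listener stands in for the web server and two client connections stand in for the browser. It assumes an OS-chosen free port in place of port 80 (binding port 80 needs elevated privileges), and the function name `observe_ports` is made up for this illustration.

```python
import socket
import threading

def observe_ports(connections=2):
    """Open several client connections to one service and record the ports."""
    # Stand-in for the web server. The OS picks a free port once, and that
    # port then stays fixed for every connection, like port 80 for HTTP.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(connections)
    service_port = listener.getsockname()[1]
    seen_by_server = []

    def serve():
        for _ in range(connections):
            conn, peer = listener.accept()
            # peer[1] is the client's source port; the reply is sent back to it.
            seen_by_server.append(peer[1])
            conn.sendall(conn.recv(1024).upper())
            conn.close()

    worker = threading.Thread(target=serve)
    worker.start()

    clients, rows = [], []
    for _ in range(connections):
        # The client never asks for a source port; the OS designates one.
        c = socket.create_connection(("127.0.0.1", service_port), timeout=5)
        clients.append(c)  # kept open so all client ports are in use at once
        c.sendall(b"search")
        rows.append({
            "src_port": c.getsockname()[1],
            "dst_port": c.getpeername()[1],
            "reply": c.recv(1024),
        })

    worker.join()
    for c in clients:
        c.close()
    listener.close()
    return service_port, rows, seen_by_server

if __name__ == "__main__":
    port, rows, _ = observe_ports()
    for row in rows:
        print(f"client port {row['src_port']} -> service port {row['dst_port']}")
```

Each run prints the same destination port on every line and a different client port per connection, which is the constant-versus-changing distinction described above.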

Good luck in your studies.

Darril