Introduction
This section contains one of the most
well-known fields in the TCP header, the Source and Destination port
numbers. These fields are used to specify the application or services
offered on local or remote hosts. We explain the importance and
functionality of the TCP source and destination ports, along with
plenty of examples.
You will come to understand how
important ports are and how they can be used to gain information on
remote systems that have been targeted for attacks. We will cover basic
and advanced port communications using detailed examples and colourful
diagrams, but for now, we will start with some basics to help break down
the topic and allow us to smoothly progress into more advanced and
complex information.
When a host needs to generate a request or send data, it requires some information:
1) IP Address of the desired host to which it wants to send the data or request.
2) Port number to which the data or
request should be sent on the remote host. In the case of a request,
it allows the sender to specify the service it is intending to use. We
will analyse this soon.
1) The IP Address is used to uniquely identify the desired host we need to contact. This information is not shown in the above packet because it exists in the IP header section located right above the TCP header we are analysing. If we were to expand the IP header, we would (certainly) find the source and destination IP Address fields in there.
2) The 2nd important aspect, the port
number, allows us to identify the service or application our data or
request must be sent to, as we have previously stated. When a host,
whether it be a simple computer or a dedicated server, offers various
services such as http, ftp, telnet, all clients connecting to it must
use a port number to choose which particular service they would like to
use.
The best way to understand the concept
is through examples and there are plenty of them below, so let's take a
look at a few, starting from a simple one and then moving towards
something slightly more complicated.
Time To Dive Deeper!
Let's consider your web browser for a moment.
When you send a http request to download
a webpage, it must be sent to the correct web server in order for it to
receive it, process it and allow you to view the page you want. This is
achieved by obtaining the correct IP address via DNS resolution and
sending the request to the correct port number at the remote machine
(web server). The port value, in the case of an http request, is usually
80.
Once your request arrives at the web
server, it will check that the packet is indeed for itself. This is done
by observing the destination IP Address of the newly received packet.
Keep in mind that this particular step is a function of the Network
layer.
Once it verifies that the packet is in
fact for the local machine, it will process the packet and see that the
destination port number is equal to 80. It then realises it should send
the data (or request) to the http daemon that's waiting in the
background to serve clients:
Using this neat method we
are able to use the rest of the services offered by the server. So, to
use the FTP service, our workstation generates a packet that is directed
to the server's IP address, that is 200.0.0.1, but this time with a
destination port of 21.
The diagram that follows illustrates this process:
By now you should
understand the purpose of the destination port and how it allows us to
select the services we require from hosts that offer them.
For those who noticed, our
captured packet at the beginning of this page also shows the existence
of another port, the source port, which we are going to take a look at
below.
Understanding the Source Port
The source port is
analogous to the destination port, but is used by the sending host to
help keep track of new incoming connections and existing data streams.
As most of you are well
aware, in TCP/UDP data communications, a host will always provide a
destination and source port number. We have already analysed the
destination port, and how it allows the host to select the service it
requires. The source port is provided to the remote machine (in our
example, the Internet Server) so that it can reply
to the correct session initiated by the other side.
This is achieved by
reversing the destination and source ports. When the host (in our
example, Host A) receives this packet, it will identify the packet as a
reply to the previous packet it sent:
As Host A receives the
Internet Server's reply, the Transport layer will notice the reversed
ports and recognise it as a response to the previous packet it sent (the
one with the green arrow).
The Transport and Session
layers keep track of all new connections, established connections and
connections that are in the process of being torn down, which explains
how Host A remembers that it's expecting a reply from the Internet
Server.
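As an added example (not code from the original article), the following Python sketch reads the two port fields from a constructed 20-byte TCP header, dispatches on the destination port as the server does, and accepts a reply only when its ports and addresses are the reverse of a recorded request, as Host A does. The address 192.0.2.10 for Host A, the header builder and all class and function names are assumptions; 200.0.0.1 and the port numbers come from the text.

```python
import struct

def build_tcp_header(src_port, dst_port, flags=0x02):
    """Build a constructed 20-byte TCP header (no options, zero checksum)."""
    # Fields: src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)

def parse_ports(tcp_header):
    """Source and destination port are the first two 16-bit big-endian fields."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!HH", tcp_header[:4])

# Services listening on the server in the article's example.
SERVICES = {80: "http", 21: "ftp"}

def dispatch(tcp_header):
    """Server side: pick the daemon from the destination port (None = no listener)."""
    _, dst_port = parse_ports(tcp_header)
    return SERVICES.get(dst_port)

class SessionTable:
    """Client side: remember outbound requests so replies can be matched."""
    def __init__(self):
        self._sessions = set()

    def record_outbound(self, src_ip, dst_ip, tcp_header):
        src_port, dst_port = parse_ports(tcp_header)
        self._sessions.add((src_ip, src_port, dst_ip, dst_port))

    def is_reply(self, src_ip, dst_ip, tcp_header):
        src_port, dst_port = parse_ports(tcp_header)
        # A genuine reply carries the request's addresses and ports reversed.
        return (dst_ip, dst_port, src_ip, src_port) in self._sessions

def demo():
    host_a, server = "192.0.2.10", "200.0.0.1"  # Host A address is assumed
    table = SessionTable()
    request = build_tcp_header(3025, 80)             # Host A -> server, SYN
    table.record_outbound(host_a, server, request)
    reply = build_tcp_header(80, 3025, flags=0x12)   # server -> Host A, SYN/ACK
    stray = build_tcp_header(80, 3026, flags=0x12)   # no matching request
    return (dispatch(request),
            table.is_reply(server, host_a, reply),
            table.is_reply(server, host_a, stray))

if __name__ == "__main__":
    print(demo())
```

A packet whose reversed ports match no recorded session, like the stray one here, is what a stateful filter drops as unsolicited.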
Of course the captured
packet that's displayed at the beginning of the page shows different
port numbers than the ones in these diagrams. In that particular case,
the workstation sends a request to its local http proxy server that runs
on port 8080, using port 3025 as its source port.
We should also note that
TCP uses a few more mechanisms to accurately keep track of these
connections. The pages to follow will analyse them as well, so don't
worry about missing out on any information, just grab some brain food
(hhmmm chocolate...), sit back, relax and continue reading!