Netstat and open ports


Iain

Hi everyone

I have XP Pro SP2 which is fully updated.  I've been examining the status of my ports using netstat and a couple of online scans.  Fortunately, the scans revealed nothing of concern, but I found something that I don't understand.  Here is the netstat output:

Proto  Local Address          Foreign Address              State
TCP    <ComputerName>:1248    fh-in-f165.google.com:http   ESTABLISHED
TCP    <ComputerName>:1249    fh-in-f165.google.com:http   ESTABLISHED
TCP    <ComputerName>:1251    ik-in-f103.google.com:http   ESTABLISHED
TCP    <ComputerName>:1266    pop3.mail.<ISP>.net:pop3     TIME_WAIT

One of the scan reports mentioned that well-known ports (such as 21, 22, 25, 80 and 110) should be open only if I have the relevant server running, and I don't have any of these servers running on my PC.  So far, so good as my local port connections are 1248, 1249, 1251, and 1266 and ports 80 and 110 were reported as "Stealth".

There are two things that I'd like to know about:

Firstly, how are the local port numbers decided?  I have tried this experiment several times and the local http/pop3 port numbers are rarely the same (I know that the first 1024 are "reserved").  Is it random?  Is it possible to force a particular connection to use a specific local port (i.e. if I want my pop3 connection to be 2468 always)?

Secondly, I have only one instance of IE7 running, so why are there 3 http connections open?  If I renew the page or navigate elsewhere, there may be up to 10 http connections displayed.

Thanks for your time and patience.

The multiple connections are because your browser uses these to download files from the sites you visit. Most browsers allow you to control how many connections your pc can have to one server. Too many, and the site may reject your requests. Not enough, and file downloads may take longer. IE settings for connections to a server are preset in the registry and can be tweaked for faster downloads from a site.

Ever try to download several files at a time from a site, only to have to wait until one finishes before the download dialog pops up again for the last one you clicked on? This is because the web server is only taking so many requests from you at one time to limit bandwidth. Otherwise the server could get flooded with requests and time out. Your browser allows you to raise or lower the default number of connections, sometimes helping increase download speeds. Opera gives you the option to change this from the default 8 connections to a minimum of 1 or a maximum of 128 concurrent connections.

When you visit google, it does not just rely on www.google.com to return the information to you. It spreads the workload over its network of computers that share the same file. Otherwise anyone coming to the site would have to wait in line for each shared file. This is why you see multiple connections ending in google.com.

Download and load Wireshark. Then open your browser and go to google.com. You will see a request for a site in google that has a different name than google.com; it will be something like L.www.google.com or some other server name. One server takes requests, and another handles distribution of the traffic going back and forth. One domain of www.google.com may actually have multiple IP addresses that point to the name google.com.

The random port numbers you see connected to these servers are just the internet traffic between you and the sites you visited. They often take some time to time out after leaving a site, but some may stay if the server is still trying to reach you.

The only time you should worry is if you're not online and have no browsers or programs running that connect to the internet, but you see something connected to your network on multiple ports.

I may have not explained this too well but a little search on Netstat can maybe help you find more on what you want to know:

http://en.wikipedia.org/wiki/Netstat

http://www.microsoft.com/resources/documen...t.mspx?mfr=true

http://www.microsoft.com/technet/prodtechn...e.mspx?mfr=true

http://www.faqs.org/docs/linux_network/x-0...ce.netstat.html

Thanks for the detailed response - I guessed that the local ports were random.  I don't know of any reason why I should want to, but is it possible to fix the local ports to a particular number or range of numbers?  It's an academic question really.

If you did that you could only have as many concurrent connections as there are ports in that range.

Port numbers are designated for specific things and defined in RFCs, but any connection can use almost any port number.

For a list of predefined port numbers and what they are used for, check here: http://www.iana.org/assignments/port-numbers

They are defined by different RFCs, which are basically just definitions for internet connection protocols and standards: http://www.rfc.net/
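The two questions above (whether the local port is random, and whether it can be pinned to a chosen number) and the reply that pinning caps your concurrent connections can all be shown on one machine. The following is an added example, not code posted in this thread: it starts a stand-in server on 127.0.0.1, opens connections with and without calling bind() first, and checks what local port each one actually got. The server, the port numbers and the function names are all constructed for the demonstration.

```python
import socket

# Added example, not code from the thread. Everything runs on 127.0.0.1 and
# shows how the OS picks the "random" local (ephemeral) port for an outgoing
# TCP connection, how bind() pins the local port to a chosen number instead,
# and why pinning limits how many concurrent connections you can have.

def start_local_server():
    """Constructed stand-in for the remote server: listen on 127.0.0.1 on an
    OS-chosen port. The listen backlog completes handshakes without accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv

def connect(server_port, local_port=None):
    """Connect to the local server. With local_port=None the OS assigns an
    ephemeral port; otherwise bind() requests that number first.
    Returns (socket, local port actually used)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if local_port is not None:
            s.bind(("127.0.0.1", local_port))
        s.connect(("127.0.0.1", server_port))
    except OSError:
        s.close()
        raise
    return s, s.getsockname()[1]

def free_port():
    """Ask the OS for an unused port number by binding port 0 and releasing it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port

def demo():
    srv = start_local_server()
    server_port = srv.getsockname()[1]
    result = {}
    open_socks = []
    try:
        # 1. No bind(): each connection gets its own ephemeral port above 1023.
        a, port_a = connect(server_port)
        b, port_b = connect(server_port)
        open_socks += [a, b]
        result["ephemeral_ports"] = (port_a, port_b)
        result["ephemeral_distinct"] = port_a != port_b
        result["ephemeral_above_1023"] = port_a > 1023 and port_b > 1023

        # 2. bind() first: the connection uses exactly the port we asked for.
        chosen = free_port()
        c, port_c = connect(server_port, chosen)
        open_socks.append(c)
        result["pinned_port"] = chosen
        result["pinned_port_honoured"] = port_c == chosen

        # 3. The cost of pinning: while that connection is open, a second
        # connection cannot use the same local port (address already in use),
        # which is why a fixed port or range caps your concurrent connections.
        try:
            d, _ = connect(server_port, chosen)
            open_socks.append(d)
            result["second_use_refused"] = False
        except OSError:
            result["second_use_refused"] = True
    finally:
        for s in open_socks:
            s.close()
        srv.close()
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the printed ports with a `netstat -an` taken while it is running: the two unbound connections show up on whatever ephemeral ports the OS handed out, the third on the number you pinned, and the fourth attempt never appears because the port was already taken.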

Yes, I see about having only a specific range available.  As I said, it was an academic question to see if it could be done, rather than a practical question of having to do it (not that I could think of a reason why it should be specified in the first place).  I realise that ports have specific "associations" (FTP/TCP 21, HTTP/ TCP 80 etc.) and that it's possible to use ports for other connections and I guess that's where the "bad" guys come in!

As a spin off from this, I've been looking further and know that some TCP ports are recommended strongly to be locked down, such as 135, 137, 138, 139, 445 etc. because of vulnerabilities of one kind or another.  I was astonished to see the lines:

Proto  Local Address     Foreign Address   State       PID
TCP    0.0.0.0:135       0.0.0.0:0         LISTENING   1296
TCP    [::]:135          [::]:0            LISTENING   1296

(yes, I do have TCP/IPv6 installed but I'm going to uncheck or uninstall it)

in my Netstat output.  I changed the format of the output and it mentioned epmap.  I did some googling and was thoroughly confused.  Some sites said close it down (the port) as it's not needed but others said if I close it down, my PC may not work normally.  As I said earlier, I have XP Pro SP2 and I realise that it has the patch for the major vulnerability relating to port 135.  I am connected to ADSL via a router so that has a hardware firewall and there's NAT so I reckon I'm fairly well protected.  Do I need to worry about these local connections listening on port 135?

If it's relevant, PID 1296 is svchost.exe and the User Name (in Task Manager) is NETWORK SERVICE.  I ran tasklist /svc /FI "PID eq 1296" and it reported

Image Name                     PID Services
========================= ======== ============
svchost.exe                   1296 RpcSs

Thanks again for your time.

By default I close (or block) 135-139 and 445 on my firewall. Your PC will run fine with these blocked ports filtered out. No need to worry about local ports on 135 as long as you block it on your firewall. Anything with 0.0.0.0 will not be a problem for you either.

The PID will change every time you start Windows. It's a process ID. Open Task Manager and you can get the PID for every program running. These all change each time the program starts or when you reboot.

(attached screenshot: pid.jpg)
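The check implied by the last few posts (which sockets are bound to every interface on 135-139 and 445, and which PID owns them) is easy to script against `netstat -ano` output. The following is an added example, not code from this thread: it parses the column layout shown above, where TCP rows carry a State column and UDP rows do not, splits endpoints on the last colon so `[::]:135` is handled, and reports wildcard listeners on the watched ports. It also counts ESTABLISHED connections per remote host, which answers the "why three http connections" question from the start of the thread. The sample output, the IP addresses (documentation ranges) and the PIDs are constructed, not captured from a real host.

```python
from collections import Counter

# Added example, not from the thread: parse `netstat -ano` style output and
# report sockets bound to all interfaces (0.0.0.0 / [::]) on the ports the
# thread recommends filtering at the firewall.

WATCHED_PORTS = {135, 137, 138, 139, 445}   # RPC endpoint mapper, NetBIOS, SMB
WILDCARD_HOSTS = {"0.0.0.0", "[::]"}

# Constructed sample output (addresses are documentation ranges, not a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1296
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       3012
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1296
  TCP    192.168.1.10:1248      203.0.113.165:80       ESTABLISHED     2204
  TCP    192.168.1.10:1249      203.0.113.165:80       ESTABLISHED     2204
  TCP    192.168.1.10:1251      203.0.113.103:80       ESTABLISHED     2204
  TCP    192.168.1.10:1266      198.51.100.5:110       TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       1296
  UDP    0.0.0.0:137            *:*                                    4
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 forms like [::]:135 work."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else port

def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])   # UDP rows have no State column
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": pid})
    return rows

def wildcard_listeners(rows):
    """Sockets reachable on every interface: listening TCP, or any bound UDP."""
    return [(r["proto"], r["lport"], r["pid"]) for r in rows
            if r["lhost"] in WILDCARD_HOSTS
            and (r["state"] == "LISTENING" or r["proto"] == "UDP")]

def watched_exposures(rows):
    """Wildcard listeners on the ports the thread says to filter."""
    return [entry for entry in wildcard_listeners(rows) if entry[1] in WATCHED_PORTS]

def established_per_remote(rows):
    """How many ESTABLISHED connections go to each remote host."""
    return Counter(r["fhost"] for r in rows if r["state"] == "ESTABLISHED")

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, pid in watched_exposures(rows):
        print(f"{proto} port {port} bound to all interfaces by PID {pid}: "
              f"confirm it is filtered at the firewall or that the service is needed")
    for host, n in established_per_remote(rows).items():
        print(f"{n} connection(s) to {host}")
```

Feed it real output with `netstat -ano > netstat.txt` and read the file instead of the sample; the PID column lets you follow up each flagged entry with `tasklist /svc /FI "PID eq <pid>"` exactly as done earlier in the thread.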

Great - that's reassuring.  I have ZoneAlarm (free version) and, as far as I'm aware, I can't block specific ports.  I have checked my ADSL Router Firewall and have created a rule which will block incoming to TCP 135.  I realise that the PIDs change on reboot.

Thanks for your time.

I can't really remember but I think ZoneAlarm is closed unless you tell it otherwise.

ZoneAlarm Pro or Suite lets you block them manually. I do not know if the free version does this by default, but probably not everything is blocked since you do not have a way to control it.

The other problem with this being that since you haven't told Windows (in this particular case) that it 'can't' use those ports, it will still try to. In which case when a connection attempt is made by the OS, the connection will time out because the server response got blocked (or because it never left in the first place but the client thought it did).

No, I haven't found a way to block a specific port (by number) in the free version of ZoneAlarm.

@Sparda - I'm interested to know how I could tell Windows that it 'can't' use a specific port.

I've looked into disabling DCOM (via a registry tweak and Start>Run>dcomcnfg).  The sites that I've seen say it *should* be OK to disable it on a standalone PC but some corporate users need it for some of their software.  Does anyone have experience of disabling it?  I'm confused about what it actually is and what it does so I'm hesitant to mess around - just in case.  I'm starting to disable anything which I don't need (I've got rid of TCP/IPv6 after my earlier comment!).
