Ports
A single machine has one IP address but runs many services at once; how does it know which incoming packet belongs to which service?
A port is a 16-bit unsigned integer used by the transport layer (TCP/UDP) to uniquely identify a communication endpoint on a host, enabling multiple concurrent network connections over the same IP address.
Ports range from 0 to 65535 because 16 bits give $2^{16}$ = 65536 possible values.
IANA divides this range into three main categories:
| Range | Size (Number of Ports) | Type / Category |
|---|---|---|
| 0 - 1023 | 1024 | Well-Known / Privileged Ports |
| 1024 - 49151 | 48128 | Registered Ports |
| 49152 - 65535 | 16384 | Dynamic / Private / Ephemeral Ports |
IANA is the organization that manages the unique identifiers used on the Internet. It makes sure these identifiers are unique and standardized worldwide, so that two devices or services don't accidentally use the same address, name, or port.
IANA is operated under ICANN (the organization that manages domain names), and the technical work is done by a group called Public Technical Identifiers (PTI).
Well-Known Ports
| Service Name | Port Number | Transport Protocol |
|---|---|---|
| tcpmux | 1 | TCP/UDP |
| echo | 7 | TCP/UDP |
| discard | 9 | TCP/UDP |
| systat | 11 | TCP/UDP |
| daytime | 13 | TCP/UDP |
| qotd (Quote of the Day) | 17 | TCP/UDP |
| chargen | 19 | TCP/UDP |
| FTP data | 20 | TCP |
| FTP control | 21 | TCP |
| SSH | 22 | TCP |
| Telnet | 23 | TCP |
| SMTP | 25 | TCP |
| ESP (IPsec) | 50 | UDP |
| AH (IPsec) | 51 | UDP |
| DNS | 53 | TCP/UDP |
| DHCP/BOOTP server | 67 | UDP |
| DHCP/BOOTP client | 68 | UDP |
| TFTP | 69 | UDP |
| HTTP | 80 | TCP |
| Kerberos | 88 | TCP/UDP |
| POP3 | 110 | TCP |
| sunrpc (RPC bind) | 111 | TCP/UDP |
| Ident | 113 | TCP/UDP |
| NNTP | 119 | TCP |
| NTP | 123 | UDP |
| MSRPC | 135 | TCP |
| NetBIOS Name | 137 | UDP |
| NetBIOS Datagram | 138 | UDP |
| NetBIOS Session (SMB over NetBIOS) | 139 | TCP |
| IMAP | 143 | TCP |
| SNMP | 161 | UDP |
| SNMP Trap | 162 | UDP |
| BGP | 179 | TCP |
| LDAP | 389 | TCP/UDP |
| SLP | 427 | TCP/UDP |
| HTTPS | 443 | TCP |
| SMB/CIFS | 445 | TCP |
| Kerberos change/set pwd | 464 | TCP/UDP |
| ISAKMP/IKE | 500 | UDP |
| Syslog | 514 | UDP |
| LPD (Printer) | 515 | TCP |
| RIP | 520 | UDP |
| DHCPv6 client | 546 | UDP |
| DHCPv6 server | 547 | UDP |
| RTSP | 554 | TCP |
| SMTP Submission | 587 | TCP |
| IPP (Printing) | 631 | TCP/UDP |
| LDAPS | 636 | TCP |
| Kerberos Admin | 749 | TCP |
| IMAPS | 993 | TCP |
| POP3S | 995 | TCP |
This table covers some of the frequently used ports in networking and security contexts. For a full reference, IANA maintains a complete list of all assigned ports.
Registered Ports
| Service Name | Port Number | Transport Protocol |
|---|---|---|
| RMI Registry | 1099 | TCP |
| OpenVPN | 1194 | UDP |
| SQL Server Browser | 1434 | UDP |
| Microsoft SQL Alternate | 1435 | TCP |
| Citrix ICA | 1494 | TCP |
| Oracle TNS | 1521 | TCP |
| L2TP VPN | 1701 | UDP |
| PPTP | 1723 | TCP |
| RADIUS Authentication | 1812 | UDP |
| RADIUS Accounting | 1813 | UDP |
| MQTT | 1883 | TCP |
| UPnP | 1900 | UDP |
| NFS | 2049 | TCP/UDP |
| Zookeeper | 2181 | TCP |
| Docker API (unencrypted) | 2375 | TCP |
| Docker API (TLS) | 2376 | TCP |
| Citrix CGP | 2598 | TCP |
| MySQL | 3306 | TCP |
| MySQL Alternate | 3307 | TCP |
| RDP (Remote Desktop) | 3389 | TCP |
| Remote Desktop Gateway | 3390 | TCP |
| IPsec NAT-T | 4500 | UDP |
| SIP (VoIP signaling) | 5060 | TCP/UDP |
| SIP TLS | 5061 | TCP |
| PostgreSQL | 5432 | TCP |
| PostgreSQL Alternate | 5433 | TCP |
| Kibana | 5601 | TCP |
| RabbitMQ | 5672 | TCP |
| VNC | 5900 | TCP |
| TeamViewer | 5938 | TCP/UDP |
| Redis | 6379 | TCP |
| BitTorrent | 6881-6889 | TCP/UDP |
| HTTP Alternate | 8000 | TCP |
| Jenkins | 8080 | TCP |
| HTTPS Alternate | 8443 | TCP |
| MQTT over TLS | 8883 | TCP |
| Kafka | 9092 | TCP |
| Elasticsearch | 9200 | TCP |
| SNMP over TLS | 10162 | TCP |
| Memcached | 11211 | TCP/UDP |
| MongoDB | 27017 | TCP |
Dynamic / Private / Ephemeral Ports
When a client initiates a TCP connection and the application did not explicitly bind a source port, the OS assigns one, typically from the ephemeral port range.
Ephemeral ports are simply the pool of ports the OS can allocate automatically.
So ephemeral ports are used only for outbound connections where the client does not explicitly specify a source port.
Open vs Closed vs Filtered Ports
When a host receives network traffic targeting a specific TCP or UDP port, the way the OS or firewall responds lets the port's state be classified as open, closed or filtered.
Open
A port is open if an application (process) on the host is actively listening on that port for incoming connections or datagrams, and the host responds to incoming packets directed to this port according to the transport protocol.
Closed
A port is closed if there is no application listening on that port, but the host is reachable. The host responds to incoming packets with a protocol-specific port unreachable message.
Filtered
A filtered port is one where incoming packets are dropped or blocked, so the scanner cannot determine whether the port is open or closed, or even whether the host is online.
4-Tuple / 5-Tuple
A 5-tuple consists of the following five elements:
- Source IP address
- Source port
- Destination IP address
- Destination port
- Transport protocol (TCP or UDP)
Together, these five values uniquely identify a socket connection on the network; a 4-tuple is the same set without the transport protocol.
When a process opens a TCP or UDP socket and sends/receives data, the operating system kernel must manage and track active connections, so it can deliver incoming packets to the correct process or socket.
TCP Example
For TCP, which is connection-oriented, the kernel maintains a TCP control block (TCB) for each active connection.
No two active TCP connections can have the same 5-tuple.
For example, two browser tabs can connect to the same server and port, and their different source ports keep the two 5-tuples distinct; likewise, the same source port can be reused as long as the destination IP or port differs.
The kernel uses the 5-tuple to route incoming packets to the correct socket.
UDP Example
Unlike TCP, UDP does not need a TCB because there is no connection state: UDP is connectionless, and the kernel simply routes each datagram to the correct socket based on the 5-tuple.
The same rule applies here: no two UDP flows can have the same 5-tuple. Multiple UDP flows can share the same source port as long as the destination IP or port differs, which keeps each 5-tuple unique.
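The ephemeral-port, open/closed/filtered and 5-tuple sections above, exercised in one script that is added here as an example and is not part of the original notes: it listens on a loopback port the OS picks, connects two clients so that their 5-tuples differ only in the source port, classifies the port from the client's side, then closes the listener and probes again. The names `port_category`, `probe_tcp`, `five_tuple` and `demo` are chosen for this example; a "filtered" result needs a firewall that silently drops packets, which a loopback run cannot produce.

```python
import socket

# IANA ranges from the table above. Note that each OS picks client source ports
# from its own pool: Linux defaults to 32768-60999 (ip_local_port_range), so an
# OS-assigned port may land in the "registered" range rather than "ephemeral".
def port_category(port: int) -> str:
    if not 0 <= port <= 65535:
        raise ValueError(f"not a 16-bit port number: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Client-side view of a TCP port: open / closed / filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"    # RST came back: host reachable, nothing listening
        except socket.timeout:
            return "filtered"  # no reply at all: dropped on the way, or host down
        return "open"          # SYN/ACK came back: a process is listening

def five_tuple(sock: socket.socket) -> tuple:
    src_ip, src_port = sock.getsockname()   # kernel-assigned if not bound
    dst_ip, dst_port = sock.getpeername()
    return ("tcp", src_ip, src_port, dst_ip, dst_port)

def demo() -> dict:
    """Listen on an OS-chosen port, connect twice, then close and probe again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS choose a free port
    srv.listen(8)
    port = srv.getsockname()[1]
    # Two clients to the same server, like two browser tabs: they differ only in
    # the OS-assigned source port, which is enough to keep the 5-tuples unique.
    a = socket.create_connection(("127.0.0.1", port))
    b = socket.create_connection(("127.0.0.1", port))
    result = {"listen_port": port,
              "while_listening": probe_tcp("127.0.0.1", port),
              "tuple_a": five_tuple(a), "tuple_b": five_tuple(b)}
    for s in (a, b, srv):
        s.close()
    result["after_close"] = probe_tcp("127.0.0.1", port)  # no listener now
    return result
```

Running `demo()` shows the same port reported as "open" while the listener exists and "closed" once it is gone, with the two client 5-tuples differing only in their source port.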