| technology | networking - Ross Heintzkill
What are TCP Ports and Why Are They Important?
Quick Definition of TCP: Transmission Control Protocol (TCP) is a global communication standard that devices use to reliably transmit data. TCP is connection-oriented, which means that a connection between the client and the server has to be established before any data gets sent. As a result, the data is reliable, ordered and error-checked in transit. It is one of the main protocols of the Internet protocol suite, and the entire suite is often referred to as TCP/IP.
Quick Definition of TCP Ports: A "port" is a logical distinction in computer networking. Ports are numbered and used as global standards to identify specific processes or types of network services.
Much as you'd agree on where a package ships from and where it arrives before sending it to a foreign country, TCP ports allow for standardized communication between devices. One device can receive information for many different processes and services, and the port the information flows on helps keep it organized.
An Overview of TCP Ports [VIDEO]
In this video, Tim Warner covers what TCP ports are as well as where and how TCP port numbers are used. He further describes how you can use the netstat command-line tool to find port use information. He also explains how, on Windows computers, you can use a free GUI-based tool called TCPView to better view and work with this information.
How Do TCP and TCP Ports Work?
Transmission Control Protocol is a key component of the TCP/IP protocol stack. TCP is a connection-oriented protocol that requires a connection, or circuit, between the sending computer and the destination computer. TCP is one of the two main ways to transmit data in a TCP/IP network. UDP, which is a best-effort connectionless protocol, is the other one.
For devices to communicate via TCP, they use TCP ports. Generally, a TCP port represents an application or service-specific endpoint identifier.
Think of opening a web browser. When you type in "CBTNuggets.com", your browser translates that to "http://www.cbtnuggets.com". With that, you're specifying the Hypertext Transfer Protocol, and hopefully you get the page without issue. That happens because CBT Nuggets' web server, also known as its HTTP server, is listening for incoming connections on a particular port address.
The well-known port for HTTP is 80. By contrast, if you download some software from ftp.microsoft.com, their FTP server is going to be listening on the well-known Port 23. And so forth. Protip: If you're planning to take an IT certification exam, you may need to have many of the most common TCP ports memorized.
How Many TCP Ports are There?
A TCP port is a 16-bit, unsigned value, so there's a finite number of TCP ports available in the world. Specifically, there are 65,535 available TCP ports.
You've probably heard that the world is moving from IPv4 to IPv6 due to address depletion. It's also entirely likely that the time will come when we'll have to expand the port range to accommodate additional services.
That said, the first 1,024 TCP ports are called well-known port numbers, and they're agreed upon among technology vendors. So if you and I were to go into business and sell a really nice FTP client software, we'd agree to work with the standard, well-known FTP port numbers.
How Do Sockets Work with TCP Connections?
A socket allows for a connection to another system that's already running some TCP server software. A socket takes a combination of an IP address and a port number. That means a single host can host multiple instances of the same service by using different port numbers.
For instance, we can set up a web server that has "Site 1" listening on the default port of 80 and another website, "Site 2", on the same server with the same IP address but listening on Port 8080.
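The "Site 1" / "Site 2" arrangement above, as an added Python example that is not part of the original article: two listeners share one IP address and differ only in port, and a second attempt to bind an IP:port pair that is already in use is refused. It assumes the loopback address and OS-assigned ports instead of 80 and 8080, so it runs without administrator rights; the function names are hypothetical.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"  # assumption: the demo stays on the local host


def open_site(name):
    """Start a listener for one 'site' on an OS-assigned port (bind to port 0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(2)
    srv.bind((LOOPBACK, 0))
    srv.listen(1)
    return name, srv


def fetch(site):
    """Connect to a site; return (banner, client endpoint, server endpoint)."""
    name, srv = site
    with socket.create_connection(srv.getsockname(), timeout=2) as cli:
        conn, _ = srv.accept()  # the kernel already completed the handshake
        with conn:
            conn.sendall(name.encode())
            return cli.recv(64).decode(), cli.getsockname(), cli.getpeername()


def port_is_taken(endpoint):
    """True if a second socket is refused the same IP:port pair."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(endpoint)
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        probe.close()


def demo():
    site1, site2 = open_site("Site 1"), open_site("Site 2")
    try:
        answers = [fetch(site1), fetch(site2)]
        return answers, port_is_taken(site1[1].getsockname())
    finally:
        site1[1].close()
        site2[1].close()


if __name__ == "__main__":
    answers, taken = demo()
    for banner, client, server in answers:
        print(f"{banner}: client {client} -> server {server}")
    print("second bind to Site 1's port refused:", taken)
```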
Where and How Do We Use Port Numbers?
One place is during server application configuration. Enterprise apps like Oracle, SQL, and SharePoint all require you to set up services on discrete port numbers. That is also why working with your network administrator to allow that traffic to flow on those port IDs is important. Firewalls monitor ports to keep systems secure.
Service addressing is another way to use port numbers. Once we install our enterprise application, we advertise the service using, generally speaking, a hostname and the port number. For example, "http://cbtnuggets:1988". We wouldn't have to do that if it were a well-known port. If it's well known, we can leave it off.
We use port numbers for troubleshooting purposes. Specifically, we can troubleshoot malware and identify rogue processes.
Firewall configuration often uses rules that denote both aspects of a socket. You might create allowances or traffic blocks based on IP addresses, port numbers, or both.
How to View TCP Connections on Your Machine
Regardless of your OS, you can always get to the netstat command line tool, although the specific parameters you use will depend on your OS. In Windows, start with a command prompt and type:
This will output a table of all current TCP connections on the system. Unfortunately, you can't do all that much besides looking at it.
There's another option, though, and that's to type:
This outputs a lot more data that's much more useful. This includes all the parameters.
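An added example, not from the original article: a Python parser for netstat output that flags listeners and connections falling outside an expected baseline, which is the check you otherwise do by eye when hunting for rogue processes. The `netstat -ano` layout (all sockets, numeric addresses, owning PID), the sample rows and the `EXPECTED_*` baselines are assumptions made for this example, not the commands the article shows.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")
# Constructed sample in the column layout of Windows `netstat -ano`; not from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:9001           0.0.0.0:0              LISTENING       7316
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2208
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     8812
  TCP    192.168.1.20:49801     198.51.100.7:8081      ESTABLISHED     7316
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2310
"""

# Assumed baseline for this example: ports the host should expose and talk to.
EXPECTED_LISTEN = {135, 445}
EXPECTED_REMOTE = {80, 443}


def split_endpoint(text):
    """Split 'ip:port' on the last colon so bracketed IPv6 addresses survive."""
    ip, _, port = text.rpartition(":")
    return ip, int(port) if port.isdigit() else None


def parse(output):
    """Turn netstat rows into Conn tuples, skipping headers and blank lines."""
    conns = []
    for fields in (line.split() for line in output.splitlines()):
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        state = fields[3] if fields[0] == "TCP" else ""  # UDP rows have no State
        local, remote = split_endpoint(fields[1]), split_endpoint(fields[2])
        conns.append(Conn(fields[0], *local, *remote, state, int(fields[-1])))
    return conns


def review(conns):
    """Return (reason, Conn) pairs that fall outside the assumed baseline."""
    findings = []
    for c in conns:
        exposed = c.local_ip in ("0.0.0.0", "[::]")  # bound to every interface
        if c.state == "LISTENING" and exposed and c.local_port not in EXPECTED_LISTEN:
            findings.append(("unexpected listener on all interfaces", c))
        elif c.state == "ESTABLISHED" and c.remote_port not in EXPECTED_REMOTE:
            findings.append(("connection to unexpected remote port", c))
    return findings
```

Calling `review(parse(SAMPLE))` returns two findings, both owned by PID 7316, which is the process to look up next in TCPView.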
What's a Good Tool for Viewing TCP Information?
If you're working on a Windows machine, TCPView.exe is strongly recommended. A Microsoft property now, it was originally developed by Mark Russinovich. There's also a command line version of the tool called TCPVcon that's also free.
What's great about TCPView is its graphical interface. The interface is more than just a netstat query on steroids: it provides a lot of context and information.
Running TCPView, you may discover that you have quite a lot more running on your system in terms of remote connections than you might have otherwise been aware. That's one of the reasons TCPView is an excellent way to diagnose rogue processes. A rogue process could be a trojan horse or some sort of backdoor administrative application that phones home. You can easily identify those tools by taking a look.
Don't be surprised if you see many applications with running processes, like Outlook, Chrome, or Dropbox. If you right-click one of the listed items, you'll get a specific ID of the image or the executable program that's running. You can also end the process (terminate it) from there by right-clicking and pressing "close application". You can right-click a process and do a WHOIS lookup. There are a lot of good things to do in TCPView, and you should play around with it.
The bottom line with TCPView is that, for each process running on your system, you can see at a glance whether it's using TCP or UDP, along with the local and remote port. You'll see that UDP doesn't have remote ports; that's because UDP is a connectionless protocol and doesn't require an end-to-end circuit like TCP does. That is why TCP entries in this interface tell us where we're connected, both locally and to a remote system.
TCP is an important concept for any network professional to understand. It's one of the tools that has made our modern digital age possible. All this information about understanding TCP/IP lends itself to learning much more about IT professions. If you're looking for more detail, check out our CompTIA A+ training.