Problems in Establishing a Connection
Applications communicate between ports. In fact, in TCP and UDP discussions, we say the TCP session is defined or uniquely characterized by these four parameters: the sending IP address, the sending TCP port number, the receiving IP address, and the receiving TCP port. Programmers refer to the set of four parameters along with the protocol as a socket. These four values (IP address A, port x) <--> (IP address B, port y) uniquely identify the logical communications channel between the client and the server.
Figure 20: Defining a Session
For example, in the three-way handshake, the client sends the SYN packet from IP address A listing port x as the source port. In the packet the client also lists the destination as IP address B (server) and port y (the application). As we described previously, the operating system in each device needs to allocate memory for the operation of the session being established. These four values are the tags used to identify the exchange. Note that a single server, such as an email server, can use port 25 as part of a set of thousands of different sessions, so long as the client port or client address changes in each instance.
Occasionally, a client application will attempt to connect to a port that is not available on a server. We say the port is not open. If this happens, most TCP stacks will tell the source of this occurrence by sending an ICMP packet indicating this. However, most client devices will ignore the report and the user will not make the connection. If someone or some device is attempting to discover which ports are active on the server by scanning ports, you may see a sudden increase in the amount of ICMP traffic on your network. Scanning is a process in which a SYN packet is sent to each possible port number in succession. For example, a scanning utility might send successive SYN packets to 220.127.116.11: 1025, 18.104.22.168: 1026, 22.214.171.124: 1027, and so forth. Here we have used the common notation to show the port number behind the IP address separated by a colon.
There are generally two sources for scanning activities: good guys and bad guys. Among the good guys are network troubleshooting tools with functions built in that will scan the ports of a host in order to see if the host has the correct ports open.
Most servers have several open ports which represent services it will provide. For example, a server with ports 110, 25 and 80 open would be available to provide email and web page serving. If the server actively announces these services, we say it advertises the services. So, often a network support tool will scan the network to see which devices have open ports and then send a SYN to verify the status of the port. Among the bad guys are hackers that are attempting to do reconnaissance on your network. They also want to know which devices are servers and which ports are open, but for their own less honorable purposes.