Why o Why

Why o Why is is there 65,535 ports ? Why not 65,536 or 65,534 ? Does anyone know ?

Thanks Alot Dude !

I believe its because the TCP packet header only allows for a 16-bit port numer (source and destination) so 0-65535 is the number range you get.


-Maestr0

You're on the right track Maestr0. It's a 32 bit addressing scheme though, and it uses 32 bit header information (TCP packet header uses a 32-bit port number), not 16bit.

65535 just happens to be the highest positive number that can be obtained using 32 bits.

That's also why the portons of an IP and subnet mask are called octets. (8bits per octet x 4 octets = 32bit Address)

This limitation is addressed in IPv6.....If they ever finalize it! :p

The 32-bit adress is related to the IP portion of the protocol(s) and does not contain any information about ports. The TCP portion of the packet contains two 16-bit fields in the header, one for the source port and one for the destination port.

-Maestr0

To me it's kind of like 255. You can't have an IP passed that...or Subnet mask. There are actually only 254 useable though, because 255 is 11111111 in binary, and is not useable, and 0 is of course the other value, and is also not useable....Ok, I know what I'm talking about here but I just crawled out of bed and I'm still waking up, anyone want to clarify this better untill I'm awake?

Ahhhh hang on thar a moment..

Quote:

---

65535 just happens to be the highest positive number that can be obtained using 32 bits.

---

if you check your binary.. 65535 is the highest value that can be obtained from 16bits..
If my history comes correctly the 64k ports comes from the 8bit cpu days where the original systems could only address 65535bytes.. the cpu would work addresses in 16 bit values..
the X25 protocol was 8bit based and was used with early TCP work..

maestr0 has it:

Quote:

---

The 32-bit adress is related to the IP portion of the protocol(s) and does not contain any information about ports. The TCP portion of the packet contains two 16-bit fields in the header, one for the source port and one for the destination port.

---

Cheers

I just brushed over my TCP/IP and you are correct, Maestr0...the TCP portion of the packet does contain 16-bit, not 32bit headers. Also, I did the binary and Und3ertak3r is correct also.

I guess I was thinking IPv4 is 32-bit and not thinking about the fact that it still uses the original 16-bit addressing scheme.

does the port begin with 0000 ????

No .... port 1 i think , best if one of the mods or senior members comfirm tho :) Thanks

No, it begins with port 0

Quote:

---

Port 0
Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications.

However, port 0 sometimes takes on a special meaning in network programming, particularly Unix socket programming. In this environment, port 0 is a programming technique for specifying system-allocated (dynamic) ports.

Instead of "hard-coding" a particular port number, or writing code that searches for an open port, Unix programmers simply specify port 0 as a connection parameter. That triggers the operating system to automatically search for and return the next available port in the dynamic port number range.

This programming technique does not work the same way in Microsoft Windows as it does in Unix.

---

SOURCE: http://compnetworking.about.com/libr.../blports_0.htm


slick

Without a port 0 there would actually be only 65535 ports, which is 2^16-1. As most things in computers and programming, things start at 0, because of the binary value [all 0s].

16 bits of precision is a range of -32767 to 32768. Integers of greater precision (32 bits) are required to display the port number, however it is still only 16bits of precision in terms of the number of numbers in the range.

chsh, unsigned 16 bit integer?
Cheers,
cgkanchi

I havent heard like port 0 yet.......is it remotely linked to promiscous mode,,, but i guess that has to do with IP addresses and not port nos.....

Regards

Kalp

i found a few very interesting facts abt Port 0 and OS Fingerprinting

Quote:

---

Port 0 OS Fingerprinting
As port 0 is reserved for special use as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet use this port. As the specifics are not clear different OS's have, different ways of handling traffic using port 0 thus they can be fingerprinted.

Port 0 fingerprinting consists of seven tests. The tests are labeled P1 - P7 below.

P1: send tcp packet from source port 0 to port 0
P2: send tcp packet from source port X to port 0
P3: send tcp packet from source port 0 to open port
P4: send tcp packet from source port 0 to closed port
P5: send udp packet from source port 0 to port 0
P6: send udp packet from source port 53 to port 0
P7: send udp packet from source port 0 to closed port

Port X in test P2 is any port not equal to 0. Port 53 is used in test P6 as it is most likely to bypass a firewall configuration.

The standard reply expected to P1, P2 and P4 should be a RST packet as the port should be closed.

The standard reply to P3 should be SYN ACK as the port is open and port 0 is a valid port as described above.

The standard reply to P5, P6 and P7 should all be ICMP port unreachable as UDP port 0 / closed port should not have a program listening on it.

Although port 0 is a valid port number various OS's handle port 0 differently.

Results
Below are a few example fingerprints. The entire list can be found at the end of the paper.

Fingerprint OpenBSD 3.2/3.3
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=N)
P4(Resp=Y%Flags=AR)
P5(Resp=N)
P6(Resp=N)
P7(Resp=Y)

Notice that OpenBSD has a cool feature / bug whereby it does not allow incoming connections from source port 0 (test P3)

Fingerprint Linux
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=Y)
P6(Resp=Y)
P7(Resp=Y)

Unfortunately, both MS Windows 2000 and Linux have the same port 0 fingerprint, replying to all 7 tests.

Recommendations
Although port 0 is a valid TCP / UDP port number, it is highly recommend that one should block any traffic using this port at your firewall. No program should be listening on port 0 and no program should connect from port 0 thus, it should be blocked.
Port 0 fingerprinting can be tested using the gobbler-2.0.1-alpha available from http://www.networkpenetration.com or http://gobbler.sourceforge.net

---

Quote:

---

List of Port 0 Fingerprints
::::::::::::::::::::::::::::::

Fingerprint Mac OSX
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=N)
P6(Resp=N)
P7(Resp=Y)

Fingerprint Gobbler 2.0 Alpha
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=N)
P6(Resp=N)
P7(Resp=Y)

Fingerprint Linux
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=Y)
P6(Resp=Y)
P7(Resp=Y)

Fingerprint MS Windows 2000
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=Y)
P6(Resp=Y)
P7(Resp=Y)

Fingerprint VMS on Alpha
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=Y)
P6(Resp=Y)
P7(Resp=Y)

Fingerprint OpenBSD 3.2 or 3.3
P1(Resp=Y%Flags=AR)
P2(Resp=Y%Flags=AR)
P3(Resp=N)
P4(Resp=Y%Flags=AR)
P5(Resp=N)
P6(Resp=N)
P7(Resp=Y)

Fingerprint SunOS 5.6 (can someone confirm please)
P1(Resp=N)
P2(Resp=N)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=N)
P6(Resp=N)
P7(Resp=Y)

Fingerprint MS NT Server 4 (Service pack ?) with checkpoint ?
P1(Resp=N)
P2(Resp=N)
P3(Resp=Y%Flags=AS)
P4(Resp=Y%Flags=AR)
P5(Resp=N)
P6(Resp=N)
P7(Resp=Y)

---