Common Ports – CompTIA Network+ N10-009 – 1.4

Port numbers can help provide identification and management of application traffic. In this video, you’ll learn about well-known port numbers for popular applications.


As a networking professional, you may be asked to configure port numbers associated with a particular application. So in this video, we’ll look at the well-known port numbers associated with those apps.

We’ll start with a generic form of file transfer that’s used across many different operating systems. This is FTP or the file transfer protocol. This is a very common and generic form of file transfer that can be used on Linux, Windows, Mac OS, and practically any other operating system.

Unlike many applications that use a single port number to communicate, FTP is configured to use one or two different port numbers, specifically TCP port 20 and TCP port 21. TCP port 20 is commonly associated with the file transfer process itself, and port 21 is commonly used to send control information between one device and another.

FTP has an authentication method so you can use usernames and passwords, and when you’re transferring information, you can choose to not only transfer the file, you can list information in a particular directory, add different files, delete, rename, and perform other types of file maintenance.

TCP port 22 is commonly associated with SSH or secure shell. This is a way to communicate to a remote device from a console. So you have this text-based front end and you’re able to configure and manage this device over this text-based command line interface.

An important characteristic of SSH is the secure part of SSH because all of the communication between your device and that remote device is all sent across the network in encrypted form. Well, if there’s encryption being used with secure shell, it would be great if we could use encryption with our file transfer protocol. So of course there is a version of the FTP called secure FTP or SFTP. This allows us to transfer files from one device to another, and that entire communication across the network is all encrypted by default.

Interestingly enough, secure FTP is really using the SSH protocol to be able to perform this encryption. So SSH and SFTP use the same port number of TCP port 22. And just like our FTP protocol that allows us to perform file management of that device, we can also perform the same file management using the secure version of FTP. So you can view the directories, you can make changes to the directory names, you can modify files, delete information, and perform all of the normal file management from the secure FTP application.

Both secure shell and secure FTP have that foundation of SSH as the underlying protocol. So not only does secure shell allow you that remote terminal communication, you can also have remote file transfer communication, and all of that communication will be encrypted using the SSH protocol over TCP port 22.

Before we had encryption over SSH or secure shell, we used a non-encrypted form of terminal communication referred to as telnet. This stands for telecommunication network and it commonly uses TCP port 23. Visually, this looks almost identical to what we use with secure shell.

The difference, however, is the communication that we’re sending between our device and the remote station is all being sent in the clear. There’s no encryption that’s taking place across the network. This means that someone could potentially capture those packets and view everything that’s being sent back and forth over the network, including your login credentials. It’s for this reason that you don’t commonly see telnet being used on our network, and instead we’ll use SSH to ensure that all of this communication will always be encrypted.

Another important application on our network is the use of email. And of course we need protocols to be able to transfer these emails from one email server to another. To be able to do that, we use SMTP or the simple mail transfer protocol. SMTP is commonly associated with server-to-server email transfers using TCP port 25.

All of this traffic sent over TCP port 25 is sent in the clear or in plain text. There’s no encryption that’s automatically configured when using TCP port 25. That’s why many SMTP servers will use TCP port 587, which is SMTP using TLS encryption or the transport layer security. SMTP is also used from client devices that are sending email messages, and it’s often sending those to a mail server using this SMTP protocol.

For receiving email messages and being able to manage your email inbox, we often use other protocols such as IMAP or POP3. So any time that you are sending email or you’re transferring email between email servers, you’re probably using SMTP or the simple mail transfer protocol.

We don’t often memorize the IP address of devices that we communicate with. Instead, we use the fully qualified domain name or FQDN. And the way that we translate between the fully qualified domain name and the IP address is we use a DNS server, and that stands for domain name system.

DNS commonly uses UDP port 53 to be able to perform this name query. So we’ll ask a DNS server what the IP address of www.professormesser.com might be, and it will respond back with the IP address that your device can use to communicate to that server.

For those small queries, we commonly use UDP port 53, but if there’s a large transfer of data from one DNS server to another, we commonly would use TCP port 53. These DNS servers are obviously very critical resources because, without them, we wouldn’t be able to communicate to servers such as professormesser.com. This is also a very common protocol to find on the network. And if you take a packet capture, you’re almost guaranteed to capture some type of DNS traffic.
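The query described above, built byte by byte, as an added example that is not part of the original transcript. It goes one step beyond the text: besides server-to-server transfers, a client also retries over TCP port 53 when a UDP reply arrives with the truncated (TC) flag set. The transaction ID and both reply headers are constructed sample values.

```python
import struct

def encode_name(fqdn):
    """Encode an FQDN as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(fqdn, txid, qtype=1):
    """Build a DNS query (QTYPE 1 = A record, class IN), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, 1)

def frame_for_tcp(message):
    """On TCP port 53 the same message travels behind a 2-byte length prefix."""
    return struct.pack("!H", len(message)) + message

def needs_tcp_retry(response, txid):
    """True when a UDP reply to our query has the TC (truncated) flag set."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:  # ID must match and QR must be 1
        raise ValueError("not a response to this query")
    return bool(flags & 0x0200)

# Constructed sample values (not captured traffic).
TXID = 0x1234
QUERY = build_query("www.professormesser.com", TXID)
# Reply headers echo the question; flags 0x8380 = QR+TC+RD+RA, 0x8180 = QR+RD+RA.
TRUNCATED_REPLY = struct.pack("!HHHHHH", TXID, 0x8380, 1, 0, 0, 0) + QUERY[12:]
COMPLETE_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("UDP payload:", len(QUERY), "bytes")
    print("TCP payload:", len(frame_for_tcp(QUERY)), "bytes")
    print("retry over TCP?", needs_tcp_retry(TRUNCATED_REPLY, TXID))
```

When reading a packet capture, the same two checks (length prefix on TCP, TC flag on UDP) explain why a single lookup sometimes appears on both UDP 53 and TCP 53.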

We’ve become very accustomed to simply plugging into a network or connecting to a wireless network and automatically being able to communicate across that network. But behind the scenes there is an automatic IP configuration process using DHCP or the dynamic host configuration protocol. This is the protocol that allows us to automatically configure IP address settings for anyone that connects to the network. By default, DHCP uses UDP port 67 and UDP port 68.

To be able to use DHCP, we need a DHCP server. At home, we commonly use a DHCP server that’s integrated into an existing wireless router, but in an enterprise network, there are often standalone DHCP servers. We usually configure a pool of IP addresses on DHCP, and anyone who connects to the network will be automatically assigned an IP address from this available pool of addresses.

There’s also a lease time associated with this IP address, so you’re only able to use that IP address for a certain amount of time. And if you are still using that address at the end of the leasing period, you can choose to renew that lease with the DHCP server.

We can also configure certain devices to always receive the same IP address every time they connect to the network. And we associate that IP address with the MAC address of that device. We configure that in the DHCP server. That’s often referred to as a DHCP reservation. All of this communication that occurs across the network for DHCP will almost always use UDP port 67 and UDP port 68.

We talked earlier about the FTP or file transfer protocol that we use to send files from one device to another. And we described the process of authentication and the many different management functions associated with FTP. But what if you just needed to transfer a small bit of configuration information from one device to another? You don’t need to view the name of a directory or change any of the file names. You simply need to transfer a small amount of information very, very quickly.

To be able to do that, you might use TFTP or the trivial file transfer protocol. And by default it uses UDP port 69. You’ll often see TFTP used for very simple file transfers. Usually this is something that doesn’t require any type of authentication or login process.

So it may be something like a voice over IP device that has no IP address and no configuration. And when you plug it into the network, it is powered on using power over ethernet. It uses DHCP to get an IP address, and then it uses TFTP to be able to download the latest configuration file from the server.

This is a quick and easy process. It transfers data without any extra overhead, and it’s able to do that very efficiently and very quickly using UDP port 69.

If you’re communicating to a web server, you’re probably using one of two different port numbers. This is using HTTP or HTTPS. This stands for hypertext transfer protocol, and it’s a communication that is commonly associated with browser-based communication. If the information between your browser and the web server is being sent in the clear without any type of encryption, it’s commonly using TCP port 80.

If you need to perform encryption of that data, and that is probably the default for most websites that you’ll visit these days, it is using SSL, which stands for secure sockets layer, or a newer version of SSL referred to as TLS or transport layer security. If this is encrypted data, then it’s probably using TCP port 443, which carries HTTPS, where the S stands for secure.

Another thing you may notice with the devices that are connected to the network is they all tend to have the correct time and date down to the second level. We’re able to do that through an automated process called NTP or the network time protocol. Every device on the network, operating systems, routers, switches, and any other device, can use NTP to stay synchronized with their clock across all of those different devices. By default, NTP uses UDP port 123.

Being able to synchronize these clocks is more than simply a convenience. In fact, it can be a very critical part of synchronizing log files between very diverse devices. This allows us to go back in time and piece together communications, even though that communication occurred on many different devices. This is a process that usually occurs automatically behind the scenes, and many devices will synchronize their clock multiple times during the day using the NTP protocol.

You might also be able to configure this process. Maybe you’d like a device to update its clock every hour, or maybe simply updating once a day is sufficient. This is also a very accurate way to keep these clocks in synchronization, and usually we get about a one-millisecond difference between devices that are all on the same network. This provides a level of granularity that’s sufficient for most applications, and it’s something that occurs automatically using UDP port 123 and the network time protocol.

As a network professional, you’ll be responsible for the uptime and availability of routers, switches, firewalls, and many other devices on the network. One way to manage those devices is through a protocol named SNMP, or the simple network management protocol. By default, SNMP uses UDP port 161 to query devices and receive information about how that device may be performing.

For example, we might have a management station and we might be querying a device to determine how much traffic has traversed that particular device over a certain amount of time. And then it can provide us with a summary of how much data has been transferred over that time frame. We can then store that data, create graphs, reports, and other information that allows us to manage that device.

You might also find that different versions of SNMP may be used on your network. Version one of SNMP is the original version. This allows your management station to perform a single query to this device and receive a single response. And all of this is sent over the network in the clear with no encryption.

Version two of SNMP allowed for bulk transfers. So we can ask for many different variables from this device and receive a large group of data from that device which simplified the network communication and made it much more efficient. But it didn’t provide any type of encryption. All of this information is still being sent across the network in the clear.

A more modern version of SNMP is what you may commonly find on your network today, which is version three. This is a more secure standard for SNMP, which allows message integrity, authentication, and encryption of the SNMP data. One of the things you’ll find with this default use of SNMP is the management station is interactively making a query and then receiving a response for that query. So it’s up to the management station to initiate that communication.

But it would be nice if these devices could identify problems and proactively send that information down to the management station. We can do that by using a feature of SNMP called an SNMP trap. This allows these notifications to be sent directly from these devices using UDP port 162.

Many organizations may have hundreds or thousands of devices on their network, and it may be a challenge to be able to keep track of what devices are on the network, what users are connecting to those devices, and how the relationship might be between the user and the device.

We’re able to maintain a database of all of these devices and all of these users through a protocol named LDAP. LDAP stands for lightweight directory access protocol, and it commonly uses TCP port 389. LDAP allows us to very easily query these databases and retrieve information that we may have stored. There’s also a secure version of LDAP called LDAP Secure. It uses TCP port 636.

LDAP uses a hierarchical structure to be able to lay out the network and the devices. This is a graphical view of an LDAP database. It starts with the root of the database, which is an organization. In this case, the organization is Messer Studios. We’ve also grouped together like devices into organizational units. There is a production OU, a support OU, and an engineering OU.

Within those organizational units, there may be common name devices. For example, there may be users such as Jack and Daniel, or there may be a database or storage device named Tech Docs. We’re able to organize and access these devices through this structure, making it a very common and simplified way of gaining access to this data.

Microsoft Windows has some very unique features when it comes to data transfer. Microsoft stores information on the network in a file share. You can also share printers through Microsoft’s operating systems. And there’s also authentication built into this entire process.

To be able to provide all of this functionality, there is a specialized protocol named SMB, or server message block, to be able to share files, share printers, or authenticate to the network. You might also see this referred to as CIFS or the common internet file system.

SMB is integrated into Windows itself. You don’t need to add additional software. There’s no additional FTP or SFTP process. Instead, built into the Windows Explorer or the File Explorer within Microsoft Windows is the SMB functionality that allows us to access file shares, print to remote printers, lock different files on the network, and provide processes for authentication and permissions for all of that data.

Early versions of Microsoft Windows used the NetBIOS protocol to be able to facilitate this communication. But most modern versions of Microsoft Windows communicate directly across the network using IP and TCP port 445 as the one that is usually associated with server message block or SMB.

As a network professional, you’ll find that you are constantly referring to logs that are being kept on your routers, your switches, your firewalls, your servers, and almost any other device that’s connected to the network. One challenge is being able to consolidate all of these different log files to one single location, and there is a standardized protocol for transferring these log files called syslog.

Syslog commonly uses UDP port 514 to be able to transfer this log data across the network. You’ll often use syslog in conjunction with a security information and event manager or a SIEM. This is a consolidation point where you can have all of your log files transferred into one single consolidated database. So if you’re using syslog and transferring that over UDP port 514, then you’re probably transferring it to a very large drive array or some other device where you can collect that log information over an extended period of time.

We store a lot of very diverse information on our databases, but fortunately, there is a very common form of storage and retrieval for those databases referred to as a structured query language or SQL. Some people pronounce this as “sequel.” This SQL database uses a standard language that you can use to be able to query and retrieve information from that database.

Microsoft has its own form of SQL database called the Microsoft SQL Server, or MS-SQL. It stands for Microsoft structured query language, and it very commonly uses TCP port 1433. There are other types of SQL databases you might find on your network, and they usually use different port numbers. So if you see TCP port 1433, then you’re probably using a Microsoft SQL Server.

Many of us start on the help desk to be able to provide support for our end users. And one way that we’re able to view the remote desktop of those devices is through the use of RDP or the remote desktop protocol. RDP uses by default TCP port 3389 to be able to view that remote desktop.

The remote desktop protocol is commonly associated with a service that’s running on a Windows device, but fortunately there are many clients that can use RDP to connect to those Windows devices. So it’s not unusual to find clients for Windows, Mac OS, Linux, iPhone, Android, and many other operating systems.

There are many different protocols used for voice over IP. One of the most popular is SIP. This is the session initiation protocol, and it commonly uses TCP port 5060 and TCP port 5061.

SIP is commonly used as the control protocol that we use when we pick up the phone, we dial the number, it initiates the phone call, and then when the phone call is over, it disconnects the session. You might also see SIP being used for extensions of voice over IP that provide video conferencing, instant messaging, and even file transfers. All of this takes place using SIP over TCP port 5060 and TCP port 5061.
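The port numbers in this video can be turned into a quick check of what a host is exposing. The following is an added example, not part of the original transcript: it parses `ss -tuln` style output and reports listeners on the unencrypted ports discussed above (FTP, Telnet, SMTP, TFTP, HTTP, SNMP, LDAP) together with the encrypted counterpart the video names. The sample output is constructed, and skipping loopback-only listeners is an assumption of this example.

```python
import re

# (protocol, port) -> (service, encrypted counterpart named in the video, or None)
CLEARTEXT = {
    ("tcp", 21): ("FTP control", "SFTP on tcp/22"),
    ("tcp", 23): ("Telnet", "SSH on tcp/22"),
    ("tcp", 25): ("SMTP", "SMTP with TLS on tcp/587"),
    ("udp", 69): ("TFTP", None),
    ("tcp", 80): ("HTTP", "HTTPS on tcp/443"),
    ("udp", 161): ("SNMP", "SNMPv3 (same port; check the version in use)"),
    ("tcp", 389): ("LDAP", "LDAP Secure on tcp/636"),
}

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      32           0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      511             [::]:80            [::]:*
tcp   LISTEN 0      511                *:443              *:*
"""

LOOPBACK = re.compile(r"^(127\.|\[?::1\]?$)")

def parse_listeners(ss_text):
    """Yield (proto, address, port) for each listening socket line."""
    for line in ss_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")  # last colon, so [::]:80 works
        if port.isdigit():
            yield fields[0], addr, int(port)

def audit(ss_text):
    """Return findings for cleartext services reachable from the network."""
    findings = []
    for proto, addr, port in parse_listeners(ss_text):
        hit = CLEARTEXT.get((proto, port))
        if hit is None or LOOPBACK.match(addr):
            continue  # not a listed cleartext port, or bound to loopback only
        service, replacement = hit
        findings.append((f"{proto}/{port}", service, addr, replacement))
    return findings

if __name__ == "__main__":
    for port, service, addr, fix in audit(SAMPLE_SS):
        print(f"{port:8} {service:12} on {addr:8} -> {fix or 'restrict access'}")
```

A port number only suggests the application; a service can be moved to a non-default port, so treat the result as a starting list to confirm against the running process.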