[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 493
  • Last Modified:

General Port question

From a netstat command.  

When I look at netstat or any other log that reports on open ports, what is the defination of Local and Foreign?  For some reason I just can't grasp this.  

Foreign Address:Port ?

Proto  Local Address        Foreign Address      State
TCP    2.2.2.2:4378         1.1.1.1:80               ESTABLISHED

Is the above telling me that I am connected to IP 1.1.1.1 opening port 80 on the Remote PC?

- or -

Is the above telling me that my PC has opened port 80 on my PC and is connected to 1.1.1.1?

For some reason I am having issues with grasping this.  
0
mchristo63
Asked:
mchristo63
4 Solutions
 
jhanceCommented:
This says that SOME PROCESS ON YOUR PC (IP = 2.2.2.2 and PORT = 4378) is connected to a REMOTE (i.e. FOREIGN) SERVER at IP = 1.1.1.1 on PORT = 80.

This is probably a web connection (i.e. HTTP) of some sort.  The port on YOUR PC is arbitrary.  The port on the REMOTE is the one that you usually see referred to.
0
 
dooleydogCommented:
Proto  Local Address        Foreign Address      State
TCP    2.2.2.2:4378         1.1.1.1:80               ESTABLISHED

local address is you, and port 4378 is the port your computer is sending this request from.

foreign address is the web server and port 80 is what they send from.

A web server will listen for lots of ports, but only transmit HTTP and other protocols over port 80.

Hope this helps,

0
 
Leon FesterCommented:
Local is the host where the command is being run.
Foreign is any server/workstation that is trying to connect to that server.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
Leon FesterCommented:
You may even find that your own workstation could be listed under the foreign as well as local list.

And that is only because it is one application talking to another application on your worstation. You'd normally see this on a firewalled machine.

As stated above the main port to consider is the port on the foreign host. This should tell you what kind of request was sent to your local machine.

Your local machine could have lots of various apps/websites running and since it knows what kind of request was sent from the foreign host, it is able to redirect to the appropriate port that your application/website is running on at the time of the request.

A nice little tool to use to see what ports are open is aports. Has a nice feature to kill ports with 1 click of the button. Handy to have on a webserver, incase you suspect somebody is trying to/has compromised the server. http://www.tucows.com/get/213738_91414
0
 
mchristo63Author Commented:
So if I see:
Proto  Local Address        Foreign Address      State
TCP    2.2.2.2:4378         1.1.1.1:80               ESTABLISHED

That is tell me IP 1.1.1.1 has opened port 80 on MY PC?  
0
 
jar3817Commented:
no, it means your pc is connected to port 80 on 1.1.1.1
0
 
Leon FesterCommented:
No, it tells you that 1.1.1.1 has sent a http request via port 80 to your machine 2.2.2.2. Your machine has accepted the session on port 4378.

Port 80 on your webserver is only the listening port. Once a session is established your local machine can do what it wants with the port. Consider what would happen if you saw the following

Proto  Local Address        Foreign Address      State
TCP    2.2.2.2:80         1.1.1.1:80               ESTABLISHED

No other machines will be able to browse your website as port 80 is already busy with a session to 1.1.1.1
0
 
mchristo63Author Commented:
OK, so the foreign PC has sent a request via port 80 and my PC accepted via port 4378.  Sounds good.  So if I was trying to diag another issue regarding a totaly different port, for example a Shavlik or Symantic Antivirus or whatever.  If the foreign address is somthing like:

1.1.1.1: 135

In order to allow this do i open port 135 in the firewall?  I get confused as you mentioned with the previous example using port 80, the local PC accepts using port 4378 or a ramndom port.  If I were to open port 135 in this eample, would I see the same results?  Meaning, if I open port 135 in my firewall, would netstat show my pc (local Address) using a random port or port 135?

 
0
 
Leon FesterCommented:
"OK, so the foreign PC has sent a request via port 80 and my PC accepted via port 4378.  Sounds good.  So if I was trying to diag another issue regarding a totaly different port, for example a Shavlik or Symantic Antivirus or whatever.  If the foreign address is somthing like:

1.1.1.1: 135 "

the above is CORRECT! Please understand, the connection on the local machine will always start off on the incoming port that the foreign system requests. It is a direct 1-to-1 relationship that needs to traverse your firewall. After the neccessary security hanshake has taken place your machine moves the sessions to a random port, so that it can service other requests to the originally requested port.

The troubleshooting statements above are correct, wanna troubleshoot connectivety problems on a specific port, then that port needs to be opened on the firewall.

Netstat may/may not show the correct port on the local machine, it depends entirely on the type of port, most commonly you'd find that the gets moved. Try running aports as mentioned above and see what you get, it should help to make to clarify what we're talking about here, then again it may confuse you even more LOL :)

APorts updates in realtime so you can actually monitor an active connection, from the time that it gets initiated till the time it gets disconnected.
0
 
mchristo63Author Commented:
Thanks.  Don't know why this was so hard for me to grasp.  APorts is a good app and it help.  Thanks for your time.  
0
 
Leon FesterCommented:
You're welcome....

Each one teach one.
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now