Detecting Server and Client Ports

The method used by TCP connections to initiate communication is known as the “three-way handshake.” This method can be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her, in TCP terms, a “SYN” packet. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The communication is still not established, since Bob may have hung up as she was answering. The communication is established when Bob replies to Alice, sending her an “ACK.”

The NNM configuration option “connections to services” enables NNM to log network client to server activity.

Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system emits a TCP “SYN” packet. If the port the client connects on is open, then the server responds with a TCP “SYN/ACK” packet. At this point, NNM records both the client address and the server port the client connects to. If the port on the server is not open, then the server does not respond with a TCP “SYN/ACK” packet. In this case, since NNM never sees a TCP “SYN/ACK” response from the server, NNM does not record the fact that the client tried to connect to the server port, since the port is not available to that client.

The Connections to Services configuration parameter does not track how many times the connection was made. If the same host browses the same web server a million times, or browses a million different web servers once, the host is still marked as having browsed on port 80. This data is logged as NNM internal plugin ID 2.

NNM detects many applications through plugin and protocol analysis. At a lower level, NNM also detects open ports and outbound ports in use on the monitored networks. By default, NNM detects any TCP server on the protected network if it sees a TCP “SYN-ACK” packet.

In combination, the detection of server ports and client destination ports allows a network administrator to see who on their network is serving a particular protocol and who on their network is speaking that protocol.