Detecting Server and Client Ports

The method used by TCP connections to initiate communication is known as the “three-way handshake.” This method can be compared to how a common telephone conversation is initiated. If Bob calls Alice, he has effectively sent her, in TCP terms, a “SYN” packet. She may or may not answer. If Alice answers, she has effectively sent a “SYN-ACK” packet. The communication is still not established, since Bob may have hung up as she was answering. The communication is established when Bob replies to Alice, sending her an “ACK.”

The Tenable Nessus Network Monitor configuration option “Connections to Services” enables Tenable Nessus Network Monitor to log network client-to-server activity.

Whenever a system within the monitored network range tries to connect to a server over TCP, the connecting system emits a TCP “SYN” packet. If the port the client connects to is open, the server responds with a TCP “SYN/ACK” packet. At this point, Tenable Nessus Network Monitor records both the client address and the server port the client connected to. If the port on the server is not open, the server does not respond with a TCP “SYN/ACK” packet. Because Tenable Nessus Network Monitor never sees a “SYN/ACK” response in that case, it does not record the client's attempt to reach that server port: the port was not available to that client, so there is no client-to-service connection to log.

The Connections to Services configuration parameter does not track how many times the connection was made. If the same host browses the same web server a million times, or browses a million different web servers once, the host is still marked as having browsed on port 80. This data is logged as Tenable Nessus Network Monitor internal plugin ID 2.

Tenable Nessus Network Monitor detects many applications through plugin and protocol analysis. At a lower level, Tenable Nessus Network Monitor also detects open ports and outbound ports in use on the monitored networks. By default, Tenable Nessus Network Monitor detects any TCP server on the protected network if it sees a TCP “SYN-ACK” packet.
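The following is an added illustration of the passive logic described above, written for this page; it is not Tenable Nessus Network Monitor code and makes no claim about how the product is implemented internally. It walks a constructed packet log (the addresses, ports and flags are made up) and records an open server port when a “SYN/ACK” is seen from a host in the monitored range, records a client/destination-port pair only when that “SYN/ACK” answers a “SYN” the client was seen to send, and keeps one entry per pair no matter how many connections are made. A closed port (the server answers with “RST/ACK”, or not at all) leaves no record, and a client outside the monitored range is not tracked.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One observed TCP segment (constructed records, not real captures)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST/ACK"


@dataclass
class PassiveTracker:
    """Records open server ports and client destination ports from passive observation."""
    monitored: ipaddress.IPv4Network
    pending_syns: set = field(default_factory=set)       # (client, cport, server, sport)
    open_server_ports: set = field(default_factory=set)  # (server, port)
    client_ports: set = field(default_factory=set)       # (client, dport), one entry per pair

    def in_range(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.monitored

    def observe(self, pkt: Packet) -> None:
        if pkt.flags == "SYN":
            # Half-open attempt: nothing is recorded until the server answers.
            self.pending_syns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif pkt.flags == "SYN/ACK":
            # The SYN/ACK travels server -> client, so src is the server side.
            server, sport, client, cport = pkt.src, pkt.sport, pkt.dst, pkt.dport
            # A SYN/ACK from a host in the protected range is enough to mark the port open.
            if self.in_range(server):
                self.open_server_ports.add((server, sport))
            # The client is recorded only if we saw the SYN it sent and it is in range.
            key = (client, cport, server, sport)
            if key in self.pending_syns and self.in_range(client):
                self.client_ports.add((client, sport))
            self.pending_syns.discard(key)
        elif pkt.flags == "RST/ACK":
            # Closed port: drop the pending SYN without recording anything.
            self.pending_syns.discard((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        # Plain ACKs complete the handshake but add no new information here.


def sample_log() -> list:
    """Constructed packet log: two web servers, one closed port, one external client."""
    return [
        # 10.0.0.5 browses 10.0.0.10:80 twice (two ephemeral source ports).
        Packet("10.0.0.5", 40001, "10.0.0.10", 80, "SYN"),
        Packet("10.0.0.10", 80, "10.0.0.5", 40001, "SYN/ACK"),
        Packet("10.0.0.5", 40001, "10.0.0.10", 80, "ACK"),
        Packet("10.0.0.5", 40002, "10.0.0.10", 80, "SYN"),
        Packet("10.0.0.10", 80, "10.0.0.5", 40002, "SYN/ACK"),
        Packet("10.0.0.5", 40002, "10.0.0.10", 80, "ACK"),
        # The same client browses a second web server: still one (client, 80) entry.
        Packet("10.0.0.5", 40003, "10.0.0.11", 80, "SYN"),
        Packet("10.0.0.11", 80, "10.0.0.5", 40003, "SYN/ACK"),
        # Closed port: the server answers with RST/ACK, so nothing is recorded.
        Packet("10.0.0.5", 40004, "10.0.0.10", 23, "SYN"),
        Packet("10.0.0.10", 23, "10.0.0.5", 40004, "RST/ACK"),
        # A second internal client reaches 10.0.0.10:443.
        Packet("10.0.0.6", 50000, "10.0.0.10", 443, "SYN"),
        Packet("10.0.0.10", 443, "10.0.0.6", 50000, "SYN/ACK"),
        # An external client reaches 10.0.0.10:22: the server port is recorded,
        # the client is outside the monitored range and is not.
        Packet("203.0.113.7", 5555, "10.0.0.10", 22, "SYN"),
        Packet("10.0.0.10", 22, "203.0.113.7", 5555, "SYN/ACK"),
    ]


def analyze(packets: list, monitored: str = "10.0.0.0/24") -> PassiveTracker:
    """Feed a packet log through the tracker and return it for inspection."""
    tracker = PassiveTracker(ipaddress.ip_network(monitored))
    for pkt in packets:
        tracker.observe(pkt)
    return tracker


if __name__ == "__main__":
    t = analyze(sample_log())
    print("open server ports:", sorted(t.open_server_ports))
    print("client destination ports:", sorted(t.client_ports))
```

Running it against the constructed log yields four open server ports (10.0.0.10 on 22, 80 and 443, and 10.0.0.11 on 80) and two client entries (10.0.0.5 on port 80, 10.0.0.6 on port 443); the repeated connections to port 80, the closed port 23 and the external client all leave no additional record, which is the behaviour the text describes for the Connections to Services data.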

In combination, the detection of server ports and client destination ports allows a network administrator to see who on their network is serving a particular protocol and who on their network is speaking that protocol.