How to identify and monitor network ports after intrusion detection

When analyzing firewall logs or IDS alerts, you have probably come across an unfamiliar source or destination port

    Requires Free Membership to View

. The next step in the analysis process is to figure out what service is using that network port so you can determine if it puts your network at risk.

More Information

Get strategies for managing network ports.

Find out how to scan for a port to see if it's being used in a network

The easiest way to identify and begin monitoring a network port is to look in the services file included with every modern TCP/IP stack. That's C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES under Windows (Hint: You can use Notepad to view or edit the file -- just double-click on it and choose notepad from the list), or /etc/services under most Unix variants. The Windows 'find' or Unix 'grep' commands can quickly search these files. Very often you won't find the port in the default services file because they usually list only a tiny subset of the available network ports and services. Then it's time to use the Web:

Once you've found a service that uses the port in question don't assume anything! First, is it really what is seems to be, or did someone switch port numbers? Some ports are commonly used by more than one service, so which is it? Is the service allowed in your environment? Should it be? The following tools will help you find out more about what is really happening.

  • Foundstone has a command line utility called fport and SysInternals has a GUI program called TCPView. Both of these tools show you open TCP and UDP ports on your Windows computer, as well as what program and process is using them. These programs come in simple ZIP files. You can extract, use and then delete them -- no installation required.
  • On Unix, just use 'netstat -anp | less' or better yet, 'lsof -Pni'. lsof (LiSt Open Files) comes with many Linux distributions, though it is not usually installed by default. As the name suggests, it can list open files, but since everything in Unix is a file, this tool can do much more than the simple name suggests. I highly recommend exploring it.
  • Nmap has recently added a service and network port scanner. There are other tools that do similar things, but Nmap is probably the best and simplest. It also runs on Windows. As always, DO NOT PORT SCAN ANYTHING until you have written permission to do so.

If all else fails, try searching on Google, but don't make too many assumptions about what you find. The goal is to identify what is actually happening in your environment -- why did you get an alert, why was this log generated, is it malicious or benign. You know your network better than anyone on the Web.


  Why Snort makes IDS worth the time and effort
  How to identify ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors.
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort

JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was first published in May 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.