Client and server port identity - Learn Tech From Zero

4.9 Interpret common artifact elements from an event to identify an alert

A port is like a door on a computer that allows data to go in and out.
Ports are numbered from 0 to 65535.
Ports help identify specific services running on a device.
- Example: A server may run a web service on port 80.

In any network communication, there is a client (the one initiating the request) and a server (the one responding to the request).

Aspect	Client Port	Server Port
Definition	The temporary port used by the client device to communicate	The known port where a service listens for requests
Port Range	Usually 1024–65535 (called ephemeral ports)	Usually 0–1023 (called well-known ports)
Assigned By	Assigned dynamically by the client OS	Predefined by the service/application
Purpose	Used to receive replies from the server	Receives requests from clients
Example	49215, 50122	80 (HTTP), 443 (HTTPS), 22 (SSH)

Suppose a network alert shows:

Source: 10.0.0.5:53210 → Destination: 192.168.1.100:443

This tells us:

Knowing which port belongs to the client and which to the server helps you:

Identify the type of traffic
- Port 80 → HTTP traffic
- Port 22 → SSH traffic
- Port 53 → DNS traffic
Detect unusual behavior
- If a client connects to a server on a port not typically used (e.g., port 3389 for RDP on a public server), it may indicate a security alert.
Analyze logs and alerts
- Security tools like SIEMs (e.g., Splunk, QRadar) often show source and destination ports.
- Knowing which is client vs server port allows you to understand the flow of communication.

Logs usually show in the format: source_ip:source_port → destination_ip:destination_port
Source port → client port
Destination port → server port

Example alert in SIEM:

Alert: Suspicious network connection
Source IP: 10.1.1.50:49765
Destination IP: 172.16.0.25:22

Client port: 49765
Server port: 22 (SSH)
Interpretation: The client tried to connect to an SSH service on the server. If unexpected, this could be suspicious.

To understand port identity, you should know the types of ports:

Well-known ports (0–1023)
- Reserved for common services
- Example: HTTP (80), HTTPS (443), DNS (53), SMTP (25)
Registered ports (1024–49151)
- Used by applications and services, but not as standard as well-known ports
- Example: Microsoft SQL Server (1433), Oracle DB (1521)
Dynamic/Ephemeral ports (49152–65535)
- Temporary client ports
- Example: A client device connecting to a web server on port 443 may get an ephemeral port 53215

For the exam, memorizing common well-known server ports is important because alerts often reference them.

Look at the port numbers:
- Ephemeral (high-numbered) → likely client
- Well-known → likely server
Look at the direction of traffic (if available):
- The initiator of the connection is usually the client
Combine IP and port knowledge:
- Internal IP → could be client
- Server IP → well-known port, responding to requests

Know the top 10–15 server ports, e.g.:
- 20,21 → FTP
- 22 → SSH
- 25 → SMTP
- 53 → DNS
- 80 → HTTP
- 443 → HTTPS
- 3389 → RDP
Remember: The client port is usually high-numbered and dynamic, server port is standard for service.
Practice reading alerts: Always identify which IP is client/server and which port belongs to whom.

Ports = doors for network traffic
Client port = ephemeral, temporary, high-numbered, initiates requests
Server port = well-known, standard, listens for requests
Correct identification helps in alert analysis, intrusion detection, and understanding network events.