5.7 Identify these elements used for network profiling
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. What Are Ports?
In networking, a port is a logical communication endpoint used by applications and services to send and receive data.
- An IP address identifies a device on the network
- A port number identifies a specific service or application on that device
Together, they form a socket:
IP Address + Port Number
Example format:
192.168.1.10:80
This means:
- Device IP: 192.168.1.10
- Service: Port 80 (commonly HTTP)
2. Why Ports Are Important in Network Profiling
Network profiling involves analyzing network traffic to understand behavior.
Ports help identify:
- What services are running
- What type of traffic is being transmitted
- Whether traffic is normal or suspicious
- Which applications are communicating
By analyzing ports, a security analyst can:
- Detect unauthorized services
- Identify malware communication
- Understand user and system activity
3. Port Number Ranges
Ports are divided into three main ranges:
a) Well-Known Ports (0–1023)
- Assigned by standards organizations
- Used by common protocols
Examples:
- 20/21 → FTP
- 22 → SSH
- 23 → Telnet
- 25 → SMTP
- 53 → DNS
- 80 → HTTP
- 443 → HTTPS
b) Registered Ports (1024–49151)
- Assigned to specific applications
- Used by software vendors
Examples:
- 1433 → Microsoft SQL Server
- 1521 → Oracle Database
c) Dynamic / Ephemeral Ports (49152–65535)
- Temporary ports
- Assigned by the operating system
- Used for client-side communication
4. Common Ports and Their Services (Important for Exam)
You must remember these:
| Port | Protocol | Service |
|---|---|---|
| 20/21 | TCP | FTP |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | TCP/UDP | DNS |
| 67/68 | UDP | DHCP |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
| 110 | TCP | POP3 |
| 123 | UDP | NTP |
| 137–139 | TCP/UDP | NetBIOS |
| 143 | TCP | IMAP |
| 161/162 | UDP | SNMP |
| 389 | TCP/UDP | LDAP |
| 443 | TCP | HTTPS |
| 445 | TCP | SMB |
| 3389 | TCP | RDP |
5. Ports in Network Traffic Analysis
When analyzing packets or logs, ports help identify:
a) Source Port
- Usually a random ephemeral port
- Assigned by the client
b) Destination Port
- Identifies the service being accessed
Example:
Source: 192.168.1.5:52345
Destination: 10.0.0.10:443
Meaning:
- Client uses port 52345 (temporary)
- Connecting to HTTPS service on port 443
6. How Ports Help in Network Profiling
Ports allow analysts to:
a) Identify Applications
- Port 80 → Web traffic (HTTP)
- Port 443 → Secure web traffic (HTTPS)
b) Detect Unusual Activity
- Traffic on uncommon ports may indicate:
  - Malware
  - Unauthorized services
  - Data exfiltration
c) Understand Communication Patterns
- Which ports are frequently used
- Which services are active
- Traffic volume per port
d) Classify Traffic
- Web traffic (80, 443)
- Email traffic (25, 110, 143)
- Remote access (22, 3389)
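The profiling steps above, as an added example that is not part of the original study guide: it labels each flow by its destination protocol/port pair, counts flows per service, and lists flows whose pair is not in the table for review. The one-line flow format, the sample addresses and the function names are assumptions made for illustration.

```python
from collections import Counter

# Subset of the common-port table on this page, keyed by (protocol, port).
SERVICES = {
    ("tcp", 22): "SSH", ("tcp", 25): "SMTP", ("tcp", 53): "DNS",
    ("udp", 53): "DNS", ("tcp", 80): "HTTP", ("udp", 123): "NTP",
    ("tcp", 443): "HTTPS", ("tcp", 445): "SMB", ("tcp", 3389): "RDP",
}

# Constructed sample flows in an assumed format: "proto src_ip:port dst_ip:port"
SAMPLE_FLOWS = [
    "tcp 192.168.1.5:52345 10.0.0.10:443",
    "tcp 192.168.1.5:52346 10.0.0.10:443",
    "udp 192.168.1.5:50111 10.0.0.53:53",
    "tcp 192.168.1.7:49800 10.0.0.20:3389",
    "tcp 192.168.1.9:51022 203.0.113.8:8081",  # port not in the table
    "tcp 192.168.1.9:51023 10.0.0.30:123",     # NTP port, but over TCP
]

def port_range(port):
    """Name the range a port falls in (section 3 of this page)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/ephemeral"

def parse_flow(line):
    """Split one flow line into (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port)

def profile(lines):
    """Count flows per known service; collect flows to unlisted proto/port pairs."""
    per_service, unusual = Counter(), []
    for line in lines:
        proto, src_ip, _, dst_ip, dport = parse_flow(line)
        service = SERVICES.get((proto, dport))
        if service:
            per_service[service] += 1
        else:  # candidate for review, not proof of malicious activity
            unusual.append((src_ip, dst_ip, proto, dport, port_range(dport)))
    return per_service, unusual

if __name__ == "__main__":
    counts, flagged = profile(SAMPLE_FLOWS)
    print(dict(counts))
    for flow in flagged:
        print("review:", flow)
```

Keying the lookup on protocol and port together is what lets the TCP flow to port 123 stand out, since the table lists NTP as UDP only.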
7. Port vs Protocol
Ports work together with protocols:
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
Important points:
- Some ports use TCP only (e.g., 80, 443)
- Some use UDP only (e.g., 69, 123)
- Some use both (e.g., 53 for DNS)
8. Security Importance of Ports
Ports are a key focus in cybersecurity:
a) Open Ports
- Ports that accept connections
- Can expose services to attackers
b) Closed Ports
- No service is listening
c) Filtered Ports
- Blocked by firewalls
9. Suspicious Port Activity (Exam Focus)
Analysts should watch for:
- Unexpected open ports
- Traffic on unusual ports
- High number of connections to a port
- Ports associated with known attacks
- Encrypted traffic on non-standard ports
10. Port Scanning
Attackers often use port scanning to discover open ports.
Common scan types:
- TCP SYN scan
- TCP connect scan
- UDP scan
Purpose:
- Identify running services
- Find vulnerabilities
11. Tools That Analyze Ports
Common tools used in IT/security environments:
- Packet analyzers (e.g., Wireshark)
- Flow analysis tools (e.g., NetFlow)
- Intrusion Detection Systems (IDS)
These tools show:
- Source and destination ports
- Protocol type
- Traffic patterns
12. Key Exam Tips
- Know common port numbers and services
- Understand source vs destination ports
- Remember port ranges
- Know how ports help in traffic identification
- Understand security risks of open ports
- Be familiar with port scanning concepts
13. Summary
- Ports identify specific services on a device
- They are essential for network communication and analysis
- In network profiling, ports help determine:
  - What service is running
  - What type of traffic is flowing
  - Whether activity is normal or suspicious
Understanding ports is critical for analyzing network traffic and detecting security issues.
