Active Server Ports
I spent most of last week on the road visiting customers. Many of them were working on projects to reduce the number of physical servers hosted in their data centers. In some cases, they wanted to move the servers to cloud services such as AWS or Azure. In others, they wanted to virtualize the servers locally on platforms such as VMware ESX.
One of the challenges many network managers have is how to determine what network ports are active on servers and what ports were active in the past. When one device sends traffic to another, the IP address is used to route that traffic to the appropriate place. Once the traffic reaches the right place, the device needs to know which app or service to send the traffic on to. That’s where ports come in. An active server port is one which is ready to accept connections from clients. Examples include TCP port 80 for HTTP and TCP port 25 for SMTP email.
Network managers need a real-time and historical report showing them what ports were in use so that they can update firewall rules and access lists. Many networks now contain trusted systems such as company-owned PCs, but also untrusted systems such as contractors’ laptops. It is vital that you protect servers by only allowing connections on certain ports and from certain networks.
Generating a list of active server ports
While command-line utilities such as netstat can give you a real-time view of network connections (both incoming and outgoing), they do not provide historical reporting. Some network ports on a server may only become active when certain applications are used, so a one-off snapshot can miss them.
Another option is to monitor network traffic going to and from your servers. If the server accepts a connection on a certain port, it will generate network traffic. All you need to do is monitor that traffic using a SPAN, mirror port or TAP, and capture the active port metadata. The metadata will reveal the source IP addresses, port information and the amount of data transferred.
Network traffic analysis systems that are application aware can also reveal what applications are running on the server. You may have a web server running over a non-standard port like TCP port 8000, for example.
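The following is an added example, not LANGuardian code, of deriving a historical list of active server ports from captured traffic metadata. It assumes a simple constructed CSV flow format (time, source, destination, TCP flags, bytes) and treats a TCP port as active only when the server answered with SYN+ACK, so refused connections and the server's own outbound connections are left out.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow metadata (not captured from a real network).
# Columns: time, src_ip, src_port, dst_ip, dst_port, tcp_flags, bytes
SAMPLE = """\
2024-05-01T09:00:01,10.1.1.20,51514,10.1.1.97,80,S,60
2024-05-01T09:00:01,10.1.1.97,80,10.1.1.20,51514,SA,60
2024-05-01T09:00:02,10.1.1.20,51514,10.1.1.97,80,PA,420
2024-05-01T09:00:02,10.1.1.97,80,10.1.1.20,51514,PA,15000
2024-05-01T09:05:10,192.168.5.9,40022,10.1.1.97,8000,S,60
2024-05-01T09:05:10,10.1.1.97,8000,192.168.5.9,40022,SA,60
2024-05-01T09:05:11,10.1.1.97,8000,192.168.5.9,40022,PA,2300
2024-05-01T09:07:30,10.1.1.20,51600,10.1.1.97,23,S,60
2024-05-01T09:07:30,10.1.1.97,23,10.1.1.20,51600,RA,40
2024-05-01T09:08:00,10.1.1.97,49321,10.1.1.5,53,S,60
2024-05-01T09:08:00,10.1.1.5,53,10.1.1.97,49321,SA,60
"""

def active_server_ports(flow_csv, server_ip):
    """Return {port: {"clients", "bytes", "first_seen", "last_seen"}} for server_ip."""
    rows = list(csv.reader(io.StringIO(flow_csv)))
    # Pass 1: a port is "active" only if the server answered a SYN with SYN+ACK.
    listening = {int(sport) for _, src, sport, _, _, flags, _ in rows
                 if src == server_ip and flags == "SA"}
    report = defaultdict(lambda: {"clients": set(), "bytes": 0,
                                  "first_seen": None, "last_seen": None})
    # Pass 2: total traffic in both directions for each accepted port.
    for ts, src, sport, dst, dport, _, size in rows:
        if dst == server_ip and int(dport) in listening:
            port, client = int(dport), src
        elif src == server_ip and int(sport) in listening:
            port, client = int(sport), dst
        else:
            continue  # refused connections and the server's own outbound traffic
        entry = report[port]
        entry["clients"].add(client)
        entry["bytes"] += int(size)
        entry["first_seen"] = entry["first_seen"] or ts
        entry["last_seen"] = ts
    return dict(report)

if __name__ == "__main__":
    for port, e in sorted(active_server_ports(SAMPLE, "10.1.1.97").items()):
        print(port, e["bytes"], sorted(e["clients"]), e["first_seen"], e["last_seen"])
```

The per-port client list is what feeds a firewall rule or access list review: each active port maps to the source addresses that actually used it during the capture window.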
Reporting on active server ports using LANGuardian
Our LANGuardian product can provide a real-time and historical view of what ports are active on your servers. It does this by analyzing network traffic and then extracting application and port information, which is stored in a database.
The screenshot below shows a sample report where I focus on a server (10.1.1.97). Use the search box at the top of the LANGuardian GUI and enter ports. Select the report Bandwidth :: Ports, Services and Protocols. Enter the IP address of the server you want to query into the Destination IP/Subnet field, select a time range for the report, and then run it.
The Total column in this report shows the amount of data that has been sent or received by the server on each port number for the selected time period. The Server Port (Service) column lists the ports that were active on the server. Clicking on the Total column will also reveal what applications are using the ports. You just need to drill down to the Bandwidth :: Sessions report and check the protocol column.
If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how it can be used to report on what ports your servers are using, do not hesitate to contact us and speak with our technical support team.