This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it a bad thing to see many [TCP Port numbers reused]?

0

Here is a Wireshark capture that contains many [TCP Port numbers reused] packets.

You'll notice that the reused port messages begin at frame 47727 and continue on for the rest of the capture.

Understandably, every stream that contains a reused port message has a corresponding stream that occurred prior and that has the same client side port number.

For example:

The first frame that reports a reused port is 47727 (contained in stream 3952) where the reused port number is 2242 (foliocorp). Using the tcp.port == 2242 filter, I discovered that stream 0 uses port 2242 as well.

What caught my attention is the fact that all the streams that contain a TCP Port numbers reused message are popping up because a duplicate port number (client side) was used approximately 2 hours prior to the error message - and in sequential order.

It's as if the client computer sets aside a certain amount of port numbers that will be used and then when the port numbers have all been used, the first port number is reused again and so on.

My question is, given that the same port number is NOT being used simultaneously, but rather is simply being reused in the sense that it was used some time in the past (2 hours in my case), can I ignore the TCP Port numbers reused messages? Or is there something occurring that shouldn't be? If so, how do I go about fixing the problem?

asked 25 Jan '13, 14:13

KTM
7691314
accept rate: 100%

edited 25 Jan '13, 14:16


One Answer:

1

It can happen when you have a long running capture of a single client-server relation where the client keeps opening new TCP sessions all the time, like in your case (several hours of captured packets). What happens is that the client uses a temporary port (also called "ephemeral port") and connects to the server port (which is usually a fixed port, like port 80 for HTTP).

Windows up until Windows XP uses port 1025 to 5000 as ephemeral ports (it doesn't matter if it connects to the same server or another, it always increases by 1), and when it gets to 5000 it will start at 1025 again. You can see this textbook behaviour in frame 33150 (SYN from port 5000) and the next SYN is in 33162 coming from port 1025 again. Since your capture started after the client had already opened and closed some connections you do not see 1025 twice, but in your case 2242 was the first port number you captured. When it loops around 5000 back to 1025 it is only a matter of time until you get a "port number reused".

"Port number reused" might indicate a problem, but only if the ports are reused very shortly again - which is not the case in your trace. Final verdict: yes, port number reused, but in a long running trace, and thus not a problem. The time distance is about 7880 seconds between the reuse, so you're safe.

BTW, starting with Vista, Microsoft changed the ephemeral port range to 49152 up to 65535. See also http://en.wikipedia.org/wiki/Ephemeral_port

answered 25 Jan '13, 15:29

Jasper ♦♦
23.8k551284
accept rate: 18%
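
The triage described in the answer (measure how long ago the same client port was last used) can be scripted over exported SYN packets. This is an added example, not part of the original question or answer; the sample rows, the `MIN_SAFE_GAP` threshold and the function name are assumptions made for illustration.

```python
import csv
import io

# Constructed sample, one client SYN per line, tab-separated:
# time_relative, ip.src, tcp.srcport, ip.dst, tcp.dstport, raw initial sequence number.
# Comparable rows can be exported from a capture with, for example:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields \
#     -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq_raw
SAMPLE = (
    "0.000\t10.0.0.5\t2242\t10.0.0.9\t80\t1000\n"
    "3.000\t10.0.0.5\t2242\t10.0.0.9\t80\t1000\n"   # retransmitted SYN (same ISN)
    "12.500\t10.0.0.5\t2243\t10.0.0.9\t80\t2000\n"
    "40.000\t10.0.0.5\t2243\t10.0.0.9\t80\t9000\n"  # same port, new ISN, 27.5 s later
    "7880.000\t10.0.0.5\t2242\t10.0.0.9\t80\t5000\n"  # reuse after a long gap
)

# Assumed threshold in seconds: reuse of the same 4-tuple faster than this is
# worth a closer look. Tune it to the environment being analysed.
MIN_SAFE_GAP = 240.0


def find_port_reuse(text, min_gap=MIN_SAFE_GAP):
    """Return one record per reused 4-tuple with the gap since its previous SYN."""
    last_seen = {}  # (src, sport, dst, dport) -> (time, isn)
    reuses = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        t, isn = float(row[0]), int(row[5])
        key = tuple(row[1:5])
        prev = last_seen.get(key)
        if prev is not None:
            if prev[1] == isn:
                continue  # same ISN: a retransmitted SYN, not a new connection
            gap = t - prev[0]
            reuses.append({"tuple": key, "gap": gap, "suspicious": gap < min_gap})
        last_seen[key] = (t, isn)
    return reuses


if __name__ == "__main__":
    for r in find_port_reuse(SAMPLE):
        verdict = "CHECK" if r["suspicious"] else "ok (ephemeral range wrapped)"
        print(f"{':'.join(r['tuple'])}  reused after {r['gap']:.1f}s  {verdict}")
```
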