This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Lower Source port traffic lost on internet

0

We have a process for credit card payments to a third-party vendor. Two servers, one for customer-facing transactions on a Windows 2012 OS, the other on a Windows 2003 OS (I know, not supported anymore). The Windows 2012 OS only uses a private port range somewhere in the range of 49000 - 65000. Windows 2003 uses 1023-5000. We have noticed in a Wireshark capture that sometimes when the server (Windows 2003), or the firewall (NAT), changes the source port to a number lower than 1550, the traffic is lost outside our network and never gets to our vendor. Has anyone witnessed this type of activity? We have spoken to our ISP and they say they do not block anything. I suspect that these lower source ports are in conflict with another application beyond our control.

asked 20 May '16, 06:08

Jbanu2


One Answer:

0

If you suspect a port conflict, you could try modifying your application to use a fixed source port in a range above 1550, rather than using an ephemeral port. If you can't (or don't want to) modify the application, or if doing so doesn't help, you could try to reserve ports below 1550 so they're not included in the dynamic pool. See https://support.microsoft.com/en-us/kb/812873 for more information.

answered 19 Jul '16, 08:18

cmaynard ♦♦
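The first suggestion in the answer (have the application pick its own source port from a range above 1550 instead of taking an ephemeral port from the stack) looks like this in practice. This is an added example, not code from the original post or from the asker's system: it binds the client socket to an explicit local port before calling connect(), walking the range and skipping ports that are already in use (for example, ones still in TIME_WAIT from a previous session). The listener on 127.0.0.1 is a constructed stand-in for the vendor's service so the script runs offline; the range 1550-1600 and the function names are illustrative choices.

```python
import errno
import socket


def start_listener():
    """Constructed stand-in for the remote payment service: a local
    TCP listener on a stack-chosen port. Returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def connect_from_port_range(dest, low, high):
    """Open a TCP connection to `dest` whose source port lies in [low, high].

    Calling bind() on the client socket before connect() stops the TCP
    stack from handing out an ephemeral port of its own choosing. Ports
    that are busy (EADDRINUSE, e.g. a lingering TIME_WAIT entry, or EACCES
    for privileged ports) are skipped. Returns (socket, local_port) or
    raises OSError when the whole range is exhausted.
    """
    for port in range(low, high + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("", port))      # explicit source port, not ephemeral
            s.connect(dest)
            return s, s.getsockname()[1]
        except OSError as e:
            s.close()
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                continue            # port taken or not permitted; try the next
            raise
    raise OSError(f"no free source port in {low}-{high}")


def demo(low=1550, high=1600):
    """Connect through the range and report the source port as chosen
    locally and as observed by the peer. Returns (local_port, peer_seen)."""
    srv = start_listener()
    dest = srv.getsockname()
    client, local_port = connect_from_port_range(dest, low, high)
    conn, peer = srv.accept()       # peer == (addr, source port the server sees)
    conn.close()
    client.close()
    srv.close()
    return local_port, peer[1]


if __name__ == "__main__":
    local_port, seen = demo()
    print(f"connected from source port {local_port}; peer saw {seen}")
```

If the application cannot be changed, the second suggestion applies instead: the KB article linked above describes reserving ranges through the ReservedPorts REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (one "low-high" entry per line, e.g. 1025-1549), which keeps those ports out of the stack's dynamic pool. Neither change helps if it is the NAT firewall rather than the server that rewrites the source port; that device needs its own translation range adjusted.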

sometimes when the server(Windows 2003), or the firewall (NAT) changes the source port to a number lower than 1550...

Does this mean that you don't know whether it is the firewall or the server that chooses these "low" port numbers, or that both of them sometimes do that? Because if both can do that, you have to configure both the Windows and the firewall to avoid using these ports.

I suspect that these lower source ports are in conflict with another application beyond our control.

If you have in mind an application on the PC, then no, for two reasons:

  • an application cannot freely choose an ephemeral port for a TCP session, it asks the TCP stack for one; if a local TCP port is already occupied by either a running client session or by a server application listening on it, the TCP stack wouldn't give the same port (well, socket) to another application

  • I don't know how W2003's TCP stack works exactly, but it should require that the conflicting application open sessions towards the same remote server for the conflict to be possible. Using port X as an ephemeral one for a connection to server Y port A and using it at the same time for a connection to server Y port B, or to server Z port A, is perfectly OK from the point of view of TCP

Besides, if it were an application on your own PC or in your own network, I doubt it would listen on all ports below 1550 and not send anything back.

So if your ISP says they don't block anything, ask them to check it using Wireshark or tcpdump at their output route towards the server, and if your requests are still visible there, move the investigation to the receiving end - the third-party vendor also has their ISP and security guys.

(19 Jul '16, 09:05) sindy