I'm trying to use wireshark to determine what ports a certain program uses. The program connects to the server fine if we are on the same network, but I obviously need to forward the ports on the firewall to use it outside of the office.
I turn on wireshark, and try to establish the connection from the program to 192.168.1.6. I then look at the packets that are going to and from 192.168.1.6.
They are all TCP and say:
Source: 192.168.1.130
Dest: 192.168.1.6
Service: TCP
Info: 49716 > 808 [PSH, ACK] Seq=1102 Ack=395 Win=65304 Len=87
or some coming the other way
Source: 192.168.1.6
Dest: 192.168.1.130
Service: TCP
Info: 808 > 49710 [ACK] Seq=2 Ack=320 Win=254 Len=0
My question is:
I take it this is just port 808, the other port (source port) changes occasionally betwen 49710 and 49716, what does this mean?
does is the traffic coming the other way part of an open connection? Or do I need to make sure the client PC has port 808 connecting to their PC as well?
The source port for applications that don't need a specific source port tends to fall in the ephemeral range, > 49152. More info here.
As long as the firewall is "stateful", in other words, tracks connections recognizes packets from the same TCP stream as part of the same flow (the vast majority of modern firewalls do this), you will only need to allow the connection in one direction (to port 808).
The destination port is the port on the server that the program connects to, which is TCP port 808 in this scenario. If you want external users to be able to connect to the server behind your firewall then you need to create a rule in your firewall that allows external connections inbound to port 808 of the server. You'll more than likely need to create a NAT rule as well that translates one of your routable (public) ip addresses to the non-routable (private) ip address of the server. The port on the client side is allocated from the pool of ephemeral ports and will mostly be different every time the program makes a new connection to the server. The connection between the client and the server is a 4-tuple, comprised of source ip address/port and destination ip address/port. The traffic from the server to the client for an established session does not need to be specifically allowed through the firewall (no outbound rule needed) as it's a component of an established session, based on your inbound rule.
I think the other posters have answered your two (more or less) "conceptual" questions, but practically speaking, on Windows you can run
netstat -aon | find ":<portnumber>"
which will tell you the process id. You can then use Task Manager (with the Process ID column added under View > Choose Columns I believe) to determine which process is listening on a certain port.Also, TCPView from Sysinternals works well.