Intro to Network Traffic Analysis - Client and server port numbers used in first full TCP three-way handshake

Question: What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)

I’ve been pulling my hair out trying to figure out what the heck is the other port. So far, all I have for the solution is “443 [other port]”. I’ve spent so much time trying to play with filters via tcpdump and within wireshark but just cannot for the life of me find what the heck is that other port. I found somewhere that the other port in question is sending a TCP packet with the RST flag enabled (this even confuses me, but inputting such ports doesn’t work), but that seems to be the only piece of information out there concerning this question. Can someone please provide what in the world is this other port number???


When reading the pcap starting from the top of the file, you are looking for the first conversation that has a full handshake sequence:

  • SYN: Flags [S]
  • SYN-ACK: Flags [S.]
  • ACK: Flags [.]

Start with the [S] flag and look at the source port (bigger number). Then try to see if you can find a [S.] flag with the same port number (it will be the destination port this time), followed by a [.] flag with the same port number (it will be the source port again).

Make sure to check for both HTTP (80) and HTTPS (443) conversations. It helps to prevent name resolution for hostnames and ports using -nn:

tcpdump -nnr TCPDump-lab-2.pcap port 80 or 443

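The [S] / [S.] / [.] matching described in the answer above, automated as an added example (not code from the original thread or the lab): a dependency-free pcap reader that tracks SYN, SYN-ACK and ACK per client/server port pair, discards a conversation when a RST appears (the distraction the question mentions), and reports the first handshake that completes. It assumes an Ethernet (linktype 1) capture without VLAN tags; the sample pcap is constructed inline.

```python
import struct

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits (tcpdump's [S], [.], [R])

def tcp_packets(pcap: bytes):
    """Yield (src_port, dst_port, flags) for each IPv4/TCP frame in an Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP (assumption: no VLAN tags)
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[13]

def first_full_handshake(pcap: bytes):
    """Return (low_port, high_port) of the first SYN -> SYN/ACK -> ACK sequence, or None."""
    state = {}  # (client_port, server_port) -> 1 after SYN, 2 after SYN/ACK
    for sport, dport, flags in tcp_packets(pcap):
        if flags & RST:  # a SYN answered by RST never completes; drop that conversation
            state.pop((sport, dport), None); state.pop((dport, sport), None)
        elif flags & SYN and not flags & ACK:
            state[(sport, dport)] = 1
        elif flags & SYN and state.get((dport, sport)) == 1:
            state[(dport, sport)] = 2
        elif flags & ACK and state.get((sport, dport)) == 2:
            return tuple(sorted((sport, dport)))
    return None

def frame(sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame (constructed test data; seq/ack/checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(packets):
    """Wrap frames in a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, dport, flags in packets:
        f = frame(sport, dport, flags)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: a SYN to port 80 refused with RST, then a real HTTPS handshake.
SAMPLE = build_pcap([(40001, 80, SYN), (80, 40001, RST | ACK),
                     (51234, 443, SYN), (443, 51234, SYN | ACK), (51234, 443, ACK)])
```

Running `first_full_handshake(open("TCPDump-lab-2.pcap", "rb").read())` on the real lab file gives the same pair the manual tcpdump method does, in the low-then-high order the question asks for.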