Random TCP Ports listening

[rameshj]

Hi,

When I start my java application, it opens some random ports(listen TCP ports). I don't know where it is from. The process ID of the ports are my java application. Can you please help me to analyze the root cause (or) type of those ports. Below are the command out for 'netstat -nltp' :

tcp 0 0 :::10500 :::* LISTEN 32343/java
tcp 0 0 :::4242 :::* LISTEN 32343/java
tcp 0 0 :::57272 :::* LISTEN 32343/java
tcp 0 0 :::8443 :::* LISTEN 32343/java
tcp 0 0 ::ffff:127.0.0.1:59708 :::* LISTEN 32343/java
tcp 0 0 :::50078 :::* LISTEN 32343/java

The 10500,4242 &8443 ports are expected to listen. But I don't know why the 50078, 59708 & 57272 ports are listening ? Can you please help me to analyze this issue.

Thanks,
Ramesh

[voidpointer69]

Moi Ramesh,

It would appear that your java app is not specifying what ports it wants to use when it creates the sockets. See man socket.

The ports that have been assigned have been chosen by the OS.

This beggars a question. Usually, a program only "listens" on a socket if it wants to accept connections from other programs. If the "listener" is not choosing the port numbers up front, how is it telling the rest of world what ports can be used to contact it?

Cheers - VP

[rameshj]

Code:

It would appear that your java app is not specifying what ports it wants to use when it creates the sockets. See man socket.

No. I explicitly specified the ports (10500,4242 &8443).

[manyrootsofallevil]

Code:

It would appear that your java app is not specifying what ports it wants to use when it creates the sockets. See man socket.

No. I explicitly specified the ports (10500,4242 &8443).

have you tried connecting to those ports?

Does your client works on that port?

[rameshj]

Yes. Everything working perfect. My client/agent can connect to all the predefined ports(10500,4242,8443). No functionality issue. But additional ports are in LISTEN state.

[manyrootsofallevil]

I meant, can you connect to the other ports?

Also, are 100% sure that your app is not opening them? e.g. you added those ports for debugging purposes and forgot to remove them. Some other part of the code is opening them?

[waynemot]

As I recall the TCP implementation is as follows: advertise on the public port, once a connection establishes forward that connection to another port on the server (thus leaving the serving advertised port available for the next caller) and that is probably what you are seeing, these additional ports containing your established TCP connections.

[voidpointer69]

Ramesh,

what manyroots says - you can try to see who is opening the extra ports with lsof

Cheers - vp

[rameshj]

Thanks to all for your help.

I could not find the root cause from lsof command. Below are the lsof command output.

Code:

/usr/sbin/lsof -c java | grep LISTEN
java    32343  sas   14u  IPv6       114815023490                   TCP *:57272 (LISTEN)
java    32343  sas   17u  IPv6       114815023692                   TCP *:10500 (LISTEN)
java    32343  sas   19u  IPv6       114815023797                   TCP *:50078 (LISTEN)
java    32343  sas  108u  IPv6       114815140966                   TCP *:pcsync-https (LISTEN)
java    32343  sas  118u  IPv6       114815141261                   TCP *:4242 (LISTEN)
java    32343  sas  120u  IPv6       114815141477                   TCP localhost.localdomain:59708 (LISTEN)

Code:

/usr/sbin/lsof -i :50078
COMMAND   PID USER   FD   TYPE       DEVICE SIZE NODE NAME
java    32343  sas   19u  IPv6 114815023797       TCP *:50078 (LISTEN)

Code:

/usr/sbin/lsof -i :57272
COMMAND   PID USER   FD   TYPE       DEVICE SIZE NODE NAME
java    32343  sas   14u  IPv6 114815023490       TCP *:57272 (LISTEN)

Code:

/usr/sbin/lsof -i :59708
COMMAND   PID USER   FD   TYPE       DEVICE SIZE NODE NAME
java    32343  sas  120u  IPv6 114815141477       TCP localhost.localdomain:59708 (LISTEN)

Hi waynemot,

Do mean whenever I bind a public port it will open another random port ? I tried to create a test server socket from java. But it LISTENs only one port which I expected. No additional ports are open.

Thanks,
Ramesh

[manyrootsofallevil]

You can only have a connection per socket, so normally what happens is that a connection is established on port x, say 80 for a web server and the actual transfer of data is done on another random port.

For instance, this is apache listening in port 80.

Code:

tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 ::ffff:10.168.20.227:80     ::ffff:10.168.20.89:50480   ESTABLISHED

As you can see, the connection is established on port 50480 but there is nothing listening on that port, once the connection is finished, i.e. browser is closed, connections go on TIME_WAIT and then get closed forever.

In your case, you have something listening on those rogue ports.

Did you try to connect to the rogue ports rather than the normal ports?

If instead of listing listening ports, you list all ports you'll see the behavior mentioned above.