IP addresses get packets to the correct host. But a host runs many applications simultaneously—web servers, databases, email clients, streaming services. Once a packet reaches the host, how does the operating system know which application should receive it?

The answer lies in port numbers—16-bit identifiers that extend addressing from the host level down to the process level. Port numbers are the essential mechanism that enables multiplexing and demultiplexing; without them, each host could only run one network application at a time.

The Complete Network Address:

Full Transport Layer Address = IP Address + Port Number
                             = 192.168.1.100:443
                             = Host Address + Process Address

This combination—often written as IP:Port—uniquely identifies a network endpoint on the entire Internet.

What is a Port Number?

A port number is a 16-bit unsigned integer (ranging from 0 to 65535) that identifies a specific process or service on a host. Port numbers are carried in the transport layer header—both TCP and UDP include source and destination port fields.

Technical Specifications:

• Size: 16 bits (2 bytes)
• Range: 0 to 65535 (0x0000 to 0xFFFF)
• Total Available: 65,536 unique port numbers
• Per Protocol: TCP and UDP have separate port namespaces
• Total Endpoints per Host: 65,536 TCP + 65,536 UDP = 131,072 possible endpoints

Key Properties:

1. Protocol Independence: TCP port 80 is different from UDP port 80
2. Local Scope: Port numbers are only meaningful in combination with an IP address
3. Direction Awareness: Source port identifies sender; destination port identifies receiver
4. Ephemeral Nature: Client ports are typically temporary; server ports are typically permanent

Source vs. Destination Ports:

Understanding the role of each port field is critical:

Source Port:

• Identifies the sending application process
• Typically assigned automatically by the OS (ephemeral)
• Becomes the destination port in response packets
• Enables the sender to receive replies

Destination Port:

• Identifies the target application process
• Must be known by the sender (well-known ports or prior agreement)
• Used by receiver for demultiplexing
• Determines which socket receives the data

Bidirectional Communication:

When a response is sent, the source and destination ports swap:

Client → Server: Src=52431, Dst=80
Server → Client: Src=80, Dst=52431

This swapping is how stateless protocols (like UDP) can send responses without maintaining connection state.

The Internet Assigned Numbers Authority (IANA) divides the 65,536 available ports into three distinct ranges, each with different purposes and assignment rules.

Range 1: Well-Known Ports (0-1023)

• Also called "System Ports" or "Privileged Ports"
• Reserved for common, standardized services
• Require elevated privileges (root/administrator) to bind on most OSes
• Assigned by IANA to specific protocols
• Examples: HTTP (80), HTTPS (443), SSH (22), DNS (53), SMTP (25)

Range 2: Registered Ports (1024-49151)

• Available for user processes and services
• Can be registered with IANA (but not required)
• No special privileges required to bind
• Many popular applications have registered ports here
• Examples: MySQL (3306), PostgreSQL (5432), MongoDB (27017)

Range 3: Dynamic/Private/Ephemeral Ports (49152-65535)

• Used for temporary, client-side connections
• Automatically assigned by the operating system
• Never registered with IANA
• Recycled after connections close
• Different OSes may use different ephemeral ranges

Operating System Ephemeral Port Ranges:

Different operating systems define ephemeral ranges differently:

Checking Your System's Range:

# Linux
cat /proc/sys/net/ipv4/ip_local_port_range

# Windows
netsh int ipv4 show dynamicport tcp

# macOS
sysctl net.inet.ip.portrange

Port Exhaustion:

When a client makes many simultaneous outbound connections, it can exhaust available ephemeral ports. With 16,384 ephemeral ports and TCP's TIME_WAIT (typically 60-120 seconds), a busy client might hit limits when making more than ~100-200 connections per second to the same destination.

Well-known ports (0-1023) are the most critical for understanding network services. These ports have been assigned to fundamental Internet protocols, and knowing them is essential for network administration, security analysis, and application development.

Port 0: Reserved

• Not a valid port for communication
• When used in binding, tells OS to assign any available port
• Used programmatically as "pick any port for me"

Essential Well-Known Ports:

Port Number Memorization Framework:

Certain port numbers follow logical patterns:

1. FTP pair: 20 (data) and 21 (control) are adjacent
2. Secure variants add 's': 80/443, 110/995, 143/993
3. DNS is 53: Easy to remember, used heavily
4. SSH replaced Telnet: 22 came after 23
5. Web ports: 80 = HTTP, 443 = HTTPS, 8080 = alternative HTTP

The Special Case of Port 443:

Port 443 (HTTPS) has become arguably the most important port on the Internet:

• All secure web traffic flows through 443
• Most modern services tunnel over HTTPS (even non-web protocols)
• Firewalls often allow only 80 and 443 outbound
• Many corporate networks only permit SSL-inspected 443 traffic

Registered Ports (1024-49151):

Registered ports are available for services and applications that don't warrant a well-known port but benefit from a consistent, documented port number. IANA maintains a registry of these assignments.

Common Registered Ports:

Dynamic/Ephemeral Ports (49152-65535):

Ephemeral ports are the workhorses of client-side networking. Every time an application makes an outbound connection, the operating system assigns an ephemeral port as the source port.

Ephemeral Port Lifecycle:

1. Application calls connect() or sendto()
2. OS selects next available ephemeral port (e.g., 52341)
3. Port is marked as in-use in the port allocation table
4. Connection uses this port for all communication
5. Connection closes (or UDP exchange completes)
6. Port enters TIME_WAIT (TCP) or is released (UDP)
7. After TIME_WAIT expires, port is available for reuse

Port Allocation Algorithms:

1. Sequential: Allocate ports in order (52341, 52342, 52343...)

   • Simple but predictable (security concern)

2. Random: Select randomly from available ports

   • Less predictable, harder to exploit
   • Modern systems prefer this approach

3. Round-Robin with Randomization: Hybrid approaches

   • Balance efficiency and security

Understanding how ports are assigned is crucial for both system administration and application development. There are two primary mechanisms: explicit binding and implicit assignment.

Explicit Binding (Server Pattern):

Servers explicitly request a specific port:

server_socket = socket(AF_INET, SOCK_STREAM, 0)
server_socket.bind(('0.0.0.0', 80))  # Explicitly request port 80
server_socket.listen(backlog)

This is the server pattern: bind to a known port so clients can find you.

Implicit Assignment (Client Pattern):

Clients let the OS assign an ephemeral port:

client_socket = socket(AF_INET, SOCK_STREAM, 0)
# No explicit bind() - OS assigns port on connect()
client_socket.connect(('example.com', 80))
# OS has now assigned an ephemeral source port

This is the client pattern: you don't care which local port you use.

Socket Options Affecting Port Assignment:

SO_REUSEADDR:

Allows binding to a port that's in TIME_WAIT state:

server_socket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
server_socket.bind(('0.0.0.0', 80))

Useful for server restarts—without this, you'd wait for TIME_WAIT to expire.

SO_REUSEPORT:

Allows multiple sockets to bind to the same port:

# Multiple processes can share port 80
server_socket.setsockopt(SOL_SOCKET, SO_REUSEPORT, 1)
server_socket.bind(('0.0.0.0', 80))

Used for load balancing across multiple server processes.

Binding to Specific Interfaces:

bind(('192.168.1.100', 80))  # Only reachable via 192.168.1.100
bind(('127.0.0.1', 80))       # Only reachable via localhost
bind(('0.0.0.0', 80))         # Reachable via any interface
bind(('::', 80))              # IPv6 any interface

We've discussed ports in isolation; now let's see exactly how they function within the multiplexing and demultiplexing framework.

At the Sender (Multiplexing):

Ports identify which socket's data is being sent:

Socket A (port 52341) sends data to server:443
  → Segment header: Src=52341, Dst=443

Socket B (port 52342) sends data to server:443  
  → Segment header: Src=52342, Dst=443

Socket C (port 52343) sends data to different:80
  → Segment header: Src=52343, Dst=80

The source port uniquely identifies the sending socket. The destination port indicates the target service.

At the Receiver (Demultiplexing):

Ports determine which socket receives the data:

Segment arrives: Src=52341, Dst=443
  → Look up socket bound to 443 (with matching 4-tuple for TCP)
  → Deliver to that socket's receive buffer

Segment arrives: Src=52342, Dst=443
  → Different source port = different connection
  → Different socket receives this segment

The Complete Identification Chain:

Each layer adds its own identification. Port numbers are the transport layer's contribution—enabling host-level multiplexing and demultiplexing.

Port Identification Table:

The operating system maintains a table mapping ports to sockets:

TCP Port Table:
┌─────────────────────────────────────────────────────────────┐
│ Local Addr    │ Local Port │ Remote Addr   │ Remote Port │ Socket │
├─────────────────────────────────────────────────────────────┤
│ 0.0.0.0       │ 80         │ *             │ *           │ LISTEN │
│ 0.0.0.0       │ 443        │ *             │ *           │ LISTEN │
│ 192.168.1.10  │ 52341      │ 203.0.113.50  │ 443         │ ESTAB  │
│ 192.168.1.10  │ 52342      │ 203.0.113.50  │ 443         │ ESTAB  │
│ 192.168.1.10  │ 52343      │ 10.0.0.1      │ 22          │ ESTAB  │
└─────────────────────────────────────────────────────────────┘

Demultiplexing consults this table for every incoming segment.

A critical but often misunderstood concept: TCP and UDP have completely separate port namespaces. TCP port 53 is entirely different from UDP port 53.

Protocol Number Differentiation:

In the IP header, the protocol field (field 10) indicates which transport protocol the payload contains:

• Protocol 6: TCP
• Protocol 17: UDP
• Protocol 1: ICMP
• Protocol 89: OSPF

When a segment arrives, the IP layer first checks this protocol field, then passes the segment to the appropriate transport protocol handler. This is why the same port number can be used by both TCP and UDP simultaneously.

Example: DNS Uses Both Protocols on Port 53:

DNS Query (UDP):  Protocol=17, Dst Port=53 → UDP port 53 socket
DNS Query (TCP):  Protocol=6,  Dst Port=53 → TCP port 53 socket

These are different sockets, potentially different processes!

Practical Implications:

1. Port scanning must check both protocols: A port may be open on TCP but closed on UDP (or vice versa)

2. Firewall rules are protocol-specific: Allowing TCP:80 doesn't allow UDP:80

3. Services may use different protocols on the same port: DNS uses UDP for queries but TCP for zone transfers, both on port 53

4. Socket programming requires explicit protocol selection: You must specify TCP or UDP when creating a socket

Socket Creation Example:

# These create sockets in different namespaces
tcp_socket = socket(AF_INET, SOCK_STREAM, 0)  # TCP
udp_socket = socket(AF_INET, SOCK_DGRAM, 0)   # UDP

# Both can bind to port 53 simultaneously
tcp_socket.bind(('0.0.0.0', 53))  # TCP port 53
udp_socket.bind(('0.0.0.0', 53))  # UDP port 53 - no conflict!

Viewing Both Namespaces:

# Linux: Show TCP listening ports
ss -tln

# Linux: Show UDP listening ports  
ss -uln

# Windows: Show both
netstat -an

Port usage has significant security implications. Understanding these is essential for network security.

Port Scanning:

Attackers scan ports to discover running services:

TCP SYN Scan:
Send SYN to each port
  → SYN-ACK response = Port open (service running)
  → RST response = Port closed (no service)
  → No response = Port filtered (firewall blocked)

UDP Scan:
Send UDP packet to each port
  → ICMP Port Unreachable = Port closed
  → Application response = Port open
  → No response = Open or filtered (ambiguous)

Mitigation Strategies:

1. Firewall Rules: Block unused ports at the firewall
2. Port Knocking: Require sequence of connection attempts to "unlock" a port
3. Minimal Services: Run only necessary services
4. Non-Standard Ports: Run services on unexpected ports (security through obscurity—not recommended as sole protection)

Port Redirection and NAT:

Network Address Translation (NAT) translates port numbers as packets traverse network boundaries:

Internal: 192.168.1.100:52341 → External: 203.0.113.1:61234

NAT table maintains mapping:
┌─────────────────────────────────────────────────────┐
│ Internal IP:Port    │  External IP:Port  │ Dest      │
├─────────────────────────────────────────────────────┤
│ 192.168.1.100:52341 │ 203.0.113.1:61234  │ google:443│
│ 192.168.1.101:52341 │ 203.0.113.1:61235  │ google:443│
└─────────────────────────────────────────────────────┘

Multiple internal hosts can use the same source port because NAT assigns different external ports.

Port Forwarding:

Allows external access to internal services:

External: 203.0.113.1:443 → Internal: 192.168.1.10:443

Anyone connecting to the external IP on port 443
gets forwarded to the internal web server.

We've comprehensively explored port identification—the mechanism that enables transport layer multiplexing and demultiplexing. Let's consolidate the key concepts:

What's Next:

Ports enable identification at the transport layer, but they don't tell the whole story. For TCP, connections rather than just ports determine how data is demultiplexed. The next page explores connection identification—how TCP uses the complete 4-tuple to distinguish between thousands of simultaneous connections.