Message: 3
Alexander>How can I detect the protocol? I need this for jurisdictional purposes.
When you use "netstat" the first column will tell you whether it is TCP.
If you use "netstat -a", you'll see something similar to the following:
C:\Windows\SYSTEM32>netstat
Active Connections
Proto Local Address Foreign Address State
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
Here we have:
host_IP:PORT
51273 is a randomly selected port based on what's available on the localhost
https is the label that is defined by c:\windows\system32\drivers\etc\services
To see what comes out of the services file, just:
C:\Windows\System32\drivers\etc>findstr https services
https 443/tcp MCom #HTTP over TLS/SSL
https 443/udp MCom #HTTP over TLS/SSL
In this case the state is ESTABLISHED; there are several other states, and
there are flow charts in several textbooks that show how the TCP protocol
changes state and under what conditions.
UDP is a little different as it doesn't have a state. So it looks something like this:
Here's how you define the protocol for the well-known UDP services:
C:\Windows\System32\drivers\etc>findstr 13[78] services
netbios-ns 137/tcp nbname #NETBIOS Name Service
netbios-ns 137/udp nbname #NETBIOS Name Service
netbios-dgm 138/udp nbdatagram #NETBIOS Datagram Service
C:\Windows\System32\drivers\etc>findstr 2177 services
qwave 2177/tcp #QWAVE
qwave 2177/udp #QWAVE Experiment Port
BTW: [MS-QDP]: Quality Windows Audio/Video Experience (qWave)
The c:\windows\system32\drivers\etc\services will contain any protocol/port pair that Microsoft decided should be in there. You can edit this file and define any protocol/port pair you need to describe the services your enterprise provides.
Hope I didn't gild the lily,
Paula
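
Added example, not part of the message above: a small parser for the services-file format that shows the label netstat prints is only a lookup on the (port, protocol) pair, so the Proto column is what identifies TCP or UDP. The function names, IP addresses and sample rows are constructed for illustration.

```python
import re

# Sample constructed from the findstr output quoted in the message above,
# plus a comment-only line of the kind the services file also contains.
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]  [#<comment>]
https             443/tcp    MCom          #HTTP over TLS/SSL
https             443/udp    MCom          #HTTP over TLS/SSL
netbios-ns        137/udp    nbname        #NETBIOS Name Service
netbios-dgm       138/udp    nbdatagram    #NETBIOS Datagram Service
qwave            2177/tcp                  #QWAVE
"""

def parse_services(text):
    """Return {(port, proto): (name, aliases)} from services-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop the trailing comment
        if len(fields) < 2:
            continue                               # blank or comment-only line
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1])
        if not m:
            continue                               # not a port/protocol entry
        table[(int(m.group(1)), m.group(2).lower())] = (fields[0], fields[2:])
    return table

def label_endpoint(proto, endpoint, table):
    """Replace a numeric port with its services-file name, if one is defined."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        return endpoint                            # e.g. "*:*" on UDP rows
    entry = table.get((int(port), proto.lower()))
    return f"{host}:{entry[0]}" if entry else endpoint

if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    # Constructed rows: (Proto column, numeric address)
    for proto, addr in [("TCP", "203.0.113.10:443"), ("UDP", "0.0.0.0:138"),
                        ("TCP", "192.0.2.5:51273")]:
        print(proto, addr, "->", label_endpoint(proto, addr, table))
```

Because the name comes from the file and not from the traffic, a label such as https says which port is in use, not which application protocol is actually spoken on it.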