Wireshark-users: Re: [Wireshark-users] out of port numbers

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Sat, 20 Aug 2011 15:25:27 +1000
Andrej van der Zee wrote:
> Hi,
> 
> I was wondering if there is any way to deduce from a pcap-file that a
> server might be running out of port numbers? What signs/patterns
> should I look for?

How do you define running out of ports?

Windows by default does not recognise the concept of well known and
reserved ports, and limits max port to 4000. It takes registry changes
to enforce sanity - reserve everything below 32768 and set max port to
49151 (not 65535 like you can on *nix which takes too much explaining).

On *nixes you have to know how the TCP and UDP stacks are configured,
and they are all different. I have two Linux boxes that use 32768-61000,
four Solaris boxes that use 32768-65535 and umpteen AIX boxes that use
32000-61000.

Andrew
-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
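
Added example, not part of the original thread: since the reply points out that the usable range depends on how each stack is configured, this sketch measures how much of a given range a host's outbound TCP SYNs occupy and how often a source port is reused within a short interval. The function name `port_usage`, the 60-second window and the sample records are assumptions constructed for illustration; the ranges are the ones quoted in the reply.

```python
from collections import Counter

# Ephemeral port ranges quoted in the reply above (inclusive bounds).
RANGES = {"linux": (32768, 61000), "solaris": (32768, 65535), "aix": (32000, 61000)}

def port_usage(syns, server_ip, lo, hi, window=60.0):
    """Summarise outbound source-port use by server_ip.

    syns: iterable of (timestamp, src_ip, src_port) for TCP SYNs without ACK,
          e.g. exported from a capture. window is an assumed reuse interval
          in seconds, not a value taken from the thread.
    Returns the peak number of distinct ports seen in any window, that peak
    as a fraction of the range size, and how many SYNs reused a port that
    was already seen inside the window.
    """
    events = sorted((t, p) for t, ip, p in syns if ip == server_ip and lo <= p <= hi)
    size = hi - lo + 1
    live = Counter()      # port -> number of SYNs inside the current window
    peak = reused = start = 0
    for t, p in events:
        # Slide the window: forget SYNs older than `window` seconds.
        while events[start][0] <= t - window:
            old = events[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        if p in live:
            reused += 1   # same source port picked again within the window
        live[p] += 1
        peak = max(peak, len(live))
    return {"peak_ports": peak, "peak_fraction": peak / size, "reused_in_window": reused}

# Constructed sample: one host cycling through a 10-port range, plus an
# unrelated host that must be ignored.
SAMPLE = [(float(i), "10.0.0.5", 32768 + i % 10) for i in range(12)]
SAMPLE.append((3.5, "10.0.0.9", 40000))

if __name__ == "__main__":
    print(port_usage(SAMPLE, "10.0.0.5", 32768, 32777))
    print(port_usage(SAMPLE, "10.0.0.5", *RANGES["linux"]))
```

A peak fraction close to 1.0 together with a rising reuse count is the pattern to look for; a low fraction against the host's real configured range suggests the limit lies elsewhere.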