Getting Data In

What ports are used as source ports for Splunk Universal forwarder agent?

mlevsh
Builder

Let's say we have Splunk Universal Forwarder agents installed on Windows servers.
Is it known which ports the Windows servers use to send data FROM (not TO) the Splunk deployment server?

In the following example, source port 61616 is used. Can it be something like 8180?
TCP windows_server_source_ip:61616 splunk_deployment_server:8089 ESTABLISHED 3232

mbagali_splunk
Splunk Employee

On Universal Forwarders, TCP source ports are assigned randomly. On the receiver (for example, an indexer) the port is reserved (like 9997). If you capture a TCP dump between the UF and the indexer, you can determine that the UF communicates with the indexer on random ports but the indexer acknowledges back only with the reserved port defined.

mlevsh
Builder

@mbagali, thank you for your reply!


DalJeanis
Legend

We verified for you in the Slack channel, and longtime heavy hitter Clint Sharp (coccyx) confirmed that, regardless of Windows or Unix, TCP source ports are ephemeral and assigned randomly, always above 1024 and generally above 32k (32768).

https://en.wikipedia.org/wiki/Ephemeral_port

If you are trying to filter your incoming data by source port, you are probably building an unnecessary and unhelpful technical limitation into your system that will come back to haunt you, and it will come bearing hand grenades.

If your security area is trying to firewall your data by source port, then they need a refresher course. That won't inconvenience hackers anywhere near as much as it inconveniences your network guys.

mlevsh
Builder

@DalJeanis & @mbagali,

Our Application Support team is troubleshooting an issue with a specific application that runs on a server where we have the Splunk Universal Forwarder (SUF) installed.
Let's say that the application is configured to use TCP port 8180.

If TCP source ports are assigned randomly, then 8180 could have been randomly assigned as the source port for the Splunk Universal Forwarder, and that would take down the application's production service that was configured to use that port, per the Application Support team.

Do you think it is possible?

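A check a practitioner can run before deciding whether the port collision asked about above is even possible on a given host, added here as an example (not code from the thread or from Splunk): it parses the ephemeral (dynamic) source-port range reported by Windows (`netsh int ipv4 show dynamicport tcp`) or Linux (`/proc/sys/net/ipv4/ip_local_port_range`) and tests whether an application port such as 8180 lies inside it. The sample outputs are constructed from the OS defaults (Windows 49152-65535, Linux 32768-60999); the live-host reader is an assumption about those two commands' output format.

```python
import re
import subprocess
import sys

# Constructed sample outputs reflecting the OS defaults; not captured from the poster's servers.
WINDOWS_NETSH_SAMPLE = """\
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""
LINUX_SYSCTL_SAMPLE = "32768\t60999\n"


def parse_windows_dynamic_range(netsh_output: str) -> tuple[int, int]:
    """Parse `netsh int ipv4 show dynamicport tcp` output into (first, last) port."""
    start = re.search(r"Start Port\s*:\s*(\d+)", netsh_output)
    count = re.search(r"Number of Ports\s*:\s*(\d+)", netsh_output)
    if not start or not count:
        raise ValueError("unrecognised netsh output")
    first = int(start.group(1))
    return first, first + int(count.group(1)) - 1


def parse_linux_local_port_range(text: str) -> tuple[int, int]:
    """Parse /proc/sys/net/ipv4/ip_local_port_range, which holds 'low<TAB>high'."""
    low, high = text.split()
    return int(low), int(high)


def port_in_ephemeral_range(port: int, rng: tuple[int, int]) -> bool:
    """True if an outbound connection on a host with this range could pick `port` as its source port."""
    return rng[0] <= port <= rng[1]


def host_ephemeral_range() -> tuple[int, int]:
    """Read the live range from the current host (Windows via netsh, Linux via procfs)."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["netsh", "int", "ipv4", "show", "dynamicport", "tcp"],
                             capture_output=True, text=True, check=True).stdout
        return parse_windows_dynamic_range(out)
    with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
        return parse_linux_local_port_range(fh.read())


if __name__ == "__main__":
    app_port = 8180  # the application port from the thread
    for name, rng in (("Windows default", parse_windows_dynamic_range(WINDOWS_NETSH_SAMPLE)),
                      ("Linux default", parse_linux_local_port_range(LINUX_SYSCTL_SAMPLE))):
        hit = port_in_ephemeral_range(app_port, rng)
        print(f"{name}: ephemeral range {rng[0]}-{rng[1]}, port {app_port} inside: {hit}")
```

If the application port does fall inside the host's range, the administrative fix is to reserve that port rather than to filter by source port: on Windows `netsh int ipv4 add excludedportrange protocol=tcp startport=8180 numberofports=1`, on Linux adding it to the `net.ipv4.ip_local_reserved_ports` sysctl.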