Ephemeral Port Range
Question
What is the ephemeral port range on various operating systems on which the Xshield agents are installed?
Answer
Ephemeral Port Ranges Across Operating Systems
Ephemeral ports (also called dynamic or private ports) are temporary ports assigned by the operating system for client-side communications. These ranges vary by OS and can often be customized by the administrator.
The Xshield Agent reads the ephemeral port range on a given host and coalesces all communications within that range into a single channel. The platform thus treats communication to or from a given host IP on any port in the ephemeral range as one channel, since there is little value in tracking each such port independently.
Note that the Xshield Agent also keeps a list of well-known service ports. If a communication on a port within the ephemeral range matches an entry in the well-known port list, it is not coalesced; it is tracked as a separate channel. This ensures that operators retain full visibility of communications on these well-known ports.
The list of well-known service ports used by the Xshield Agent is available at Well Known Service Ports.
When a path for a communication is not seen on the platform, the first step is to check the ephemeral port range on the specific host. If the expected port falls within the defined ephemeral range, check whether the data volume and connection count are increasing for the path to/from the specific IP address in the ephemeral port range.
If the data volume and connection count are not increasing for the ephemeral-port path, check whether the port is one of the well-known service ports. If it matches one of them, look for a unique path for that specific port.
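The following is an added illustration, not Xshield's own code, of the coalescing rule and the troubleshooting steps described above: it parses a host's ephemeral range (from the Linux `ip_local_port_range` format and from the Windows `netsh ... show dynamicport` start/count format), then groups constructed flow records into channels, keeping any port on a well-known list as its own channel even when it lies inside the ephemeral range. The well-known port set, the flow records and the command output strings are all constructed sample values for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed sample: contents of /proc/sys/net/ipv4/ip_local_port_range on Linux.
LINUX_PORT_RANGE_FILE = "32768\t60999\n"

# Constructed sample in the layout printed by `netsh int ipv4 show dynamicport tcp`.
WINDOWS_NETSH_OUTPUT = """Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""

# Assumed, abbreviated well-known service port list for this example only.
# 33060 (MySQL X protocol) sits inside the Linux ephemeral range on purpose.
WELL_KNOWN_PORTS: Set[int] = {22, 53, 80, 443, 3389, 5432, 8080, 33060}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 443, 1200),    # well-known, outside ephemeral range
    ("10.0.0.5", "10.0.0.9", 40001, 300),   # ephemeral: coalesced
    ("10.0.0.5", "10.0.0.9", 40002, 500),   # ephemeral: coalesced with the one above
    ("10.0.0.5", "10.0.0.9", 33060, 800),   # inside range but well-known: kept separate
    ("10.0.0.5", "10.0.0.9", 8443, 150),    # neither: its own channel
]

Flow = Tuple[str, str, int, int]
ChannelKey = Tuple[str, str, str]


def parse_linux_port_range(text: str) -> Tuple[int, int]:
    """Parse the two whitespace-separated integers in ip_local_port_range."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected ip_local_port_range content: {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high


def parse_netsh_dynamicport(text: str) -> Tuple[int, int]:
    """Convert netsh's 'Start Port' / 'Number of Ports' lines to an inclusive range."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = int(value.strip())
    start = fields["start port"]
    count = fields["number of ports"]
    high = start + count - 1
    if not (1 <= start <= high <= 65535):
        raise ValueError(f"invalid dynamic port range {start}-{high}")
    return start, high


def channel_key(src_ip: str, dst_ip: str, dst_port: int,
                eph_range: Tuple[int, int], well_known: Set[int]) -> ChannelKey:
    """Well-known ports always get their own channel; other ephemeral ports collapse."""
    low, high = eph_range
    if dst_port in well_known:
        return (src_ip, dst_ip, str(dst_port))
    if low <= dst_port <= high:
        return (src_ip, dst_ip, f"ephemeral[{low}-{high}]")
    return (src_ip, dst_ip, str(dst_port))


def coalesce_flows(flows: Iterable[Flow], eph_range: Tuple[int, int],
                   well_known: Set[int]) -> Dict[ChannelKey, Tuple[int, int]]:
    """Aggregate flows into channels, returning {key: (total_bytes, connection_count)}.

    Rising byte and connection counters on the ephemeral channel are what the
    troubleshooting steps above tell an operator to look for.
    """
    channels: Dict[ChannelKey, list] = defaultdict(lambda: [0, 0])
    for src, dst, port, nbytes in flows:
        key = channel_key(src, dst, port, eph_range, well_known)
        channels[key][0] += nbytes
        channels[key][1] += 1
    return {k: (v[0], v[1]) for k, v in channels.items()}


if __name__ == "__main__":
    linux_range = parse_linux_port_range(LINUX_PORT_RANGE_FILE)
    print("Linux ephemeral range:", linux_range)
    print("Windows ephemeral range:", parse_netsh_dynamicport(WINDOWS_NETSH_OUTPUT))
    for key, (total, count) in coalesce_flows(SAMPLE_FLOWS, linux_range, WELL_KNOWN_PORTS).items():
        print(f"{key[0]} -> {key[1]} port {key[2]}: {total} bytes, {count} connections")
```

Running it shows five flows collapsing into four channels: the two ephemeral-port flows merge into one channel with rising byte and connection counters, while 33060 stays visible as its own channel despite lying inside the range.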
1. Windows
- Modern Windows (Windows Server 2008 and later, Windows 10/11):
  - Default Range: 49152–65535
  - Command to View/Set:
    netsh int ipv4 show dynamicport tcp
    netsh int ipv4 set dynamicport tcp start=49152 num=16384
- Older Windows (Windows XP, Server 2003):
  - Default Range: 1025–5000
2. Linux
- Most Modern Distributions (kernel 2.6.26+):
  - Default Range: 32768–60999
  - View Range:
    cat /proc/sys/net/ipv4/ip_local_port_range
  - Set Range:
    sysctl -w net.ipv4.ip_local_port_range="32768 60999"
3. Solaris
- Default Range (Solaris 10/11): 32768–65535
- View Current Range:
  ndd /dev/tcp tcp_smallest_anon_port
  ndd /dev/tcp tcp_largest_anon_port
- Set Range:
  ndd -set /dev/tcp tcp_smallest_anon_port 32768
  ndd -set /dev/tcp tcp_largest_anon_port 65535
4. AIX
- Default Range (AIX 5.3 and later): 32768–65535
- View Current Range:
  no -o ephemeral_low
  no -o ephemeral_high
- Set Range:
  no -p -o ephemeral_low=32768
  no -p -o ephemeral_high=65535
Summary Table
Operating System | Default Ephemeral Port Range | Command to View | Command to Set |
---|---|---|---|
Windows (10/11) | 49152–65535 | netsh int ipv4 show dynamicport tcp | netsh int ipv4 set dynamicport tcp start=49152 num=16384 |
Windows XP/2003 | 1025–5000 | — | — |
Linux | 32768–60999 | cat /proc/sys/net/ipv4/ip_local_port_range | sysctl -w net.ipv4.ip_local_port_range="32768 60999" |
Solaris | 32768–65535 | ndd /dev/tcp ... | ndd -set /dev/tcp ... |
AIX | 32768–65535 | no -o ephemeral_low / ephemeral_high | no -p -o ephemeral_low=... / ephemeral_high=... |
Note: These ports are used primarily for outbound connections and may need to be allowed in firewalls for return traffic to function correctly.