0

Have just run netstat -A on my SQL Server and seen an established connection from one of our workstations on bmcw000340.domain:close-combat.

My google-fu is failing me and I can't find out what close-combat is... does anyone know?

Paul D'Ambra
  • 1,082
  • 1
  • 13
  • 22
  • Add the `-n` flag to get numeric output. Then you will see the port number (and the IP address) instead of the hostname and service description. – Michael Hampton Jul 11 '12 at 07:43

3 Answers3

2

It looks to be TCP and UDP port 1944:

http://www.iana.org/assignments/port-numbers

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • Was wondering more what close-combat was... What it's used by or for... – Paul D'Ambra Sep 22 '10 at 11:38
  • Port 1944 is above the Well Known port numbers so it's probably a service or application that happens to run on port 1944 and is not actually close-combat, whatever that is. You can find out what service\application\process it is by running netstat -a -b -o which will list each connection, what process has established each connection, and what PID is responsible for each connection. – joeqwerty Sep 22 '10 at 12:16
  • 1
    Believe close combat was a game, way back when, people used to think their bit of software was important enough to have its own port, and for that port to appear in named lists :) As joequerty says, its not going to be "close combat" - especially (its not 100% clear) if it's the source port which is generally irrelevant. – Tom Newton Sep 20 '12 at 18:24
  • @PaulD'Ambra Welcome to Server Fault. This question appears to have been answered; if you feel the answers are sufficient, please consider accepting an answer so that this question is considered resolved. Until you do so, it remains on the unanswered list and continues to come up. – Michael Hampton Oct 21 '12 at 13:47
  • http://findports.com/document.php?tag=close-combat the game close combat doesn't use port 1944 – Paul D'Ambra Oct 21 '12 at 20:30
  • @MichaelHampton the purpose of asking the question is because I don't know why the machine would have an outbound close-combat connection. I don't know what close-combat is. And neither of the answers clarifies that. I've updated the question to (hopefully) make that clearer. – Paul D'Ambra Oct 21 '12 at 20:31
  • @TomNewton yours is the closest to explaining what happened. Add your comment as an answer and I'd be happy to accept it. – Paul D'Ambra Oct 21 '12 at 20:41
2

The translation that is done there (from port numbers to service names) is done using a lookup in your services file /etc/services. A very quick glance will show that a lot of information in there is entirely obsolete, and that it doesn't necessarily correspond to what is actually running or used on your machine.

If you want, you can change the service name in the services file to what your server is actually hosting there.

Additionally, bear in mind that with source port randomization, the service name of the source port is completely irrelevant, because it is random. Normally the ports chosen are supposed to be above 32767, but I typically don't observe this to be the case.

If you find the translation to be obfuscating rather than informative, simply specify the -n option to netstat; this will prevent lookup of both port numbers and rDNS. In theory, you could also trim irrelevant entries from /etc/services, though I wouldn't.

On windows this works exactly the same, except that the file is located at %WINDIR%\System32\drivers\etc\services.

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
1

Believe close combat was a game, way back when, people used to think their bit of software was important enough to have its own port, and for that port to appear in named lists :) As joequerty says, its not going to be "close combat" - especially (its not 100% clear) if it's the source port which is generally irrelevant.

Tom Newton
  • 4,141
  • 2
  • 24
  • 28