IANA have entries for both TCP and UDP packets defined within their range of assigned ports at : http://www.iana.org/assignments/port-numbers

 

 

As you can see, both are defined as being reserved.

 

However, there is a lesser known definition for port 0 which is:

 

spr-itunes        0/tcp    Shirt Pocket netTunes

spl-itunes        0/tcp    Shirt Pocket launchTunes

 

which causes confusion when some /etc/services files have the itunes (nothing to do with Apple) and commands will show the spr-itunes service as being in use.

 

The use of TCP port 0 was first introduced (as far as I can find) with the documentation of RFC675 where they state that :

 

 

So this would have resulted in a packet which was 0.0.0.0:0 or, x.x.x.x:0 where x.x.x.x is a valid IP address.

 

So, when do we see port 0 in use? Well, for no valid reason I know of.

 

Indeed, many IDS systems provide signatures to detect packets which have port numbers of 0, for example:

 

 

To break down this Snort IDS signature, we have a TCP flow from any system to any system where the destination port number is 0.

 

Other handlers have pondered on where such packets come from such as : isc.sans.org/diary.html?storyid=556

 but we also know that such packets can be created by tools such as hping3.

 

So, have you seen TCP 0 on your network and found a valid reason for it being there? If so, drop us a line via the contact form, and i'll update the diary with those uses.

 

Update:

 

One of our diary readers, Troy, has let us know that he has seen on a number of occasions TCP Port 0 traffic coming from an Akamai caching server farm. If you know why the people over at Akamai are using TCP port 0, or indeed have a packet capture we could examine the please let us know via the contact form.