Hello,
I recently sent a search warrant to Hughes Networking Systems for information about an IP address and who was using this IP address on a certain date and time. They responded stating that they were unable to provide that information because I did not provide a source port, and that this IP address can be used by up to 250 users at a time. They gave me the following about source ports.
Source Port
Packets that flow across the internet have two numbers assigned to the connection: one somewhat random (source port) and the other not so random (destination port). These numbers, assigned to the connection in conjunction with the IP address, help uniquely identify the connection.
Example
97.48.23.33:4562
The IP address 97.48.23.33 had a connection that used source port of 4562.
I acquired the IP address in question from a previous search warrant sent to Facebook. Facebook returned the last IP address that was used to access a certain Facebook account. Does anyone know if Facebook would have these source ports that go with certain IP addresses? If so, do you have any templates of what you might put in your search warrants?
Thanks for your help.
A request from Facebook would have a destination port of either 80 (HTTP) or 443 (HTTPS). The originating ISP may have a source port of something else so that it can internally manage multiple users' traffic using fewer IP addresses. In order for Facebook to return data to the correct ISP, the return packets must contain the original IP address; for the ISP to then route the traffic back to the correct device, the original source port must be included. Facebook should keep this log??
For more information, look up port address translation (PAT)
Hope this helps.
Just to add to this somewhat.
PAT is more common in smaller networks, home networks for example. Typically, an ISP providing dial-up or broadband services would assign the router an IP, either the same one each session (static) or a different one each session (dynamic). In this case, the ISP wouldn't need to know the source port number used, simply the IP address and the exact time Facebook logged the IP address on their servers.
A mobile telephone would typically work quite differently. In order to maximise the number of users able to connect to the internet with fewer IP addresses, they would assign each handset an internal IP, typically in the 10.0.0.0/8 range of reserved IPs. All traffic would then get routed through a NAT (Network Address Translation) router that enables the 10.0.0.0/8 IP to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. Still, in this scenario, the port should not be something required by the ISP; they should just require the IP address and an accurate date and time the IP hit the Facebook server.
Would be interested to hear others' thoughts on this.
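The two replies above both turn on what the translating device keeps and what a request therefore has to specify. As an added illustration, not code from the thread, from Hughes or from Facebook, the Python below simulates a dynamic NAPT with a translation log and runs the two kinds of query a warrant could ask. Subscriber IDs, ports and timestamps are constructed; public addresses use the RFC 5737 documentation ranges and the private side uses 10.0.0.0/8 as the mobile scenario above describes.

```python
"""Added example (not from the thread or any ISP's real logging system):
a small dynamic NAPT simulation showing why "IP address + date/time" is
ambiguous behind a shared public IP while "IP address + source port +
date/time" is not. All addresses, ports, subscriber IDs and timestamps
are constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class NatSession:
    subscriber: str            # assumed account/handset identifier
    private_ip: IPv4Address
    private_port: int          # port chosen by the handset (may collide)
    public_ip: IPv4Address
    public_port: int           # the "source port" the remote server sees
    dst_ip: IPv4Address
    dst_port: int
    start: datetime
    end: Optional[datetime] = None   # None while the session is still open

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


class DynamicNapt:
    """One shared public IP, public ports handed out on demand, and a
    session log of every translation (what a CGNAT would have to retain)."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = IPv4Address(public_ip)
        self._next_port = first_port
        self.log: list[NatSession] = []

    def open(self, subscriber: str, private_ip: str, private_port: int,
             dst_ip: str, dst_port: int, at: datetime) -> NatSession:
        # Sequential allocation keeps the demo readable; real devices differ,
        # but all of them must keep a public port unique while it is in use.
        s = NatSession(subscriber, IPv4Address(private_ip), private_port,
                       self.public_ip, self._next_port,
                       IPv4Address(dst_ip), dst_port, at)
        self._next_port += 1
        self.log.append(s)
        return s

    def close(self, session: NatSession, at: datetime) -> None:
        session.end = at

    def subscribers_for(self, public_ip: str, at: datetime) -> set[str]:
        """Query with IP + time only: everyone with a translation active then."""
        ip = IPv4Address(public_ip)
        return {s.subscriber for s in self.log
                if s.public_ip == ip and s.active_at(at)}

    def subscriber_for(self, public_ip: str, public_port: int,
                       at: datetime) -> Optional[str]:
        """Query with IP + source port + time: at most one session can match,
        because a public port is never lent to two sessions at the same time."""
        ip = IPv4Address(public_ip)
        hits = [s for s in self.log if s.public_ip == ip
                and s.public_port == public_port and s.active_at(at)]
        if len(hits) > 1:
            raise RuntimeError("NAT invariant violated: port shared while active")
        return hits[0].subscriber if hits else None


def demo() -> tuple[set[str], Optional[str], Optional[str]]:
    """Three handsets behind 198.51.100.7 reach the same web server
    (203.0.113.10:443) at overlapping times. Returns the answer for a
    request with IP + time only, for IP + port + time, and for the same
    port after its session has ended (time still matters with a port)."""
    def ts(h: int, m: int, s: int) -> datetime:
        return datetime(2014, 3, 5, h, m, s, tzinfo=timezone.utc)

    nat = DynamicNapt("198.51.100.7", first_port=4560)
    a = nat.open("acct-1001", "10.23.4.11", 51000, "203.0.113.10", 443, ts(14, 0, 0))
    nat.open("acct-1002", "10.23.4.12", 51000, "203.0.113.10", 443, ts(14, 0, 5))
    nat.open("acct-1003", "10.23.4.13", 50999, "203.0.113.10", 443, ts(14, 0, 9))
    nat.close(a, ts(14, 2, 0))

    # The server-side record reads "198.51.100.7 at 2014-03-05 14:01:00 UTC";
    # with the source port it reads "198.51.100.7:4562 at ...".
    when = ts(14, 1, 0)
    by_ip_only = nat.subscribers_for("198.51.100.7", when)          # 3 candidates
    by_ip_and_port = nat.subscriber_for("198.51.100.7", 4562, when)  # 'acct-1003'
    stale = nat.subscriber_for("198.51.100.7", 4560, ts(14, 3, 0))   # None: closed
    return by_ip_only, by_ip_and_port, stale


if __name__ == "__main__":
    print(demo())
```

Two details worth carrying into a request: the first two handsets both picked private port 51000, so the port the handset used is not the port the remote server saw, and only the NAT's own log links the two; and the timestamp has to be precise and in a stated time zone, because a public port is reused once a session closes, so the same ip:port names a different subscriber a few minutes later. A home router with one public IP per customer (the static/dynamic assignment case in the reply above) is the degenerate case where the IP plus time already identifies one customer, which is why that kind of ISP never asks for the port.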
Every request has a source port; in your case as well, the message will have a specific source port. You just need to find out the particular source port and you will find the proper reason in the least amount of time.
I'm also thinking NAT. UDP connections, however, CAN use the same udp.srcport and udp.dstport, since the protocol is "fire and forget" and does not need to be distinguished at the source, or even expect a response.
There are other attributes that could be used, like TCP sequence number or packet/payload size, packet content (cookies), browser footprint (http headers) that you could use to pinpoint the session you wish to acquire.
Providers who implement carrier-grade NAT mostly use deterministic NAPT, in order to keep up performance and to fulfil their LE response requirements. The outbound communication from an internal IP address will always be mapped to the same port range, so they only have the same amount of logs as with public IPs (logging private IP assignments instead). But they need the source port to determine the private IP and the user.
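To make the deterministic-NAPT point concrete, here is an added Python example, written for this page rather than taken from the thread or from any vendor's implementation. Each private address always owns one fixed block of ports on one fixed public address, so the provider recovers the private address from a public ip:port by arithmetic and only has to log which subscriber held which private address when. The block size of 256 and the address ranges are assumptions, chosen so that 252 subscribers share one public IP, which is in the same ballpark as the "up to 250 users" figure in the original question.

```python
"""Added example (not from the thread or any provider's product): a
deterministic NAPT in which private host i always maps to the same
(public IP, port block). Block size, address ranges, subscriber IDs
and timestamps are constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

FIRST_PORT = 1024   # assumed: ports below 1024 are kept back
BLOCK = 256         # assumed ports per subscriber; real gear makes this configurable


@dataclass(frozen=True)
class PortBlock:
    public_ip: IPv4Address
    first_port: int
    last_port: int


class DeterministicNapt:
    def __init__(self, inside: str, public_pool: str, block: int = BLOCK) -> None:
        self.inside = IPv4Network(inside)
        self.pool = list(IPv4Network(public_pool).hosts())
        self.block = block
        self.blocks_per_ip = (65535 - FIRST_PORT + 1) // block   # 252 for block=256
        self.capacity = len(self.pool) * self.blocks_per_ip

    def _index(self, private_ip: IPv4Address) -> int:
        # private hosts are numbered from .1 upwards inside the network
        i = int(private_ip) - int(self.inside.network_address) - 1
        if not 0 <= i < self.capacity:
            raise ValueError(f"{private_ip} has no port block")
        return i

    def outbound(self, private_ip: str) -> PortBlock:
        """Every flow from private_ip leaves with a source port in this block."""
        i = self._index(IPv4Address(private_ip))
        first = FIRST_PORT + (i % self.blocks_per_ip) * self.block
        return PortBlock(self.pool[i // self.blocks_per_ip], first, first + self.block - 1)

    def inbound(self, public_ip: str, public_port: int) -> IPv4Address:
        """Invert the formula: which private address owns public_ip:public_port?
        Refuses (ValueError) rather than guesses for a port outside the
        allocated range or an address outside the pool."""
        j = (public_port - FIRST_PORT) // self.block
        if public_port < FIRST_PORT or j >= self.blocks_per_ip:
            raise ValueError(f"port {public_port} is not in any subscriber block")
        i = self.pool.index(IPv4Address(public_ip)) * self.blocks_per_ip + j
        return self.inside.network_address + (i + 1)


@dataclass(frozen=True)
class Assignment:
    """The only log the provider needs: who held which private IP, and when."""
    subscriber: str
    private_ip: IPv4Address
    start: datetime
    end: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


def subscriber_for(nat: DeterministicNapt, log: list[Assignment],
                   public_ip: str, public_port: int, at: datetime) -> Optional[str]:
    """IP + source port + time: formula gives the private IP, log gives the user."""
    priv = nat.inbound(public_ip, public_port)
    return next((a.subscriber for a in log
                 if a.private_ip == priv and a.active_at(at)), None)


def candidates_for(nat: DeterministicNapt, log: list[Assignment],
                   public_ip: str, at: datetime) -> list[str]:
    """IP + time only: every active subscriber whose block sits on that public IP."""
    ip = IPv4Address(public_ip)
    return sorted(a.subscriber for a in log if a.active_at(at)
                  and nat.outbound(str(a.private_ip)).public_ip == ip)


def round_trip_holds(nat: DeterministicNapt, hosts: int) -> bool:
    """outbound() then inbound() must return the same private host, at both
    ends of its block, for the first `hosts` addresses."""
    base = nat.inside.network_address
    for k in range(1, hosts + 1):
        priv = base + k
        blk = nat.outbound(str(priv))
        if any(nat.inbound(str(blk.public_ip), p) != priv
               for p in (blk.first_port, blk.last_port)):
            return False
    return True


def demo() -> dict:
    """Inside 10.0.0.0/8, pool 198.51.100.0/24. A record of '198.51.100.2 at
    12:30 UTC' lists every subscriber on that address; adding port 3100 names one."""
    nat = DeterministicNapt("10.0.0.0/8", "198.51.100.0/24")
    t0 = datetime(2014, 3, 5, 12, 0, tzinfo=timezone.utc)
    log = [Assignment("acct-A", IPv4Address("10.0.1.5"), t0),
           Assignment("acct-B", IPv4Address("10.0.0.253"), t0),
           Assignment("acct-C", IPv4Address("10.0.0.1"), t0)]
    at = datetime(2014, 3, 5, 12, 30, tzinfo=timezone.utc)
    blk = nat.outbound("10.0.1.5")
    return {
        "per_public_ip": nat.blocks_per_ip,                                   # 252
        "block": (str(blk.public_ip), blk.first_port, blk.last_port),         # ('198.51.100.2', 3072, 3327)
        "by_ip_only": candidates_for(nat, log, "198.51.100.2", at),           # ['acct-A', 'acct-B']
        "by_ip_and_port": subscriber_for(nat, log, "198.51.100.2", 3100, at),  # 'acct-A'
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a request is the one the reply states: the provider genuinely holds no per-connection record, so "IP + time" can only be answered with the whole list of subscribers whose blocks sit on that public address, while "IP + source port + time" is a single arithmetic lookup followed by one search of the private-address assignment log. The port is not an optional extra the provider could dig up later; without it the record that would narrow the answer never existed.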