2

Very strange,i have 4 machine,some machines are real hw(slack64 and slackware) one is a phone android,and last is virtual machine.

From slack64 to every machine...

for i in oracle slackware android;do nmap -p554 -sT -P0 $i;done|grep open
554/tcp open  rtsp
554/tcp open  rtsp
554/tcp open  rtsp

I can telnet it from slack64

telnet oracle  554
Trying 192.168.0.21...
Connected to oracle.
Escape character is '^]'.

But if I do ssh to machine..for example oracle..

netstat -na|grep 554

return..empty!

Same thing with other machines

If I did telnet oracle from oracle..

telnet  oracle 554
Trying 192.168.0.21...
telnet: connect to address 192.168.0.21: Connection refused

What the hell is this? I investigate..very strange.

elbarna
  • 12,050
  • 22
  • 92
  • 170

3 Answers3

4

If your network connection goes through a router, then I'd check to see if the router has port 554 open. If it has, it's probably easy to to just uncheck a checkbox for "Real Time Streaming Protocol" (or equivalent) in the router settings.

Kusalananda
  • 320,670
  • 36
  • 633
  • 936
3

I'm probably way off here, but I'm going to post anyway.

Looking up port 554 in IANA's port assignment list shows that both TCP and UDP 554 is used by the "Real Time Streaming Protocol". Furthermore, it shows a point of contact using an email address @prognet.com.

The domain name doesn't load a website, but a whois lookup of prognet.com reveals that it's owned by RealNetworks and its name servers are various A records of real.com.

Then I actually had to go to real.com to remember what it was... RealPlayer!

I'm guessing the "Real Time Streaming Protocol" is something that RealPlayer uses. Is media streaming something that happens at all in your environment? If not, like I said, I'm probably way off and it's something else that just happens to use port 554.

Brad Johnson
  • 104
  • 2
  • No media streaming,and if I want to use media streaming I avoid Real ,low quality and closed source – elbarna Feb 13 '17 at 06:07
1

ss utility will help you to get what is the process using this port

hafw1:~# ss -tapn | grep ":22"
LISTEN     0      128            :::22                      :::*      users:(("sshd",9828,4))
LISTEN     0      128             *:22                       *:*      users:(("sshd",9828,3))
ESTAB      0      0  my_ip:59233        dest:22     users:(("ssh",1625,3))

Where:

  • -t: TCP only
  • -a: Display ports and sockets
  • -p: Processes information
  • -n: Do not resolv port names

Now, just replace the grep value to :554 and you could find information about your mysterious process. What should help you investigate further this matter is to run watch on every server you are facing this open port issue, and run nmap again:

watch -n 1  ss -tapn \| grep ":554"

If you see no open port could be the case where some people are reporting this port being open on Apple Time Capsule routers trying to proxy this traffic inside your network.