
Different port number on client and server for same connection

I have a connection from client to server over websocket. I was just checking the netstat output to understand network-level details. I found that when I run netstat -anpt on both client and server, I get a different client port. For example, on the server:

tcp6 0 0 172.34.10.158:8080 121.71.171.152:28301 ESTABLISHED 13250/java

On the client:

tcp6 0 0 192.168.0.111:35129 51.74.132.142:8080 ESTABLISHED 8209/java

So the client port from the server is "28301", but when I check on my client, it's "35129". I am a bit confused by this. PS: 192.168.0.111 is my local IP, 51.74.132.142 is my server's public IP, 121.71.171.152 is my ISP IP and 172.34.10.158 is my server's private IP. It would be great to know more about this, so any docs or resources would be useful.

Both the client and the server are behind NAT (Network Address Translation) firewalls.

You listed:

Client: tcp6 0 0 192.168.0.111:35129 51.74.132.142:8080

Server: tcp6 0 0 172.34.10.158:8080 121.71.171.152:28301

Your client has an IP of 192.168.0.111 on your local network, and wants to talk to a server at 51.74.132.142 on port 8080, so it allocates a dynamic port for the conversation (port 35129).

The TCP/IP packets leave the local network through a firewall with source-NAT, which maps the source IP:Port to 121.71.171.152:28301.
That is the external IP of your office/home. You can confirm that at http://www.whatsmyip.org/.

The TCP/IP packets arrive at the firewall protecting the server network, which is configured with destination-NAT, so it maps the destination IP:Port to 172.34.10.158:8080.

The server receives the packet and establishes a connection.

Packets flowing the other way are then un-mapped by the firewalls. The firewalls maintain state to remember how to reverse the mapping. To conserve resources, the state has a timeout, so if the server is really slow and takes longer to respond than the timeout, the response will get lost even if the client is still waiting. The network admin controls the timeout. I've seen them as low as 5 minutes, so any response time > 5 mins never arrived back at client.
Moral: Setting client timeout higher than firewall NAT timeout just delays the inevitable.

Recap

Network                      Source                Destination
YourPC   --lan--> Firewall   192.168.0.111:35129   51.74.132.142:8080
Firewall --web--> Firewall   121.71.171.152:28301  51.74.132.142:8080
Firewall --lan--> Server     121.71.171.152:28301  172.34.10.158:8080
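
The mapping and timeout described above, as an added example that is not part of the original answer: a minimal stateful NAT model that reproduces the three rows of the recap and shows a reply being dropped once the idle timeout has passed. The `Nat` class and `round_trip` helper are hypothetical names, and the public port is passed in rather than allocated as a real firewall would do.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class Nat:
    """Stateful NAT: rewrites packets and remembers how to undo it for replies."""
    def __init__(self, timeout):
        self.timeout = timeout  # idle seconds before a mapping is forgotten
        self.state = {}         # (reply src, reply dst) -> (un-mapped reply, last_seen)

    def _track(self, pkt, out, now):
        # A reply to `out` arrives with src/dst swapped and must leave as a reply to `pkt`.
        self.state[(out.dst, out.src)] = (Packet(pkt.dst, pkt.src), now)
        return out

    def snat(self, pkt, public, now):   # outbound: rewrite the source
        return self._track(pkt, Packet(public, pkt.dst), now)

    def dnat(self, pkt, private, now):  # inbound: rewrite the destination
        return self._track(pkt, Packet(pkt.src, private), now)

    def reverse(self, reply, now):
        entry = self.state.get((reply.src, reply.dst))
        if entry is None or now - entry[1] > self.timeout:
            self.state.pop((reply.src, reply.dst), None)
            return None                 # no state left: the reply is dropped
        self.state[(reply.src, reply.dst)] = (entry[0], now)
        return entry[0]

# Addresses from the question; the 300 s default is the 5-minute figure from the answer.
CLIENT, CLIENT_PUB = ("192.168.0.111", 35129), ("121.71.171.152", 28301)
SERVER_PUB, SERVER = ("51.74.132.142", 8080), ("172.34.10.158", 8080)

def round_trip(reply_delay, timeout=300):
    client_fw, server_fw = Nat(timeout), Nat(timeout)
    hops = [Packet(CLIENT, SERVER_PUB)]                    # what the client's netstat shows
    hops.append(client_fw.snat(hops[-1], CLIENT_PUB, 0))   # on the internet
    hops.append(server_fw.dnat(hops[-1], SERVER, 0))       # what the server's netstat shows
    reply = Packet(hops[-1].dst, hops[-1].src)             # server answers after reply_delay
    for fw in (server_fw, client_fw):
        reply = reply and fw.reverse(reply, reply_delay)
    return hops, reply

if __name__ == "__main__":
    for delay in (10, 600):
        hops, reply = round_trip(delay)
        print(delay, [f"{p.src} -> {p.dst}" for p in hops], "reply:", reply)
```

When correlating server logs with client-side records, the server only ever sees the translated pair (121.71.171.152:28301 here), so the NAT device's own state or logs are needed to tie it back to 192.168.0.111:35129.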

This is a network tuple hostip:hostport:destip:destport:protocol. All 5 of these pieces of information together define one connection at the OS level. At the OS level, it has to know all these details for one connection to successfully route data from host to dest and vice versa.

How many tuples are there in a connection?

https://en.wikipedia.org/wiki/Network_socket#Socket_pairs
