1025 TIME_WAITs between my computer

Discussion in 'other firewalls' started by sophie001, Apr 14, 2005.

Thread Status:
Not open for further replies.
  1. sophie001

    sophie001 Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    1
    Hi, here is my situation:

    I have a Windows 2000 Professional with Windows Firewall activated on it and I am also behind a hardware firewall. I have Norton virus protection, all my updates are done, etc.

    When I check my "netstat", I see lots of ESTABLISHED or TIME_WAIT connections between my computer (df-office) and many other http connections to some other IP addresses. (But I am not connected to any web site at that time.)

    Here is my netstat output, PLEASE HELP:
    THANK YOU

    TCP df-office:1025 df-office:1067 TIME_WAIT
    TCP df-office:1025 df-office:1070 TIME_WAIT
    TCP df-office:1025 df-office:1076 TIME_WAIT
    TCP df-office:1025 df-office:1082 TIME_WAIT
    TCP df-office:1025 df-office:1090 TIME_WAIT
    TCP df-office:1025 df-office:1093 TIME_WAIT
    TCP df-office:1025 df-office:1095 TIME_WAIT
    TCP df-office:1025 df-office:1098 TIME_WAIT
    TCP df-office:1025 df-office:1099 TIME_WAIT
    TCP df-office:1025 df-office:1105 TIME_WAIT
    TCP df-office:1025 df-office:1106 TIME_WAIT
    TCP df-office:1025 df-office:1112 TIME_WAIT
    TCP df-office:1025 df-office:1115 TIME_WAIT
    TCP df-office:1025 df-office:1117 TIME_WAIT
    TCP df-office:1025 df-office:1119 TIME_WAIT
    TCP df-office:1025 df-office:1121 TIME_WAIT
    TCP df-office:1025 df-office:1123 TIME_WAIT
    TCP df-office:1025 df-office:1125 TIME_WAIT
    TCP df-office:1025 df-office:1127 TIME_WAIT
    TCP df-office:1025 df-office:1132 TIME_WAIT
    TCP df-office:1025 df-office:1134 TIME_WAIT
    TCP df-office:1025 df-office:1135 TIME_WAIT
    TCP df-office:1025 df-office:1140 TIME_WAIT
    TCP df-office:1025 df-office:1142 TIME_WAIT
    TCP df-office:1025 df-office:1144 TIME_WAIT
    TCP df-office:1025 df-office:1147 TIME_WAIT
    TCP df-office:1025 df-office:1148 TIME_WAIT
    TCP df-office:1025 df-office:1151 TIME_WAIT
    TCP df-office:1025 df-office:1153 TIME_WAIT
    TCP df-office:1025 df-office:1155 TIME_WAIT
    TCP df-office:1025 df-office:1157 TIME_WAIT
    TCP df-office:1025 df-office:1159 TIME_WAIT
    TCP df-office:1025 df-office:1160 TIME_WAIT
    TCP df-office:1025 df-office:1164 TIME_WAIT
    TCP df-office:1025 df-office:1166 TIME_WAIT
    TCP df-office:1025 df-office:1167 TIME_WAIT
    TCP df-office:1025 df-office:1172 TIME_WAIT
    TCP df-office:1025 df-office:1174 TIME_WAIT
    TCP df-office:1025 df-office:1176 TIME_WAIT
    TCP df-office:1025 df-office:1178 TIME_WAIT
    TCP df-office:1025 df-office:1180 TIME_WAIT
    TCP df-office:1025 df-office:1182 TIME_WAIT
    TCP df-office:1025 df-office:1184 TIME_WAIT
    TCP df-office:1025 df-office:1186 TIME_WAIT
    TCP df-office:1025 df-office:1191 TIME_WAIT
    TCP df-office:1025 df-office:1193 TIME_WAIT
    TCP df-office:1025 df-office:1194 TIME_WAIT
    TCP df-office:1025 df-office:1197 TIME_WAIT
    TCP df-office:1025 df-office:1199 TIME_WAIT
    TCP df-office:1025 df-office:1201 TIME_WAIT
    TCP df-office:1025 df-office:1203 TIME_WAIT
    TCP df-office:1025 df-office:1211 TIME_WAIT
    TCP df-office:1064 df-office:1025 TIME_WAIT
    TCP df-office:1079 df-office:1025 TIME_WAIT
    TCP df-office:1129 df-office:1025 TIME_WAIT
    TCP df-office:1138 df-office:1025 TIME_WAIT
    TCP df-office:1188 df-office:1025 TIME_WAIT
    TCP df-office:1207 df-office:1025 TIME_WAIT
    TCP df-office:1211 df-office:1025 TIME_WAIT
    TCP df-office:1030 209.164.35.117.ptr.us.xo.net:microsoft-ds ESTABLISHED
    TCP df-office:1037 207.46.249.56:http TIME_WAIT
    TCP df-office:1052 v4.windowsupdate.microsoft.com:http TIME_WAIT
    TCP df-office:1065 207.68.172.234:http TIME_WAIT
    TCP df-office:1208 eqnjadvip1.doubleclick.net:http TIME_WAIT
     
  2. Mephisto

    Mephisto Guest

    Time wait is what you should see IF you just recently visited some websites and the connection has not closed yet completely. Also the IP#'s showing are for Microsoft's Auto Update ... which will connect to Microsoft to look for updates at least a few times a day.

    The 1025 is the port number being used on your PC and the second number is the port number you are connected to on the Microsoft server (or website you visited).

    Established connections that do not change to Time Wait after you are idle for several minutes are what you want to look for (suspicious activity).

    From what I see you have nothing to worry about.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Just to add to Mephisto's comments, TCP connections will go through a variety of states.

    "A connection progresses through a series of states during its lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional because it represents the state when there is no TCB (Transmission Control Block), and therefore, no connection. Briefly the meanings of the states are:

    LISTEN - represents waiting for a connection request from any remote TCP and port.

    SYN-SENT - represents waiting for a matching connection request after having sent a connection request.

    SYN-RECEIVED - represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

    ESTABLISHED - represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

    FIN-WAIT-1 - represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

    FIN-WAIT-2 - represents waiting for a connection termination request from the remote TCP.

    CLOSE-WAIT - represents waiting for a connection termination request from the local user.

    CLOSING - represents waiting for a connection termination request acknowledgment from the remote TCP.

    LAST-ACK - represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).

    TIME-WAIT - represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.

    CLOSED - represents no connection state at all.

    A TCP connection progresses from one state to another in response to events. The events are the user calls, OPEN, SEND, RECEIVE, CLOSE, ABORT, and STATUS; the incoming segments, particularly those containing the SYN, ACK, RST and FIN flags; and timeouts."

    RFC 793

    Regards,

    CrazyM
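
An added example, not part of any post in this thread: a short Python triage of netstat output in the format posted above. It separates connections whose two ends are the same host from connections to remote hosts, counts each group by TCP state, and lists the remote ESTABLISHED entries, which are the ones Mephisto suggests re-checking after the machine has been idle. The function names are chosen for this example, and the sample is a five-line subset of the listing in the first post.

```python
import re
from collections import Counter

# Five lines taken from the listing in the first post (a subset, not the full dump).
SAMPLE = """\
TCP df-office:1025 df-office:1067 TIME_WAIT
TCP df-office:1064 df-office:1025 TIME_WAIT
TCP df-office:1030 209.164.35.117.ptr.us.xo.net:microsoft-ds ESTABLISHED
TCP df-office:1037 207.46.249.56:http TIME_WAIT
TCP df-office:1208 eqnjadvip1.doubleclick.net:http TIME_WAIT
"""

# proto, local host:port, remote host:port, state (netstat spells states with "_").
LINE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+([A-Z_0-9]+)\s*$")
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}


def parse(text):
    """Yield (local_host, local_port, remote_host, remote_port, state) tuples."""
    for line in text.splitlines():
        match = LINE.match(line)
        if match:  # headers, blank lines and UDP rows are skipped
            yield match.groups()


def triage(text):
    """Count same-host and remote connections by state and collect the
    remote ESTABLISHED entries for a second look once the machine is idle."""
    summary = {"local": Counter(), "remote": Counter(), "review": []}
    for lhost, lport, rhost, rport, state in parse(text):
        # Both ends on this machine: traffic between two local processes.
        same_host = rhost.lower() == lhost.lower() or rhost in LOOPBACK
        summary["local" if same_host else "remote"][state] += 1
        if not same_host and state == "ESTABLISHED":
            summary["review"].append(f"{lhost}:{lport} -> {rhost}:{rport}")
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("same-host:", dict(result["local"]))
    print("remote:   ", dict(result["remote"]))
    for entry in result["review"]:
        print("review:   ", entry)
```

Running it on two snapshots taken a few minutes apart and comparing the `review` lists shows which remote connections stay ESTABLISHED rather than moving on to TIME_WAIT.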
     