Are ports reported OPEN really OPEN?

Discussion in 'Port Explorer' started by Bruno H, May 25, 2003.

Thread Status:
Not open for further replies.
  1. Bruno H

    Bruno H Registered Member

    Joined:
    May 24, 2003
    Posts:
    3
    Location:
    Oceanside, California
    Hi,

    Please help me out here. I am a registered user of PE 1.62. When I was evaluating this software, I noticed a few anomalies which I still see. I also read an explanation as to the reason... which still baffles me. So here goes again ;-)

    1. PE reports certain TCP ports as "Established".
    2. TCP-View reports those ports as "listening" and NOT "established". For me, these have two different meanings.
    3. CommView 4.x lists no activity on these ports.

    Thus, what does "Established" mean in PE? (Last time I asked, I understood the reply as it was Established from an "historical" point of view).

    I have attached a small TEXT file, which is a copy of PE's log as reference. The ports that are listed as "Established" are NOT.

    By the way, I do know that these are used in the Microsoft auto-update process. My question is not related to the use of these ports but to PE's reporting.

    Thanks in advance!
     

  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.wilderssecurity.com/showthread.php?t=7848;start=msg52409#msg52409
    Hi Bruno,
    in this thread Jason explained it very clearly;
    Jason also wrote in the release notes of 1620 that work is being done on refining this situation to give the best status indication possible.
     
  3. Bruno H

    Bruno H Registered Member

    Joined:
    May 24, 2003
    Posts:
    3
    Location:
    Oceanside, California
    Hmm... I must be missing something very obvious here. Jason's responses referred to UDP packets and PE's ability to track them... that I understood.

    My question is more basic in that PE reports "TCP" ports as "Established" (i.e. connected) while they are not. CommView 4.x confirms this and so do other applications I have.

    The PE Help file tells me (example): "The status says ESTABLISHED, so we know that the connection is currently alive and established." yet I do not see any active connection, only historical. PE normally removes connections that are no longer active.

    Thus, what does PE mean when it reports that TCP Port x is "Established"? In my previous attachment, you can see that it was referring to TCP port 80... not to UDP ports.

    Sorry if I missed the obvious... please bear with me ;-)
     
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Bruno, if you are using v1.620 then it should be somewhat different to earlier versions. I now grab the status information off Windows instead of coming up with my own (somewhat more accurate) status readings. I did this because Windows has a lot of really weird statuses, SYN_SENT_1, etc., that were impossible for me to detect. So if CommView or whatever is reporting otherwise, they must be incorrect, since as of v1.600 or v1.620 Port Explorer now uses Windows to grab the status of the socket... As I said before, the status of the socket will rarely show you any useful information, and lots of programs would use their own terminology in coming up with socket status (as I did).

    The only TRUE thing you should compare these sorts of programs to is "netstat -an" which is run at the command prompt. Remember the important things though, 1) status isn't THAT important, 2) windows incorrectly REPORTS some status operations itself, 3) Lots of programs have different ways of reporting the status.

    *edit* BTW in that logfile you provided, those TCP sockets are CONNECTED and hence should show as established (as can be seen by the sent/recv data)... I'd like to know what TCPView or whatever program you used showed instead :)

    -Jason-
     
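As an added example (not code from the thread, from Port Explorer, or from DiamondCS), the following Python script does the comparison Jason recommends: it parses `netstat -an` output in the Windows column layout and checks another tool's per-port state claims against it, flagging where the two disagree or where netstat has no such socket at all. The netstat text and the second tool's report are constructed sample data; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Windows "netstat -an" output; not taken from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1234       207.46.1.1:80          ESTABLISHED
  TCP    192.168.1.5:1235       207.46.1.1:80          TIME_WAIT
  TCP    192.168.1.5:1236       207.46.1.1:80          CLOSE_WAIT
  UDP    0.0.0.0:500            *:*
"""

# One socket line: proto, local addr:port, foreign addr:port, optional state.
# UDP lines carry no state column and show "*:*" as the foreign address.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_0-9]+))?\s*$"
)


def _port(text):
    """'*' (UDP wildcard) becomes None; anything else is a numeric port."""
    return None if text == "*" else int(text)


def parse_netstat(text):
    """Parse netstat -an text into socket dicts; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        sockets.append({
            "proto": proto,
            "local": (laddr, _port(lport)),
            "foreign": (faddr, _port(fport)),
            "state": state or "NONE",  # UDP is connectionless, so no state
        })
    return sockets


def states_by_local_port(sockets):
    """Map (proto, local port) -> Counter of the states netstat shows for it."""
    table = defaultdict(Counter)
    for s in sockets:
        table[(s["proto"], s["local"][1])][s["state"]] += 1
    return table


def reconcile(tool_report, sockets):
    """Check another tool's (proto, local port, state) claims against netstat.

    Returns (proto, port, claimed state, verdict) tuples; the verdict is
    "agrees", "absent" (netstat has no socket on that port) or
    "disagrees: <states netstat actually shows>".
    """
    table = states_by_local_port(sockets)
    verdicts = []
    for proto, port, claimed in tool_report:
        seen = table.get((proto, port))
        if not seen:
            verdict = "absent"
        elif claimed in seen:
            verdict = "agrees"
        else:
            verdict = "disagrees: " + ",".join(sorted(seen))
        verdicts.append((proto, port, claimed, verdict))
    return verdicts


if __name__ == "__main__":
    # Constructed report from a hypothetical second tool; one claim is wrong
    # and one names a port netstat does not list at all.
    TOOL_REPORT = [
        ("TCP", 1234, "ESTABLISHED"),
        ("TCP", 135, "ESTABLISHED"),
        ("TCP", 9999, "ESTABLISHED"),
    ]
    for row in reconcile(TOOL_REPORT, parse_netstat(SAMPLE_NETSTAT)):
        print(*row)
```

To use it on a live machine, capture `netstat -an` to a file and pass its contents to `parse_netstat` in place of the sample; the reconcile step is keyed on local port only, so a tool that reports by remote port (as Bruno's port 80 entries do) would need its rows translated first.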