Different Local IP#s showing..?

Discussion in 'other firewalls' started by snapdragin, Nov 16, 2003.

Thread Status:
Not open for further replies.
  1. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Got a question...hope it doesn't sound too far out there, but this is baffling me.

    Right now i have my computer (XP-Home) directly connected to my cable modem (disconnected my router because of the constant renewing of IP#'s - i am still trying to sort through all that, but in the meantime i have disconnected my D-Link704P router). i do have Sygate 5 (free) running, and each time i have done the scans and tests for open ports, etc., i have passed and shown stealth (no ports open). i also have PortExplorer, and it isn't showing anything out of the norm.

    But when i looked at Sygate's Traffic Log, i noticed that there are quite a few different IP#'s listed under the Local IP column where "my" computer's IP usually shows, and the Remote Host column will be 0.0.0.0.

    My IP# starts with 24.xxx.xxx.xxx (cable). But under the Local IP column, i am seeing IP#'s in the ranges of 63.66.xxx.xxx, 207.xxx.xx.xx, 81.xx.xxx.xx, 195.xxx.xxx.xxx, etc. (all one right after the other)

    These are all TCP incoming, and Sygate is blocking them. The Remote ports involved seem to be 21024 to 21035, with a few lower ports listed there too, and the Local Ports range in the 2055+, 6346+, 30975+ range.

    i am still learning and trying to understand how to read and interpret firewall logs and the different connections that may show, but i do not ever recall seeing the above. i am sure it is probably something simple, but i would surely appreciate anyone explaining it to me in simple terms, if possible. :)

    Thank you firewall Gurus...where would i be without you!

    snap
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Snap

    Being connected directly to the modem, you are likely seeing a lot of traffic in your Sygate logs that you would not normally see when behind the router. Some cable connections (networks) can result in a lot of "noise" being seen in firewall logs.

    Do you have some sample complete log entries (direction, protocol, source/destination IP's/ports) of the ones you are concerned about? Just xxx out your WAN/public IP.

    Regards,

    CrazyM
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i can take a snip of the group (they seem to show in groups most of the time)...i have my logs set to just one day, but it fills up so fast i almost froze saving the most recent one to a doc file. i do know there are some problems between my cable modem and my ISP, and the release/renew of my connection seems to be going through when i have the router connected..and i am still seeing that even with the router removed. i am also seeing strange Host Names in the packet logs when there is a release/request. Maybe they name their DHCP servers?? but...some of these are full names (first and last).

    i can send you the doc i have saved of the one log i was able to save, but it is way too long to post, or i can just do a screen shot of the one section with the different IP#'s (hoping i don't reveal any IP # that shouldn't be).

    Thank you CrazyM
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You can always just post a snippet of the logs (or email me at the addy in my profile).

    Some of the local ports you mentioned may be associated to P2P/file sharing apps, which would not be unusual to see in your logs when you have dynamic IP's.

    Regards,

    CrazyM
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    This is just a -snip- of the one group from the Traffic Log (i have blocked out my computer's IP)

    i'll email you the doc of my PacketLog...it might tell you more?

    i am not using any P2P apps...and haven't opened my ICQ in a few days...rarely ever transfer files through it. My other computer is not networked with this one, and it's been off for a few days. But i must say...some of the full names i am seeing in the packet dumps...wow...i wonder if i should be seeing that much information??
     

  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    With dynamic IP's, if you inherit one from another subscriber to your ISP that was using P2P apps, you will see traffic that was intended for them. Not much you can do here. You can ignore it, knowing your firewall is blocking it. You could try a release/renew of your IP to change it and hopefully get one not previously associated to a P2P user. If your firewall was able to reject (provide a closed response) instead of dropping (stealth) these inbound packets, they would likely stop sooner, but I do not believe Sygate has this ability.

    A little info on TCP port 3531:

    PeerEnabler (JoltID product)
    bundled with KaZaA Media Desktop

    http://isc.incidents.org/port_details.html?port=3531

    Regards,

    CrazyM
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Snap,

    With regard to the tcp 3531 activity, that is associated with JoltID's p2pnetworking.exe which comes bundled with some versions of Kazaa. Given that you do not run it, it seems that your current IP recently belonged to someone that did run it and you are seeing the aftereffects.

    With regard to seeing the remote addresses under the local address field I am far less sure. It may be a misconfiguration or corruption of the firewall setup or it may indicate problems with the TCP/IP stack itself though I would be more inclined to think it is the former.

    If you are feeling adventurous, you might install a packet sniffer on your machine (such as Ethereal) and see if it shows the addresses in the remote IP fields and not in the local. It may be that you would have to temporarily disable your firewall though to see the packets within Ethereal.

    I'm sure others will follow along with more suggestions for you :)

    [Late Edit: Loool, I was too late again :) ]
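    Added example, not code from anyone in this thread: a small Python check over constructed Sygate-style Traffic Log lines that separates the two things discussed above, the display anomaly (a foreign address in the Local IP column with Remote Host 0.0.0.0, which points at the logging rather than an intrusion) and the inherited-IP leftover traffic (blocked inbound TCP clustering on a P2P port such as 3531, PeerEnabler). The column layout, the addresses and the host address 192.0.2.10 are constructed assumptions, not values from the thread.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address

# Constructed sample in a simplified Sygate-like Traffic Log layout (not a real log):
# direction,protocol,action,local_ip,local_port,remote_ip,remote_port
SAMPLE_LOG = """\
Incoming,TCP,Blocked,192.0.2.10,3531,203.0.113.5,21024
Incoming,TCP,Blocked,192.0.2.10,3531,203.0.113.9,21030
Incoming,TCP,Blocked,198.51.100.7,6346,0.0.0.0,21035
Incoming,TCP,Blocked,198.51.100.8,30975,0.0.0.0,21026
Outgoing,TCP,Allowed,192.0.2.10,2055,203.0.113.80,80
"""

# The one port named in the thread: TCP 3531 is PeerEnabler (JoltID, bundled with KaZaA).
KNOWN_P2P_PORTS = {3531: "PeerEnabler (JoltID)"}

@dataclass
class Entry:
    direction: str
    protocol: str
    action: str
    local_ip: IPv4Address
    local_port: int
    remote_ip: IPv4Address
    remote_port: int

def parse_log(text: str) -> list:
    """Parse the constructed comma-separated layout into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, p, a, lip, lport, rip, rport = line.split(",")
        entries.append(Entry(d, p, a, ip_address(lip), int(lport), ip_address(rip), int(rport)))
    return entries

def display_anomalies(entries, my_ips):
    """Entries whose Local IP is not ours, or whose Remote Host is 0.0.0.0: the symptom
    from the thread, worth checking against a packet capture rather than treating as an attack."""
    mine = {ip_address(i) for i in my_ips}
    return [e for e in entries if e.local_ip not in mine or e.remote_ip == ip_address("0.0.0.0")]

def inherited_p2p_summary(entries, my_ips):
    """Count blocked inbound TCP per targeted local port; a cluster on a P2P port right after
    a lease change is consistent with inheriting a previous subscriber's dynamic IP."""
    mine = {ip_address(i) for i in my_ips}
    counts = Counter(e.local_port for e in entries
                     if e.direction == "Incoming" and e.protocol == "TCP"
                     and e.action == "Blocked" and e.local_ip in mine)
    return {port: (n, KNOWN_P2P_PORTS.get(port, "unrecognised")) for port, n in counts.items()}
```

Run `inherited_p2p_summary(parse_log(SAMPLE_LOG), ["192.0.2.10"])` to see the per-port tally; the anomaly list is what you would compare with what Ethereal shows in its own source/destination fields.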
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Not at all, good point on the follow-up on how the IP's are being displayed in the logs :)

    Regards,

    CrazyM
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Oooo..this Ethereal sounds good!! Yep, i am game! Where do i find out more about this program? i do have TDS-3, TH, NOD, and the other necessary security apps....so i don't mind dropping my firewall long enough to learn more. ~dons protective helmet and holds the shield up~ LOL

    i was going to install Sygate 5.5 sooner or later anyways, but might as well learn a bit more before i close all the doors again. :D
    though i do feel a bit like taking a bath thinking i've got someone else's dirty packet laundry for an IP.

    i did try the release and renew manually...even shut down the modem for a good hour..but when i turned it back on and did the renew..i got back the same IP and i've had this one now for a few weeks. Not sure if it was better when i was constantly having the IP renewed with the router.

    i do think that some of the packet information i am seeing though in regard to the Host Names, may well be a site i am trying to connect to and if i idle too long, i go into that DHCP request. It is almost instantaneous but enough of a delay that the firewall logs it.

    Dan...do you have a link to this Ethereal program?

    CrazyM...thank you for taking the time to look at the doc file...sorry it was so long...hadn't realized just how long it was until after i sent it. oops..
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hummm.....it has the word "compile" on that page ROFL
    You know...there's gonna be another thread opening soon titled "Teach me how to use Ethereal"

    Meanwhile, i'll go read. LOL

    Thanks Dan!

    snap

    Oh yea! another guide! Thanks CrazyM...you read my mind. ;)
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    From the page Dan posted you need the Microsoft:Windows (Intel, 32-bit) page for ethereal-setup-0.9.16.exe, no compiling necessary, just run the .exe.

    If you do not already have it installed, you will also need WinPcap first.

    Regards,

    CrazyM
     
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Ah, thanks for pointing that out! I was under the impression that the latest versions included winpcap within the setup, but I think I was thinking of the newer versions of nmap.
     