Many "No application listening on the port" events

Discussion in 'ESET Smart Security' started by Valistar, Jan 26, 2012.

Thread Status:
Not open for further replies.
  1. Valistar (Registered Member)

    Joined: Jan 26, 2012 | Posts: 1 | Location: USA

    Recently (today) my firewall log has been flooded with "No application listening on the port", with the occasional "TCP packet not belonging to any open connection." I receive these events for basically every connection. They are not malicious; the source IPs are all expected sources. When I go to Google, I get several events with the source being Google's IP, and so on. (For instance, the events occurring around 6:08 are me registering for these forums.) It isn't just web browsing. All connections spawn these events.

    Code:
    1/26/2012 6:10:40 PM	No application listening on the port	166.137.14.29:45497	69.176.145.35:40078	UDP			
    1/26/2012 6:10:38 PM	No application listening on the port	166.137.14.29:45497	69.176.145.35:40078	UDP			
    1/26/2012 6:09:43 PM	No application listening on the port	50.103.231.184:24587	69.176.145.35:40078	UDP			
    1/26/2012 6:09:39 PM	No application listening on the port	50.103.231.184:24587	69.176.145.35:40078	UDP			
    1/26/2012 6:09:37 PM	No application listening on the port	50.103.231.184:24587	69.176.145.35:40078	UDP			
    1/26/2012 6:08:54 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51268	TCP			
    1/26/2012 6:08:54 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51270	TCP			
    1/26/2012 6:08:53 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51271	TCP			
    1/26/2012 6:08:53 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51269	TCP			
    1/26/2012 6:08:52 PM	No application listening on the port	66.227.46.190:80	69.176.145.35:51267	TCP			
    1/26/2012 6:08:18 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51256	TCP			
    1/26/2012 6:08:17 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51255	TCP			
    1/26/2012 6:08:12 PM	TCP packet not belonging to any open connection	66.227.46.190:80	69.176.145.35:51253	TCP			
    1/26/2012 6:08:12 PM	No application listening on the port	115.186.157.153:22474	69.176.145.35:40078	UDP			
    1/26/2012 6:08:11 PM	No application listening on the port	94.193.255.30:6881	69.176.145.35:44686	UDP			
    1/26/2012 6:08:07 PM	No application listening on the port	115.186.157.153:22474	69.176.145.35:40078	UDP			
    1/26/2012 6:08:03 PM	No application listening on the port	115.186.157.153:22474	69.176.145.35:40078	UDP			
    1/26/2012 6:08:02 PM	No application listening on the port	71.13.229.228:35284	69.176.145.35:40078	UDP			
    1/26/2012 6:08:01 PM	No application listening on the port	98.234.217.30:55722	69.176.145.35:40078	UDP			
    1/26/2012 6:07:58 PM	No application listening on the port	71.13.229.228:35284	69.176.145.35:40078	UDP			
    1/26/2012 6:07:57 PM	No application listening on the port	98.234.217.30:55722	69.176.145.35:40078	UDP			
    1/26/2012 6:07:55 PM	No application listening on the port	98.234.217.30:55722	69.176.145.35:40078	UDP			
    1/26/2012 6:06:57 PM	No application listening on the port	24.242.51.102:16322	69.176.145.35:40078	UDP			
    1/26/2012 6:06:53 PM	No application listening on the port	24.242.51.102:16322	69.176.145.35:40078	UDP			
    1/26/2012 6:06:51 PM	No application listening on the port	24.242.51.102:16322	69.176.145.35:40078	UDP			
    1/26/2012 6:05:24 PM	No application listening on the port	71.13.229.228:24986	69.176.145.35:40078	UDP			
    1/26/2012 6:05:20 PM	No application listening on the port	71.13.229.228:24986	69.176.145.35:40078	UDP			
    1/26/2012 6:05:18 PM	No application listening on the port	71.13.229.228:24986	69.176.145.35:40078	UDP			
    1/26/2012 6:04:04 PM	No application listening on the port	67.166.205.205:26371	69.176.145.35:40078	UDP			
    1/26/2012 6:04:00 PM	No application listening on the port	67.166.205.205:26371	69.176.145.35:40078	UDP			
    1/26/2012 6:03:58 PM	No application listening on the port	67.166.205.205:26371	69.176.145.35:40078	UDP			
    1/26/2012 6:03:54 PM	No application listening on the port	67.164.117.232:55980	69.176.145.35:40078	UDP			
    1/26/2012 6:03:50 PM	No application listening on the port	67.164.117.232:55980	69.176.145.35:40078	UDP			
    1/26/2012 6:03:48 PM	No application listening on the port	67.164.117.232:55980	69.176.145.35:40078	UDP			
    1/26/2012 6:02:49 PM	No application listening on the port	39.45.227.195:38692	69.176.145.35:40078	UDP			
    1/26/2012 6:02:46 PM	No application listening on the port	39.45.227.195:38692	69.176.145.35:40078	UDP			
    1/26/2012 6:02:19 PM	No application listening on the port	98.234.217.30:55136	69.176.145.35:40078	UDP			
    1/26/2012 6:02:15 PM	No application listening on the port	98.234.217.30:55136	69.176.145.35:40078	UDP			
    1/26/2012 6:02:13 PM	No application listening on the port	98.234.217.30:55136	69.176.145.35:40078	UDP			
    1/26/2012 6:01:55 PM	No application listening on the port	74.125.113.101:80	69.176.145.35:51212	TCP			
    1/26/2012 6:01:43 PM	TCP packet not belonging to any open connection	17.173.66.48:443	69.176.145.35:51174	TCP			
    1/26/2012 6:01:24 PM	Communication denied by rule	69.176.145.35:137	17.173.66.48:137	UDP	Block NETBIOS Name Service requests	System	
    
    I believe the application that should be listening to all of these connections is svchost.exe, as it no longer appears in my list of network connections in ESET which is unusual. Haven't a clue though what would have stopped it. I haven't made any changes to my system, or ESET except I believe a virus definition update earlier today for ESET.
    Edit: svchost.exe is back in my network connections list after a restart or three. Events continue. Quite a few NETBIOS denied events when I boot up, in line with the default rule, but I don't see how that would be connected.


    Once this all started, I ran through all the things I could find through Google, including getting a pre-release build, deleting all the rules related to svchost.exe (the firewall is in learning mode. Automatic mode has no effect on the events), making sure settings are correct.

    Should my external IP be in the trusted zone? Adding it doesn't fix the problem, just wondered as my ISP recently made some changes to their infrastructure that might've goofed things up. Right now the trusted zone contains only local network IPs. Just throwing things at the wall and hoping they stick, at this point. As an aside, this doesn't appear to be causing any problems (except with a new program, but that's probably just something else configured incorrectly) but it's obviously not desired functionality.
     
    Last edited: Jan 27, 2012
  2. foneil (Eset Staff Account)

    Joined: Dec 7, 2010 | Posts: 255 | Location: San Diego

    These messages mean that there is inbound traffic attempting to communicate on ports where no application is listening to accept the traffic. There can be a wide number of causes, from an issue with the ISP or even improper port forwarding set up on the router. These entries can be seen fairly often when perusing firewall logs for other issues and in those cases, just as in this one, they do not cause any adverse effects.

    Because the software firewall is monitoring all network traffic in and out of the system, this is simply working as intended.
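
A way to triage a flood of these entries, added here as an example (it is not part of any post in this thread and is not ESET code): group the rows by event, protocol and local port, then list local ports that several distinct hosts are contacting, which are the ones to compare against router port forwards. It assumes the tab-separated layout shown in the first post; the rows, the header row, the function names and the three-source threshold are constructed for illustration.

```python
from collections import defaultdict

NO_APP = "No application listening on the port"
STRAY = "TCP packet not belonging to any open connection"
# Constructed rows in the thread's layout (time, event, source, target, protocol);
# addresses are documentation ranges, and the header row is an assumption.
ROWS = [
    ("Time", "Event", "Source", "Target", "Protocol"),
    ("1/26/2012 6:10:40 PM", NO_APP, "198.51.100.7:45497", "203.0.113.5:40078", "UDP"),
    ("1/26/2012 6:10:38 PM", NO_APP, "198.51.100.7:45497", "203.0.113.5:40078", "UDP"),
    ("1/26/2012 6:09:43 PM", NO_APP, "198.51.100.22:24587", "203.0.113.5:40078", "UDP"),
    ("1/26/2012 6:08:12 PM", NO_APP, "192.0.2.14:22474", "203.0.113.5:40078", "UDP"),
    ("1/26/2012 6:08:54 PM", STRAY, "192.0.2.80:80", "203.0.113.5:51268", "TCP"),
    ("1/26/2012 6:08:52 PM", NO_APP, "192.0.2.80:80", "203.0.113.5:51267", "TCP"),
]
SAMPLE_LOG = "\n".join("\t".join(r) + "\t\t\t" for r in ROWS)

def parse_line(line):
    """Split one tab-separated row; return None for rows that do not fit."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < 5:
        return None
    try:
        src_ip, src_port = cols[2].rsplit(":", 1)
        _, dst_port = cols[3].rsplit(":", 1)
        return cols[1], cols[4], src_ip, int(src_port), int(dst_port)
    except ValueError:  # header row or a cell without ip:port
        return None

def summarize(text):
    """Group by (event, protocol, local port): hits, distinct sources, low source ports."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "server_ports": set()})
    for row in filter(None, map(parse_line, text.splitlines())):
        event, proto, src_ip, src_port, dst_port = row
        g = groups[(event, proto, dst_port)]
        g["hits"] += 1
        g["sources"].add(src_ip)
        if src_port < 1024:  # traffic coming back from a well-known service port
            g["server_ports"].add(src_port)
    return groups

def fixed_port_targets(groups, min_sources=3):
    """Local ports contacted by at least min_sources distinct remote hosts."""
    return sorted({port for (_, _, port), g in groups.items()
                   if len(g["sources"]) >= min_sources})

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        print(g["hits"], "hits from", len(g["sources"]), "hosts:", *key)
```
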
     
  3. Marcos (Eset Staff Account)

    Joined: Nov 22, 2002 | Posts: 14,376

    Make sure that logging of blocked connections is disabled in the IDS setup. This option should only be enabled while troubleshooting certain connection issues.
     