outbound followed by inbound to unopened port

Discussion in 'ESET NOD32 Antivirus' started by chrizio, Feb 19, 2012.

Thread Status:
Not open for further replies.
  1. chrizio

    chrizio Guest

    ESET AV Home, the current main version, running on Windows XP behind a DSL router.
    Traffic monitor (part of Sunbelt Personal Firewall) shows, amongst others,
    the following traffic:
    (first) ekrn.exe sends a TCP packet to remote port 80, external IP, local port 1102
    (one minute later, however the time gap can vary) a TCP packet comes in. It comes from the same external IP into the same port from which the preceding outbound packet was sent out. However, the traffic monitor indicates this port
    as unopened. It looks like an answer to the preceding outbound packet.

    Which circumstance is bad here?
    a) packets are coming back from the same external IP
    or
    b) the local port is unopened, does not accept

    Or does all this have to be interpreted as a failure of the traffic monitor?


    One more observation:
    ekrn.exe is also sending TCP from a second port. This port is located very close to the port used in the issue described above. The numbers of these two local ports differ by 1. This outbound traffic goes to a different external IP (93.184.x.x; for the issue above it was 89.202.x.x) and is repeated after a few seconds, three times. However, in this case the traffic monitor does not indicate reply traffic, i.e. the same traffic parameters but reversed in direction. Where can the difference from the previous case come from?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined: Nov 22, 2002
    Posts: 14,374
    Unfortunately, it's not clear to me what issue you're having. Perhaps it's a question for the vendor of Traffic monitor (?)
     
  3. chrizio

    chrizio Guest

    I just have questions. One of the three facts listed in the thread's opening message
    must be suspicious. But which one?
    a) packets are coming back from the same external IP, or
    b) the local port is unopened, does not accept, or
    c) traffic monitor is indicating unopened port where inbound comes in
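
One way to triage the observation discussed in this thread, as an added example that is not part of any post: it pairs each inbound packet logged against an unopened port with an earlier outbound packet on the same local port and remote address. The record format, the 300-second window, local ports 1103 and 135, and the documentation-range IP addresses are assumptions constructed for illustration, not Sunbelt Personal Firewall output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int            # seconds since start of capture
    direction: str     # "out" or "in"
    process: str       # owning process, "" when no socket owns the port
    local_port: int
    remote_ip: str
    remote_port: int
    port_open: bool    # False = monitor reports "unopened port"

# Constructed sample records (hypothetical format, documentation-range IPs).
SAMPLE = [
    Event(0,  "out", "ekrn.exe", 1102, "198.51.100.10", 80, True),
    Event(5,  "out", "ekrn.exe", 1103, "203.0.113.7",   80, True),
    Event(8,  "out", "ekrn.exe", 1103, "203.0.113.7",   80, True),
    Event(60, "in",  "",         1102, "198.51.100.10", 80, False),
    Event(90, "in",  "",         135,  "192.0.2.99",    40000, False),
]

def classify_inbound(events, window=300):
    """Label each inbound packet that hit an unopened port.

    "late-reply": an outbound packet used the same local port and the same
    remote IP/port at most `window` seconds earlier.
    "unsolicited": no matching outbound flow was seen.
    """
    last_out = {}   # (local_port, remote_ip, remote_port) -> (ts, process)
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.local_port, ev.remote_ip, ev.remote_port)
        if ev.direction == "out":
            last_out[key] = (ev.ts, ev.process)
        elif not ev.port_open:
            seen = last_out.get(key)
            if seen and ev.ts - seen[0] <= window:
                results.append((ev, "late-reply", seen[1]))
            else:
                results.append((ev, "unsolicited", None))
    return results

if __name__ == "__main__":
    for ev, label, proc in classify_inbound(SAMPLE):
        print(ev.ts, ev.remote_ip, ev.local_port, label, proc or "-")
```
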
     