Strange Port Goings on !

Discussion in 'other firewalls' started by Spanner intheWorks, Apr 6, 2005.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Spanner,

    If you don't have a port-to-process mapper, try using TCPView and see what processes are involved.

    Nick
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    A port scanner and port/process mapper are two different things.
    Other port/process mappers you could look at:
    Port Explorer
    Vision
    Active Ports

    Without more detail we would only be guessing at what you might be seeing. Was what you posted the entire netstat results, or only part of it? Netstat has other switches/options available that will give more detailed results depending on your OS. Just type netstat ? at the command prompt to see the different switches (along with description) that are available to you.

    Regards,

    CrazyM
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Spanner,

    Port Explorer, TCPView, and TDImon are forensic tools used to monitor processes and their network activity over time. Initially, study the process lists and verify that their network activity serves a legitimate purpose. Most will be familiar to you (such as your browser, mail client, app updaters, Windows processes, web filters/proxies); pay attention to the ones that are not and monitor what they do. Gather information like the ports (local and remote) and addresses (local and remote) involved, listening status (acting as a server), and the protocol used (TCP, UDP).

    Nick
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The UDP entries associated to IE and localhost are a normal function of IE caching.

    Simply means the process is listening and there is no established connection to a foreign address:port (*:*)

    Regards,

    CrazyM
     
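    As an added example (not code from the thread or either poster), the inventory described in post 3 (local/remote ports and addresses, listening status, protocol) and post 4's point that a UDP foreign address of *:* means a listening socket with no established peer, built from a constructed `netstat -ano` capture; the sample lines and the PID-to-image table are assumptions, standing in for what a port/process mapper would supply.

```python
import re
from collections import defaultdict

# Constructed sample of Windows 'netstat -ano' output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.5:1044       64.233.160.1:80        ESTABLISHED     2412
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       2412
  UDP    127.0.0.1:1026         *:*                                    2412
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID -> image name table (what a port/process mapper or tasklist gives you).
SAMPLE_PROCESSES = {4: "System", 904: "svchost.exe", 2412: "iexplore.exe"}

# Proto, local addr:port, foreign addr:port, optional state (absent for UDP), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

def parse_netstat(text):
    """Return one dict per socket line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        # UDP rows carry no state column: a foreign address of *:* simply means
        # the socket is listening with no established peer (post 4 above).
        listening = (proto == "UDP" and faddr == "*") or state == "LISTENING"
        entries.append({"proto": proto, "local": (laddr, lport), "foreign": (faddr, fport),
                        "state": state or "", "pid": int(pid), "listening": listening})
    return entries

def inventory_by_process(entries, processes):
    """Group sockets by owning image so unfamiliar names stand out for review."""
    inv = defaultdict(list)
    for e in entries:
        inv["%s (pid %d)" % (processes.get(e["pid"], "UNKNOWN"), e["pid"])].append(e)
    return dict(inv)

def unknown_listeners(entries, processes):
    """Listening sockets whose PID is not in the known-process table."""
    return [e for e in entries if e["listening"] and e["pid"] not in processes]

if __name__ == "__main__":
    for e in unknown_listeners(parse_netstat(SAMPLE_NETSTAT), {4: "System"}):
        print("review:", e["proto"], "%s:%s" % e["local"], "pid", e["pid"])
```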
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Spanner,

    You're welcome :). Identifying opened ports may shed some light on connection obj. Quoting in part:

    "The Winsock API (implementation of BSD sockets API on Windows systems) is implemented on TCP/IP using the Afd driver, which uses the TDI (Transport Driver Interface) API to communicate with the TCP/IP driver.

    To implement an outgoing TCP connection, the Afd driver creates two TDI objects:
    a TDI address object
    a TDI connection object..."


    Nick
     
    Last edited: Apr 9, 2005