how do you display incoming and outgoing connections in wi..

Archived from groups: comp.security.firewalls

netstat lists listening servers.

But when a connection is established, how do I know which end the
server is on, i.e. whether I am running the server or not?

Active Ports has the same problem

Yes, sometimes you can tell from the port numbers - whether they are
low or high numbers.

But maybe I have some server (malicious against me or not) running on
a high port number for some reason. And a connection is established.
I want to know if the server is on my end.

I could port scan remotely to check / do an online port scan, or I could
see if my NAT device is port forwarding on that device. But isn't
there a prog that'll tell me? I'm surprised that netstat doesn't. But I
suppose to do that would require logging and remembering what happened
at the 3-way handshake.

I use the Windows firewall. I have heard that Sygate lists incoming
and outgoing connections, logging them. But I had Sygate crash on me,
and surely if I use a firewall I should use it for its intended purpose,
not just to log connections.

MS has a good port logging utility called "MS Port Reporter", but it
doesn't say which connections are incoming and which outgoing. And to
view the log is a hassle. (The file is not readable when the port
logger is on, so I either open a copy of the file or, as MS
recommends, stop the port logger!!!)


I guess it's beyond netstat or Active Ports, and within the realm of a
port logger. But is there a good one? MS Port Reporter is the only
one I found. I tried WallWatcher, but it is a bit odd, asking me what
my router is. Seems totally unnecessary, and a hassle to configure.
  1.

    Sorry, may as well disregard this post.

    I didn't realise that netstat -a will list an entry for LISTENING and
    ESTABLISHED, in the case of an incoming connection.

    Whereas for an outgoing connection, there is only an entry for
    ESTABLISHED.
  2.

    jameshanley39@yahoo.co.uk wrote:
    > sorry. may as well disregard this post.
    >
    > I didn't realise that netstat -a will list an entry for LISTENING and
    > ESTABLISHED, in the case of an incoming connection.
    >
    > Whereas for an outgoing connection, there is only an entry for
    > ESTABLISHED.

    Sorry 'bout this, that's wrong too.
    I don't understand these netstat results.

    Although I did have an outgoing connection with only an ESTABLISHED
    entry in netstat. If I do telnet www.htmlgoodies.com 80

    I get
    C:\>netstat -an | find ":80"
    TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
    TCP 192.168.0.2:2873 63.236.73.67:80 ESTABLISHED

    This result appears in the program Active Ports too.

    It's not like I'm running a web server.
    Art posted an article in post
    (lesqi19svl2uljc0k9fd5nsfmcvmp6nfa9@4ax.com) about a netstat bug, though.
    In that article (
    http://www.hsc.fr./ressources/breves/min_srv_res_win.en.html )

    netstat made it appear as if the server was running on the local port
    (>1024):

    C:\WINDOWS>netstat -anp tcp | find ":1367"
    TCP 0.0.0.0:1367 0.0.0.0:0 LISTENING
    TCP 192.70.106.142:1367 192.70.106.76:22 ESTABLISHED

    So maybe my results (the ones with find ":80") are a bug too that has
    been fixed in w2k3.

    So the question remains: how do I know which connections are incoming
    and which are outgoing?!! (since either an incoming or outgoing may
    have 2 entries). I'm looking for something more accurate than using
    port numbers as a guide.
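As an added example (not code from anyone in this thread), here is a small parser for the `netstat -an` lines quoted in the post above, together with the heuristic the post is trying out: treat an ESTABLISHED connection as inbound when its local port also has a LISTENING socket, otherwise as outbound. The two netstat outputs are embedded as constructed strings copied from the post. Run over them, the heuristic calls the htmlgoodies telnet session outbound but calls the SSH session from the hsc.fr article inbound, because of the stray LISTENING entry on port 1367, even though remote port 22 makes it plainly an outgoing SSH client; a snapshot of the socket table cannot settle the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One line of Windows "netstat -an" output, e.g.
#   TCP    192.168.0.2:2873    63.236.73.67:80    ESTABLISHED
# UDP lines carry no state column and "*" as the remote address/port.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.*]+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

# The two outputs quoted in the post above (constructed strings, same values).
HTMLGOODIES = """\
TCP    0.0.0.0:80            0.0.0.0:0            LISTENING
TCP    192.168.0.2:2873      63.236.73.67:80      ESTABLISHED
"""
HSC_ARTICLE = """\
TCP    0.0.0.0:1367          0.0.0.0:0            LISTENING
TCP    192.70.106.142:1367   192.70.106.76:22     ESTABLISHED
"""


@dataclass(frozen=True)
class Entry:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: Optional[int]   # None for the "*" of UDP lines
    state: str             # "" when netstat prints no state column


def parse_netstat(text: str) -> List[Entry]:
    """Parse netstat -an output; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        rport = None if m["rport"] == "*" else int(m["rport"])
        entries.append(Entry(m["proto"], m["laddr"], int(m["lport"]),
                             m["raddr"], rport, m["state"] or ""))
    return entries


ConnKey = Tuple[str, int, str, Optional[int]]


def guess_direction(entries: List[Entry]) -> Dict[ConnKey, str]:
    """The post's heuristic: an ESTABLISHED TCP connection whose local port
    also has a LISTENING socket is guessed 'inbound', otherwise 'outbound'.
    This is only a guess, as the second sample shows."""
    listening = {e.lport for e in entries
                 if e.proto == "TCP" and e.state == "LISTENING"}
    guesses: Dict[ConnKey, str] = {}
    for e in entries:
        if e.proto == "TCP" and e.state == "ESTABLISHED":
            key = (e.laddr, e.lport, e.raddr, e.rport)
            guesses[key] = "inbound" if e.lport in listening else "outbound"
    return guesses


def demo() -> Dict[str, Dict[ConnKey, str]]:
    """Apply the heuristic to both quoted outputs."""
    return {
        "htmlgoodies": guess_direction(parse_netstat(HTMLGOODIES)),
        "hsc_article": guess_direction(parse_netstat(HSC_ARTICLE)),
    }


if __name__ == "__main__":
    for name, guesses in demo().items():
        for (laddr, lport, raddr, rport), verdict in guesses.items():
            print(f"{name}: {laddr}:{lport} <-> {raddr}:{rport} guessed {verdict}")
```

The second verdict is wrong, and nothing in the socket table lets the code know that: the listener on 1367 and the connection from 1367 are unrelated sockets, exactly as the later posts in this thread work out for port 80 and inetinfo.exe.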
  3.

    On 18 Sep 2005 14:17:01 -0700, jameshanley39@yahoo.co.uk wrote:

    >So the question remains: how do I know which connections are incoming
    >and which are outgoing?!! (since either an incoming or outgoing may
    >have 2 entries). I'm looking for something more accurate than using
    >port numbers as a guide.

    I've not been following this thread from the beginning, so I apologize
    for jumping in out of the blue without knowing context. But Sygate's
    traffic log indicates the direction of all incoming and outgoing.

    Art

    http://home.epix.net/~artnpeg
  4.

    >port numbers as a guide.
    >
    > I've not been following this thread from the beginning, so I apologize
    > for jumping in out of the blue without knowing context. But Sygate's
    > traffic log indicates the direction of all incoming and outgoing.
    >
    > Art
    >
    > http://home.epix.net/~artnpeg
    >
    Yes, Sygate firewall logging is excellent. It lists all in/out
    connections and attempted connections plus much more. It is organized
    such that it is easy to read.
    Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
    used with Sygate.
    http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm
  5.

    Casey Klc wrote:
    > >port numbers as a guide.
    > >
    > > I've not been following this thread from the beginning, so I apologize
    > > for jumping in out of the blue without knowing context. But Sygate's
    > > traffic log indicates the direction of all incoming and outgoing.
    > >
    > > Art
    > >
    > > http://home.epix.net/~artnpeg
    > >
    > Yes, Sygate firewall logging is excellent. It lists all in/out
    > connections and attempted connections plus much more. It is organized
    > such that it is easy to read.
    > Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
    > used with Sygate.
    > http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

    Thanks, yeah, I noticed that Sygate has a great logging utility built
    in. I was using Sygate but I uninstalled it and went back to the
    Windows firewall, because Sygate crashed in a bad way.

    It seems overkill to use a software firewall just for that. But that
    may be the best option.

    Thanks.
  6.

    jameshanley39@yahoo.co.uk wrote:
    > So the question remains: how do I know which connections are incoming
    > and which are outgoing?!!

    If you have problems with Windows' netstat command, try TCPView:

    http://www.sysinternals.com/Utilities/TcpView.html

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on the "World Youth Day"
  7.

    Volker Birk wrote:
    > jameshanley39@yahoo.co.uk wrote:
    > > So the question remains: how do I know which connections are incoming
    > > and which are outgoing?!!
    >
    > If you have problems with Windows' netstat command, try TCPView:
    >
    > http://www.sysinternals.com/Utilities/TcpView.html
    >
    > Yours,
    > VB.
    > --

    Turns out not to be a bug in netstat. Results are the same in TCPView,
    Active Ports, and netstat. But I just noticed, when making an outgoing
    connection and looking at the 2 entries, that the process is different.

    telnet www.google.com 80

    process inetinfo.exe listens 0.0.0.0:80
    process telnet.exe established 192.168.0.2:1398, 66.102..:80

    I imagine that with an incoming connection, it'd still be 2 entries,
    but the process may be the same, e.g. ftpserver.exe listening and
    ftpserver.exe established. I can only test this when a friend comes
    online though!
  8.

    Iceman wrote:
    > On Sun, 18 Sep 2005 23:13:03 GMT, Casey Klc wrote in message
    > <MPG.1d97b01f3aca6cf19896c7@news.east.earthlink.net>:
    >
    > >Yes, Sygate firewall logging is excellent. It lists all in/out
    > >connections and attempted connections plus much more. It is organized
    > >such that it is easy to read.
    > >Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
    > >used with Sygate.
    > >http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm
    >
    > The Log Viewer really does little more than SPF itself. It's just
    > kind of bells and whistles.

    I'm glad to be notified of its existence, since it may be useful. If
    the log viewer were useless/pointless then you might have a valid
    objection, but you haven't made that case.
  9.

    On Sun, 18 Sep 2005 23:13:03 GMT, Casey Klc wrote in message
    <MPG.1d97b01f3aca6cf19896c7@news.east.earthlink.net>:

    >Yes, Sygate firewall logging is excellent. It lists all in/out
    >connections and attempted connections plus much more. It is organized
    >such that it is easy to read.
    >Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
    >used with Sygate.
    >http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

    The Log Viewer really does little more than SPF itself. It's just
    kind of bells and whistles.
  10.

    jameshanle...@yahoo.co.uk wrote:
    > Volker Birk wrote:
    > > jameshanley39@yahoo.co.uk wrote:
    > > > So the question remains: how do I know which connections are incoming
    > > > and which are outgoing?!!
    > >
    > > If you have problems with Windows' netstat command, try TCPView:
    > >
    > > http://www.sysinternals.com/Utilities/TcpView.html
    > >
    > > Yours,
    > > VB.
    > > --
    >
    > turns out not to be a bug in netstat. results are the same in TCPView,
    > Active Ports, and netstat. But I just noticed, when making an outgoing
    > connection looking at the 2 entries. The process is different.
    >
    > telnet www.google.com 80
    >
    > process inetinfo.exe listens 0.0.0.0:80
    > process telnet.exe established 192.168.0.2:1398, 66.102..:80
    >
    > I imagine that with an incoming connection, it'd still be 2 entries,
    > but the process may be the same, e.g. ftpserver.exe listening and
    > ftpserver.exe established. I can only test this when a friend comes
    > online though!

    For an incoming connection, there is only one entry involving whatever
    the TCP port is, e.g. port 21:
    ftpserver.exe ESTABLISHED connection.

    -
    So, I think the best way is to use a logger, and the best logger I've
    seen so far is within the Sygate firewall.
  11.

    jameshanley39@yahoo.co.uk wrote:
    > > http://www.sysinternals.com/Utilities/TcpView.html
    > turns out not to be a bug in netstat. results are the same in TCPView,
    > Active Ports, and netstat. But I just noticed, when making an outgoing
    > connection looking at the 2 entries. The process is different.
    > telnet www.google.com 80
    > process inetinfo.exe listens 0.0.0.0:80
    > process telnet.exe established 192.168.0.2:1398, 66.102..:80

    Hm... what happens if you telnet your own box on port 80? Are you
    getting a connection?

    > I imagine that with an incoming connection, it'd still be 2 entries,
    > but the process may be the same, e.g. ftpserver.exe listening and
    > ftpserver.exe established.

    This is OK.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on the "World Youth Day"
  12.

    Jason Edwards wrote:
    > <jameshanley39@yahoo.co.uk> wrote in message
    > news:1127177297.104068.317330@z14g2000cwz.googlegroups.com...
    > >
    > > Volker Birk wrote:
    > > > jameshanley39@yahoo.co.uk wrote:
    > > > > So the question remains: how do I know which connections are incoming
    > > > > and which are outgoing?!!
    > > >
    > > > If you have problems with Windows' netstat command, try TCPView:
    > > >
    > > > http://www.sysinternals.com/Utilities/TcpView.html
    > > >
    > > > Yours,
    > > > VB.
    > > > --
    > >
    > > turns out not to be a bug in netstat. results are the same in TCPView,
    > > Active Ports, and netstat.
    >
    > It will also be the same in anything which uses the same API. See
    > http://www.codeproject.com/csharp/iphlpapi.asp
    > There does not seem to be a way to determine whether a TCP connection was
    > made inbound or outbound.
    >
    > However, firewall software operating at a lower level should be able to get
    > the information you want. Note that it's also true that malware operating at
    > a lower level should be able to hide itself from both tcpview and your
    > firewall software.
    > So if you really want to be sure about what your box is talking to, you need
    > an external box to monitor the traffic, not a piece of software on your PC.
    >
    > Jason

    It should be easy for logging software to [have a feature added to]
    determine if a TCP connection is inbound or outbound. The logging
    software can easily read the transport layer stuff, just like it does
    to read the TCP port, and it can look at flags like SYN and ACK and
    remember who said what and when, and see whether it's incoming or
    outgoing. In fact, it just has to remember who sent the first packet,
    who initiated the connection. No doubt this is what Sygate's port
    logger does.

    A proggie like netstat or Active Ports or TCPView would not. It
    doesn't log, so it just sees frames coming in and out. It doesn't
    remember who initiated the connection. This stands in contrast to a
    port logger program, which is *meant* to 'have a memory for this sort
    of thing' and just 'neglects to use it'!
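The design described in the post above, as an added example that is not part of the original thread and not Sygate's code: a tracker that remembers who sent the bare SYN of each TCP connection, the way a host firewall's traffic log or a sniffer on a separate box (Jason's suggestion in the quoted text) would, and that answers "unknown" for any connection whose handshake it did not see. The addresses of the outbound case are the ones quoted earlier in the thread; the FTP client 192.168.0.5, the server 198.51.100.7 and all flag sequences are constructed for the example, and `Segment` is a stand-in for whatever a capture library hands you.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# TCP header flag bits.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (constructed stand-in for a pcap record)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def conn_key(seg: Segment) -> ConnKey:
    """Order-independent 4-tuple so both directions map to one connection."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


class DirectionTracker:
    """Remembers who initiated each connection: the sender of the first SYN
    (SYN set, ACK clear) is the client. Everything else is a lookup."""

    def __init__(self, local_addrs: Iterable[str]):
        self.local = frozenset(local_addrs)
        self.direction: Dict[ConnKey, str] = {}

    def feed(self, seg: Segment) -> str:
        key = conn_key(seg)
        if seg.flags & SYN and not seg.flags & ACK:
            src_local, dst_local = seg.src in self.local, seg.dst in self.local
            if src_local and dst_local:
                verdict = "loopback"      # both ends are us
            elif src_local:
                verdict = "outbound"      # we sent the SYN: we are the client
            elif dst_local:
                verdict = "inbound"       # SYN arrived at us: we run the server
            else:
                verdict = "transit"       # only seen from an external sniffer
            self.direction[key] = verdict
            return verdict
        verdict = self.direction.get(key, "unknown")
        if seg.flags & RST:
            # A reset ends the connection; forget it so the 4-tuple can be reused.
            self.direction.pop(key, None)
        return verdict


def demo() -> List[str]:
    """Replay a constructed capture from the point of view of 192.168.0.2."""
    t = DirectionTracker(["192.168.0.2"])
    seen = []
    # Outgoing "telnet www.htmlgoodies.com 80" from the thread: we send the SYN.
    seen.append(t.feed(Segment("192.168.0.2", 2873, "63.236.73.67", 80, SYN)))
    seen.append(t.feed(Segment("63.236.73.67", 80, "192.168.0.2", 2873, SYN | ACK)))
    seen.append(t.feed(Segment("192.168.0.2", 2873, "63.236.73.67", 80, ACK)))
    # A friend's FTP client (constructed address) connecting to our port 21.
    seen.append(t.feed(Segment("192.168.0.5", 1045, "192.168.0.2", 21, SYN)))
    seen.append(t.feed(Segment("192.168.0.2", 21, "192.168.0.5", 1045, SYN | ACK)))
    # Data on a connection set up before the tracker started (constructed
    # server 198.51.100.7): this is all a netstat snapshot ever sees.
    seen.append(t.feed(Segment("192.168.0.2", 1398, "198.51.100.7", 80, ACK)))
    return seen


def rst_demo() -> List[str]:
    """A reset evicts the connection; a later segment on the same 4-tuple is unknown."""
    t = DirectionTracker(["10.0.0.1"])
    return [
        t.feed(Segment("10.0.0.1", 40000, "10.0.0.2", 22, SYN)),
        t.feed(Segment("10.0.0.2", 22, "10.0.0.1", 40000, RST | ACK)),
        t.feed(Segment("10.0.0.1", 40000, "10.0.0.2", 22, ACK)),
    ]


if __name__ == "__main__":
    print(demo())      # ['outbound', 'outbound', 'outbound', 'inbound', 'inbound', 'unknown']
    print(rst_demo())  # ['outbound', 'outbound', 'unknown']
```

A real logger also ages entries out after FIN/FIN-ACK or on a timeout, or its table grows without bound; and, as Jason notes, a tracker running on the host itself sees only what the stack shows it, so for a box you do not trust the capture has to come from somewhere else.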
  13.

    <jameshanley39@yahoo.co.uk> wrote in message
    news:1127177297.104068.317330@z14g2000cwz.googlegroups.com...
    >
    > Volker Birk wrote:
    > > jameshanley39@yahoo.co.uk wrote:
    > > > So the question remains: how do I know which connections are incoming
    > > > and which are outgoing?!!
    > >
    > > If you have problems with Windows' netstat command, try TCPView:
    > >
    > > http://www.sysinternals.com/Utilities/TcpView.html
    > >
    > > Yours,
    > > VB.
    > > --
    >
    > turns out not to be a bug in netstat. results are the same in TCPView,
    > Active Ports, and netstat.

    It will also be the same in anything which uses the same API. See
    http://www.codeproject.com/csharp/iphlpapi.asp
    There does not seem to be a way to determine whether a TCP connection was
    made inbound or outbound.

    However, firewall software operating at a lower level should be able to get
    the information you want. Note that it's also true that malware operating at
    a lower level should be able to hide itself from both tcpview and your
    firewall software.
    So if you really want to be sure about what your box is talking to, you need
    an external box to monitor the traffic, not a piece of software on your PC.

    Jason

    > But I just noticed, when making an outgoing
    > connection looking at the 2 entries. The process is different.
    >
    > telnet www.google.com 80
    >
    > process inetinfo.exe listens 0.0.0.0:80
    > process telnet.exe established 192.168.0.2:1398, 66.102..:80
    >
    > I imagine that with an incoming connection, it'd still be 2 entries,
    > but the process may be the same, e.g. ftpserver.exe listening and
    > ftpserver.exe established. I can only test this when a friend comes
    > online though!
    >
  14.

    Volker Birk wrote:
    > jameshanley39@yahoo.co.uk wrote:
    > > > http://www.sysinternals.com/Utilities/TcpView.html
    > > turns out not to be a bug in netstat. results are the same in TCPView,
    > > Active Ports, and netstat. But I just noticed, when making an outgoing
    > > connection looking at the 2 entries. The process is different.
    > > telnet www.google.com 80
    > > process inetinfo.exe listens 0.0.0.0:80
    > > process telnet.exe established 192.168.0.2:1398, 66.102..:80
    >
    > Hm... what happens if you telnet your own box on port 80? Are you
    > getting a connection?

    Yes, I get a prompt.
    When I do telnet 127.0.0.1 80 <-- prompt
    When I do telnet 0.0.0.0 80 <-- no prompt.


    In fact, as soon as I've booted into Windows, regardless of whether I've
    opened my browser, I have the following processes running on the
    following ports.
    process        local address   listening ports
    inetinfo.exe   0.0.0.0         25, 80, 443, 1025, 3456
    svchost.exe    0.0.0.0         135, 1037, 3544
    svchost.exe    192.168.0.2     520, 1033
    tcpsvcs.exe    0.0.0.0         7, 9, 13, 17, 19, 7, 13, 17, 19
    system         192.168.0.2     138, 137, 139
    system         0.0.0.0         445, 445 (yep, twice, same process/PID!)



    > > I imagine that with an incoming connection, it'd still be 2 entries,
    > > but the process may be the same, e.g. ftpserver.exe listening and
    > > ftpserver.exe established.
    >

    As can be seen in my follow-up post, I was guessing wrongly. On an
    incoming FTP connection, I found that when I ran the server and a connection
    was established, nothing was listed as listening. This was because
    nothing was listening before and those processes are nothing to do with
    it!
    --

    All of those listening processes are independent of my outgoing and
    incoming connections. They are just there when Windows loads up. Thus,
    they won't tell me whether or not I'm making an incoming or outgoing
    connection. Whether or not a connection is incoming or outgoing is
    nothing to do with whether one of those built-in Windows processes is
    listening on a port. So, nothing to do with the number of entries.
  15.

    Volker Birk wrote:
    > jameshanley39@yahoo.co.uk wrote:
    > > > Hm... what happens if you telnet your own box on port 80? Are you
    > > > getting a connection?
    > > yes, I get a prompt.
    > > When I do telnet 127.0.0.1 80 <-- prompt
    >
    > There is a server running on your box, which is listening on port 80.
    > Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
    > and type in:
    >
    > GET /

    telnet 127.0.0.1 80

    <body><h2>HTTP/0.9 501 Not Implemented</h2></body>
    Connection to host lost.


    and if I telnet to 127.0.0.1 25,

    220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready
    at We
    d, 21 Sep 2005 01:22:59 +0100

    -
    I had some craziness like this occur once before. (I discovered some
    ghost-like hosts on my network, e.g. 192.168.2.0, that sort of thing;
    Sygate spotted it and prompted me. I discovered it was VMware. VMware
    was closed, but the VMware connection was enabled. As soon as I
    disabled the VMware connection, the ghost-like computer vanished. In
    that instance, the ghost-like computer was not the local host. No ARP
    entry for it either. It's not a WLAN. It's wired.)

    But I have disabled the VMware connection: Start.. Control Panel.. Network
    Connections.. right-clicked it and disabled it. The only enabled
    connection is my LAN. Maybe VMware is still playing games. You can see
    what processes it is that are listening.


    > > When I do telnet 0.0.0.0 80 <-- no prompt.
    >
    > Clear. That cannot work.

    OK, well, 127.0.0.1 is the address that only I can use; it addresses
    myself and doesn't go out the NW card.
    0.0.0.0 is another address listed by netstat and other port monitor
    proggies, but it also means this host. What's the diff? And if I can't
    connect to it, and other comps also have this address, who would/could
    connect to it?
  16.

    jameshanley39@yahoo.co.uk wrote:
    > > Hm... what happens if you telnet your own box on port 80? Are you
    > > getting a connection?
    > yes, I get a prompt.
    > When I do telnet 127.0.0.1 80 <-- prompt

    There is a server running on your box, which is listening on port 80.
    Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
    and type in:

    GET /

    > When I do telnet 0.0.0.0 80 <-- no prompt.

    Clear. That cannot work.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on the "World Youth Day"
  17.

    Volker Birk wrote:
    > jameshanley39@yahoo.co.uk wrote:
    > > > There is a server running on your box, which is listening on port 80.
    > > > Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
    > > > and type in:
    > > > GET /
    > > telnet 127.0.0.1 80
    > > <body><h2>HTTP/0.9 501 Not Implemented</h2></body>
    > > Connection to host lost.
    >
    > Yes, it's a Webserver running on your host. Now it's clear, why something
    > is listening on port 80: you're driving a Webserver there.
    >
    > > and if I telnet to 127.0.0.1 25,
    > > 220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready
    > > at We
    > > d, 21 Sep 2005 01:22:59 +0100
    >
    > Oh, and a SMTP server, too ;-)
    >
    > > > > When I do telnet 0.0.0.0 80 <-- no prompt.
    > > > Clear. That cannot work.
    > > k, well, 127.0.0.1 is the address that only I can use and addresses
    > > myself and doesn't go out the NW card.
    >
    > Yes, it's localhost. Try out the address of your network interface, too.
    >
    > > 0.0.0.0 is another address listed by netstat and other port monitor
    > > proggies. but it also means this host. What's the diff.
    >
    > If a process listens on 0.0.0.0, then this means, it listens on every
    > network interface of the box, including all physical interfaces and
    > localhost.
    >
    > > Who would/could
    > > connect to it?
    >
    > Everybody.

    Yep, seems like it: anybody on my LAN. So if I do port redirection on
    my NAT device, anybody can connect.

    And if my comp did have a public IP, or even public IPs, then no doubt
    anybody could connect. Makes sense.

    Thanks.
  18.

    jameshanley39@yahoo.co.uk wrote:
    > > There is a server running on your box, which is listening on port 80.
    > > Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
    > > and type in:
    > > GET /
    > telnet 127.0.0.1 80
    > <body><h2>HTTP/0.9 501 Not Implemented</h2></body>
    > Connection to host lost.

    Yes, it's a Webserver running on your host. Now it's clear, why something
    is listening on port 80: you're driving a Webserver there.

    > and if I telnet to 127.0.0.1 25,
    > 220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready
    > at We
    > d, 21 Sep 2005 01:22:59 +0100

    Oh, and a SMTP server, too ;-)

    > > > When I do telnet 0.0.0.0 80 <-- no prompt.
    > > Clear. That cannot work.
    > k, well, 127.0.0.1 is the address that only I can use and addresses
    > myself and doesn't go out the NW card.

    Yes, it's localhost. Try out the address of your network interface, too.

    > 0.0.0.0 is another address listed by netstat and other port monitor
    > proggies. but it also means this host. What's the diff.

    If a process listens on 0.0.0.0, then this means, it listens on every
    network interface of the box, including all physical interfaces and
    localhost.

    > Who would/could
    > connect to it?

    Everybody.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on the "World Youth Day"