how do you display incoming and outgoing connections in wi..

[Guest]

Archived from groups: comp.security.firewalls (More info?)

netstat lists listening servers.

But when a connection is established, how do I know which end the
server is on? whether I am running the server or not.

Active Ports has the same problem

Yes, sometimes you can tell from the port numbers - whether they are
low or high numbers.

but maybe i have some server (maliciously against me or not) running on
a high port number for some reason. And a connection is established.
I want to know if the server si on my end.

I could port scan remotely to check/do an onilne port scan, or I could
se if my NAT device is port forwarding on that device. But isn't
there a prog that'll tell me? i'm surpised that netstat doesn't. But I
suppose to do that would require logging and remembering what happened
at the 3 way handshake.

I use the windows firewall. I have heard that sygate lists incoming
and outgoing connections, logging them. But, I had sygate crash on me,
and surely if i use af irewall i should use it for its intendd purpose,
not just to log connections.

MS ha a good port logging utility called "MS Port reporter" but it
doesn't say wich connections are incoming and which outgoing. And to
view the log is a hassle. ( the file is not readable when the port
logger is on. so i either open a copy of the file, or as MS
recommends, stop the port logger!!!).


I guess it's beyond netstat or active ports. And within the realm of a
port logger. But, is there a good one? MS Port reporter is the only
one I found. I tried wallwatcher, but it is a bit odd, asking me what
my router is. seems totally unnecessary, and a hassle to configure.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

sorry. may as well disregard this post.

I didn't realise that netstat -a will list an entry for LISTENING and
ESTABLISHED, in the case of an incoming connection.

Whereas for an outgoing connection, there is only an entry for
ESTABLISHED.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> sorry. may as well disregard this post.
>
> I didn't realise that netstat -a will list an entry for LISTENING and
> ESTABLISHED, in the case of an incoming connection.
>
> Whereas for an outgoing connection, there is only an entry for
> ESTABLISHED.

sorry 'bout this. that's wrong too
I don't understand these netstat results.

Although I did have an outgoing connection eith only an ESTABLISHED
entry in netstat. If I do telnet www.htmlgoodies.com 80

I get
C:\>netstat -an | find ":80"
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 192.168.0.2:2873 63.236.73.67:80 ESTABLISHED

This result appears in the program Active Ports too.

It's not like i'm running a web server.
Art posted an article in post
(lesqi19svl2uljc0k9fd5nsfmcvmp6nfa9@4ax.com) about a netstat bug though
in that article (
http://www.hsc.fr./ressources/breves/min_srv_res_win.en.html )

netstat made it appear as if the server was running on the local port
(>1024)

C:\WINDOWS>netstat -anp tcp | find ":1367"
TCP 0.0.0.0:1367 0.0.0.0:0 LISTENING
TCP 192.70.106.142:1367 192.70.106.76:22 ESTABLISHED

So maybe my results (the ones with find ":80" are a bug too that has
been fixed in w2k3

So. THe question remains. how do I know which connections are incoming
and which are outgoing?!! (since either an incoming or outgoing may
have 2 entries). I'm looking for something mroe accurate than using
port numbers as a guide.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

On 18 Sep 2005 14:17:01 -0700, jameshanley39@yahoo.co.uk wrote:

>So. THe question remains. how do I know which connections are incoming
>and which are outgoing?!! (since either an incoming or outgoing may
>have 2 entries). I'm looking for something mroe accurate than using
>port numbers as a guide.

I've not been following this thread from the beginning, so I apologize
for jumping in out of the blue without knowing context. But Sygate's
traffic log indicates the direction of all incoming and outgoing.

Art

http://home.epix.net/~artnpeg

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

>port numbers as a guide.
>
> I've not been following this thread from the beginning, so I apologize
> for jumping in out of the blue without knowing context. But Sygate's
> traffic log indicates the direction of all incoming and outgoing.
>
> Art
>
> http://home.epix.net/~artnpeg
>
Yes, Sygate firewall logging is excellent. It list all in/out
connections and attempted connections plus much more. It is organized
such that it is easy to read.
Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
used with Sygate.
http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Casey Klc wrote:
> >port numbers as a guide.
> >
> > I've not been following this thread from the beginning, so I apologize
> > for jumping in out of the blue without knowing context. But Sygate's
> > traffic log indicates the direction of all incoming and outgoing.
> >
> > Art
> >
> > http://home.epix.net/~artnpeg
> >
> Yes, Sygate firewall logging is excellent. It list all in/out
> connections and attempted connections plus much more. It is organized
> such that it is easy to read.
> Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
> used with Sygate.
> http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

thanks, yeah, I noticed that sygate has a great logging utility built
in. I was using sygate but I uninstalled it and went back to the
windows firewall, because sygate crashed in a bad way.

It seems overkill to use a software firewall just for that. But, that
may be the best option.

thanks.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> So. THe question remains. how do I know which connections are incoming
> and which are outgoing?!!

If you have problems with Windows' netstat command, try TCPView:

http://www.sysinternals.com/Utilities/TcpView.html

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Volker Birk wrote:
> jameshanley39@yahoo.co.uk wrote:
> > So. THe question remains. how do I know which connections are incoming
> > and which are outgoing?!!
>
> If you have problems with Windows' netstat command, try TCPView:
>
> http://www.sysinternals.com/Utilities/TcpView.html
>
> Yours,
> VB.
> --

turns out not to be a bug in netstat. results are the same in TCPView,
Active Ports, and netstat. But I just noticed, when making an outgoing
connection looking at the 2 entries. The process is different.

telnet www.google.com 80

process inetinfo.exe listens 0.0.0.0:80
process telnet.exe established 192.168.0.2:1398, 66.102..:80

I imagine that with an incoming connection, it'd still be 2 entries,
but the process may the the same. e.g. ftpserver.exe listening, and
ftpserver.exe established. I can only test this when a friend comes
online though!

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Iceman wrote:
> On Sun, 18 Sep 2005 23:13:03 GMT, Casey Klc wrote in message
> <MPG.1d97b01f3aca6cf19896c7@news.east.earthlink.net>:
>
> >Yes, Sygate firewall logging is excellent. It list all in/out
> >connections and attempted connections plus much more. It is organized
> >such that it is easy to read.
> >Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
> >used with Sygate.
> >http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm
>
> The Log Viewer really does little more than SPF itself. It's just like
> kind of bells and whistles.

I'm glad to be notified of its existance, since it may be useful. If
the log viewer were useless/pointless then you might have a valid
objection, but you haven't made that case.

 

[Iceman]

Archived from groups: comp.security.firewalls (More info?)

On Sun, 18 Sep 2005 23:13:03 GMT, Casey Klc wrote in message
<MPG.1d97b01f3aca6cf19896c7@news.east.earthlink.net>:

>Yes, Sygate firewall logging is excellent. It list all in/out
>connections and attempted connections plus much more. It is organized
>such that it is easy to read.
>Also, there is free (Sygate) SPF Log Viewer v1.2 that can be
>used with Sygate.
>http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

The Log Viewer really does little more than SPF itself. It's just like
kind of bells and whistles.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jameshanle...@yahoo.co.uk wrote:
> Volker Birk wrote:
> > jameshanley39@yahoo.co.uk wrote:
> > > So. THe question remains. how do I know which connections are incoming
> > > and which are outgoing?!!
> >
> > If you have problems with Windows' netstat command, try TCPView:
> >
> > http://www.sysinternals.com/Utilities/TcpView.html
> >
> > Yours,
> > VB.
> > --
>
> turns out not to be a bug in netstat. results are the same in TCPView,
> Active Ports, and netstat. But I just noticed, when making an outgoing
> connection looking at the 2 entries. The process is different.
>
> telnet www.google.com 80
>
> process inetinfo.exe listens 0.0.0.0:80
> process telnet.exe established 192.168.0.2:1398, 66.102..:80
>
> I imagine that with an incoming connection, it'd still be 2 entries,
> but the process may the the same. e.g. ftpserver.exe listening, and
> ftpserver.exe established. I can only test this when a friend comes
> online though!

For an incoming connection, there is only one entry involving whatever
the tcp port eg port 21.
e.g. ftpserver.exe ESTABLISHED connection.

-
So, I think the best way is to use a logger. and the best logger i've
seen so far is within the sygate firewall.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> > http://www.sysinternals.com/Utilities/TcpView.html
> turns out not to be a bug in netstat. results are the same in TCPView,
> Active Ports, and netstat. But I just noticed, when making an outgoing
> connection looking at the 2 entries. The process is different.
> telnet www.google.com 80
> process inetinfo.exe listens 0.0.0.0:80
> process telnet.exe established 192.168.0.2:1398, 66.102..:80

Hm... what happens if you telnet your own box on port 80? Are you
getting a connection?

> I imagine that with an incoming connection, it'd still be 2 entries,
> but the process may the the same. e.g. ftpserver.exe listening, and
> ftpserver.exe established.

This is OK.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Jason Edwards wrote:
> <jameshanley39@yahoo.co.uk> wrote in message
> news:1127177297.104068.317330@z14g2000cwz.googlegroups.com...
> >
> > Volker Birk wrote:
> > > jameshanley39@yahoo.co.uk wrote:
> > > > So. THe question remains. how do I know which connections are incoming
> > > > and which are outgoing?!!
> > >
> > > If you have problems with Windows' netstat command, try TCPView:
> > >
> > > http://www.sysinternals.com/Utilities/TcpView.html
> > >
> > > Yours,
> > > VB.
> > > --
> >
> > turns out not to be a bug in netstat. results are the same in TCPView,
> > Active Ports, and netstat.
>
> It will also be the same in anything which uses the same API. See
> http://www.codeproject.com/csharp/iphlpapi.asp
> There does not seem to be a way to determine whether a TCP connection was
> made inbound or outbound.
>
> However, firewall software operating at a lower level should be able to get
> the information you want. Note that it's also true that malware operating at
> a lower level should be able to hide itself from both tcpview and your
> firewall software.
> So if you really want to be sure about what your box is talking to, you need
> an external box to monitor the traffic, not a piece of software on your PC.
>
> Jason

It should be easy for logging software to [have a feature added to]
determine if a TCP connection is inbound or outbound. The logging
software can easily read the transport layer stuff, just like is does
to read the TCP Port, and it can look at flags like SYN and ACK and
remember who said what and when, and see whether it's incoming or
outgoing. Infact, it just has to remember who sent the first packet,
who initiated the connection. No doubt this is what sygate's port
logger does.

A proggie like netstat or active oprts or tcpview, would not. It
doesn't log, so it just sees frames coming in and out. It doesn't
remember who initiated the connection. This stands in contrast to a
port logger program, which is *meant* to 'have a memory for this sort
of thing' and just 'neglects to use it'!

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

<jameshanley39@yahoo.co.uk> wrote in message
news:1127177297.104068.317330@z14g2000cwz.googlegroups.com...
>
> Volker Birk wrote:
> > jameshanley39@yahoo.co.uk wrote:
> > > So. THe question remains. how do I know which connections are incoming
> > > and which are outgoing?!!
> >
> > If you have problems with Windows' netstat command, try TCPView:
> >
> > http://www.sysinternals.com/Utilities/TcpView.html
> >
> > Yours,
> > VB.
> > --
>
> turns out not to be a bug in netstat. results are the same in TCPView,
> Active Ports, and netstat.

It will also be the same in anything which uses the same API. See
http://www.codeproject.com/csharp/iphlpapi.asp
There does not seem to be a way to determine whether a TCP connection was
made inbound or outbound.

However, firewall software operating at a lower level should be able to get
the information you want. Note that it's also true that malware operating at
a lower level should be able to hide itself from both tcpview and your
firewall software.
So if you really want to be sure about what your box is talking to, you need
an external box to monitor the traffic, not a piece of software on your PC.

Jason

> But I just noticed, when making an outgoing
> connection looking at the 2 entries. The process is different.
>
> telnet www.google.com 80
>
> process inetinfo.exe listens 0.0.0.0:80
> process telnet.exe established 192.168.0.2:1398, 66.102..:80
>
> I imagine that with an incoming connection, it'd still be 2 entries,
> but the process may the the same. e.g. ftpserver.exe listening, and
> ftpserver.exe established. I can only test this when a friend comes
> online though!
>

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Volker Birk wrote:
> jameshanley39@yahoo.co.uk wrote:
> > > http://www.sysinternals.com/Utilities/TcpView.html
> > turns out not to be a bug in netstat. results are the same in TCPView,
> > Active Ports, and netstat. But I just noticed, when making an outgoing
> > connection looking at the 2 entries. The process is different.
> > telnet www.google.com 80
> > process inetinfo.exe listens 0.0.0.0:80
> > process telnet.exe established 192.168.0.2:1398, 66.102..:80
>
> Hm... what happens if you telnet your own box on port 80? Are you
> getting a connection?

yes, I get a prompt.
When I do telnet 127.0.0.1 80 <-- prompt
When I do telnet 0.0.0.0 80 <-- no prompt.


infact, as soon as i've booted into windows, regardless whether i've
opened my browser, I have the following processes running on the
following ports.
local port - listening
inetinfo.exe 0.0.0.0 25,80,443,1025,3456
svchost.exe 0.0.0.0 135,1037,3544
svchost.exe 192.168.0.2 520,1033
tcpsvcs.exe 0.0.0.0 7,9,13,17,19,7,13,17,19
system 192.168.0.2 138,137,139
system 0.0.0.0 445,445 (yep, twice, same process/PID !)







[i/james wrote]
> > I imagine that with an incoming connection, it'd still be 2 entries,
> > but the process may the the same. e.g. ftpserver.exe listening, and
> > ftpserver.exe established.
>

as can be seen in my follow up post, i was guessing wrongly. On an
incoming ftp connection. I found that when I ran server and a connetion
was established, nothing was listed as listening. This was because
nothing was listening before and those processes are nothing to do with
it!
--

All of those listening processes are independent of my outgoing and
incoming conections. They are just there when windows loads up. Thus,
they won't tell me whether or not i'm making an incoming or outgoing
connection. Whether or not a connection is incoming or outgoing is
nothing to do with whether one of those built in windows procesesis
listening on a port. So, nothing to do with the number of entries.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Volker Birk wrote:
> jameshanley39@yahoo.co.uk wrote:
> > > Hm... what happens if you telnet your own box on port 80? Are you
> > > getting a connection?
> > yes, I get a prompt.
> > When I do telnet 127.0.0.1 80 <-- prompt
>
> There is a server running on your box, which is listening on port 80.
> Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
> and type in:
>
> GET /

telnet 127.0.0.1 80

<body><h2>HTTP/0.9 501 Not Implemented</h2></body>
Connection to host lost.


and if I telnet to 127.0.0.1 25,

220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready
at We
d, 21 Sep 2005 01:22:59 +0100

-
I had some crazyness like this occur once before, (I discovered some
ghostlike hosts on my network e.g. 192.168.2.0 that sort of thing,
sygate spotted it and prompted me. I discovered it was VMWARE. VMWare
was closed, but the VMWARE connection was enabled. As soon as i
disabled the VMWARe connection, the ghost like computer vanished. In
that instance, the ghost like computer was not the local host. No ARP
entry for it either. It's not a WLAN. It's wired.

But I have disabled the VMWARE connection. start..ctrl panel..NW
connections.. right clicked it and disabled it. The only enabled
connection is my LAN. Maybe VMWare is still playing games. You can see
what processes it is that are listening.


> > When I do telnet 0.0.0.0 80 <-- no prompt.
>
> Clear. That cannot work.

k, well, 127.0.0.1 is the address that only I can use and addresses
myself and doesn't go out the NW card.
0.0.0.0 is another address listed by netstat and other port monitor
proggies. but it also means this host. What's the diff. And if I can't
connect to it, and other comps also have this address. Who would/could
connect to it?

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> > Hm... what happens if you telnet your own box on port 80? Are you
> > getting a connection?
> yes, I get a prompt.
> When I do telnet 127.0.0.1 80 <-- prompt

There is a server running on your box, which is listening on port 80.
Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
and type in:

GET /

> When I do telnet 0.0.0.0 80 <-- no prompt.

Clear. That cannot work.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

Volker Birk wrote:
> jameshanley39@yahoo.co.uk wrote:
> > > There is a server running on your box, which is listening on port 80.
> > > Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
> > > and type in:
> > > GET /
> > telnet 127.0.0.1 80
> > <body><h2>HTTP/0.9 501 Not Implemented</h2></body>
> > Connection to host lost.
>
> Yes, it's a Webserver running on your host. Now it's clear, why something
> is listening on port 80: you're driving a Webserver there.
>
> > and if I telnet to 127.0.0.1 25,
> > 220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready
> > at We
> > d, 21 Sep 2005 01:22:59 +0100
>
> Oh, and a SMTP server, too ;-)
>
> > > > When I do telnet 0.0.0.0 80 <-- no prompt.
> > > Clear. That cannot work.
> > k, well, 127.0.0.1 is the address that only I can use and addresses
> > myself and doesn't go out the NW card.
>
> Yes, it's localhost. Try out the address of your network interface, too.
>
> > 0.0.0.0 is another address listed by netstat and other port monitor
> > proggies. but it also means this host. What's the diff.
>
> If a process listens on 0.0.0.0, then this means, it listens on every
> network interface of the box, including all physical interfaces and
> localhost.
>
> > Who would/could
> > connect to it?
>
> Everybody.

yep, seems like it. anybody on my LAN. so if I do port redirection on
my NAT device, anybody can connect.

and if my comp did have a public IP or even public IPs, then no doubt
anybody oculd connect makes sense.

thanks.

 

[Guest]

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> > There is a server running on your box, which is listening on port 80.
> > Perhaps it's a webserver. To try this out, telnet 127.0.0.1 80
> > and type in:
> > GET /
> telnet 127.0.0.1 80
> <body><h2>HTTP/0.9 501 Not Implemented</h2></body>
> Connection to host lost.

Yes, it's a Webserver running on your host. Now it's clear, why something
is listening on port 80: you're driving a Webserver there.

> and if I telnet to 127.0.0.1 25,
> 220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready
> at We
> d, 21 Sep 2005 01:22:59 +0100

Oh, and a SMTP server, too ;-)

> > > When I do telnet 0.0.0.0 80 <-- no prompt.
> > Clear. That cannot work.
> k, well, 127.0.0.1 is the address that only I can use and addresses
> myself and doesn't go out the NW card.

Yes, it's localhost. Try out the address of your network interface, too.

> 0.0.0.0 is another address listed by netstat and other port monitor
> proggies. but it also means this host. What's the diff.

If a process listens on 0.0.0.0, then this means, it listens on every
network interface of the box, including all physical interfaces and
localhost.

> Who would/could
> connect to it?

Everybody.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"