Archived from groups: microsoft.public.windowsxp.basics (
More info?)
To answer your question, the 3rd column is the action. Open means a
port was opened. If a dropped packet was inbound, it might have been
pests wandering the Internet, probes wandering the Internet, or just
background noise (e.g. broadcast messages) on the Internet. Like radio
broadcasts, broadcast messages are intended for everybody, but no
individual in particular. Among other reasons, outbound packets might
be dropped if an outbound communication request was made (e.g. request
for email or a web page) with no connection to the Internet, or if a
request was redirected internally and could not be resolved.
TCP and UDP are communication protocols you will often see in a log.
ICMP is a protocol used by Ping and Tracert. Ping does not use TCP or UDP.
Addresses on the Internet (IP addresses) are the 4 numbers separated by
dots. The first IP address is the source IP address, and the second IP
address is the destination. Among many others, addresses starting with
192.168 are internal inside your PC, not external. So all 5 packets
originated internally, and the first 3 had internal destinations.
the last 2 numbers are the port number used by the source system, and
the port number used by the target system, respectively. Sometimes your
PC is the source, and sometimes your PC is the target, depending on
whether your PC is sending or receiving the transmission. Port 80 is
used by Internet browsers for communicating in HTTP protocol. Port 53
is used to communicate with a DNS server (that translates www addresses
into IP addresses that computers understand). The meaning of other
TCP/UDP ports can be found at
http://www.iana.org/assignments/port-numbers
You can quickly find your own IP address by clicking on the icon in the
lower right that looks 2 monitors (if you have 2 icons like this, it's
the one that shows the name of your Internet connection, when you rest
your mouse pointer on it.), and clicking the tab labeled Details.
As your firewall log grows, you will see that most dropped packets are
just background noise, or pests and probes that wander and search the
Internet looking for an opportunity (but not you or any particular
individual). If something/somebody were specifically targeting you for
an attack, you would likely see a sudden series of many dropped packets
from the same external IP address, using many different ports.
http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp
Switching to one of the firewalls recommended in this article is very
good advice. Go with ZoneAlarm if you love to learn and are not
impatient with learning curves.
After installing TrendMicro's security suite and dropping XP's firewall,
i found that TrendMicro's initial settings left some ports on my PC
visible (open or closed) to predators on the internet, before i figured
out how to make them invisible. which ports were visible depended on
whether i was running with XP SP1 or SP2.
TrendMicro's security suite and the purchased versions of ZoneAlarm have
many other nice, additional features. TrendMicro's security suite has a
very good antivirus component, along with Wi-Fi and personal data
protection, though the spyware component had poor results in the tests
cited in the article. ZoneAlarm is much more versatile (herein lies the
learning curve) in allowing you to allow/disallow inbound requests
depending on IP address, and in filtering different types of cookies and
different types of mobile code (ActiveX, VBscript, Java script, etc.) on
a website-by-website basis.
Rick Merrill wrote:
> I find that in C:\windows there is a
> "pfirewall.log" that gets bigger (>6MB) - I can stop the firewall and
> delete the file the restart the firewall.
>
> The log contains entries like
> 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - -
> - - - - - RECEIVE
> 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - -
> - - - - - RECEIVE
> 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - -
> - - - - - RECEIVE
> 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - -
> - - - -
> 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - -
> - - - -
>
> What do these entries mean? Is a "drop" a putative attack?!
>
> Rick
> Merrill
Facebook
Twitter
Instagram