Archived from groups: comp.security.firewalls (More info?
Thanks for the suggestions.
I already have utilized netstat and a couple of other tools to discover all
open ports and running proceeses on the various machines in my network. No
active listeners on port 47519 - at least at the time I checked.
I'm wondering if this has anything to do with one of my kids running a file
share program (I know they've dabbled with Emule) on their PC. So that,
even if it's not running now, it's still a registered "active" connection in
the peer network via caching or something. But I could swear I thought all
those programs used ports in like the 4,000's and such.
I set up a syslog server so I could validate the connection attempts and not
just rely on the SonicWall logging report, and sure enough they show up.
Most of the connections (after I performed DNS on the IP's) seem to be
coming from various DSL and other home broadband networks.
My next step is to set up a sniffer and check the packets out...
"Don Kelloway" <email@example.com> wrote in message
> "JDB" <firstname.lastname@example.org> wrote in message
> > Recently installed a SonicWall TZ170 firewall in my home network
> > environment. Set up the log to record everything just so I could get
> > idea of traffic that was being dropped..
> > I now find that 90% of my log entries are of the following type:
> > TCP connection dropped 220.127.116.11, 63690, WAN
> > 47519, WAN Type: 47519
> > I x'd out my IP for obvious reasons.
> > My question is, I keep getting all these hits from various source IP's
> > port 47519. I have no clue what that port is or what the connect
> > are looking for. Is this possibly a file sharing program that one of
> > kids may be running?
> > Thanks..
> AFAIK TCP port 47519 is not currently listed for being associated with
> anything malicious. So what you may be seeing is either:
> A. various external clients (from as far away as Japan) attempting to
> probe for something new that has yet to make the lists
> B. various external clients (from as far away as Japan) attempting to
> connect to something that's making itself known for being available
> Regardless I would suggest that you attempt to discover if there's
> anything listening on this port. Better yet confirm everything that is
> currently listening on your PC. To accomplish this you can acquire and
> install a third-party utility or you can perform a couple of commands
> and review the results.
> To perform the latter with Windows XP, simply do the following:
> 1. Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO
> >C:\NETSTAT.TXT and press Enter.
> 2. Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC
> >C:\TASKLIST.TXT and press Enter.
> After performing each of the above a DOS window will open and close.
> When this occurs the system is creating a TXT file reflecting the
> results of running each command. The first txt file (netstat.txt)
> provides a listing of ports currently in use. The second txt file
> (tasklist.txt) provides a listing of all the processes that are running
> and their respective PID's.
> Next open both TXT files with Notepad. In the 'netstat.txt' file focus
> on the ports that are 'listening'. At the far right is a PID number
> that indicates what process is responsible for placing that port into a
> 'listening' state. Refer to the 'tasklist.txt' file to determine the
> process for the PID.
> Best regards, from Don Kelloway of Commodon Communications
> Visit http://www.commodon.com
to learn about the "Threats to Your
> Security on the Internet".