Archived from groups: comp.security.firewalls (
More info?)
Thanks for the suggestions.
I already have utilized netstat and a couple of other tools to discover all
open ports and running proceeses on the various machines in my network. No
active listeners on port 47519 - at least at the time I checked.
I'm wondering if this has anything to do with one of my kids running a file
share program (I know they've dabbled with Emule) on their PC. So that,
even if it's not running now, it's still a registered "active" connection in
the peer network via caching or something. But I could swear I thought all
those programs used ports in like the 4,000's and such.
I set up a syslog server so I could validate the connection attempts and not
just rely on the SonicWall logging report, and sure enough they show up.
Most of the connections (after I performed DNS on the IP's) seem to be
coming from various DSL and other home broadband networks.
My next step is to set up a sniffer and check the packets out...
Thanks...
"Don Kelloway" <dkelloway@commodon.com> wrote in message
news:l48Rc.14262$Jp6.11457@newsread3.news.atl.earthlink.net...
> "JDB" <jbelle@evitria.com> wrote in message
> news:10h9ka91dva9793@corp.supernews.com...
> > Recently installed a SonicWall TZ170 firewall in my home network
> > environment. Set up the log to record everything just so I could get
> an
> > idea of traffic that was being dropped..
> >
> > I now find that 90% of my log entries are of the following type:
> >
> > TCP connection dropped 221.119.213.184, 63690, WAN
> 24.155.81.xxx,
> > 47519, WAN Type: 47519
> >
> > I x'd out my IP for obvious reasons.
> >
> > My question is, I keep getting all these hits from various source IP's
> to
> > port 47519. I have no clue what that port is or what the connect
> attempts
> > are looking for. Is this possibly a file sharing program that one of
> my
> > kids may be running?
> >
> > Thanks..
> >
>
> AFAIK TCP port 47519 is not currently listed for being associated with
> anything malicious. So what you may be seeing is either:
>
> A. various external clients (from as far away as Japan) attempting to
> probe for something new that has yet to make the lists
>
> B. various external clients (from as far away as Japan) attempting to
> connect to something that's making itself known for being available
>
> Regardless I would suggest that you attempt to discover if there's
> anything listening on this port. Better yet confirm everything that is
> currently listening on your PC. To accomplish this you can acquire and
> install a third-party utility or you can perform a couple of commands
> and review the results.
>
> To perform the latter with Windows XP, simply do the following:
>
> 1. Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO
> >C:\NETSTAT.TXT and press Enter.
>
> 2. Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC
> >C:\TASKLIST.TXT and press Enter.
>
> After performing each of the above a DOS window will open and close.
> When this occurs the system is creating a TXT file reflecting the
> results of running each command. The first txt file (netstat.txt)
> provides a listing of ports currently in use. The second txt file
> (tasklist.txt) provides a listing of all the processes that are running
> and their respective PID's.
>
> Next open both TXT files with Notepad. In the 'netstat.txt' file focus
> on the ports that are 'listening'. At the far right is a PID number
> that indicates what process is responsible for placing that port into a
> 'listening' state. Refer to the 'tasklist.txt' file to determine the
> process for the PID.
>
>
> --
> Best regards, from Don Kelloway of Commodon Communications
> Visit
http://www.commodon.com to learn about the "Threats to Your
> Security on the Internet".
>
>