How do you display incoming and outgoing connections in Windows?

netstat lists listening servers.

But when a connection is established, how do I know which end the server is on, i.e. whether I am running the server or not?

Active Ports has the same problem.

Yes, sometimes you can tell from the port numbers - whether they are low or high numbers.

But maybe I have some server (maliciously against me or not) running on a high port number for some reason. And a connection is established. I want to know if the server is on my end.

I could port scan remotely to check/do an online port scan, or I could see if my NAT device is port forwarding on that device. But isn't there a prog that'll tell me? I'm surprised that netstat doesn't. But I suppose to do that would require logging and remembering what happened at the 3-way handshake.

I use the Windows firewall. I have heard that Sygate lists incoming and outgoing connections, logging them. But I had Sygate crash on me, and surely if I use a firewall I should use it for its intended purpose, not just to log connections.

MS has a good port logging utility called "MS Port Reporter" but it doesn't say which connections are incoming and which outgoing. And to view the log is a hassle (the file is not readable when the port logger is on, so I either open a copy of the file or, as MS recommends, stop the port logger!!!).

I guess it's beyond netstat or Active Ports, and within the realm of a port logger. But is there a good one? MS Port Reporter is the only one I found. I tried WallWatcher, but it is a bit odd, asking me what my router is. Seems totally unnecessary, and a hassle to configure.

jameshanley39

Sorry, may as well disregard this post.

I didn't realise that netstat -a will list an entry for LISTENING and ESTABLISHED, in the case of an incoming connection.

Whereas for an outgoing connection, there is only an entry for ESTABLISHED.

jameshanley39

Sorry 'bout this. That's wrong too; I don't understand these netstat results.

Although I did have an outgoing connection with only an ESTABLISHED entry in netstat. If I do telnet [link] 80

I get

C:\>netstat -an | find ":80"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.2:2873       63.236.73.67:80        ESTABLISHED

This result appears in the program Active Ports too.

It's not like I'm running a web server. Art posted an article in post (snipped-for-privacy@4ax.com) about a netstat bug though; in that article ([link])

netstat made it appear as if the server was running on the local port (>1024)

C:\WINDOWS>netstat -anp tcp | find ":1367"
  TCP    0.0.0.0:1367           0.0.0.0:0              LISTENING
  TCP    192.70.106.142:1367    192.70.106.76:22       ESTABLISHED

So maybe my results (the ones with find ":80") are a bug too that has been fixed in w2k3.

So. The question remains: how do I know which connections are incoming and which are outgoing?!! (since either an incoming or outgoing may have 2 entries). I'm looking for something more accurate than using port numbers as a guide.

jameshanley39

I've not been following this thread from the beginning, so I apologize for jumping in out of the blue without knowing context. But Sygate's traffic log indicates the direction of all incoming and outgoing.

Art


Yes, Sygate firewall logging is excellent. It lists all in/out connections and attempted connections plus much more. It is organized such that it is easy to read. Also, there is a free (Sygate) SPF Log Viewer v1.2 that can be used with Sygate.

Casey Klc

Thanks, yeah, I noticed that Sygate has a great logging utility built in. I was using Sygate but I uninstalled it and went back to the Windows firewall, because Sygate crashed in a bad way.

It seems overkill to use a software firewall just for that. But that may be the best option.

Thanks.

jameshanley39

If you have problems with Windows' netstat command, try TCPView: [link]

Yours, VB.

Turns out not to be a bug in netstat; results are the same in TCPView, Active Ports, and netstat. But I just noticed, when making an outgoing connection and looking at the 2 entries, the process is different.

telnet [link] 80

process inetinfo.exe  listens      0.0.0.0:80
process telnet.exe    established  192.168.0.2:1398, 66.102..:80

I imagine that with an incoming connection, it'd still be 2 entries, but the process may be the same, e.g. ftpserver.exe listening, and ftpserver.exe established. I can only test this when a friend comes online though!

jameshanley39
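An added example, not from anyone in this thread: a Python script that classifies the ESTABLISHED rows of `netstat -an` as inbound when their local port also appears in a LISTENING row and outbound otherwise, run over a constructed sample modelled on the lines quoted above (the 0.0.0.0:80 listener plus the telnet to 63.236.73.67:80 is the same situation as the `find ":80"` result). It assumes netstat's default IPv4 column layout; the bogus LISTENING entry from the netstat bug quoted earlier would make it mislabel that connection as inbound, which is the limit of any heuristic that does not watch the handshake.

```python
import re

# Constructed sample of "netstat -an" output, modelled on the lines quoted in
# this thread: IIS listening on 0.0.0.0:80 (and SMTP on :25), the outbound
# telnet to a remote port 80, plus one inbound connection to our own port 80.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.2:2873       63.236.73.67:80        ESTABLISHED
  TCP    192.168.0.2:80         192.168.0.7:3205       ESTABLISHED
"""

# One TCP row: local addr:port, foreign addr:port, state (IPv4 layout only).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Split netstat -an text into (set of LISTENING ports, ESTABLISHED rows)."""
    listening, established = set(), []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header lines, UDP rows, blank lines
        laddr, lport, raddr, rport, state = m.groups()
        if state == "LISTENING":
            listening.add(int(lport))
        elif state == "ESTABLISHED":
            established.append((laddr, int(lport), raddr, int(rport)))
    return listening, established

def classify(text):
    """Label each ESTABLISHED row inbound or outbound.

    Heuristic: a local port that also has a LISTENING socket was accepted by
    a server on this box (inbound); otherwise it is an ephemeral port our own
    client chose (outbound). Note the telnet row has *remote* port 80, which
    is why `find ":80"` matched it alongside the listener."""
    listening, established = parse_netstat(text)
    return [(f"{laddr}:{lport}", f"{raddr}:{rport}",
             "inbound" if lport in listening else "outbound")
            for laddr, lport, raddr, rport in established]

if __name__ == "__main__":
    for local, remote, direction in classify(SAMPLE_NETSTAT):
        print(f"{local:22} {remote:22} {direction}")
```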

I'm glad to be notified of its existence, since it may be useful. If the log viewer were useless/pointless then you might have a valid objection, but you haven't made that case.

jameshanley39

The Log Viewer really does little more than SPF itself. It's just like kind of bells and whistles.

Iceman

For an incoming connection, there is only one entry involving whatever the TCP port is, e.g. port 21: e.g. ftpserver.exe ESTABLISHED connection.

- So, I think the best way is to use a logger, and the best logger I've seen so far is within the Sygate firewall.

jameshanley39

Hm... what happens if you telnet your own box on port 80? Are you getting a connection?

This is OK.

Yours, VB.


It should be easy for logging software to [have a feature added to] determine if a TCP connection is inbound or outbound. The logging software can easily read the transport layer stuff, just like it does to read the TCP port, and it can look at flags like SYN and ACK and remember who said what and when, and see whether it's incoming or outgoing. In fact, it just has to remember who sent the first packet, who initiated the connection. No doubt this is what Sygate's port logger does.

A proggie like netstat or Active Ports or TCPView would not. It doesn't log, so it just sees frames coming in and out. It doesn't remember who initiated the connection. This stands in contrast to a port logger program, which is *meant* to 'have a memory for this sort of thing' and just 'neglects to use it'!

jameshanley39
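An added example (not Sygate's code or anything posted in this thread) of the bookkeeping just described: replaying constructed packet records, a bare SYN names the initiator and a SYN-ACK names the server, so each flow is labelled inbound or outbound from the local host's point of view, and 'unknown' when neither was captured. The addresses and ports are constructed, reusing the thread's port-80 telnet and the port-22 case from the netstat bug, to show that watching the handshake gets the latter right even though netstat showed a LISTENING entry for it.

```python
LOCAL_IP = "192.168.0.2"

# Constructed packet records, as a logger sitting below the socket API would
# see them: (src_ip, src_port, dst_ip, dst_port, flags) with S=SYN and A=ACK.
PACKETS = [
    ("192.168.0.2", 2873, "63.236.73.67", 80, "S"),    # our telnet to a remote web server
    ("63.236.73.67", 80, "192.168.0.2", 2873, "SA"),
    ("192.168.0.2", 2873, "63.236.73.67", 80, "A"),
    ("192.168.0.7", 3205, "192.168.0.2", 80, "S"),     # a LAN host reaching our port 80
    ("192.168.0.2", 80, "192.168.0.7", 3205, "SA"),
    ("192.168.0.7", 3205, "192.168.0.2", 80, "A"),
    ("192.70.106.76", 22, "192.168.0.2", 1367, "SA"),  # logger started late: our SYN was missed
    ("10.0.0.9", 4444, "192.168.0.2", 3389, "A"),      # mid-stream only: no handshake seen
]

def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical key so both directions of one connection map to one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def track_directions(packets, local_ip):
    """Replay packets and decide who initiated each TCP flow touching local_ip.

    A bare SYN names the initiator; a SYN-ACK names the server, so that
    packet's destination is the initiator. Flows with neither stay 'unknown'."""
    initiator = {}                            # flow_key -> (ip, port) or None
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        key = flow_key(src_ip, src_port, dst_ip, dst_port)
        if initiator.setdefault(key, None) is not None:
            continue                          # first evidence wins; ignore retransmits
        if "S" in flags and "A" not in flags:
            initiator[key] = (src_ip, src_port)
        elif "S" in flags and "A" in flags:
            initiator[key] = (dst_ip, dst_port)
    report = []
    for (a, b), who in initiator.items():     # dict keeps first-seen order
        if a[0] == local_ip:
            local, remote = a, b
        elif b[0] == local_ip:
            local, remote = b, a
        else:
            continue                          # transit traffic, not this host's
        direction = ("unknown" if who is None else
                     "outbound" if who == local else "inbound")
        report.append((f"{local[0]}:{local[1]}", f"{remote[0]}:{remote[1]}", direction))
    return report

if __name__ == "__main__":
    for local, remote, direction in track_directions(PACKETS, LOCAL_IP):
        print(f"{local:20} {remote:20} {direction}")
```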

It will also be the same in anything which uses the same API. See [link]; there does not seem to be a way to determine whether a TCP connection was made inbound or outbound.

However, firewall software operating at a lower level should be able to get the information you want. Note that it's also true that malware operating at a lower level should be able to hide itself from both tcpview and your firewall software. So if you really want to be sure about what your box is talking to, you need an external box to monitor the traffic, not a piece of software on your PC.

Jason


Yes, I get a prompt when I do telnet 127.0.0.1 80.

> I imagine that with an incoming connection, it'd still be 2 entries,

As can be seen in my follow-up post, I was guessing wrongly. On an incoming FTP connection, I found that when I ran the server and a connection was established, nothing was listed as listening. This was because nothing was listening before and those processes are nothing to do with it!

jameshanley39

telnet 127.0.0.1 80

HTTP/0.9 501 Not Implemented
Connection to host lost.

and if I telnet to 127.0.0.1 25,

220 compnm Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Wed, 21 Sep 2005 01:22:59 +0100

- I had some craziness like this occur once before (I discovered some ghost-like hosts on my network, e.g. 192.168.2.0, that sort of thing; Sygate spotted it and prompted me). I discovered it was VMware. VMware was closed, but the VMware connection was enabled. As soon as I disabled the VMware connection, the ghost-like computer vanished. In that instance, the ghost-like computer was not the local host. No ARP entry for it either. It's not a WLAN. It's wired.

But I have disabled the VMware connection: Start..Control Panel..Network Connections.. right-clicked it and disabled it. The only enabled connection is my LAN. Maybe VMware is still playing games. You can see what processes it is that are listening.

OK, well, 127.0.0.1 is the address that only I can use; it addresses myself and doesn't go out the network card.

0.0.0.0 is another address listed by netstat and other port monitor proggies, but it also means this host. What's the diff? And if I can't connect to it, and other comps also have this address, who would/could connect to it?
jameshanley39

Yep, seems like it. Anybody on my LAN. So if I do port redirection on my NAT device, anybody can connect.

And if my comp did have a public IP or even public IPs, then no doubt anybody could connect. Makes sense.

Thanks.

jameshanley39

Yes, it's a web server running on your host. Now it's clear why something is listening on port 80: you're running a web server there.

Oh, and an SMTP server, too ;-)

Yes, it's localhost. Try out the address of your network interface, too.

If a process listens on 0.0.0.0, then this means it listens on every network interface of the box, including all physical interfaces and localhost.

Everybody.

Yours, VB.
