Recently installed a SonicWall TZ170 firewall in my home network environment. Set up the log to record everything just so I could get an idea of traffic that was being dropped.
I now find that 90% of my log entries are of the following type:
TCP connection dropped 221.119.213.184, 63690, WAN 24.155.81.xxx, 47519, WAN Type: 47519
I x'd out my IP for obvious reasons.
My question is, I keep getting all these hits from various source IPs to port 47519. I have no clue what that port is or what the connect attempts are looking for. Is this possibly a file sharing program that one of my kids may be running?
AFAIK TCP port 47519 is not currently listed for being associated with anything malicious. So what you may be seeing is either:
A. various external clients (from as far away as Japan) attempting to probe for something new that has yet to make the lists
B. various external clients (from as far away as Japan) attempting to connect to something that's making itself known for being available
Regardless I would suggest that you attempt to discover if there's anything listening on this port. Better yet confirm everything that is currently listening on your PC. To accomplish this you can acquire and install a third-party utility or you can perform a couple of commands and review the results.
To perform the latter with Windows XP, simply do the following:
Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO >netstat.txt
Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC >tasklist.txt
After performing each of the above, a DOS window will open and close. When this occurs the system is creating a TXT file reflecting the results of running each command. The first txt file (netstat.txt) provides a listing of ports currently in use. The second txt file (tasklist.txt) provides a listing of all the processes that are running and their respective PIDs.
Next open both TXT files with Notepad. In the 'netstat.txt' file focus on the ports that are 'listening'. At the far right is a PID number that indicates what process is responsible for placing that port into a 'listening' state. Refer to the 'tasklist.txt' file to determine the process for the PID.
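An added example (not part of the original posts): a Python sketch that joins the two files described above by PID to show which process holds a given port. The sample netstat and tasklist text and the process name example.exe are constructed for illustration.

```python
import re

# Constructed sample of `NETSTAT -ANO` output (not from the original thread).
NETSTAT_TXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:47519          0.0.0.0:0              LISTENING       2384
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     1720
  UDP    0.0.0.0:47519          *:*                                    2384
"""

# Constructed sample of `TASKLIST /SVC` output; example.exe is a placeholder.
TASKLIST_TXT = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  952 RpcSs
example.exe                 2384 N/A
"""

def parse_tasklist(text):
    """Map PID -> (image name, services). Image names may contain spaces."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs

def parse_listeners(text):
    """Return (proto, port, pid) for TCP LISTENING rows and all bound UDP rows."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            # UDP has no State column, so a filter on "LISTENING" alone misses it.
            if f[0] == "UDP" or f[3] == "LISTENING":
                rows.append((f[0], int(f[1].rsplit(":", 1)[1]), int(f[-1])))
    return rows

def who_owns(port, netstat_text, tasklist_text):
    """List (proto, pid, image, services) for every socket bound to `port`."""
    procs = parse_tasklist(tasklist_text)
    return [(proto, pid) + procs.get(pid, ("<unknown>", ""))
            for proto, p, pid in parse_listeners(netstat_text) if p == port]

print(who_owns(47519, NETSTAT_TXT, TASKLIST_TXT))
```

An empty result for a port only means nothing was bound to it at the moment netstat ran, so the capture is worth repeating while the dropped connections are being logged.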
I already have utilized netstat and a couple of other tools to discover all open ports and running processes on the various machines in my network. No active listeners on port 47519 - at least at the time I checked.
I'm wondering if this has anything to do with one of my kids running a file share program (I know they've dabbled with eMule) on their PC. So that, even if it's not running now, it's still a registered "active" connection in the peer network via caching or something. But I could swear I thought all those programs used ports in like the 4,000's and such.
I set up a syslog server so I could validate the connection attempts and not just rely on the SonicWall logging report, and sure enough they show up. Most of the connections (after I performed DNS on the IPs) seem to be coming from various DSL and other home broadband networks. My next step is to set up a sniffer and check the packets out...
I sniffed the connection attempts coming in. They're all 70 bytes in size and are real similar in packet construction to the ones coming in for the connect attempts for port 4662, etc (the designated eMule ports). Just can't figure out why port 47519. My next step is to fire up eMule on my kids' computer and see what ports are listening and then sniff the connections again.
Upon checking the options I discovered the Wrap was set to 72. Simply increasing it appears to have resolved the issue with line termination. Thanks for pointing out the issue. In regards to sigs not being deleted. I usually do so manually, but occasionally one will slip by.