Computer Security - Firewall shows ports being used in sequence
#1

What could be causing my apps to accept connections to use local
ports in sequence? Below are some more details.

Thank you for any help.

Alix

------

I run on XP Pro on cable with no other PCs or devices attached to
the network.

I use the free FILSECLAB firewall. My firewall is ANTIVIR. For
my browser I use OPERA and my newsreader is NEWSBIN PRO.

I have scanned my PC for viruses and for other malware or adware.

------

The monitor feature in the FILSECLAB firewall shows that simply to
do their work, the browser and newsreader are accepting
connections which come into my local ports numbered 1030, 1031,
1032, 1033, etc. The sequence is not precisely followed but more
or less that is what is happening.

It doesn't seem like a port scan as it seems too slow and anyway
it is closely correlated with my own use of my applications.

But it seems very odd.

Each time I boot the PC and launch Opera to Google somewhere,
there is a pause for a second or two for this FIRST web page and
the status line says: "Connecting to www.google.com". Then it
frees up.

What could be causing this sequential use of local ports? Is it
something I might have set in XP's registry?

Alix

#2

Alix wrote:
> The monitor feature in the FILSECLAB firewall shows that simply to do
> their work, the browser and newsreader are accepting connections which
> come into my local ports numbered 1030, 1031, 1032, 1033, etc. The
> sequence is not precisely followed but more or less that is what is
> happening.

Are you absolutely sure they're *accepting* connections on those ports?

I'd wager they're using those ports for outgoing connections, to remote
ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.

Internet related software using an arbitrary local port to establish
outgoing connections is expected and necessary. And yes, they generally
establish multiple connections using more or less sequential port
numbers. Especially web browsers. Mine is configured to make as many as
64 at a time, although I've never seen it actually do that. News readers
typically don't make more than 3 or 4 at a time, as NNTP servers won't
allow it.

--
  _?_      Outside of a dog, a book is a man's best friend.
 (@ @)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo-------------------------------[ Groucho Marx ]--
grok!                             Registered Linux user #402208

Jeffrey F. Bloss

#3

From: "Alix" <>
| What could be causing my apps to accept connections to use local
| ports in sequence? Below are some more details.
|
| Thank you for any help.
|
| Alix
|
| ------
|
| I run on XP Pro on cable with no other PCs or devices attached to
| the network.
|
| I use the free FILSECLAB firewall. My firewall is ANTIVIR. For
| my browser I use OPERA and my newsreader is NEWSBIN PRO.
|
| I have scanned my PC for viruses and for other malware or adware.
|
| ------
|
| The monitor feature in the FILSECLAB firewall shows that simply to
| do their work, the browser and newsreader are accepting
| connections which come into my local ports numbered 1030, 1031,
| 1032, 1033, etc. The sequence is not precisely followed but more
| or less that is what is happening.
|
| It doesn't seem like a port scan as it seems too slow and anyway
| it is closely correlated with my own use of my applications.
|
| But it seems very odd.
|
| Each time I boot the PC and launch Opera to Google somewhere,
| there is a pause for a second or two for this FIRST web page and
| the status line says: "Connecting to www.google.com". Then it
| frees up.
|
| What could be causing this sequential use of local ports? Is it
| something I might have set in XP's registry?

You said -- "My firewall is ANTIVIR."
Care to rephrase that ? Do you really mean anti virus ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

#4

Alix wrote:
> What could be causing my apps to accept connections to use local
> ports in sequence? Below are some more details.
>
> Thank you for any help.
>
> Alix
>
> ------
>
> I run on XP Pro on cable with no other PCs or devices attached to
> the network.
>
> I use the free FILSECLAB firewall. My firewall is ANTIVIR. For
> my browser I use OPERA and my newsreader is NEWSBIN PRO.
>
> I have scanned my PC for viruses and for other malware or adware.
>
> ------
>
> The monitor feature in the FILSECLAB firewall shows that simply to
> do their work, the browser and newsreader are accepting
> connections which come into my local ports numbered 1030, 1031,
> 1032, 1033, etc. The sequence is not precisely followed but more
> or less that is what is happening.
>
> It doesn't seem like a port scan as it seems too slow and anyway
> it is closely correlated with my own use of my applications.
>
> But it seems very odd.
>
> Each time I boot the PC and launch Opera to Google somewhere,
> there is a pause for a second or two for this FIRST web page and
> the status line says: "Connecting to www.google.com". Then it
> frees up.
>
> What could be causing this sequential use of local ports? Is it
> something I might have set in XP's registry?

Are you running google desktop search engine?

Winged

Winged

#5

> Are you absolutely sure they're *accepting* connections on those ports?
>
> I'd wager they're using those ports for outgoing connections, to remote
> ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.
>
#################################

Correct. Both Unix and Windows use those ports as source ports. That's
what is seen in the Local Address column on a netstat -an output. The
Foreign Address column will have what you term as normal ports otherwise
known as destination ports. That column is the important one when looking
for unwanted connections.

donnie

Donnie

#6

In article <>,
"Jeffrey F. Bloss" <> wrote:

> Alix wrote:
>
> > The monitor feature in the FILSECLAB firewall shows that simply to do
> > their work, the browser and newsreader are accepting connections which
> > come into my local ports numbered 1030, 1031, 1032, 1033, etc. The
> > sequence is not precisely followed but more or less that is what is
> > happening.
>
> Are you absolutely sure they're *accepting* connections on those ports?
>
> I'd wager they're using those ports for outgoing connections, to remote
> ports that look more normal. 80 and 119 for typical HTTP and NNTP traffic.

Usually the source ports in outgoing connections are much higher, like
32000+. 1030, 1031, etc. are pretty unlikely to be used as ephemeral
source ports.

--
Barry Margolin, Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

Barry Margolin

#7

On Mon 05 Dec 2005 17:49:44, David H. Lipman
<DLipman~nospam~@Verizon.Net> wrote:

> You said -- "My firewall is ANTIVIR."
> Care to rephrase that ? Do you really mean anti virus ?

Oops. Yes, you are quite right.

The antivirus is ANTIVIR and the firewall is FILSECLAB.

Sorry for any confusion.

Alix

#8

Barry Margolin wrote:
> Usually the source ports in outgoing connections are much higher, like
> 32000+. 1030, 1031, etc. are pretty unlikely to be used as ephemeral
> source ports.

Wrong, it depends on the stack implementation, in general the use of the
port range from 1024 upwards as source-port is an absolutely normal stack
behavior.

Sample netstat output snippet from an average win2000 box:

C:\Dokumente und Einstellungen\wk>netstat -an

Aktive Connections

  Proto  Local Address      Remoteaddress        Status
  TCP    192.168.1.3:1123   192.168.1.254:445    Established
  TCP    192.168.1.3:1131   192.168.1.254:143    Established
  TCP    192.168.1.3:1132   192.168.1.254:143    Established
  TCP    192.168.1.3:1133   192.168.1.254:22     Established
  TCP    192.168.1.3:1910   146.48.98.96:80      Established
  TCP    192.168.1.3:1911   146.48.98.96:80      Established
  TCP    192.168.1.3:1924   192.168.1.4:139      Established
  TCP    192.168.1.3:1931   192.168.1.254:25     Established
  TCP    192.168.1.3:1934   64.233.183.124:80    Established
  TCP    192.168.1.3:3389   192.168.1.19:41835   Established
  TCP    192.168.1.3:1939   64.233.183.124:80    Established
  TCP    192.168.1.3:1946   212.60.1.145:119     Established

Wolfgang

Wolfgang Kueter

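Added example, not part of any post in this thread: a Python sketch of the check posts #5 and #8 describe. It reads `netstat -an` rows and separates outbound connections (the local port is only a source port) from inbound ones (the local port is one the host listens on). The sample rows are constructed, use documentation addresses, and assume English state names.

```python
import re

# Constructed sample in `netstat -an` layout; the addresses come from the
# documentation ranges, not from the thread. English state names assumed.
SAMPLE = """\
  TCP    0.0.0.0:445        0.0.0.0:0            LISTENING
  TCP    0.0.0.0:3389       0.0.0.0:0            LISTENING
  TCP    192.0.2.10:1131    198.51.100.7:143     ESTABLISHED
  TCP    192.0.2.10:1132    198.51.100.7:143     ESTABLISHED
  TCP    192.0.2.10:1910    203.0.113.80:80      ESTABLISHED
  TCP    192.0.2.10:1911    203.0.113.80:80      ESTABLISHED
  TCP    192.0.2.10:3389    192.0.2.19:41835     ESTABLISHED
  TCP    192.0.2.10:1946    203.0.113.119:119    ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

def classify(netstat_text):
    """Return (outbound, inbound) lists for the ESTABLISHED TCP rows.
    Inbound: the local port is one this host is LISTENING on.
    Outbound: the local port is only the client-side source port, so the
    remote port is what identifies the service being contacted.
    """
    rows = [(la, int(lp), ra, int(rp), st.upper())
            for la, lp, ra, rp, st in
            (m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m)]
    listening = {lp for _, lp, _, _, st in rows if st == "LISTENING"}
    outbound, inbound = [], []
    for _, lp, ra, rp, st in rows:
        if st != "ESTABLISHED":
            continue
        if lp in listening:
            inbound.append((ra, rp, lp))    # remote peer reached our service
        else:
            outbound.append((lp, ra, rp))   # our source port -> remote service
    return outbound, inbound

def remote_services(outbound):
    """Count outbound connections per remote (destination) port."""
    counts = {}
    for _, _, rport in outbound:
        counts[rport] = counts.get(rport, 0) + 1
    return counts

if __name__ == "__main__":
    out, inn = classify(SAMPLE)
    print("outbound source ports:", [lp for lp, _, _ in out])
    print("remote services:", remote_services(out))
    print("inbound to listening ports:", inn)
```

The ascending local ports all land in the outbound list; the one row worth a second look is the connection to local port 3389, because that port is in the listening set.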
#9

On Tue 06 Dec 2005 08:40:15, Wolfgang Kueter
<> wrote:

> Wrong, it depends on the stack implementation, in general the use
> of the port range from 1024 upwards as source-port is an
> absolutely normal stack behavior.
>
> Sample netstat output snippet from an average win2000 box:
>
> C:\Dokumente und Einstellungen\wk>netstat -an
>
> Aktive Connections
>
>   Proto  Local Address      Remoteaddress        Status
>   TCP    192.168.1.3:1123   192.168.1.254:445    Established
>   TCP    192.168.1.3:1131   192.168.1.254:143    Established
>   TCP    192.168.1.3:1132   192.168.1.254:143    Established
>   TCP    192.168.1.3:1133   192.168.1.254:22     Established
>   TCP    192.168.1.3:1910   146.48.98.96:80      Established
>   TCP    192.168.1.3:1911   146.48.98.96:80      Established
>   TCP    192.168.1.3:1924   192.168.1.4:139      Established
>   TCP    192.168.1.3:1931   192.168.1.254:25     Established
>   TCP    192.168.1.3:1934   64.233.183.124:80    Established
>   TCP    192.168.1.3:3389   192.168.1.19:41835   Established
>   TCP    192.168.1.3:1939   64.233.183.124:80    Established
>   TCP    192.168.1.3:1946   212.60.1.145:119     Established
>
> Wolfgang
>

I am the OP and I get the following sort of result. (Apologies if
the line wrap does not work properly.) You can see the port
numbers go from 2087 to 2093. I suspect this morning they started
at 1024 or something like that.

Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 0/60 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 54/0 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 54/0 12:59 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 728/116 12:59 domino.newhall.gov.uk/web/html.nsf/full-default.css
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 0/60 12:59 ACK
Pass SYSTEM HTTP/Out 62.107.125.121/2089 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59 RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 2805/77235 12:59 194.201.98.217/Committee/CE_CommRepository.nsf/vSCByCD?OpenForm&RestrictToCategory=Development+Committee&tip=committee
Pass named UDP/Out 62.107.125.121/1025 199.166.31.3/53 2188/4140 12:59 RDSD|RT:10|No.10000
Pass SYSTEM HTTP/Out 62.107.125.121/2088 172.16.16.16/80 62/0 12:59 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59 RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 12:59 RDSD|RT:6|No.10000
Pass Opera HTTP/Out 62.107.125.121/2092 172.16.16.16/80 62/0 12:59 SYN
Pass Opera HTTP/Out 0.0.0.0/0 172.16.16.16/80 0/0 13:00 RDSD|RT:6|No.10000
Pass SYSTEM HTTP/Out 62.107.125.121/2092 172.16.16.16/80 62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 62/0 13:00 SYN
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 0/62 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2087 194.201.98.217/80 1060/412 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2086 194.201.98.217/80 0/60 13:00 ACK
Pass SYSTEM HTTP/Out 62.107.125.121/2089 172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2090 172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 798/6133 13:00 www.google.com/search?as_q=fred
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 54/0 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2093 66.249.87.99/80 0/60 13:00 ACK
Pass Opera HTTP/Out 62.107.125.121/2091 172.16.16.16/80 62/0 13:00 RDSD|RT:10|No.10000

[I have changed my IP number slightly to mask its actual value.]

Alix

#10

On Wed 07 Dec 2005 19:12:14, Wolfgang Kueter
<> wrote:

>> Are you saying that it is normal behavior of the TCPIP stack
>> that I am going out of port 80 and using those ascending port
>> numbers as I try to access various web and news servers?
>
> Of course, yes. There is a difference between client and server
> and destination port and source port. Both major transport
> protocols (which are tcp and udp) when connecting a service on a
> remote machine will contact the destination machine on the well
> known destination port for the particular service (80 for
> web/http, 119 for news/nntp, 110 for pop3, 25 for smtp ...) and
> use a random source port above usually above 1024 to receive the
> answer packets from the remote machine. That is just how a
> tcp/ip stack works. Ascending source port numbers are nothing to
> worry about. Ascending TCP sequence numbers however would of
> course be a completely different story.
>
> Please read documents like:
>
> http://www.firewall.cx/tcp-analysis-section-4.php
> http://www.cisco.com/univercd/cc/td/...ito_doc/ip.htm
>
>>>> What could be causing this sequential use of local ports?
>>>
>>> Normal behavior of an average TCP/IP stack.

Thanks for the info Wolfgang. Thanks too for two very good links

>> I am going to get a hardware firewall when I can afford to.
>
> Your stack won't behave any different with a hardware firewall.
> What you observe is totally normal behavior and absolutely
> nothing to worry about.

I was thinking of the hardware firewall as a better replacement
for a personal software firewall.

I find that the config requirements of many software firewalls
can get more complicated than I am able to handle! Things like
making sure various utility servers get through (DHCP, UBR, DNS,
etc) and distinguishing between WAN and private IP addresses all
makes my head spin!

Alix