
Thread: Connections In/Out From PC

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    199

    Connections In/Out From PC

    I am currently running Windows XP with Sygate firewall installed. This shows me a list of applications with their connections, the connection status, protocol, port number etc.

    My questions are: how does this program know this information? Are there raw log files located somewhere in the system files showing all connections, or what? If so, is there any way to manually view this log file? Also, how much should I trust that all connections in and out are being shown to me?

    I know there are a lot of questions there, but they have been playing on my mind for a while. Any help would be great. Thanks a lot.

  2. #2
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903

    Re: Connections In/Out From PC

    Originally posted here by mikester2
    I am currently running Windows XP with Sygate firewall installed. This shows me a list of applications with their connections, the connection status, protocol, port number etc.

    My questions are: how does this program know this information? Are there raw log files located somewhere in the system files showing all connections, or what? If so, is there any way to manually view this log file? Also, how much should I trust that all connections in and out are being shown to me?

    I know there are a lot of questions there, but they have been playing on my mind for a while. Any help would be great. Thanks a lot.
    Prior to posting this, did you actually take the time to search for the possible answers to your questions? Or did you just think, "Lots of questions playing on my mind. Oh, I'll post this on AO, save me the time and trouble to use my initiative and look for myself." ===>>> hint: Sygate, protocols, port Nos
    Computer says no
    (Carol Beer)

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, firewalls monitor incoming and outgoing traffic interactively. I would have thought that what you are looking at is the result of a scan of your system.

    It would not be a good idea if you were merely being shown the contents of a log file, as that might be tampered with.

    Most firewalls have some sort of logging capabilities, at the very least of potential attacks. Others are capable of more sophisticated traffic and system analysis. Check out the help files under "reporting" and "logs" to find out what your one does.

    Like most things in life, the free versions probably don't give you as much information and functionality as the ones you pay for.

    Also, how much should I trust that all connections in and out are being shown to me?
    How would you know that they were not, at least before it was too late? You obviously trusted the application to install it?

    You can get other tools and run online scans if you like.

  4. #4
    Senior Member
    Join Date
    Jan 2004
    Posts
    199
    Prior to posting this, did you actually take the time to search for the possible answers to your questions? Or did you just think, "Lots of questions playing on my mind. Oh, I'll post this on AO, save me the time and trouble to use my initiative and look for myself." ===>>> hint: Sygate, protocols, port Nos
    Thanks for the hints jm459. I've been looking into and reading about firewalls, on and off, for a few years now. Granted, I'm not doing a security course/degree and therefore I haven't had loads of time to search as deeply as I would have liked. These questions (mainly the one core one of how firewalls actually find out about and monitor connections) have always bugged me, so I thought I'd ask on the AO forums and see if they could help out in any way. I'm sorry if I offended or pissed you off by my post.

    Thanks for the info nihil (you rock man). You say the firewall monitors incoming and outgoing traffic. Any ideas how it does this? Does the operating system provide this service with system calls, or does it edit a device driver etc.?

  5. #5
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903
    Originally posted here by mikester2
    I'm sorry if I offended or pissed you off by my post.
    No offence taken.
    Check this out. It may be of some help.

    http://grc.com/su-firewalls.htm

  6. #6
    Banned
    Join Date
    Sep 2004
    Posts
    305
    Start up a command prompt and type netstat -n or whatever flag you want. You'll basically get the same information. Microsoft also offers a little tool called PortReporter (too lazy to find the link) that has more detailed information. That in a way answers some of your questions.

    As to what connections you should trust, trust what you want. If you know you have AIM running then expect port 5190 to have something using it; if you're using IRC, expect port 6667 or whatever port you're using to be open. People might gawk and talk crap about viruses and backdoors, which I know happen, but if you trust your browsing habits and downloads, then I don't think you have anything to worry about.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    As far as I know there is no single answer to your question. They can work in a number of ways... for example there are hardware (device) firewalls and software ones.

    This is quite comprehensive:

    http://computer.howstuffworks.com/fr...firewalls-faq/

    Now go to http://www.grc.com and run "Shields Up!"... not a totally definitive set of tests, but if you fail any you probably ought to do something about it.

    Then go here: http://www.portmonster.com and get Portmonster by ZING Software... it will keep you amused for a while and let you do a bit of experimenting. It has a nice GUI.

    Hope that helps.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I think this is an excellent question. If the answer you're looking for is the same as the one I think you're looking for, I would be unable to answer it (where does netstat get its info from?).

    My guess: your computer is capable of logging everything that happens on it to the event log. It does, after all, need to keep track of what it's doing with resources or it wouldn't work. Logging of every successful operation is turned off by default, as well as many unsuccessful events, because it would cause one hellacious evt file. Although logging of these events is turned off by default, the messages are still sent (why and how I don't know). While a basic firewall reads info from packet headers, the better ones match up this info with system events as well as compare the payload against known malicious sigs, or just disallow unapproved types of payloads such as executable binaries or unrecognizable streams.

    At first I was going to point to SMS, but that's fairly new and wouldn't apply to the DOS netstat. Logging of COM/DCOM was something I also was going to say (pslist), but again that doesn't apply.

    This is a question for an OS programmer, and I hope that one will read this thread and reply, because the answer would be very interesting.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Connections In/Out From PC

    Wow, a lot of people are grasping for the answer. If you guys don't actually know how it's done, then perhaps you should stop trying feebly to answer the question...

    Originally posted here by mikester2
    I am currently running Windows XP with Sygate firewall installed. This shows me a list of applications with their connections, the connection status, protocol, port number etc.

    My questions are: how does this program know this information? Are there raw log files located somewhere in the system files showing all connections, or what? If so, is there any way to manually view this log file? Also, how much should I trust that all connections in and out are being shown to me?
    Here's how it happens:
    - When applications start up, they are assigned a unique identifier (Process ID) among other things.
    - During this process, Windows records the information it hands out into an internal table.
    - Now, let's say our application makes a connection out to another site on startup. By opening a connection, it is actually just asking Windows to try and open the connection.
    - Windows will then create a new connection given the details of said connection, assign the connection a special identifier, and then dump this information as well into a table in the Windows kernel, just like processes are done (though in a different area, obviously).

    As to your latter questions, the "manual viewing" of this information is done through various tools in Windows (netstat as well as other tools as has been noted). Like all things, the only way to ensure the information you're viewing is accurate is to ensure that the pieces of code that assign or view this information are operating as they are intended. Many very powerful trojans frequently attempt to break process listing software in order to hide themselves on process list, and the same applies to network connection listing.

    As for the overall question of how Sygate or any such application can know about this information, it's pretty straightforward: Windows provides a programmatic interface through which any application with sufficient privileges can obtain this information.

    I hope that sufficiently answered your questions.
    Chris Shepherd

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    fport and friends

    The default approach to show the processes associated with TCP/UDP ports is done by using the ntdll.dll functions (kernel mode) NtQuerySystemInformation()/NtDeviceIoControlFile() to check for the "\device\tcp"/"\device\udp" resource (Process Explorer[1] by Sysinternals uses this as one out of three techniques). For examples of what not to do with it, see Phrack[2]. However, we should always be aware of these techniques.

    /edit:
    This happens at the level of the TDI (Transport Data interface) in [3]!

    The IP Helper API (iphlpapi.dll) allows enumerating those processes more simply (XP, 2k, 2k3) using GetTcpTable(). Again, an example is given in [2] and [4].


    firewalls

    Unfortunately, I never looked deeply into the workings of firewalls, and I am not sure whether they just enumerate as the above tools do.

    Anyway, in theory: they apply a filter/firewall-hook driver technology. Sorry for not being able to give more in-depth insight.

    /edit:
    This happens at the level of the TCP/IP Driver in [3]!



    [1] http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
    [2] http://www.phrack.org/show.php?p=62&a=12
    [3] http://www.ndis.com/papers/winpktfilter.htm
    [4] http://msdn.microsoft.com/library/de...ettcptable.asp

    /edit: remark about layer-difference added.
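    The two posts above describe the mechanism: the listing tools do not read a log file, they query a table the kernel maintains, through an API such as GetTcpTable(), and a program that subverts that path can hide a connection. The script below is an added example (not from this thread or from Sygate) that does what netstat -ano does on a modern Windows host and then applies the check post #9 calls for: it ties each connection to its owning process and compares two independent readings of the table. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists.

```powershell
# Added example: list TCP connections with their owning process, then cross-check
# two views of the kernel's connection table. A connection whose owning PID has
# no matching process, or that appears in one view but not the other, is a
# discrepancy to investigate before trusting the listing.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection).

function Get-ConnectionView {
    # Map PID -> process name once instead of calling Get-Process per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection | ForEach-Object {
        $owner = [int]$_.OwningProcess
        $name = if ($procs.ContainsKey($owner)) { $procs[$owner] } else { '<no matching process>' }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $owner
            Process = $name
        }
    }
}

function Compare-ConnectionViews {
    # View 1: the cmdlet (IP Helper API). View 2: netstat -ano parsed from its text output.
    $apiPids = @(Get-NetTCPConnection | ForEach-Object { [int]$_.OwningProcess } | Sort-Object -Unique)
    $netstatPids = @(netstat -ano | ForEach-Object {
        # A netstat row looks like:  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  912
        if ($_ -match '^\s*TCP\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$') { [int]$Matches[1] }
    } | Sort-Object -Unique)

    Compare-Object -ReferenceObject $apiPids -DifferenceObject $netstatPids | ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'only in Get-NetTCPConnection' } else { 'only in netstat -ano' }
        "PID $($_.InputObject): $side"
    }
}

Get-ConnectionView | Sort-Object PID | Format-Table -AutoSize
Compare-ConnectionViews
```

    Both views ultimately read the same kernel table, so agreement between them rules out only a crude hook on one tool; for a stronger check, compare against a capture taken off-host, such as a packet trace on a span port, as nihil's suggestion of an external scan implies.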
