Solved

Interpreting Netstat Reports

Posted on 2001-07-13
Last Modified: 2007-12-19
I've been told that the below indicates "OPEN PORTS".
That is what I'm trying to get away from.

Can someone tell me if this is true, Open Ports, and if it's the
UDP that specifies an open port or the *:*

D:\WINNT>netstat -a
UDP    my machine3cj:epmap  *:*
UDP    my machine3cj:microsoft-ds  *:*
UDP    my machine3cj:1025   *:*
UDP    my machine3cj:1027   *:*
UDP    my machine3cj:netbios-ns  *:*
UDP    my machine3cj:netbios-dgm  *:*
UDP    my machine3cj:isakmp  *:*
UDP    my machine3cj:2278   *:*
UDP    my machine3cj:2288   *:*

I'm using Zonealarm at present.
If I'm in the wrong area of experts-exchange please let me know.

Regards, Bud
http://www.wintrouble.net
Question by:smeebud
14 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6281724
UDP is the connectionless part of the TCP/IP protocol: User Datagram Protocol. A lot of games and streaming media use UDP because it is faster than TCP due to the fact that no ACK is required. The ports that you are showing are pretty much default for Windows.
 
LVL 4

Expert Comment

by:svindler
ID: 6281737
Each line indicates protocol (UDP or TCP), local ip address or name:local port, foreign ip address or name:foreign port. For TCP lines, there is also status.

UDP is a connectionless protocol, which means that you will always see the UDP ports as listening, even if you are presently communicating with other machines using UDP. This is indicated by the *:*.

TCP, on the other hand, is connection oriented. Therefore ports without active connections will be indicated by *:* LISTENING. For active connections you will see foreign ip or name:foreign port ESTABLISHED. Sessions can also be in SYN_SENT, TIME_WAIT and a few others, when they are either in establishment phase or deestablishment phase.

So basically, what you want to minimize is the number of ports that have *:* in them. These ports indicate that you are waiting for someone to connect to you.
 
LVL 14

Author Comment

by:smeebud
ID: 6282232
Well this is new to me svindler.

I'm interested in security. I've tried ZoneAlarm, I'm using that now, also tried BlackICE.

I was told that *:* meant that that port was "Open" for any sniffer to browse around my computer.

Do you know how I can close these Open ports?

Bud
 
LVL 4

Expert Comment

by:svindler
ID: 6284125
It is correct that each *:* identifies a potential entrance to your machine. It does require more for any hacker to enter your machine.
Zonealarm and other personal firewalls will protect you a long part of the way, if you learn how to interpret their warnings.
Be aware though that any program running on your machine might hide itself as an innocent program. Therefore a good virus shield would also be recommendable, to protect you from downloading dangerous programs.
A bit of common sense also helps; do not download programs from unknown sources. If some of your friends send you a program, you might want to wait a few days before running it on your machine, to see what troubles your friend might run into.

Now, to shut each port down, you need to identify who has opened the port. This can be quite tricky on a Windows machine, as I don't know of any commands that would relate each port to the owning program.
Some of the open ports on your machine are related to Windows Networking, and some are related to a VPN client or server, which I suspect you are running.
If you can live without these, then shut them down. This is always the tradeoff when dealing with security. To protect your machine, you need to lose some features.
If you will tell me what Windows version you are running, I can send you a link to Microsoft where a more detailed suggested security setup is.
 
LVL 14

Author Comment

by:smeebud
ID: 6284150
Yep,
I'm running Windows 2000 Pro SP2.
Right now I'm logged on the internet, and here is my status:

D:\WINNT>netstat -a

Active Connections

Proto  Local Address          Foreign Address        State
TCP    My Machine3cj:epmap  My Machine3cj:0      LISTENING
TCP    My Machine3cj:microsoft-ds  My Machine3cj:0      LISTENING
TCP    My Machine3cj:1026   My Machine3cj:0      LISTENING
TCP    My Machine3cj:1028   My Machine3cj:0      LISTENING
TCP    My Machine3cj:netbios-ssn  My Machine3cj:0      LISTENING
TCP    My Machine3cj:2379   postoffice.worldnet.att.net:pop3  TIME_WAIT
TCP    My Machine3cj:2380   postoffice.worldnet.att.net:pop3  TIME_WAIT
TCP    My Machine3cj:2381   postoffice.worldnet.att.net:pop3  TIME_WAIT
TCP    My Machine3cj:2382   postoffice.worldnet.att.net:pop3  TIME_WAIT
TCP    My Machine3cj:pop3   My Machine3cj:0      LISTENING
UDP    My Machine3cj:epmap  *:*
UDP    My Machine3cj:microsoft-ds  *:*
UDP    My Machine3cj:1025   *:*
UDP    My Machine3cj:1027   *:*
UDP    My Machine3cj:netbios-ns  *:*
UDP    My Machine3cj:netbios-dgm  *:*
UDP    My Machine3cj:isakmp  *:*
UDP    My Machine3cj:2365   *:*
UDP    My Machine3cj:2371   *:*

I really appreciate your taking the time to explain this to me.

Bud
 
LVL 14

Author Comment

by:smeebud
ID: 6284156
Oh BTW,
 I'm not running on any network.

Bud
 
LVL 4

Expert Comment

by:svindler
ID: 6284955
If this is your only machine, you can probably remove "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" if that is installed.
As I can see that you have an IPSec client installed, I guess you connect to some kind of company network, and therefore can't use the above advice?
You also have a pop3 (mail) server running. Do other people connect to your machine to retrieve mail? If not, then find the service and disable it.
The lines ending in TIME_WAIT show that you have connected to a pop3 server to get your mail in four separate sessions. I guess you DO have other people retrieving mail from your machine, as you must have collected from four different accounts.
As for the unnamed ports they are probably randomly selected by programs you are running. This could be multimedia clients like RealPlayer or Windows Media Player.

You can read a lot about security (and other technical stuff) on Microsoft TechNet. See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/Default.asp
 
LVL 14

Author Comment

by:smeebud
ID: 6286100
The POP3 is needed.

I've never seen a server like AT&T or any server that didn't require a POP3.

I think we could identify "who" opened the ports with the netstat commands:

see
http://www.wintrouble.net/discus/messages/53/2799.html?995042274

Where would you suggest I close these ports at?
The procedure:

Step 1
Step 2??

Regards, Bud
http://www.wintrouble.net
 
LVL 4

Expert Comment

by:svindler
ID: 6289065
My point about POP3 is, you are running as a server, not only as a client. This is not necessary if you are only collecting mail, as opposed to being a mail server.

It is not possible to identify "who" opened a port for listening by using netstat.

I guess some third party tools could help you identify the listening programs. Maybe ZoneAlarm can do it?
 
LVL 14

Author Comment

by:smeebud
ID: 6290881
Ok, I'll try shutting down
TCP 3cj:1614   postoffice.worldnet.att.net:pop3

and see what happens.
Thanks.

I'm pretty much mystified right now <G>

bud
 
LVL 16

Accepted Solution

by:
SteveJ earned 200 total points
ID: 6299517
Just an obnoxious correction . . .

From your example:

UDP    my machine3cj:2278   *:*


UDP = protocol type

my machine3cj = the listening IP address

2278 = the port that the indicated IP address is listening on

*:* = indicates that the "listener" will allow a connection from any IP address on any interface
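The field breakdown svindler gives earlier (protocol, local address:port, foreign address:port, and a state for TCP) and SteveJ's reading of the UDP *:* line above can be turned into a small classifier that separates sockets waiting for anyone to connect from sessions the machine itself opened. This is an added example, not code from the thread or from any tool named in it; the listing it parses is constructed from the second netstat listing Bud posted, and the labels "listening", "active" and "closing" are my own.

```python
"""Classify lines of Windows `netstat -a` output into listeners vs. sessions."""
import re
from collections import Counter

# Constructed sample modelled on the second listing in the thread (hostnames
# as posted; the local name contains a space, which the regex must tolerate).
SAMPLE = """\
Active Connections

Proto  Local Address          Foreign Address        State
TCP    My Machine3cj:epmap  My Machine3cj:0      LISTENING
TCP    My Machine3cj:2379   postoffice.worldnet.att.net:pop3  TIME_WAIT
TCP    My Machine3cj:pop3   My Machine3cj:0      LISTENING
UDP    My Machine3cj:epmap  *:*
UDP    My Machine3cj:2365   *:*
"""

# proto, local host, local port, foreign host, foreign port, optional state
LINE = re.compile(r"^(TCP|UDP)\s+(.+?):(\S+)\s+(.+?):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        records.append({"proto": proto, "local_port": lport,
                        "foreign": f"{fhost}:{fport}", "state": state})
    return records

def classify(rec):
    """listening = open to any peer (UDP *:* or TCP LISTENING); active = live
    TCP session; closing = TIME_WAIT and other teardown/setup states."""
    if rec["proto"] == "UDP":
        return "listening" if rec["foreign"] == "*:*" else "active"
    if rec["state"] == "LISTENING":
        return "listening"
    if rec["state"] == "ESTABLISHED":
        return "active"
    return "closing"

def listening_ports(text):
    """The exposure list: every (proto, port) that accepts traffic from anyone."""
    return [(r["proto"], r["local_port"]) for r in parse_netstat(text)
            if classify(r) == "listening"]

def summary(text):
    """Counts per category, e.g. how many listeners vs. leftover TIME_WAITs."""
    return Counter(classify(r) for r in parse_netstat(text))
```

Running `listening_ports(SAMPLE)` lists the four sockets that match svindler's "minimize these" rule, while the four POP3 TIME_WAIT lines in the real listing would all land in "closing", since they are the tail end of connections Bud's mail client opened, not something waiting for an outside peer.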
 
LVL 14

Author Comment

by:smeebud
ID: 6302300
SteveJ,

Great,
This one bothers me:
*:* = indicates that the "listener" will allow a connection from any IP address on any interface
 How do I block that in 2000? Or ZoneAlarm?

Bud
 
LVL 16

Expert Comment

by:SteveJ
ID: 6302900
Doesn't zone alarm essentially only allow connections that originate from your machine? I *** THINK *** you don't have to block ports explicitly because zone alarm only allows connections that you originate. In other words, just because your PC is listening on port XYZ doesn't mean that someone could connect to that port: zone alarm wouldn't allow the connection because it originated from outside of your network.

I'm only vaguely familiar with W2K, but I think that there's a security piece that allows you to block specific ports. But again, re-read your zone alarm documentation or scan the web for zone alarm expertise.

Steve
 
LVL 14

Author Comment

by:smeebud
ID: 6303180
You're right,
  ZoneAlarm is constantly in Stealth Mode.

You've been a big help Steve, thanks.

This port stuff is new to me.

Regards, Bud
http://www.wintrouble.net