Strange port traffic

Here is a list of bandwidth by service over a one day period:

Rank  Service                  (Proto, Port)  Sent/Received Data
1     Web (HTTP)               (6,80)         800 MBytes
2     TCP Port 3341            (6,3341)       95 MBytes
3     HTTPS                    (6,443)        76 MBytes
4     Retrieve E-Mail (POP3)   (6,110)        23 MBytes
5     TCP Port 2525            (6,2525)       11 MBytes
6     TCP Port 2214            (6,2214)       10 MBytes
7     TCP Port 3553            (6,3553)       10 MBytes
8     IP Type 47               (47,256)       10 MBytes
9     TCP Port 2961            (6,2961)       10 MBytes
10    TCP Port 2565            (6,2565)       10 MBytes
11    Send E-Mail (SMTP)       (6,25)         5 MBytes
12    TCP Port 3285            (6,3285)       5 MBytes
13    TCP Port 3213            (6,3213)       5 MBytes
14    Name Service (DNS)       (17,53)        4 MBytes
15    IP Type 47               (47,3044)      3 MBytes
16    TCP Port 2543            (6,2543)       3 MBytes
17    IP Type 47               (47,60901)     904 KBytes
18    TCP Port 3651            (6,3651)       854 KBytes
19    TCP Port 3357            (6,3357)       832 KBytes
20    TCP Port 4772            (6,4772)       824 KBytes
21    TCP Port 3793            (6,3793)       824 KBytes
22    TCP Port 2554            (6,2554)       824 KBytes
23    TCP Port 4996            (6,4996)       822 KBytes
24    TCP Port 4933            (6,4933)       822 KBytes
25    TCP Port 3541            (6,3541)       822 KBytes

I have the firewall set up with rules to allow the following services/ports:
HTTP       80
HTTPS      443
POP3       110
SMTP       25
NS-SMTP    2525
DNS        53 (TCP and UDP)
PPTP       1723
Ping       0, 8
ICMP       7
FTP        20, 21
NetBios    UDP 137-139

And then a final rule blocking all other traffic in or out.  
So what is all this traffic in the 2,000-4,000 port range and why is it being allowed?

Ernie Beek (Expert) commented:
Return traffic for allowed outgoing ports?

Remember, everything above 1024 can be used as a port to establish a connection on after first negotiation.
STS-Tech (Author) commented:
Perhaps.  If so- how do I stop them?  I'd rather have a user come to me and say "my webwidget isn't working" than have unknown traffic.
Ernie Beek (Expert) commented:
Ehr, you can't?

Designated ports out to the internet are only to determine what kind of protocol is being used. So you connect to a webserver on port 80. The server then knows that you want to talk http. After that the server and client negotiate a port (>1024) to talk http over.....

So blocking that is like unplugging your internet.
STS-Tech (Author) commented:
Grrrr.  What you are saying makes perfect sense.  Time to install a packet analyzer I suppose.
Take a look at:

This may help you get some control of these ports.

STS-Tech (Author) commented:
According to this, from carlmd's article:

...had there been a restrictive firewall on the client machine, when the connection from the server to port 1930 on the client would have failed.  Note that the client program did not explicitly ask for port 1930 -- it just asked for an unused port number to use for this temporary data connection.

The ports should be blocked- as I want them to be.  Maybe I should make a rule allowing everything I don't want and forwarding it to an invalid address.
You can certainly block the use of ephemeral ports with a firewall, but realize that you will most likely stop any and all web browsing, and many other applications as well. Most likely the traffic you reference is coming from web use, and if you want to stop that, just block outgoing http and https traffic. This would permit other programs using ephemeral ports to continue working.

Traffic on these ports is just a normal cost of using the internet, and you should not be overly concerned that they are being used. Remember, they are only used for return traffic in response to something that was initiated on your network.

A good firewall will detect and prevent port scanning and other attacks via these ports.
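As an added example (not from this thread or its participants), a small Python check that parses report lines like the ones in the question and labels each entry as an explicit allow rule, the GRE data channel that belongs with the allowed PPTP rule, or a probable ephemeral return port; the Windows dynamic range 1025-5000 is an assumption about the clients.

```python
import re
from typing import NamedTuple

# Constructed sample: a few lines in the shape of the report quoted in the question.
REPORT = """\
1      Web (HTTP) (6,80)      800 MBytes
2      TCP Port 3341 (6,3341)      95 MBytes
3      HTTPS (6,443)      76 MBytes
8      IP Type 47 (47,256)      10 MBytes
14      Name Service (DNS) (17,53)      4 MBytes
17      IP Type 47 (47,60901)      904 KBytes
20      TCP Port 4772 (6,4772)      824 KBytes
"""

# Explicit allow rules from the question as (ip protocol, port); 6=TCP, 17=UDP.
ALLOWED = {(6, 80), (6, 443), (6, 110), (6, 25), (6, 2525), (6, 53), (17, 53),
           (6, 1723), (6, 20), (6, 21), (17, 137), (17, 138), (17, 139)}
# Assumption: clients are Windows hosts using the classic dynamic port range 1025-5000.
EPHEMERAL = range(1025, 5001)
LINE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\((\d+),(\d+)\)\s+([\d.]+)\s+([KMG])Bytes$")
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

class Entry(NamedTuple):
    rank: int
    service: str
    proto: int
    port: int
    nbytes: int
    verdict: str

def classify(proto: int, port: int) -> str:
    if (proto, port) in ALLOWED:
        return "allowed-rule"
    if proto == 47:
        # IP protocol 47 is GRE, the data channel of the allowed PPTP (1723) rule.
        return "gre-pptp-data"
    if proto == 6 and port in EPHEMERAL:
        return "ephemeral-return"   # client-side port of a session opened outbound
    return "unexpected"             # worth a packet capture, as the thread suggests

def parse_report(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rank, svc, proto, port, size, unit = m.groups()
        proto, port = int(proto), int(port)
        nbytes = int(float(size) * UNITS[unit])
        entries.append(Entry(int(rank), svc, proto, port, nbytes, classify(proto, port)))
    return entries

def summarize(entries) -> dict:
    # Bytes per verdict, so "ephemeral-return" can be compared against the allowed services.
    totals = {}
    for e in entries:
        totals[e.verdict] = totals.get(e.verdict, 0) + e.nbytes
    return totals
```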
STS-Tech (Author) commented:
I will reluctantly agree with that.  We had a recent rash of streaming at this site so I wanted to be sure that someone wasn't trying to find another way, but based on what I've read I'll put my paranoia aside for now.

Thanks to you both.
STS-Tech (Author) commented:
Not what I wanted to hear- but the right answer, nonetheless.