Thread: Netstat Results, Local/Foreign Addresses, System

  1. #1
    runninbull Guest

    Netstat Results, Local/Foreign Addresses, System

    Hello,
    I have a couple questions about the netstat results shown below.
    1. Should I see local AND foreign addresses with 0.0.0.0?
    2. Should the local addresses be three different addresses? 0.0.0.0 / 10.0.0.44 / 127.0.0.1?
    3. This looks incorrect to me as I thought the local address would be the same (local side of firewall) and foreign addresses would be various (outside of firewall).
    Thanks in advance!
    RuninBull

    Proto  Local Address      Foreign Address    State        PID
    TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    888
    TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
    TCP    0.0.0.0:1025       0.0.0.0:0          LISTENING    1236
    TCP    0.0.0.0:1309       0.0.0.0:0          LISTENING    2020
    TCP    10.0.0.44:139      0.0.0.0:0          LISTENING    4
    TCP    10.0.0.44:2775     69.26.188.50:80    ESTABLISHED  4016
    TCP    10.0.0.44:2776     69.26.188.50:80    ESTABLISHED  4016
    TCP    127.0.0.1:1025     127.0.0.1:2772     TIME_WAIT    0
    TCP    127.0.0.1:1027     0.0.0.0:0          LISTENING    2552
    UDP    0.0.0.0:445        *:*                             4
    UDP    0.0.0.0:500        *:*                             652
    UDP    0.0.0.0:3776       *:*                             2124
    UDP    0.0.0.0:4500       *:*                             652
    UDP    10.0.0.44:123      *:*                             928
    UDP    10.0.0.44:137      *:*                             4
    UDP    10.0.0.44:138      *:*                             4
    UDP    10.0.0.44:1900     *:*                             416
    UDP    127.0.0.1:123      *:*                             928
    UDP    127.0.0.1:1900     *:*                             416
    UDP    127.0.0.1:2674     *:*                             4016

    Operating System: Windows XP Home Edition
    Software Version: 8.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Netstat Results, Local/Foreign Addresses, System

    <blockquote><hr>runninbull wrote:
    Hello,
    I have a couple questions about the netstat results shown below.
    1. Should I see local AND foreign addresses with 0.0.0.0?
    2. Should the local addresses be three different addresses? 0.0.0.0 / 10.0.0.44 / 127.0.0.1?
    3. This looks incorrect to me as I thought the local address would be the same (local side of firewall) and foreign addresses would be various (outside of firewall).
    Thanks in advance!
    RuninBull

    Proto  Local Address      Foreign Address    State        PID
    TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    888
    TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
    TCP    0.0.0.0:1025       0.0.0.0:0          LISTENING    1236
    TCP    0.0.0.0:1309       0.0.0.0:0          LISTENING    2020
    TCP    10.0.0.44:139      0.0.0.0:0          LISTENING    4
    TCP    10.0.0.44:2775     69.26.188.50:80    ESTABLISHED  4016
    TCP    10.0.0.44:2776     69.26.188.50:80    ESTABLISHED  4016
    TCP    127.0.0.1:1025     127.0.0.1:2772     TIME_WAIT    0
    TCP    127.0.0.1:1027     0.0.0.0:0          LISTENING    2552
    UDP    0.0.0.0:445        *:*                             4
    UDP    0.0.0.0:500        *:*                             652
    UDP    0.0.0.0:3776       *:*                             2124
    UDP    0.0.0.0:4500       *:*                             652
    UDP    10.0.0.44:123      *:*                             928
    UDP    10.0.0.44:137      *:*                             4
    UDP    10.0.0.44:138      *:*                             4
    UDP    10.0.0.44:1900     *:*                             416
    UDP    127.0.0.1:123      *:*                             928
    UDP    127.0.0.1:1900     *:*                             416
    UDP    127.0.0.1:2674     *:*                             4016

    Operating System: Windows XP Home Edition
    Software Version: 8.0
    Product Name: ZoneAlarm Internet Security Suite

    <hr></blockquote>


    Answers.
    1).Yes
    2).Yes
    3).Yes it is correct.

    Here is mine at "idle" as I replied:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SkyRider>netstat -anob

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 127.0.0.1:8118 0.0.0.0:0 LISTENING 1908
    [privoxy.exe]

    UDP 127.0.0.1:123 *:* 804
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP 192.168.0.12:123 *:* 804
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]


    C:\Documents and Settings\SkyRider>
    <hr>

    You have time updater, file and printer sharing, UPnP and maybe SSDP, netbios, a browser, ms services (dcom), rpc, possibly a legitimate lsass.exe using the port 500 for a vpn/ike (possibly not needed), ipsec enabled (probably not needed unless you do use a vpn) and a few others all functioning as shown in the netstat you provided.

    Breakdown of answers:
    1). Local and foreign (remote) addresses will use 0.0.0.0 for internal address similar to the 127.0.0.1 and for initial connections to the dhcp server when it has no given IP assigned yet. Once it receives the IP it will eventually switch over to the assigned IP.
    Also the 0.0.0.0 is often used to connect to other lan devices and again eventually switch over to the assigned address as its proper address.
    Also the 0.0.0.0 is needed for connections to a VPN as the other network is adopted as another LAN to be used and often the assigned address is not used, using instead the 0.0.0.0 until after several connections then the assigned address will be used.
    The loopback (127.0.0.1) has no opportunity to make such external connections to the dhcp server whereas the 0.0.0.0 does. This is where the 0.0.0.0 is required and is special - it is internally used in the windows and used in the local area network. But never to the actual internet!
    The 0.0.0.0 will only connect to the lan and is used merely for local identification (along with the MAC and some broadcasts to and from the dhcp server).

    The loopback will connect to the non route (0.0.0.0) and the non route connect to the loopback.
    But only for some of the important windows processes and for internally looped applications.
    Think of it this way - a server and an access, depending on which is remote and local and which directions, if the process is using both at the same time.


    The Listen is just that - it listens but goes nowhere, whereas the established is actively in use and Time Wait has been established and has stopped but maybe will be re-established.

    2). Yes. The loopback and non route (0.0.0.0) and your adapter's address are all considered local addresses.
    If you disable some un-needed services and daemons, you may see fewer adaptor addresses in the netstat results. Your adaptor address or the assigned IP is a proper indication of actual outgoing connections to either the LAN or the internet.

    3). Foreign addresses include the localhost addresses.
    There are "server" and "access" connections internally in the windows, and even though these are going to and from each other internally, the remote address of the windows itself is the remote address.

    Here is mine at "work" as I replied:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SkyRider>netstat -anob

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 127.0.0.1:8118 0.0.0.0:0 LISTENING 1908
    [privoxy.exe]

    TCP 127.0.0.1:2759 127.0.0.1:8118 ESTABLISHED 932
    [Opera.exe]

    TCP 127.0.0.1:2760 127.0.0.1:8118 ESTABLISHED 932
    [Opera.exe]

    TCP 127.0.0.1:2764 127.0.0.1:8118 ESTABLISHED 932
    [Opera.exe]

    TCP 127.0.0.1:8118 127.0.0.1:2760 ESTABLISHED 1908
    [privoxy.exe]

    TCP 127.0.0.1:8118 127.0.0.1:2759 ESTABLISHED 1908
    [privoxy.exe]

    TCP 127.0.0.1:8118 127.0.0.1:2764 ESTABLISHED 1908
    [privoxy.exe]

    TCP 192.168.0.12:2762 199.93.63.126:80 ESTABLISHED 1908
    [privoxy.exe]

    TCP 192.168.0.12:2763 199.93.63.126:80 ESTABLISHED 1908
    [privoxy.exe]

    TCP 192.168.0.12:2765 199.93.63.126:80 ESTABLISHED 1908
    [privoxy.exe]

    TCP 127.0.0.1:8118 127.0.0.1:2756 TIME_WAIT 0
    TCP 127.0.0.1:8118 127.0.0.1:2758 TIME_WAIT 0
    UDP 127.0.0.1:123 *:* 804
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]

    UDP 192.168.0.12:123 *:* 804
    c:\windows\system32\WS2_32.dll
    c:\windows\system32\w32time.dll
    ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    [svchost.exe]


    C:\Documents and Settings\SkyRider>
    <hr>

    Notice the port 8118 connections in this one?
    Opera sends out to the Privoxy on its port 8118, and Privoxy sends out to Opera from its own port 8118.
    In this sense, the Privoxy is a "server" but all these are within the localhost addresses.
    Only the Privoxy actually connects to the internet using the remote port 80 for the http connections acting as a proxy for the Opera requests.

    See this thread, where WebWasher Classic is the localhost proxy (port 8080) and with the proxifying web scanner of the antivirus. It has a more detailed netstat and the port 8080 active in the local host connections are more plainly seen:

    http://forum.zonelabs.org/zonelabs/b...essage.id=4686



    Best regards.
    Oldsod.

    Message Edited by Oldsod on 10-18-2008 04:53 AM
    Best regards.
    oldsod
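
An added example, not part of any post in this thread: a short Python sketch that parses `netstat -ano` rows like those in post #1 and sorts the open sockets by what their local address is bound to. It treats 0.0.0.0 as a bind on all interfaces, 127.0.0.1 as loopback-only and the adapter address as a single interface; the sample rows are copied from the listing in post #1, the function names are illustrative, and only IPv4 rows are handled.

```python
import ipaddress

# Constructed sample: a subset of the rows from the listing in post #1.
SAMPLE = """\
Proto  Local Address      Foreign Address    State        PID
TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    888
TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
TCP    10.0.0.44:139      0.0.0.0:0          LISTENING    4
TCP    10.0.0.44:2775     69.26.188.50:80    ESTABLISHED  4016
TCP    127.0.0.1:1025     127.0.0.1:2772     TIME_WAIT    0
TCP    127.0.0.1:1027     0.0.0.0:0          LISTENING    2552
UDP    0.0.0.0:500        *:*                             652
UDP    10.0.0.44:1900     *:*                             416
UDP    127.0.0.1:123      *:*                             928
"""

def parse(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output (IPv4 only)."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a module/[image] line from -b
        # UDP rows have no State column: Proto, Local, Foreign, PID
        state = f[3] if f[0] == "TCP" else ""
        host, _, port = f[1].rpartition(":")
        yield {"proto": f[0], "host": host, "port": int(port),
               "foreign": f[2], "state": state, "pid": int(f[-1])}

def scope(host):
    """Classify a local address by the interfaces the socket is bound on."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "all-interfaces"   # 0.0.0.0: wildcard bind
    if ip.is_loopback:
        return "loopback-only"    # 127.0.0.1: same machine only
    return "one-interface"        # adapter address, e.g. 10.0.0.44

def exposed_listeners(text):
    """Open sockets another host could reach if no firewall filtered them."""
    out = []
    for r in parse(text):
        # A TCP listener, or a bound UDP socket (foreign address *:*)
        is_open = r["state"] == "LISTENING" or r["foreign"] == "*:*"
        where = scope(r["host"])
        if is_open and where != "loopback-only":
            out.append((r["proto"], r["port"], where, r["pid"]))
    return out
```

The PIDs in the result can be matched against `tasklist /svc` to see which service owns each socket before deciding whether it is needed.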

  3. #3
    runninbull Guest

    Re: Netstat Results, Local/Foreign Addresses, System

    Thanks for your thorough response and the time you spent explaining this. I find a lot of the networking topics documented confusing.
    It sounds like I have a lot of extra services turned on that I am not using. I saw some other posts in the forum about windows hardening. I might give those a look and post a follow up.
    Another question along these lines, looking at the process IDs, the "user" listed ranges from my username along with "local service", "network service" and "system". Is this normal?
    Runninbull

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Netstat Results, Local/Foreign Addresses, System

    Some of those unwanted services and daemons I would definitely disable, but any others should be left alone.
    Very often disabling some services can backfire or have repercussions later on with installed applications/window aspects and with newer installations of programs.
    Unless you absolutely know for certain what you are doing or are an "expert"
    For some help or guide see:

    http://www.theeldergeek.com/services_guide.htm

    http://www.blackviper.com/WinXP/servicecfg.htm

    Users are basically described as the Local system being the least secure as this has access to local resources. Local Service and Network Service have limited privileges.
    See:

    http://msdn.microsoft.com/en-us/libr...90(VS.85).aspx
    http://msdn.microsoft.com/en-us/libr...88(VS.85).aspx
    http://msdn.microsoft.com/en-us/libr...72(VS.85).aspx

    Changing the Service Configuration:
    http://msdn.microsoft.com/en-us/libr...87(VS.85).aspx
    Really complicated and it is much easier to use the Process Explorer from MS to do changes:

    http://technet.microsoft.com/en-us/s.../bb896653.aspx

    This tool has numerous nooks and crannies... open the Properties of the image name and open the Security tab and follow through with the permissions to make your changes. This is an amazing tool with many features and options.
    I would also recommend the Process Monitor and AutoRuns from the same site.

    The MS "bible" on the services and service accounts:

    http://www.microsoft.com/technet/sec...ch02.mspx#EFAA

    Best regards.
    Oldsod.
    Best regards.
    oldsod
