TCP Connection - Established

John

I am using W2K Workstation, not joined to a domain, i.e. standalone. I
use an ADSL connection to the internet.

I ran netstat -a -n to see the connections that existed and there was a
connection with status "established" that got my attention.

Netstat shows

TCP mynumericIPaddress:1525 207.33.111.82:8195 Established

The interesting thing is that the connection remains even if my Sygate
personal firewall is "blocking all traffic".

I also made a rule to block traffic (in or out) on TCP to remote port
8195 with any packets logged. There were no packets, suggesting this
connection was not generating any traffic.

I downloaded a "whois" utility and searched 207.33.111.82 and the result
was "no such address".

It seems to be something happening inside my machine only, but I thought
netstat only reported external connections.

Can anyone explain?

Thanks

John.
 
Steven Umbach

Port 1525 tcp is shown as used by Oracle applications in some port charts.
Downloading and using TCPView from SysInternals will help by mapping ports to
process/application and right clicking the process will give more information.
If you have not done a spyware/parasite scan you may also want to do that as it
could be spyware. SpyBot Search and Destroy in advanced mode/tools also will
show processes and startup applications that may also shed some light on what
the mystery port usage is. I believe Sygate may even be able to map ports to
processes and has a traceback function via the logs. It definitely looks like a
connection to an external address because of the address 207.33.111.82. ---
Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://www.safer-networking.org/
 
jmkanes

Thanks Steve. I got a copy of TCPView and used it to identify the
process involved. It's the firewall! Sygate personal firewall pro.

Hmmm. I will try to contact Sygate and get their explanation. When I
get it I will let you know what it was.

Strange stuff.

Thanks again.

John.
 
Oli Restorick [MVP]

Just for any Windows XP and Windows Server 2003 folk who may be reading,
there's a new -o switch in netstat that will tell you which process is
responsible for each row of the output.

Oli
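As an added example that is not part of the thread, the following Python script does by hand what Oli describes: it parses the output of `netstat -a -n -o` (the PID column the new -o switch adds), joins each row with a PID-to-image-name map as `tasklist` would report it, and reports only ESTABLISHED connections whose remote end is a globally routable address. The netstat sample and the process names are constructed for the example; the 207.33.111.82:8195 row mirrors the connection from the thread.

```python
import ipaddress

# Constructed sample of `netstat -a -n -o` output (Windows XP / 2003 format);
# the 207.33.111.82:8195 row mirrors the connection discussed in the thread.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:1525      207.33.111.82:8195     ESTABLISHED     1336
  TCP    192.168.1.10:1540      192.168.1.1:80         ESTABLISHED     2044
  TCP    127.0.0.1:1042         127.0.0.1:1043         ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it (hypothetical names).
PROCESS_BY_PID = {812: "svchost.exe", 1336: "firewall.exe", 2044: "iexplore.exe", 4: "System"}


def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections" banner
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def is_external(addr):
    """True when the host part of 'host:port' is a globally routable address."""
    host = addr.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # '*' or a non-numeric host


def established_external(text, procs):
    """ESTABLISHED connections to external hosts, joined with the owning process."""
    return [
        {"remote": r["remote"], "pid": r["pid"], "process": procs.get(r["pid"], "<unknown>")}
        for r in parse_netstat(text)
        if r["state"] == "ESTABLISHED" and is_external(r["remote"])
    ]
```

Loopback and RFC 1918 peers are dropped, so the only row reported is the 207.33.111.82 connection together with the process that owns it, which is the question the thread set out to answer.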
 
John

Steve,

The mystery is solved. I used Internet Explorer to try to connect to
207.33.111.82. That failed, but it triggered a popup from my firewall
advising that this address was trying to make contact with ntoskrnl on
my machine, and did I want to allow the connection.

Since the mystery connection had *never* left any tracks in my firewall
log (which would allow me to back trace it) I said "yes" to the firewall
in order to leave a backtraceable track in the firewall traffic log.

No need to backtrace - the address shows in the traffic log as
"ssupdates.sygate.com". The connection is used to determine if my
firewall is up to date, version and patch wise. The firewall doesn't
report the connection to reduce the "noise factor" I guess.

I'm happy again. Thanks again for your help on the issue, and a general
thank you for your input to this board.

John.
 
Steven L Umbach

Hi John.

Excellent and thanks for posting back. Now you know how to track these
issues down. Sygate has a lot of neat features, especially with its logging
capability. Glad to help. --- Steve