What are these ports?

TC

Hello,

I was wondering if someone might be able to help me with a few
netstat questions.

Doing netstat I get this:

Proto Local Address Foreign Address State
TCP earth:1043 localhost:2042 TIME_WAIT
TCP earth:1043 localhost:2043 TIME_WAIT
TCP earth:2041 localhost:1043 TIME_WAIT

Doing netstat -a I get this

Proto Local Address Foreign Address State
TCP earth:daytime earth:0 LISTENING
TCP earth:time earth:0 LISTENING
TCP earth:epmap earth:0 LISTENING
TCP earth:microsoft-ds earth:0 LISTENING
TCP earth:3389 earth:0 LISTENING
TCP earth:1028 earth:0 LISTENING
TCP earth:1043 earth:0 LISTENING
TCP earth:netbios-ssn earth:0 LISTENING


UDP earth:daytime *:*
UDP earth:time *:*
UDP earth:ntp *:*
UDP earth:microsoft-ds *:*
UDP earth:isakmp *:*
UDP earth:1026 *:*
UDP earth:1287 *:*
UDP earth:3434 *:*
UDP earth:4500 *:*
UDP earth:1773 *:*
UDP earth:1850 *:*
UDP earth:1900 *:*
UDP earth:netbios-ns *:*
UDP earth:netbios-dgm *:*
UDP earth:1900 *:*


I understand what Proto means and what local address and the state
mean. Except what is time_wait and the *.*

More importantly, what are the ports? What's running on what and what
does it do? How do I close them, stop them, stealth them out and all
those fun things?

I've looked some things up and I'm not finding too much info besides
that such and such might use it, but the such and such are trojans and
worms and all the fun nasties. But these ports have been open since
reinstalling XP Pro.

Any thoughts?

Thank you,

TC
 
Bob S.

TC,

Take a look at www.grc.com and snoop around a bit. Do the port probe test
"Shields Up" then when you see the results screen you can scroll down and
see any vulnerabilities plus read about all the ports. A simple search on
Google for "TCP Ports" will get you about a gazillion hits.

Bob S.
 
TC

Bob,

Thank you for the info. I have taken a look at grc.com but
with the ports I have listed it didn't seem to help too much; at most it
had a name.

Do you or anyone else have any other information?

Thank you,

TC
 
Jack

Hi

You did not indicate the nature of your system.

In a network setting ports might be open locally for Network and application
purposes. Nothing is wrong with it.

However if ports are open to the Internet it might be a problem.

The GRC site has a page that scans your system through the Internet and lets
you know the status of the ports as reflects to the Internet.

More here:

Cable/DSL Routers, NAT & Ports - http://www.ezlan.net/routers1.html

Internet - Basic protection: http://www.ezlan.net/firewall.html

Internet Infestation: http://www.ezlan.net/infestation.html

Basic Steps in cleaning Internet "Junk" - http://www.ezlan.net/clean.html

Jack (MVP-Networking).
 
TC

Hi Jack,

Well, I'm running XP Pro with Norton Anti-Virus and using its
equivalent to MS Firewall instead of MS Firewall.

The computer is behind a router/firewall which does NAT and PSI.
I have run GRC and several others who say ports are stealth.

While my understanding is that these are probably ports open for local
things, it still bugs me that MS has these ports open and doesn't
make it easy to find out what they do and all the ins and outs of them
or how to shut them off and the ramifications.

The other reason is, while admittedly it's on a home network, not everyone
here keeps smart about what they are downloading, so I want to secure
my system to protect myself from their stupidity.

I'll take a look at the sites you provided but I am looking for a bit
more insight.

Thank you again. BTW: What is MVP-Networking?

TC
 
Ken Wickes [MSFT]

TIME_WAIT is a TCP thing. Basically when a computer closes a connection
properly it keeps the connection around long enough to make sure the close
handshaking goes through. I think it's like two minutes.

re: *.*. Unlike TCP, UDP doesn't maintain an active connection, it's
either open or closed. So there is no remote address to supply, the packets
can come from anywhere.

It would be nice if there was a master list of what each port was for, but
it would just be a convention. Nothing guarantees that I'm talking SSDP on
port 1900. netstat -o will give you the process id of the module owning the
socket. That's probably more interesting.
 
TC

Ken,

Thank you for the reply. I hope you have some extra time to
answer a follow-up question or more :)

But more importantly, THANK YOU for telling me about netstat -o;
that has helped me track down more information so I can ask more
directed questions.

First, I have seen the Time Wait sit there forever or till I
shut down my computer, whichever comes first. I usually need to block it at
an external firewall or play with my hosts file so that it can't ever
connect in the first place. Why is that?

Ok,

The only protocol I am running right now is the TCP/IP suite.
I got rid of the client for file/printer sharing. I have no simple
network services (or however MS words it) from the components on the
CD.
So I am trying to figure out why daytime, time, and ntp are
there. I do have MS NTP client turned off.
What is epmap?
what is microsoft-ds?
netbios-ssn?
netbios-dgm?
netbios-ns?

Since I am not using NetBios why does it seem that the ports are open?

I'm trying to figure out port 1026 and 1030.
1026 seems to be alg.exe
1030 seems to be ccApp.exe

Anyone have any idea what these are?

Ports 1034 and 1455 are svchost.exe.
Port 3434 is ddusrv.exe, which I believe is a client that I use, and I'm
going to be e-mailing the author about that now.


Now, as far as XP is concerned, is there a way to shut down (stealth or
close) these ports? If so, can you point me in the right direction
on the ramifications?

Thank you,

TC


Active Connections

Proto Local Address Foreign Address State
TCP earth:daytime earth:0 LISTENING
TCP earth:time earth:0 LISTENING
TCP earth:epmap earth:0 LISTENING
TCP earth:microsoft-ds earth:0 LISTENING
TCP earth:1026 earth:0 LISTENING
TCP earth:1030 earth:0 LISTENING
TCP earth:netbios-ssn earth:0 LISTENING

UDP earth:daytime *:*
UDP earth:time *:*
UDP earth:ntp *:*
UDP earth:microsoft-ds *:*
UDP earth:1034 *:*
UDP earth:1455 *:*
UDP earth:3434 *:*
UDP earth:netbios-ns *:*
UDP earth:netbios-dgm *:*
 
Ken Wickes [MSFT]

Not sure about the time_wait forever thing. It may be that the app is
forgetting to close the socket.

Searching Google will probably give better descriptions for the protocols
than I can give.

Alg.exe supports the Windows Firewall and ICS.

ccApp is not part of Windows as far as I know.

You will still be using NetBIOS locally even if you aren't using it over the
network.

I wouldn't worry too much about the ports as long as the owning process is
legit. Running the firewall should provide adequate protection.
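
Added example, not part of Ken's reply or of the thread: the manual lookup TC did with netstat -o, done in one pass by joining `netstat -ano` output with `tasklist /fo csv /nh` output so every socket that accepts traffic is listed with its owning process and whether it is bound to loopback only. Both inputs below are constructed samples; the PIDs and bind addresses are assumptions, and only the port-to-process pairs come from the thread.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (numeric addresses plus owning PID).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1404
  TCP    127.0.0.1:1043         127.0.0.1:2042         TIME_WAIT       0
  UDP    0.0.0.0:3434           *:*                                    2212
"""

# Constructed sample of `tasklist /fo csv /nh` output; the PIDs are made up.
TASKLIST_CSV = '''\
"System","4","Console","0","216 K"
"ccApp.exe","1404","Console","0","6,020 K"
"alg.exe","1820","Console","0","3,300 K"
"ddusrv.exe","2212","Console","0","2,148 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` text."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def open_sockets(netstat_text, tasklist_csv):
    """Return (proto, port, scope, pid, image) for each socket accepting traffic."""
    names = pid_names(tasklist_csv)
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # column header or blank line
        # TCP rows carry a State column, UDP rows do not; the PID is always last.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # TIME_WAIT, ESTABLISHED etc. are not open listeners
        addr, _, port = f[1].rpartition(":")
        if addr.startswith("127."):
            scope = "loopback-only"
        else:
            scope = "all-interfaces" if addr == "0.0.0.0" else "one-interface"
        pid = int(f[-1])
        found.append((f[0], int(port), scope, pid, names.get(pid, "unknown")))
    return found

if __name__ == "__main__":
    for row in open_sockets(NETSTAT_ANO, TASKLIST_CSV):
        print("%-4s %-6d %-15s %-5d %s" % row)
```

To use it on a real machine, save the output of `netstat -ano` and `tasklist /fo csv /nh` to text files and pass their contents to `open_sockets`; a row whose image comes back as "unknown" or whose scope is "all-interfaces" is the one to look into first.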
 
