An IP address (Internet Protocol address) is a unique address used to identify a computer and communicate with other computers. Computers can use static or dynamic (DHCP) IP addresses. A static IP address is a number assigned to a computer by an Internet service provider (ISP) and intended to be its permanent (fixed) address on the Internet; thus, it will not change.
A port is an address associated with a particular process on a computer. Ports have a unique number in the header of a data packet that is used to map this data to that process. Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic/Private Ports. Default port values for commonly used TCP/IP services have values lower than 255 and Well Known Ports have numbers that range from 0 to 1023. Registered Ports range from 1024 to 49151 and Dynamic/Private Ports range from 49152 to 65535. An "open port" is a TCP/IP port number that is configured to accept packets while a "closed port" is one that is set to deny all packets with that port number.
"Port scanning" is a technique used by hackers to locate open ports in your computer which they can break into. Malicious programs like viruses and Trojan horses can be introduced into your computer via these open ports. If your PC is sending out large amounts of data, this usually indicates that your system may have a virus or a Trojan horse.
There are third-party utilities that will allow you to manage and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port.
You can use netstat from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
- netstat /? lists all available parameters that can be used.
- netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
- netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
- netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
- netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
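As an added example (not part of the original page), the Python sketch below parses netstat -ano output, labels each local port with the range it falls in as described above, and lists the open endpoints with their PIDs. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto local_addr local_port remote state pid port_class")

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.20:49731     203.0.113.10:443       ESTABLISHED     5512
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2280
  UDP    [::1]:1900             *:*                                    3120
"""

def port_class(port):
    """Classify a port number using the three ranges given in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def parse_netstat(text):
    """Parse `netstat -ano` lines into Endpoint records; skip headers and blanks."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        # UDP rows have no State column, so the PID is the 4th field, not the 5th.
        state = fields[3] if proto == "TCP" else ""
        pid = int(fields[-1])
        # rpartition keeps bracketed IPv6 addresses such as [::]:445 intact.
        addr, _, port = local.rpartition(":")
        endpoints.append(Endpoint(proto, addr, int(port), remote, state, pid, port_class(int(port))))
    return endpoints

def open_ports(endpoints):
    """Return endpoints accepting traffic: TCP in LISTENING state, plus bound UDP ports."""
    return [e for e in endpoints if e.proto == "UDP" or e.state == "LISTENING"]

if __name__ == "__main__":
    for e in open_ports(parse_netstat(SAMPLE)):
        print(f"{e.proto:<4}{e.local_addr}:{e.local_port:<6} pid={e.pid:<5} {e.port_class}")
```

Each PID in the result can then be looked up on the Processes tab in Windows Task Manager, as described for netstat -o.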
You can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity, or various Internet Traffic Monitoring Tools for troubleshooting and malware investigation.
If your firewall provides an alert that indicates it has blocked access to a port, that does not necessarily mean your system has been compromised. Firewall alert messages are a response to unrequested traffic from remote computers. The alert means that your firewall has blocked an attempt from an external host to access a port on your computer that is commonly used by a trojan. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it. These alerts are often classified by the network port they arrive on and allow you to see the activity of what is happening on your firewall. The alerts allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. It is not unusual for a firewall to provide numerous alerts regarding such attempted access
and Zombie computers scour the net and will randomly scan a block of IP addresses. These infected computers are searching for "vulnerable ports" and make repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there.