
question about firewall log entry


5 replies to this topic

#1 mrjonesnme2010


Posted 30 April 2010 - 05:31 PM

First let me preface by saying I have posted this question elsewhere, so participants here may have seen it before. If so, feel free to pass on by. I'm just trying to get some different perspectives.

My specifics: 1 PC desktop with DSL modem, not router.
Vista Home Premium 32 bit OS with Vista Service Pack 2
Use Norton as my security product, with on-demand scanners from Malwarebytes, Spybot, and Windows Defender

Here is my issue:
When I look at my firewall logs, I see the entry
port blocking allowed 192.168.0.1(8)

This entry appears every 5 minutes or so from the time my computer boots up.

Now my network shows only 1 PC and all my security scans show clean. My firewall works because I do get entries where port blocking blocks unsolicited IP addresses.

Now my ISP is AT&T and I'm in a major US metro area. I know that if I shut down my computer for more than 8 minutes, I will get a new IP address upon start up. So they seem to rotate IP addresses rapidly.

Just wondering what this means. My initial thought is that it is my DSL modem "talking" to my computer to let it know that the link between them is established and established and established.

Just not sure why the entry appears every 5 minutes, and not sure what the (8) means in 192.168.0.1 (8).

Thanks in advance


#2 Darth sidious


Posted 02 May 2010 - 05:57 AM

That looks like an IP address of a router or modem; it may be your modem. Open a cmd prompt and type ipconfig; that should bring up your connection.
HP Compaq 6715b Notebook--AMD Turionx2 2.2Ghz 64 Mobile TL-64--4GB DDR2 667Mhz--Compaq 6715b--fujitsu siemens 500GB sataII Internal, Toshiba 1TB EXT HD Backup--IGP ATI Radeon x1250 128MB--Broadcom a\b\g Wlan adapter built in, Sonicwall TZ100, Dlink DSL 2740b--Windows 7 Ultimate 64-bit and linux ubuntu dual boot--Firefox 4.0 &IE8--Eset Firewall--Nod32 antivirus & Spyware Doctor--Malwarebytes anti malware.

#3 tos226


Posted 02 May 2010 - 11:01 PM

Doesn't Norton have a Help file where they explain how to read the logs?

Could be port 8, unlikely since it is unassigned in the IANA list.
Could be exterior gateway protocol#
Could be ping to keep the connection alive, ICMP type 8 - Echo request. If it's incoming, then your computer will issue ICMP type 3 which is a reply to ping or Echo Reply. If it's outgoing, then it is your computer pinging the modem. You didn't tell what your IP is so it's all guesswork on my part. If default, it's 192.168.0.100. You also did not tell whether it's outgoing or incoming communication.
Anyway, the 192.168.0.1 address sounds like the address of your NAT modem, which is the gateway to the outer world, and most likely it's all perfectly normal.

Edited by tos226, 02 May 2010 - 11:03 PM.
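
The candidate readings of the trailing "(8)" discussed in this thread (port, IP protocol number, ICMP type), as an added example that is not part of the original posts: it parses an entry of the shape quoted in the first post and reports each reading, plus whether the source is the local gateway, another RFC 1918 address, or external. The field meanings, the `blocked` action word, and the names `interpret`, `ENTRY_RE` and `origin` are assumptions; Norton's actual log format is not documented on this page.

```python
import ipaddress
import re

# Entry shape quoted in the thread: "port blocking allowed 192.168.0.1(8)".
# Assumption: "<rule text> <action> <IPv4>(<number>)", action "allowed" or "blocked".
ENTRY_RE = re.compile(
    r"^(?P<rule>.+?)\s+(?P<action>allowed|blocked)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\((?P<num>\d+)\)$",
    re.IGNORECASE,
)

# Small excerpts of the IANA registries, enough for the readings discussed here.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 8: "EGP", 17: "UDP"}
# Checked explicitly: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def interpret(line, gateway=None):
    """Parse one entry and return the candidate meanings of the trailing number."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised entry: {line!r}")
    addr = ipaddress.ip_address(m["ip"])  # raises ValueError on e.g. 999.1.1.1
    num = int(m["num"])
    if gateway is not None and addr == ipaddress.ip_address(gateway):
        origin = "local-gateway"
    elif any(addr in net for net in RFC1918):
        origin = "local-other"
    else:
        origin = "external"
    return {
        "action": m["action"].lower(),
        "source": str(addr),
        "origin": origin,
        "as_icmp_type": ICMP_TYPES.get(num, "not in excerpt"),
        "as_ip_protocol": IP_PROTOCOLS.get(num, "not in excerpt"),
        "as_port": num,
    }


if __name__ == "__main__":
    samples = [
        "port blocking allowed 192.168.0.1(8)",   # from the first post
        "port blocking allowed 192.168.0.1 (8)",  # spacing variant from a later post
        "port blocking blocked 203.0.113.7(8)",   # constructed; TEST-NET-3 address
    ]
    for s in samples:
        print(interpret(s, gateway="192.168.0.1"))
```
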


#4 mrjonesnme2010


Posted 03 May 2010 - 06:11 PM

First, thanks to you both for responding.

Yes, the 192.168.0.1 is my DSL modem. It is not my IP address.

The connection is an inbound action through the firewall. In fact, when this happens, the firewall entry will read

port blocking allowed 192.168.0.1 (8)

TOS226,
when you say

Could be ping to keep the connection alive, ICMP type 8 - Echo request. If it's incoming, then your computer will issue ICMP type 3 which is a reply to ping or Echo Reply. If it's outgoing, then it is your computer pinging the modem. You didn't tell what your IP is so it's all guesswork on my part. If default, it's 192.168.0.100. You also did not tell whether it's outgoing or incoming communication.

I think it is incoming, as it appears to come into my system as evidenced by the port blocking allowed message, so what you said about keeping the connection alive makes sense. But I do not see any continuous logging of the return reply (reply from the computer to DSL modem). Now at boot up I do see a connection from my computer to 192.168.0.1. But only 1 time.

1. Do you think the (8) in the 192.168.0.1 (8) is standing for the ICMP type 8?

2. So is it normal for the DSL modem to make a connection to the computer like every 5 minutes?

3. This doesn't appear to be some type of hacking, does it?
Thanks in advance

Edited by mrjonesnme2010, 03 May 2010 - 06:14 PM.


#5 tos226


Posted 09 May 2010 - 04:59 PM

If this is ICMP, I suspect it's normal.
I don't use a modem, but have a router. I do see ICMP pings from the router sometimes, usually at startup or resume from standby. More frequently I see ARP (address resolution protocol) in action.
Every few minutes the router sends a query to all devices "who has x.x.x.x IP?", and the box with that IP address replies "Me, here is my MAC address xx-xx-xx-xx-xx-xx", and the computers do the same about other computers, everybody keeps asking everybody else who is where.

If you don't see the outgoing, perhaps you're not logging it in the firewall. Or the firewall is set up to ignore the external pings, which is fine as well, so long as your connection is working.

What do the Norton logs look like besides this one entry? See, I don't have Norton (nor Vista), so a wording such as "port blocking allowed" is not very clear to me. Let's say you go to google, how do the logs read?

Edited by tos226, 09 May 2010 - 05:03 PM.


#6 Stang777


Posted 11 May 2010 - 02:57 AM

Not all ICMP ones are legit. There is nothing on my system to account for any ICMP hits and the only ICMP ones I get that are legit are from AOL and I know which ones those are and not all ICMP hits I get are from them.



