
Curious about this behavior ...


9 replies to this topic

#1 MakeItBetter


Posted 15 March 2014 - 08:43 PM

I've been a happy user of search everything ...

 

...but as I've been digging deeper into computer stuff, I noticed in the resource monitor that everything was accessing the web...

 

...it's a disk indexing tool, so I don't quite understand what the need is ...

 

Well, today I downloaded and installed tcpview...

 

And noticed some odd behavior...

 

First, I noticed the system process (pid 0) is enumerating the ports in some sort of loopback mode... (that is, ip 127.0.0.1) - as you can see in the #1 attachment

 

Second, then I discovered that the remote port system process is also the "remote port" that Everything is also using (with a curious set of connections which look like they are talking to one another...)

 

(I cleaned up the processes a bit, but this is a quick view showing how everything is connected to the same remote port)

 

...as you can see in the second file attachment

 

I quit everything, but the processes appeared to remain open ... so I finally just closed the connections and killed everything ...

 

As another experiment, I closed chrome and then relaunched without opening any new tabs (so only one tab was open)...and was a bit surprised to see the number of connections (as you can see in attachment #3)...

 

I assume some of these connections are to my password manager...but it has me curious about all the others...

 

Can anyone shine some light on these goings on?  I mean, I've run everything thru virustotal any number of times with no av complaining...and everything has been written about a fair amount on the web...but I've not seen anyone write about its accessing the web...

 

Cheers!

 

Jann


 


#2 CaveDweller2


Posted 16 March 2014 - 12:27 AM

Everything is not leaving your system. The IP addresses local and remote are 127.0.0.1. I'm assuming no one has mentioned it because it's not leaving the PC.

 

What web page was open on your single tab of Chrome? It was https.


Edited by CaveDweller2, 16 March 2014 - 12:28 AM.

Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 MakeItBetter


Posted 27 March 2014 - 10:29 AM

Thanks, CaveDweller2...

...sorry I didn't get back to you sooner...I don't recall what was open in chrome -- I'm assuming it's whatever the default startup page is that comes up in chrome. (I don't use chrome all that much.)

However, I see I made a comment about the possibility of it being my password keeper (lastpass).

 

But even if the data is not leaving NOW, the fact that everything enumerates the ports ... why does it need to do that?

 

And just because it isn't currently sending data...doesn't mean that it doesn't at some other time.

 

Why does everything need to access the web at all?

 

Thanks,

 

Jann



#4 CaveDweller2


Posted 27 March 2014 - 12:34 PM

Ports are part of how computers work so that is normal. It's not accessing the web. 127.0.0.1 is your card, why it does this? I have no idea. Ask the people that made it.

 

As long as both Local and Remote are 127.0.0.1, nothing is even leaving your computer let alone going out on the net.


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College


#5 easyrider2


Posted 27 March 2014 - 03:08 PM

Hi MakeItBetter,

 

I cannot see anything concerning in your screenshots.

 

Imagine that you open a few different web browsers (e.g. Chrome, Mozilla Firefox and Internet Explorer) and then open different YouTube videos on each of them. How would your computer know which video to play in which browser? The IP addresses of your PC and the YouTube server are exactly the same for each of the sessions with YouTube for each browser. The way for your computer to differentiate which data goes to which tab / browser is by using different ports.

 

Port 80 means web browsing using http, port 443 means web browsing using secure http (https), as mentioned by CaveDweller2, 127.0.0.1 means that your pc is communicating with itself and this is normal.

 

Hope this helps ;)



#6 MakeItBetter


Posted 27 March 2014 - 03:35 PM

easyrider2 ...

 

Your example doesn't QUITE hold water...

 

...If I have multiple browsers open, along with multiple youtubes playing...they would ALL go thru port 80...

 

(but it does make for a good metaphor...but just not precisely how different browsers and web pages manage to keep from being "mixed up" ... at least not at the port level shown in the tcpview software.)

 

There are other ways in which the web traffic is disambiguated rather than via the tcp/ip ports, which "generally" respond to specific kinds of protocols...

 

...80 for http

...443 for https

 

...as CaveDweller2 indicated above ...

 

25 frequently for mail

another for ftp...

another for ssh

 

etc.

 

So, I understand tcp/ip ports in general -- I may not be an expert, but I get the general idea and have used many different ones over time...the real concern to me is the port-scanning I saw going on...

 

...and I have some idea of loopback mode...but had more concern about nuances...those sneaky ways in which crackers make things look okay when they are not... :)

 

...and was curious if anyone else had seen anything similar ...

 

Do appreciate both of you reaching out and responding, though.

 

Cheers!

 

Jann



#7 CaveDweller2


Posted 27 March 2014 - 04:44 PM

Weeee networking lessons:

 

NAT - Network Address Translation = taking lots of private addresses and fooling an ISP that you only have 1 IP address. Example - At your home you have a home router that is either your modem as well or it's connected to your modem; either way, on your home side of the router everything is 192.168.x.x (normally), and on the outside it is something like 208.25.68.145. NAT is the umbrella.

 

hmm...how to explain this - PAT - Port Address Translation = as you've seen, programs on your computer get assigned ports. There are over 65000 of them. But for networking these ports are combined with the IP address to make each computer program unique to the PC they're on. This is what lets NAT work, this is the ribs of the umbrella. So if someone else and you both go to the net at the same time on your network, how does that work? Each instance of web traffic you have open = a different port. And the router + your PC keep track of that. If you want to see it on your PC, open a few web pages and at a command prompt type netstat -a, press enter, and all the connections on your PC will open. Now close a website and type it in again. Some will be ready to close or closing; type it in again and they'll be closed.

 

You'll also notice on the right side your IP address will be something like 192.168.1.80:55912 (that just so happens to be one on mine right now) - that is your combined IP address + port number for that connection. But don't let that screen scare you lol


Hope this helps

Associate in Applied Science - Network Systems Management - Trident Technical College
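
The check discussed in this thread (when both the Local and Remote address are 127.0.0.1, the traffic stays on the PC), applied to netstat output, as an added example that is not part of any post. The sample rows are constructed in the layout of Windows `netstat -ano` output (`-n` for numeric addresses and `-o` for the owning PID are added to the `netstat -a` mentioned above); the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano` (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49160        127.0.0.1:49161        ESTABLISHED     2140
  TCP    127.0.0.1:49161        127.0.0.1:49160        ESTABLISHED     2140
  TCP    127.0.0.1:49170        127.0.0.1:49171        ESTABLISHED     3312
  TCP    127.0.0.1:49171        127.0.0.1:49170        ESTABLISHED     3312
  TCP    192.168.1.80:55912     203.0.113.10:443       ESTABLISHED     3312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    [::1]:49180            [::1]:49181            TIME_WAIT       0
"""

def split_endpoint(text):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse(output):
    """Yield (local, remote, state, pid) for each TCP row; skip headers."""
    for line in output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield split_endpoint(f[1]), split_endpoint(f[2]), f[3], int(f[4])

def classify(output):
    """Sort rows into loopback pairs, other on-host rows, and off-host rows."""
    rows = list(parse(output))
    seen = {(l, r) for l, r, _, _ in rows}
    report = {"loopback_pairs": [], "local_only": [], "off_host": []}
    for local, remote, state, pid in rows:
        if state == "LISTENING":
            continue  # a listener has no peer yet
        if local[0].is_loopback and remote[0].is_loopback:
            # Both ends are on this machine. A loopback connection shows up
            # twice, once per end; report each mirrored pair a single time.
            if (remote, local) in seen and local[1] < remote[1]:
                report["loopback_pairs"].append((pid, local[1], remote[1]))
            elif (remote, local) not in seen:
                # e.g. a closed socket in TIME_WAIT, which Windows lists under PID 0
                report["local_only"].append((pid, local[1], remote[1]))
        else:
            report["off_host"].append((pid, str(remote[0]), remote[1]))
    return report

if __name__ == "__main__":
    for kind, items in classify(SAMPLE).items():
        print(kind, items)
```

Only the rows under `off_host` involve another machine; the paired loopback rows are the two ends of one on-host connection, which is why they appear to be talking to one another.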


#8 MakeItBetter


Posted 27 March 2014 - 04:59 PM

Lapping it up!  Thanks, CaveDweller2!

...my understanding is that if you use tcpview, it gives you a "live" version of netstat ...so you can see the changes in real time (well, almost real time...)...though I haven't dug into the differences in the information each provides...I don't recall seeing the info past the ip address as you describe above ... but it's been a bit since I dipped into looking at tcpview ... other things have kept me occupied...

 

THANKS yet again!


Edited by MakeItBetter, 27 March 2014 - 05:02 PM.


#9 easyrider2


Posted 28 March 2014 - 04:13 AM

Hi,

 

I was thinking about the local ports, not the remote ones ;)

 

Hope all works ok for you.



#10 MakeItBetter


Posted 28 March 2014 - 11:06 AM

> Hi,
>
> I was thinking about the local ports, not the remote ones ;)
>
> Hope all works ok for you.

Ahhh....I see what you are saying...my bad.  Your response clarified a LOT, so thanks!





