Posted by Sebastian Gottschalk on January 30, 2007, 5:32 pm
warf wrote:
> Sebastian Gottschalk wrote:
>> warf wrote:
>>
>>> I have been trying to learn as much as I can about internet 'security'
> snip diatribe and gratuitous snarling....
>>> to get a better feeling for what data is leaving my home,
>
>> Eh... is that any serious problem at all?
> [...]
> or if subversion of your connection for nefarious purposes is
> 'problematic': then, YES.
Subversion of your connection implies malicious software. There's nothing
you can do against this except to ensure that it doesn't get executed in
the first place. Once it's running, you've lost.
>>> when I allow ZA to allow T-bird to act as a server
> snip.......
> Restated "When I run T-bird ZA tells me T-bird wants to access the
> internet and act as a server."
Then uninstall this software. It's obviously talking nonsense.
>>> For eg; If I allow scvhost to access 0.0.0.0 when firefox2.0 opens I
>>> notice randomly ports assigned to URLs or IP addresses.
>>
>>> and firefox always has 4 connections local and 4 remote open in addition
>>> to the URL I am browsing????
>
>> *repeating the thousandth time*
>> 'netstat' on Win2K provides a view on the state of the *TDI interface*, not
>> the actual TCP/IP sockets. The TDI interface has different semantics, and
>> something appearing as 0.0.0.0 listening means "an outstanding request to
>> open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
>> If you had just taken the simplest measures to actually verify such bogus
>> open ports with a port scan, you'd have found them closed.
>
> I am using Ethereal
Fine, then why don't you provide a dump of which traffic you see and what's
unclear to you?
> and there is traffic...
Let's hash this together:
If a socket is not in LISTENING state, even though TDI says so, then all
incoming traffic to that port gets a TCP RST as reply. Nothing more.
If you're actively sending data on this port, it should be in the OPEN
state and TDI just gets it wrong as well.
If you're passively sending data on this port really being in LISTENING
state, then it can't be on 0.0.0.0, but must be bound to an interface. (An
exception would be Raw Sockets, but this almost never applies.)
In any case, TDI gets it wrong. Thus, there is traffic, but no port in
LISTENING state.
> I reassembled the TCP/IP stream and saw in
> one instance it was a ZA update. This concurs with the stated utility
> of those servers. I read conflicting ideas as to the scope of the AKAMAI
> servers and wondered why I would be 'uploading' to them as well...with
> optout selected for all products 'satisfaction' reports.
This "upload" is either the requests for the download or the ACKs of the
connection.
Unless we once again caught ZoneAlarm spying on the users.
>>> I have checked many netstat resources to no avail...help?
>>
>> MSDN... Ah, might just be better to get a replacement which works like the
>> real netstat command, f.e. TcpView from Sysinternals^W Microsoft.
>
> Now I have to spracken ze duetch. That is exactly what I needed but the
> language for the links is all German!!! Damn.
Ehm... now why don't you grab TcpView?
> Briefly: How does one interpret the 'listening', 'waiting',
> 'established' and all the other port information netstat lists?
Read RFC 793. On page 21 you'll find a wonderful ASCII art illustration.
> Eastlink is very coy and stingy with 'what services and ports I require'
As a client you don't require any services at all.
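
Added example (not part of the original posts): one way to run the check suggested above, taking the ports that netstat-style output reports as LISTENING and attempting a TCP handshake to each on the loopback address, so a port that answers with RST is reported as closed. The sample netstat text and all function names are constructed for illustration.

```python
import socket

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       203.0.113.7:80         ESTABLISHED
"""

def listening_ports(netstat_text):
    """Return the local TCP ports that the listing reports as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return sorted(ports)

def probe(port, host="127.0.0.1", timeout=1.0):
    """Try a TCP handshake: 'open' if accepted, 'closed' if refused (RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"       # the stack answered the SYN with RST
        except OSError:
            return "no reply"     # timeout or filtered, e.g. by a firewall

def verify(netstat_text, host="127.0.0.1"):
    """Map every port reported as LISTENING to what a handshake actually shows."""
    return {port: probe(port, host) for port in listening_ports(netstat_text)}

if __name__ == "__main__":
    # Checks this machine's loopback address only.
    for port, state in verify(SAMPLE_NETSTAT).items():
        print(f"TCP {port}: reported LISTENING, handshake says {state}")
```
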