Networking Forums

This may be a daft question ...

 
 
Mike Faithfull
Guest
Posts: n/a

 
      07-17-2003, 11:25 AM
.... but I've just been looking at my firewall log file (Windows XP Home
Edition V5.1 + Service Pack 1) and noticed that I have several groups of
'dropped packets' from 217.39.173.231. 'Whois' tells me this is a BT Public
Internet Service address - my ISP is NTL and I'm connected via NTL cable.
So why would a BT server somewhere be wanting to talk to my PC in such a
manner that the Firewall disallows it? (You can probably tell I have just
slightly less knowledge than is required to be dangerous ... !)


 
 
 
 
 
Groove
Guest
Posts: n/a

 
      07-17-2003, 11:54 AM
Mike Faithfull said this...
> ... but I've just been looking at my firewall log file (Windows XP Home
> Edition V5.1 + Service Pack 1) and noticed that I have several groups of
> 'dropped packets' from 217.39.173.231. 'Whois' tells me this is a BT
> Public Internet Service address - my ISP is NTL and I'm connected via
> NTL cable. So why would a BT server somewhere be wanting to talk to my
> PC in such a manner that the Firewall disallows it? (You can probably
> tell I have just slightly less knowledge than is required to be
> dangerous ... !)
>
>

Hi Mike. What sort of firewall are you running? Is it possible to give any
further information from the log such as local and remote port numbers?
It could be malicious or it may just be background noise, it's impossible
to tell without more detailed info.


--
º~ dªv¡d ~º
 
 
Mike Faithfull
Guest
Posts: n/a

 
      07-17-2003, 02:04 PM
"Groove" <(E-Mail Removed)> wrote in message
news:Xns93BB83CDBDB22d4v1d@62.253.162.114...
> Mike Faithfull said this...
> > ... but I've just been looking at my firewall log file (Windows XP Home
> > Edition V5.1 + Service Pack 1) and noticed that I have several groups of
> > 'dropped packets' from 217.39.173.231.
> >


> Hi Mike. What sort of firewall are you running? Is it possible to give any
> further information from the log such as local and remote port numbers?
> It could be malicious or it may just be background noise, it's impossible
> to tell without more detailed info.


It's the one built in to XP. It produces a log file called pfirewall.log
that captures certain events. Here's an entry ...

DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384

According to the headings, the data represents:

action, protocol, source IP, destination IP, source port, destination port,
size, tcpflags, tcpsyn, tcpack, tcpwin

I have had similar entries (dropped packets, I mean, I don't know about the
other numbers) from strange places like Poland, Slovenia and Japan.


 
 
Groove
Guest
Posts: n/a

 
      07-17-2003, 05:10 PM
Mike Faithfull said this...
> DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384


> action, protocol, source IP, destination IP, source port, destination
> port, size, tcpflags, tcpsyn, tcpack, tcpwin
>
> I have had similar entries (dropped packets, I mean, I don't know about
> the other numbers) from strange places like Poland, Slovenia and Japan.
>

If I read this correctly, this is something tapping at your port 1433. IIRC
there was a worm a while back that used this port. However, the dropped
packet is good, your firewall is not allowing access.
Hopefully there are wiser heads than mine that can add to this thread, but
in the meantime I would recommend you look at a "proper" firewall for your
system. The XP built-in firewall is very limited in function.



--
º~ dªv¡d ~º
 
 
Rob Morley
Guest
Posts: n/a

 
      07-17-2003, 10:11 PM
In article <v1yRa.13391$(E-Mail Removed)>,
(E-Mail Removed) says...
> "Groove" <(E-Mail Removed)> wrote in message
> news:Xns93BB83CDBDB22d4v1d@62.253.162.114...
> > Mike Faithfull said this...
> > > ... but I've just been looking at my firewall log file (Windows XP Home
> > > Edition V5.1 + Service Pack 1) and noticed that I have several groups of
> > > 'dropped packets' from 217.39.173.231.
> > >

>
> > Hi Mike. What sort of firewall are you running? Is it possible to give any
> > further information from the log such as local and remote port numbers?
> > It could be malicious or it may just be background noise, it's impossible
> > to tell without more detailed info.

>
> It's the one built in to XP. It produces a log file called pfirewall.log
> that captures certain events. Here's an entry ...
>
> DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384


Port 1433 is used by MS SQL Server, so if you're not running that you
needn't worry anyway. It's quite likely that a BTOpenworld customer
(unknowingly) has a worm that is trying to exploit a known vulnerability
in MS SQL Server.

> I have had similar entries (dropped packets, I mean, I don't know about the
> other numbers) from strange places like Poland, Slovenia and Japan.
>

You will see dropped packets whenever something "outside" attempts to
initiate a connection to your machine - any time the firewall thinks
that the packets it receives aren't part of an exchange that you
initiated. They are a result of worms, hackers, badly configured
networks, buggy software ... if they're not getting in you don't need to
worry about them too much.
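
Added example, not part of any post in this thread: a short Python triage of pfirewall.log entries using the column order Mike lists, grouping dropped SYN-only TCP packets by destination port and source. Every line in SAMPLE_LOG except the one quoted in the thread is constructed, and the skipping of leading date/time columns is an assumption about full log lines.

```python
from collections import defaultdict

# Column order as listed in the thread for a pfirewall.log entry.
FIELDS = ("action", "protocol", "src_ip", "dst_ip", "src_port", "dst_port",
          "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin")
# Port-to-service notes; 1433 is the only mapping the thread gives.
SERVICES = {1433: "MS SQL Server"}
# First line is the entry quoted in the thread; the rest are constructed
# samples that use documentation address ranges as sources.
SAMPLE_LOG = """\
DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384
DROP TCP 192.0.2.10 213.104.104.35 3021 1433 48 S 912345678 0 16384
DROP TCP 198.51.100.7 213.104.104.35 1187 445 48 S 55512345 0 8760
DROP UDP 203.0.113.9 213.104.104.35 1026 137 78 - - - -
2003-07-17 11:20:01 DROP TCP 192.0.2.10 213.104.104.35 3022 1433 48 S 912349999 0 16384
"""

def parse_entry(line):
    """Return a dict for one log entry, or None for blanks, comments, junk."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Assumption: a full log line may carry leading date and time columns.
    if len(tokens) >= len(FIELDS) + 2 and tokens[0][0].isdigit():
        tokens = tokens[2:]
    if len(tokens) < len(FIELDS):
        return None
    entry = dict(zip(FIELDS, tokens))
    for key in ("src_port", "dst_port", "size"):
        entry[key] = int(entry[key]) if entry[key].isdigit() else None
    return entry

def is_unsolicited_syn(entry):
    """Dropped TCP packet with only SYN set: an inbound connection attempt."""
    return (entry["action"] == "DROP" and entry["protocol"] == "TCP"
            and entry["tcpflags"] == "S" and entry["tcpack"] == "0")

def summarize(log_text):
    """Map destination port -> sorted list of distinct source IPs probing it."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and is_unsolicited_syn(entry):
            probes[entry["dst_port"]].add(entry["src_ip"])
    return {port: sorted(srcs) for port, srcs in probes.items()}

if __name__ == "__main__":
    for port, srcs in sorted(summarize(SAMPLE_LOG).items()):
        print(f"port {port} ({SERVICES.get(port, 'unknown service')}): {', '.join(srcs)}")
```

Many distinct sources hitting the same destination port, as with 1433 here, is the pattern Rob describes for worm traffic rather than one host singling out this machine.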
 