#31
How do you block an IP address on Windows?
Bram van den Heuvel wrote:
> Given news wrote:
>>> Which means they're *starting* from my machine!
>>
>> Why is your machine communicating with 1e100.net ? I thought that was for crawling web sites. Do you run a web site ? I don't think I've ever casually seen one of my machines communicating with an address like that. I don't run Wireshark all that often, so it's not like I collect daily logs of every packet sent/received.
>
> All good questions. Here is a Wireshark screenshot from when I first noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99 via my router 192.168.1.1 as shown in this screenshot
> http://img4.imagetitan.com/img.php?i...nshot(603).jpg
>
> I don't know how to decipher which process did that since Wireshark just says Info=80-60589 [FIN, ACK] Seq=1 Ack=1 Win=30 Len=0
>
> Here's another screenshot taken at the same time showing an *outgoing* call to 64.4.54.50 from the same other IP addresses, but where the communication goes on for quite a while (and it may have something to do with displaycatalog.mp.microsoft.com which came just before it).
> http://img4.imagetitan.com/img.php?i...nshot(617).jpg
>
> Here is a call to 204.79.197.200 made from my machine.
> http://img4.imagetitan.com/img.php?i...nshot(614).jpg
>
> The only way I know the domains is that I did a "whois" lookup afterward but I was very clear to run nothing when these screenshots were snapped with Windows+PrintScreen.
>
> Other than providing the screenshots, I can't answer any of your questions other than to say I'm probably as normal as anyone is, in that I have a Windows 10 desktop configured probably about as normally as anyone is configured (e.g., no servers).
>
> I don't even know what 1e100.net means when you ask me. Is that one of the domains of one of the IP addresses I found going out?

My advice, your next Windows tool would be TCPView. The program name is on the left.

https://docs.microsoft.com/en-us/sys...nloads/tcpview

   Paul
#32
How do you block an IP address on Windows?
"Bram van den Heuvel" wrote
| All good questions. Here is a Wireshark screenshot from when I first
| noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
| via my router 192.168.1.1 as shown in this screenshot
| http://img4.imagetitan.com/img.php?i...nshot(603).jpg

I was thinking the same thing as Paul. TCPView will show what program is going out. You may have programs or services running that you've allowed to call home, or that you haven't specifically set not to call home. You really should look into getting a firewall that allows you to control outbound traffic.
#33
How do you block an IP address on Windows?
On Tue, 22 Aug 2017 20:10:39 +0000 (UTC), Bram van den Heuvel wrote:
> All good questions. Here is a Wireshark screenshot from when I first noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99 via my router 192.168.1.1 as shown in this screenshot

I didn't stare long at your packet captures, but from what I saw, I couldn't tell which end initiated the connection. Since it's a TCP connection, it'll start with a SYN, then a SYN,ACK in return, and a final ACK. Once the three-way-handshake is successful and complete, the actual data transfer can start. The first SYN comes from the side that wants to initiate the connection.

You can use the filter capability above Wireshark's display area to enter filter terms, or just right click on something interesting and tell it to "Apply as Filter". That really cleans up the display.

> http://img4.imagetitan.com/img.php?i...nshot(603).jpg

My ancient newsreader initially wanted to render that link as http://img4.imagetitan.com/img.php?image=16_screenshot and I was going to ask "What language is that??"
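Char's handshake point, worked as an added example that is not from the thread: a PowerShell function that scans a Wireshark-style packet list for the bare SYN of each connection and names the end that sent it. The packet lines are constructed from the thread's addresses (packets 5 and 6 are an invented inbound connection so that both directions appear).

```powershell
# Added example, not from the thread: decide who initiated each TCP
# connection in a Wireshark packet list by finding the bare SYN (SYN set,
# ACK clear), the first leg of the three-way handshake.
# The Wireshark display filter that shows just those packets is:
#   tcp.flags.syn == 1 && tcp.flags.ack == 0

# Constructed sample, in the shape of Wireshark's packet list
# (No. Time Source Destination Protocol Info), using the thread's addresses.
# Packets 5-6 are a made-up inbound connection so both cases appear.
$capture = @'
1 0.000000 192.168.1.99 104.28.17.56 TCP 60589 > 80 [SYN] Seq=0 Win=64240 Len=0
2 0.021000 104.28.17.56 192.168.1.99 TCP 80 > 60589 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0
3 0.021100 192.168.1.99 104.28.17.56 TCP 60589 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
4 1.500000 104.28.17.56 192.168.1.99 TCP 80 > 60589 [FIN, ACK] Seq=1 Ack=1 Win=30 Len=0
5 2.000000 64.4.54.50 192.168.1.99 TCP 443 > 51000 [SYN] Seq=0 Win=8192 Len=0
6 2.010000 192.168.1.99 64.4.54.50 TCP 51000 > 443 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
'@

function Get-TcpInitiator {
    param([Parameter(Mandatory)][string]$PacketList)
    # Accepts the port separator as ">", "->", "-" (as in the thread) or the arrow glyph.
    $pattern = '^\s*\d+\s+\S+\s+(?<src>\S+)\s+(?<dst>\S+)\s+TCP\s+' +
               '(?<sport>\d+)\s*(?:>|->|-|→)\s*(?<dport>\d+)\s+\[(?<flags>[^\]]+)\]'
    $initiators = @{}
    foreach ($line in ($PacketList -split "`r?`n")) {
        if ($line -match $pattern) {
            $flags = $Matches['flags'] -split ',\s*'
            # Only the initiator ever sends SYN without ACK; SYN,ACK is the reply.
            if ($flags -contains 'SYN' -and $flags -notcontains 'ACK') {
                $key = '{0}:{1} <-> {2}:{3}' -f $Matches['src'], $Matches['sport'],
                                                $Matches['dst'], $Matches['dport']
                $initiators[$key] = $Matches['src']
            }
        }
    }
    return $initiators
}

$found = Get-TcpInitiator -PacketList $capture
foreach ($entry in ($found.GetEnumerator() | Sort-Object Name)) {
    $who = if ($entry.Value -eq '192.168.1.99') { 'this PC (outgoing)' } else { 'remote side (incoming)' }
    '{0,-42} initiated by {1,-14} {2}' -f $entry.Name, $entry.Value, $who
}
```

On a real trace, export the packet list with File > Export Packet Dissections > As Plain Text and feed that file's lines to the function.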
#34
How do you block an IP address on Windows?
Given news wrote:
> My advice, your next Windows tool would be TCPView.
> https://docs.microsoft.com/en-us/sys...nloads/tcpview

Thanks for that sniffer suggestion. I am running tcpview now. There sure are a lot of svchost.exe and mqsvc.exe processes!
http://img4.imagetitan.com/img.php?image=16_tcpview.jpg

I see there is a column for "remote address" and one for "process" (on the left) so I will see what that tells me over time. Thanks for the debugging hints.
#35
How do you block an IP address on Windows?
On 2017-08-22 21:43, Mayayana wrote:
> "Bram van den Heuvel" wrote
> | All good questions. Here is a Wireshark screenshot from when I first
> | noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99
> | via my router 192.168.1.1 as shown in this screenshot
> | http://img4.imagetitan.com/img.php?i...nshot(603).jpg
>
> I was thinking the same thing as Paul. TCPView will show what program is going out. You may have programs or services running that you've allowed to call home, or that you haven't specifically set not to call home. You really should look into getting a firewall that allows you to control outbound traffic.

I use the built-in Windows firewall for that, all you need is an extra tool called Windows Firewall Notifier, so that you get some notice when something gets blocked.

If I recall, Mayayana, you use Private Firewall? Is that not just a front end to the Windows built-in Filtering API? i.e. Same as built-in firewall? Windows Firewall is a bit lame when it comes to process names (if the process is a 8N3 name, it cannot identify it, which is the case with Office 2016) and also pretty lame with services hosted in svchost, but I'm not sure if Private Firewall can do better - Plus I'd have to migrate all my rules, a real pain...

Best Regards,

--
Sylvain
Member: David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
Pentium of Borg: Division futile; You will be approximated.
#36
How do you block an IP address on Windows?
Bram van den Heuvel wrote:
> Given news wrote:
>> My advice, your next Windows tool would be TCPView.
>> https://docs.microsoft.com/en-us/sys...nloads/tcpview
>
> Thanks for that sniffer suggestion. I am running tcpview now. There sure are a lot of svchost.exe and mqsvc.exe processes!
> http://img4.imagetitan.com/img.php?image=16_tcpview.jpg
>
> I see there is a column for "remote address" and one for "process" (on the left) so I will see what that tells me over time. Thanks for the debugging hints.

You can use sysinternals.com "Process Explorer" on SVCHOSTs. The current version doesn't seem to give details in the same way as some older versions.

Basically, you right-click "procexp.exe" and select Run as Administrator. With Admin, it is able to peer inside SVCHosts and get service names and even execution cycles. Maybe I'm confused, but when I tried the most recent version, I wasn't seeing the usual info I'm used to getting.

*******

In Command Prompt, on WinXP Pro, you could do

   tasklist /svc

and that gives the service names inside a SVCHOST. But that may not be enough info. And Process Explorer, if it works for you, can give a bit more info.

   Paul
#37
How do you block an IP address on Windows?
Char Jackson wrote:
> On Tue, 22 Aug 2017 20:10:39 +0000 (UTC), Bram van den Heuvel wrote:
>> All good questions. Here is a Wireshark screenshot from when I first noticed the *outgoing* IP address 104.28.17.56 from my desktop 192.168.1.99 via my router 192.168.1.1 as shown in this screenshot
>
> I didn't stare long at your packet captures, but from what I saw, I couldn't tell which end initiated the connection. Since it's a TCP connection, it'll start with a SYN, then a SYN,ACK in return, and a final ACK. Once the three-way-handshake is successful and complete, the actual data transfer can start. The first SYN comes from the side that wants to initiate the connection.
>
> You can use the filter capability above Wireshark's display area to enter filter terms, or just right click on something interesting and tell it to "Apply as Filter". That really cleans up the display.
>
>> http://img4.imagetitan.com/img.php?i...nshot(603).jpg
>
> My ancient newsreader initially wanted to render that link as http://img4.imagetitan.com/img.php?image=16_screenshot and I was going to ask "What language is that??"

In Wireshark, under the "View : Name Resolution" menu, is an option to turn on DNS translation for as many as three different levels in the trace. That makes the trace easier to read. That's one of the first things I have to turn on, after installing it. I've had copies of Wireshark before, which refused to save those settings, so they had to be turned on each time Wireshark was used.

   Paul
#38
How do you block an IP address on Windows?
Paul wrote:
> In Command Prompt, on WinXP Pro, you could do tasklist /svc and that gives the service names inside a SVCHOST.

You can also right-click the svchost in the details tab of task manager, then use "go to service(s)"
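Putting TCPView's process column and "tasklist /svc" together, as an added example that is not from the thread: a PowerShell function that lists every established TCP connection with its owning process and, for svchost.exe, the services hosted in that PID, which is the detail Wireshark alone could not give. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt so that every process's details are readable.

```powershell
# Added example, not from the thread: the PowerShell equivalent of reading
# TCPView's Process and Remote Address columns next to "tasklist /svc".
# For every established TCP connection it names the owning process and, when
# that process is svchost.exe, the services hosted in that PID.
# Assumes Windows 8 / Server 2012 or later; run elevated to see every process.

function Get-ConnectionOwner {
    # Service names keyed by PID. The key is a string so that it matches
    # regardless of the integer type each cmdlet happens to return.
    $servicesByPid = @{}
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0)) {
        $key = [string]$svc.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $svc.Name
    }

    # Loopback and unspecified addresses are local chatter, not traffic leaving the box.
    $localOnly = '^(127\.|::1$|0\.0\.0\.0$)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $localOnly } |
        ForEach-Object {
            $procId = [string]$_.OwningProcess
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '?' }
            # Non-svchost processes simply have no hosted services to report.
            $hosted = if ($servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] -join ', ' } else { '' }
            [pscustomobject]@{
                Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                PID      = $procId
                Process  = $procName
                Services = $hosted
            }
        }
}

Get-ConnectionOwner | Sort-Object Process, Remote | Format-Table -AutoSize
```

A connection owned by svchost.exe then shows up with the service names in the Services column instead of the bare "svchost.exe" that TCPView reports.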
#39
How do you block an IP address on Windows?
Char Jackson wrote:
> My ancient newsreader initially wanted to render that link as http://img4.imagetitan.com/img.php?image=16_screenshot and I was going to ask "What language is that??"

It's all Greek to me ;-)
#40
How do you block an IP address on Windows?
"B00ze" wrote
| If I recall, Mayayana, you use Private Firewall?

I use Online Armor on XP and Private Firewall on 7. (You have a good memory! If you hadn't mentioned the name I would have had to have checked.) I've been waiting to see what else people recommend for Win10. So far Comodo looks like a possibility. OA got sold and changed after the XP version, and I've never been more than generally satisfied with PF. The UI and controls are not as easy to use. The trouble, as you probably know, is that the products keep changing, being sold, changing their license arrangement, etc. There was a time on 9x when Zone Alarm was all that anyone used. Then they got a bad reputation over something or other. I think they're still around. Are they any good now? Goodness knows! And the Matousec site that reviews these things seems to have been all but abandoned.

| Is that not just a front end to the Windows built-in Filtering API?

Not that I know of. There've been firewalls far longer than there's been the Windows firewall. But I don't know for sure. I've only looked at the Windows version a bit and found the customizing controls seemed to be almost impossible to use. But I have to say that I didn't try very hard. I don't particularly want to use the fox to guard the henhouse. I block all svchost from going out, for instance. I doubt Windows would allow that, especially in Win10. Or more likely it would tell me svchost was blocked and then call home anyway.
#41
How do you block an IP address on Windows?
On 2017-08-23 09:04, Mayayana wrote:
> "B00ze" wrote
> | If I recall, Mayayana, you use Private Firewall?
>
> I use Online Armor on XP and Private Firewall on 7. (You have a good memory! If you hadn't mentioned the name I would have had to have checked.)

I remembered only because I had had my eye on PV already, and when you told us one day that that's the one you were using I figured it amplified my interest in it.

The Windows Firewall has annoying shortcomings, the most annoying being that it does not open a pop-up window when it blocks an outgoing connection.

> I've been waiting to see what else people recommend for Win10. So far Comodo looks like a possibility.

I tried Commodo once, but it was the entire security suite, and it was just too much: You have rules, based on templates, based on something else; like 3 levels deep. It also does HIPS, so it wants to control what processes are allowed to do. Configuring the whole thing is a full time job...

> OA got sold and changed after the XP version, and I've never been more than generally satisfied with PF. The UI and controls are not as easy to use. The trouble, as you probably know, is that the products keep changing, being sold, changing their license arrangement, etc.

The product has not been updated since 2014. Waiting to see if someone will pick-up...

> There was a time on 9x when Zone Alarm was all that anyone used. Then they got a bad reputation over something or other. I think they're still around. Are they any good now? Goodness knows! And the Matousec site that reviews these things seems to have been all but abandoned.

Hehehe, I had ZoneAlarm on my 9x box. But they insisted on "simplifying" the program and it was less and less configurable. Haven't tried it in years.

> | Is that not just a front end to the Windows built-in Filtering API?
>
> Not that I know of. There've been firewalls far longer than there's been the Windows firewall. But I don't know for sure. I've only looked at the Windows version a bit and found the customizing controls seemed to be almost impossible to use. But I have to say that I didn't try very hard. I don't particularly want to use the fox to guard the henhouse.

Agreed, Firewalls were around before the Microsoft Filtering API. But I'm used to the Windows Firewall by now, so I've kinda given-up on looking at alternatives. However, I still remember that one of the ones I should look at, if someone ever buys them and continues development, is PF.

> I block all svchost from going out, for instance. I doubt Windows would allow that, especially in Win10. Or more likely it would tell me svchost was blocked and then call home anyway.

There are some services that should be allowed, like the one that downloads CRLs. If you block all SVCHOSTS you will not have the latest revocation lists. Since the Windows Firewall is very poor when it comes to SVCHOSTS, I have a rule that allows svchosts only to specific IP ranges (all Akamai.net). Bit of a pain to keep updated, but it's safer than to allow svchost access to everything.

Best Regards,

--
Sylvain
Member: David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
Bits of ice striking hull - "Captain, we're being hailed."
#42
How do you block an IP address on Windows?
"B00ze" wrote
| I block all svchost from going
| out, for instance. I doubt Windows would allow that,
| especially in Win10. Or more likely it would tell me svchost
| was blocked and then call home anyway.
|
| There are some services that should be allowed, like the one that
| downloads CRLs. If you block all SVCHOSTS you will not have the latest
| revocation lists. Since the Windows Firewall is very poor when it comes
| to SVCHOSTS, I have a rule that allows svchosts only to specific IP
| ranges (all Akamai.net). Bit of a pain to keep updated, but it's safer
| than to allow svchost access to everything.
|

I didn't know you could do that. I can control processes and ports, but not IPs-per-process. Though I can't say that I care very much about certificates. If I shopped online, and if half of them weren't expired anyway, then I might be interested. There's nothing I want that needs to allow svchost. I don't enable Windows update or any extras like Windows Time. I would need DHCP but I use fixed local IPs in order to avoid that. But I wouldn't be surprised if it's impossible to block svchost entirely on Win10.
#43
How do you block an IP address on Windows?
On 22/08/2017 20:04, Paul wrote:
> Bram van den Heuvel wrote:
>> Also Char Jackson was wondering if any of these connections were *incoming* but they're not. All of them are outgoing connections first. Which means they're *starting* from my machine!
>
> Why is your machine communicating with 1e100.net ? I thought that was for crawling web sites. Do you run a web site ? I don't think I've ever casually seen one of my machines communicating with an address like that. I don't run Wireshark all that often, so it's not like I collect daily logs of every packet sent/received.
>
>    Paul

The 1e100.net domain (and all its sub-domains, obviously) belongs to Google.
See: https://support.google.com/faqs/answer/174717?hl=en

--
Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.
#44
How do you block an IP address on Windows?
On 21/08/2017 06:30, Bram van den Heuvel wrote:
> I'm just learning Wireshark where all I'm doing at the moment is going line by line to see what IP addresses are accessed by my computer when I am doing nothing and the computer is just on.
>
> In Wireshark I see connections to IP addresses which I look up and find out who they are but I have no idea why my computer is connecting to them. I tried putting them in the HOSTS file but HOSTS doesn't work this way.
>
> # 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare
> # 127.0.0.1 172.217.5.206 # Wireshark - Google Search Engine Spider
> # 127.0.0.1 152.195.54.20 # Wireshark - ANS Communication Verizon Busines
> # 127.0.0.1 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use (probably ok)

You are correct, that can't and won't work. The hosts file can only be used to set the IP that will be returned when a DNS lookup is done on a domain name using Windows.

--
Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.
#45
How do you block an IP address on Windows?
[snop]
> You are correct, that can't and won't work. The hosts file can only be used to set the IP that will be returned when a DNS lookup is done on a domain name using Windows.

That's what I thought. HOSTS works only for domain names, not IPs. Some routers can block IPs.

--
Mark Lloyd
http://notstupid.us/

"The memory of my own suffering has prevented me from ever shadowing one young soul with the superstitions of the Christian religion." -- Elizabeth Cady Stanton
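Since HOSTS cannot do it, here is the built-in Windows Firewall way to block by address, as an added example that is not from the thread: one rule that blocks a single outbound IP (the thread's title question), plus the svchost-to-chosen-ranges allow rule B00ze describes and the profile setting that turns an allow rule into "only". It assumes an elevated PowerShell on Windows 8 / Server 2012 or later; the allowed ranges are placeholders, not real Akamai prefixes.

```powershell
# Added example, not from the thread: blocking by IP address with the
# built-in Windows Firewall, which is the job the HOSTS file cannot do (a
# HOSTS line such as "127.0.0.1 some.name" only changes what that one name
# resolves to). Assumes an elevated PowerShell on Windows 8 / Server 2012 or
# later. 104.28.17.56 is the address from the thread; the ranges passed to
# the svchost rule below are placeholders, not real Akamai prefixes.

# 1. Drop everything this PC sends to one address. Works under the default
#    outbound-allow posture because a block rule always beats an allow rule.
function Block-OutboundAddress {
    param([Parameter(Mandatory)][string]$Address, [string]$Note = '')
    $name = "Block outbound to $Address $Note".Trim()
    New-NetFirewallRule -DisplayName $name -Direction Outbound `
        -RemoteAddress $Address -Action Block -Profile Any | Out-Null
    # Read the rule back through its address filter to confirm what was stored.
    (Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter).RemoteAddress
}

# 2. B00ze's approach: svchost.exe may talk only to chosen ranges. An allow
#    rule on its own restricts nothing, it merely permits; it becomes "only"
#    once the profile's default outbound action is Block, and from then on
#    every program without an allow rule is cut off. Add allow rules for the
#    programs you rely on first, then drop -WhatIf from the last line.
function Allow-SvchostOutboundTo {
    param([Parameter(Mandatory)][string[]]$Ranges)
    New-NetFirewallRule -DisplayName 'svchost.exe: allowed ranges only' `
        -Direction Outbound -Program "$env:SystemRoot\System32\svchost.exe" `
        -RemoteAddress $Ranges -Action Allow -Profile Any | Out-Null
}

Block-OutboundAddress -Address '104.28.17.56' -Note '(Cloudflare, seen in Wireshark)'
Allow-SvchostOutboundTo -Ranges @('192.0.2.0/24', '198.51.100.0/24')   # placeholder ranges
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block -WhatIf
```

Pair the default-outbound-Block setting with the Windows Firewall Notifier tool B00ze mentions, or with firewall logging, so that a newly cut-off program is noticed rather than silently failing.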