5509 Views 9 Replies Latest reply: Dec 26, 2010 3:00 PM by Ian R. Brown
It looks like a standard DNS query on port 53 - the colon 53 part - either being made/returned from/to a computer with an IP address of 192.168.1.64 (presumably yours?) to what I'm going to assume is your gateway/router 192.168.1.254? The port initiating or receiving the request is one of many ephemeral ports Apple (and others) uses to establish and/or maintain transient requests - 56497.
This is my reading of it - perhaps others can offer more insight? I personally think it's nothing to worry about. If you want to know which application and/or process started the ball rolling you could use a number of command line utilities:
sudo lsof -i | grep LISTEN
The above should show all ports that are listening. This one:
sudo lsof -i -P | grep portnumber
Should target all active connections based on the port number
If the command line is not to your taste, installing and monitoring something like 'Little Snitch' should show you something? Probably mDNSResponder (Bonjour etc) as it uses a number of ports in the 50000+ range.
Apple have a support article listing what ports they often use:
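The two lsof commands above answer "which process owns this port?" by eyeballing lsof's text output. The script below is an added example, not code from this thread: it parses the output of `lsof -i -P -n` (the `-n` is my addition so addresses stay numeric) into records, so that the owner of a local port such as 56497 and the set of listening sockets can be picked out without grep. Because the real command needs sudo on a live Mac, the block falls back to a constructed sample of lsof output whose process names, PIDs and device numbers are made up for illustration.

```python
"""Find which process owns a local port by parsing `lsof -i -P -n` output.

Added example, not code from the thread. It reads lsof's text output (here a
constructed sample, since the real command needs sudo and a live Mac) and
answers "which process opened 192.168.1.64:56497?".
"""
import re
import subprocess
from collections import namedtuple

# Constructed sample of what `sudo lsof -i -P -n` prints on a Mac; not real output.
SAMPLE_LSOF = """\
COMMAND         PID           USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd           1           root    8u  IPv6 0x1a2b3c4d5e6f0001      0t0  TCP *:22 (LISTEN)
mDNSResponder    57 _mdnsresponder    6u  IPv4 0x1a2b3c4d5e6f0002      0t0  UDP *:5353
mDNSResponder    57 _mdnsresponder   49u  IPv4 0x1a2b3c4d5e6f0003      0t0  UDP 192.168.1.64:56497->192.168.1.254:53
Safari          312            ian   25u  IPv4 0x1a2b3c4d5e6f0004      0t0  TCP 192.168.1.64:49591->188.8.131.52:80 (ESTABLISHED)
"""

Socket = namedtuple("Socket", "command pid user proto local remote state")

# NAME column: "local" or "local->remote", optionally followed by "(STATE)".
_NAME_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?(?:\s+\((?P<state>\w+)\))?$")


def parse_lsof(text):
    """Parse lsof -i output into Socket records; skips the header and odd lines."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 8)   # NAME is the 9th column and may contain a space
        if len(fields) < 9:
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = fields
        m = _NAME_RE.match(name)
        if not m:
            continue
        sockets.append(Socket(command, int(pid), user, node,
                              m.group("local"), m.group("remote"), m.group("state")))
    return sockets


def owners_of_port(text, port):
    """Processes whose local socket uses `port` (what `grep portnumber` approximates)."""
    suffix = ":%d" % port
    return sorted({(s.command, s.pid) for s in parse_lsof(text) if s.local.endswith(suffix)})


def listeners(text):
    """TCP sockets in LISTEN state plus UDP sockets bound without a remote peer."""
    return [s for s in parse_lsof(text)
            if s.state == "LISTEN" or (s.proto == "UDP" and s.remote is None)]


def live_lsof():
    """Run the real command (needs sudo on macOS); returns its output, or None if unavailable."""
    try:
        return subprocess.run(["lsof", "-i", "-P", "-n"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = live_lsof() or SAMPLE_LSOF
    print("port 56497 ->", owners_of_port(text, 56497))
    for s in listeners(text):
        print("%-14s pid %-5d %s %s" % (s.command, s.pid, s.proto, s.local))
```

Matching on the local side of the NAME column is the point: a plain `grep 53` would also hit the mDNSResponder line above, where 53 is the remote (router) port, which is exactly the confusion the original log line invites.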
It appears that you have a DSL or U-verse device from AT&T. The 192.168.1.254 is characteristic of AT&T's modems; for reasons which no doubt make sense in Atlanta, they use the last available IP in the Class C range instead of the first available IP the way other people do. I've seen this with modems from Westell, Motorola, and 2Wire, all on AT&T's service, so either it's a DSL modem thing (and my old Thompson modem from when I was using a DSL service from someone other than AT&T did not use that address) or it's an AT&T thing. The :53 part of the IP indicates that this is a request from port 53; the UDP part says that it's a UDP port. UDP (and TCP) port 53 is DNS. <http://www.auditmypc.com/port/udp-port-53.asp>. It seems that there's a DNS update coming from your modem. Did you get that message when you tried to go to a new website? If so, that's probably legit. However, you might want to read this <http://pages.uoregon.edu/joe/port53wars/port53wars.pdf>. There are a lot of problems associated with DNS. For more, you could look up 'DNS server cache poisoning'.
Easily done. Two methods:
GUI way: System Preferences/Network/Ethernet (if wired, substitute AirPort if wireless) Click on 'Advanced'. If wired, you should see your TCP setup immediately, displaying your IPv4 address and your router's IPv4 address. If wireless, you need to click on the TCP/IP tab, and then you'll see your TCP setup.
CLI way: launch Terminal, type 'ifconfig -a' and you should see a list of all the MAC and IPv4 and IPv6 addresses for all your network cards, together with the router IPs.
Thanks Charles. Those 2 are the computer and router.
Tony, out of several hundred using the above addresses I have noticed, after a quick skim through, these addresses from yesterday:-
25/12/2010 13:33:14 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:49591 from 188.8.131.52:80
25/12/2010 13:33:14 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:49590 from 184.108.40.206:80
25/12/2010 13:33:14 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:49592 from 220.127.116.11:80
Any idea what they might be?
Well, the :80 indicates that they're port 80, HTTP. 18.104.22.168 is a Google IP and so is 22.214.171.124. 126.96.36.199 belongs to someone called Omniture. You can find out some info about some IPs by going to http://networktools.nl/whois/ and inputting the IP.
Commonly used ports:
25 is SMTP, outgoing mail
53 is DNS
80 is HTTP, the web
110 is POP3, outgoing mail
143 is IMAP, also outgoing mail
443 is HTTPS, secure web
<http://en.wikipedia.org/wiki/Listof_TCP_and_UDP_portnumbers> is a list of TCP ports.
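Ian's three log lines and Charles's port table are the raw material for a small triage script. The block below is an added example, not code from this thread: it parses lines in the exact "Firewall Stealth Mode connection attempt" format quoted above, labels the remote port using the thread's port list (I have added 22/SSH to it), and separates the two cases that look alike in the log: a packet arriving from a remote server port (80, 53) at one of the Mac's ephemeral ports, which is normally a late reply to a session the Mac already closed, versus a packet aimed at a low or well-known local port, which is a genuine inbound probe. The sample log is constructed; the first three lines copy Ian's, and the two extra lines (a DNS reply from the router and a probe to port 22 from a documentation-range address) are mine.

```python
"""Summarise macOS 'Firewall Stealth Mode connection attempt' log lines.

Added example, not code from the thread. Parses the log format Ian quoted,
labels remote ports with the table Charles listed (plus 22/SSH, my addition),
and tells late replies to our own sessions apart from real inbound probes.
"""
import re
from collections import Counter

# Constructed sample: first three lines are from the thread, last two are made up.
SAMPLE_LOG = """\
25/12/2010 13:33:14 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:49591 from 188.8.131.52:80
25/12/2010 13:33:14 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:49590 from 184.108.40.206:80
25/12/2010 13:33:14 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:49592 from 220.127.116.11:80
25/12/2010 13:40:02 Firewall Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53
25/12/2010 14:01:55 Firewall Stealth Mode connection attempt to TCP 192.168.1.64:22 from 203.0.113.9:51234
"""

# The thread's port table, with 22 (SSH) added for the probe case below.
WELL_KNOWN = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP",
              110: "POP3", 143: "IMAP", 443: "HTTPS"}

EPHEMERAL_START = 49152   # default macOS ephemeral port range starts here

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Firewall Stealth Mode connection attempt to "
    r"(?P<proto>TCP|UDP) (?P<lip>[\d.]+):(?P<lport>\d+) from (?P<rip>[\d.]+):(?P<rport>\d+)$")


def parse_line(line):
    """One log line -> dict of fields, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["lport"] = int(rec["lport"])
    rec["rport"] = int(rec["rport"])
    return rec


def service(port):
    return WELL_KNOWN.get(port, "unassigned/ephemeral")


def classify(rec):
    """Coarse triage of a single stealth-mode entry."""
    if rec["rport"] in WELL_KNOWN and rec["lport"] >= EPHEMERAL_START:
        # Remote side is a server port, our side is ephemeral: almost always a
        # straggling packet from a connection this Mac itself opened and closed.
        return "late reply from %s server" % service(rec["rport"])
    if rec["lport"] in WELL_KNOWN or rec["lport"] < 1024:
        # Someone is knocking on a service port of ours; stealth mode dropped it.
        return "inbound probe of local %s port" % service(rec["lport"])
    return "unclassified"


def summarize(text):
    """Return sorted rows of (remote ip, remote port, service, verdict, count)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["rip"], rec["rport"], service(rec["rport"]), classify(rec))] += 1
    return [(rip, rport, svc, verdict, n)
            for (rip, rport, svc, verdict), n in sorted(counts.items())]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-16s port %-5d %-20s %-34s x%d" % row)
```

Run against a real `/var/log/appfirewall.log` (or its successor on newer systems) the summary collapses hundreds of entries into a handful of (remote, port, verdict) rows, which is a far quicker way to spot the one genuine probe among the web and DNS stragglers than skimming the raw lines.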
Thanks Charles, that is very interesting info.
Possibly more interesting are these two sentences from the Wikipedia article on Omniture:-
"Omniture collects data from Apple and Adobe, who use Omniture to collect usage statistics across their products. It is possible to opt-out of the Omniture data-collection system, and to block the tracking".