
"Stealth Mode Connection Attempt" . . . . Should I be worried?

I have just been looking in Console - Messages and noticed numerous entries like this:-

25/12/2010 13:10:02 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53

Should I be concerned as it sounds quite sinister?

If there is a risk what can I do?

24" 2.8 GHz (Penryn) 4GB RAM iMac, Mac OS X (10.6.4), FCE 4 + FCS 3 . . . Little Knowledge, Many Opinions.

Posted on Dec 26, 2010 2:53 AM


Dec 26, 2010 3:56 AM in response to Ian R. Brown

Hello Ian

It looks like a standard DNS query on port 53 - the colon 53 part - either being made/returned from/to a computer with an IP address of 192.168.1.64 (presumably yours?) to what I'm going to assume is your gateway/router 192.168.1.254? The port initiating or receiving the request is one of many ephemeral ports Apple (and others) uses to establish and/or maintain transient requests - 56497.

This is my reading of it - perhaps others can offer more insight? I personally think it's nothing to worry about. If you want to know which application and/or process started the ball rolling you could use a number of command line utilities:

sudo lsof -i | grep LISTEN

The above should show all ports that are listening. This one:

sudo lsof -i -P | grep portnumber

should target all active connections based on the port number.

If the command line is not to your taste installing and monitoring something like 'Little Snitch' should show you something? Probably mDNSResponder (Bonjour etc) as it uses a number of ports in the 50000+ range.

Apple have a support article listing what ports they often use:

http://support.apple.com/kb/ts1629

HTH?

Tony

Dec 26, 2010 4:03 AM in response to Ian R. Brown

It appears that you have a DSL or U-verse device from AT&T. The 192.168.1.254 is characteristic of AT&T's modems; for reasons which no doubt make sense in Atlanta, they use the last available IP in the Class C range instead of the first available IP the way other people do. I've seen this with modems from Westell, Motorola, and 2Wire, all on AT&T's service, so either it's a DSL modem thing (and my old Thompson modem from when I was using a DSL service from someone other than AT&T did not use that address) or it's an AT&T thing. The :53 part of the IP indicates that this is a request from port 53; the UDP part says that it's a UDP port. UDP (and TCP) port 53 is DNS. <http://www.auditmypc.com/port/udp-port-53.asp>. It seems that there's a DNS update coming from your modem. Did you get that message when you tried to go to a new website? If so, that's probably legit. However, you might want to read this <http://pages.uoregon.edu/joe/port53wars/port53wars.pdf>. There are a lot of problems associated with DNS. For more, you could look up 'DNS server cache poisoning'.

Dec 26, 2010 4:20 AM in response to Ian R. Brown

Easily done. Two methods:

GUI way: System Preferences/Network/Ethernet (if wired, substitute AirPort if wireless) Click on 'Advanced'. If wired, you should see your TCP setup immediately, displaying your IPv4 address and your router's IPv4 address. If wireless, you need to click on the TCP/IP tab, and then you'll see your TCP setup.

CLI way: launch Terminal, type 'ifconfig -a' and you should see a list of all the MAC and IPv4 and IPv6 addresses for all your network cards, together with the router IPs.

Dec 26, 2010 7:06 AM in response to Charles Dyer

Thanks Charles. Those 2 are the computer and router.

Tony, out of several hundred using the above addresses I have noticed, after a quick skim through, these addresses from yesterday:-

25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49591 from 173.194.37.104:80
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49590 from 209.85.227.100:80
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49592 from 66.235.142.20:80

Any idea what they might be?

Dec 26, 2010 7:28 AM in response to Ian R. Brown

Well, the :80 indicates that they're port 80, HTTP. 173.194.37.104 is a Google IP and so is 209.85.227.100. 66.235.142.20 belongs to someone called Omniture. You can find out some info about some IPs by going to http://networktools.nl/whois/ and inputting the IP.

Commonly used ports:

25 is SMTP, outgoing mail
53 is DNS
80 is HTTP, the web
110 is POP3, outgoing mail
143 is IMAP, also outgoing mail
443 is HTTPS, secure web

<http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers> is a list of TCP ports.
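An added example, not code from anyone in this thread: a small Python triage script that parses these Firewall[77] log lines and applies the reasoning Tony and Charles give above. Stealth mode logs any packet that arrives for a port with no listening socket and no open connection; a DNS answer or an HTTP segment that reaches the Mac after the client socket has already been closed (a retransmission, or a second answer to a retried query) therefore shows up as a "connection attempt" even though the Mac started the exchange. The script separates such late replies to high-numbered client ports from genuinely unsolicited probes of low-numbered service ports. The gateway address 192.168.1.254 and the first four log lines are taken from the thread; the last log line (a probe of port 22 from 203.0.113.7) is constructed here to show the contrasting case and is not from the original posts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the four lines quoted in this thread plus one
# hypothetical inbound probe (203.0.113.7 is a documentation address) added
# here so the "worth investigating" branch is exercised.
SAMPLE_LOG = """\
25/12/2010 13:10:02 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49591 from 173.194.37.104:80
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49590 from 209.85.227.100:80
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49592 from 66.235.142.20:80
25/12/2010 14:02:51 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:22 from 203.0.113.7:44321
"""

# One regex for the whole line: "to <our ip>:<our port> from <peer ip>:<peer port>"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Firewall\[\d+\] Stealth Mode connection attempt "
    r"to (?P<proto>TCP|UDP) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)$"
)

# The well-known service ports Charles lists above.
WELL_KNOWN = {25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS"}
# IANA dynamic/ephemeral range; Mac OS X allocates client-side ports from here.
EPHEMERAL_MIN = 49152


@dataclass
class Attempt:
    proto: str
    dst_ip: str
    dst_port: int   # the port on the Mac the packet was addressed to
    src_ip: str
    src_port: int   # the port the remote peer sent from


def parse_line(line: str) -> Optional[Attempt]:
    """Return an Attempt for a stealth-mode log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(m["proto"], m["dst_ip"], int(m["dst_port"]),
                   m["src_ip"], int(m["src_port"]))


def classify(a: Attempt, gateway: str) -> str:
    """Apply the thread's reasoning: where the packet landed tells you who started it."""
    service = WELL_KNOWN.get(a.src_port)
    if a.dst_port >= EPHEMERAL_MIN and service:
        # A server port talking to one of our ephemeral ports: the Mac opened this
        # exchange, and the reply arrived after the local socket was closed.
        origin = "the gateway" if a.src_ip == gateway else a.src_ip
        return f"late {service} reply from {origin} to an ephemeral port (benign)"
    if a.dst_port < 1024:
        # Nobody here asked for this: something is knocking on a service port.
        return f"unsolicited inbound probe of {a.proto} port {a.dst_port} (investigate)"
    return "unclassified"


def triage(log: str, gateway: str) -> List[Tuple[str, str]]:
    """Return (original line, verdict) pairs for every parseable line in the log."""
    results = []
    for line in log.splitlines():
        attempt = parse_line(line)
        if attempt is not None:
            results.append((line, classify(attempt, gateway)))
    return results


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG, gateway="192.168.1.254"):
        print(f"{verdict:<62} <- {line.split(' attempt to ')[1]}")
```

Run against a real log, the same rule of thumb applies: an entry whose destination port is in the ephemeral range and whose source port is a service you use is almost always a late reply, while an entry aimed at a low-numbered port on the Mac from an address you do not recognise is the one to chase with the lsof commands Tony gave earlier. The port list and the ephemeral boundary are deliberately small; extend the dictionary with whatever services your own Mac talks to.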

Dec 26, 2010 3:00 PM in response to Charles Dyer

Thanks Charles, that is very interesting info.

Possibly more interesting are these two sentences from the Wikipedia article on Omniture:-

"Omniture collects data from Apple and Adobe, who use Omniture to collect usage statistics across their products. It is possible to opt-out of the Omniture data-collection system, and to block the tracking".

