6346 is the server port for gnutella. Those look like gnutella client requests. The "S" you were asking about is the SYN TCP Header flag, which indicates it is the intial client request for a tcp connection.
Scott Bowlus ----- Original Message ----- From: "Thomas Madhavan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Saturday, April 13, 2002 6:22 PM Subject: Zonealarm log - what is this? > Hi guys, I was wondering if you could sate my curiousity. > > My Linux box is a bit dead at the moment (argh I'm a newbie) so I'm using > Win98. In my log files I came across this group of entries. > > ZoneAlarm Logging Client v2.6.362 > Windows 98-4.10.2222- A -SP > type,date,time,source,destination,transport > FWIN,2002/03/27,22:00:36 +0:00 GMT,65.80.28.184:1734,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:01:10 +0:00 GMT,65.80.28.184:1921,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:01:40 +0:00 GMT,65.80.28.184:2130,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:02:12 +0:00 GMT,65.80.28.184:2337,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:03:25 +0:00 GMT,65.80.28.184:2820,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:04:46 +0:00 GMT,65.80.28.184:3329,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:06:07 +0:00 GMT,65.80.28.184:3769,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:07:23 +0:00 GMT,65.80.28.184:4243,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:08:42 +0:00 GMT,65.80.28.184:4769,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:10:00 +0:00 GMT,65.80.28.184:1333,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:11:18 +0:00 GMT,65.80.28.184:1803,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:12:33 +0:00 GMT,65.80.28.184:2216,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:13:47 +0:00 GMT,65.80.28.184:2685,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:15:02 +0:00 GMT,65.80.28.184:3168,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:16:23 +0:00 GMT,65.80.28.184:3639,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:17:43 +0:00 GMT,65.80.28.184:4119,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:19:00 +0:00 GMT,65.80.28.184:4557,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:20:15 +0:00 GMT,65.80.28.184:1079,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:21:30 +0:00 GMT,65.80.28.184:1546,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:22:48 +0:00 GMT,65.80.28.184:1994,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:24:07 +0:00 GMT,65.80.28.184:2506,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:25:22 +0:00 GMT,65.80.28.184:2988,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:26:45 +0:00 GMT,65.80.28.184:3487,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:28:10 +0:00 GMT,65.80.28.184:3965,62.253.86.237:6346,TCP > (flags:S) > FWIN,2002/03/27,22:29:31 +0:00 GMT,65.80.28.184:4440,62.253.86.237:6346,TCP > (flags:S) > > They're coming from different IPs, but directed to the same port? > > Could anyone tell me what 'Flags : S' is and also what 'FWIN' is about? I've > done searches for both but I can't get anything that will briefly tell me > what it's about. > > Thanks. > > Thomas > >
