Software or Windows 7 feature to log incoming network connections


  1. Posts : 153
    Windows
       #1


    We have a network DVR box in our small office that records from several of our security cameras. It is basically a Windows 7 Embedded Standard OS with a proprietary DVR software on it. We can connect to that DVR from the internet via a static IP using a smartphone.

    So I was wondering if there's a feature in Windows Firewall, or maybe some third-party software, that would allow me to log every (outside) incoming connection to that computer?

    I basically want to have a log of everything that's connecting to that computer.

    PS. The DVR software in question is exacqVision, which has a very weird configuration interface where I couldn't find any logging support.


  2. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #2

    All of the following should be helpful to you:

    Windows Firewall Log:
    https://technet.microsoft.com/en-us/...(v=ws.10).aspx

    Netstat:
    https://superuser.com/questions/4743...ock-certain-ip

    Free Sysinternals program called TCPView:
    https://docs.microsoft.com/en-us/sys...nloads/tcpview


  3. Posts : 153
    Windows
    Thread Starter
       #3

    Thanks. The Windows firewall log did the trick. Interesting how there exist things in plain sight that you never knew were even there :)

    I actually found it myself before your post. I followed the instructions from here:
    Configure the Windows Firewall Log

    The guy in the comments gave the best step-by-step instructions on how to set it up. I'll copy it here in case MS decides to remove that comment:


    In order to enable firewall logging on Windows 7 and Windows Server 2008 R2 machines we need to follow the steps given below.

    1. Go to Start and in RUN type wf.msc.

    2. This opens up the “Windows Firewall with Advanced Security” window.

    3. Then right-click on “Windows Firewall with Advanced Security on Local Computer” and go to Properties.

    4. When you click on Properties a new window opens. Now select the “Customize” option under Logging.

    5. The default path for the log is %windir%\system32\logfiles\firewall\pfirewall.log. If you want to change the path, click Browse to select a file location.

    6. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, then type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.

    7. No logging occurs until you set one of the following two options:

    * To create a log entry when Windows Firewall drops an incoming network packet, change Log dropped packets to Yes.

    * To create a log entry when Windows Firewall allows an inbound connection, change Log successful connections to Yes.

    8. Click OK twice to complete your configuration.


    What was confusing at first is that I had to set it up in 3 different tabs: Domain Profile, Private Profile and Public Profile. I set up 3 different custom log files, and in my case only the Public one is being filled in. Also I had to set up an ACL on the log file for read access for my logon Windows user in Properties -> Security to be able to open it.

    And it will work then.

    I have a quick follow-up though. I see the following entries in the log:


    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

    2017-11-29 09:36:46 ALLOW 2 10.1.10.51 224.0.0.251 - - 0 - - - - - - - SEND
    2017-11-29 09:36:58 ALLOW 2 10.1.10.51 239.255.255.250 - - 0 - - - - - - - SEND
    2017-11-29 09:37:05 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND
    2017-11-29 09:37:16 ALLOW 2 10.1.10.51 239.255.255.250 - - 0 - - - - - - - SEND
    2017-11-29 09:37:46 ALLOW 2 10.1.10.51 224.0.0.9 - - 0 - - - - - - - SEND
    2017-11-29 09:37:58 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND
    2017-11-29 09:38:05 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND

    I'm curious, what are those 224.*.*.* and sometimes 239.*.*.* IPs that it's sending to? The log is peppered with them. 10.1.10.51 is that box's IPv4 address.


  4. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #4

    Thank you very much for including the detailed instructions.

    The "src-ip" addresses, being all the same, are for your networked DVR box. ("src" means "source")

    The "dst-ip" addresses are likely internal addresses (devices which are on your internal network) -- this is indicated by the fact that the "dst-IPs" are either x.0.0.x or x.255.255.x. ("dst" means "destination")


  5. Posts : 153
    Windows
    Thread Starter
       #5

    No, 224.0.0.252, 224.0.0.9, 239.255.255.250, etc. are not local.


  6. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #6

    Go to a command prompt and type PING 224.0.0.252, etc. See what comes back.


  7. Posts : 153
    Windows
    Thread Starter
       #7

    mrjimphelps said:
    Go to a command prompt and type PING 224.0.0.252, etc. See what comes back.

    I get nothing. The ping just times out.

    It's interesting though, if you look at the trace log, the protocol is not TCP but just the value 2. What is that? And also the size is 0.
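Added example, not part of any post in this thread: a small parser for the pfirewall.log format quoted in post #3 that names the numeric protocol and multicast groups asked about in posts #3 and #7 (protocol number 2 is IGMP in the IANA registry; 224.0.0.0/4 is the IPv4 multicast range) and lists inbound connections from outside the LAN, which is what post #1 wanted. The 10.1.10.0/24 LAN range and the three RECEIVE lines in the sample are constructed assumptions; the two SEND lines are from the thread.

```python
import ipaddress

# IANA protocol numbers; the log prints a bare number when it has no name for it
PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# Well-known multicast groups that appear in the thread's log excerpt
GROUPS = {"224.0.0.9": "RIPv2 routers", "224.0.0.251": "mDNS",
          "224.0.0.252": "LLMNR", "239.255.255.250": "SSDP/UPnP discovery"}
# Assumption: the office LAN is a /24 around the DVR's 10.1.10.51 address
LAN = ipaddress.ip_network("10.1.10.0/24")

# First two entries are from the thread; the RECEIVE entries are constructed samples
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2017-11-29 09:36:46 ALLOW 2 10.1.10.51 224.0.0.251 - - 0 - - - - - - - SEND
2017-11-29 09:37:46 ALLOW 2 10.1.10.51 224.0.0.9 - - 0 - - - - - - - SEND
2017-11-29 09:40:02 ALLOW TCP 203.0.113.7 10.1.10.51 51514 8080 0 - 0 0 0 - - - RECEIVE
2017-11-29 09:41:10 DROP TCP 198.51.100.23 10.1.10.51 40022 23 52 S 1 0 8192 - - - RECEIVE
2017-11-29 09:42:00 ALLOW UDP 10.1.10.20 10.1.10.51 137 137 0 - - - - - - - RECEIVE
"""

def parse(text):
    """Yield one dict per log entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def describe(entry):
    """Return (protocol name, destination kind) for one entry."""
    proto = entry["protocol"]
    proto = PROTO.get(int(proto), proto) if proto.isdigit() else proto
    dst = ipaddress.ip_address(entry["dst-ip"])
    if dst.is_multicast:
        return proto, GROUPS.get(str(dst), "multicast group")
    return proto, "unicast"

def outside_inbound(text, lan=LAN):
    """Return inbound (RECEIVE) entries whose source address is not on the LAN."""
    return [e for e in parse(text)
            if e["path"] == "RECEIVE"
            and ipaddress.ip_address(e["src-ip"]) not in lan]

if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        if e["path"] == "SEND":
            print(e["dst-ip"], *describe(e))
    for e in outside_inbound(SAMPLE_LOG):
        print(e["date"], e["time"], e["action"], e["src-ip"], "->", e["dst-port"])
```

To run it against a real log, pass the contents of the file configured in step 5 (one file per profile if separate paths were set) to `outside_inbound`.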


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
