Software or Windows 7 feature to log incoming network connections

dc2000

We have a network DVR box in our small office that records from several of our security cameras. It is basically a Windows 7 Embedded Standard OS with a proprietary DVR software on it. We can connect to that DVR from the internet via a static IP using a smartphone.

So I was wondering if there's a feature in Windows firewall, or maybe some third-party software, that would allow me to log every (outside) incoming connection to that computer?

I basically want to have a log of everything that's connecting to that computer.

PS. The DVR software in question is exacqVision, which has a very weird configuration interface where I couldn't find any logging support.
 

Thanks. The Windows firewall log did the trick. Interesting how there exist things in plain sight that you never knew were even there :)

I actually found it myself before your post. I followed the instructions from here:
Configure the Windows Firewall Log

The guy in the comments gave the best step-by-step instructions on how to set it up. I'll copy it here in case MS decides to remove that comment:


In order to enable firewall logging on a Windows 7 or Windows Server 2008 R2 machine, we need to follow the steps given below.

1. Go to Start and in RUN type wf.msc.
2. This opens up the “Windows Firewall with Advanced Security” window.
3. Then right click on “Windows Firewall with Advanced Security on Local Computer” and go to Properties.
4. When you click Properties, a new window opens. Now select the “Customize” option under Logging.
5. The default path for the log is %windir%\system32\logfiles\firewall\pfirewall.log. If you want to change the path, click Browse to select a file location.
6. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, then type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
7. No logging occurs until you set one of the following two options:
   * To create a log entry when Windows Firewall drops an incoming network packet, change Log dropped packets to Yes.
   * To create a log entry when Windows Firewall allows an inbound connection, change Log successful connections to Yes.
8. Click OK twice to complete your configuration.



What was confusing at first is that I had to set it up in 3 different tabs: Domain Profile, Private Profile and Public Profile. I set up 3 different custom log files, and in my case only the Public one is being filled in. Also, I had to set up an ACL on the log file for read access for my logon Windows user in Properties -> Security to be able to open it.

And it will work then.

I have a quick follow-up though. I see the following entries in the log:


#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2017-11-29 09:36:46 ALLOW 2 10.1.10.51 224.0.0.251 - - 0 - - - - - - - SEND
2017-11-29 09:36:58 ALLOW 2 10.1.10.51 239.255.255.250 - - 0 - - - - - - - SEND
2017-11-29 09:37:05 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND
2017-11-29 09:37:16 ALLOW 2 10.1.10.51 239.255.255.250 - - 0 - - - - - - - SEND
2017-11-29 09:37:46 ALLOW 2 10.1.10.51 224.0.0.9 - - 0 - - - - - - - SEND
2017-11-29 09:37:58 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND
2017-11-29 09:38:05 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND

I'm curious, what are those 224.*.*.* and sometimes 239.*.*.* IPs that it's sending to? The log is peppered with them. 10.1.10.51 is that box's IPv4 address.
 

Thank you very much for including the detailed instructions.

The "src-ip" addresses, being all the same, are for your networked DVR box. ("src" means "source")

The "dst-ip" addresses are likely internal addresses (devices which are on your internal network) -- this is indicated by the fact that the "dst-IPs" are either x.0.0.x or x.255.255.x. ("dst" means "destination")
 

No, 224.0.0.252, 224.0.0.9, 239.255.255.250, etc. are not local.
 

Go to a command prompt and type PING 224.0.0.252, etc. See what comes back.
 

Go to a command prompt and type PING 224.0.0.252, etc. See what comes back.

I get nothing. The ping just times out.

It's interesting though, if you look at the trace log, the protocol is not tcp but just the value 2. What is that? And also the size is 0.
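
An added example (not part of any post in this thread, and not Microsoft's tooling): a parser for the pfirewall.log format shown above that picks out inbound entries from non-local sources and labels the multicast traffic. It relies on two facts from outside the thread, that IP protocol number 2 is IGMP and that 224.0.0.0/4 is the multicast range; the RECEIVE lines in the sample, with their addresses and ports, are constructed.

```python
import ipaddress

PROTOCOLS = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
GROUPS = {"224.0.0.251": "mDNS", "224.0.0.252": "LLMNR",  # IANA-assigned multicast groups
          "239.255.255.250": "SSDP", "224.0.0.9": "RIPv2"}
# Assumption: "local" means the RFC 1918, loopback and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Three SEND lines copied from the thread, then three constructed RECEIVE lines.
SAMPLE = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-11-29 09:36:46 ALLOW 2 10.1.10.51 224.0.0.251 - - 0 - - - - - - - SEND
2017-11-29 09:36:58 ALLOW 2 10.1.10.51 239.255.255.250 - - 0 - - - - - - - SEND
2017-11-29 09:37:05 ALLOW 2 10.1.10.51 224.0.0.252 - - 0 - - - - - - - SEND
2017-11-29 09:40:02 ALLOW TCP 203.0.113.7 10.1.10.51 51544 8080 0 - 0 0 0 - - - RECEIVE
2017-11-29 09:41:15 DROP TCP 198.51.100.23 10.1.10.51 40112 3389 52 S 2718281 0 8192 - - - RECEIVE
2017-11-29 09:41:30 ALLOW UDP 10.1.10.20 10.1.10.51 137 137 0 - - - - - - - RECEIVE
"""

def parse(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not ip.is_multicast and not any(ip in net for net in LOCAL_NETS)

def inbound_from_outside(records):
    """Entries this host received from a source outside the local ranges."""
    return [r for r in records if r["path"] == "RECEIVE" and is_external(r["src-ip"])]

def multicast_summary(records):
    """Count packets sent to multicast groups, per (protocol, group name)."""
    counts = {}
    for r in records:
        if r["path"] == "SEND" and ipaddress.ip_address(r["dst-ip"]).is_multicast:
            key = (PROTOCOLS.get(r["protocol"], r["protocol"]),
                   GROUPS.get(r["dst-ip"], "other multicast"))
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    records = list(parse(SAMPLE))
    print(inbound_from_outside(records), multicast_summary(records))
```

To run it against a real log, pass the contents of the file configured in step 5 to `parse()` in place of `SAMPLE`.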
 
