Who's There? User's Guide

Who's There? Firewall Advisor
User's Guide

Main Window

This chapter assumes that you are familiar with the material presented in Basic Concepts. This chapter describes the main window, shown in Figure 1 below. This window gives an overview of the data in the firewall's log file, and is always present while Who's There? is running.

The major components of the main window are:

Data filters - control the log lines actually processed by Who's There?
Data view tabs - control how the data is displayed
Sorting controls - control how the data is sorted
Action buttons - obtain further information on an accessor or service

Each component is discussed in its own section below.

Figure 1. Who's There? main window, access history

Data filters

You can control which firewall log lines are processed, using the popup menus in the upper left of the main window. See Figure 2 below.

Figure 2. View selection popup menus

The log lines to be processed can be specified:

by time frame
- access attempts within the last 30 days
- access attempts within the last 7 days (default)
- access attempts within the last 2 days
- access attempts today
- access attempts within a user-specified date range
by action taken (12, Firewall Basics)
- the access attempt was denied by the firewall
- the access attempt was allowed by the firewall
by risk level of the service to which access was attempted
- high - Accesses against built-in or other common Mac services that could cause significant damage or data exposure.
- medium - Accesses that would require the Mac to be running special software (for example, server software) to succeed, or that would cause little harm if they succeeded.
- low - Accesses that can only work on non-Mac machines, or that shouldn't be able to cause any harm or compromise any information on a Mac. Note that "low" risk does not mean "no" risk.
- unknown - No assessment can be made for the particular service.

The risk level assigned to a particular service is based solely on the particular service, and doesn't take into account other risk-related factors, such as those discussed in Investigating Accesses. Note that rating a service as high risk does not mean the service is inherently risky, only that a breach of security to that service could have serious results for the user. Stated risk levels represent Open Door's best analysis, but cannot be guaranteed to be correct. The risk levels selected with the risk level data filter are indicated in the risk levels popup menu by one or more risk icons.

high

medium

low

unknown

Table 1. Risk rating icons

Changing filter settings can change the number of log lines that Who's There? displays. The actual number of lines displayed is indicated at the bottom of the main window, along with the total number of lines in the log file.

Data view tabs

Using the tabs across the top of the main window, the way in which the data is viewed can be changed:

Access history detail - displays lines from the firewall log file (default)
Summary by service - displays a summary of the log lines, grouped by service
Summary by IP address - displays a summary of the log lines, grouped by accessor IP address

Figure 3. Tabs controlling the data view

Each type of view is covered in the following sections.

Access history detail

This is the view shown in Figure 1 above. In this view, lines from the log file are simply displayed, without summary. Each line usually corresponds to one attempt to access a service on the firewall machine, but can correspond to more than one such attempt if Don't show duplicates is checked. Only the lines selected by the data filter popups are displayed. The default columns are:

Date & time - The date and time of the access attempt.
Action - Whether the access attempt was allowed or denied by the firewall, (12, Firewall Basics)
Service - The service to which access was attempted, if known (not all port numbers correspond to a specific service).
Port - The port number to which access was attempted. (6, Port Numbers)
Risk - Who's There's assessment of the security risk posed by an access attempt to the given service.
Mode - Which protocol (TCP, UDP or ICMP) was used in the access attempt. (6, Protocols)
IP address - The IP address of the accessor's machine. (6, IP Addresses and Host Names)
Host name - The host name, if any, associated with the accessor's IP address. For example, host name www.opendoor.com is associated with IP address 66.241.68.27. (6, IP Addresses and Host Names)

There are four other columns that can be displayed:

Emailed - This column contains a checkmark if email has been sent regarding the particular IP address. All currently displayed instances of the IP address are checkmarked at the time email is sent. If lines in the log file are not displayed in Who's There, due to data filtering, those lines will not have checkmarks if they are later displayed,
In/Out - The direction of the access attempt: coming into the firewall machine, or going out. Most firewalls log only incoming access attempts, as these represent the greatest risk for Macintosh users. Outgoing attempts, not blocked or logged by many firewalls, are typically due to user actions such as Web surfing, or certain system operations, but may sometimes happen with Trojan Horses (11, What Viruses Are) or other malicious software.
Src Port - The port number on the machine from which the access was attempted. Note that source and destination port numbers do not have to be the same. (6, Port Numbers)
Dst IP Address - The IP address on your machine to which access was attempted. Although most users' machines have only one IP address, machines also accept packets sent to other addresses usually referred to as "multicasts". (12, IP Addresses and Host Names)

We should clarify a few of the above columns. When a user on another machine tries to access a service on your machine, they send one or more packets from their machine to yours. The IP address of their machine is the source IP address (column IP address) and the port from which they send the packets is the source port (column Src Port). The IP address of your machine is the destination IP address (column Dst IP Address) and the port to which they send the packets is the destination port (column Port), representing the service (column Service) which they are trying to access. Normally, out of these five columns, only three are of concern: IP address (who is trying to access your machine?), Port (what port are they trying to access?) and Service (what's the name of the service associated with the port). For example, say someone on a machine with an IP address of 10.0.0.27 tries to contact Personal File Sharing on your machine, which has an IP address of 192.168.1.222. The column values would read as follows:

IP address - 10.0.0.27 (The IP address of the accessor's machine)
Src Port - This can be any port number. Source and destination port numbers do not have to match.
Dst IP Address - 192.168.1.222 (The IP address of your machine)
Port - 548 (The port number used by Personal File Sharing)
Service - Personal File Sharing (The name of the service to which access was attempted)

Columns can be resized by dragging the right edge of a column header, and moved by dragging the column header. If you wish to omit certain columns, or add others, see Display Preferences.

There are two menu commands associated only with the Access history detail:

Copy - Copy a selected line to the Clipboard, using Copy from the Edit menu.
Copy Special - Copy one field of a selected line to the Clipboard, using Copy Special from the Edit menu.

Sorting is controlled as described in the section on sorting.

Summary by service

This view, shown below in Figure 4, groups the data in the upper pane by service. Only the lines selected by the data filter popups are displayed. The lower pane displays summary information about each of the IP addresses that attempted to access a service selected in the upper pane.

Figure 4. Main window, summary by service

The columns in the upper pane are:

Service - The name of the service to which access was attempted, and its icon, if known. Not all port numbers correspond to a specific service.
Port - The port number to which access was attempted. If there are TCP, UDP and ICMP access attempts to the same port, the ICMP attempts will appear in a separate line (since ICMP "ports" in Who's There? usually indicate ICMP message types) . The two lines will have the same port number but different service names. (6, Port Numbers)
Risk - Who's There's assessment of the security risk posed by an access attempt to the given service.
Accesses Allowed - The total number of access attempts to a service which were allowed. (12, Features)
Accesses Denied - The total number of access attempts to a service which were denied. (12, Features)
Most Recent - The most recent access to the service, from any IP address.

The columns in the lower pane are:

IP address - Data in this column represents the IP address of an accessor to the given service. (6, IP Addresses and Host Names)
Host name - Data in this column represents the host name, if any, associated with an accessor to the given service. For example, host name www.opendoor.com is associated with IP address 66.241.68.27. (6, IP Addresses and Host Names)
Accesses Allowed - The total number of access attempts allowed from the accessor address to this service. (12, Features)
Accesses Denied - The total number of access attempts denied from the accessor address to this service. (12, Features)
Most Recent - The most recent access from the accessor to the service.

The horizontal divider between the upper and low panes can be moved by dragging the dot in the center of the bar. For example, in Figure 4 Windows Sharing is selected. The upper pane shows that there were no allowed attempts and 4 denied. In the lower pane, for each address from which access was attempted to Windows Sharing, we see a summary of allowed and denied attempts, and the most recent attempt. Sorting is controlled as described in the section on sorting. Columns in either pane can be resized by dragging the right edge of a column header, and moved by dragging the column header.

Summary by IP address

This view, shown below in Figure 5, groups the data in the upper pane by IP address. Only the lines selected by the data filter popups are displayed. The lower pane displays summary information about each of the services to which access was attempted from the IP address selected in the upper pane.

Figure 5. Main window, summary by IP address

The upper pane displays summary information about accessing IP addresses. The columns are:

IP address - The IP address of the accessor's machine. (6, IP Addresses and Host Names)
Host name - The host name, if any, associated with the accessor's IP address. For example, host name www.opendoor.com is associated with IP address 66.241.68.27. (6, IP Addresses and Host Names)
Accesses Allowed - The total number of access attempts from an accessor which were allowed. (12, Features)
Accesses Denied - The total number of access attempts from an accessor which were denied. (12, Features)
Most Recent - The most recent access from the IP address to any service.

The lower pane displays information about services to which access was attempted by the IP address selected in the upper pane. The columns are:

Service - Data in this column represents the name of the service, if any, to which access was attempted from the given IP address; and the service icon, if known.
Port - Data in this column represents the port number to which access was attempted from the given IP address. If there are TCP, UDP and ICMP access attempts to the same port, the ICMP attempts will appear in a separate line. The two lines will have the same port number but different service names. (6, Port Numbers)
Risk - Who's There's assessment of the security risk posed by an access attempt to the given service.
Accesses Allowed - The total number of access attempts from an accessor which were allowed. (12, Features)
Accesses Denied - The total number of access attempts from an accessor which were denied. (12, Features)
Most Recent - The most recent access from the selected IP address to the service.

The horizontal divider between the upper and low panes can be moved by dragging the dot in the center of the bar. For example, in Figure 5 the IP address 192.168.1.7 is selected. The upper pane shows that there were no allowed attempts and 2 denied. In the lower pane, for each service to which access was attempted from 192.168.1.7, we see a summary of allowed and denied attempts, and the most recent attempt. Sorting is controlled as described in the section below on sorting. Columns in either pane can be resized by dragging the right edge of a column header, and moved by dragging the column header.

Sorting the data

Sort columns used in the upper and lower panes are independent. To sort by a given column, click on the column's heading. The current sort column is indicated by a blue heading. In Figure 5 above, the upper pane is sorted by IP address, and the lower pane by Port.

The sort sense (ascending or descending) is specified by the sort triangle at the right edge of the selected column heading. Who's There? applies the same meaning to the sort triangle as does the Finder. That is, ascending order is used when the triangle points up, descending when the triangle points down. The default sort order for each column is that which is most likely to be useful. Thus, the default sort order for accesses denied (and allowed) is descending, but for host names is ascending. The sort sense is toggled by clicking the sort triangle.

Action buttons

The action buttons are located in the upper right of the main window.

Figure 6. Action buttons

Service info - Opens the Who's There? dialog with details, if known, of the selected service
Who's there? - Opens the Who's There? dialog with details, if known, of the selected accessor IP address
Draft email - Opens the Who's There? dialog with the draft of an email to the administrator of a particular network (accessor IP address)

Note that each button will be active only if it makes sense for the selected item in the main window. For example, in Figure 4 only the Service info button is enabled, since the active selection is that of a service. Likewise, in Figure 5, the Service info button is not enabled, since the active selection is that of an IP address.

For details of the Who's There? dialog, please see Who's There? Dialog.

Extra information on services

Beyond what's in the Service Info pane of the Who's There? dialog, additional information on most services is available in Internet Security for Your Macintosh. If you select a service in any of the following three ways:

Select a line in the Access History window
Select a service in the upper pane of the Summary by Service window
Select a service in the lower pane of the Summary by IP Address window

you can then request further information on the service by choosing "View eBook" from the Book menu, or typing Cmd-E. You can also click the eBook button in the Service Info dialog. Who's There? will display additional information on the service, if any, in your default browser. See Figure 7.

Figure 7. eBook entries on port 548

A list of relevant passages is displayed on the left, with the text of passages displayed on the right. If there is nothing in the book that corresponds to a service, you'll see a list of passages that relate to unknown services.

Exporting data

You can export to a text file the information displayed in any of the three views of the main window. Choose Export from the File menu, and specify a file name and location. Only the data actually displayed will be exported.

Back to Table of Contents
Back to Getting Started
Forward to Who's There? Dialog