Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use this procedure when you want to confirm that malicious activity is occurring within your network. This procedure is useful if you suspect such activity is taking place and you want to identify the targets of the attacks.
Administrative Credentials
No special administrative credentials are required to perform this task.
Special Considerations
No special considerations are required to perform this task.
Note
Broadcast packets have destination IP addresses that end in 255. Disregard those packets when you search the Windows Firewall log file for malicious activity.
To identify malicious activity
With the Windows Firewall log file open in Notepad, scroll through the file from beginning to end.
Look at each log entry with DROP in the action field and note whether the destination IP address (dstip) ends with a number other than 255.
If you find many such entries, take note of the destination IP addresses of the packets.
If those destination IP addresses are all the same, similar, or systematic, write down the source IP addresses (srcip) and the destination IP addresses. Dropped packets like these can be considered suspicious, and they often show a systematic pattern in the destination ports as well (for example, the same source walking through a series of ports on one host).
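The same review can be automated for a large log. The script below is an added example, not part of the original procedure or Microsoft's own tooling: it reads the log's W3C #Fields header to name the columns, keeps only DROP entries whose destination does not end in .255, and groups the rest by destination IP so the targeted hosts, the sources hitting them, and the ports they probed are listed together. The log lines are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of a Windows Firewall log (pfirewall.log, W3C format).
# Header and entries are made up for this example, not taken from a real host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-03-01 10:00:01 DROP TCP 192.0.2.77 10.0.0.5 3421 135 48 S 1234 0 65535 - - - RECEIVE
2006-03-01 10:00:02 DROP TCP 192.0.2.77 10.0.0.5 3422 139 48 S 1235 0 65535 - - - RECEIVE
2006-03-01 10:00:03 DROP TCP 192.0.2.77 10.0.0.5 3423 445 48 S 1236 0 65535 - - - RECEIVE
2006-03-01 10:00:04 DROP UDP 10.0.0.9 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2006-03-01 10:00:05 OPEN TCP 10.0.0.5 10.0.0.1 1050 80 0 - 0 0 0 - - - -
2006-03-01 10:00:06 DROP TCP 198.51.100.3 10.0.0.5 40000 3389 48 S 99 0 8192 - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def suspicious_drops(text, min_hits=2):
    """Group non-broadcast DROP entries by destination IP and return the
    targets hit at least min_hits times, with their sources and ports."""
    hits = defaultdict(list)
    for entry in parse_log(text):
        dst = entry.get("dst-ip", "")
        # Broadcast traffic (destination ending in .255) is ignored, as the note above says.
        if entry.get("action") != "DROP" or dst.endswith(".255"):
            continue
        hits[dst].append((entry["src-ip"], entry["dst-port"]))
    report = {}
    for dst, pairs in hits.items():
        if len(pairs) >= min_hits:
            report[dst] = {
                "count": len(pairs),
                "sources": sorted({src for src, _ in pairs}),
                "ports": sorted({int(port) for _, port in pairs}),
            }
    return report

if __name__ == "__main__":
    for dst, info in suspicious_drops(SAMPLE_LOG).items():
        print(f"{dst}: {info['count']} dropped, sources={info['sources']}, ports={info['ports']}")
```

Point `suspicious_drops` at the contents of your own log file and raise `min_hits` to suit its size; a host that appears with a run of consecutive or well-known ports from one source is the pattern the procedure above describes.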