Without getting into the ethics of P2P...

On Firestarter I'm seeing an expected connection from IP x.x.x.1 on port 6697.

I sometimes also see a connection that I don't understand, a persistent connection from my PC (192.168.123.151) to the other computer (x.x.x.1) on a random port, in this case port 1120. That outbound connection doesn't go away, according to Firestarter, even if I shut down the P2P client. Firestarter continues to identify it as an active connection.

I'm no kind of expert at checking out this sort of thing, but I did scan the port with nmap:
Does that look like anything I should be worried about. As I said, the sympthom only shows up occasionally, and only when an uploader is apparently having a troublesome connection.

Why would you scan your *own* LAN address machine if you could use a combo of lsof, netstat, strace and tcpdump to get all sorts of gory process details? Does the remote address change or not? If it changes is it between a few addresses or random?

The problem is that I don't understand what any of those commands do. I just want to know whether a persistent open connection from my machine to the remote is being initialized here.

Most often it does not change. When it does change, it's usually within a few addresses. On one occasion, it appeared to me that there may have been such a connection created to a random IP, but I could not be sure about that.

With +3K in posts you surely know the nfo is at your fingertips? netstat to easily get the process ID to feed into lsof, lsof to list open files for that process (see what's in use or what something logs to) and connections, strace to attach to the process and see what gets written if nothing gets logged and tcpdump to capture packets before processing them with tools like wireshark, tcpflow or snort.


Iptables logging?


Depending on what P2P app you use it may be super leafnodes or whatever else type of intermediates are in use.