What Does Listening Mean on an IP Address Log?
If an IP address has a status of "Listening" on an IP log, the status indicates your computer it is actively listening for network communication. Usually the listening is limited to a port that can receive specific information -- like from a website. However, listening can be a sign that unauthorized contact is being made to your computer.
The Microsoft application Netstat provides network status information in the form of an IP address log. Typing in the command "netstat -an" from a command prompt will list all the active IP addresses on a system, the remote IP address and the state of the address. The statuses can be: Listening, Established, Time_Wait and Close_Wait. The Listening status indicates a port on your computer is waiting for the remote port to give some information. The Established status indicates a remote port is listening for your computer. Time_Wait and Close_Wait simply indicate those ports are in the process of closing or will close if they don't receive input in a certain amount of time.
2 IP Addresses
The location of resources on a network is indicated by a numeric IP address. If your log shows the address of 0.0.0.0 then it is referring to all network traffic regardless of the source, for example from the Wi-Fi card or the network card. If the IP address is 127.0.0.1 then it refers to only local information and not anything external to your computer. So if the IP address 127.0.0.1 has a status of "Listening" your computer is listening to itself. For example, one piece of hardware may be listening for another piece of hardware to signal that it is done with a task.
Each IP address uses ports for network traffic through them. If you see 0.0.0.0:1963 with a status of Listening, your computer has port 1963 open for communication with other computers. Using ports allows you to close or open communication channels as you need to. Firewalls restrict access to your computer network, in part, by controlling which ports are open to communication.
The IP address log from Netstat shows both the listening port and the established port. If both appear for the same port there is likely to be authorized communication going on. For example, if you see port 0.0.0.0:1963 marked as listening, you will also see a connection labeled as established with the same port open and the local port will be your local area network address with the remote or foreign port being the IP address of the site you're connected to. For example, 10.0.0.9:1963 22.214.171.124:80 indicates that the computer on your network with the IP address 10.0.0.9 is connected to port 1963 to a computer on the Internet with the IP address 126.96.36.199 through port 80.
5 Firewalls and Anti-Virus
If you see port activity on your IP log that doesn't match up with the connections you think you should have, use a firewall to close ports with a status of listening and no corresponding established IP address. Use an anti-virus or anti-malware scanner to remove any potentially malicious software (see link in Resources). Examining IP logs is one useful tool in locating and disabling unauthorized network communication.