Who's There? Firewall Advisor
After installing Who's There? I try to run it, but it complains
that there's a problem trying to access or save its serial number.
- The first time Who's There? is run after installation, it must
be run by a user with administrative privileges. If you're the
only user of the machine, you probably have admin privileges.
You can learn more about admin privileges by going to the Mac
Help menu and searching for "adding a user account".
I know my firewall's log file contains data, but nothing is displayed
in the main window of Who's There?
- The data filters may be set so that no data match the criteria. Try setting the
filters to allow all data: all dates and times, all actions, all
- The Access History window's filter field may be set so that no data match the criteria. Try clearing that
- If you have used the Preferences dialog in Who's There? to specify
a log file other than the default, be sure that the log file is
in fact a firewall log file in the correct format. Invalid text files can be specified in the Preferences dialog
and will be opened by Who's There?, but no data will be displayed.
- If you are running Norton Personal Firewall, be sure that its
log file is selected, and not an alternate log file such as WhosThere.log
- Make sure that your firewall has logging enabled. With DoorStop X, for example, you enable logging through its preferences window.
- If you're using a router, see Who's There? and routers. (15, Home Routers)
- Who's There? does not support the log file from the "built-in"
firewall in Mac OS X 10.5 (Leopard), which is missing critical
port number information.
The data displayed does not go as far back in time as I think
- You may have the data filters set to restrict the period that is displayed.
- Check the log file in question to confirm that its entries actually
go back as far as you think they do. It's possible the log has
been rolled (archived and reset) by OS X or by your firewall. (12, Features)
Who's There? is not displaying certain data in my log file. (12, Features)
- The data filters may be set so that some data is excluded from the display.
- The Access History window's filter field may be set so that no data match the criteria.
- Be sure that Who's There? is actually reading from the firewall's
current live log file.
- If you're using Norton Personal Firewall 3.0 or later, the log file will have certain data that will not be displayed by Who's There?.
In particular, Who's There? does not display the TYPE token at
Who's There? is displaying only denied connection attempts, but
I know there have been some connections allowed. (12, Firewall Basics, Features)
- Your firewall may be set to log only denied connections. Consult
your firewall's documentation on how to change logging parameters.
Note that the built-in firewall in Mac OS X 10.4 cannot be configured
to log allowed connections, representing a security risk.
- Check the "action taken" popup in the Who's There? main window, to confirm that it is not set
to display only denied connection attempts.
Sometimes the location indicated in the map does not match the
location in the WHOIS lookup.
- The map coordinates come from a different source than WHOIS. Occasionally,
data from the two sources will not match.
I notice attempts to services on my machine, from my machine,
but I know I haven't made them.
- Certain invalidly formed links can cause access attempts from
your own machine with certain Web browsers.
- Certain applications may try to talk to themselves using TCP/IP,
resulting in such an access. In particular, Microsoft Office applications
seem to do this on occasion. (6, Protocols)
I sent an email to a network administrator, and it was returned
as undeliverable. (13, Investigating and Reporting Suspicious Activity)
- The email address returned from the WHOIS lookup may be out of
date, due to the WHOIS database itself being out of date. It may
also be incorrect, due to a typo or other error. Check the information
returned from the WHOIS lookup (in the lower pane of the Who's
There? dialog) for alternate addresses. Start at the bottom of
the window, since information gets more specific the farther down
the window you look. Alternatively, you can attempt to contact
the network administrator using other WHOIS information, such
as their phone number or mailing address
How do I tell Who's There? to use a different email client?
The Likely Web site address in the Who's There? dialog does not
- Make sure you are connected to the Internet.
- In some cases, there is insufficient data from WHOIS for Who's
There? to correctly determine the Web site address.
The map does not display any coordinates or cursor.
- Make sure you are connected to the Internet.
- The map servers do not have information on all IP addresses.
- The map servers are sometimes quite busy, especially in the middle
of a weekday.
The WHOIS search in the Who's There? dialog says it has timed
out, or that the service is unavailable
- Make sure you are connected to the Internet
- The WHOIS servers are sometimes quite busy, especially in the
middle of a weekday.
- Make sure you've specified a valid DNS in the Network System Preferences
dialog. If you have not, or if the DNS is offline, long delays
The WHOIS search in the Who's There? dialog says the lookup failed.
- Occasionally, a WHOIS server will be down. Try again later. If
this condition persists, contact email@example.com.
I used File > Open to change log files, but when I quit and relaunch
Who's There? it opens the old log file.
- File > Open is intended only for temporarily opening log files.
If you want to select a new default log file, use the General
pane of the Preferences dialog.
Who's There? is displaying less lines than are in the log file,
either for a particular access attempt
Columns in the Access History window are missing or out of order
- Column order can be changed by dragging a column header. Which
columns are present in the display is controlled by Display Preferences.
Columns are not wide enough.
- The width of any column can be changed by dragging the right edge
of the column header.
When I launch Who's There? the DoorStop X Firewall also launches.
- When Who's There? is launched for the first time, it tries to
contact DoorStop X, to see if DoorStop is active and logging is
enabled. If it's not, Who's There? will display a warning. Who's
There? will do this each time it's launched, until it finds DoorStop
I have the DoorStop X Firewall installed, but Who's There? does
not display DoorStop protection information for any service.
- In the Service Info window, Who's There? will display protection
info for any service, but only with DoorStop X 1.1 or later. To
upgrade, see http://www.opendoor.com/doorstop.
Some tabs in the Who's There? dialog just beep when I click on
- This means that the tab has no meaning in the current context.
For example, if you're in Summary by Service, select a line in
the upper pane, and then click Service Info, you'll go to the
Service Info pane of the Who's There? dialog. Since there is no
IP address in this situation, the WHOIS, Email and Map tabs have
Some action buttons are unavailable
- In certain situations, not all buttons will make sense. For example,
in Summary by Service, with a service selected, the "Draft email"
button makes no sense, and so is not active.
Changes in Preferences don't work for Summary by Service or Summary
I added a custom service to DoorStop X and gave it a custom icon,
but neither the name nor the icon shows up in Who's There?
- You must quit and relaunch Who's There in order to see service
names and icons added to DoorStop.
I added a custom service to DoorStop X, but it shows up in Who's
There? as "Unknown".
- If a custom service uses a custom icon, both the icon and the
name are displayed. However, without a custom icon, Who's There?
does not display the name of a custom service unless the name
is changed from the default ("Service on port nnn").
Some duplicate lines are not omitted.
I don't see any outgoing access attempts, although I surf the
Web a lot.
- Confirm that your firewall is configured to log outgoing attempts.
Most firewalls do not block or log outgoing packets.
Listed destination IP addresses don't match my machine's
- Some addresses may be those used by broadcasts, which will not
match those of your machine.
- Confirm that you have not configured your machine to have more
than one IP address.
Lines displayed after entering data into the Access History window's
filter field do not seem to all contain the data I've entered.
- Perhaps the matched data is in a column that's not currently being
displayed. Check Display Preferences.
- Different columns match the filter field in different ways. Some
columns only require a substring match, where the data is matched
anywhere within the column's entry.
The Access History line I'm looking at scrolls off the screen
as new lines come in.
- Selecting any line in the Access History window will prevent the
New lines in the Access History window are not automatically brought
- New lines are only automatically brought into view if the Access
History window is sorted by date.
- Be sure no line in the window is selected, which will prevent
automatic scrolling to any new line.
I cannot access the book's blog (isfym.com), Top 10 list or Twitter stream.
- You must have Internet access to be able to search and access
the blog or list, or access the Twitter stream.
- Perhaps the blog's Web site is too busy, or temporarily inaccessible.
Try again a bit later.
Searching the blog returns results that don't match what I'm expecting.
- The search takes advantage of Google technology to provide a highly
advanced lookup of your search terms in the blog. In some cases,
some of the results returned may not directly match what you're
- The search also may return related information from the Web itself
which is not necessarily part of the blog.
Back to Table of Contents
Back to Investigating
Forward to Appendices