After installing Who's There? I try to run it, but it complains that there's a problem trying to access or save its serial number.

• The first time Who's There? is run after installation, it must be run by a user with administrative privileges. If you're the only user of the machine, you probably have admin privileges. You can learn more about admin privileges by going to the Mac Help menu and searching for "adding a user account".

I know my firewall's log file contains data, but nothing is displayed in the main window of Who's There?

• The data filters may be set so that no data match the criteria. Try setting the filters to allow all data: all dates and times, all actions, all risk levels.
• The Access History window's filter field may be set so that no data match the criteria. Try clearing that field.
• If you have used the Preferences dialog in Who's There? to specify a log file other than the default, be sure that the log file is in fact a firewall log file in the correct format. Invalid text files can be specified in the Preferences dialog and will be opened by Who's There?, but no data will be displayed.
• If you are running Norton Personal Firewall, be sure that its log file is selected, and not an alternate log file such as WhosThere.log or ipfw.log.
• Make sure that your firewall has logging enabled. With DoorStop X, for example, you enable logging through its preferences window.
• If you're using a router, see Who's There? and routers. (15, Home Routers)
• Who's There? does not support the log file from the "built-in" firewall in Mac OS X 10.5 (Leopard), which is missing critical port number information.

The data displayed does not go as far back in time as I think it should.

• You may have the data filters set to restrict the period that is displayed.
• Check the log file in question to confirm that its entries actually go back as far as you think they do. It's possible the log has been rolled (archived and reset) by OS X or by your firewall. (12, Features)

Who's There? is not displaying certain data in my log file. (12, Features)

• The data filters may be set so that some data is excluded from the display.
• The Access History window's filter field may be set so that no data match the criteria.
• Be sure that Who's There? is actually reading from the firewall's current live log file.
• If you're using Norton Personal Firewall 3.0 or later, the log file will have certain data that will not be displayed by Who's There?. In particular, Who's There? does not display the TYPE token at all.

Who's There? is displaying only denied connection attempts, but I know there have been some connections allowed. (12, Firewall Basics, Features)

• Your firewall may be set to log only denied connections. Consult your firewall's documentation on how to change logging parameters. Note that the built-in firewall in Mac OS X 10.4 cannot be configured to log allowed connections, representing a security risk.
• Check the "action taken" popup in the Who's There? main window, to confirm that it is not set to display only denied connection attempts.

Sometimes the location indicated in the map does not match the location in the WHOIS lookup.

• The map coordinates come from a different source than WHOIS. Occasionally, data from the two sources will not match.

I notice attempts to services on my machine, from my machine, but I know I haven't made them.

• Certain invalidly formed links can cause access attempts from your own machine with certain Web browsers.
• Certain applications may try to talk to themselves using TCP/IP, resulting in such an access. In particular, Microsoft Office applications seem to do this on occasion. (6, Protocols)

I sent an email to a network administrator, and it was returned as undeliverable. (13, Investigating and Reporting Suspicious Activity)

• The email address returned from the WHOIS lookup may be out of date, due to the WHOIS database itself being out of date. It may also be incorrect, due to a typo or other error. Check the information returned from the WHOIS lookup (in the lower pane of the Who's There? dialog) for alternate addresses. Start at the bottom of the window, since information gets more specific the farther down the window you look. Alternatively, you can attempt to contact the network administrator using other WHOIS information, such as their phone number or mailing address

How do I tell Who's There? to use a different email client?

• Who's There? uses the default email application specified in OS X. To view or change the default mail reader, run the OS X built-in Mail application and select Preferences from the Mail menu. Click the General icon, and in the Default Email Reader popup menu, choose a mail reader from the menu or, if the one you want is not displayed, choose "Select ..." and then locate the mail program you want to use.

  See Getting Started for a list of supported email applications.

The Likely Web site address in the Who's There? dialog does not work.

• Make sure you are connected to the Internet.
• In some cases, there is insufficient data from WHOIS for Who's There? to correctly determine the Web site address.

The map does not display any coordinates or cursor.

• Make sure you are connected to the Internet.
• The map servers do not have information on all IP addresses.
• The map servers are sometimes quite busy, especially in the middle of a weekday.

The WHOIS search in the Who's There? dialog says it has timed out, or that the service is unavailable

• Make sure you are connected to the Internet
• The WHOIS servers are sometimes quite busy, especially in the middle of a weekday.
• Make sure you've specified a valid DNS in the Network System Preferences dialog. If you have not, or if the DNS is offline, long delays can result.

The WHOIS search in the Who's There? dialog says the lookup failed.

• Occasionally, a WHOIS server will be down. Try again later. If this condition persists, contact noc@arin.net.

I used File > Open to change log files, but when I quit and relaunch Who's There? it opens the old log file.

• File > Open is intended only for temporarily opening log files. If you want to select a new default log file, use the General pane of the Preferences dialog.

Who's There? is displaying less lines than are in the log file, either for a particular access attempt

• Confirm that you have not checked "Don't show duplicate lines" in Display preferences.

Columns in the Access History window are missing or out of order

• Column order can be changed by dragging a column header. Which columns are present in the display is controlled by Display Preferences.

Columns are not wide enough.

• The width of any column can be changed by dragging the right edge of the column header.

When I launch Who's There? the DoorStop X Firewall also launches.

• When Who's There? is launched for the first time, it tries to contact DoorStop X, to see if DoorStop is active and logging is enabled. If it's not, Who's There? will display a warning. Who's There? will do this each time it's launched, until it finds DoorStop properly configured.

I have the DoorStop X Firewall installed, but Who's There? does not display DoorStop protection information for any service.

• In the Service Info window, Who's There? will display protection info for any service, but only with DoorStop X 1.1 or later. To upgrade, see http://www.opendoor.com/doorstop.

Some tabs in the Who's There? dialog just beep when I click on them.

• This means that the tab has no meaning in the current context. For example, if you're in Summary by Service, select a line in the upper pane, and then click Service Info, you'll go to the Service Info pane of the Who's There? dialog. Since there is no IP address in this situation, the WHOIS, Email and Map tabs have no meaning.

Some action buttons are unavailable

• In certain situations, not all buttons will make sense. For example, in Summary by Service, with a service selected, the "Draft email" button makes no sense, and so is not active.

Changes in Preferences don't work for Summary by Service or Summary by IP.

• Most changes in Display Preferences apply only to the Access History window.

I added a custom service to DoorStop X and gave it a custom icon, but neither the name nor the icon shows up in Who's There?

• You must quit and relaunch Who's There in order to see service names and icons added to DoorStop.

I added a custom service to DoorStop X, but it shows up in Who's There? as "Unknown".

• If a custom service uses a custom icon, both the icon and the name are displayed. However, without a custom icon, Who's There? does not display the name of a custom service unless the name is changed from the default ("Service on port nnn").

Some duplicate lines are not omitted.

• Confirm that the lines really are duplicates, as described in Omit duplicate lines.

I don't see any outgoing access attempts, although I surf the Web a lot.

• Confirm that your firewall is configured to log outgoing attempts. Most firewalls do not block or log outgoing packets.

Listed destination IP addresses don't match my machine's

• Some addresses may be those used by broadcasts, which will not match those of your machine.
• Confirm that you have not configured your machine to have more than one IP address.

Lines displayed after entering data into the Access History window's filter field do not seem to all contain the data I've entered.

• Perhaps the matched data is in a column that's not currently being displayed. Check Display Preferences.
• Different columns match the filter field in different ways. Some columns only require a substring match, where the data is matched anywhere within the column's entry.

The Access History line I'm looking at scrolls off the screen as new lines come in.

• Selecting any line in the Access History window will prevent the scrolling.

New lines in the Access History window are not automatically brought into view.

• New lines are only automatically brought into view if the Access History window is sorted by date.
• Be sure no line in the window is selected, which will prevent automatic scrolling to any new line.

I cannot access the book's blog (isfym.com), Top 10 list or Twitter stream.

• You must have Internet access to be able to search and access the blog or list, or access the Twitter stream.
• Perhaps the blog's Web site is too busy, or temporarily inaccessible. Try again a bit later.

Searching the blog returns results that don't match what I'm expecting.

• The search takes advantage of Google technology to provide a highly advanced lookup of your search terms in the blog. In some cases, some of the results returned may not directly match what you're expecting.
• The search also may return related information from the Web itself which is not necessarily part of the blog.

Back to Table of Contents
Back to Investigating
Forward to Appendices