port being attacked? or spyware?

[Wiles]

when i connect to some people via p2p chat, i get hit on two distinct ports which are not being used for the p2p chat connection. I get 3-6 packets every 1 second, rather annoying to know something is sending you unwanted packets. The source computers are the same, but the source ports differ, but their destination is always the same two ports on my computer. They are UDP packets, so while I can capture info with wireshark, i don't know how to read it meaningfully. If their computer has spyware or a trojan, could that be the culprit? their anti-virus/anti-spyware doesn't seem to be able to find something is wrong, and they don't know much about computers....

so, if my firewall is constantly blocking those ports, is there a chance that too many packets came at the same time, and something got past the firewall? how many packets per second can iptables filter before it lets unchecked packets thru? And how to read what the UDP packet actually contains?

[Jman]

Source ports don't really mean anything. Destination typically does. See some general info on TCP/UDP.

You might get some useful data out of wireshark, although constructing the conversation might be difficult. What client and protocol are you using?

If it makes you feel better install and run chkrootkit.

[Wiles]

is the port displayed in the firestarter events list the source or destination port?

[Crito]

It's your port number. Whether that's the source or destination depends on whether the traffic is inbound or outbound. If you can't determine that easily finding your IP in the relevant column (i.e. if you're using DHCP without reservations and the IP changes frequently), just press ctrl+2 to add a direction column to the events view. That should make it crystal clear.