If we actually reached a host, it is recorded in the database as a target to be used in future scans.
22.214.171.124/24 Probe=20060103: Target=20060103:126.96.36.199 Path=20060103,somerset,ping:188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124;R96,342,280,304,508,470,594,676,10247,220,136;S769,812,865,917,975,1034,1098,1171,2200,2216,2232;T255,254,252,251,251,244,243,243,244,243,242;I18433,0,0,0,0,0,0,0,32943,24044,6961Here is the line broken for readabilitiy, with comments:
126.96.36.199/24 The target CIDR block Probe=20060103: The data of the test. (Actually no longer needed) Target=20060103:188.8.131.52 The actual endpoint IP address. May be missing Path=20060103,somerset,ping: Date of the second (ought to be in Ken Thompson seconds) Source of the scan protocol used 184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199; The IP path, in IPv4 or IPv6 addresses. May have the word "HOLE" or "STEALTH" for hops that didn't respond. The last hop might be !
for incomplete paths: see below. R96,342,280,304,508,470,594,676,10247,220,136; Round trip times for each hop, in milliseconds. This is list definitely not necessarily monotonically increasing. S769,812,865,917,975,1034,1098,1171,2200,2216,2232; Time stamps for the round trip times. Not sure how these are useful. T255,254,252,251,251,244,243,243,244,243,242; TTLs of the return packets. I18433,0,0,0,0,0,0,0,32943,24044,6961 IP ID fields of the returned packets.
label=value (or) label=date:valueThe date is yyyymmdd, not Y10K-ready. The labels may be:
Path a comma separated sequence of IP numbers, possibly followed by a completion code and a list of round-trip times in milliseconds Probe when this path was last checked Target a host on the destination network, if found Whiner date and email address if they don't want to be scanned Asnpath not used Name name of the network. Not implemented yet. Complete path scan completion code. deprecated. Pathdate path date. deprecated.There may be multiple paths for different dates in early versions of the Internet mapping data. If other fields are duplicated, only the newest is kept.
case Complete: code = ""; break; case Loop: code = "!L"; break; case Filtered: code = "!F"; break; case HostUnreachable: code = "!H"; break; case NetUnreachable: code = "!N"; break; case OddUnreachable: code = "!O"; break; case Terminated: code = "!T"; break; case Incomplete: code = "!?"; break;Early databases have "?" instead of "!?".
These may be followed by a semicolon and a comma-seperated list of round-trip times in milliseconds. Note: these are not necessarily monotonic: times include routing variations and dead-packet processing times, which appear to be slow-pathed in most routers.
188.8.131.52 Munis.s8-1-0-10-0.ar1.BOS1.gblx.net 184.108.40.206 220.127.116.11 pfo-stone-1.noc.RWTH-Aachen.DE 18.104.22.168 22.214.171.124 (ns.global-ip.net) 126.96.36.199 188.8.131.52 no-host.nap.telefonicamundo.cl 184.108.40.206 220.127.116.11 g0-1.na01.b015466-1.den01.atlas.cogentco.com 18.104.22.168 22.214.171.124 wtnet.demarc.cogentco.com 126.96.36.199 188.8.131.52 atm019.edge1.iad.megapath.net 184.108.40.206 220.127.116.11 (ns0.bt.net) 18.104.22.168 22.214.171.124 te-9-1-ur01.carlisle.pa.panjde.comcast.net 126.96.36.199 188.8.131.52 gw081-092-001-lax1.dsl-isp.net 184.108.40.206
The label may be the name, the site that said it doesn't exist (if in parens), or simply the IP address if no response was obtained. The label represents the first PTR record returned.