If we actually reached a host, it is recorded in the database as a target to be used in future scans.
18.104.22.168/24 Probe=20060103: Target=20060103:22.214.171.124 Path=20060103,somerset,ping:126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168;R96,342,280,304,508,470,594,676,10247,220,136;S769,812,865,917,975,1034,1098,1171,2200,2216,2232;T255,254,252,251,251,244,243,243,244,243,242;I18433,0,0,0,0,0,0,0,32943,24044,6961Here is the line broken for readabilitiy, with comments:
22.214.171.124/24 The target CIDR block Probe=20060103: The data of the test. (Actually no longer needed) Target=20060103:126.96.36.199 The actual endpoint IP address. May be missing Path=20060103,somerset,ping: Date of the second (ought to be in Ken Thompson seconds) Source of the scan protocol used 188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124; The IP path, in IPv4 or IPv6 addresses. May have the word "HOLE" or "STEALTH" for hops that didn't respond. The last hop might be !
for incomplete paths: see below. R96,342,280,304,508,470,594,676,10247,220,136; Round trip times for each hop, in milliseconds. This is list definitely not necessarily monotonically increasing. S769,812,865,917,975,1034,1098,1171,2200,2216,2232; Time stamps for the round trip times. Not sure how these are useful. T255,254,252,251,251,244,243,243,244,243,242; TTLs of the return packets. I18433,0,0,0,0,0,0,0,32943,24044,6961 IP ID fields of the returned packets.
label=value (or) label=date:valueThe date is yyyymmdd, not Y10K-ready. The labels may be:
Path a comma separated sequence of IP numbers, possibly followed by a completion code and a list of round-trip times in milliseconds Probe when this path was last checked Target a host on the destination network, if found Whiner date and email address if they don't want to be scanned Asnpath not used Name name of the network. Not implemented yet. Complete path scan completion code. deprecated. Pathdate path date. deprecated.There may be multiple paths for different dates in early versions of the Internet mapping data. If other fields are duplicated, only the newest is kept.
case Complete: code = ""; break; case Loop: code = "!L"; break; case Filtered: code = "!F"; break; case HostUnreachable: code = "!H"; break; case NetUnreachable: code = "!N"; break; case OddUnreachable: code = "!O"; break; case Terminated: code = "!T"; break; case Incomplete: code = "!?"; break;Early databases have "?" instead of "!?".
These may be followed by a semicolon and a comma-seperated list of round-trip times in milliseconds. Note: these are not necessarily monotonic: times include routing variations and dead-packet processing times, which appear to be slow-pathed in most routers.
126.96.36.199 Munis.s8-1-0-10-0.ar1.BOS1.gblx.net 188.8.131.52 184.108.40.206 pfo-stone-1.noc.RWTH-Aachen.DE 220.127.116.11 18.104.22.168 (ns.global-ip.net) 22.214.171.124 126.96.36.199 no-host.nap.telefonicamundo.cl 188.8.131.52 184.108.40.206 g0-1.na01.b015466-1.den01.atlas.cogentco.com 220.127.116.11 18.104.22.168 wtnet.demarc.cogentco.com 22.214.171.124 126.96.36.199 atm019.edge1.iad.megapath.net 188.8.131.52 184.108.40.206 (ns0.bt.net) 220.127.116.11 18.104.22.168 te-9-1-ur01.carlisle.pa.panjde.comcast.net 22.214.171.124 126.96.36.199 gw081-092-001-lax1.dsl-isp.net 188.8.131.52
The label may be the name, the site that said it doesn't exist (if in parens), or simply the IP address if no response was obtained. The label represents the first PTR record returned.