If we actually reached a host, it is recorded in the database as a target to be used in future scans.
188.8.131.52/24 Probe=20060103: Target=20060103:184.108.40.206 Path=20060103,somerset,ping:220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52;R96,342,280,304,508,470,594,676,10247,220,136;S769,812,865,917,975,1034,1098,1171,2200,2216,2232;T255,254,252,251,251,244,243,243,244,243,242;I18433,0,0,0,0,0,0,0,32943,24044,6961

Here is the line broken for readability, with comments:
184.108.40.206/24
    The target CIDR block
Probe=20060103:
    The date of the test. (Actually no longer needed)
Target=20060103:220.127.116.11
    The actual endpoint IP address. May be missing
Path=20060103,somerset,ping:
    Date of the second (ought to be in Ken Thompson seconds)
    Source of the scan
    protocol used
18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206;
    The IP path, in IPv4 or IPv6 addresses. May have the word "HOLE" or "STEALTH" for hops that didn't respond. The last hop might be ! for incomplete paths: see below.
R96,342,280,304,508,470,594,676,10247,220,136;
    Round trip times for each hop, in milliseconds. This list is definitely not necessarily monotonically increasing.
S769,812,865,917,975,1034,1098,1171,2200,2216,2232;
    Time stamps for the round trip times. Not sure how these are useful.
T255,254,252,251,251,244,243,243,244,243,242;
    TTLs of the return packets.
I18433,0,0,0,0,0,0,0,32943,24044,6961
    IP ID fields of the returned packets.
    label=value (or) label=date:value

The date is yyyymmdd, not Y10K-ready. The labels may be:
Path
    a comma-separated sequence of IP numbers, possibly followed by a completion code and a list of round-trip times in milliseconds
Probe
    when this path was last checked
Target
    a host on the destination network, if found
Whiner
    date and email address if they don't want to be scanned
Asnpath
    not used
Name
    name of the network. Not implemented yet.
Complete
    path scan completion code. Deprecated.
Pathdate
    path date. Deprecated.

There may be multiple paths for different dates in early versions of the Internet mapping data. If other fields are duplicated, only the newest is kept.
    case Complete:        code = "";   break;
    case Loop:            code = "!L"; break;
    case Filtered:        code = "!F"; break;
    case HostUnreachable: code = "!H"; break;
    case NetUnreachable:  code = "!N"; break;
    case OddUnreachable:  code = "!O"; break;
    case Terminated:      code = "!T"; break;
    case Incomplete:      code = "!?"; break;

Early databases have "?" instead of "!?".
These may be followed by a semicolon and a comma-separated list of round-trip times in milliseconds. Note: these are not necessarily monotonic: times include routing variations and dead-packet processing times, which appear to be slow-pathed in most routers.
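A parser for the record format described above, as an added example that is not part of the original page or the project's own code. It assumes fields are separated by whitespace and that a completion code appears as the last comma-separated element of the hop list; the sample record is constructed.

```python
import ipaddress
import re

# Completion codes listed on the page; "?" is the early-database form of "!?".
CODES = {"": "Complete", "!L": "Loop", "!F": "Filtered", "!H": "HostUnreachable",
         "!N": "NetUnreachable", "!O": "OddUnreachable", "!T": "Terminated",
         "!?": "Incomplete", "?": "Incomplete"}
PLACEHOLDERS = {"HOLE", "STEALTH"}  # hops that did not respond

def parse_path(value):
    """Parse a Path value: hops[,code][;R...][;S...][;T...][;I...]."""
    hop_part, *metric_parts = value.split(";")
    hops = hop_part.split(",")
    # Assumption: the completion code is the last comma-separated element.
    code = hops.pop() if (hops[-1].startswith("!") or hops[-1] == "?") else ""
    if code not in CODES:
        raise ValueError(f"unknown completion code {code!r}")
    for hop in hops:
        if hop not in PLACEHOLDERS:
            ipaddress.ip_address(hop)  # ValueError on a malformed hop
    metrics = {}
    for part in metric_parts:
        # A list with no letter prefix is treated as round-trip times.
        key, nums = (part[0], part[1:]) if part[:1].isalpha() else ("R", part)
        metrics[key] = [int(n) for n in nums.split(",")]
    return {"hops": hops, "status": CODES[code], **metrics}

def parse_record(line):
    """Split one line into its CIDR block and label=[date:]value fields."""
    cidr, *fields = line.split()
    record = {"cidr": ipaddress.ip_network(cidr, strict=False), "fields": {}}
    for field in fields:
        label, _, rest = field.partition("=")
        head, sep, value = rest.partition(":")
        # A date prefix is yyyymmdd, optionally followed by ",source,protocol".
        if sep and re.fullmatch(r"\d{8}(,.*)?", head):
            date, *origin = head.split(",")
        else:
            date, origin, value = None, [], rest
        if label == "Path":
            value = parse_path(value)
        old = record["fields"].get(label)
        if old is None or (date or "") >= (old["date"] or ""):  # keep the newest
            record["fields"][label] = {"date": date, "origin": origin, "value": value}
    return record

# Constructed sample record (documentation address ranges, not real scan data).
SAMPLE = ("192.0.2.0/24 Probe=20060103: Target=20060103:192.0.2.17 Path=20060103,"
          "somerset,ping:198.51.100.1,HOLE,203.0.113.9,!H;R96,342,280;I18433,0,0")
```

Splitting on the first colon only keeps IPv6 hops intact, and every hop that is not HOLE or STEALTH is validated as an address before it is stored.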
220.127.116.11 Munis.s8-1-0-10-0.ar1.BOS1.gblx.net 18.104.22.168
22.214.171.124 pfo-stone-1.noc.RWTH-Aachen.DE 126.96.36.199
188.8.131.52 (ns.global-ip.net) 184.108.40.206
220.127.116.11 no-host.nap.telefonicamundo.cl 18.104.22.168
22.214.171.124 g0-1.na01.b015466-1.den01.atlas.cogentco.com 126.96.36.199
188.8.131.52 wtnet.demarc.cogentco.com 184.108.40.206
220.127.116.11 atm019.edge1.iad.megapath.net 18.104.22.168
22.214.171.124 (ns0.bt.net) 126.96.36.199
188.8.131.52 te-9-1-ur01.carlisle.pa.panjde.comcast.net 184.108.40.206
220.127.116.11 gw081-092-001-lax1.dsl-isp.net 18.104.22.168

The label may be the name, the site that said it doesn't exist (if in parens), or simply the IP address if no response was obtained. The label represents the first PTR record returned.