#comment This file is both a guide to the user and is used to generate #comment PrintHeaderComments.c . I choose to use the same file to avoid #comment the need to keep both files up to date. #comment #comment It is read by createPrintHeaderComments.pl which understands #comment lines which begin with # as commands: #comment comment - these lines will not appear in PrintHeaderComments.c #comment print - these lines are printed as is #comment stop - this line stops the perl script from reading, #comment further lines in this file. #comment All other lines are preceded by 'printf ("#' and followed by #comment '\n");' when printed in the PrintHeaderComments.c. #comment #print #include #print #include "PrintHeaderComments.h" #print #print void PrintHeaderComments(struct control_struct * control) { ======================================================================= All fields are -------------------------------------------------------------------- 1. Key | Defines the remaining fields on this line | T - IP trace | G - IP geographic infromation ======================================================================= T - trace fields -------------------- Header Fields ------------------ 2. Source | source IP of skitter monitor preforming the | trace 3. Destination | destination IP being traced 4. Timestamp | timestamp when source began trace -------------------- Reply Fields ------------------ 5. DestReplied | boolean if response from destination recieved | R - Replied, reply was recieved | N - Not-replied, no reply was not recieved | Since skitter sends a 255 packet when | it halts probing it is still possible | for the final destination to send a | reply and for the HaltReasonData (see below) | to not equal no_halt. | RTT values are in milliseconds 6. DestRTT | RTT of first response packet from destination | 0 if DestReplied is N 7. RequestTTL | TTL set in request packet which elicited | a echo reply | 0 if DestReplied is N 8. ReplyTTL | TTL found in reply packet -------------------- Halt Fields ------------------ 9. HaltReason | Gives the reason, if needed, why skitter | stopped incremental probing. | HaltReason HaltReasonData | ------------------------------------ | S success/no_halt 0 | U icmp_unreachable icmp_code | L loop_detected loop_length | G gap_detected gap_limit 10. HaltReasonData | Provides extra data about why skitter | halted. What value stored is based | on the value found in HaltReasonData. -------------------- Path Fields ------------------ 11. PathComplete | boolean if all hops to destination was found. | C - Complete, all hops found | I - Incomplete, at least one hop is missing 12. through N. PerHopData | Hops are presented as a single colon | seperated field. IP,RTT,numTries(;IP,RTT,numTries)* IP | IP address which sent a TTL expired RTT | RTT of the TTL expired packet num_tries | Num Tries before response recieved from TTL #comment this prevents sk_analysis_dump from print this information #comment when it is impossible for it to actual do so. #print #ifdef USE_NETACUITY_ #print if (true == control->print_geo_info) { ======================================================================= G - Geographic fields ------------------------------------------------------------------------- 0. Key | Must be G to be a geographic line 2. IP | IP whose geographic information is presented 3. Country=Confidence | country and it's confidence interval 4. Region=Confidence | region and it's confidence interval 5. City=Confidence | city and it's confidence interval 6. Bandwidth=Confidence | Bandwidth and it's confidence interval 7. MetroArea | Metro Area 8. Latitude | Latitude 9. Longitude | Longitude #print } #print #endif #print } #stop ======================================================================= Detailed Comments ======================================================================= Header fields ---------------------- Source - the IP address of the skitter monitor. Destination - the IP address of the final destination to which the packets were sent in a given trace. If skitter did not halt then the destination can be assumed to be at the end of the path. Timestamp - UNIX timestamp ------- The meaning of this parameter is different in different versions of skitter. version 0-9-a3 or earlier (files collected before 2001/02/06): In I and C type traces - time when the reply was received from the destination In N type traces - time when the current cycle (one pass over all monitored addresses) of probing started. Same value for all N-type traces in a cycle. version caida-1.1 (files collected after 2001/02/07): In all types of traces - time when the skitter send the first probing packet to this destination. Reply Fields --------------------- DestRTT The amount of time elapsed between the packet leaving the skitter source and the reply from the destination arriving back at the source. Skitter will always take the first such reply from the destination; later replies are thrown away. RequestTTL This is the TTL set in the ICMP echo request packet by skitter that got a ICMP echo reply from the destination. This value should be the number of routers in the forward path between source and the destination. Only the first reply is stored. ReplyTTL This is the TTL found in the ICMP echo reply packet which was recieved from the destination. Since each router on the return path decrements the reply's packet's TTL, this value can be used to estimate the return path length. Halt Fields --------------------- HaltReason This field shows whether the incremental probing towards the destination was halted or not. Note that halting does not necessarily mean that a response from the final destination is not collected since a final try is always taken with a TTL value of 255. HaltReasonData This field explains why probing of this destination halted. HaltReason meaning HaltReasonData description -------------------------------------------------------------- S success/no_halt 0 probing successful, extra value is set to 0. U icmp_unreachable icmp_code skitter received an 'ICMP unreachable' code which is stored in icmp_code. L loop_detected loop_length skitter detected a loop of loop_length hops. G gap_detected gap_limit skitter stopped probing after reaching the maximum number of nonresponsive TTL values. Path Fields ------------ PathComplete This field shows wether the path from source to destination is complete. Complete paths have at least one response from each intermediate hop (each value of TTL) and a response from the destination. A path is incomplete if there was no response from one or more intermediate hops. PerHopData This field consists of one or more triplets IP, RTT, num_tries for each value of TTL. IP IP address which sent a TTL_expired. For TTL values with no response a 'q' is printed. RTT RTT of the ICMP TTL_expired num_tries Number of tries before response received for the given TTL. Multiple responses can be collected from the same TTL value for the same destination. In this case triplets from the same TTL are separated by ';'. ======================================================================= Confidence Intervals (defined by Netacuity) ======================================================================= The confidence numbers returned for Country, Region, City are explained below. 5 Very High Confidence. This address is extremely likely to be located in the Country, Region or City indicated. This occurs when we've either seen the address before and processed it through our system which gave a definite indication of user location or network topology gives us a very high degree of confidence that the user is located at the given location. 4 High Confidence. This address is highly likely to be located in the Country, Region or City indicated. This occurs when we've either seen the address before and processed it through our system which gave us a fairly certain indication of user location or network topology gives us a high degree of confidence that the user is located at the given location. 3 Medium Confidence. This address is probably located in the Country, Region or City indicated. This occurs when we've either seen the address before and processed it through our system which gave us a probable indication of user location or network topology gives us a medium degree of confidence that the user is located at the given location. 2 Medium/Low Confidence. We do not have a large degree of certainty that the address is located in the Country, Region or City indicated, but we have indications that it is. This occurs when we've either not seen the address before and are relying on what we believe to be possibly inaccurate information or network topology gives us a medium/low degree of confidence that the user is located at the given location. 1 Low Confidence. We believe that the address could be located in the Country, Region or City indicated, but believe that it likely is not or cannot be determined. This occurs when we've either not seen the address before and are relying on what we believe to be possibly inaccurate information or network topology gives us a low degree of confidence that the user is located at the given location. 0 No response.