Some feedback from Mr. Anon E. Mouse:
As for the wrong flags seen by another person:
I occasionally see an Swedish akamai server when
browsing German news sites, e.g.
#> whois 213.61.5.0
..
inetnum: 213.61.5.0 - 213.61.5.127
netname: DE-COLT-AKAMAI
descr: Akamai Technologies Inc.
descr: 500 Technologies SQ.
descr: 02139 Massachuetts
descr: abuse? [EMAIL PROTECTED]
country: SE
..
The same info is contained in the ripe inetnum file.
and from the traceroute from my dialup I would guess
a German location so this probably is a typo in
the whois data (DE/SE). The D key is right next to S.
-----Burton
Never attribute to malice that which can be adequately explained by
stupidity.
http://www.jargon.net/jargonfile/h/HanlonsRazor.html
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Burton M.
Strauss III
Sent: Monday, March 31, 2003 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Wrong Flag
You know, that sounds like a corrupted p2c.opt.table file...
Check the log messages from the read (you may have to temporarily log more -
I think I've cleaned it up in .90+, but it may not tell you unless you turn
on noisy (-t 4) in .90 or -t 3 in earlier versions). It should tell you how
many records were read. If that's not a match for the lines in the file,
then something is wrong...
Look at it - it's just text... if it's munged, that could be. Look up your
various ranges and see what you see...
If you need to download an updated p2c file, the shell script in utils/p2c
isn't really very complex - a .bat file wouldn't be out of the question if
you have the necessary tools (gawk and wget, IIRC) - which run fine under
cygwin.
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Thomas
Pagel
Sent: Monday, March 31, 2003 8:49 AM
To: [EMAIL PROTECTED]
Subject: AW: [Ntop] Wrong Flag
I guess I'll get into trouble rebuilding the lists, I was one of the "not
UNIX speaking people" paying €50 for the ready-to-use download for Win32...
Redirection might be the case..., but in the meantime I got a flag of UA for
one of my local hosts....
Thomas Pagel
Senior Consultant Business Intelligence
Software4You Planungssysteme GmbH
Niederlassung Paderborn
Hauptstraße 35
33178 Borchen (Germany)
tel.: +49 (5251) 54009-11
mob.: +49 (172) 8423035
fax.: +49 (5251) 54009-99
home: http://www.software4you.com
4PLAN® - The Art of Budgeting.
Disclaimer:
This email may contain confidential and proprietary material for the sole
use of the intended recipient.
Any review or distribution by others is prohibited.
If you are not the intended recipient please contact the sender and delete
all copies.
-----Ursprüngliche Nachricht-----
Von: Burton M. Strauss III [mailto:[EMAIL PROTECTED]
Gesendet: Montag, 31. März 2003 15:54
An: [EMAIL PROTECTED]
Betreff: RE: [Ntop] Wrong Flag
The data is derived from the registry provided tables - RIPE in your case.
Three thoughts, one is that they've updated their data since the p2c table
you have (I updated it in the cvs this weekend with the March data).
Second thought is that you're getting service (directly or upstream) from a
Swedish company - they may have gotten an allocation from RIPE, who listed
it in their database as Sweden, even though they're servicing .de
Third - it's not who you think it is, because of under-the-covers
redirection etc.
To troubleshoot these,
1. Do a traceroute and see who the upstream providers are
2. Do a whois query
3. Check the data in the p2c file (and check the updated version).
4. Check the latest data at the registry
You can always update the table via
$ make p2ctable
$ su -
$ cd ...
$ make install-data-local
For a.focus.de:
$ whois -h whois.ripe.de focus.de
[whois.ripe.de]
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
% The object shown below is NOT in the RIPE database.
% It has been obtained by querying a remote server:
% (whois.denic.de) at port 43.
% To see the object stored in the RIPE database
% use the -R flag in your query
%
%REFERRAL START
% Copyright (c)2002 by DENIC
%
% Restricted rights.
%
%
% Except for agreed Internet operational purposes, no part of this
% information may be reproduced, stored in a retrieval system, or
% transmitted, in any form or by any means, electronic, mechanical,
% recording, or otherwise, without prior permission of the DENIC
% on behalf of itself and/or the copyright holders. Any use of this
% material to target advertising or similar activities are explicitly
% forbidden and will be prosecuted. The DENIC requests to be notified
% of any such activities or suspicions thereof.
domain: focus.de
descr: Focus Magazin Verlag GmbH
descr: Arabellastr. 23
descr: D-81925 Muenchen
descr: Germany
nserver: ns1.tomorrow-focus.de
nserver: ns2.tomorrow-focus.de
nserver: demdwu02.mediaways.net
nserver: ns-2.mediaways.net
status: connect
changed: 20020815 142754
source: DENIC
[admin-c]
Type: PERSON
Name: Joerg Buerosse
Address: Prinzregentenstrasse 78
City: München
Pcode: 81675
Country: DE
Changed: 20020812 144343
Source: DENIC
[tech-c][zone-c]
Type: ORG
Name: Hostmaster mediaWays GmbH
Address: Huelshorstweg 30
City: Verl
Pcode: 33415
Country: DE
Phone: +49 5246 80 1244
Phone: +49 5246 80 1705
Fax: +49 5246 80 2081
Email: [EMAIL PROTECTED]
Changed: 20030207 153222
Source: DENIC
%REFERRAL END
vs.
$ nslookup -sil a.focus.de
Server: 192.168.42.1
Address: 192.168.42.1#53
Non-authoritative answer:
a.focus.de canonical name = a.focus.de.edgesuite.net.
a.focus.de.edgesuite.net canonical name = a654.g.akamai.net.
Name: a654.g.akamai.net
Address: 130.81.64.27
Name: a654.g.akamai.net
Address: 130.81.64.10
$ grep ':130\.8' p2c.opt.table
US:130.8.0.0/14
US:130.80.0.0/15
CH:130.82.0.0/16
DE:130.83.0.0/16
FR:130.84.0.0/16
US:130.85.0.0/16
US:130.86.0.0/16
JP:130.87.0.0/16
UK:130.88.0.0/16
NL:130.89.0.0/16
Could it be you're getting redirected to a different Akamai server???
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Thomas
Pagel
Sent: Monday, March 31, 2003 4:57 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] Wrong Flag
Hi,
Looking at statistics/hosts I find a host a.focus.de with a Swedish flag…
I'm quite sure that this host is in Germany… Any idea why it thinks that
this host is from Sweden?
Thanks,
Thomas Pagel
Senior Consultant Business Intelligence
Software4You Planungssysteme GmbH
Niederlassung Paderborn
Hauptstraße 35
33178 Borchen (Germany)
tel.: +49 (5251) 54009-11
mob.: +49 (172) 8423035
fax.: +49 (5251) 54009-99
home: http://www.software4you.com
4PLAN® - The Art of Budgeting.
Disclaimer:
This email may contain confidential and proprietary material for the sole
use of the intended recipient.
Any review or distribution by others is prohibited.
If you are not the intended recipient please contact the sender and delete
all copies.
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
