Nmap Development mailing list archives
Re: [NSE] ASN made more robust and documented - much more to do.
From: jah <jah () zadkiel plus com>
Date: Thu, 04 Sep 2008 00:47:32 +0100
On 03/09/2008 23:42, David Fifield wrote:
> Okay, I get it now. If I run
>
>     dig +short 31.108.90.212.nmap.asn.cymru.com TXT
>
> I get
>
>     "12780 | 212.90.96.0/20 | UA | ripencc | 1999-11-11"
>     "13249 | 212.90.96.0/20 | UA | ripencc | 1999-11-11"
>
> Of the two numbers 12780 and 13249, one of them is the origin ASN and one is a peer ASN, and there's no way to tell which is which. And like you said, the order switches sometimes.

I've been meaning to do some testing to see if it's the dns server to which the query is sent which reorders the answers. I've found that repeating a single query often yields different ordering for what may well be answers cached by the dns server. If Team Cymru's dns server presents ordered answers then we'll still have this issue.

>> So instead of:
>>
>> | ASN: 4 records found.
>> | Origin ASN: 10565 | BGP: 64.13.128.0/18 | Country: US
>> | Origin ASN: 10565 | BGP: 64.13.128.0/21 | Country: US
>> | Peer ASN: 3561 6461 | BGP: 64.13.128.0/21 | Country: US
>> |_ Peer ASN: 174 2914 6461 | BGP: 64.13.128.0/18 | Country: US
>>
>> present this:
>>
>> | ASN: 4 records found.
>> | BGP: 64.13.128.0/18 | Country: US | Origin ASN: 10565 | Peer ASN: 174 2914 6461
>> |_BGP: 64.13.128.0/21 | Country: US | Origin ASN: 10565 | Peer ASN: 3561 6461
>
> I agree with the shorter form. About the peer ASNs, are we reporting that just because it happens to be in the results returned by the nmap zone, or is it useful? It seems to me the AS description ("SVCOLO-AS - Silicon Valley Colocation, Inc.") is more useful. It appears to require a second query to asn.cymru.com using the AS number. It would be nice to have it as part of the nmap zone results.
As to peer ASN numbers, I think it might be useful for some people (I've certainly found it to be interesting information), but yes it's being reported simply because it's available.

I agree that it would be nice to have the AS description as part of the answer from the nmap zone, but there must be a reason that it isn't included since their whois server does include it. I suspect that it may have something to do with the fact that multiple AS numbers (for a given BGP) are combined into one field in answers from the dns service. It might get a bit messy for multiple origin AS. If we were to deal with this client side, it would, as you rightly say, involve extra queries for the asn.cymru.com zone so I suppose it might be preferable for Team Cymru to include the information in the answers somehow. We'd probably only want the name(s) for the origin AS(s).

Regards,
jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
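The regrouping discussed in this message, as an added example that is not part of the original post and not the NSE script's own code: it merges the four longer-form records by BGP prefix and sorts them, so the result is the same whatever order the DNS answers arrive in. It is written in Python rather than NSE's Lua, the helper names are hypothetical, and one line per prefix is an assumed layout for the shorter form.

```python
import ipaddress
from collections import defaultdict

# Helper names are illustrative. Input: the four records from the longer
# listing in the message, shuffled to mimic reordered DNS answers.
LONG_FORM = [
    "Peer ASN: 3561 6461 | BGP: 64.13.128.0/21 | Country: US",
    "Origin ASN: 10565 | BGP: 64.13.128.0/18 | Country: US",
    "Peer ASN: 174 2914 6461 | BGP: 64.13.128.0/18 | Country: US",
    "Origin ASN: 10565 | BGP: 64.13.128.0/21 | Country: US",
]

def parse_record(line):
    """Split 'Key: value | Key: value' into a dict of stripped strings."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        fields[key.strip()] = value.strip()
    return fields

def group_by_prefix(lines):
    """Merge records sharing a BGP prefix, independent of input order."""
    groups = defaultdict(lambda: {"Origin ASN": set(), "Peer ASN": set()})
    for line in lines:
        rec = parse_record(line)
        key = (ipaddress.ip_network(rec["BGP"]), rec["Country"])
        for kind in ("Origin ASN", "Peer ASN"):
            groups[key][kind].update(int(a) for a in rec.get(kind, "").split())
    return dict(groups)

def render(lines):
    groups = group_by_prefix(lines)
    out = ["| ASN: %d records found." % len(lines)]
    # Sort by IP version, network address, then prefix length for stable output.
    keys = sorted(groups, key=lambda k: (k[0].version, k[0].network_address, k[0].prefixlen))
    for i, (net, country) in enumerate(keys):
        lead = "|_" if i == len(keys) - 1 else "| "
        row = ["BGP: %s" % net, "Country: %s" % country]
        for kind in ("Origin ASN", "Peer ASN"):
            asns = sorted(groups[(net, country)][kind])
            if asns:
                row.append("%s: %s" % (kind, " ".join(map(str, asns))))
        out.append(lead + " | ".join(row))
    return "\n".join(out)

if __name__ == "__main__":
    print(render(LONG_FORM))
```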