PICList Thread
'[TECH]: deciphering log files from website'
2010\08\28@234145 by Aaron

Below are two entries from some log files on a website that I
maintain.  I am trying to figure out if they are from the same
computer.  I note that the IP addresses are different, but both
resolve to "AT&T Internet Services", to separate servers within about
20 miles of the person's home address who I believe is responsible for
the entries.  I also note that the user agents are identical.  I
searched through 22 days of log files and can not find another user
agent that matches exactly.  I don't have much experience deciphering
this kind of thing and am looking for correlation of my findings.

(I took the liberty of obscuring the website name and host ip address)

2010-08-17 23:29:09 W3SVC46816626 NTXPWUS69 74.xxx.xxx.145 POST
/contact.asp - 80 - 70.225.137.151 HTTP/1.1
Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.5;+en-US;+rv:1.9.2.8)+Gecko/20100722+Firefox/3.6.8
- http://thewebsitename.org/ thewebsitename.org 302 0 0 414 738 10843

2010-08-28 23:36:53 W3SVC46816626 NTXPWUS69 74.xxx.xxx.145 POST
/contact.asp - 80 - 76.251.230.168 HTTP/1.1
Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.5;+en-US;+rv:1.9.2.8)+Gecko/20100722+Firefox/3.6.8
- http://thewebsitename.org/ thewebsitename.org 302 0 0 414 2174 10578

Aaron
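
An added example, not part of the original post: the two entries above parsed as IIS W3C extended log lines and grouped by user agent, reporting how many hits and client IPs share each agent and the time between first and last hit. The field order is an assumption (the post shows no `#Fields:` header), and the third sample line is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumed layout: IIS W3C extended logging with every field enabled, in the
# default order. The post has no "#Fields:" header, so this is an assumption.
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
          "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
          "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
          "sc-win32-status sc-bytes cs-bytes time-taken").split()

MAC_UA = ("Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.5;+en-US;+rv:1.9.2.8)"
          "+Gecko/20100722+Firefox/3.6.8")
HEAD = " W3SVC46816626 NTXPWUS69 74.xxx.xxx.145 "
TAIL = " - http://thewebsitename.org/ thewebsitename.org "
SAMPLE = [
    # The two entries from the post, unwrapped onto one line each.
    "2010-08-17 23:29:09" + HEAD + "POST /contact.asp - 80 - 70.225.137.151 HTTP/1.1 " + MAC_UA + TAIL + "302 0 0 414 738 10843",
    "2010-08-28 23:36:53" + HEAD + "POST /contact.asp - 80 - 76.251.230.168 HTTP/1.1 " + MAC_UA + TAIL + "302 0 0 414 2174 10578",
    # Constructed entry (not from the post): an unrelated visitor for contrast.
    "2010-08-20 10:00:00" + HEAD + "GET /default.asp - 80 - 192.0.2.10 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1)" + TAIL + "200 0 0 5120 310 94",
]

def parse(line):
    """Split one log line into a dict keyed by the assumed field names."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    rec["agent"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS logs spaces as '+'
    return rec

def summarize(records):
    """Per user agent: hit count, distinct client IPs, first-to-last time span."""
    groups = defaultdict(list)
    for r in records:
        groups[r["agent"]].append(r)
    return {ua: {"hits": len(rs),
                 "ips": sorted({r["c-ip"] for r in rs}),
                 "span": max(r["when"] for r in rs) - min(r["when"] for r in rs)}
            for ua, rs in groups.items()}

if __name__ == "__main__":
    for ua, info in summarize([parse(l) for l in SAMPLE]).items():
        print(f"{info['hits']} hit(s), span {info['span']}, IPs {info['ips']}\n    {ua}")
```

Run over the full 22 days of logs, the hit and IP counts show how rare an agent string is among visitors; a rare match narrows the field but does not identify a machine.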

2010\08\30@142342 by James Newton

It is very unlikely that they are from the same machine. One is from
70.225.137.151, the other is from 76.251.230.168, within a few minutes of
each other. In order for the same machine to have sent them, they would have
to reconnect from a different ISP between transmissions or re-DHCP with the
same ISP.

http://whois.domaintools.com/70.225.137.151 AT&T Richardson TX

http://whois.domaintools.com/76.251.230.168 AT&T Richardson TX

Since both IP's are on the same ISP, only the reconnect makes sense, and
since these are dsl lines, which typically stay connected and typically
don't change IP even on re-connect, it is almost certainly two different
machines.
It's possible that one user could be controlling two different PC's... I do
that; one at home and the other via remote desktop at the office. If I hit a
web site from home and then hit the same site from the remote machine the
connecting IP's would be from two different ISPs even.

--
James Newton
1-970-462-7764

2010\08\30@150916 by David

 On 30/08/2010 19:23, James Newton wrote:
> It is very unlikely that they are from the same machine. One is from
> 70.225.137.151, the other is from 76.251.230.168, within a few minutes of
> each other. In order for the same machine to have sent them, they would have
> to reconnect from a different ISP between transmissions or re-DHCP with the
> same ISP.
They are 11 days apart, therefore this is wrong.  I replied off-list as I didn't know how relevant the post was.

FWIW it looks quite likely that they are the same machine, but there is no way of saying exactly.

David

2010\08\31@074134 by RussellMc

You could anonymously spam him with plausible offers just not quite
too good to be true and see what sort of extra information you get
when she takes the hook. If he is engaged in nefarious deeds you could
honeypot the site you send her to make it seem attractive to do
whatever the deed is and see if he does it. That may or may not be
considered moral depending on the circumstances.


     R

Spare bits: Heherhimhishersshehe ..

2010\08\31@112529 by Herbert Graf

On Mon, 2010-08-30 at 11:23 -0700, James Newton wrote:
> It is very unlikely that they are from the same machine. One is from
> 70.225.137.151, the other is from 76.251.230.168, within a few minutes of
> each other. In order for the same machine to have sent them, they would have
> to reconnect from a different ISP between transmissions or re-DHCP with the
> same ISP.
>
> http://whois.domaintools.com/70.225.137.151 AT&T Richardson TX
>
> http://whois.domaintools.com/76.251.230.168 AT&T Richardson TX
>
> Since both IP's are on the same ISP, only the reconnect makes sense, and
> since these are dsl lines, which typically stay connected and typically
> don't change IP even on re-connect, it is almost certainly two different
> machines.
I strongly disagree James; it depends on ISP.

I sometimes change my IP frequently during a session (when trying to get
stuff from websites that only let you look at a certain number of pages
"free" before the paywall goes up). Hitting reconnect on my router gets
me a new IP and a new allocation of free looks.

EVERY reconnect to my DSL ISP results in a different IP, I don't think
I've ever seen a case where my IP remained the same.

The two hits are over 6 minutes apart, easily enough time to change IPs.

TTYL

2010\08\31@113455 by Mark E. Skeels


> EVERY reconnect to my DSL ISP results in a different IP, I don't think
> I've ever seen a case where my IP remained the same.
>
>  
I can pay AT&T (who provides my DSL service) extra to get a fixed IP, but as it stands I get a different one on every connect, as well.

Mark

2010\08\31@121450 by Randy Abernathy

Re-connecting will often result in a different IP address with the router but in
my experience, not every time.  Now, if you have a dynamic public IP address
with your DSL, resetting the modem will almost always result in a different IP
address to it.  I have a static IP so don't have that luxury as I need to have
remote access to my main PC/server at home when I am away, however, I do know
that is what happens at my daughter's home when I have to work on their network,
etc.  
Randy Abernathy
CNC and Industrial Machinery service, repair, installation and design

4626 Old Stilesboro Rd NW
Acworth, GA 30101
Fax: 770-974-5295
Phone: 678-982-0235
E-mail: spam_OUTrandyabernathyTakeThisOuTspambellsouth.net



2010\08\31@124842 by Herbert Graf

On Tue, 2010-08-31 at 12:14 -0400, Randy Abernathy wrote:
> Re-connecting will often result in a different IP address with the router but in
> my experience, not every time.  Now, if you have a dynamic public IP address
> with your DSL, resetting the modem will almost always result in a different IP
> address to it.  
I think it depends on the technology used by your ISP. Almost all DSL
ISPs in my area use PPPoE for authentication. Since it's basically PPP
every time the router "connects" it's a "new" session, hence most ISPs
of this type will hand out a new IP.

For ISPs that use DHCP (most cable ISPs in my area) it's common that you
need to reboot the modem itself to fetch a new IP.

> I have a static IP so don't have that luxury as I need to have
> remote access to my main PC/server at home when I am away, however, I do know
> that is what happens at my daughter's home when I have to work on their network,
> etc.  
I have dynamic and use http://www.dyndns.org, works INCREDIBLY well, the router
has a client built in, so within about a minute of my having a new IP
the DNS record is already updated. Saves me $4 a month...

TTYL

2010\08\31@133358 by David

 On 31/08/2010 16:26, Herbert Graf wrote:
> The two hits are over 6 minutes apart, easily enough time to change IPs.
Yes, they are "over 6 minutes apart" to the tune of 11 days.  I posted about this yesterday.

David

2010\08\31@163327 by James Newton

Ah... yes, I totally missed that they were days apart.
And if DSL providers do reassign IP's on each connect, then that could
easily be the same person...

....or it could easily not be the same person. No way to tell, if you are not
the ISP.
My understanding is that ISP's are required to keep records of which
subscriber had which IP during what time, for law enforcement and spam
prevention etc... So THEY know if it is the same machine, but we don't.

If they did something abusive, you can email the log extract to the ISP's
abuse address and be ignored like I always am.

--
James Newton
1-970-462-7764


2010\09\01@073944 by Aaron
On Mon, Aug 30, 2010 at 3:09 PM, David <.....listsKILLspamspam@spam@edeca.net> wrote:

>
> FWIW it looks quite likely that they are the same machine, but there is
> no way of saying exactly.
>
> David

Thanks to all who responded, both on and off-list.

The consensus seems to be what I suspected.  Probably from the same
PC, but no way to be 100% certain with the info at hand.  The person
has claimed outright that he was not responsible for the original
"incident" but the plan is to "confront" him with the logs and see if
his story changes...

Aaron

2010\09\01@080122 by RussellMc

> Re-connecting will often result in a different IP address with the router but in
> my experience, not every time.  Now, if you have a dynamic public IP address
> with your DSL, resetting the modem will almost always result in a different IP
> address to it.  I have a static IP so don't have that luxury as I need to have
> remote access to my main PC/server at home when I am away,

There are various free services which will associate your current IP
address with a URL automatically thus allowing IP address to change
"invisibly".
PC runs a small task which checks IP address occasionally and "phones
home" if needed.

This meets the letter and may or may not meet the spirit of ISP
requirements to use a dynamic IP address.
Works well.


         R

2010\09\01@083635 by Michael Watterson

 On 01/09/2010 13:00, RussellMc wrote:
>> Re-connecting will often result in a different IP address with the router but in
>> my experience, not every time.  Now, if you have a dynamic public IP address
>> with your DSL, resetting the modem will almost always result in a different IP
>> address to it.  I have a static IP so don't have that luxury as I need to have
>> remote access to my main PC/server at home when I am away,
> There are various free services which will associate your current IP
> address with a URL automatically thus allowing IP address to change
> "invisibly".
> PC runs a small task which checks IP address occasionally and "phones
> home" if needed.
>
> This meets the letter and may or may not meet the spirit of ISP
> requirements to use a dynamic IP address.
> Works well.
>
>
>            R
>
I used Dyndns for a while (Support built in on some Dlink routers and OpenWRT though I only briefly used this*).  Originally with Dialup (initially using Wingate proxy on NT3.51) till Oct 2005!
But nearly five years I have same Public IP on my Modem. The ISP doesn't guarantee it, but basically their DHCP/CMTS will give the same IP for same Modem MAC indefinitely. DOCSIS 2.0 over 10.5GHz Wireless, 12km maybe 13km range. 8Mbps down, 1Mbps up, 20ms latency, zero packet loss so I can't complain. Very nearly 5 9s (due to UPS and Generator here as my Electricity isn't anywhere near 5 9s.)

*I now mapped a subdomain of one of my hosted domains to my home IP on my hosting for free. If I have to get a new Modem (= new IP), I'll just edit it via cpanel


2010\11\06@182608 by Dario Greggio
On 31/08/2010 18.49, Herbert Graf wrote:
>
> I have dynamic and use http://www.dyndns.org, works INCREDIBLY well, the router
> has a client built in, so within about a minute of my having a new IP
> the DNS record is already updated. Saves me $4 a month...
>

definitely doing the same: I embedded the protocol for updating in my C++ software and it is all ok, since years..

Dario
