watching skype here in the lab. sending a few messages from here to jingping. interesting thing is that i don't have a direct link to her. instead, skype only reports having connections with computers at NYU - several of them, six different hosts. maybe they're using me as a relay? or, i could be part of a similar set of harvard-located hosts. here, instead of 36268 or whatever it is at home, the port being used by skype for those UDP messages is always 38253. i also see that i'm sending to each of those NYU hosts from the same port, but receiving from a different port from each one. i'm guessing that all these connections are for the same purpose, and that again for each of those users the port number is the same for all their connections.
oh well, more later. maybe something interesting will happen.
Friday, May 21, 2010
Tuesday, May 18, 2010
chinese-american economics
unrelated to the internet, but i did realize this last night, so it may as well go down here.
i'm aware of two facts, to which we are all constantly exposed by various media:
A. the US buys lots of stuff from China, more than China buys from the US, so there's a trade imbalance. this means the Chinese are stuck with extra $$ that they can't spend, so they loan it back to the US to continue the cycle.
B. the Chinese 元 is tied, in part, to the US $$.
i knew these things already, but didn't realize they were directly related. but they are - and so far i think it's a one-way relationship, in that A) makes B) necessary. i understood it in terms of the following cycle:
1. China companies manufacture goods
2. US companies purchase China goods with $$
3. China companies purchase US goods with the $$ they accumulated
4. China companies have $$ leftover
5. China companies need to pay for domestic costs and profit, but can't spend $$ in China
6. China companies give their $$ to China govt, which gives them China 元 in exchange
7. China govt loans $$ to US treasury
8. US treasury loans $$ to US banks
9. US banks loan $$ to US companies
10. (back to 2.)
this seems to work. I don't know anything about how sustainable it is, though I think I see how you could get to know, or have a strong opinion about, something like that by looking at this process in detail.
anyways, why does A lead to B? because of 6). in order for 6) to be a fair deal, so that the China companies can know they're getting exactly their dollar's worth in the trade, the $$ and the 元 should be closely linked. in essence, those $$-linked 元 are like $$ printed in Chinese form, with the actual $$ stored away as ensured value, like gold - this is why they call $$ a reserve currency.
so apparently, this journal is entirely devoted to me figuring out things that everyone else knows already.
i'm aware of two facts, to which we are all constantly exposed by various media:
A. the US buys lots of stuff from China, more than China buys from the US, so there's a trade imbalance. this means the Chinese are stuck with extra $$ that they can't spend, so they loan it back to the US to continue the cycle.
B. the Chinese 元 is tied, in part, to the US $$.
i knew these things already, but didn't realize they were directly related. but they are - and so far i think it's a one-way relationship, in that A) makes B) necessary. i understood it in terms of the following cycle:
1. China companies manufacture goods
2. US companies purchase China goods with $$
3. China companies purchase US goods with the $$ they accumulated
4. China companies have $$ leftover
5. China companies need to pay for domestic costs and profit, but can't spend $$ in China
6. China companies give their $$ to China govt, which gives them China 元 in exchange
7. China govt loans $$ to US treasury
8. US treasury loans $$ to US banks
9. US banks loan $$ to US companies
10. (back to 2.)
this seems to work. I don't know anything about how sustainable it is, though I think I see how you could get to know, or have a strong opinion about, something like that by looking at this process in detail.
anyways, why does A lead to B? because of 6). in order for 6) to be a fair deal, so that the China companies can know they're getting exactly their dollar's worth in the trade, the $$ and the 元 should be closely linked. in essence, those $$-linked 元 are like $$ printed in Chinese form, with the actual $$ stored away as ensured value, like gold - this is why they call $$ a reserve currency.
so apparently, this journal is entirely devoted to me figuring out things that everyone else knows already.
Sunday, May 16, 2010
what is in my packet net?
a boring post, to start: i'm just going to go through the list of what packets i caught during a 780 second capture. skype was on, as was xdict and its incessant search for the kingsoft mothership, which is currently routed to ARKIV itself.
first on the list:
p3nlhg43c081.shr.prod.phx3.secureserver.net
robtex suggests that this is some sort of porn locus, responsible for porn spam and who knows what else. sent one packet from their http port 80 to my port 19246, which is for i don't know.
next:
multiple, periodic IGMP signals, labeled "membership report". i see this all the time, sent to 239.255.255.250. apparently, this is just to establish my presence on the network, so that the routers and other whoever know i'm here.
next:
there were 8 apparent skype contacts through port 34268. what i understand is that this is how different skype hosts find eachother. what i don't understand is why for me it's always 34268, while its always different ports for the others. could it be that for them it's always their number? maybe i'm a member of a particular skype class - the port 34268 class. really, i have no idea. these are always UDP packets, call and response, usually just once, always intiated by ARKIV. and, as i mentioned before, i see them even when skype is off, but ARKIV doesn't respond then.
next:
BROWSER: host announcement. i assume this is something like the "membership report" above, but i don't know what makes it different - ARKIV runs a browser service, and there are browser elections, to select a browser which will keep track of all the potential browsers.. argh.
next:
here is a succinct description: packet from 190.2.29.193, originating from Argentina, from port 1217 to 1434 - 1434 was the way in for something called the SQL slammer worm. SQL is a microsoft database server program - what i received was a single SSRP packet, which is a protocol specially designed for use with the SQL thingie. anyways, one hit, nothing else (presumably i am not running an SQL database server).
so really, that's it. i found a paper on principles of routing in between networks, but haven't read it yet. my learning progress is stalling.
first on the list:
p3nlhg43c081.shr.prod.phx3.secureserver.net
robtex suggests that this is some sort of porn locus, responsible for porn spam and who knows what else. sent one packet from their http port 80 to my port 19246, which is for i don't know.
next:
multiple, periodic IGMP signals, labeled "membership report". i see this all the time, sent to 239.255.255.250. apparently, this is just to establish my presence on the network, so that the routers and other whoever know i'm here.
next:
there were 8 apparent skype contacts through port 34268. what i understand is that this is how different skype hosts find eachother. what i don't understand is why for me it's always 34268, while its always different ports for the others. could it be that for them it's always their number? maybe i'm a member of a particular skype class - the port 34268 class. really, i have no idea. these are always UDP packets, call and response, usually just once, always intiated by ARKIV. and, as i mentioned before, i see them even when skype is off, but ARKIV doesn't respond then.
next:
BROWSER: host announcement. i assume this is something like the "membership report" above, but i don't know what makes it different - ARKIV runs a browser service, and there are browser elections, to select a browser which will keep track of all the potential browsers.. argh.
next:
here is a succinct description: packet from 190.2.29.193, originating from Argentina, from port 1217 to 1434 - 1434 was the way in for something called the SQL slammer worm. SQL is a microsoft database server program - what i received was a single SSRP packet, which is a protocol specially designed for use with the SQL thingie. anyways, one hit, nothing else (presumably i am not running an SQL database server).
so really, that's it. i found a paper on principles of routing in between networks, but haven't read it yet. my learning progress is stalling.
China 222 part 3
not much going on - watched a couple of scans, but haven't studied much. saw the same 222.45.112.59 scan, on ports 8085, 9415, 3246, 9090, and 8090. it probably spins around every few hours, from what others have said on ipillion.com. got a single hit from 222.169.118.106, another chinese location, on a single port. this one actually had a domain name: 106.118.169.222.broad.bc.jl.dynamic.163data.com.cn.
read a bit about routing a few days ago, and got a bit of a sense for it, but not really - but then, Jason gave me a great piece of information that I hadn't gleaned yet from my browsing: routers and other computers broadcast their addresses and routing information across the networks. this is how routing tables get their information. i'm still not totally clear on it, but i'll figure it out.
Jason also suggested i get around to learning how to use linux, and install at least a virtual version of it to use, since that's what real internet people do. i may do that, if only for the fun of it.
but anyways, nothing much learned lately. slow week.
read a bit about routing a few days ago, and got a bit of a sense for it, but not really - but then, Jason gave me a great piece of information that I hadn't gleaned yet from my browsing: routers and other computers broadcast their addresses and routing information across the networks. this is how routing tables get their information. i'm still not totally clear on it, but i'll figure it out.
Jason also suggested i get around to learning how to use linux, and install at least a virtual version of it to use, since that's what real internet people do. i may do that, if only for the fun of it.
but anyways, nothing much learned lately. slow week.
Wednesday, May 12, 2010
DNS server
ok, just got home, thought i'd look at the monitor.
nothing much going on, except i see two reciprocated queries to an address i recognize as something that comes up often as a comcast address - both packets were DNS packets, which as i take it are a type of UDP packet, or maybe not. anyways, i guessed that the address must be a DNS server. since i usually am not using the web browser when i look at the monitor, i wouldn't have noticed this before.
so, i google it and sure enough, 68.87.71.230 is the primary comcast DNS server for massachusetts.
now, one of the queries was for the institute FTP server, which i used to get a file. the other was for tools.google.com, which i do not like, because i did not know google was running something in the background on my computer. the address was then contacted and some packets were traded, a couple were HTTP messages saying "update". i'm going to find out what it is, and kill it. (could be Chrome which i have installed but don't use. i don't have any google plugins or anything for firefox. Chrome must go.)
nothing much going on, except i see two reciprocated queries to an address i recognize as something that comes up often as a comcast address - both packets were DNS packets, which as i take it are a type of UDP packet, or maybe not. anyways, i guessed that the address must be a DNS server. since i usually am not using the web browser when i look at the monitor, i wouldn't have noticed this before.
so, i google it and sure enough, 68.87.71.230 is the primary comcast DNS server for massachusetts.
now, one of the queries was for the institute FTP server, which i used to get a file. the other was for tools.google.com, which i do not like, because i did not know google was running something in the background on my computer. the address was then contacted and some packets were traded, a couple were HTTP messages saying "update". i'm going to find out what it is, and kill it. (could be Chrome which i have installed but don't use. i don't have any google plugins or anything for firefox. Chrome must go.)
China 222
maybe a better name for this log should be "what random thing did i see today".
1. it's hard to type in a wrist brace. that fits with "what did i learn today", so..
2. saw four packets from China, from address 222.45.112.59. they soaked into 4 ports which i lost because i restarted the monitor - got distracted at the wrong time, lost good information... i did scan the address and found that it may be a server - google indicates it could be a proxy server: open ports on 1026 and 3389. note comments here and especially here. apparently multiple Chinese IPs starting with 222 are pushing scans all over the place, irritating lots of people.
1. it's hard to type in a wrist brace. that fits with "what did i learn today", so..
2. saw four packets from China, from address 222.45.112.59. they soaked into 4 ports which i lost because i restarted the monitor - got distracted at the wrong time, lost good information... i did scan the address and found that it may be a server - google indicates it could be a proxy server: open ports on 1026 and 3389. note comments here and especially here. apparently multiple Chinese IPs starting with 222 are pushing scans all over the place, irritating lots of people.
Sunday, May 09, 2010
not much 2
ok, this is interesting. another packet from ircu.krypt.com. the host at that address has just about all of its ports open. i haven't seen that before. is this some sort of lure?
*edit*
not a lure - i think it's an open proxy. all those open ports are so that other hosts can use it as a proxy for whatever service they want. i can't find any resource that actually confirms this (and i think that having all ports open doesn't necessarily mean it's an open proxy), but i think that's what it is.
always something new to learn...
*edit*
not a lure - i think it's an open proxy. all those open ports are so that other hosts can use it as a proxy for whatever service they want. i can't find any resource that actually confirms this (and i think that having all ports open doesn't necessarily mean it's an open proxy), but i think that's what it is.
always something new to learn...
not much
just observed a sweep from IP 66.186.59.50, "ircu.krypt.com", looking into port 1137. a bit of news suggests this is a vulnerability search. the signal is coming from an IRC line, port 6667. they must be looking at IRC logs and sweeping those addresses, since i've actually been on IRC in the last couple of weeks (and last night).
another thing, i also saw (for the first time) some nonreciprocated requests for port 34268 while skype was turned off. looking for a relay? i scanned the source and it doesn't actually seem to be a skype host, though maybe i waited too long, after they had turned it off. instead, they actually had unfiltered, closed ports 5800/5900, which are used for remote desktop viewing. also, no clue as to the OS, so i don't know what it actually is. another user? something else? it's another comcast host, presumably another user, but who knows?
i'll check it out again later.
another thing, i also saw (for the first time) some nonreciprocated requests for port 34268 while skype was turned off. looking for a relay? i scanned the source and it doesn't actually seem to be a skype host, though maybe i waited too long, after they had turned it off. instead, they actually had unfiltered, closed ports 5800/5900, which are used for remote desktop viewing. also, no clue as to the OS, so i don't know what it actually is. another user? something else? it's another comcast host, presumably another user, but who knows?
i'll check it out again later.
Thursday, May 06, 2010
internet metaphors
okay, this is kind of dumb, bust since i haven't learned anything new lately, it's all i've got.
actually, i thought of this a few days ago. i was at the taekwondojang, thinking about how the classes work. (almost) every class starts the same way, regardless of who the teacher is, with a set of warmup exercises. different teachers will count a little differently, faster or slower maybe, but everyone does the same exercises. next, we start going through techniques in the lineup, and the first is always "riding stance to the left, left-hand punch". next technique will usually be "step forward front stance, low-section guarding block".
so, up to this point things are the same no matter who the instructor is, no matter what the rest of the class is going to be about. from here, things are still predictable to a point - after the low-section blocks, we'll probably do mid and high section blocks, maybe with a punch after the mid-section blocks. next, we go to fighting stance and start doing kicks, with front kick and punch first, round kick and roundhouse punch next, then sidekick with knifehand strike. it gets less and less predictable after this.
by the end of the lineup, we've probably done a couple of techniques that haven't come up in at least a week or so in other lineups. then, the rest of class will focus on a few specific techniques in some permutation of the "find a partner" game.
what this has to do with the internet is that i realized that the course of a given class could be analogized directly to a traceroute, assuming a single start location. the first few steps away from the local host are the same every time, but depending on the destination eventually the paths will diverge. the warmup and starting techniques are like the local network path out, the later techniques are like the area network, where there are a few possible large routers to choose from, and the remainder of class is like the ultimate path and network destination. kind of.
really, you could apply this structure to all sorts of things, where the first few steps are the same, but eventually there's a divergence and then different paths to disparate destinations. in a lot of ways that's how the brain works, how distribution networks of all kinds operate, etc.
like i said, not too interesting, but it's all i've got for now.
actually, i thought of this a few days ago. i was at the taekwondojang, thinking about how the classes work. (almost) every class starts the same way, regardless of who the teacher is, with a set of warmup exercises. different teachers will count a little differently, faster or slower maybe, but everyone does the same exercises. next, we start going through techniques in the lineup, and the first is always "riding stance to the left, left-hand punch". next technique will usually be "step forward front stance, low-section guarding block".
so, up to this point things are the same no matter who the instructor is, no matter what the rest of the class is going to be about. from here, things are still predictable to a point - after the low-section blocks, we'll probably do mid and high section blocks, maybe with a punch after the mid-section blocks. next, we go to fighting stance and start doing kicks, with front kick and punch first, round kick and roundhouse punch next, then sidekick with knifehand strike. it gets less and less predictable after this.
by the end of the lineup, we've probably done a couple of techniques that haven't come up in at least a week or so in other lineups. then, the rest of class will focus on a few specific techniques in some permutation of the "find a partner" game.
what this has to do with the internet is that i realized that the course of a given class could be analogized directly to a traceroute, assuming a single start location. the first few steps away from the local host are the same every time, but depending on the destination eventually the paths will diverge. the warmup and starting techniques are like the local network path out, the later techniques are like the area network, where there are a few possible large routers to choose from, and the remainder of class is like the ultimate path and network destination. kind of.
really, you could apply this structure to all sorts of things, where the first few steps are the same, but eventually there's a divergence and then different paths to disparate destinations. in a lot of ways that's how the brain works, how distribution networks of all kinds operate, etc.
like i said, not too interesting, but it's all i've got for now.
Saturday, May 01, 2010
local network
i mentioned earlier that i had tried the traceroute scan on the institute's local network. i had, but it was so dense that trying to look at the graph caused nmap to die. i did it again today, but carefully collapsed the densest nodes, so i could see the 'backbone' of the network. what i saw was interesting, and implies that my thinking was kind of mistaken.
i had been thinking that i would be looking at the institute network - that the institute must have set up a local 192.168 network within the Harvard system, and that by scanning that prefix (up to 192.168.36.255, which was where addresses seemed to stop existing) i would get back a picture of the institute network. instead, i saw that the scan went out into the Harvard 128.103 network, then back into the local network. I think this may have been scanning into systems outside of the Institute, and except for the hosts themselves (on the other side of the Harvard nodes) i got back no IP info, so couldn't see the structure. what i could see was that hosts with names on my side of the Harvard nodes all were associated explicitly with the institute (having the institute initials in the hostname), while those on the other side did not.
but, from institute out, i could see that there's a single way out of the institute network, connecting to two nodes both named something like 'core' (i don't have the scan here at home to look at). one of these led into many, many other private network hosts along those blind pathways, and so did the other, along with leading to the node that exits the system into NOX, or level3, or wherever the localhost is pointing.
so, point is, a traceroute to another address with the same prefix as the localhost may not traverse only other hosts with the same prefix. i had assumed that the 192.168 network was somehow self contained, that any hosts i saw within it must be linked through other 192.168 hosts. apparently this isn't necessarily how it works. i have more to learn.
(actually, i had noticed this last week, in scanning my comcast prefix - i found other systems separated from me by large interchanges with different prefixes (but prefixes common to other interchanges), but themselves having the same prefix as mine. i didn't understand it at the time, but forgot about it. this bugged me more, probably because of the 'private network' label attached to 192.168.)
i had been thinking that i would be looking at the institute network - that the institute must have set up a local 192.168 network within the Harvard system, and that by scanning that prefix (up to 192.168.36.255, which was where addresses seemed to stop existing) i would get back a picture of the institute network. instead, i saw that the scan went out into the Harvard 128.103 network, then back into the local network. I think this may have been scanning into systems outside of the Institute, and except for the hosts themselves (on the other side of the Harvard nodes) i got back no IP info, so couldn't see the structure. what i could see was that hosts with names on my side of the Harvard nodes all were associated explicitly with the institute (having the institute initials in the hostname), while those on the other side did not.
but, from institute out, i could see that there's a single way out of the institute network, connecting to two nodes both named something like 'core' (i don't have the scan here at home to look at). one of these led into many, many other private network hosts along those blind pathways, and so did the other, along with leading to the node that exits the system into NOX, or level3, or wherever the localhost is pointing.
so, point is, a traceroute to another address with the same prefix as the localhost may not traverse only other hosts with the same prefix. i had assumed that the 192.168 network was somehow self contained, that any hosts i saw within it must be linked through other 192.168 hosts. apparently this isn't necessarily how it works. i have more to learn.
(actually, i had noticed this last week, in scanning my comcast prefix - i found other systems separated from me by large interchanges with different prefixes (but prefixes common to other interchanges), but themselves having the same prefix as mine. i didn't understand it at the time, but forgot about it. this bugged me more, probably because of the 'private network' label attached to 192.168.)
Wednesday, April 28, 2010
traceroute scanning
something that's lots of fun to do is to scan a network with a traceroute command. what you get back is a (relatively) complete picture of the network connecting all the hosts with the specified prefix. depending on where you point it, it can be very, very big.
like i mentioned earlier, i know which node it is that stands between me and several routers that connect to different parts of the Boston internet. one of those routers goes to NOX, and another one to other residential (i think) comcast accounts. if i point the traceroute scan at a comcast node that's relatively nearby, and that contains the same IP prefix as mine (20 bits is reasonable and doesn't give back 65 thousand possible hosts), i get back a nice, complex picture of a network extending from here and across Boston, and across MA to CT, VT, and the MA-NY border.
i tried the same thing on the private 192.168 network at the institute, and got back something similar, and actually much denser (which makes sense, all hosts within the network have the same prefix, so i could get them all in one big shot, but the comcast network was relatively sparser, and seemed to have same-prefix hosts separated by nodes with different prefixes, which i don't understand...). since it's a single institution, it's organized differently - there are nodes for different users, but mainly the network divisions are more functional, with databases in one place, outgoing servers in another, administrative here, labs there. the comcast network looked much more regional, with a Hartford node, others (i get all these new englandy names confused, they all sound like Westly or Chestford or something like that).
ok, need to step back now and get more acquainted with the specifics rather than just playing with these toys...
like i mentioned earlier, i know which node it is that stands between me and several routers that connect to different parts of the Boston internet. one of those routers goes to NOX, and another one to other residential (i think) comcast accounts. if i point the traceroute scan at a comcast node that's relatively nearby, and that contains the same IP prefix as mine (20 bits is reasonable and doesn't give back 65 thousand possible hosts), i get back a nice, complex picture of a network extending from here and across Boston, and across MA to CT, VT, and the MA-NY border.
i tried the same thing on the private 192.168 network at the institute, and got back something similar, and actually much denser (which makes sense, all hosts within the network have the same prefix, so i could get them all in one big shot, but the comcast network was relatively sparser, and seemed to have same-prefix hosts separated by nodes with different prefixes, which i don't understand...). since it's a single institution, it's organized differently - there are nodes for different users, but mainly the network divisions are more functional, with databases in one place, outgoing servers in another, administrative here, labs there. the comcast network looked much more regional, with a Hartford node, others (i get all these new englandy names confused, they all sound like Westly or Chestford or something like that).
ok, need to step back now and get more acquainted with the specifics rather than just playing with these toys...
Tuesday, April 27, 2010
network scanning
okay, so i know how to use CIDR notation now. knowing this, i can get a network scan to work; you specify a prefix, and look for hosts on that network. last night i did this for a while on a couple of targets (jingping's insightbb network, and an AOL network around Cincinnati that i found through another connected skype user), and found that i could recognize a computer using skype by the ports it had open - all hosts i had looked at which i knew were running skype had open TCP ports on 80 and 443. so, when i saw a couple of hosts with those open ports, i guessed it must be skype, and confirmed it with more intensive, specific scans.
i also looked at my own network. given what i know, i was the only visible skype user. there was another machine which nmap guessed was a VOIP router, which is kind of interesting.
so, looking at networks is interesting. you can see all the hosts at once, get quick summaries of just what type of host they might be and what they're doing, and all of this with a couple of simple tools and some ability to recognize states (which the tools are of course better than me at doing).
also, from my office, i can see that my home network is linked by a single router to a different node than i see from home, one of the NOX comcast nodes (i can't remember what it is from home, but it isn't NOX, which is what ties together all these new england university networks). so, that router has access to several dozen hosts including my computer, and also to several higher comcast nodes, through which it can send traffic off in various directions. in other words, i think that that router is the single bottleneck for traffic from my home computer - i'm one hop from the open internet.
i also looked at my own network. given what i know, i was the only visible skype user. there was another machine which nmap guessed was a VOIP router, which is kind of interesting.
so, looking at networks is interesting. you can see all the hosts at once, get quick summaries of just what type of host they might be and what they're doing, and all of this with a couple of simple tools and some ability to recognize states (which the tools are of course better than me at doing).
also, from my office, i can see that my home network is linked by a single router to a different node than i see from home, one of the NOX comcast nodes (i can't remember what it is from home, but it isn't NOX, which is what ties together all these new england university networks). so, that router has access to several dozen hosts including my computer, and also to several higher comcast nodes, through which it can send traffic off in various directions. in other words, i think that that router is the single bottleneck for traffic from my home computer - i'm one hop from the open internet.
Monday, April 26, 2010
portscan
just got my first portscan result.
it's another address in boston, using skype. it's also a comcast address, and the first 16 bits are the same as my address. the prefix of the server above it says 'needham'. i guess it's strange that it's such a similar location to mine, and i suppose i could be looking into some sort of mirror that i don't understand, but i do think it's a real, other user, somewhere here in town.
nmap saw that its http ports (80 and 443) were open, and decided that they were being used by the Skype service. i can also see that port 2265 is open, the same port from which i'm receiving packets from this computer.
the other open port (2222) is associated with a website administration program, or with who knows what else.
nmap also claims with some confidence that the computer is a pocket PC running some version of windows XP.
still, i have no idea why this computer is reflecting messages through my computer. and i still haven't figured out why there's always an explicit connection through skype with another computer - other than jingping, this is the only skype connection at the moment, so it is *the other* connection. now i'll see if it shows up again...
it's another address in boston, using skype. it's also a comcast address, and the first 16 bits are the same as my address. the prefix of the server above it says 'needham'. i guess it's strange that it's such a similar location to mine, and i suppose i could be looking into some sort of mirror that i don't understand, but i do think it's a real, other user, somewhere here in town.
nmap saw that its http ports (80 and 443) were open, and decided that they were being used by the Skype service. i can also see that port 2265 is open, the same port from which i'm receiving packets from this computer.
the other open port (2222) is associated with a website administration program, or with who knows what else.
nmap also claims with some confidence that the computer is a pocket PC running some version of windows XP.
still, i have no idea why this computer is reflecting messages through my computer. and i still haven't figured out why there's always an explicit connection through skype with another computer - other than jingping, this is the only skype connection at the moment, so it is *the other* connection. now i'll see if it shows up again...
Saturday, April 24, 2010
nmap 1
got a program called nmap, using the windows gui.
i can't really get a port scan to work on another computer. i tried to get jingping to turn off her firewall, but she said it was already off - i guess norton does its own firewall.
still, nmap has other neat functions. you can get it to do traceroute for you, along with other things, and it will hold on to all the data for you. as you do this, it creates a graphic plot of all the addresses you've been querying. if you're doing tracerouts, it plots ip paths, which is fantastic. here's what i did:
still working off the mysteries of Skype, i ran the network monitor for a few minutes, and got a list of those UDP conversations through port 34368. most of these just consist of my computer sending out a single datagram to some other address, with which i may or may not be also involved in a TCP session. a few ms later, i get a UDP back from the target. there were about 15 of these over a 5 minute period. i plugged them all into the nmap and tracerouted them (had to do this one by one, i'm going to have to get a little more sophisticated), and got back a neat plot showing how all these connections are related to me. these other IP addresses were all over the world, China, NZ, Japan, Russia, France, all over. maybe those are the supernodes, and i'm just registering with them by sending a datagram?
the plot is interesting in itself:
you can't read them but the ip address of every node along the route is listed. the maps are dynamic; you can highlight a node and all its children (those further down the route away from the center), change the center node, rotate, etc.
like i said, most of those UDP exchanges were just 2 packets, one out and one response. there were two other things that happened. one was, I sent 2 UDP packets and got back 1 RTP packet, which i think is actually a UDP packet carrying audio/video information. there wasn't anything else associated with that address, though, so i can't guess what that was about.
the other interesting thing was an instance where i sent 3 UDP packets to a certain address, with no response. i actually guessed the reason: they were being sent to jingping's laptop on campus, on the UofL wireless network, where it hasn't actually been connnected since early friday evening: i sent those UDP packets after midnight, more than 7 hours after she had disconnected.
why did this happen? one thing is, i may have left Skype running on the computer in my office, and during the day that was a connection to her laptop on the campus wireless network. or, i may have turned it off - sometimes i forget, usually i don't, but i don't usually remember if i remembered, only if i forgot (strange how that works). at any rate, for some reason, my computer, being connected with my Skype account, thought to check to see if that UofL address was still on, despite the fact that the account it had been associated with was now associated with another IP address. this doesn't make a lot of sense to me. some sort of cleanup work on Skype's part?
mysteries, mysteries.
i can't really get a port scan to work on another computer. i tried to get jingping to turn off her firewall, but she said it was already off - i guess norton does its own firewall.
still, nmap has other neat functions. you can get it to do traceroute for you, along with other things, and it will hold on to all the data for you. as you do this, it creates a graphic plot of all the addresses you've been querying. if you're doing tracerouts, it plots ip paths, which is fantastic. here's what i did:
still working off the mysteries of Skype, i ran the network monitor for a few minutes, and got a list of those UDP conversations through port 34368. most of these just consist of my computer sending out a single datagram to some other address, with which i may or may not be also involved in a TCP session. a few ms later, i get a UDP back from the target. there were about 15 of these over a 5 minute period. i plugged them all into the nmap and tracerouted them (had to do this one by one, i'm going to have to get a little more sophisticated), and got back a neat plot showing how all these connections are related to me. these other IP addresses were all over the world, China, NZ, Japan, Russia, France, all over. maybe those are the supernodes, and i'm just registering with them by sending a datagram?
the plot is interesting in itself:
you can't read them but the ip address of every node along the route is listed. the maps are dynamic; you can highlight a node and all its children (those further down the route away from the center), change the center node, rotate, etc.
like i said, most of those UDP exchanges were just 2 packets, one out and one response. there were two other things that happened. one was, I sent 2 UDP packets and got back 1 RTP packet, which i think is actually a UDP packet carrying audio/video information. there wasn't anything else associated with that address, though, so i can't guess what that was about.
the other interesting thing was an instance where i sent 3 UDP packets to a certain address, with no response. i actually guessed the reason: they were being sent to jingping's laptop on campus, on the UofL wireless network, where it hasn't actually been connnected since early friday evening: i sent those UDP packets after midnight, more than 7 hours after she had disconnected.
why did this happen? one thing is, i may have left Skype running on the computer in my office, and during the day that was a connection to her laptop on the campus wireless network. or, i may have turned it off - sometimes i forget, usually i don't, but i don't usually remember if i remembered, only if i forgot (strange how that works). at any rate, for some reason, my computer, being connected with my Skype account, thought to check to see if that UofL address was still on, despite the fact that the account it had been associated with was now associated with another IP address. this doesn't make a lot of sense to me. some sort of cleanup work on Skype's part?
mysteries, mysteries.
Thursday, April 22, 2010
http://nil.isi.edu/
oh, this is neat!
i saw an ICMP 'echo request' packet! i was in an IRC channel at the time, for the first time in like 10 years, so i thought maybe it was somebody there. but the request actually had a working URL attached, which is in the title of this post (http://nil.isi.edu/). it really was a ping, an automated, scientific ping!
internet is very, very interesting.
i saw an ICMP 'echo request' packet! i was in an IRC channel at the time, for the first time in like 10 years, so i thought maybe it was somebody there. but the request actually had a working URL attached, which is in the title of this post (http://nil.isi.edu/). it really was a ping, an automated, scientific ping!
internet is very, very interesting.
Tuesday, April 20, 2010
portsweeping
this is called portsweeping!
i saw another one, in China (Jinan, Shandong maybe), this one looking into port 6000, which can be used for remote keystroke recording.
somebody just sets up a program to search the internet for computers with vulnerable ports. it's like if someone could go and scan apartments for ones with unlocked doors or open windows - then send in the thieves! amazing!
i saw another one, in China (Jinan, Shandong maybe), this one looking into port 6000, which can be used for remote keystroke recording.
somebody just sets up a program to search the internet for computers with vulnerable ports. it's like if someone could go and scan apartments for ones with unlocked doors or open windows - then send in the thieves! amazing!
MS WBT SERVER
watching the net monitor again, with network applications turned off. saw one unassociated address - tracked down to Henan, China. to look this up, i stopped the monitor and opened the web browser. then i started the monitor up again, and right away realized i had failed to check the port number.
luckily (or unluckily) i caught another one. this one was either in Georgia (.ge) or Turkey - i think the service is based in Turkey, but the address was in Georgia.
so, this address exchanged several TCP packets with my computer, none of which seemed to contain anything (i say this only because they had 'payload lengths' of zero - this is not something i have researched yet). they were exchanged through port 3389, which actually carried a label: MS WBT SERVER. what is MS WBT SERVER you ask? this is the port used by the 'Remote Desktop' utility in windows. obviously, this was something in the Caucasus searching for a computer with a somehow vulnerable port 3389.
how to tell if it's vulnerable? maybe if i was using the utility? i don't know. maybe he's watching me type right now, though i think then i'd be able to see him still. it was a total of 8 TCP packets, followed a couple of minutes later by 2 UDP packets.
very interesting!
luckily (or unluckily) i caught another one. this one was either in Georgia (.ge) or Turkey - i think the service is based in Turkey, but the address was in Georgia.
so, this address exchanged several TCP packets with my computer, none of which seemed to contain anything (i say this only because they had 'payload lengths' of zero - this is not something i have researched yet). they were exchanged through port 3389, which actually carried a label: MS WBT SERVER. what is MS WBT SERVER you ask? this is the port used by the 'Remote Desktop' utility in windows. obviously, this was something in the Caucasus searching for a computer with a somehow vulnerable port 3389.
how to tell if it's vulnerable? maybe if i was using the utility? i don't know. maybe he's watching me type right now, though i think then i'd be able to see him still. it was a total of 8 TCP packets, followed a couple of minutes later by 2 UDP packets.
very interesting!
Monday, April 19, 2010
skype port? broadcasts?
ok, very briefly because it's late.
if i leave the network monitor on for a while, it lists lots and lots of conversations between ARKIV (my computer) and other addresses out there in the world. most of these are UDP packets, but not all. of the ones that are UDP packets, i'm pretty sure that they're all associated with Skype. here is how i know:
the monitor does show when conversations are known to be controlled by a particular process like Skype. so, tonight, i record for a while, and i see two other addresses associated with Skype. one is jingping, i know, because tracert tells me that it's an insight address routed through Atlanta, and i already know that's our service in louisville. the other is somebody in new bedford MA, still in the comcast network. i don't know what that is.
anyways, so i can see jingping's IP address. it also shows up in the 'unknown' associated list of all those UDP conversations, with a different port number, 34268. all the other UDP conversations (most - i didn't look at each one) are also going to port 34268, so i deduce that they must also be associated with Skype.
so, apparently Skype is going to be an internet learning tool for me. it's very mysterious. are these other Skype users, using ARKIV as a waypoint for finding other users? i think that's what a supernode does, but from what i've read supernodes should have many, many more connections. so, i still don't know what this is all about, and skype's operations are kind of trade secrets which are hard to research online. still, i'm sure there's plenty out there for me to figure out.
okay, so there, i learned that i can identify a process by its port number. or, at least, i deduced it. it may be wrong.
if i leave the network monitor on for a while, it lists lots and lots of conversations between ARKIV (my computer) and other addresses out there in the world. most of these are UDP packets, but not all. of the ones that are UDP packets, i'm pretty sure that they're all associated with Skype. here is how i know:
the monitor does show when conversations are known to be controlled by a particular process like Skype. so, tonight, i record for a while, and i see two other addresses associated with Skype. one is jingping, i know, because tracert tells me that it's an insight address routed through Atlanta, and i already know that's our service in louisville. the other is somebody in new bedford MA, still in the comcast network. i don't know what that is.
anyways, so i can see jingping's IP address. it also shows up in the 'unknown' associated list of all those UDP conversations, with a different port number, 34268. all the other UDP conversations (most - i didn't look at each one) are also going to port 34268, so i deduce that they must also be associated with Skype.
so, apparently Skype is going to be an internet learning tool for me. it's very mysterious. are these other Skype users, using ARKIV as a waypoint for finding other users? i think that's what a supernode does, but from what i've read supernodes should have many, many more connections. so, i still don't know what this is all about, and skype's operations are kind of trade secrets which are hard to research online. still, i'm sure there's plenty out there for me to figure out.
okay, so there, i learned that i can identify a process by its port number. or, at least, i deduced it. it may be wrong.
Thursday, April 08, 2010
well..
oh man. i haven't learned anything today, except that there's only so far you can take a visual simulation before it breaks. so, i've been measuring thresholds for a simulated observer at different spatial frequencies, for content within photographs which has been thresholded depending on a trial-to-trial staircase. it works pretty well for the images themselves. the original image gets compared with the image containing a thresholded band, and the observer is able to converge at a measure of the threshold over several hundred trials, similar to a human observer.
what i do is this: the original image gets filtered at the frequency in question, and the filtered image (the output of the filter) is thresholded and added back into the original image minus the filtered image. so, we actually have the original image minus the subthreshold content within the filter. if the threshold is zero, these two images are identical, i.e. they are whole, unfiltered photographs. this is the experiment as i originally ran it on myself, trying to find the just-detectable threshold (the threshold-threshold). to do the experiment simulation, the thresholded image then gets filtered again, meaning that the filter picks up the thresholded content along with residual off-frequency content. this is the only reasonable way to get the test content, since 1) that off-frequency content is there in the image and would be seen by the filter, and thus can't be ignored, and 2) the filtered band contains harmonics which wouldn't be seen by the filter.
naturally, i eventually decided to do the same experiment without the complete image; i.e., just measure threshold-thresholds for the content within the filter. i thought this would be straightforward - i just use the filtered image as the 'original', and the thresholded filtered image as the 'test'. but then, i thought, ah, almost screwed up there: the thresholded filtered image should be filtered again, just like in the original experiment. so, you can see the problem. the original content is lifted straight out of the source image, while the thresholded content gets lifted out of the source image and again out of the thresholded image, which means it will be multiplied twice by the filter. so, even if the threshold is zero, the test and original images will be different.
this is a problem. in fact, it must also be a problem in the original experiment. but, the test and original images in the original experiment are the same when the threshold is zero - i assume this is because the off-frequency content amounts to the difference between the filtered and double-filtered content, and adding the filtered content back into the image basically restores the lost content.
i need to think about this.
what i do is this: the original image gets filtered at the frequency in question, and the filtered image (the output of the filter) is thresholded and added back into the original image minus the filtered image. so, we actually have the original image minus the subthreshold content within the filter. if the threshold is zero, these two images are identical, i.e. they are whole, unfiltered photographs. this is the experiment as i originally ran it on myself, trying to find the just-detectable threshold (the threshold-threshold). to do the experiment simulation, the thresholded image then gets filtered again, meaning that the filter picks up the thresholded content along with residual off-frequency content. this is the only reasonable way to get the test content, since 1) that off-frequency content is there in the image and would be seen by the filter, and thus can't be ignored, and 2) the filtered band contains harmonics which wouldn't be seen by the filter.
naturally, i eventually decided to do the same experiment without the complete image; i.e., just measure threshold-thresholds for the content within the filter. i thought this would be straightforward - i just use the filtered image as the 'original', and the thresholded filtered image as the 'test'. but then, i thought, ah, almost screwed up there: the thresholded filtered image should be filtered again, just like in the original experiment. so, you can see the problem. the original content is lifted straight out of the source image, while the thresholded content gets lifted out of the source image and again out of the thresholded image, which means it will be multiplied twice by the filter. so, even if the threshold is zero, the test and original images will be different.
this is a problem. in fact, it must also be a problem in the original experiment. but, the test and original images in the original experiment are the same when the threshold is zero - i assume this is because the off-frequency content amounts to the difference between the filtered and double-filtered content, and adding the filtered content back into the image basically restores the lost content.
i need to think about this.
Subscribe to:
Posts (Atom)