Nathan Ward wrote:
Can you explain how you arrived at this?
Sure.
Some starters: - Are you finding server ports by counting incoming packets to that port or outgoing packets from that port?
For every IP I look at every packet it *sends* (and ignore ones that are just targetted to it to ignore scans and whatnot). I then attempt to guess what the "server port" is, and then for each IP I keep a list of server ports seen for UDP and TCP. I then count how many IP's only ever talk to one server port, how many talk to two server ports etc.
- Bits or packets? (this may explain NTP, etc.)
A single packet is enough. (Yeah, this explains NTP etc I was surprised at the number of computers that knew what NTP was and were actually using it.).
- Are these NZ, or international (you might not be able to answer that, though. I'm not asking who, of course, just locality.)
The vast majority of these are New Zealand DSL users.
- Are you looking at end users, or any endpoint IP address that you see? (ie. internal endpoints or external endpoints or both?)
I'm really not sure I understand the question. I'm looking at packets I can be fairly confident are sent from New Zealand DSL customers. I don't just look at the destination port, but the source port too when trying to figure out what the "server port" is.