What we do is basically this:
ping -c4 network_address
ping -c4 broadcast_address
Then we log the _highest number of returned packets_ from any of the 3*2
pings we now have stored replies for. The number of _dups_ we record is
this count, minus one.
Some times the number of dups we see vary wildly depending on when we
probe, or where you are probing from. I tend to attribute this to load on
the amplifier network (perhaps someone is using them in an attack at this
time), or packet-shredding international links that can't take the burst.
(That is, if you and I were probing a european amplifier network, I might
see slightly more dups than you since I am in Europe).
Oh, and by the way! No more than 254 replies, you say. That's because
you see it registered in the registry as a /24. I need to point out that
there's nothing we do at this point to verify that the prefix lengths
of the networks entered into the SAR are actually correct.
So something listed as a /24 could be anything - you'll have to look at
the actual network number to judge for yourself what it might be. We try
to keep the prefix lengths longer so as not to block too much by accident
(the probe defaults to /24).
In some cases we see that the number of dups returned far exceed the
theoretical max of the probed network. In some cases this happens because
the prefix length is wrong, but in other cases i am at a loss - the hosts
in the probed network actually seems to return more than one response per
request. I have no idea why. We saw this with the 193.55.112.0/24
network, for instance (which has now been fixed).
Oystein Homelien | oystein@powertech.no
PowerTech Information Systems AS | http://www.powertech.no/
Nedre Slottsgate 5, N-0157 OSLO | tel: +47-23-010-010, fax: +47-2220-0333