On 23 Jul 2010, at 1:40, Ricky Beam wrote: [...]
Do the complaints you receive include port numbers?
I've never seen one that did. I've not even seen one with an exact timestamp.
You would require the src and dst ip *and* port, plus the near exact timestamp of when the connection was opened and closed. Even then, that's one needle in a huge pile of identical needles. The netflow/sflow/etc. data needed to support such a lookup for a modern ISP network would be absolutely insane. (a decade ago for a small, regional ISP/telco, just prefix records were over 700MB per day -- back in the days of 2mb DSL, before bittorrent...)
Richard Clayton wrote some interesting articles on this earlier this year. There's a UK flavour to them but I expect the concepts are transferable.

http://www.lightbluetouchpaper.org/2010/01/12/extending-the-requirements-for...
http://www.lightbluetouchpaper.org/2010/01/13/practical-mobile-internet-acce...
http://www.lightbluetouchpaper.org/2010/01/14/mobile-internet-access-data-re...

Regards,
Leo
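
Added example, not part of the original messages: a sketch of the lookup discussed in the quoted text, showing how many subscribers remain plausible when a complaint lacks ports or a precise timestamp. It assumes several subscribers share one public source address; the `Flow` record layout, subscriber ids and all sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    subscriber: str   # hypothetical subscriber id
    src_ip: str       # public source address, shared by several subscribers (assumption)
    src_port: int
    dst_ip: str
    dst_port: int
    start: datetime   # connection opened
    end: datetime     # connection closed

def candidates(flows, src_ip, when, slack, src_port=None, dst_ip=None, dst_port=None):
    """Subscribers whose flows fit a complaint. Fields the complaint lacks are
    None and match anything; slack is the uncertainty of its timestamp."""
    lo, hi = when - slack, when + slack
    wanted = {"src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}
    hits = set()
    for f in flows:
        if f.src_ip != src_ip:
            continue
        if any(v is not None and getattr(f, k) != v for k, v in wanted.items()):
            continue
        if f.start <= hi and f.end >= lo:   # flow lifetime overlaps the window
            hits.add(f.subscriber)
    return sorted(hits)

# Constructed sample records (documentation address ranges), not real data.
T0 = datetime(2010, 7, 1, 12, 0, 0)
def _flow(sub, sport, dst, dport, opened, closed):
    return Flow(sub, "192.0.2.1", sport, dst, dport,
                T0 + timedelta(seconds=opened), T0 + timedelta(seconds=closed))

FLOWS = [
    _flow("sub-A", 40001, "198.51.100.7", 80, 0, 30),
    _flow("sub-B", 40002, "198.51.100.7", 80, 5, 50),
    _flow("sub-C", 40001, "198.51.100.7", 80, 45, 90),   # source port reused after sub-A closed
    _flow("sub-D", 40003, "203.0.113.9", 443, 0, 600),
]
SEEN = T0 + timedelta(seconds=20)   # when the complainant saw the connection

def demo():
    full = dict(src_port=40001, dst_ip="198.51.100.7", dst_port=80)
    return {
        "ip_only_hour": candidates(FLOWS, "192.0.2.1", SEEN, timedelta(hours=1)),
        "tuple_minute": candidates(FLOWS, "192.0.2.1", SEEN, timedelta(minutes=1), **full),
        "tuple_second": candidates(FLOWS, "192.0.2.1", SEEN, timedelta(seconds=1), **full),
    }

if __name__ == "__main__":
    for name, subs in demo().items():
        print(name, subs)
```

Even with the full tuple, a timestamp that is only good to the minute still leaves two subscribers, because the source port was reused within that window.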