I have one node that I have net debug logs for and that has blockfilterindex=1. I ran your awk script against my logs since 2026-01-01.
In total, I have 1734 entries of this happening. All but four clients have btcwire:0.5.0/neutrino:0.12.0-beta as the user agent. For three I don’t have a user agent in the output (probably connected to me before 2026-01-01 and the version message is in a different log file), and for one I have /btcwire:0.5.0/zap-desktop:0.7.7-beta/.
I have IP logging enabled on my nodes, so my output includes IPs. Not posting these here, but can share privately, if that’s interesting to you.
Looking some of these IPs up, it seems they all belong to a diverse set of cloud hosters (Digital Ocean, Hetzner, Google Cloud, some Swedish cloud hosters, …). I didn’t check all IPs, but the only residential IP I saw was for the zap-desktop:0.7.7-beta user agent. This led me to believe that these are LN nodes hosted in the cloud. Looking some of the IPs up on https://amboss.space and 1ml.com shows that there are actually LN nodes running behind these. I don’t know if you can fingerprint/identify LN node implemenations by behavior if you just have their IP addresses, but my guess would be that btcwire:0.5.0/neutrino:0.12.0-beta/ is LND?
Looking at block hashes, I have 1166 (67%) entries with 95b0d0f836f18d78dfbae435fb37bf6fff2e37a4fc01c20be8495bc3ea4fbb58. I could not find a mention of this on GitHub besides on your net: cbfilters: Don't disconnect peers for requesting unknown blocks. by davidgumberg · Pull Request #34933 · bitcoin/bitcoin · GitHub PR. I didn’t check BIP 157 yet. It might be hardcoded somewhere, but encoded.
I looked a few of the remaining block hashes up in a block explorer and they all seem to be valid.