What I initially needed IPDetails to offer
A couple of months ago I needed a tool that allowed me to gather more information on IP addresses that I’d collected using SiLK. The tool will enable me to cluster IP addresses for cloud flows, not just on the IP address, but on the AS number and ISP. This was the brief for IPDetails.
Firstly, I needed a resource on the Internet from which I could look up this information. Ideally it would have an API that allowed easy programmatic access, since I'd be dealing with a lot of IP addresses for some of the tasks. I found one on the IP-API.COM website. This gives the AS number and name, geo-location data, and ISP information using a simple submission URL.
This tool would take a file of IP addresses from the SiLK outputs and use the IP-API.COM interface to retrieve the additional information and save it back as a CSV file. I import this as an input into modelling tools such as Gephi, providing further information to cluster applications together.
It's been a while since my time at Borland. I've not had to code more than a couple of lines of scripts in the interim. Since then the coding style, tool sets and even languages have changed substantially. So with the aid of Python, the documentation website, and a few hours, I've been able to knock up a fairly decent tool. (I'm not saying the tool or coding is the best; there are elements I'd like to try to remove in the future, but for now, it works.)
You can find the IPDetails.py on my GitHub repository.
Other things that got added to IPDetails.py along the way
Along the way, I also decided that it would be good to add alternative output formats, such as text and JSON. Also, nefarious parts of the Internet occasionally tapped this website, and it would be good for me to quickly look up IP addresses from the command line. Various tweaks and modifications to the code got these added over time. Now it's complete. It is time to reveal it to the world (even though development has been ongoing publicly via GitHub).
How you use IPDetails.py
IPDetails.py uses Python 3 (preferably 3.5 or later) to run. It operates in two modes, the first being the file-based input mode.
In this mode you use the command line: IPDetails.py [-f {txt [-d],csv,json}] [inputfilename] [outputfilename]
The -f option specifies the output format, selecting from txt, multiline detailed txt (-f txt -d), CSV or JSON modes. The inputfilename, if omitted, becomes stdin, and similarly an omitted outputfilename becomes stdout, allowing the tool to be used in pipes.
In the alternate mode, the command line becomes IPDetails.py -a address, where address is an IPv4 or an IPv6 address. In this mode you get the detailed txt output.
    [john@danube]$ ./IPDetails.py -a 8.8.8.8
    Looking up address: 8.8.8.8
    IP: 8.8.8.8 google-public-dns-a.google.com
    Geo: US United States Mountain View Lat: 37.4229 Long: -122.085 TZ: America/Los_Angeles
    AS#: 15169 Google Inc. Google Google
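To show how the two modes above fit together (address validation, the IP-API.COM JSON lookup, and the txt, detailed txt, CSV and JSON output formats), here is an added example written for this post; it is not the IPDetails.py code from the GitHub repository. It assumes ip-api.com's JSON endpoint at http://ip-api.com/json/<ip> with its comma-separated fields parameter, and the field names query, reverse, countryCode, country, city, lat, lon, timezone, as, isp and org; the 1.5 second pacing delay and the SAMPLE_RESPONSE record are constructed so the example can be exercised offline. Two things the post does not spell out are worth doing before bulk lookups: validate each line as an IP address with the ipaddress module so that stray file content never ends up in a request URL, and pace requests, because the free endpoint is rate limited.

```python
import csv
import io
import ipaddress
import json
import sys
import time
import urllib.request
from typing import Callable, Dict, Iterable, List

# Assumption: ip-api.com's JSON endpoint and field names (reverse is only returned when requested).
LOOKUP_URL = ("http://ip-api.com/json/{ip}?fields=status,message,query,reverse,"
              "countryCode,country,city,lat,lon,timezone,as,isp,org")
CSV_FIELDS = ["query", "reverse", "countryCode", "country", "city", "lat", "lon",
              "timezone", "as", "isp", "org"]

# Constructed sample in the shape of a success response; not the result of a live lookup.
SAMPLE_RESPONSE = {
    "status": "success", "query": "8.8.8.8", "reverse": "dns.google",
    "countryCode": "US", "country": "United States", "city": "Mountain View",
    "lat": 37.4229, "lon": -122.085, "timezone": "America/Los_Angeles",
    "as": "AS15169 Google LLC", "isp": "Google LLC", "org": "Google LLC",
}


def validate_ip(text: str) -> str:
    """Canonicalise an IPv4/IPv6 address or raise ValueError.
    Validating first keeps hostnames and junk from the input file out of the request URL."""
    return str(ipaddress.ip_address(text.strip()))


def _http_get(url: str) -> bytes:
    """Default fetcher for live use."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def offline_fetch(url: str) -> bytes:
    """Stand-in fetcher: answers the sample address and 'fails' everything else,
    mirroring the service's fail record for addresses it will not resolve."""
    ip = url.split("/json/")[1].split("?")[0]
    if ip == SAMPLE_RESPONSE["query"]:
        return json.dumps(SAMPLE_RESPONSE).encode()
    return json.dumps({"status": "fail", "message": "private range", "query": ip}).encode()


def lookup(ip: str, fetch: Callable[[str], bytes] = _http_get) -> Dict:
    """Fetch one record. Fail responses come back with status 'fail' and a message
    and are returned unchanged so the caller can report them."""
    return json.loads(fetch(LOOKUP_URL.format(ip=validate_ip(ip))))


def lookup_many(lines: Iterable[str], fetch: Callable[[str], bytes] = _http_get,
                delay: float = 1.5) -> List[Dict]:
    """Resolve every non-blank line. Invalid lines become fail records instead of
    aborting the run; delay (assumed value) paces requests for the rate-limited free endpoint."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        try:
            records.append(lookup(line, fetch))
        except ValueError as exc:
            records.append({"status": "fail", "query": line.strip(), "message": str(exc)})
        if delay:
            time.sleep(delay)
    return records


def as_number_and_name(rec: Dict):
    """Split 'AS15169 Google LLC' into ('15169', 'Google LLC')."""
    num, _, name = rec.get("as", "").partition(" ")
    return (num[2:] if num.startswith("AS") else num), name


def format_txt(rec: Dict) -> str:
    """One line per address: IP, AS number, ISP."""
    if rec.get("status") != "success":
        return f"{rec.get('query')} lookup failed: {rec.get('message', 'unknown')}"
    asn, _ = as_number_and_name(rec)
    return f"{rec['query']} {asn} {rec.get('isp', '')}"


def format_detailed(rec: Dict) -> str:
    """Multi-line layout in the style of the tool's -f txt -d output."""
    if rec.get("status") != "success":
        return format_txt(rec)
    asn, asname = as_number_and_name(rec)
    return "\n".join([
        f"IP: {rec['query']} {rec.get('reverse', '')}".rstrip(),
        f"Geo: {rec.get('countryCode', '')} {rec.get('country', '')} {rec.get('city', '')} "
        f"Lat: {rec.get('lat', '')} Long: {rec.get('lon', '')} TZ: {rec.get('timezone', '')}",
        f"AS#: {asn} {asname} {rec.get('isp', '')} {rec.get('org', '')}",
    ])


def format_csv(records: List[Dict]) -> str:
    """CSV with a fixed header, suitable for import into tools such as Gephi;
    fail records are left out because they carry no clustering data."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore")
    writer.writeheader()
    for rec in records:
        if rec.get("status") == "success":
            writer.writerow(rec)
    return buf.getvalue()


def format_json(records: List[Dict]) -> str:
    """JSON keeps the fail records too, so nothing from the input is silently dropped."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    # -a <address> prints the detailed layout; otherwise stdin lines become CSV on stdout.
    argv = sys.argv[1:]
    if len(argv) == 2 and argv[0] == "-a":
        print(format_detailed(lookup(argv[1])))
    else:
        sys.stdout.write(format_csv(lookup_many(sys.stdin)))
```

Run it with `./example.py -a 8.8.8.8` for a single address, or `./example.py < ips.txt > ips.csv` for a SiLK-derived list; passing offline_fetch and delay=0 to lookup_many exercises every formatter without touching the network.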
Enjoy, and if you think you can improve the code a little, submit a GitHub pull request, or comment on GitHub, or below.