6. Internet Protocol Address
IPv4
If the answer is four bytes (of eight bits each) written in decimal notation (leading zeros may be omitted) and separated by dots, you are dealing with an IPv4 address.
If IP addresses are "hidden" in several log files, you can find and process them with a regular expression, for example:
# IPV4EXTREGEXP="((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
# zgrep --extended-regexp \
--only-matching \
--no-filename "${IPV4EXTREGEXP}" /var/log/nginx/access.log* \
| sort \
| uniq --count \
| sort --numeric-sort --reverse \
| awk '$1 >= 100 { print $0; }'
1493 87.148.0.84
493 93.230.182.70
406 213.133.113.83
389 213.133.113.86
386 93.230.190.40
384 213.133.113.84
370 205.211.169.31
289 79.211.37.31
288 178.255.215.98
210 79.211.37.154
112 62.214.90.107
In our example (webmail.123-reg.co.uk), the A Resource Record is "94.136.40.161":
Linux/BSD/Unix
$ dig A webmail.123-reg.co.uk
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> A webmail.123-reg.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46533
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;webmail.123-reg.co.uk. IN A
;; ANSWER SECTION:
webmail.123-reg.co.uk. 216 IN A 94.136.40.161
;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 55
Microsoft Windows
PS C:\WINDOWS\system32> nslookup -q=A webmail.123-reg.co.uk
Server: fritz.box
Address: 192.168.178.1
Non-authoritative answer:
Name: webmail.123-reg.co.uk
Address: 94.136.40.161
eToolz
Note that not all IP addresses are unique worldwide.
Fairly early on, programmers realised that the 4,294,967,296 IPv4 addresses that are theoretically available could be used up faster than expected. For this reason, they defined subnets that can be assigned several times over in local networks and are not forwarded by routers. These subnets can themselves be subdivided into several smaller subnets.
The subnet size is defined by a subnet mask. In the case of IPv4, the subnet mask is also 4 x 8 bits = 32 bits long. The ones (1) mark the network part shared by all hosts of the subnet, whereas the zeros (0) mark the host part that is available for the addresses of individual computers.
The network mask can be written like an IPv4 address (e.g. 255.255.255.0) or in CIDR notation (e.g. /24). In CIDR notation, the number behind the "/" (slash) indicates the number of ones (1) in the network mask.
Private and other reserved subnets:
- 0.0.0.0/0 ("no" IP address or the entire address space)
- 127.0.0.0/8 (Loopback: 127.0.0.1-127.255.255.254)
- 10.0.0.0/8 (a private Class A network: 10.0.0.1-10.255.255.254)
- 169.254.0.0/16 (Link Local: 169.254.0.1-169.254.255.254)
- 172.16.0.0/12 (16 private Class B networks: 172.16.0.1-172.31.255.254)
- 192.168.0.0/16 (256 private Class C networks: 192.168.0.1-192.168.255.254)
- 224.0.0.0/4 (Multicast)
- 255.255.255.255/32 (Limited Broadcast)
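As an added example (not code from the original page), the following POSIX shell script turns the subnet list above into a classifier: it converts a dotted quad to a 32-bit integer, tests it against a CIDR prefix with the mask arithmetic just described (the prefix length gives the number of leading ones), and labels each address. The function names (ip4_to_int, in_cidr, classify_ip4, classify_list) and the sample addresses at the bottom are this example's own; the address list printed by the zgrep pipeline above can be piped into classify_list in the same way to see how many hits are non-routable addresses.

```shell
#!/bin/sh
# Added example: classify IPv4 addresses against the reserved prefixes
# listed above. POSIX sh only, no bash-specific syntax.

# Dotted quad -> 32-bit integer. Rejects anything that is not exactly four
# decimal octets in 0..255; leading zeros are allowed ("010" means 10).
ip4_to_int() {
    case $1 in .*|*.|*..*) return 1 ;; esac   # empty leading/trailing/inner octet
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        o=${o#${o%%[!0]*}}      # strip leading zeros so "010" is not read as octal
        o=${o:-0}               # but keep a lone "0"
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
}

# Is address $1 inside CIDR prefix $2 (e.g. 172.16.0.0/12)?
# The mask is built from the prefix length: that many leading ones.
in_cidr() {
    ip=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "${2%/*}") || return 2
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the label of the first matching prefix, "public" if none matches,
# or "invalid" (exit status 1) for malformed input.
classify_ip4() {
    addr=$1
    ip4_to_int "$addr" >/dev/null || { echo invalid; return 1; }
    for entry in \
        "127.0.0.0/8 loopback" \
        "10.0.0.0/8 private-class-A" \
        "169.254.0.0/16 link-local" \
        "172.16.0.0/12 private-class-B" \
        "192.168.0.0/16 private-class-C" \
        "224.0.0.0/4 multicast" \
        "255.255.255.255/32 limited-broadcast"
    do
        set -- $entry
        if in_cidr "$addr" "$1"; then
            echo "$2"
            return 0
        fi
    done
    echo public
}

# Read one address per line (e.g. the zgrep output above) and print
# "<count> <label>", most frequent label first.
classify_list() {
    while read -r a; do
        [ -z "$a" ] && continue
        classify_ip4 "$a" || :      # keep going past malformed lines
    done | sort | uniq -c | sort -nr
}

# Constructed sample input: addresses from this page mixed with reserved ones.
SAMPLE='87.148.0.84
87.148.0.84
10.1.1.11
192.168.178.1
127.0.0.1
169.254.10.20
172.31.255.254
172.32.0.1
224.0.0.251
999.1.1.1'

printf '%s\n' "$SAMPLE" | classify_list
```

Note that 172.32.0.1 is reported as public: the /12 mask 255.240.0.0 keeps only the top four bits of the second octet, and 32 (0010 0000) differs from 16 (0001 0000) there, which is exactly why the private Class B range ends at 172.31.255.255.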
If, during a home visit, you are interested in both the network traffic and statistics about the IPv4 addresses involved, it is appropriate to first record the network traffic to forensic standards (here with netsniff-ng) and then produce the statistics with, for example, tcpdump and a little command-line kung fu:
# netsniff-ng -i eth2 -o traffic.pcap -J -H -s
Running! Hang up with ^C!
1088 packets incoming (6 unread on exit)
1094 packets passed filter
0 packets failed filter (out of space)
0.0000% packet droprate
12 sec, 489895 usec in total
# tcpdump -r traffic.pcap -n -t ip 2> /dev/null \
| cut -d " " -f 2,3,4 \
| tr ">" "\n" \
| tr -d " :" \
| cut -d "." -f 1,2,3,4 \
| sort \
| uniq -c \
| sort -nr
[...]
Domain ≠ Hostname
The PTR Resource Record is used for a reverse lookup, e.g.:
Linux/BSD/Unix
$ dig -x 94.136.40.161
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -x 94.136.40.161
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53562
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;161.40.136.94.in-addr.arpa. IN PTR
;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 44
Microsoft Windows
PS C:\WINDOWS\system32> nslookup -q=PTR 94.136.40.161
Server: fritz.box
Address: 192.168.178.1
*** fritz.box can't find 161.40.136.94.in-addr.arpa.: Non-existent domain
eToolz
If the IP address cannot be resolved at all in a reverse lookup (as is the case in our example), you are dealing with a deliberate or unintentional misconfiguration. (For a correctly configured example, please see the German sister site "domain-ermittlung.de".)
If the reverse lookup does resolve the IP address, but to a name other than the original domain, you are normally dealing with the hostname the ISP assigned when the server was set up, e.g.:
domain-investigation.eu.pn ---( A RR )---> 83.125.22.219 ---( PTR RR )---> f15-www.runhosting.com
One reason for this may be that the customer cannot create PTR Resource Records themselves (which is usually the case with web hosting services) or simply forgot to do so.
If a household connects to the internet via a router (e.g. ISDN, VDSL, LTE, ...), you are normally dealing with hostnames such as p7B7B7B7B.dip0.t-ipconnect.de.
Since, back in the days of forced disconnection, IP addresses and hostnames changed at least daily, a market for Dynamic DNS providers developed, e.g.:
athome.dyndns.org ---( A )---> 123.123.123.123 ---( PTR )---> p7B7B7B7B.dip0.t-ipconnect.de
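The three outcomes described above (no PTR at all, a PTR that matches the forward name, and a PTR that names an ISP- or hoster-assigned host) can be told apart mechanically. This added example (not code from the original page) builds the in-addr.arpa name that dig -x queries and parses a dig reply with awk, so the check can run offline on captured output. The first embedded reply is the NXDOMAIN answer for 94.136.40.161 shown above; the second is a constructed NOERROR reply modelled on the domain-investigation.eu.pn example. The function names are this example's own.

```shell
#!/bin/sh
# Added example: reverse-lookup helpers that work on dig output.
# POSIX sh plus awk, so it also runs on replies saved to a file.

# 94.136.40.161 -> 161.40.136.94.in-addr.arpa. (the name dig -x asks for)
in_addr_arpa() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo "$4.$3.$2.$1.in-addr.arpa."
}

# Read a dig reply on stdin and print "<status> <rdata>", where rdata is
# the data of the first ANSWER record of type $1 (A, AAAA, PTR, CNAME ...)
# or "-" when the answer section holds no record of that type.
dig_answer() {
    awk -v want="$1" '
        /^;; ->>HEADER<<-/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ { in_answer = 0 }
        in_answer && $4 == want && rdata == "" { rdata = $NF }
        END { print (status == "" ? "?" : status), (rdata == "" ? "-" : rdata) }'
}

# Compare the PTR name in a dig -x reply (stdin) with the forward name $1.
# Prints "no-ptr (STATUS)", "matches NAME" or "differs NAME".
ptr_verdict() {
    forward=${1%.}
    set -- $(dig_answer PTR)
    status=$1; ptr=$2
    if [ "$ptr" = "-" ]; then
        echo "no-ptr ($status)"
    elif [ "${ptr%.}" = "$forward" ]; then
        echo "matches $ptr"
    else
        echo "differs $ptr"
    fi
}

# Test input 1: the NXDOMAIN reply for 94.136.40.161 shown above.
NXDOMAIN_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53562
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;161.40.136.94.in-addr.arpa. IN PTR'

# Test input 2: a constructed NOERROR reply modelled on the
# domain-investigation.eu.pn -> 83.125.22.219 -> f15-www.runhosting.com example.
HOSTER_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;219.22.125.83.in-addr.arpa. IN PTR
;; ANSWER SECTION:
219.22.125.83.in-addr.arpa. 3600 IN PTR f15-www.runhosting.com.
;; Query time: 0 msec'

in_addr_arpa 94.136.40.161
printf '%s\n' "$NXDOMAIN_REPLY" | ptr_verdict webmail.123-reg.co.uk
printf '%s\n' "$HOSTER_REPLY"   | ptr_verdict domain-investigation.eu.pn
```

With a live resolver the same check is `dig -x "$ip" | ptr_verdict "$name"`; for a "differs" result, a second `dig A` on the PTR name tells you whether that hostname at least points back to the address (a hoster-assigned name normally does, a stale or deliberately misleading one does not).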
IPv6
If, by contrast, the answer is eight groups of two bytes (= 16 bits each) written in hexadecimal notation and separated by colons, you are dealing with an IPv6 address.
The AAAA Resource Record of "www.ipv6.org.uk", for example, reads "2001:630:d0:f104::80e" (because "webmail.123-reg.co.uk" does not have an AAAA Record).
Linux/BSD/Unix
$ dig AAAA www.ipv6.org.uk
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> AAAA www.ipv6.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54288
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ipv6.org.uk. IN AAAA
;; ANSWER SECTION:
www.ipv6.org.uk. 28716 IN CNAME websites1.ecs.soton.ac.uk.
websites1.ecs.soton.ac.uk. 1716 IN AAAA 2001:630:d0:f104::80e
;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 98
Microsoft Windows
PS C:\WINDOWS\system32> nslookup -q=AAAA www.ipv6.org.uk
Server: fritz.box
Address: 192.168.178.1
Non-authoritative answer:
Name: websites1.ecs.soton.ac.uk
Address: 2001:630:d0:f104::80e
Aliases: www.ipv6.org.uk
eToolz
Unfortunately, eToolz does not currently support IPv6 queries!
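The compressed form in the answer above ("2001:630:d0:f104::80e", where "::" stands for one or more all-zero groups and leading zeros within a group are dropped) has to be expanded before an address can be compared or reverse-looked-up. This added example (not code from the original page) expands an IPv6 address to its eight four-digit groups, derives the nibble-reversed ip6.arpa name that a reverse lookup queries (the IPv6 counterpart of in-addr.arpa above), and labels the well-known ranges. The range labels are assumed from the standard allocations (::1, fe80::/10, fc00::/7, ff00::/8, 2000::/3) rather than taken from this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example: expand a compressed IPv6 address, build its ip6.arpa name
# and label well-known ranges. POSIX sh plus awk.

# 2001:630:d0:f104::80e -> 2001:0630:00d0:f104:0000:0000:0000:080e
# Exits 1 on more than one "::", a wrong group count or a non-hex group.
ip6_expand() {
    awk -v addr="$1" 'BEGIN {
        n = split(addr, half, "::")
        if (n > 2) exit 1
        nl = split(half[1], left, ":")
        nr = (n == 2) ? split(half[2], right, ":") : 0
        fill = 8 - nl - nr                    # groups the "::" stands for
        if ((n == 1 && fill != 0) || (n == 2 && fill < 1)) exit 1
        for (i = 1; i <= nl; i++) g[i] = left[i]
        for (i = 1; i <= fill; i++) g[nl + i] = "0"
        for (i = 1; i <= nr; i++) g[nl + fill + i] = right[i]
        for (i = 1; i <= 8; i++) {
            v = tolower(g[i])
            if (v !~ /^[0-9a-f][0-9a-f]?[0-9a-f]?[0-9a-f]?$/) exit 1
            out = out (i > 1 ? ":" : "") substr("0000", 1, 4 - length(v)) v
        }
        print out
    }'
}

# Expanded address -> nibble-reversed name under ip6.arpa.
ip6_arpa() {
    expanded=$(ip6_expand "$1") || return 1
    printf '%s\n' "$expanded" | awk '{
        gsub(/:/, "")
        for (i = length($0); i >= 1; i--) name = name substr($0, i, 1) "."
        print name "ip6.arpa."
    }'
}

# Label the address by its first 16-bit group (standard ranges, assumed here).
ip6_classify() {
    expanded=$(ip6_expand "$1") || { echo invalid; return 1; }
    first=$(( 0x${expanded%%:*} ))
    if [ "$expanded" = "0000:0000:0000:0000:0000:0000:0000:0001" ]; then
        echo loopback                                   # ::1/128
    elif [ $(( first & 0xffc0 )) -eq $(( 0xfe80 )) ]; then
        echo link-local                                 # fe80::/10
    elif [ $(( first & 0xfe00 )) -eq $(( 0xfc00 )) ]; then
        echo unique-local                               # fc00::/7
    elif [ $(( first & 0xff00 )) -eq $(( 0xff00 )) ]; then
        echo multicast                                  # ff00::/8
    elif [ $(( first & 0xe000 )) -eq $(( 0x2000 )) ]; then
        echo global-unicast                             # 2000::/3
    else
        echo other
    fi
}

# Constructed sample addresses: the AAAA record above plus reserved ones.
for a in 2001:630:d0:f104::80e fe80::1 fd00::1 ff02::1 ::1; do
    printf '%-24s %s  %s\n' "$a" "$(ip6_expand "$a")" "$(ip6_classify "$a")"
    printf '%-24s %s\n' "" "$(ip6_arpa "$a")"
done
```

The link-local test masks the first group with 0xffc0 because fe80::/10 covers only the top ten bits; comparing the whole group to fe80 would wrongly reject addresses such as feb0::1 that belong to the same range.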
The following IPv6 subnets are reserved for local networks: