6. Internet Protocol Address

IPv4

If the answer is four bytes (of eight bits each) written in decimal notation (leading zeros may be omitted) and separated by dots, you are dealing with an IPv4 address.

If IP addresses are "hidden" across several log files, you can find and process them with a regular expression, for example:

# IPV4EXTREGEXP="((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
# zgrep --extended-regexp \
             --only-matching \
             --no-filename "${IPV4EXTREGEXP}" /var/log/nginx/access.log* \
| sort \
| uniq --count \
| sort --numeric-sort --reverse \
| awk '$1 >= 100 { print $0; }'
   1493 87.148.0.84
    493 93.230.182.70
    406 213.133.113.83
    389 213.133.113.86
    386 93.230.190.40
    384 213.133.113.84
    370 205.211.169.31
    289 79.211.37.31
    288 178.255.215.98
    210 79.211.37.154
    112 62.214.90.107

In our example, the A Resource Record is "94.136.40.161".

Linux/BSD/Unix

$ dig A webmail.123-reg.co.uk

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> A webmail.123-reg.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46533
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;webmail.123-reg.co.uk.        IN    A

;; ANSWER SECTION:
webmail.123-reg.co.uk.    216  IN    A    94.136.40.161

;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 55

Microsoft Windows

PS C:\WINDOWS\system32> nslookup -q=A webmail.123-reg.co.uk
Server:  fritz.box
Address:  192.168.178.1

Non-authoritative answer:
Name:    webmail.123-reg.co.uk
Address:  94.136.40.161

eToolz

eToolz DNS - A RR

Note that not all IP addresses are unique worldwide.

Programmers realised fairly early that the theoretically possible 4,294,967,296 IPv4 addresses could be used up faster than expected.
For this reason, they defined private subnets that may be assigned many times over in local networks and are not forwarded by routers onto the internet.
These subnets can themselves be subdivided into several smaller subnets.

The size of a subnet is defined by a subnet mask.
In the case of IPv4, the subnet mask is also 4 x 8 bits = 32 bits long.
The ones (1) mark the part of the IPv4 address that is shared by the whole network, whereas the zeros (0) mark the part available for the individual addresses of specific computers.
The network mask can be written like an IPv4 address (e.g. 255.255.255.0) or in CIDR notation (e.g. /24). In CIDR notation, the number after the "/" (slash) is the number of ones (1) in the network mask, counted from the left (in a valid mask the ones are contiguous).

Private subnets:
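The subnet-mask and CIDR arithmetic described above, applied to the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), as an added Python example that is not part of the original page; the RFC 1918 ranges and the check that a dotted-quad netmask has contiguous ones are taken from the RFC, not from the page.

```python
# Added example (not from the original page): IPv4 subnet-mask and CIDR
# arithmetic, applied to the RFC 1918 private ranges.

# Constructed data: the three RFC 1918 private IPv4 ranges in CIDR notation.
PRIVATE_SUBNETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def ipv4_to_int(address):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {address!r}")
    value = 0
    for octet in octets:
        number = int(octet, 10)          # leading zeros are tolerated here
        if not 0 <= number <= 255:
            raise ValueError(f"octet out of range: {octet!r}")
        value = (value << 8) | number    # first octet ends up in the high bits
    return value

def int_to_ipv4(value):
    """Unpack a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/24 -> 0xFFFFFF00: 'prefix' ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """255.255.255.0 -> 24: count the ones in a dotted-quad netmask."""
    value = ipv4_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:  # the ones must be contiguous from the left
        raise ValueError(f"not a valid netmask: {mask}")
    return prefix

def in_subnet(address, cidr):
    """True if 'address' has the same network part as the 'cidr' block."""
    network, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return ipv4_to_int(address) & mask == ipv4_to_int(network) & mask

def is_private(address):
    """True for addresses from the RFC 1918 ranges (not unique worldwide)."""
    return any(in_subnet(address, cidr) for cidr in PRIVATE_SUBNETS)
```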

If, during a home visit, you are interested in both the network traffic and statistics about the IPv4 addresses involved, first record the network traffic to forensic standards and then produce the statistics with, for example, tcpdump and a little command-line kung fu:

# netsniff-ng -i eth2 -o traffic.pcap -J -H -s
Running! Hang up with ^C!

        1088 packets incoming (6 unread on exit)
        1094 packets passed filter
           0 packets failed filter (out of space)
      0.0000% packet droprate
          12 sec, 489895 usec in total
# tcpdump -r traffic.pcap -n -t ip 2> /dev/null \
  | cut -d " " -f 2,3,4 \
  | tr ">" "\n" \
  | tr -d " :" \
  | cut -d "." -f 1,2,3,4 \
  | sort \
  | uniq -c \
  | sort -nr

[...]

Domain ≠ Hostname

The PTR (Pointer) Resource Record is responsible for a reverse lookup, e.g.:

Linux/BSD/Unix

$ dig -x 94.136.40.161

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -x 94.136.40.161
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53562
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;161.40.136.94.in-addr.arpa.    IN    PTR

;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 44

Microsoft Windows

PS C:\WINDOWS\system32> nslookup -q=PTR 94.136.40.161
Server:  fritz.box
Address:  192.168.178.1

*** fritz.box can't find 161.40.136.94.in-addr.arpa.: Non-existent domain

eToolz

eToolz DNS - PTR RR

If the IP address cannot be resolved at all in a reverse lookup (as in our example), you are dealing with a deliberate or unintentional misconfiguration.
(For a correctly configured example, please see the German sister site "domain-ermittlung.de".)

If the reverse lookup does resolve the IP address, but not to the original domain, you are normally dealing with the hostname the ISP assigned when the server was set up, e.g.:

domain-investigation.eu.pn ---( A RR )---> 83.125.22.219 ---( PTR RR )---> f15-www.runhosting.com

One reason for this may be that the customer cannot create PTR Resource Records themselves (which is usually the case with web hosting services) or simply forgot to do so.

If a household connects to the internet via a router (e.g. ISDN, VDSL, LTE, ...), you are normally dealing with ISP-assigned hostnames, e.g.: p7B7B7B7B.dip0.t-ipconnect.de.

Since, back in the days of daily forced disconnection, IP addresses and hostnames changed at least once a day, a market for Dynamic DNS providers developed, e.g.:

athome.dyndns.org ---( A )---> 123.123.123.123 ---( PTR )---> p7B7B7B7B.dip0.t-ipconnect.de

IPv6

If, by contrast, the answer consists of eight groups of two bytes (= 16 bits each) written in hexadecimal notation and separated by colons, you are dealing with an IPv6 address.

The AAAA Resource Record of "www.ipv6.org.uk", for example, reads "2001:630:d0:f104::80e" (because "webmail.123-reg.co.uk" does not have an AAAA Record).

Linux/BSD/Unix

$ dig AAAA www.ipv6.org.uk

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> AAAA www.ipv6.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54288
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ipv6.org.uk.                IN    AAAA

;; ANSWER SECTION:
www.ipv6.org.uk.           28716 IN    CNAME   websites1.ecs.soton.ac.uk.
websites1.ecs.soton.ac.uk. 1716  IN    AAAA    2001:630:d0:f104::80e

;; Query time: 0 msec
;; SERVER: 10.1.1.11#53(10.1.1.11)
;; WHEN: Tue Aug 23 15:23:53 CEST 2016
;; MSG SIZE rcvd: 98

Microsoft Windows

PS C:\WINDOWS\system32> nslookup -q=AAAA www.ipv6.org.uk
Server:  fritz.box
Address:  192.168.178.1

Non-authoritative answer:
Name:    websites1.ecs.soton.ac.uk
Address:  2001:630:d0:f104::80e
Aliases:  www.ipv6.org.uk

eToolz

Unfortunately, eToolz does not currently support IPv6 queries!

The following IPv6 subnets are reserved for local networks:
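The IPv6 notation described above (eight 16-bit groups in hexadecimal, one run of zero groups compressible to "::") together with a check against local-use address ranges, as an added Python example that is not part of the original page; the link-local (fe80::/10) and unique-local (fc00::/7) prefixes are assumed from RFC 4291 and RFC 4193, not taken from the page.

```python
# Added example (not from the original page): expand a compressed IPv6
# address into its eight 16-bit groups and test it against the prefixes
# reserved for local use.

# Constructed data (assumed, not from the page): link-local fe80::/10
# and unique local addresses fc00::/7.
LOCAL_PREFIXES = {"fe80::/10": "link-local", "fc00::/7": "unique local"}

def expand_ipv6(address):
    """Expand '2001:630:d0:f104::80e' into eight 16-bit integers."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in address:
        head, tail = address.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = address.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"not an IPv6 address: {address!r}")
    return [int(g, 16) for g in groups]

def full_form(address):
    """Uncompressed notation, every group padded to four hex digits."""
    return ":".join(f"{g:04x}" for g in expand_ipv6(address))

def ipv6_to_int(address):
    """Pack the eight groups into one 128-bit integer (first group high)."""
    value = 0
    for group in expand_ipv6(address):
        value = (value << 16) | group
    return value

def in_prefix(address, cidr):
    """True if the first 'length' bits of address and network agree."""
    network, length = cidr.split("/")
    mask = ((1 << 128) - 1) ^ ((1 << (128 - int(length))) - 1)
    return ipv6_to_int(address) & mask == ipv6_to_int(network) & mask

def local_scope(address):
    """Name of the local-use range the address falls in, else None."""
    for cidr, name in LOCAL_PREFIXES.items():
        if in_prefix(address, cidr):
            return name
    return None
```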
