Tag Archives: Geolocation

Geolocation lookups in Linux (/Ubuntu)

Have written a short post on this before, but it seems that I’ve only scratched the surface 🙂

For Ubuntu/Debian users, the APT package to install would be:

$ sudo apt-get install geoip-bin

In addition to its commercial offerings, MaxMind has free Country and City, and AS number lookup databases that can be queried using these command line tools in Linux. Installing the geoip-bin package installs the free version of the country database, but you don’t need to stop there!

By default, the free IP-Country database is situated at /usr/share/GeoIP/GeoIP.dat. Do note that the APT package for it is NOT updated automatically, so you will need to update it yourself.

Grabbing hold of the other two free databases (they’re updated monthly I think) and placing them the shared folder. IP-ASN is a nice way to quickly determine the ownership of an IP address, which you can follow up with actually looking through the WHOIS info should that be too generic. IP-City info comes with geolocation (lat-long coordinates!) info, which is very nice for plotting IP address lists on nice maps for analysis, or for the less technically inclined (or your bosses :P).

$ ls /usr/share/GeoIP/
GeoIPASNum.dat  GeoIP.dat  GeoLiteCity.dat

It appears that GeoIP and GeoIPASNum are queried automatically by default

$ geoiplookup 8.8.8.8
GeoIP Country Edition: US, United States
GeoIP ASNum Edition: AS15169 Google Inc.

Now let’s try querying for basic location information:

$ geoiplookup 8.8.8.8 -f /usr/share/GeoIP/GeoLiteCity.dat 
GeoIP City Edition, Rev 1: US, N/A, N/A, N/A, 38.000000, -97.000000, 0, 0

What are the MaxMind database versions currently “installed”?

$ geoiplookup 8.8.8.8 -v
GeoIP Country Edition: GEO-106FREE 20120403 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved
GeoIP ASNum Edition: GEO-117 20120402 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved

$ geoiplookup 8.8.8.8 -f /usr/share/GeoIP/GeoLiteCity.dat -v
GeoIP City Edition, Rev 1: GEO-533LITE 20120403 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved

If you want more verbose reporting (shows the IP address block that matched the query):

$ geoiplookup 8.8.8.8 -i
GeoIP Country Edition: US, United States
  ipaddr: 8.8.8.8
  range_by_ip:  8.7.211.0 - 8.14.223.255
  network:      8.8.0.0 - 8.11.255.255 ::14
  ipnum: 134744072
  range_by_num: 134730496 - 135192575
  network num:  134742016 - 135004159 ::14
GeoIP ASNum Edition: AS15169 Google Inc.
  ipaddr: 8.8.8.8
  range_by_ip:  8.8.8.0 - 8.8.8.255
  network:      8.8.8.0 - 8.8.8.255 ::24
  ipnum: 134744072
  range_by_num: 134744064 - 134744319
  network num:  134744064 - 134744319 ::24

$ geoiplookup 8.8.8.8 -f /usr/share/GeoIP/GeoLiteCity.dat -i
GeoIP City Edition, Rev 1: US, N/A, N/A, N/A, 38.000000, -97.000000, 0, 0
  ipaddr: 8.8.8.8
  range_by_ip:  8.7.228.0 - 8.8.37.255
  network:      8.8.0.0 - 8.8.31.255 ::19
  ipnum: 134744072
  range_by_num: 134734848 - 134751743
  network num:  134742016 - 134750207 ::19

Cooking all of this with a little CLI script-fu for mass lookups!

$ output=outputfile.csv; echo "ip,country" > $output; for  i in $( cat /path/to/list-of-ips.txt ); do echo "$i,\"$( geoiplookup -f /usr/share/GeoIP/GeoIP.dat $i | cut -d' ' -f4-99 )\"" >> $output; done

HTH, and have fun!

Doing geolocation lookups in command line

Did you know that it’s possible to do your own geoip lookups from the linux command line?

You need to install the geoip-bin package in Ubuntu/Debian’s APT system:

sudo apt-get install geoip-bin

Then after which, lookups can be done as simply as:

$ geoiplookup 8.8.8.8
GeoIP Country Edition: US, United States

Note that the lookups are based on the GeoLite Country database.  For more detailed geoip lookups you will need to buy the better databases.

Getting additional (IP/network/location) info along with your Splunk searches

Chanced upon some of the info by accident (smack at the bottom of one part of the Splunk documentation…), but I can’t find it now.  Going to share here anyway 😀

Some (or probably most/all) of your searches might involve public IP addresses, and more often than not we would want to have additional info along with the IP address to work with.

Three of the things that we could do in Splunk automatically would be to get IP-location info, or to reverse lookup an IP to a domain, or to lookup a domain to an IP.

Continue reading Getting additional (IP/network/location) info along with your Splunk searches