Have written a short post on this before, but it seems that I’ve only scratched the surface 🙂
For Ubuntu/Debian users, the APT package to install would be:
$ sudo apt-get install geoip-bin
In addition to its commercial offerings, MaxMind has free Country and City, and AS number lookup databases that can be queried using these command line tools in Linux. Installing the geoip-bin package installs the free version of the country database, but you don’t need to stop there!
By default, the free IP-Country database is situated at
/usr/share/GeoIP/GeoIP.dat. Do note that the APT package for it is NOT updated automatically, so you will need to update it yourself.
Grabbing hold of the other two free databases (they’re updated monthly I think) and placing them the shared folder. IP-ASN is a nice way to quickly determine the ownership of an IP address, which you can follow up with actually looking through the WHOIS info should that be too generic. IP-City info comes with geolocation (lat-long coordinates!) info, which is very nice for plotting IP address lists on nice maps for analysis, or for the less technically inclined (or your bosses :P).
$ ls /usr/share/GeoIP/ GeoIPASNum.dat GeoIP.dat GeoLiteCity.dat
It appears that GeoIP and GeoIPASNum are queried automatically by default
$ geoiplookup 126.96.36.199 GeoIP Country Edition: US, United States GeoIP ASNum Edition: AS15169 Google Inc.
Now let’s try querying for basic location information:
$ geoiplookup 188.8.131.52 -f /usr/share/GeoIP/GeoLiteCity.dat GeoIP City Edition, Rev 1: US, N/A, N/A, N/A, 38.000000, -97.000000, 0, 0
What are the MaxMind database versions currently “installed”?
$ geoiplookup 184.108.40.206 -v GeoIP Country Edition: GEO-106FREE 20120403 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved GeoIP ASNum Edition: GEO-117 20120402 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved $ geoiplookup 220.127.116.11 -f /usr/share/GeoIP/GeoLiteCity.dat -v GeoIP City Edition, Rev 1: GEO-533LITE 20120403 Build 1 Copyright (c) 2012 MaxMind Inc All Rights Reserved
If you want more verbose reporting (shows the IP address block that matched the query):
$ geoiplookup 18.104.22.168 -i GeoIP Country Edition: US, United States ipaddr: 22.214.171.124 range_by_ip: 126.96.36.199 - 188.8.131.52 network: 184.108.40.206 - 220.127.116.11 ::14 ipnum: 134744072 range_by_num: 134730496 - 135192575 network num: 134742016 - 135004159 ::14 GeoIP ASNum Edition: AS15169 Google Inc. ipaddr: 18.104.22.168 range_by_ip: 22.214.171.124 - 126.96.36.199 network: 188.8.131.52 - 184.108.40.206 ::24 ipnum: 134744072 range_by_num: 134744064 - 134744319 network num: 134744064 - 134744319 ::24 $ geoiplookup 220.127.116.11 -f /usr/share/GeoIP/GeoLiteCity.dat -i GeoIP City Edition, Rev 1: US, N/A, N/A, N/A, 38.000000, -97.000000, 0, 0 ipaddr: 18.104.22.168 range_by_ip: 22.214.171.124 - 126.96.36.199 network: 188.8.131.52 - 184.108.40.206 ::19 ipnum: 134744072 range_by_num: 134734848 - 134751743 network num: 134742016 - 134750207 ::19
Cooking all of this with a little CLI script-fu for mass lookups!
$ output=outputfile.csv; echo "ip,country" > $output; for i in $( cat /path/to/list-of-ips.txt ); do echo "$i,\"$( geoiplookup -f /usr/share/GeoIP/GeoIP.dat $i | cut -d' ' -f4-99 )\"" >> $output; done
HTH, and have fun!