Skip to content
Find file
Fetching contributors…
Cannot retrieve contributors at this time
executable file 146 lines (119 sloc) 3.08 KB
#!/usr/bin/env ruby
##
## Copyright 2007 Matthew Lee Hinman
## matthew [dot] hinman [at] gmail [dot] com
##
## Query hostip.info to see where all the ip addresses in a pcap file
## originate from. Results are outputed into CSV format.
##
## Usage: ./iploc -r <pcap_file>
##
## Output format:
## <ip address>,<country>,<city and state>,<latitude>,<longitude>,<packet count>
##
require 'pcaplet'
include Pcap
## Hash containing all the addresses
$inaddrs = {}
$outaddrs = {}
class Address
def initialize(ip,country,city,lat,long)
@ip = ip
@country = country
@city = city
@lat = lat
@long = long
@count = 1
end
def inc
@count = @count + 1
end
def to_s
return "#{@ip.chomp},#{@country.chomp},#{@city.chomp},#{@lat.chomp},#{@long.chomp},#{@count}"
end
end
def aggregate
puts "Inbound Addresses:"
$inaddrs.each { |k,v|
puts v.to_s
}
puts "\nOutbound Addresses:"
$outaddrs.each { |k,v|
puts v.to_s
}
end
trap "SIGINT", proc{
aggregate()
exit(0)
}
pcaplet = Pcaplet.new("-n")
STDERR.puts "Aggregating...CTRL-C to finish (if in live capture mode)."
pcaplet.each_packet { |pkt|
if pkt.ip?
ipaddr = pkt.src.to_s
## Short-circuit if we already have it in the database
if $inaddrs.has_key?(ipaddr)
$inaddrs[ipaddr].inc()
next
end
fname = "/tmp/" + ipaddr + ".iptmp.tmp"
`wget -q 'http://api.hostip.info/get_html.php?ip=#{ipaddr}&position=true' -O #{fname}` unless File.exist?(fname)
f = File.open(fname,"r")
## Default values
country = "Unknown"
city = "Unknown"
lat = ""
long = ""
f.each_line {
|line|
#puts line
if line =~ /Country:\s([\s\S]+)$/i
country = $1
elsif line =~ /City:\s([\s\S]+)$/i
city = $1
elsif line =~ /Latitude:\s([\s\S]+)$/i
lat = $1
elsif line =~ /Longitude:\s([\s\S]+)$/i
long = $1
end
}
## Remove commas from city
city.gsub!(/,/,"")
$inaddrs[ipaddr] = Address.new(ipaddr,country,city,lat,long)
##############################
## Now for outbound packets ##
##############################
ipaddr = pkt.dst.to_s
## Short-circuit if we already have it in the database
if $outaddrs.has_key?(ipaddr)
$outaddrs[ipaddr].inc()
next
end
fname = "/tmp/" + ipaddr + ".iptmp.tmp"
`wget -q 'http://api.hostip.info/get_html.php?ip=#{ipaddr}&position=true' -O #{fname}` unless File.exist?(fname)
f = File.open(fname,"r")
## Default values
country = "Unknown"
city = "Unknown"
lat = ""
long = ""
f.each_line {
|line|
#puts line
if line =~ /Country:\s([\s\S]+)$/i
country = $1
elsif line =~ /City:\s([\s\S]+)$/i
city = $1
elsif line =~ /Latitude:\s([\s\S]+)$/i
lat = $1
elsif line =~ /Longitude:\s([\s\S]+)$/i
long = $1
end
}
## Remove commas from city
city.gsub!(/,/,"")
$outaddrs[ipaddr] = Address.new(ipaddr,country,city,lat,long)
end
}
## If we're reading a pcap file, it'll get here when it's done
aggregate()
Something went wrong with that request. Please try again.