# Netstat Data Sample

In [5]:
# Echo the raw netstat capture so the sample the WHOIS lookup parses is visible.
with open('netstat_sample1.log', 'r') as log_file:
    data = log_file.read()
    print(data)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2666            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      
tcp        0      0 123.108.163.56:50596    101.201.151.78:50000    ESTABLISHED 
tcp        0      0 127.0.0.1:41282         127.0.0.1:40920         ESTABLISHED 
tcp        0      0 127.0.0.1:53375         127.0.0.1:37474         ESTABLISHED 
tcp        0      0 127.0.0.1:37188         127.0.0.1:47231         ESTABLISHED 
tcp        0      0 127.0.0.1:40920         127.0.0.1:41282         ESTABLISHED 
tcp        0      0 127.0.0.1:49774         127.0.0.1:37635         ESTABLISHED 
tcp       24      0 123.108.163.56:39571    47.105.57.238:2008

# IP(Foreign) Lookup with WHOIS API Results

In [6]:
# -*- coding: utf-8 -*-
# @Author: Kyle Song
# @Date:   2020-06-16 17:21:15
# @Last Modified by:   Kyle Song
# @Last Modified time: 2020-06-19 09:19:05

import glob
import json
import os
import urllib.parse
import urllib.request


""" 
Country Code Reference URL:
http://www.iegate.net/country_code.php

Whois API키는 개인적으로 직접 발급 받아야함(whois.kisa.or.kr)
"""

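def main(lookup=None):
    """Scan every ``*.log`` file below the working directory for ESTABLISHED
    netstat connections and print the WHOIS country code of each foreign peer.

    Args:
        lookup: optional callable ``lookup(ip) -> str`` returning the raw JSON
            WHOIS response text.  Defaults to :func:`whois_api`; exposed so the
            scan can run without network access (e.g. in tests).

    Loopback peers (lines containing ``127.0.0.1``) are skipped.  Lines that
    do not have the expected netstat column layout, and WHOIS answers that are
    not JSON or lack a ``countryCode`` field, are reported for that line and
    the scan continues instead of aborting on the first odd entry.
    """
    if lookup is None:
        lookup = whois_api

    # os.path.join keeps the pattern portable: the original '.\\**\\*.log'
    # only matched on Windows, since glob does not treat '\\' as a separator
    # elsewhere.  recursive=True lets '**' descend into subdirectories.
    # sorted() makes the report order independent of filesystem order.
    log_pattern = os.path.join('.', '**', '*.log')
    for file in sorted(glob.glob(log_pattern, recursive=True)):
        # relpath drops the leading './' (or '.\\') that the pattern adds,
        # which the original did with file[2:].
        print(f"[+] Filename: {os.path.relpath(file)} - Whois(whois.kisa.or.kr) Result:")

        # 'with' guarantees the handle is closed even if a lookup raises.
        with open(file, mode='r') as fh:
            for oneline in fh:
                foreign_ip = _foreign_ip(oneline)
                if foreign_ip is None:
                    continue

                # Expected answer shape (from the KISA OpenAPI):
                # {"whois":{"query":"47.105.57.238","queryType":"IPv4","registry":"APNIC","countryCode":"CN"}}
                try:
                    whois_result = json.loads(lookup(foreign_ip))
                except json.JSONDecodeError:
                    # e.g. an HTML error page for a bad key; keep scanning.
                    print(f" [-] IP: {foreign_ip}, CountryCode: <non-JSON WHOIS response>")
                    continue

                whois_info = whois_result.get('whois') if isinstance(whois_result, dict) else None
                country = whois_info.get('countryCode', 'UNKNOWN') if isinstance(whois_info, dict) else 'UNKNOWN'
                print(f" [-] IP: {foreign_ip}, CountryCode: {country}")


def _foreign_ip(line):
    """Return the foreign IP of an ESTABLISHED, non-loopback netstat line, else None.

    The foreign endpoint is the fifth whitespace-separated column
    (``Foreign Address`` in the netstat header).  Lines with fewer columns
    are rejected rather than raising IndexError.
    """
    if "ESTABLISHED" not in line or "127.0.0.1" in line:
        return None
    columns = line.split()
    if len(columns) < 5:
        return None
    # rsplit on the last ':' so an IPv6 foreign address keeps its inner colons;
    # identical to split(':')[0] for IPv4.
    return columns[4].rsplit(':', 1)[0]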


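def whois_api(ip, key=None, timeout=10):
    """Query the KISA WHOIS OpenAPI for ``ip`` and return the raw response text.

    Args:
        ip: IP address string taken from the netstat log.  It is URL-encoded
            before being placed in the query string, so characters in a log
            line cannot alter the request.
        key: API key.  When omitted, the ``WHOIS_KISA_API_KEY`` environment
            variable (name chosen here) is used, then the placeholder string
            below.  The key must be requested individually from whois.kisa.or.kr.
        timeout: seconds to wait for the HTTP response before giving up.

    Returns:
        The response body decoded as UTF-8 (JSON text when ``answer=json`` is
        honoured; see the shape noted in main()).

    Raises:
        urllib.error.URLError / HTTPError on connection or HTTP failures, and a
        timeout error when the server does not answer within ``timeout``.
    """
    if key is None:
        key = os.environ.get(
            'WHOIS_KISA_API_KEY',
            'you_need_to_request_the_private_api_key_from_whois.kisa.or.kr',
        )
    # urlencode escapes every value; parameter order matches the original URL.
    # NOTE(review): the endpoint is plain http, so the key is sent in clear —
    # check whether the service offers https before using a production key.
    params = urllib.parse.urlencode({'query': ip, 'key': key, 'answer': 'json'})
    query = "http://whois.kisa.or.kr/openapi/whois.jsp?" + params
    # The context manager closes the response; the original never did.
    with urllib.request.urlopen(query, timeout=timeout) as response:
        return response.read().decode("utf-8")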


# Entry point when this cell (or the script it was copied from) runs directly.
if __name__ == '__main__':
    main()

[+] Filename: netstat_sample1.log - Whois(whois.kisa.or.kr) Result:
 [-] IP: 101.201.151.78, CountryCode: CN
 [-] IP: 47.105.57.238, CountryCode: CN
 [-] IP: 212.83.171.224, CountryCode: FR
 [-] IP: 101.201.151.78, CountryCode: CN
 [-] IP: 47.105.57.238, CountryCode: CN
[+] Filename: netstat_sample2.log - Whois(whois.kisa.or.kr) Result:
 [-] IP: 101.201.151.78, CountryCode: CN
 [-] IP: 47.105.57.238, CountryCode: CN
 [-] IP: 184.105.247.196, CountryCode: US
 [-] IP: 47.105.57.238, CountryCode: CN
 [-] IP: 101.201.151.78, CountryCode: CN
