CERT/CC
background
background
CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
News | Downloads | Documentation | Wiki | Tooltips
SiLK 2.1.0 | YAF 1.0.0.2 | IPA 0.4.0 | fixbuf 0.8.0 | Portal 0.9.0 | RAVE 1.9.16 | iSiLK 0.1.6
SiLK - Documentation - rwgeoip2ccmap
Documentation | Downloads | Release Notes | FAQ | License | Credits | Reference Data | Live CD

NAME

rwgeoip2ccmap - Create a country code prefix map from a GeoIP data file

SYNOPSIS

  unzip -p GeoIPCountryCSV.zip | \
      rwgeoip2ccmap --csv-input > country_codes.pmap
  gzip -d -c GeoIP.dat.gz | \
      rwgeoip2ccmap --encoded-input > country_codes.pmap

DESCRIPTION

Prefix maps provide a way to map field values to string labels based on a user-defined map file. The country code prefix map, typically named country_codes.pmap, is a special prefix map that maps an IP address to a two-letter country code. It uses the country codes defined by the Internet Assigned Numbers Authority (http://www.iana.org/root-whois/index.html).

The country code prefix map is used by the ccfilter(3) plug-in to partition by, count by, sort by, and display the country code in SiLK Flow files. The rwip2cc(1) command can use the map file to display the country code for textual IP addresses.

The country code prefix map is based on the GeoIP Country(R) or free GeoLite database created by MaxMind(R) and available from http://www.maxmind.com/. The GeoLite database is a free evaluation copy that is 98% accurate which is updated monthly. MaxMind sells the GeoIP Country database which has over 99% accuracy and is updated weekly.

The database comes in two forms:

GeoIPCountryCSV.zip

as a compressed (zip) textual file containing the IP range, country name, and county code in a comma separated value (CSV) form

GeoIP.dat.gz

as a compressed (gzip) binary file containing an encoded form of the IP address range and country code

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

One of the following switches is required:

--csv-input

Treat the standard input as a textual stream containing the CSV (comma separated value) GeoIP country code data.

--encoded-input

Treat the standard input as a binary stream the encoded GeoIP country code data.

EXAMPLES

Obtain your copy of the MaxMind GeoIP Country database, either the comma separated value version or the binary version (GeoIP.dat.gz). To create the country_codes.pmap data file, run

Once you have created the country_codes.pmap file, you will need to copy it to $SILK_PATH/share/silk/country_codes.pmap so that the ccfilter plug-in will use it.

SEE ALSO

ccfilter(3), rwip2cc(1)

SiLK | YAF | IPA | fixbuf | Portal | RAVE | iSiLK
SiLK is part of the NetSA Security Suite, developed by the CERT NetSA group
at the Software Engineering Institute at Carnegie Mellon University.

© 2002-2009 Carnegie Mellon University