CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
SiLK 2.1.0 | YAF 1.0.0.2 | IPA 0.4.0 | fixbuf 0.8.0 | Portal 0.9.0 | RAVE 1.9.16 | iSiLK 0.1.6
SiLK - Documentation - rwresolve


NAME

rwresolve - Convert IP addresses in delimited text to hostnames


SYNOPSIS

  rwresolve [--ip-fields=FIELDS] [--delimiter=C] [--column-width=N]
      [--resolver={ adns | getnameinfo | gethostbyaddr }]
      [--max-requests=N]
  rwresolve --help
  rwresolve --version


DESCRIPTION

rwresolve is a pipe-lining application to resolve the IP addresses that appear in delimited textual input and replace the IP address with its hostname.

rwresolve does a DNS query for every IP address, so it can be extremely slow. rwresolve works best on very limited data sets. To reduce the number of DNS calls it makes, rwresolve caches the results of queries. rwresolve will also use the ADNS (Asynchronous DNS) library if that library was found when SiLK was configured.

When an IP address resolves to multiple names, rwresolve prints the first name returned by the resolver.

rwresolve is designed specifically to deal with the output of rwcut(1), though it will work with other SiLK tools that produce delimited text. rwresolve reads the standard input, splits each line into fields based on the delimiter (default '|'), and converts the specified FIELDS (default fields 1 and 2) from a dotted-decimal IP address to a hostname. If a field cannot be parsed as an IPv4 address, or if the lookup fails to return a hostname, the field is not modified. The fields to convert are specified via the --ip-fields=FIELDS option. The --delimiter option can be used to specify an alternate delimiter.

Since hostnames are generally wider than IP addresses, use of the --column-width switch is advised to increase the width of the IP columns. If this switch is not specified, no justification of hostnames is attempted.

By default, rwresolve will use the ADNS library if available. To choose a different IP lookup method, use the --resolver switch.

The maximum number of parallel DNS queries to attempt with ADNS can be specified with the --max-requests switch.
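The field splitting, lookup caching and column padding described above, as an added example that is not SiLK's own code: a small Python re-implementation of rwresolve's text handling. It takes an injectable resolver so it can be exercised offline against a constructed name table (the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses and the example.net names below are made up for the demonstration); the default resolver calls the C library's gethostbyaddr(3) through Python's socket module. Left-justified padding for --column-width is an assumption here; the manual does not state which way rwresolve justifies.

```python
"""rwresolve-like rewriting of IP fields in delimited text (added example, not SiLK code)."""
import argparse
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]


def default_resolver(ip: str) -> Optional[str]:
    """Reverse-resolve one IPv4 address via gethostbyaddr(3); None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror both derive from OSError
        return None


def table_resolver(names: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed IP -> hostname table."""
    return lambda ip: names.get(ip)


def is_ipv4(text: str) -> bool:
    """True only for a complete dotted-decimal address; header text like 'sIP' fails."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def resolve_lines(lines: Iterable[str],
                  ip_fields: Iterable[int] = (1, 2),
                  delimiter: str = "|",
                  column_width: Optional[int] = None,
                  resolver: Resolver = default_resolver) -> List[str]:
    """Replace the 1-based IP fields of each line with hostnames, as rwresolve does.

    A field that is not an IPv4 address, or whose lookup fails, is left as-is.
    Each distinct address is looked up once; failures are cached as well, so a
    repeated unresolvable address does not trigger another DNS query.
    """
    cache: Dict[str, Optional[str]] = {}
    fields = sorted(set(ip_fields))
    out: List[str] = []
    for raw in lines:
        cols = raw.rstrip("\n").split(delimiter)
        for n in fields:
            idx = n - 1
            if idx >= len(cols):
                continue  # short line: nothing to convert in this column
            text = cols[idx].strip()
            name = None
            if is_ipv4(text):
                if text not in cache:
                    cache[text] = resolver(text)
                name = cache[text]
            value = name if name is not None else cols[idx]
            if column_width is not None:
                # --column-width: the column always gets this width, resolved or not
                value = value.strip().ljust(column_width)
            cols[idx] = value
        out.append(delimiter.join(cols))
    return out


# Constructed sample: rwcut-style header plus two flow rows (sIP|dIP|sPort|)
SAMPLE_LINES = [
    "sIP|dIP|sPort|",
    "192.0.2.10|203.0.113.5|443|",
    "192.0.2.10|198.51.100.7|80|",
]
# Constructed reverse-DNS answers; 203.0.113.5 deliberately has none
SAMPLE_NAMES = {"192.0.2.10": "alpha.example.net", "198.51.100.7": "beta.example.net"}


def main(argv: Optional[List[str]] = None) -> None:
    """Filter stdin like rwresolve: --ip-fields, --delimiter, --column-width."""
    ap = argparse.ArgumentParser(description="rwresolve-like field rewriter (example)")
    ap.add_argument("--ip-fields", default="1,2", help="comma-separated 1-based columns")
    ap.add_argument("--delimiter", default="|")
    ap.add_argument("--column-width", type=int, default=None)
    args = ap.parse_args(argv)
    fields = [int(f) for f in args.ip_fields.split(",")]
    for line in resolve_lines(sys.stdin, fields, args.delimiter, args.column_width):
        print(line)


if __name__ == "__main__":
    main()
```

Run as a filter it reads delimited text on stdin exactly like rwresolve (`rwcut ... | python3 this.py --ip-fields=13 --column-width=30`); the offline table is what makes the caching behaviour observable, since a counting resolver sees each distinct address exactly once however many rows repeat it. Swapping in a resolver that consults a local reverse-DNS cache instead of gethostbyaddr(3) is the same mechanism the manual's --resolver switch exposes.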


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--ip-fields=FIELDS

Specify the column number(s) of the input that should be considered IP addresses. Column numbers start from 1. If not specified, the default is 1,2.

--delimiter=C

Specify the character that separates the columns of the input. The default is '|'.

--column-width=WIDTH

Set the width of the columns specified in --ip-fields to WIDTH. When specified, the FIELDS columns always have the specified WIDTH regardless of whether the IP to hostname mapping was successful. If this switch is not specified, fields containing IP addresses that could not be resolved will maintain their input length, and fields where the lookup was successful will be printed with no padding.

--resolver=adns

Use the ADNS library to convert the IP addresses to hostnames. Requires that the ADNS library was found when SiLK was configured.

--resolver=getnameinfo

Use the getnameinfo(3) C library function to convert IP addresses to hostnames.

--resolver=gethostbyaddr

Use the gethostbyaddr(3) C library function to convert IP addresses to hostnames.

--max-requests=MAX

When ADNS is used, limit the number of outstanding DNS queries active at any one time to MAX.

--help

Print the available options and exit.

--version

Print the version number and information about how SiLK was configured, then exit the application.


EXAMPLE

Suppose you have found some interesting data, and you want to look up the hostnames of the sources. In addition to the default fields of 1-12 produced by rwcut, you also want to append to each row the hostname of the source IP:

    rwcut --fields=1-12,1 interesting.rwf | \
        rwresolve --ip-field=13


ENVIRONMENT

When ADNS is used, the following environment variables affect it. The ADNS_ form of each variable takes precedence.

RES_CONF
ADNS_RES_CONF

A filename, whose contents are in the format of resolv.conf.

RES_CONF_TEXT
ADNS_RES_CONF_TEXT

A string in the format of resolv.conf.

RES_OPTIONS
ADNS_RES_OPTIONS

These are parsed as if they appeared in the options line of a resolv.conf. In addition to being parsed at this point in the sequence, they are also parsed at the very beginning before resolv.conf or any other environment variables are read, so that any debug option can affect the processing of the configuration.

LOCALDOMAIN
ADNS_LOCALDOMAIN

These are interpreted as if their contents appeared in a search line in resolv.conf.


SEE ALSO

rwcut(1)


BUGS

Because rwresolve must do a DNS query for every IP address, it is extremely slow.

The output from rwresolve is rarely columnar because hostnames can be very long. You may want to consider putting the resolved hostnames in the final column of output.