Country codes are two-letter abbreviations assigned to IP addresses to designate the country to which the IPs are registered. See the IANA root domain list for a list of codes.
Country codes are enabled in SiLK using p-maps. In some network analysis environments, a default country code p-map is already installed, and it is very easy to use it to look at country codes in flow data.
First, see if your system has a default country code p-map.
- Test the rwip2cc command. Try: If the command outputs "us" (this is a google.com address), then your system is configured with a default country code p-map.
- Or, you can look for the file named country_codes.pmap in one of the following directories (note: $SILK_PATH is the value of the SILK_PATH environment variable, if it is set):
Second, see if your system has the ccfilter plugin installed. This C plugin ("ccfilter.so") introduces two keys:
- scc: source country code (field 18), and
- dcc: destination country code (field 19)
for use in rwcut, rwsort and rwuniq. In SiLK 2.0 and higher, scc and dcc can also be used as keys in rwstats.
To check to see if you have the ccfilter plugin, try running the following rwcut command:
If the command outputs the source IP and an "scc" column with "us" as the entry, then you have the ccfilter plugin installed by default.
If you have a default country code p-map and the ccfilter plugin, check out the rest of this tooltip for easy ways to look at country codes. If not, find out more about building your own country code p-map in the documentation for rwgeoip2ccmap, and about the ccfilter plugin in the documentation for ccfilter.
Country codes in Flow Data
In some cases we want to look at country codes in the context of flow records and not just IP addresses. Try the following rwuniq command:
This should return a bandwidth study by country code for the flows in your file. In addition to the usual records-bytes-packets output, the sip-distinct flag counts the number of distinct source IPs associated with each country code. You can also use the --fields=dcc and --dip-distinct flags to look at country codes for destination addresses.
Country codes in IP Sets and Text files
In some cases, we would like to summarize country codes for a static set of IPs, for example a watch list or a suspected botnet. This list may have been compiled outside of SiLK, or it may have been compiled from flow data but across many different flow files or time bins. The file may be a binary SiLK IP set, or a text file.
The rwip2cc command can be used to map a text file of addresses (1 per line) to country codes:
We can use UNIX tools to create a table of counts by country code. This command will sort the counts from most to least:
If you have a binary set created using rwset or rwsetbuild (myips.set), use rwsetcat to turn it into a text file first:
If you have a very large IP set, it will be quicker to use rwtuc and rwuniq, so that the sorting is done on binary records instead of running UNIX text processing over the large list of country codes:
The python script CCSetSummary.py at the end of this tooltip uses the rwtuc trick along with rwstats to get some more polished output. It will take IP sets or text files as input, along with rwstats summary commands, and return country names and country code statistics in rwstats format. Usage is:
where <rwstats commands> includes, e.g.:
- --count=N : Top N countries in the IP set
- --threshold=N : All countries with a count greater than N IP Addresses
- --percentage=N : All countries that comprise more than N percent of the set
The output looks like:
Because it uses rwtuc and text processing, the script can take a long time to run on a large IP set (e.g. 1 million IP addresses) for SiLK versions before 2.0; you may want to use the --threshold=1 flag and write the full list of counts to a file for further processing, instead of running the python script multiple times.
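The two workflows above (the rwuniq bandwidth study keyed on source country code with a distinct-IP count, and the --count / --threshold / --percentage summaries of an IP set that CCSetSummary.py gets from rwstats) re-created in plain Python, as an added example that is not the tooltip's script and not SiLK code. It assumes a small made-up prefix table in place of country_codes.pmap (a real p-map is built from a GeoIP feed with rwgeoip2ccmap), constructed flow records and address lists, and "--" as the marker for addresses the map does not cover; the p-map lookup is a longest-prefix match, which is why 10.20.3.4 resolves to the /16 entry and not the enclosing /8.

```python
# Added example, not part of the SiLK tooltip or the SiLK distribution.
# Re-creates in Python: a p-map lookup (stand-in for country_codes.pmap / rwip2cc),
# the rwuniq --fields=scc bandwidth study with a distinct source-IP count, and the
# --count / --threshold / --percentage selection of a country-code set summary.
# Every prefix, flow and address below is constructed sample data.
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> country-code table (assumption; not a real GeoIP feed).
CC_TABLE = {
    "10.0.0.0/8": "us",
    "10.20.0.0/16": "ca",      # more specific prefix must win over the /8
    "192.0.2.0/24": "de",
    "198.51.100.0/24": "fr",
}
UNKNOWN_CC = "--"   # assumption: marker used for addresses the map does not cover


def build_pmap(table):
    """Sort prefixes longest-first so the first containing network is the best match."""
    nets = [(ipaddress.ip_network(prefix), cc) for prefix, cc in table.items()]
    nets.sort(key=lambda net_cc: net_cc[0].prefixlen, reverse=True)
    return nets


PMAP = build_pmap(CC_TABLE)


def ip2cc(ip, pmap=PMAP):
    """Longest-prefix lookup of one address, the job rwip2cc does per input line."""
    addr = ipaddress.ip_address(ip)
    for net, cc in pmap:
        if addr in net:
            return cc
    return UNKNOWN_CC


# Constructed flow records: (sip, dip, bytes, packets)
FLOWS = [
    ("10.1.1.1", "192.0.2.5", 500, 5),
    ("10.1.1.2", "192.0.2.5", 1500, 10),
    ("10.20.3.4", "198.51.100.9", 800, 8),
    ("10.1.1.1", "198.51.100.9", 200, 2),
    ("203.0.113.7", "10.1.1.1", 100, 1),   # source address not in the p-map
]


def bandwidth_by_cc(flows, side="scc"):
    """Aggregate like rwuniq --fields=scc with records, bytes, packets and sip-distinct.
    side="dcc" keys on the destination address and counts distinct destinations."""
    col = 0 if side == "scc" else 1
    acc = defaultdict(lambda: {"records": 0, "bytes": 0, "packets": 0, "ips": set()})
    for rec in flows:
        bin_ = acc[ip2cc(rec[col])]
        bin_["records"] += 1
        bin_["bytes"] += rec[2]
        bin_["packets"] += rec[3]
        bin_["ips"].add(rec[col])
    return {cc: {"records": b["records"], "bytes": b["bytes"],
                 "packets": b["packets"], "distinct": len(b["ips"])}
            for cc, b in acc.items()}


# Constructed address list, one per line, as rwsetcat would print a binary set.
IP_LIST_TEXT = """\
10.1.1.1
10.1.1.2
10.1.2.3
10.20.0.1
192.0.2.1
192.0.2.2
203.0.113.7
"""


def read_ip_list(text):
    """One address per line; blank lines and '#' comment lines are skipped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def summarize_set(ips, count=None, threshold=None, percentage=None):
    """Count addresses per country code, then apply one rwstats-style selector:
    count=N keeps the top N, threshold=N keeps codes with more than N addresses
    (as the tooltip states it), percentage=N keeps codes above N percent of the set.
    Returns rows of (cc, count, percent) sorted most-to-least."""
    counts = Counter(ip2cc(ip) for ip in ips)
    total = sum(counts.values())
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if count is not None:
        rows = rows[:count]
    elif threshold is not None:
        rows = [r for r in rows if r[1] > threshold]
    elif percentage is not None:
        rows = [r for r in rows if 100.0 * r[1] / total > percentage]
    return [(cc, n, round(100.0 * n / total, 2)) for cc, n in rows]


if __name__ == "__main__":
    for cc, row in sorted(bandwidth_by_cc(FLOWS).items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{cc}|{row['records']:>8}|{row['bytes']:>10}|{row['packets']:>8}|{row['distinct']:>5}|")
    for cc, n, pct in summarize_set(read_ip_list(IP_LIST_TEXT), count=3):
        print(f"{cc}|{n:>8}|{pct:>8.2f}|")
```

Swapping the constructed table for addresses fed through the real rwip2cc changes nothing downstream: the aggregation and the count/threshold/percentage selection operate only on the code each address resolved to, which is also why the text-processing route and the rwtuc/rwuniq route in the tooltip give the same counts.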