#!/usr/bin/env bash
# takes a directory, looks for pcaps in it and, for each one found, runs a loop that does a geoip lookup on the public ip addresses and sorts them with uniq
# excludes the united states ips, apipa ips and broadcast ip addresses
# needs geolite databases from maxmind
#geocountrydb = http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
#geocitydb = http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#geoasndb = http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
# only works for ipv4 at the moment, maybe we need to add ipv6 support in the future
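# $1 is the directory searched for pcaps, $2 the directory that receives
# geoip.txt and geoip_countries.txt; both must already exist.
dir="$1"
output_dir="$2"
if [[ ! -d "$dir" || ! -d "$output_dir" ]]; then
  # Usage goes to stderr and exits non-zero so a caller (cron, CI) notices the bad invocation
  printf 'Usage: %s <pcap directory> <output directory>\n' "${0##*/}" >&2
  printf '%s\n' "Searches a pcap file for useful information" >&2
  exit 2
fi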
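#######################################
# Runs a geoip lookup on the public destination addresses of every *.pcap
# found under the pcap directory and appends the report to geoip.txt.
# Globals:   dir, output_dir (fallback when $1 / $2 are not given)
# Arguments: $1 - directory searched recursively for *.pcap files
#            $2 - directory that receives geoip.txt
# Outputs:   the report on stdout, also appended to <$2>/geoip.txt
#######################################
lookup_ip() {
  local pcap_dir=${1:-$dir}
  local out_dir=${2:-$output_dir}
  local pcap
  # NUL-delimited find output so a pcap path with whitespace or a newline cannot break the loop
  while IFS= read -r -d '' pcap; do
    printf '\n'
    printf '%s %s %s %s\n' 'Reading Network Traffic from' "$pcap" 'Time Started:' "$(date +'%D %T')"
    printf '%s\n\n' "################################"
    # Private (RFC 1918), multicast, link-local (APIPA) and limited-broadcast
    # destinations are dropped by the display filter; sed removes the
    # United States rows as the file header describes.
    tshark -r "$pcap" \
      -Y '!(ip.dst == 10.0.0.0/8 or ip.dst == 192.168.0.0/16 or ip.dst == 172.16.0.0/12 or ip.dst == 224.0.0.0/4 or ip.dst == 169.254.0.0/16 or ip.dst == 255.255.255.255)' \
      -T fields -e ip.dst -e ip.geoip.dst_country \
      | sed -e '/United States/d'
    printf '%s\n\n' "################################"
    printf '%s %s\n\n' 'Time Finished:' "$(date +'%D %T')"
  done < <(find "$pcap_dir" -type f -iname '*.pcap' -print0) | tee -a "${out_dir}/geoip.txt"
}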
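#######################################
# Counts how often each country appears in geoip.txt and appends the
# "<count>: <country>" table, highest count first, to geoip_countries.txt.
# Globals:   output_dir (fallback when $1 is not given)
# Arguments: $1 - directory holding geoip.txt; receives geoip_countries.txt
# Outputs:   the table on stdout, also appended to geoip_countries.txt
#######################################
count_countries() {
  local out_dir=${1:-$output_dir}
  local src="${out_dir}/geoip.txt"
  local dst="${out_dir}/geoip_countries.txt"
  {
    printf '\n'
    printf '%s\n' "################ Country Count ####################"
  } >> "$dst"
  # Only rows that start with an IPv4 address are data rows; the anchored,
  # dot-escaped pattern keeps the "Time Started/Finished" lines out without a
  # second grep. tshark's -T fields output is tab separated, so the country is
  # the whole second field and multi-word names (e.g. three words) stay intact.
  # Counting whole values rather than grepping each name back into the file
  # avoids substring over-counts such as one country name contained in another.
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}' -- "$src" \
    | awk -F $'\t' '$2 != "" { print $2 }' \
    | LC_ALL=C sort \
    | uniq -c \
    | sort -nr \
    | awk '{ n = $1; sub(/^[ \t]*[0-9]+[ \t]+/, ""); printf "%s: %s\n", n, $0 }' \
    | tee -a "$dst"
}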
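# Entry point: build the per-pcap report, then the country summary.
# Directory paths are quoted so a path containing whitespace is passed intact.
main() {
  lookup_ip "${dir}" "${output_dir}"
  count_countries "${output_dir}"
}
main "$@"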