Reporting -> Insight -> Totals tab add option to show network registration name

Started by trdeal, October 17, 2025, 02:05:28 PM

Within the Reporting -> Insight -> Totals, add an additional option "Reverse Network Owner" so that, when checked, a Registration Data Access Protocol (RDAP) query is made to retrieve the details of the registered network user. Here is the output of rdap:

# rdap -t ip 34.117.223.223
IP Network:
  Handle: NET-34-64-0-0-1
  Start Address: 34.64.0.0
  End Address: 34.127.255.255
  IP Version: v4
  Name: GOOGL-2
  Type: DIRECT ALLOCATION
  ParentHandle: NET-34-0-0-0-0
  Status: active
  Port43: whois.arin.net
  Notice:
    Title: Terms of Service
    Description: By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use
    Link: https://www.arin.net/resources/registry/whois/tou/
  Notice:
    Title: Whois Inaccuracy Reporting
    Description: If you see inaccuracies in the results, please visit:
    Link: https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
  Notice:
    Title: Copyright Notice
    Description: Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
  Entity:
    Handle: GOOGL-2
    Port43: whois.arin.net
    Remark:
      Title: Registration Comments
      Description: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
      Description:
      Description: Direct all copyright and legal complaints to
      Description: https://support.google.com/legal/go/report
      Description:
      Description: Direct all spam and abuse complaints to
      Description: https://support.google.com/code/go/gce_abuse_report
      Description:
      Description: For fastest response, use the relevant forms above.
      Description:
      Description: Complaints can also be sent to the GC Abuse desk
      Description: (google-cloud-compliance@google.com)
      Description: but may have longer turnaround times.
      Description:
      Description: Complaints sent to any other POC will be ignored.
    Link: https://rdap.arin.net/registry/entity/GOOGL-2
    Link: https://whois.arin.net/rest/org/GOOGL-2
    Event:
      Action: last changed
      Date: 2019-11-01T05:34:25-04:00
    Event:
      Action: registration
      Date: 2006-09-29T16:40:11-04:00
    Role: registrant
    vCard version: 4.0
    vCard fn: Google LLC
    vCard kind: org
    Entity:
      Handle: GCABU-ARIN
      Port43: whois.arin.net
      Remark:
        Title: Unvalidated POC
        Description: ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2022-04-09
      Link: https://rdap.arin.net/registry/entity/GCABU-ARIN
      Link: https://whois.arin.net/rest/poc/GCABU-ARIN
      Event:
        Action: last changed
        Date: 2021-04-09T11:46:04-04:00
      Event:
        Action: registration
        Date: 2011-03-30T00:36:28-04:00
      Role: abuse
      Role: noc
      vCard version: 4.0
      vCard fn: GC Abuse
      vCard org: GC Abuse
      vCard kind: group
      vCard email: google-cloud-compliance@google.com
      vCard tel: +1-650-253-0000
    Entity:
      Handle: ZG39-ARIN
      Status: validated
      Port43: whois.arin.net
      Link: https://rdap.arin.net/registry/entity/ZG39-ARIN
      Link: https://whois.arin.net/rest/poc/ZG39-ARIN
      Event:
        Action: last changed
        Date: 2024-11-11T04:27:09-05:00
      Event:
        Action: registration
        Date: 2000-11-30T13:54:08-05:00
      Role: administrative
      Role: technical
      vCard version: 4.0
      vCard fn: Google LLC
      vCard org: Google LLC
      vCard kind: group
      vCard email: arin-contact@google.com
      vCard tel: +1-650-253-0000
  Link: https://rdap.arin.net/registry/ip/34.64.0.0
  Link: https://whois.arin.net/rest/net/NET-34-64-0-0-1
  Event:
    Action: last changed
    Date: 2018-09-28T10:45:41-04:00
  Event:
    Action: registration
    Date: 2018-09-28T10:45:37-04:00
  cidr0_cidrs:
    v4prefix: 34.64.0.0
    length: 10

The RDAP information could be cached so that the start and end addresses, registered owner and country can be used for further traffic without requiring further calls; only upon reboot, for example, would the cache be cleared.

What's the output for an address outside of the ARIN region? (Resolving the owning RIR may require additional logic, at least for a useful display.)

And how would you display the data? A big popup?

All requests globally can be achieved via a web query to https://rdap.org/<query-type>/<query>, or more likely, if using the Linux rdap CLI tool, it does the HTTPS query for you. All that is required, for example, is "rdap -t ip <ipv4/ipv6 address>".

$ rdap -h
OpenRDAP v0.9.1
(www.openrdap.org)

Usage: rdap [OPTIONS] DOMAIN|IP|ASN|ENTITY|NAMESERVER|RDAP-URL
  e.g. rdap example.cz
       rdap 192.0.2.0
       rdap 2001:db8::
       rdap AS2856
       rdap https://rdap.nic.cz/domain/example.cz

       rdap -f registrant -f administrative -f billing amazon.com.br
       rdap --json https://rdap.nic.cz/domain/example.cz
       rdap -s https://rdap.nic.cz -t help

Options:
  -h, --help          Show help message.
  -v, --verbose       Print verbose messages on STDERR.

  -T, --timeout=SECS  Timeout after SECS seconds (default: 30).
  -k, --insecure      Disable SSL certificate verification.

  -e, --experimental  Enable some experimental options:
                      - Use the bootstrap service https://test.rdap.net/rdap
                      - Enable object tag support

Authentication options:
  -P, --p12=cert.p12[:password] Use client certificate & private key (PKCS#12 format)
or:
  -C, --cert=cert.pem           Use client certificate (PEM format)
  -K, --key=cert.key            Use client private key (PEM format)

Output Options:
      --text          Output RDAP, plain text "tree" format (default).
  -w, --whois         Output WHOIS style (domain queries only).
  -j, --json          Output JSON, pretty-printed format.
  -r, --raw           Output the raw server response.

Advanced options (query):
  -s  --server=URL    RDAP server to query.
  -t  --type=TYPE     RDAP query type. Normally auto-detected. The types are:
                      - ip
                      - domain
                      - autnum
                      - nameserver
                      - entity
                      - help
                      - url
                      - domain-search
                      - domain-search-by-nameserver
                      - domain-search-by-nameserver-ip
                      - nameserver-search
                      - nameserver-search-by-ip
                      - entity-search
                      - entity-search-by-handle
                      The servers for domain, ip, autnum, url queries can be
                      determined automatically. Otherwise, the RDAP server
                      (--server=URL) must be specified.

Advanced options (bootstrapping):
      --cache-dir=DIR Bootstrap cache directory to use. Specify empty string
                      to disable bootstrap caching. The directory is created
                      automatically as needed. (default: $HOME/.openrdap).
      --bs-url=URL    Bootstrap service URL (default: https://data.iana.org/rdap)
      --bs-ttl=SECS   Bootstrap cache time in seconds (default: 3600)

Advanced options (experiments):
      --exp=test_rdap_net  Use the bootstrap service https://test.rdap.net/rdap
      --exp=object_tag     Enable object tag support
                           (draft-hollenbeck-regext-rdap-object-tag)

As you can see, the rdap command has many options, and rdap is the replacement for whois.
The key information for display is the Network Registrant in the tab; if an IP address is associated with a large corporation like Microsoft, then traffic can be categorised by Organisation.

Quote from: trdeal on October 17, 2025, 05:22:28 PM
All requests globally can be achieved via a web query to https://rdap.org/[...]

That makes it easier.

Quote:
[...]
The key information for display is the Network Registrant in the tab
[...]

What field exactly? RDAP seems to suffer from the usual registration db issues, namely inconsistent population of fields. It would be nice if the registrars dealt with this, but that ship flew the coop and turned into a black hole years ago. If you look up a number of addresses, you'll see what I mean. Still, you may find the information useful.

A curated geoip db might be better. But that's another can o'worms.

I found that the registrant details could be obtained using the following filter: "grep fn"

$ rdap -t ip <random ip> | grep fn

Unfortunately, while multiple lines are returned, in most cases the 1st line is the Registrant Name:

$ rdap -t ip <random ip> | grep fn | head -n 1

However, this is not always the case; with some Registrants it is the 2nd or 3rd line where the Registrant Name is provided.

After a bit of research, the following does appear to produce consistent results by selecting JSON output.
Write to a temporary file to minimise calls to rdap:

$ rdap -j -t ip <random-ip> > /tmp/RDAP

Registrant   $ cat /tmp/RDAP | jq '.remarks | .[] .description'
Country      $ cat /tmp/RDAP | jq '.country'
Start IP     $ cat /tmp/RDAP | jq '.startAddress'
End IP       $ cat /tmp/RDAP | jq '.endAddress'
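One way to implement what this thread sketches, as an added example that is not code from the original posts or from OPNsense: the registrant is chosen by its RDAP role rather than by the first "fn" line (the problem noted with grep fn | head -n 1), the same four fields the jq commands pull out are extracted with the optional country handled, and a cache keyed on the registered start/end range answers further addresses in the same network without another call. It parses a constructed RDAP JSON document modelled on the ARIN output quoted earlier; fetch is a hypothetical injected function standing in for rdap -j -t ip or an https://rdap.org/ip/ query.

```python
import ipaddress
import json

# Constructed RDAP JSON modelled on the ARIN answer for 34.117.223.223 quoted in the thread
# (only the members the extractor needs, values as printed there).
SAMPLE_RDAP = json.loads("""{
  "handle": "NET-34-64-0-0-1", "startAddress": "34.64.0.0", "endAddress": "34.127.255.255",
  "ipVersion": "v4", "name": "GOOGL-2",
  "entities": [{"handle": "GOOGL-2", "roles": ["registrant"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Google LLC"]]],
    "entities": [{"handle": "GCABU-ARIN", "roles": ["abuse", "noc"],
      "vcardArray": ["vcard", [["fn", {}, "text", "GC Abuse"]]]}]}]
}""")

def vcard_fn(entity):
    """vCard 'fn' of one entity, or None if it has no vcardArray or no fn."""
    props = (entity.get("vcardArray") or ["vcard", []])[1]
    return next((p[3] for p in props if p[0] == "fn"), None)

def registrant_name(rdap):
    """Prefer the nested entity tagged 'registrant'; 'grep fn | head -n 1' can return a contact instead."""
    first_fn, queue = None, list(rdap.get("entities", []))
    while queue:
        ent = queue.pop(0)
        fn = vcard_fn(ent)
        if fn and "registrant" in ent.get("roles", []):
            return fn
        first_fn = first_fn or fn
        queue.extend(ent.get("entities", []))
    return first_fn  # fallback when no entity carries the registrant role

def summarise(rdap):
    """The four fields the post pulls out with jq; 'country' is optional in RDAP, so it may be None."""
    return {"registrant": registrant_name(rdap), "country": rdap.get("country"),
            "start": rdap["startAddress"], "end": rdap["endAddress"]}

class RdapCache:
    """Cache keyed on the registered range: later addresses inside a seen network need no call.
    fetch(ip) -> RDAP dict is a hypothetical injected function standing in for 'rdap -j -t ip'."""
    def __init__(self, fetch):
        self.fetch, self.entries, self.calls = fetch, [], 0
    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for lo, hi, rec in self.entries:
            if addr.version == lo.version and lo <= addr <= hi:
                return rec  # cache hit, no RDAP call
        self.calls += 1
        rec = summarise(self.fetch(ip))
        lo, hi = ipaddress.ip_address(rec["start"]), ipaddress.ip_address(rec["end"])
        self.entries.append((lo, hi, rec))
        return rec
```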