Sunday, December 19, 2004

Quickly find the announcing AS of an IP address

For no reason other than my mood, today I would like to write about BGP and IP routing topics that I found on the net. I'll write more...

In the course of network operations, one sometimes would like to know which autonomous system (AS) announces a given IP address. One way to do this is by querying the whois server of a routing registry such as RADB or RIPE, and looking for the origin attribute of a route object. However, not all networks properly register their route objects, so the information might not be available or may be outdated.

Another method is by looking at the actual BGP route table for the origin AS of a prefix. You could do this on your own BGP speaking routers or on a public route server with the "show ip bgp" command (or equivalent), or by using one of the public looking glasses on the web. However, this method is cumbersome, especially if you want to quickly look up something or if you have a large number of addresses that you want to analyze with a script.
You can use the command-line whois client to look up the AS and provider:

$ whois -h whois.cymru.com [IP]

If you have a list of IPs, follow these steps:
1. First download GNU netcat from http://netcat.sourceforge.net/download.php, then create your list like this one.
Example of list01:

begin
68.22.187.5
207.229.165.18
...
198.6.1.65
end

You can add comments if you would like:

begin
68.22.187.5 Checked on 2004-06-30 05:05:05 GMT
207.229.165.18 Checked on 2004-06-30 05:05:05 GMT
...
198.6.1.65 Checked on 2004-06-30 05:05:05 GMT
end

2. Finally, run netcat:

  $ netcat whois.cymru.com 43 < list01 | sort -n > list02


3. The file list02 will be sorted by origin AS, and should appear as:

Bulk mode; one IP per line. [2004-06-30 15:37:07 GMT]
701 | 198.6.1.65 | UU UUNET Technologies, Inc.
6079 | 207.229.165.18 | RCN RCN Corporation
23028 | 68.22.187.5 | SAUNET SAUNET

4. Take a peek at the list02 file, and remove any RFC1918 or other unrouted IPs.
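
The steps above can be scripted. The following is an added example, not part of the original post: it builds the begin/end bulk list, drops RFC1918 and other non-global or malformed entries before the query is sent (rather than afterwards, so internal addresses are never disclosed to the lookup service), and groups the "AS | IP | AS Name" reply by origin AS. The function names and the extra sample entries are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the page's three IPs plus unroutable/invalid entries.
SAMPLE_LIST = [
    "68.22.187.5 Checked on 2004-06-30 05:05:05 GMT",
    "10.1.2.3",
    "207.229.165.18",
    "192.168.0.7",
    "not-an-ip",
    "198.6.1.65",
]
# Response text copied from the list02 sample shown above.
SAMPLE_RESPONSE = """Bulk mode; one IP per line. [2004-06-30 15:37:07 GMT]
701 | 198.6.1.65 | UU UUNET Technologies, Inc.
6079 | 207.229.165.18 | RCN RCN Corporation
23028 | 68.22.187.5 | SAUNET SAUNET
"""

def build_bulk_query(lines):
    """Return (query_text, skipped) from 'IP [comment]' lines."""
    routable, skipped = [], []
    for line in lines:
        fields = line.split(None, 1)
        if not fields:
            continue  # blank line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            skipped.append(fields[0])  # malformed address
            continue
        # is_global is False for RFC1918, loopback, link-local, etc.
        (routable if addr.is_global else skipped).append(
            line.strip() if addr.is_global else fields[0])
    return "begin\n" + "\n".join(routable) + "\nend\n", skipped

def parse_bulk_response(text):
    """Group reply rows by origin AS; banner and non-numeric AS rows are skipped."""
    by_as = defaultdict(list)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            by_as[int(parts[0])].append((parts[1], parts[2]))
    return dict(sorted(by_as.items()))

if __name__ == "__main__":
    query, skipped = build_bulk_query(SAMPLE_LIST)
    print(query, "skipped:", skipped)
    print(parse_bulk_response(SAMPLE_RESPONSE))
```

Write the query text to list01 and send it with the netcat command from step 2; the reply can then be passed to parse_bulk_response.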

Note: A similar service was announced by the RIPE RIS project. Their whois server can be queried using "whois -h riswhois.ripe.net", and returns results in an RPSL-like format (as used by the RIPE whois database itself). The data is gathered from route collector boxes in various locations. For more information about this service, see this web page.
