Converting an encoded IP address to dotted decimal

wbfoxii · ‎10-30-2013

I've got a log that includes an obfuscated IP address. The source takes dotted decimal, reverses the order of the octets, converts them to binary, concatenates them, and then converts to decimal.

For example:
10.9.8.7 is turned around:
7 8 9 10
Then the octets are changed to binary:
00000111 00001000 00001001 00001010
Then all smashed together:
00000111000010000000100100001010
Then converted to a decimal number:
117967114
And that's what I get in the log. Are there any fun tools in Splunk that would help? If the set were limited, I could just use a lookup table.

wbfoxii · ‎10-30-2013

OK - This is what worked:

| eval ip=if(enc_ip<1,enc_ip+2147483648,enc_ip) | eval aaa=floor(ip/16777216) | eval     bbb=floor((ip-aaa\*16777216)/65536) | eval ccc=floor((ip-(aaa\*16777216+bbb\*65536))/256)| eval ddd=ip-(aaa\*16777216+bbb\*65536+ccc\*256) | eval ipv4=tostring(ddd)+"."+tostring(ccc)+"."+tostring(bbb)+"."+tostring(aaa)

I adapted this from http://answers.splunk.com/answers/38750/how-to-convert-ip

spark2310 · ‎12-23-2017

What if you want to match the ip against another CSV file to see if it falls in the range?
looks like this
(( 3743019008, -----> this is actually 223.25.240.0 if converted to IP format
3743020031, -----> range end 223.25.243.255
'http://thegigabit.com/'),

lukejadamec · ‎10-30-2013

Very clever.

changux · ‎06-05-2015

One question, which is the source field, i mean, the field with the decimal IP? enc_ip?

lukejadamec · ‎10-30-2013

You could write a script to evaluate the obfuscated data - here is something similar from a Splunk blog post:

http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/

Converting an encoded IP address to dotted decimal

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024