Wednesday, October 24, 2007

How do I find the geographical location of a host, given its IP address?

In general, it is impossible. IP address blocks are allocated to organisations, not to places, so there is no inherent connection between an IP address and its physical location, and no method that reliably does the trick.

Yet some detective work can help. Try the following methods:




  1. Note the following links for reference:



    A complete list of country codes

    http://www.iana.org/domain-names.htm

    http://www.ics.uci.edu/pub/websoft/wwwstat/country-codes.txt




    A complete list of U.S. state abbreviations

    http://www.usps.gov/ncsc/lookups/abbr_state.txt



    A complete list of airport codes

    http://www.aviationjobsonline.com/airports/citycode.html



    Microsoft's TerraServer - satellite pictures of geographical areas

    http://www.terraserver.microsoft.com/



  2. Use reverse DNS to find out the host's name. The name may supply some clues.




    E.g. given the IP address 132.74.18.2, the command 'nslookup 132.74.18.2' translates the address to construct.haifa.ac.il, which gives two hints:


    1. The TLD is .il, which hints that the host is in Israel.
    2. The next two labels are haifa.ac, so this host belongs to the 'haifa' academic institution (a university, in this case). The University of Haifa happens to be in the city of Haifa.



    Reverse DNS translation doesn't always work: it depends on whoever administers the reverse zone for that address block having configured the PTR records correctly. Those records are also entirely under that party's control, so a PTR name can say anything at all; treat it as a hint, not as proof.



    Another trick is to run a whois query on the IP address. Direct the query to whois.arin.net; if ARIN does not administer that address block, its reply will refer you to the regional registry that does, such as whois.apnic.net or whois.ripe.net (whois.lacnic.net and whois.afrinic.net are the other two regional registries).



    Notice that a host under one country's domain might be hosted in another country. This is due to virtual hosting: a domain of a company from one country or region might be hosted wherever hosting is cheap.



    Also notice that the .org, .com and even .edu domains do not imply that the host is in the U.S., as many of those domains belong to companies that are either not U.S. based or are international, and may have hosts all over the world.



  3. Some hosts support a DNS extension that lets an administrator publish the host's geographical location in its DNS records: the LOC resource record described in RFC 1876.




    For further information see - http://www.ckdhr.com/dns-loc/



    An earlier attempt to express a host's geographical location via DNS is RFC 1712 (the GPOS record). Both RFCs define a DNS resource record that carries the geographical location. Either record exists only if the administrator chose to publish it, and it contains whatever they typed in, so it is a claim by the zone owner rather than a measurement.
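    The LOC record's presentation format (the text a resolver prints) and its 16-byte wire format are both fixed by RFC 1876, so a small parser is enough to make the record usable. The following is an added example, not code from the original page: it parses the presentation form into decimal degrees, packs it into the RFC 1876 wire layout and unpacks it again. The sample record is a constructed input written in RFC 1876 syntax, and the function names are the example's own.

```python
"""Parse, encode and decode DNS LOC records (RFC 1876).

Added example, not code from the original page. The record strings fed to
parse_loc() are constructed inputs in the presentation syntax of RFC 1876;
the wire layout (version, size, horiz/vert precision, lat, lon, alt) follows
section 2 of that RFC.
"""
import re
import struct

# Defaults fixed by RFC 1876: size 1 m, horizontal precision 10 000 m, vertical 10 m.
_DEFAULTS_M = [1.0, 10000.0, 10.0]

_LOC_RE = re.compile(
    r"^\s*(\d+)(?:\s+(\d+))?(?:\s+(\d+(?:\.\d+)?))?\s+([NS])"   # latitude  d [m [s]] N|S
    r"\s+(\d+)(?:\s+(\d+))?(?:\s+(\d+(?:\.\d+)?))?\s+([EW])"    # longitude d [m [s]] E|W
    r"\s+(-?\d+(?:\.\d+)?)m?"                                   # altitude (metres)
    r"((?:\s+\d+(?:\.\d+)?m?){0,3})\s*$"                        # [size [hp [vp]]]
)


def _dms_to_decimal(deg, minutes, seconds, hemisphere):
    value = int(deg) + int(minutes or 0) / 60.0 + float(seconds or 0) / 3600.0
    return -value if hemisphere in "SW" else value


def parse_loc(text):
    """'d m s N d m s E alt[m] [size[m] [hp[m] [vp[m]]]]' -> dict of degrees/metres.
    Minutes, seconds and the three precision fields may be omitted, as the RFC allows."""
    m = _LOC_RE.match(text)
    if not m:
        raise ValueError("not a LOC presentation record: %r" % text)
    opt = [float(x.rstrip("m")) for x in m.group(10).split()]
    opt += _DEFAULTS_M[len(opt):]            # fill in whatever was left out
    return {"lat": _dms_to_decimal(*m.group(1, 2, 3, 4)),
            "lon": _dms_to_decimal(*m.group(5, 6, 7, 8)),
            "alt_m": float(m.group(9)),
            "size_m": opt[0], "hp_m": opt[1], "vp_m": opt[2]}


def _encode_precision(metres):
    """RFC 1876 size/precision byte: 4-bit mantissa (0-9) and 4-bit power of ten, in cm.
    Values that are not one digit times a power of ten are rounded down."""
    cm, exp = int(round(metres * 100)), 0
    while cm >= 10 and exp < 9:
        cm, exp = cm // 10, exp + 1
    if cm > 9:
        raise ValueError("precision too large to encode: %r m" % metres)
    return (cm << 4) | exp


def _decode_precision(byte):
    return ((byte >> 4) & 0xF) * 10 ** (byte & 0xF) / 100.0


def encode_loc(rec):
    """Serialise to the 16-byte RDATA. Lat/lon are thousandths of an arcsecond
    offset by 2^31; altitude is centimetres above a base 100 000 m below the spheroid."""
    lat = 2 ** 31 + int(round(rec["lat"] * 3600 * 1000))
    lon = 2 ** 31 + int(round(rec["lon"] * 3600 * 1000))
    alt = int(round((rec["alt_m"] + 100000) * 100))
    return struct.pack(">BBBBIII", 0, _encode_precision(rec["size_m"]),
                       _encode_precision(rec["hp_m"]), _encode_precision(rec["vp_m"]),
                       lat, lon, alt)


def decode_loc(data):
    """Inverse of encode_loc(); rejects anything but the 16-byte version-0 layout."""
    if len(data) != 16:
        raise ValueError("LOC RDATA must be 16 bytes, got %d" % len(data))
    version, size, hp, vp, lat, lon, alt = struct.unpack(">BBBBIII", data)
    if version != 0:
        raise ValueError("unknown LOC version %d" % version)
    return {"lat": (lat - 2 ** 31) / 3600000.0,
            "lon": (lon - 2 ** 31) / 3600000.0,
            "alt_m": alt / 100.0 - 100000,
            "size_m": _decode_precision(size),
            "hp_m": _decode_precision(hp),
            "vp_m": _decode_precision(vp)}


if __name__ == "__main__":
    # Constructed sample in RFC 1876 syntax (Cambridge, MA area, 30 m site size).
    rec = parse_loc("42 21 54 N 71 06 18 W -24m 30m")
    print(rec)
    print(encode_loc(rec).hex())
    print(decode_loc(encode_loc(rec)))
```

    The round trip matters in practice: a record that decodes to a size or precision of 10 000 km, or to an altitude of exactly -100 000 m, is usually someone pasting zero bytes rather than a real position.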



  4. Visit the host's web server. A web site will sometimes contain hints regarding the site's location.



    E.g. for construct.haifa.ac.il, you can find info at both http://www.haifa.ac.il/ and http://www.ac.il/




  5. Use whois on the domain name (item 2 queried the IP address block; this queries the domain registration). The whois database contains the administrative contact info for registered domains, filled in at registration time and updated from time to time. This admin info could give some hints.



    The whois database is not highly reliable. If an address belongs to a large and responsible company, the company will supply accurate info and keep it updated, but since domain registrars do not insist on keeping the database accurate and current, the data might be out of date or simply wrong.



    The IP to Lat/Long page attempts to display the same information graphically.

    http://cello.cs.uiuc.edu/cgi-bin/slamm/ip2ll/



    The Allwhois.com page allows whois requests for many countries.

    http://www.allwhois.com/




    A list of whois servers, collected by Matt Power, is available at ftp://sipb.mit.edu/pub/whois/whois-servers.list



    Note that the data is usually given for the owner's main branch or contact points, but the IP addresses might be allocated to hosts located somewhere else entirely.



  6. Use traceroute. The names of the routers through which packets flow from your host (or any host) to the host with the given IP address might hint at the geographical path the packets follow, and at the final destination's physical location.




    E.g. > traceroute www.mit.edu
    traceroute to DANDELION-PATCH.MIT.EDU (18.181.0.31), ...
    1 teg.technion.ac.il (132.68.7.254) 2 ms 1 ms 1 ms
    2 tau-smds.man.ac.il (128.139.210.16) 5 ms 5 ms 5 ms
    3 128.139.198.129 (128.139.198.129) 9 ms 11 ms 13 ms
    4 TAU-shiber.route.ibm.net.il (192.115.73.5) 535 ms 549 ms 513 ms
    5 fe7507.tlv.ibm.net.il (192.116.177.1) 562 ms 596 ms 600 ms
    6 165.87.220.18 (165.87.220.18) 1195 ms 1204 ms
    7 nyc28-16-sar1.ny.us.ibm.net (165.87.28.19) 1208 ms 1216 ms 1233 ms
    8 198.133.27.5 (198.133.27.5) 1210 ms 1239 ms 1211 ms
    9 sprint-nap.bbnplanet.net (192.157.69.51) 1069 ms 1087 ms 1122 ms
    10 nyc1-br2.bbnplanet.net (4.0.1.25) 1064 ms 1109 ms 1061 ms
    11 cambridge1-br1.bbnplanet.net (4.0.1.122) 1185 ms 1146 ms 1203 ms
    12 cambridge2-br2.bbnplanet.net (4.0.2.26) 1185 ms 1159 ms 1073 ms
    13 ihtfp.mit.edu (192.233.33.3) 1052 ms 642 ms 658 ms
    14 W20-RTR-FDDI.MIT.EDU (18.168.0.8) 640 ms 665 ms 674 ms
    15 DANDELION-PATCH.MIT.EDU (18.181.0.31) 702 ms 915 ms 868 ms



    The 3rd hop is inside the Israeli academic network (checked by a local whois lookup). The round-trip time roughly doubles between the 5th hop (tlv, i.e. Tel Aviv) and the 6th, which is where the path leaves the country, and the 7th hop's name (nyc..., ny.us) places it in New York, on the U.S. east coast. From the 11th hop onward the names say cambridge: Cambridge, Massachusetts, north of New York, where MIT is. Router names are chosen by the operator and can be stale or misleading, so read them together with the latency jumps rather than on their own.



    There is a utility named VisualRoute (http://www.visualware.com/visualroute/index.html) which traceroutes a host and displays the route on a map of the world. The host's location on the map is based on the whois query, which may be wrong: an Israeli domain might be displayed as being in Israel although it is hosted in another country.




  7. Some of the services available on the host might give further info.



    E.g. telnet construct.haifa.ac.il 13   <== daytime service (TCP port 13)
    Trying 132.74.18.2...
    Connected to construct.haifa.ac.il.
    Escape character is '^]'.
    Wed Jan 21 08:32:53 1998   <== the difference from your own clock hints at the host's time zone

    Keep in mind that the daytime service reports the host's own clock, so the difference also contains any clock skew and any mis-set time zone on that host, and that most hosts today have port 13 closed.
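    Turning that reply into a time-zone estimate means comparing it with your own clock in UTC and rounding, because the raw difference also carries the host's clock skew. The function below is an added example, not part of the original page: it uses the page's sample reply together with a constructed observer time (the page does not record when the query ran), and its function names are the example's own.

```python
"""Estimate a remote host's UTC offset from a daytime (port 13) reply.

Added example, not code from the original page. The reply string in the demo
is the page's own sample output; the observer's UTC time paired with it is a
constructed value, since the page does not say when the query was made.
"""
from datetime import datetime

DAYTIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # ctime()-style line most daytime servers send
ISO_FORMAT = "%Y-%m-%d %H:%M:%S"          # accepted for observed_utc given as a string


def estimate_utc_offset(reply, observed_utc, step_minutes=30, max_skew_minutes=10):
    """Return (offset_minutes, residual_minutes, trustworthy).

    The difference between the reply and your own UTC clock mixes the host's
    time zone with its clock skew, so the offset is rounded to the nearest
    zone step (most zones are whole hours, some are 30 minutes) and the
    leftover is reported as residual. A residual beyond max_skew_minutes
    means the host's clock is wrong or its zone is unusual (e.g. UTC+05:45),
    and the estimate should not be trusted.
    """
    if isinstance(observed_utc, str):
        observed_utc = datetime.strptime(observed_utc, ISO_FORMAT)
    remote = datetime.strptime(reply.strip(), DAYTIME_FORMAT)
    minutes = (remote - observed_utc.replace(tzinfo=None)).total_seconds() / 60.0
    offset = int(round(minutes / step_minutes)) * step_minutes
    residual = minutes - offset
    return offset, residual, abs(residual) <= max_skew_minutes


def format_offset(minutes):
    """Render an offset in minutes as UTC+HH:MM or UTC-HH:MM."""
    sign = "+" if minutes >= 0 else "-"
    minutes = abs(int(minutes))
    return "UTC%s%02d:%02d" % (sign, minutes // 60, minutes % 60)


if __name__ == "__main__":
    # Reply taken from the page; the observer clock is a constructed value.
    offset, residual, ok = estimate_utc_offset("Wed Jan 21 08:32:53 1998",
                                               "1998-01-21 06:33:10")
    print(format_offset(offset), "residual %.1f min" % residual,
          "trusted" if ok else "suspect")
```

    With the constructed observer time the reply rounds to UTC+02:00, which is consistent with the .il hint from item 2; a host whose clock is a quarter of an hour off would instead come back flagged as suspect, which is the right answer, since a wrong zone is worse than no zone.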



  8. Naming conventions of ISPs and backbones



    AT&T dialups : <port>.<router-location>.<state>.dial-access.att.net




    Port is 2-254 for the dial-up ports, and 1 for the router itself. Location, for example "los-angeles-2", is the city and router number. State is the 2-letter USPS abbreviation.




    uu.net dialups :

    A. <port>.<device>.<city>.<state>.<iu>.uu.net


    B. <port>.<device>.<airport>.<iu>.uu.net




    iu = intended use (meaningless); state is the USPS abbreviation used in ZIP codes; device is an Ascend 'TNT' number or an Ascend 'MAX' number.
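    Reading the traceroute in item 6 and applying the naming conventions in item 8 come down to the same job: pull country, state, city and airport tokens out of host names. This added example (not code from the original page) does that over the page's own traceroute output and over dial-up names constructed to follow the AT&T and uu.net patterns above; its lookup tables are tiny stand-ins for the full lists linked in item 1, and its function names are the example's own assumptions.

```python
"""Mine location hints from router names (traceroute) and dial-up host names.

Added example, not code from the original page. SAMPLE_TRACE is the page's
own traceroute; the dial-up names in the tests are constructed to follow the
AT&T and uu.net conventions the page describes; the lookup tables are
deliberately tiny stand-ins for the full country, state and airport lists
the page links to.
"""
import re

CCTLD = {"il": "Israel", "uk": "United Kingdom", "de": "Germany"}
US_STATES = {"ny": "New York", "ma": "Massachusetts", "ca": "California"}
AIRPORTS = {"tlv": "Tel Aviv", "nyc": "New York", "lax": "Los Angeles", "bos": "Boston"}
CITIES = {"cambridge": "Cambridge", "los-angeles": "Los Angeles", "boston": "Boston"}

# AT&T: <port>.<city>-<router#>.<state>.dial-access.att.net
ATT_DIALUP = re.compile(r"^(?P<port>\d+)\.(?P<city>[a-z]+(?:-[a-z]+)*)-(?P<router>\d+)"
                        r"\.(?P<state>[a-z]{2})\.dial-access\.att\.net$")
# uu.net A: <port>.<device>.<city>.<state>.<iu>.uu.net   B: <port>.<device>.<airport>.<iu>.uu.net
UUNET_A = re.compile(r"^(?P<port>\d+)\.(?P<device>(?:tnt|max)\d+)\.(?P<city>[a-z-]+)"
                     r"\.(?P<state>[a-z]{2})\.(?P<iu>[a-z]+)\.uu\.net$")
UUNET_B = re.compile(r"^(?P<port>\d+)\.(?P<device>(?:tnt|max)\d+)\.(?P<airport>[a-z]{3})"
                     r"\.(?P<iu>[a-z]+)\.uu\.net$")
TRACE_HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")


def hostname_hints(name):
    """Place names a host name suggests, most general first. Only the final label is
    read as a country code ('ca' inside a name is usually California, not Canada);
    digits are stripped so 'nyc28' and 'cambridge2' still match. Three-letter tokens
    collide with real airport codes ('man', 'nap' in the sample), hence the small table."""
    labels = name.lower().split(".")
    hints = [CCTLD[labels[-1]]] if labels[-1] in CCTLD else []
    for label in labels[:-1]:
        for token in re.sub(r"\d+", "", label).split("-"):
            if token == "us":
                hints.append("United States")
            elif token in US_STATES:
                hints.append(US_STATES[token])
            elif token in AIRPORTS:
                hints.append(AIRPORTS[token])
            elif token in CITIES:
                hints.append(CITIES[token])
    return list(dict.fromkeys(hints))           # drop duplicates, keep order


def dialup_hints(name):
    """Apply the AT&T and uu.net dial-up naming conventions; None if neither fits."""
    for pattern in (ATT_DIALUP, UUNET_A, UUNET_B):
        m = pattern.match(name.lower())
        if not m:
            continue
        d = m.groupdict()
        where = [CITIES.get(d["city"], d["city"])] if d.get("city") else []
        where += [AIRPORTS.get(d["airport"], d["airport"])] if d.get("airport") else []
        where += [US_STATES.get(d["state"], d["state"])] if d.get("state") else []
        d["where"] = ", ".join(where)
        d["is_router"] = d["port"] == "1"       # AT&T: port 1 is the router itself
        return d
    return None


def trace_hints(traceroute_output):
    """[(hop, name, hints)] per hop; a hop that did not reverse-resolve yields no hints."""
    hops = []
    for line in traceroute_output.splitlines():
        m = TRACE_HOP.match(line)
        if m:
            hop, name, ip = int(m.group(1)), m.group(2), m.group(3)
            hops.append((hop, name, [] if name == ip else hostname_hints(name)))
    return hops


def likely_destination(hops):
    """Best guess is the last hop whose name carried a hint; the final hops are
    often the target's own site names (the MIT ones here), which say nothing about place."""
    for hop, name, hints in reversed(hops):
        if hints:
            return hop, hints
    return None


SAMPLE_TRACE = """\
traceroute to DANDELION-PATCH.MIT.EDU (18.181.0.31), ...
1 teg.technion.ac.il (132.68.7.254) 2 ms 1 ms 1 ms
2 tau-smds.man.ac.il (128.139.210.16) 5 ms 5 ms 5 ms
3 128.139.198.129 (128.139.198.129) 9 ms 11 ms 13 ms
4 TAU-shiber.route.ibm.net.il (192.115.73.5) 535 ms 549 ms 513 ms
5 fe7507.tlv.ibm.net.il (192.116.177.1) 562 ms 596 ms 600 ms
6 165.87.220.18 (165.87.220.18) 1195 ms 1204 ms
7 nyc28-16-sar1.ny.us.ibm.net (165.87.28.19) 1208 ms 1216 ms 1233 ms
8 198.133.27.5 (198.133.27.5) 1210 ms 1239 ms 1211 ms
9 sprint-nap.bbnplanet.net (192.157.69.51) 1069 ms 1087 ms 1122 ms
10 nyc1-br2.bbnplanet.net (4.0.1.25) 1064 ms 1109 ms 1061 ms
11 cambridge1-br1.bbnplanet.net (4.0.1.122) 1185 ms 1146 ms 1203 ms
12 cambridge2-br2.bbnplanet.net (4.0.2.26) 1185 ms 1159 ms 1073 ms
13 ihtfp.mit.edu (192.233.33.3) 1052 ms 642 ms 658 ms
14 W20-RTR-FDDI.MIT.EDU (18.168.0.8) 640 ms 665 ms 674 ms
15 DANDELION-PATCH.MIT.EDU (18.181.0.31) 702 ms 915 ms 868 ms
"""

if __name__ == "__main__":
    hops = trace_hints(SAMPLE_TRACE)
    for hop, name, hints in hops:
        print("%2d %-32s %s" % (hop, name, ", ".join(hints) or "-"))
    print("destination guess:", likely_destination(hops))
    print(dialup_hints("12.los-angeles-2.ca.dial-access.att.net")["where"])  # constructed name
```

    Two things the run makes visible: the guess stops at hop 12 because the MIT names carry no place token, and the only reason "man" and "nap" are not reported as Manchester and Naples is that the table leaves those airport codes out. With the full lists from item 1 you need a whitelist of tokens per operator, or you will geolocate routers by coincidence.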
