NAME

num2dot - Convert an integer IP to dotted-decimal notation

SYNOPSIS

  num2dot [--ip-fields=FIELDS] [--delimiter=C]

  num2dot --help

  num2dot --version

DESCRIPTION

num2dot is a filter to speedup sorting of IP numbers and yet result in both a "natural" order (i.e., 29.23.1.1 will appear before 192.168.1.1) and readable output (i.e., dotted decimal rather than an integer representation of the IP number).

It is designed specifically to deal with the output of rwcut(1). Its job is to read stdin and convert specified fields (default field 1) separated by a delimiter (default '|') from an integer number into a dotted decimal IP address. Up to three IP fields can be specified via the --ip-fields=FIELDS option. The --delimiter option can be used to specify an alternate delimiter.

num2dot does not support IPv6 addresses. The "EXAMPLES" section below includes an example PySiLK script to handle IPv6.

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--ip-fields=FIELDS: Column number of the input that should be considered IP numbers. Column numbers start from 1. If not specified, the default is 1.
--delimiter=C: The character that separates the columns of the input. Default is '|'.
--help: Print the available options and exit.
--version: Print the version number and information about how SiLK was configured, then exit the application.

EXAMPLES

In the following example, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash ("\") is used to indicate a wrapped line.

Suppose in addition to the default fields of 1-12 produced by rwcut(1), you want to prefix each row with an integer form of the destination IP and the start time to make processing by another tool (e.g., a spreadsheet) easier. However, within the default rwcut output fields of 1-12, you want to see dotted-decimal IP addresses. You could use the following command:

 $ rwfilter ... --pass=stdout                               \
   | rwcut --fields=dip,stime,1-12 --ip-format=decimal      \
        --timestamp-format=epoch                            \
   | num2dot --ip-field=3,4

In the rwcut invocation, you prepend the fields of interest ("dip" and "stime" before the standard fields. The first six columns produced by rwcut will be dIP, sTime, sIP, dIP, sPort, dPort. The --ip-format switch causes the first, third, and fourth columns to be printed as integers, but you only want the first column to have an integer representation. The pipe through num2dot will convert the third and fourth columns to dotted-decimal IP numbers.

num2dot does not support converting integers to IPv6 addresses. The following PySiLK script (see pysilk(3)) could be used as a starting-point to create a version of num2dot that supports IPv6 addresses:

 #! /usr/bin/env python
 from __future__ import print_function
 import sys
 import silk
 # The IPv6 fields to process; the ID of the first field is 0
 ip_fields = (0, 1)
 # The delimiter between fields
 delim = '|'
 # The width of the IPv6 fields
 width = 39
 # The file to process; this script processes standard input
 f = sys.stdin
 try:
     for line in f:
         fields = line.rstrip(f.newlines).split(delim)
         for i in ip_fields:
             fields[i] = "%*s" % (width, silk.IPv6Addr(int(fields[i])))
         print(delim.join(fields))
 finally:
     f.close()

BUGS