FreeBSD Manual Pages
rwresolve(1) SiLK Tool Suite rwresolve(1) NAME rwresolve - Convert IP addresses in delimited text to hostnames SYNOPSIS rwresolve [--ip-fields=FIELDS] [--delimiter=C] [--column-width=N] [--resolver={ c-ares | adns | getnameinfo | gethostbyaddr }] [--max-requests=N] rwresolve --help rwresolve --version DESCRIPTION rwresolve is an application that reads delimited textual input and maps IP addresses in the input to host names up performing a reverse DNS look-up. If the look-up succeeds, the IP is replaced with the host name (rwresolve uses the first host name returned by the resolver). If the look-up fails, the IP address remains unchanged. rwresolve does a DNS query for every IP address, so it can be extremely slow. rwresolve works best on very limited data sets. To reduce the number of DNS calls it makes, rwresolve caches the results of queries. There are two libraries that support asynchronous DNS queries which rwresolve can use if either of those libraries was found when SiLK was configured. These libraries are the ADNS library and the c-ares library. Specify the --resolver switch to have rwresolve use a particular function for look-ups. When an IP address resolves to multiple names, rwresolve prints the first name returned by the resolver. rwresolve is designed specifically to deal with the output of rwcut(1), though it will work with other SiLK tools that produce delimited text. rwresolve reads the standard input, splits the line into fields based on the delimiter (default '|'), converts the specified FIELDS (default fields 1 and 2) from an IP address in its canonical form (e.g., dotted decimal for IPv4) to a hostname. If the field cannot be parsed as an address or if the look up fails to return a hostname, the field is not modified. The fields to convert are specified via the --ip-fields=FIELDS option. The --delimiter option can be used to specify an alternate delimiter. Since hostnames are generally wider than IP addresses, the use of the --column-width field is advised to increase the width of the IP columns. If this switch is not specified, no justification of hostnames is attempted. By default, rwresolve will use the c-ares library if available, then it will use the ADNS library if available. To choose a different IP look up option, use the --resolver switch. The maximum number of parallel DNS queries to attempt with c-ares or ADNS can be specified with the --max-requests switch. OPTIONS Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters. --ip-fields=FIELDS Specify the column number(s) of the input that should be considered IP addresses. Column numbers start from 1. If not specified, the default is 1,2. --delimiter=C Specify the character that separates the columns of the input. The default is '|'. --column-width=WIDTH Set the width of the columns specified in --ip-fields to WIDTH. When specified, the FIELDS columns always have the specified WIDTH regardless of whether the IP to hostname mapping was successful. If this switch is not specified, fields containing IP addresses that could not be resolved will maintain their input length, and fields where the lookup was successful will be printed with no padding. --resolver=c-ares Use the c-ares library to convert the IP addresses to hostnames. Requires that the c-ares library was found when SiLK was configured. This library supports IPv6 look-ups when SiLK is compiled to support IPv6. --resolver=adns Use the ADNS library to convert the IP addresses to hostnames. Requires that the ADNS library was found when SiLK was configured. This library only supports IPv4 look-ups. --resolver=getnameinfo Use the getnameinfo(3) C library function to convert IP addresses to hostnames. This function supports IPv6 look-ups when SiLK is compiled to support IPv6. --resolver=gethostbyaddr Use the gethostbyaddr(3) C library function to convert IP addresses to hostnames. This function only supports IPv4. --max-requests=MAX When the c-ares or ADNS library is used, limit the number of outstanding DNS queries active at any one time to MAX. The default is 128. This switch is not available if neither c-ares nor ADNS were found when SiLK was compiled. --help Print the available options and exit. --version Print the version number and information about how SiLK was configured, then exit the application. EXAMPLE In the following examples, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash ("\") is used to indicate a wrapped line. Suppose you have found some interesting data in the file interesting.rw, and you want to view the data using rwcut(1), but you also want to determine the hostname of each the source IPs and append that hostname to the rwcut output. In the example command below, note how the source IP field (rwcut field 1) was specified twice in the rwcut invocation, and rwresolve is told to resolve the second occurrence, which is field in column 13. This allows you to see the source IP (in the first column) and the host name it mapped to (in the final column). $ rwcut --fields=1-12,1 interesting.rw \ | rwresolve --ip-field=13 ENVIRONMENT When ADNS is used, the following environment variables affect it. The ADNS_ form of each variable takes precedence. RES_CONF ADNS_RES_CONF A filename, whose contents are in the format of resolv.conf. RES_CONF_TEXT ADNS_RES_CONF_TEXT A string in the format of resolv.conf. RES_OPTIONS ADNS_RES_OPTIONS These are parsed as if they appeared in the options line of a resolv.conf. In addition to being parsed at this point in the sequence, they are also parsed at the very beginning before resolv.conf or any other environment variables are read, so that any debug option can affect the processing of the configuration. LOCALDOMAIN ADNS_LOCALDOMAIN These are interpreted as if their contents appeared in a search line in resolv.conf. SEE ALSO rwcut(1), silk(7), gethostbyaddr(3), getnameinfo(3) BUGS Because rwresolve must do a DNS query for every IP address, it is extremely slow. The output from rwresolve is rarely columnar because hostnames can be very long. You may want to consider putting the resolved hostnames in the final column of output. SiLK 3.19.1 2021-02-28 rwresolve(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLE | ENVIRONMENT | SEE ALSO | BUGS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=rwresolve&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>