Maxmind based Geo-location and ra* programs

Carter Bullard carter at qosient.com
Wed Apr 15 11:37:58 EDT 2009 

Hey Mark,
Yes, but I couldn't figure out how to get their databases simply,  
without running
a complete mirror of their system, and when you're mapping 200K  
addresses
per second (100K records per second) doesn't seem like we'll keep up  
if I have
to query whois.cymru.org ;o)

The GeoIP stuff was pretty straightforward to use, and the argus- 
client code
is now compatible with the pay-as-you-go databases from MaxMind, so it
seemed like a win.

Do you think the Cymru strategy is worth a look?  Have you implemented a
local database?

Carter

On Apr 15, 2009, at 9:13 AM, Mark Bartlett wrote:

> Hey Carter,
>
> Have you checked out   Team Cymru,
> (http://www.team-cymru.org/Services/ip-to-asn.html)  they have been
> doing some of this stuff also... Pretty cool stuff....
>
> mab
>
> On Tue, Apr 14, 2009 at 7:56 PM, Carter Bullard <carter at qosient.com>  
> wrote:
>> Gentle people,
>> All ra* programs support printing country codes, but there is much  
>> more to
>> geo-location.
>> I am integrating the use of the MaxMind's LGPL based GeoIP library  
>> into
>> argus
>> client's Geo location technology.  I need to get Origin AS numbers  
>> into the
>> argus
>> records for my work, and so this seemed to be a way to go.
>> Currently, ralabel() and radium() can use MaxMind's GeoIPASNum.dat  
>> file
>> to provide Origin AS numbers for IP addresses, and later this week  
>> I should
>> get the City, State, Country, Zip Codes, along with lat/long data
>> integrated.
>> The Origin AS number support looks pretty good:
>>       StartTime  Proto       SrcAddr  Dir          DstAddr       
>> Dport SPkts
>>  DPkts SBytes DBytes          Label
>> 19:25:27.014924    esp 207.237.36.98   ->    
>> 134.207.19.130.0x072ed6f2     2
>>      0    252      0  AS6079:AS5058
>> For the city data, its not perfect, but its pretty good data for  
>> free ;o).
>>  Here is what one
>> of the GeoIP test programs returns as a test:
>> 24.24.24.24 US NY  New York  Jamaica  11434  40.676300  -73.775200   
>> 501
>> 718  America/New_York  24.24.16.0
>> 80.24.24.24 ES 56  Catalonia  Seo De Urgel  N/A  42.349998   
>> 1.466700  0  0
>> Europe/Madrid  80.24.24.0
>>
>> So, good country code, state?, but some of it is interesting, as  
>> they don't
>> have "Spain"
>> anywhere in the output, so could be a bit better?  I have to work  
>> on what
>> the formats of the data
>> will be in the argus label fields.
>> You get the support by compiling the Maxmind C-library API code on  
>> your
>> machine,
>> then with the client's ./configure you specify where the GeoIP  
>> distribution
>> is.
>>    ./configure --with-GeoIP=yes
>> All the rest is pretty straight forward, but I haven't tested it,  
>> except to
>> see if it works at all.
>> Currently the data comes out as labels, so its just ascii text in  
>> the argus
>> record.  I'll
>> be working on more specific DSR's for geolocation in the next set  
>> of months,
>> so any
>> dialog as to what you guys would like to get out of the  
>> Maxmind.com's GeoIP
>> library,
>> that would be very helpful.
>> Take a look at their links, for additional information:
>>    http://www.maxmind.com/app/geolitecity
>> I'll have this support in the next beta release, but if everyone is  
>> happy
>> with the stability
>> of the code set, I'll release it as argus-clients-3.0.2 very soon.
>> Carter
>>
>>
>>
>>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

More information about the argus mailing list