DragonFly On-Line Manual Pages
rwresolve(1) SiLK Tool Suite rwresolve(1)
NAME
rwresolve - Convert IP addresses in delimited text to hostnames
SYNOPSIS
rwresolve [--ip-fields=FIELDS] [--delimiter=C] [--column-width=N]
[--resolver={ c-ares | adns | getnameinfo | gethostbyaddr }]
[--max-requests=N]
rwresolve --help
rwresolve --version
DESCRIPTION
rwresolve is an application that reads delimited textual input and maps
IP addresses in the input to host names by performing a reverse DNS
look-up. If the look-up succeeds, the IP is replaced with the host
name (rwresolve uses the first host name returned by the resolver). If
the look-up fails, the IP address remains unchanged.
rwresolve does a DNS query for every IP address, so it can be extremely
slow. rwresolve works best on very limited data sets. To reduce the
number of DNS calls it makes, rwresolve caches the results of queries.
There are two libraries that support asynchronous DNS queries which
rwresolve can use if either of those libraries was found when SiLK was
configured. These libraries are the ADNS library and the c-ares
library. Specify the --resolver switch to have rwresolve use a
particular function for look-ups.
When an IP address resolves to multiple names, rwresolve prints the
first name returned by the resolver.
rwresolve is designed specifically to deal with the output of rwcut(1),
though it will work with other SiLK tools that produce delimited text.
rwresolve reads the standard input, splits the line into fields based
on the delimiter (default '|'), converts the specified FIELDS (default
fields 1 and 2) from an IP address in its canonical form (e.g., dotted
decimal for IPv4) to a hostname. If the field cannot be parsed as an
address or if the look up fails to return a hostname, the field is not
modified. The fields to convert are specified via the
--ip-fields=FIELDS option. The --delimiter option can be used to
specify an alternate delimiter.
Since hostnames are generally wider than IP addresses, the use of the
--column-width switch is advised to increase the width of the IP
columns. If this switch is not specified, no justification of
hostnames is attempted.
By default, rwresolve will use the c-ares library if available, then it
will use the ADNS library if available. To choose a different IP look
up option, use the --resolver switch.
The maximum number of parallel DNS queries to attempt with c-ares or
ADNS can be specified with the --max-requests switch.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an
exact match for an option. A parameter to an option may be specified
as --arg=param or --arg param, though the first form is required for
options that take optional parameters.
--ip-fields=FIELDS
Specify the column number(s) of the input that should be considered
IP addresses. Column numbers start from 1. If not specified, the
default is 1,2.
--delimiter=C
Specify the character that separates the columns of the input. The
default is '|'.
--column-width=WIDTH
Set the width of the columns specified in --ip-fields to WIDTH.
When specified, the FIELDS columns always have the specified WIDTH
regardless of whether the IP to hostname mapping was successful.
If this switch is not specified, fields containing IP addresses
that could not be resolved will maintain their input length, and
fields where the lookup was successful will be printed with no
padding.
--resolver=c-ares
Use the c-ares library to convert the IP addresses to hostnames.
Requires that the c-ares library was found when SiLK was
configured. This library supports IPv6 look-ups when SiLK is
compiled to support IPv6.
--resolver=adns
Use the ADNS library to convert the IP addresses to hostnames.
Requires that the ADNS library was found when SiLK was configured.
This library only supports IPv4 look-ups.
--resolver=getnameinfo
Use the getnameinfo(3) C library function to convert IP addresses
to hostnames. This function supports IPv6 look-ups when SiLK is
compiled to support IPv6.
--resolver=gethostbyaddr
Use the gethostbyaddr(3) C library function to convert IP addresses
to hostnames. This function only supports IPv4.
--max-requests=MAX
When the c-ares or ADNS library is used, limit the number of
outstanding DNS queries active at any one time to MAX. The default
is 128. This switch is not available if neither c-ares nor ADNS
were found when SiLK was compiled.
--help
Print the available options and exit.
--version
Print the version number and information about how SiLK was
configured, then exit the application.
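The following is an added example, not SiLK code: an offline Python model
of the text handling described in DESCRIPTION (splitting on the
delimiter, converting the 1-based FIELDS, caching, leaving unparseable or
unresolved fields alone) and of the padding rules given for
--column-width. The resolver is injected as a function from an address
string to a list of names, driven by a constructed PTR table, so no DNS
traffic is generated. Two details the page does not state are assumed
here: padded fields are right-justified, and a name longer than WIDTH is
not truncated. One check is added that rwresolve itself does not
perform: because a PTR answer is written by whoever runs the reverse
zone, a returned name that contains the delimiter or non-printable
characters is discarded and the raw IP kept, so that untrusted DNS data
cannot shift columns in the output.

```python
"""Offline model of rwresolve's documented text handling (added example,
not SiLK code).  Resolver is injected so the example runs without DNS."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional


def parse_ip_fields(spec: str) -> List[int]:
    """Parse a comma-separated --ip-fields value such as "1,2" or "13"."""
    fields = [int(p) for p in spec.split(",") if p.strip()]
    if not fields or min(fields) < 1:
        raise ValueError("column numbers start from 1")
    return fields


class Resolver:
    def __init__(self, resolve_fn: Callable[[str], List[str]], delimiter: str = "|",
                 ip_fields: Iterable[int] = (1, 2), column_width: Optional[int] = None):
        self.resolve_fn = resolve_fn
        self.delimiter = delimiter
        self.ip_fields = tuple(ip_fields)
        self.column_width = column_width
        self.cache: Dict[str, Optional[str]] = {}   # canonical address -> name or None

    def lookup(self, field: str) -> Optional[str]:
        """Hostname for one field, or None if it is not an address or does not resolve."""
        try:
            addr = ipaddress.ip_address(field.strip())
        except ValueError:
            return None                      # e.g. a header cell such as "sIP"
        key = str(addr)                      # canonical form; one cache entry per address
        if key not in self.cache:
            names = self.resolve_fn(key)
            name = names[0] if names else None   # first name returned, as rwresolve does
            # Added check, not rwresolve behaviour: a PTR answer is controlled by whoever
            # runs the reverse zone, so a name carrying the delimiter or non-printable
            # characters would corrupt the delimited output; keep the raw IP instead.
            if name is not None and (self.delimiter in name or not name.isprintable()):
                name = None
            self.cache[key] = name
        return self.cache[key]

    def convert_line(self, line: str) -> str:
        fields = line.rstrip("\n").split(self.delimiter)
        for n in self.ip_fields:
            i = n - 1
            if i >= len(fields):
                continue                     # line has fewer columns than requested
            name = self.lookup(fields[i])
            if self.column_width is None:
                # No width: unresolved fields keep their input form, resolved
                # fields are printed with no padding.
                if name is not None:
                    fields[i] = name
            else:
                # Width given: the column is always WIDTH wide, resolved or not
                # (right-justification and no truncation are assumptions).
                value = name if name is not None else fields[i].strip()
                fields[i] = value.rjust(self.column_width)
        return self.delimiter.join(fields)


# Constructed reverse-DNS table standing in for the real resolver.
PTR_TABLE = {
    "192.0.2.10": ["client.example.test", "alias.example.test"],  # first name wins
    "198.51.100.7": ["www.example.test"],
    "2001:db8::1": ["v6.example.test"],
    "203.0.113.200": [],                                           # lookup fails
    "203.0.113.66": ["evil|host.example.test"],                   # delimiter in PTR
}

# Constructed rwcut-style output; the first two columns are sIP and dIP.
SAMPLE_INPUT = [
    "            sIP|            dIP|sPort|dPort|",
    "     192.0.2.10|   198.51.100.7|52814|   80|",
    "     192.0.2.10|  203.0.113.200|52815|  443|",
    "    2001:db8::1|   203.0.113.66|52816|   53|",
]


def run_sample(column_width: Optional[int] = None):
    """Resolve SAMPLE_INPUT against PTR_TABLE; return (output lines, addresses queried)."""
    queried: List[str] = []

    def fake_resolve(ip: str) -> List[str]:
        queried.append(ip)                   # records every real lookup; cache hits skip this
        return PTR_TABLE.get(ip, [])

    r = Resolver(fake_resolve, ip_fields=parse_ip_fields("1,2"), column_width=column_width)
    return [r.convert_line(line) for line in SAMPLE_INPUT], queried


if __name__ == "__main__":
    for line in run_sample(column_width=22)[0]:
        print(line)
```

Running the module prints the sample with both IP columns padded to 22
characters; the header row passes through untouched because "sIP" is
not an address, 192.0.2.10 is queried once although it appears on two
lines, and the record whose PTR carries a '|' keeps its numeric
address. The same caveat applies to the real tool: hostnames substituted
by rwresolve are resolver output, not part of the flow record, and
should be treated as untrusted when the result is parsed further.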
EXAMPLE
In the following examples, the dollar sign ("$") represents the shell
prompt. The text after the dollar sign represents the command line.
Lines have been wrapped for improved readability, and the back slash
("\") is used to indicate a wrapped line.
Suppose you have found some interesting data in the file
interesting.rw, and you want to view the data using rwcut(1), but you
also want to determine the hostname of each of the source IPs and append
that hostname to the rwcut output. In the example command below, note
how the source IP field (rwcut field 1) was specified twice in the
rwcut invocation, and rwresolve is told to resolve the second
occurrence, which is in column 13. This allows you to see the
source IP (in the first column) and the host name it mapped to (in the
final column).
$ rwcut --fields=1-12,1 interesting.rw \
| rwresolve --ip-field=13
ENVIRONMENT
When ADNS is used, the following environment variables affect it. The
ADNS_ form of each variable takes precedence.
RES_CONF
ADNS_RES_CONF
A filename, whose contents are in the format of resolv.conf.
RES_CONF_TEXT
ADNS_RES_CONF_TEXT
A string in the format of resolv.conf.
RES_OPTIONS
ADNS_RES_OPTIONS
These are parsed as if they appeared in the options line of a
resolv.conf. In addition to being parsed at this point in the
sequence, they are also parsed at the very beginning before
resolv.conf or any other environment variables are read, so that
any debug option can affect the processing of the configuration.
LOCALDOMAIN
ADNS_LOCALDOMAIN
These are interpreted as if their contents appeared in a search
line in resolv.conf.
SEE ALSO
rwcut(1), silk(7), gethostbyaddr(3), getnameinfo(3)
BUGS
Because rwresolve must do a DNS query for every IP address, it is
extremely slow.
The output from rwresolve is rarely columnar because hostnames can be
very long. You may want to consider putting the resolved hostnames in
the final column of output.
SiLK 3.11.0.1 2016-02-19 rwresolve(1)