ip

Function

ArgDescriptionType
parseParse the IP as an IPv4 or IPv6 address.string
netaddr4_leA network order IPv4 address (as little endian).int64
netaddr4_beA network order IPv4 address (as big endian).int64

Description

Format an IP address.

Converts an ip address encoded in various ways. If the IP address is encoded as 32 bit integer we can use netaddr4_le or netaddr4_be to print it in a human readable way.

This function wraps the Golang net.IP library (https://pkg.go.dev/net#IP ). This makes it easy to deal with various IP address notations.

Returns an object of type net.IP, not a string. If you need to compare the result of this function to an IP string then you should apply the .String method to the result.

Examples

  1. Parse IPv4-mapped IPv6 addresses
SELECT ip(parse='0:0:0:0:0:FFFF:129.144.52.38') FROM scope()

Will return the string 129.144.52.38

  1. Get information about IP addresses

VQL will also expose the following attributes of the IP address:

  • IsGlobalUnicast
  • IsInterfaceLocalMulticast
  • IsLinkLocalMulticast
  • IsLinkLocalUnicast
  • IsLoopback
  • IsMulticast
  • IsPrivate
SELECT ip(parse='192.168.1.2').IsPrivate FROM scope()

Returns “true” since this is a private address block.

See also

  • cidr_contains: Calculates if an IP address falls within a range of CIDR specified networks.
  • geoip: Lookup an IP Address using the MaxMind GeoIP database.