# Educate me on IP addresses...


Okay, any given IP address has four nodes:
1.2.3.4

What does each node represent?

Let's say I want to relate or demonstrate that multiple emails came from a common location. Let's say I have a sample of emails in which some of the first two nodes are the same. Do I have anything?

My goal is to try to tie a handful of these messages (from an unknown sender but with an originating IP and server trail) back to a known sender using a different email address but possibly a laptop computer and a wifi connection. The good thing here is that I have several samples from several locations and I think a few of them may be the target wifi point as nodes 1 and 2 match.

What more can I do by reading message source code?

TIA
--Douglas

Re: Educate me on IP addresses...

doug-doug the mighty wrote:
Okay, any given IP address has four nodes:
1.2.3.4

What does each node represent?

Each of the .-separated fields is simply an 8 bit fragment of an aggregate 32 bit number, arranged in big-endian format. The dots really don't serve any purpose *per se* other than providing a way to break what would otherwise be a very difficult-to-understand-by-humans quantity into "byte-size" pieces. It would really make more sense for IP addresses to be displayed in hexadecimal, since that is much more easily translated into bitmasks than decimal numbers are, and bitmasks are important when defining "networks".

(So, for instance, your IP address 1.2.3.4 would equal 01020304 in Hex, versus the horrible decimal equivalent:

(1 * 2^24) + (2 * 2^16) + (3 * 2^8) + 4 = 16,909,060

This would have to be completely converted back to hex or binary in order to extract a meaningful netmask, and I don't know anyone who could do that in their head at a reasonable speed. (I'm sure there's someone, but it ain't me.) Most people *can* manage to convert a number from 0 to 255 into binary without too much trouble however, so the dotted-decimal representation is an "acceptable" compromise between easy-for-smart-people-to-work-with Vs. scary-to-people-who-don't-understand-binary-or-hex.)

Quote:
Let's say I want to relate or demostrate that multiple emails came from a common location. Let's say I have a sample of emails in which some of the first two nodes are the same. Do I have anything?

Yes and no.

First off, are you trying to trace activity inside a network you control, or outside of it? If you don't know that much, first off it's worth referring to RFC 3330, which details what IP ranges in the whole possible set between 0.0.0.0 to 255.255.255.255 are assigned to "special uses", like internal IP spaces. (If you don't know how to read netmasks, then the information might be confusing. Basically, it goes like this:

Say you have a network space specified like this: 10.0.0.0/8.

What that means is out of the 32 possible bits worth of space available for specifying a network address, only 8 are "significant", counting from the front. This is another point where converting to Hex makes this a lot easier to explain. Convert 10.0.0.0 to Hex:

0A:00:00:00

Each chunk is 8 bits, the netmask is "/8", thus the first block counting from the front is the "significant" identifier. The rest are *not* matched by the netmask, so "10.0.0.0/8" means "All possible network addresses between 10.0.0.0 and 10.255.255.255". A trickier example is the "172.16.0.0/12" block. Convert to HEX:

AC:10:00:00

The "/12" means 12 bits, so you cut off the first chunk, AC, and then take the first 4 bits of the next chunk, which is one. That makes the possible network space AC:10:00:00 to AC:1F:00:00, which in decimal comes to 172.16.0.0 to 172.31.255.255.)

For instance, if you're looking at the following two IP addresses:

10.1.1.27
10.1.68.47

The first octet, "10", indicates that these are RFC1918 "private" addresses not routed on the internet. If that's the first hop you're seeing then either your organization is using those two addresses internally (perhaps as a /16 network dhcp-ing wireless clients), *or* you could simply be seeing machines *outside* your network behind NAT-ing home gateways or whatever, and the first IP is essentially meaningless to you. (The latter possibility is very likely. Most home routers come preconfigured to hand out IPs in various 192.168/16 nets.)

If on the other hand you're seeing two IPs that fall into "assigned" space, well... if the first two octets match there's a chance the traffic could be coming from the same ISP, but that doesn't tell you much. In most cases you can use the "whois" program to get some idea to whom an IP "belongs", although in the case of an ISP or hosting company it'll only resolve that far, not to the individual machine. (For instance, if you run "whois" on Applefritter's IP address you'll see the name of the hosting company, and the size of the IP block the address comes out of. Generally you have to use at least a few hundred IP addresses to end up getting the IPs showing as "yours" on a whois query.)

Does that help at all?

--Peace
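A worked version of the arithmetic in the reply above, as an added example that is not part of the original thread: it packs the dotted quad into one big-endian 32-bit number, shows the hex form, expands a CIDR block through its bitmask (the /8 and /12 cases from the reply), tests an address against the RFC 1918 private blocks, and checks whether two addresses share their leading bits (the "first two nodes match" question is a /16 comparison). Only the Python standard library is assumed.

```python
# Added example: IPv4 as a 32-bit big-endian integer, hex form, CIDR
# expansion and prefix comparison, following the reasoning in the reply.

def to_int(addr: str) -> int:
    """Pack the four 8-bit fields into one 32-bit number (first octet is most significant)."""
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {addr}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n: int) -> str:
    """Inverse of to_int: split a 32-bit number back into four decimal octets."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_hex(addr: str) -> str:
    """Same number as colon-separated hex bytes, e.g. 10.0.0.0 -> '0A:00:00:00'."""
    n = to_int(addr)
    return ":".join(f"{(n >> s) & 0xFF:02X}" for s in (24, 16, 8, 0))

def prefix_mask(bits: int) -> int:
    """Netmask for /bits: the leading `bits` bits set, the rest clear."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def cidr_range(cidr: str) -> tuple:
    """First and last address covered by 'a.b.c.d/n'."""
    net, bits = cidr.split("/")
    mask = prefix_mask(int(bits))
    lo = to_int(net) & mask            # significant bits only
    hi = lo | (~mask & 0xFFFFFFFF)     # every non-significant bit set
    return to_dotted(lo), to_dotted(hi)

def in_block(addr: str, cidr: str) -> bool:
    """True when addr's significant bits equal the block's significant bits."""
    net, bits = cidr.split("/")
    mask = prefix_mask(int(bits))
    return to_int(addr) & mask == to_int(net) & mask

# The three RFC 1918 private blocks mentioned in the reply.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def is_private(addr: str) -> bool:
    return any(in_block(addr, block) for block in RFC1918)

def share_prefix(a: str, b: str, bits: int) -> bool:
    """True when the first `bits` bits match; bits=16 is the 'first two nodes' test."""
    mask = prefix_mask(bits)
    return to_int(a) & mask == to_int(b) & mask
```

As the reply notes, a matching /16 on two public addresses only suggests a common ISP block; checking `is_private` first tells you whether the hop you are looking at is routable at all.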