Calendar

«   2025/01   »
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31

Article Category

분류 전체보기 (120)
Law (16)
Article (35)
Investigation (10)
Technology (41)
Etc (18)

Recent Comment

Recent Trackback

01-24 17:18

'grep'에 해당되는 글 1건

  1. 2010.07.29 Search the public IP adresses only

Search the public IP adresses only

| Investigation 2010. 7. 29. 14:29
Posted by joseph1020
You want to make a keyword or search expression to find an any IP address except private IP adresses.

GREP will help you in this case.

Since private IP addresses belong to the ranges:

10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

There would have to be a ton of conditional statements when parsing a string to eliminate just these ranges. 

The best I could come up with gets everything except the 10, 172 and 192 starting octets.

([1-9]|([11-171]|([173-191]|[193-255])))\.([1-2]?[0-9]?[0-9]\.){2}[1-2]?[0-9]?[0-9]

172\.([1-16]|[32-255])\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]

This will grab everything in the 172 octet that was missed in the first search expression.

192\.([1-167]|[169-255])\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]

This will grab everything in the 192 octet that was missed in the first expression.

To help you learn what this says:

(a|b) = Either "a" or "b". The "|" means OR.

((num0)|(num1)|((num2)|(num3))) = These can be stacked. A number will be matched if it meets any one of the three number conditions. 

[1-9] = (num0) = means any numbers in the range of 1-9
[11-171] = (num1) = means any number in the range of 1-171
[173-191] = (num2) = means any number in the range of 173-191
[193-255] = (num3) = means any number in the range of 193-255

So this means any octet starting at 1 but not including 172 or 192 will be hit.

\. = the next character must be a "." (period)

([1-2]?[0-9]?[0-9]\.) = A "?" means the expression to the left is optional. 

So this expression will match a number in the range of 0-299 followed by a period

(we know it only needs to cover 1-255 but this will match any of those numbers)

{2} = The previous expression has to be found twice, i.e. 0-299.0-299.

[1-2]?[0-9]?[0-9] = The final number has to be in the range 0-299

* [0-9] can be replaced by # or \d
저작자표시 비영리 동일조건

'Investigation' 카테고리의 다른 글

Windows System Forensics - Registry  (0) 2012.06.28
Digital Forensics on TV  (0) 2009.12.06
디지털 포렌식 기술을 활용한 윈도우 시스템 조사 방법  (2) 2009.11.17
언론 공개와 수사기법  (0) 2009.11.05
Seagate HDD 생산일자 확인  (2) 2009.10.07
And
prev | 1 | next

티스토리툴바