LinuxQuestions.org
Old 12-28-2003, 10:56 AM   #1
scottpioso
Member
 
way to trace IP's back to the source


Hello,

I'm looking for software that will be able to precisely identify a computer accessing my network. I have an FTP site running and I would very much like to find software that will enable me to trace an IP address back to the computer in which it is. The traceroute utility in Linux doesn't really tell me much about that. Ideally this would be a graphical program that I simply punch the IP address in, and it traces the route and tells me the physical location, type of computer it is, etc, etc.

I know there is Visual Route out there, but I think there has to be free software out there that will do what I'm looking for. If anyone knows of any, please drop me a line. Thanks.
 
Old 12-28-2003, 12:41 PM   #2
hw-tph
Senior Member
 
In order to tell what OS the remote host runs you will most likely resort to quite severe port scanning - an attack in itself, according to many. Use nmap as root with the -O switch in order to guess the remote host operating system. Be warned that this is considered extremely rude and in many countries and cases probably illegal.

The host utility provides means of getting and displaying useful network information. Try host -v <ip address>. The classic whois utility also offers good information, as does traceroute.


Håkan
 
Old 12-28-2003, 12:52 PM   #3
scottpioso
Member
 
Hi Hakan,

Thank you for your insight, but do you know how I can simply tell the exact physical location of an IP address?? I do not wish to port scan a machine, I simply wish to find out from where my FTP site was accessed. The traceroute didn't really give me much. Neither did the host command.
 
Old 12-28-2003, 02:03 PM   #4
hw-tph
Senior Member
 
OK, you want graphical, you'll get graphical.
A quick search on freshmeat.net turned up a few results that look like they could suit your needs:

- Geotrace
- GTrace
- XTraceRoute (uses OpenGL)

Håkan
 
Old 12-28-2003, 04:10 PM   #5
ugge
Senior Member
 
Although there are graphical traceroute programs they rely on information provided by the owner of the network.

IP addresses aren't bound to physical locations. Most often visitors to your site have an IP lent to them by their Internet Service Provider (ISP). These IP addresses tend to change from time to time, so most of the time you only get information about that visitor's ISP. IP addresses are only logical addresses.
 
Old 12-28-2003, 04:13 PM   #6
scottpioso
Member
 
Hi HW,

Thanks, I installed Geotrace. Thanks.
 
Old 12-28-2003, 04:15 PM   #7
scottpioso
Member
 
And Ugge,

So, simply having their IP address from their ISP wouldn't allow me to actually see where they are physically located, eh?? Even if my traceroute makes physical contact with a person's computer?? I thought that if you are able to ping a computer that means you've made physical contact with it. So, with that logic, if I can do that, wouldn't a traceroute utility be able to tell me where the computer I'm pinging is located??
 
Old 12-28-2003, 05:22 PM   #8
ugge
Senior Member
 
No, since the TCP/IP network protocol doesn't include any information regarding physical locations.

IP addresses are like human family names: they tell you who you're related to, what family you belong to. You can't tell where a person lives just by knowing the family name.

Every Network Card (NIC) has a unique hardware address assigned at manufacture time, like a social security number. On top of this you assign an IP address to logically group computers together under a common administrator/company.

When communicating over the network the packets ask their way through to the destination. They don't get answers like "try to go through Las Vegas", but rather "take this route through this IP network 143.16.23.0/16".
 
Old 12-28-2003, 05:42 PM   #9
frogman
Member
 
Quote:
Originally posted by scottpioso
And Ugge,

So, with that logic, if I can do that, wouldn't a traceroute utility be able to tell me where the computer I'm pinging is located??
[edit: ^
|_ wandered off mid-post, what he said.... and]

You're not actually pinging _them_. The trace will go back to their _ISP's_ dial-up or web-caching / proxy server. You'll only get a rough idea of their location, based upon where their ISP (or regional branch thereof) is. Besides, anyone with half a clue will drop inbound pings.

For example, if I grab the ip of the aoler who discovered my webserver (and nmap at the same time, it appears) last week, I can place him in London or thereabouts. If all you want to do is chart downloads by geographic area, this is sufficient.

I log (and sometimes trace) people who repeatedly hammer at my servers, mainly to see if it's worth dropping connections from that IP block for a while, but tracing _everyone_ using your server is just asking for an outburst of righteous indignation. Stick a questionnaire on the server - it's more friendly and less morally dubious.

Last edited by frogman; 12-28-2003 at 06:05 PM.
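As an added example (not code from the thread or from any project mentioned in it): the log review frogman describes, done over a few constructed vsftpd-style log lines. Failed logins are counted per client IP and per enclosing /24, and only a block that keeps hammering is flagged for a temporary throttle; the log format and the thresholds are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in a vsftpd-like layout (not real server output).
SAMPLE_LOG = """\
Sun Dec 28 17:01:02 2003 [pid 11] [ftp] FAIL LOGIN: Client "203.0.113.10"
Sun Dec 28 17:01:06 2003 [pid 12] [ftp] FAIL LOGIN: Client "203.0.113.11"
Sun Dec 28 17:01:09 2003 [pid 13] [ftp] FAIL LOGIN: Client "203.0.113.12"
Sun Dec 28 17:02:01 2003 [pid 14] [alice] OK LOGIN: Client "198.51.100.7"
Sun Dec 28 17:03:11 2003 [pid 15] [ftp] FAIL LOGIN: Client "203.0.113.10"
Sun Dec 28 17:04:00 2003 [pid 16] [bob] FAIL LOGIN: Client "198.51.100.7"
"""

FAIL_RE = re.compile(r'FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"')

def failed_logins(log_text, prefix_len=24):
    """Count failed logins per client IP and per enclosing /prefix_len block."""
    per_ip, per_block = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and other events are not counted
        ip = ipaddress.ip_address(m.group(1))
        block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_ip[str(ip)] += 1
        per_block[str(block)] += 1
    return per_ip, per_block

def blocks_to_throttle(log_text, threshold=3, prefix_len=24):
    """Blocks whose failed-login total reaches the threshold. Aggregating by
    block catches attempts spread over neighbouring addresses that would each
    stay under a per-IP threshold; the outcome is a temporary rate limit on
    that block, as frogman describes, not a permanent ban."""
    _, per_block = failed_logins(log_text, prefix_len)
    return sorted(b for b, n in per_block.items() if n >= threshold)

if __name__ == "__main__":
    per_ip, per_block = failed_logins(SAMPLE_LOG)
    print("per IP:", dict(per_ip))
    print("per /24:", dict(per_block))
    print("throttle:", blocks_to_throttle(SAMPLE_LOG))
```

Only the 203.0.113.0/24 block crosses the threshold; the single failure from 198.51.100.7 next to a successful login is ordinary user error and is left alone.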
 
Old 12-28-2003, 06:31 PM   #10
scottpioso
Member
 
Ugge, I think you might be mistaken. MAC addresses are like family names. IP addresses are like postal addresses, or so I've been told by every single teacher I've had in every class.


And frogman, I also must disagree with what you're saying about pinging a host. If I have the IP address of a computer wherever it is in the world and I type ping xx.xx.xx.xxx, it makes contact with that host and returns a reply. If I only make it to the nearest router, I get a destination host not found or something equivalent.

If you give me your IP address and I ping you, your computer either replies back if you have it set to allow ICMP or if you have it set to ignore, I don't get anything back. The reason I say this is because I have ICMP blocked on my router. However, when I've pinged it without blocking it, it makes contact with the router and sends a reply. So, if what you're saying is true, how would I ever be able to ping my router??
 
Old 12-28-2003, 06:40 PM   #11
XavierP
Moderator
 
But the IP address will not tell you the physical address of the person. ISPs do not give out addresses per address. They will give out a block of IP addresses based on a broad location - London, Paris, etc - so if someone is hammering you, you will know that they live in a geographical area. But that is mostly of worth if you need to contact their ISP: you can say that a person with this IP address living in this area is doing wrong. The ISP would then take that further.

The only time an IP address would be useful for narrowing down a house address is if a person registers and owns a block of addresses and they are all being used from their home address. So, of very limited use.

As far as knowing the type of computer, etc - there are programs which can give you that information, but I don't see what use that would be. Unless you are thinking of cracking their boxes......
 
Old 12-28-2003, 06:51 PM   #12
scottpioso
Member
 
No Xavier, not yet anyway. Just kidding.
 
Old 12-29-2003, 03:57 AM   #13
ugge
Senior Member
 
Quote:
Originally posted by scottpioso
Ugge, I think you might be mistaken. MAC addresses are like family names. IP addresses are like postal addresses or so I've been told my every single teacher I've had and every class.
Yes you could do that analogy if you like but that won't help you much since you still can't get any geographical information out of an analogy. Just because postal addresses are geographical doesn't make IP geographical.

MAC addresses are 48 bit numbers where the first half is the vendor id, and the other half is assigned as a serial number to every card manufactured by that vendor. This is a flat address space, also called the physical address.

IP on the other hand is what we call a logical address. IP addresses are hierarchical, like your file system tree. IP addresses are divided into networks. The three main sizes of networks are class A, class B and class C networks. Every IP address comes with a network mask telling what size your network is, for example the private network 192.168.0.1 having the network mask 255.255.255.0
This tells us that all computers from 192.168.0.1 to 192.168.0.254 belong to the same network, and most often that means the same administrator.

To be able to communicate, all routers on the Internet are communicating with their neighbors, that is the routers connected at the other end of the wire (sometimes this is a bit too simplified but it works for now): "Hello, I have routes to the following networks". They then update their respective routing tables. Every router only knows for sure what networks are directly connected to its interfaces. It doesn't know a thing about their geographical locations.

The reason that you can use programs like XTraceRoute is a separate database, totally separated from the IP protocol. If you own a network (ip addresses) you can register with this database so that your gear would show up when people run programs like XTraceRoute.
 
Old 12-29-2003, 08:27 AM   #14
scottpioso
Member
 
Hmm, okay,

So what happens then when someone tries to establish an FTP connection into my server then if IP doesn't know geography?
 
Old 12-29-2003, 09:01 AM   #15
ugge
Senior Member
 
If I give you a rope and tell you to follow the rope to where you will find a treasure, do you have to know the geographic place of the end before starting your travel along the rope?

If I try to establish an FTP connection to your server then I enter your IP address. My computer first looks in its cache of known destinations to see if it can determine where to send the request. It won't find it, so my computer sends the request to my default gateway. My default gateway (placed at my ISP) will try to do the same route decision; if it can't find the destination it will send the request to its own gateway.

Soon enough the packet has reached the core routers on the Internet and will travel to its destination step by step. No single router on the way knows the entire road to take. The packet is passed on to the next router that better matches the request.

During the entire process several protocols and name/address lookups occur. DNS (DNS -> IP), ARP (IP -> MAC).
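As an added example (not code from the thread), the address arithmetic behind ugge's posts #8, #13 and #15: splitting a 48-bit MAC into vendor id and serial, working out which hosts a mask groups into one network, and choosing a next hop by the most specific matching prefix, which is the "router that better matches the request" step. The routing table is a constructed one, and none of these operations consult anything geographical.

```python
import ipaddress

def split_mac(mac):
    """Split a 48-bit MAC into the 24-bit vendor id and the per-card serial."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    return octets[:3].hex(":"), octets[3:].hex(":")

def network_members(address, mask):
    """Network and first/last host for address+mask, e.g. 192.168.0.1 and
    255.255.255.0, which is the /24 example from post #13."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1])

# Constructed routing table: (prefix, next hop). The default route is the
# "if it can't find the destination, send it to its own gateway" step.
ROUTES = [
    ("0.0.0.0/0", "gateway"),
    ("143.16.0.0/16", "peer-a"),
    ("143.16.23.0/24", "peer-b"),
    ("192.168.0.0/24", "eth0"),
]

def next_hop(destination, routes=ROUTES):
    """Longest-prefix match: of all routes containing the destination, the one
    with the longest prefix (the most specific network) wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]  # the default route guarantees a match

if __name__ == "__main__":
    print(split_mac("00:1A:2B:3C:4D:5E"))
    print(network_members("192.168.0.1", "255.255.255.0"))
    for dst in ("143.16.23.9", "143.16.50.1", "192.168.0.77", "203.0.113.5"):
        print(dst, "->", next_hop(dst))
```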
 