appliedsec / pygeoip

DEPRECATED: Pure Python API for Maxmind's binary GeoIP databases
https://github.com/appliedsec/pygeoip
GNU Lesser General Public License v3.0
482 stars 111 forks

Empty dictionary from one specific ip address #36

Closed p0bailey closed 11 years ago

p0bailey commented 11 years ago

Hi William,

Thanks for your module, it works great except with one specific IP address. Using this IP address I'm constantly getting an empty dictionary. Any clue on this?

Best, Phillip

import pygeoip
gic = pygeoip.GeoIP('GeoLiteCity.dat')
test = gic.record_by_addr('91.201.64.20')
print test

{}

tiwilliam commented 11 years ago

Hi Phillip,

That address works fine in my GeoLiteCity database. Where did you get yours? Any chance I can get your database to try to see if it's an underlying problem in pygeoip? An empty dictionary can be returned when the IP address cannot be found in the database, or the lookup method fails for some reason.

p0bailey commented 11 years ago

Hi William,

I downloaded the file from here:

http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz

Here you can find mine:

http://bailey.st/files/GeoLiteCity.dat

I've downloaded a new db file and, just to be sure, I've made an md5sum of the files; it looks fine.

md5sum GeoLiteCity.dat.*
037a996de48e77e8d1d0fb9ceca49e6d GeoLiteCity.dat.NEW
037a996de48e77e8d1d0fb9ceca49e6d GeoLiteCity.dat.OLD

Now I'm puzzled.

Phillip

p0bailey commented 11 years ago

This is the version of pygeoip I'm using.

pip search pygeoip
pygeoip - Pure Python GeoIP API
  INSTALLED: 0.2.6 (latest)

tiwilliam commented 11 years ago

The database does not contain information for the IP. I did a sanity check with the Ruby library:

>> GeoIP.new('GeoLiteCity.dat').country('91.201.64.20')
=> nil

I will although make a change to return None instead of {} to make it consistent with how the organisation miss works.

p0bailey commented 11 years ago

I don't know why someone else didn't come across this problem before; it looks weird that Maxmind is missing one IP from the database.

tiwilliam commented 11 years ago

I think Maxmind are excluding addresses with status ALLOCATED UNSPECIFIED, meaning the address is yet to be allocated from RIPE NCC.

p0bailey commented 11 years ago

This IP belongs to a botnet command and control server.

tiwilliam commented 11 years ago

Hardcore, but I don't think this is a pygeoip issue though; Maxmind might help you further.

Thanks for reporting.

p0bailey commented 11 years ago

Anyway thanks for your effort and time.

p0bailey commented 11 years ago

Hi William,

Sorry to comment on a closed issue. Are you going to make the change to return None instead of {}?

tiwilliam commented 11 years ago

Yes, record_by_addr will in >= 0.2.7 return None instead of {}

p0bailey commented 11 years ago

This fix will really help if you iterate through a txt file of IP addresses, as I'm doing.

Thanks very much,
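Added example, not part of the original thread or of pygeoip's code: a loop over an IP list that handles both miss results discussed above (`{}` in 0.2.6, `None` in >= 0.2.7) and keeps the missed addresses as their own list instead of dropping them. The function name `classify_lookups`, the stub lookups and the sample records are hypothetical and constructed so the block runs offline; with the real library the lookup would be `pygeoip.GeoIP('GeoLiteCity.dat').record_by_addr`.

```python
import ipaddress

# Constructed sample data (not real GeoIP output); 192.0.2.10 is a documentation address.
_SAMPLE_DB = {"192.0.2.10": {"country_code": "ZZ"}}
SAMPLE_LINES = [
    "192.0.2.10",
    "91.201.64.20  # address from the issue, absent from the database",
    "",
    "not-an-ip",
    "192.0.2.10",  # duplicate line
]

def stub_lookup_026(addr):
    """Stand-in for record_by_addr in 0.2.6: {} on a miss."""
    return _SAMPLE_DB.get(addr, {})

def stub_lookup_027(addr):
    """Stand-in for record_by_addr in >= 0.2.7: None on a miss."""
    return _SAMPLE_DB.get(addr)

def classify_lookups(lines, lookup):
    """Split an IP list into (hits, misses, malformed).

    `lookup` is any callable with record_by_addr semantics. Misses are
    kept rather than discarded: an address with no record can still be
    one the analyst cares about.
    """
    hits, misses, malformed, seen = {}, [], [], set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not entry:
            continue
        try:
            addr = str(ipaddress.IPv4Address(entry))
        except ValueError:
            malformed.append(entry)
            continue
        if addr in seen:  # look each address up once
            continue
        seen.add(addr)
        record = lookup(addr)
        if not record:  # true for both {} and None
            misses.append(addr)
        else:
            hits[addr] = record
    return hits, misses, malformed

if __name__ == "__main__":
    print(classify_lookups(SAMPLE_LINES, stub_lookup_027))
```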