During the indexing process, most values in the [env] section of the request are indexed, including the IP address values.
Indexing for IPv4
During the indexing process, the indexer reviews and normalizes the remote_addr, local_addr, referrer, and TltStsIPaddr values that are IP addresses. Normalization for IPv4 involves:
- Zero-padding all octets so that each is three digits.
- Removing the dots between octets, so that the remaining value is a string of twelve digits.
For example, an IPv4 address of 1.12.123.4 is normalized as 001012123004 for indexing purposes.
Note: Values in the [appdata] section of the request that contain IP addresses are indexed as text values, instead of IP addresses.
Searching for IPv4 addresses through the Portal requires entering the IP address in the above normalized format.
Indexing for IPv6
If a hit is an IPv4 hit, the indexer populates the [env] IPv6 fields with IPv4 equivalents. In the IPv6 address, the last two groups are the hexadecimal equivalent of the IPv4 address, and the first 6 groups are all set to be zeroes, as shown in the following example:
REMOTE_ADDR=152.163.17.33
IPV6_LOCAL_ADDR=0000:0000:0000:0000:0000:FFFF:98A3:1121
Using this example, the indexer adds the following IPv6-related value as a search keyword:
ipv6_remote_addr
To retain backward compatibility and for legacy purposes, the fields remote_addr, local_addr and tltstsipaddr are indexed if the addresses are IPv4 values.
Additionally, IPv4 addresses are spread across more groups, as shown in the following example:
Source Item | Data |
---|---|
IPV6_LOCAL_ADDR request variable | 0000:0000:0000:0000:0000:FFFF:98A3:1121 |
ipv6_remote_addr index variable | 0000:0000:0000:0000:0098:00A3:0011:0021 |
By splitting the data in the final two groups into four different data values, it is possible to enable searching across data ranges through the Portal and RTV.
IPv4 translated to IPv6 address example
For indexing purposes, the PCA inserts IPv4 addresses in a new, standards-based format that is compatible with IPv6. This data insertion in the request enables Tealeaf indexing and search to operate with minimal changes while supporting both IP formats.
Note: These address formats are used internally by Tealeaf to support search and indexing.
In the following example, the PCA is configured to capture IPv4 addresses only.
- REMOTE_ADDR and LOCAL_ADDR addresses are written in source IPv4 format.
- The new fields:
  - IPv6_REMOTE_ADDR
  - IPv6_LOCAL_ADDR
  - IPv6_SERVER_NAME
- In this mode, the source addresses are written in IPv6 format using the last eight digits in hexadecimal format, with the leading five groups written as zeroes.
- Addresses are formatted with a prefix FFFF group for the concluding two groups, which represent an IPv4 address in IPv6 hexadecimal notation.
This new format is used to identify an IPv4 address translated in the IPv6 format.
IPV6_XLAT=False
IPV6=False
REMOTE_ADDR=10.10.20.105
LOCAL_ADDR=152.163.17.33
SERVER_NAME=152.163.17.33
IPV6_REMOTE_ADDR=0000:0000:0000:0000:0000:FFFF:0A0A:1469
IPV6_LOCAL_ADDR=0000:0000:0000:0000:0000:FFFF:98A3:1121
IPV6_SERVER_NAME=0000:0000:0000:0000:0000:FFFF:98A3:1121
When the above values are indexed, IPv4 values are zero-padded so that all IP addresses are of the same length.
For IPv4 addresses, the last 4 groups are indexes to the last 4 words of the IPv6 index variable, which enables range search on the IP address.
Index variable | Indexed value |
---|---|
remote_addr | 010010020105 |
local_addr | 152163017033 |
tltstsipaddr | 010010020105 |
ipv6_remote_addr | 0000:0000:0000:0000:000A:000A:0014:0069 |
ipv6_local_addr | 0000:0000:0000:0000:0098:00A3:0011:0021 |
IPv6-only compressed example
In the following example, the IP addresses are submitted as IPv6 only. The legacy fields generated by the indexer (remote_addr, local_addr, and tltstsipaddr) are therefore blank.
IPV6_XLAT=False
IPV6=True
REMOTE_ADDR=fe80::20b:dbff:fe93:a462
LOCAL_ADDR=fe80::213:72ff:fe67:ed26
IPV6_REMOTE_ADDR=FE80:0000:0000:0000:020B:DBFF:FE93:A462
IPV6_LOCAL_ADDR=FE80:0000:0000:0000:0213:72FF:FE67:ED26
Index variable | Indexed value |
---|---|
remote_addr | empty |
local_addr | empty |
tltstsipaddr | empty |
ipv6_remote_addr | FE80:0000:0000:0000:020B:DBFF:FE93:A462 |
ipv6_local_addr | FE80:0000:0000:0000:0213:72FF:FE67:ED26 |
IPv6-only uncompressed example
In this example, all IP addresses are in uncompressed IPv6 format. The legacy index fields are thus blank.
IPV6_XLAT=False
IPV6=True
REMOTE_ADDR=1234:5678:90ab:cdef:2123:4321:fdda:12cd
LOCAL_ADDR=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPV6_REMOTE_ADDR=1234:5678:90AB:CDEF:2123:4321:FDDA:12CD
IPV6_LOCAL_ADDR=FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Index variable | Indexed value |
---|---|
remote_addr | empty |
local_addr | empty |
tltstsipaddr | empty |
ipv6_remote_addr | 1234:5678:90AB:CDEF:2123:4321:FDDA:12CD |
ipv6_local_addr | FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF |
IPv4 translated into IPv6 address example
In this example, the PCA has been configured to translate IP addresses from IPv4 format to IPv6 format. The configuration settings are both true:
IPV6_XLAT=True
IPV6=True
The PCA translates the captured address to IPv4 format and inserts it into the REMOTE_ADDR and LOCAL_ADDR values. These values are inserted as the last two groups in the IPv6 values in the [env] section: IPV6_REMOTE_ADDR and IPV6_LOCAL_ADDR.
IPV6_XLAT=True
IPV6=True
REMOTE_ADDR=254.147.164.98
LOCAL_ADDR=254.103.237.38
IPV6_REMOTE_ADDR=0000:0000:0000:0000:0000:FFFF:FE93:A462
IPV6_LOCAL_ADDR=0000:0000:0000:0000:0000:FFFF:FE67:ED26
Index variable | Indexed value |
---|---|
remote_addr | 254147164098 |
local_addr | 254103237038 |
tltstsipaddr | 254103237038 |
ipv6_remote_addr | 0000:0000:0000:0000:00FE:0093:00A4:0062 |
ipv6_local_addr | 0000:0000:0000:0000:00FE:0067:00ED:0026 |
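The following added example (not Tealeaf code) reproduces the normalization rules described on this page, so that an analyst can convert an address or network into the form the index stores before searching. The function names `index_values` and `in_range` are hypothetical, and how range bounds are entered in the Portal is not covered here.

```python
import ipaddress

def index_values(addr: str) -> dict:
    """Compute the values this page shows for one address.

    Raises ValueError if addr is not a valid IPv4 or IPv6 address.
    """
    ip = ipaddress.ip_address(addr)
    # An IPv6 value of the form ...:FFFF:xxxx:xxxx is a translated IPv4 address.
    v4 = ip if ip.version == 4 else ip.ipv4_mapped
    if v4 is not None:
        octets = tuple(v4.packed)  # four integers, 0-255
        return {
            # Legacy fields: each octet zero-padded to three digits, dots removed.
            "legacy": "".join(f"{o:03d}" for o in octets),
            # Request variable: five zero groups, FFFF, then the address in hex.
            "request_ipv6": "0000:0000:0000:0000:0000:FFFF:%02X%02X:%02X%02X" % octets,
            # Index variable: one octet per group, spread over the last four groups.
            "index_ipv6": ":".join(["0000"] * 4 + [f"{o:04X}" for o in octets]),
        }
    # Native IPv6: expanded, upper-cased; legacy fields stay empty.
    full = ip.exploded.upper()
    return {"legacy": "", "request_ipv6": full, "index_ipv6": full}

def in_range(addr: str, cidr: str) -> bool:
    """Range check using only string comparison on index values.

    Fixed-width, zero-padded groups sort in the same order as the
    numeric addresses, which is what makes range search possible.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    lo = index_values(str(net.network_address))["index_ipv6"]
    hi = index_values(str(net.broadcast_address))["index_ipv6"]
    return lo <= index_values(addr)["index_ipv6"] <= hi

if __name__ == "__main__":
    # Addresses taken from the examples on this page.
    for sample in ("10.10.20.105", "152.163.17.33", "fe80::20b:dbff:fe93:a462"):
        print(sample, index_values(sample))
    print(in_range("10.10.20.105", "10.10.20.0/24"))
```

Comparing the raw dotted strings instead gives wrong answers: "10.10.20.9" sorts after "10.10.20.255" as text, while the padded index values compare correctly.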