"country" and "registered_country" entries mismatch
gilarelli opened this issue · 3 comments
Hi,
When I want to look up some addresses, I sometimes get different answers for "country" and "registered_country" as shown below.
Is this a normal behavior?
I mainly use mmdblookup to get information about fail2ban blocked IPs.
Here is the command line:
mmdblookup --file /var/lib/GeoIP/GeoLite2-Country.mmdb --ip 103.178.236.40
And the result of the query:
{
"continent":
{
"code":
"EU" <utf8_string>
"geoname_id":
6255148 <uint32>
"names":
{
"de":
"Europa" <utf8_string>
"en":
"Europe" <utf8_string>
"es":
"Europa" <utf8_string>
"fr":
"Europe" <utf8_string>
"ja":
"ヨーロッパ" <utf8_string>
"pt-BR":
"Europa" <utf8_string>
"ru":
"Европа" <utf8_string>
"zh-CN":
"欧洲" <utf8_string>
}
}
"country":
{
"geoname_id":
2750405 <uint32>
"is_in_european_union":
true <boolean>
"iso_code":
"NL" <utf8_string>
"names":
{
"de":
"Niederlande" <utf8_string>
"en":
"Netherlands" <utf8_string>
"es":
"Holanda" <utf8_string>
"fr":
"Pays-Bas" <utf8_string>
"ja":
"オランダ王国" <utf8_string>
"pt-BR":
"Holanda" <utf8_string>
"ru":
"Нидерланды" <utf8_string>
"zh-CN":
"荷兰" <utf8_string>
}
}
"registered_country":
{
"geoname_id":
1210997 <uint32>
"iso_code":
"BD" <utf8_string>
"names":
{
"de":
"Bangladesch" <utf8_string>
"en":
"Bangladesh" <utf8_string>
"es":
"Bangladesh" <utf8_string>
"fr":
"Bangladesh" <utf8_string>
"ja":
"バングラディッシュ人民共和国" <utf8_string>
"pt-BR":
"Bangladesh" <utf8_string>
"ru":
"Бангладеш" <utf8_string>
"zh-CN":
"孟加拉国" <utf8_string>
}
}
}
The country value is where the network is located, while the registered_country is the country of the organization the network was allocated to, and these aren't always expected to match.
Oh ok - thanks for the clarification.
I thought about something like that but couldn't find a description of those entries on the internet.
Last question: why do some IPs only return a "registered_country" entry?
This one for example: 92.204.171.66
Thanks again for your time and this great tool!
mmdblookup --file /var/lib/GeoIP/GeoLite2-City.mmdb --ip 92.204.171.66
{
"continent":
{
"code":
"EU" <utf8_string>
"geoname_id":
6255148 <uint32>
"names":
{
"de":
"Europa" <utf8_string>
"en":
"Europe" <utf8_string>
"es":
"Europa" <utf8_string>
"fr":
"Europe" <utf8_string>
"ja":
"ヨーロッパ" <utf8_string>
"pt-BR":
"Europa" <utf8_string>
"ru":
"Европа" <utf8_string>
"zh-CN":
"欧洲" <utf8_string>
}
}
"location":
{
"accuracy_radius":
1000 <uint16>
"latitude":
47.000000 <double>
"longitude":
8.000000 <double>
"time_zone":
"Europe/Vaduz" <utf8_string>
}
"registered_country":
{
"geoname_id":
2921044 <uint32>
"is_in_european_union":
true <boolean>
"iso_code":
"DE" <utf8_string>
"names":
{
"de":
"Deutschland" <utf8_string>
"en":
"Germany" <utf8_string>
"es":
"Alemania" <utf8_string>
"fr":
"Allemagne" <utf8_string>
"ja":
"ドイツ連邦共和国" <utf8_string>
"pt-BR":
"Alemanha" <utf8_string>
"ru":
"Германия" <utf8_string>
"zh-CN":
"德国" <utf8_string>
}
}
}
mmdblookup --file /var/lib/GeoIP/GeoLite2-Country.mmdb --ip 92.204.171.66
{
"continent":
{
"code":
"EU" <utf8_string>
"geoname_id":
6255148 <uint32>
"names":
{
"de":
"Europa" <utf8_string>
"en":
"Europe" <utf8_string>
"es":
"Europa" <utf8_string>
"fr":
"Europe" <utf8_string>
"ja":
"ヨーロッパ" <utf8_string>
"pt-BR":
"Europa" <utf8_string>
"ru":
"Европа" <utf8_string>
"zh-CN":
"欧洲" <utf8_string>
}
}
"registered_country":
{
"geoname_id":
2921044 <uint32>
"is_in_european_union":
true <boolean>
"iso_code":
"DE" <utf8_string>
"names":
{
"de":
"Deutschland" <utf8_string>
"en":
"Germany" <utf8_string>
"es":
"Alemania" <utf8_string>
"fr":
"Allemagne" <utf8_string>
"ja":
"ドイツ連邦共和国" <utf8_string>
"pt-BR":
"Alemanha" <utf8_string>
"ru":
"Германия" <utf8_string>
"zh-CN":
"德国" <utf8_string>
}
}
}
I think in general the best place to look up what the various fields mean is probably https://dev.maxmind.com/geoip/docs/databases.
Sometimes having a registered_country without a country value is expected. For this particular case though, we should have been able to return a country value, and I expect that to be corrected in either the next release or the one following.
As an aside, I wanted to point out another potentially useful tool, https://github.com/maxmind/mmdbinspect. The main advantages over mmdbinspect are that you can look up entire networks instead of a single IP address, and that the output is actual JSON instead of JSON-ish like mmdblookup's output, so it's a bit easier to pipe into other tools that can consume JSON.
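Following the last comment's point that mmdblookup's output is only JSON-like, here is an added example (not part of the thread and not MaxMind's code) that parses that typed dump in Python and reports whether "country" and "registered_country" agree, or whether "country" is absent as with 92.204.171.66. The function names, the status labels and the trimmed sample are assumptions made for illustration.

```python
import re
SCALAR = re.compile(r"^(.*) <(\w+)>$")   # e.g. '"NL" <utf8_string>', '2750405 <uint32>'
CONVERT = {
    "utf8_string": lambda s: s[1:-1],    # drop the surrounding quotes
    "boolean": lambda s: s == "true",
    "double": float, "float": float,
}

def _value(lines, i):
    """Parse one value starting at lines[i]; return (value, next_index)."""
    tok = lines[i]
    if tok == "{":                        # map: alternating '"key":' lines and values
        obj, i = {}, i + 1
        while lines[i] != "}":
            key = lines[i].rstrip(":").strip('"')
            obj[key], i = _value(lines, i + 1)
        return obj, i + 1
    if tok == "[":                        # array: values until the closing bracket
        arr, i = [], i + 1
        while lines[i] != "]":
            item, i = _value(lines, i)
            arr.append(item)
        return arr, i + 1
    m = SCALAR.match(tok)
    if not m:
        raise ValueError(f"unexpected token: {tok!r}")
    raw, typ = m.groups()
    if re.fullmatch(r"u?int\d+", typ):    # uint16, uint32, int32, ...
        return int(raw, 0), i + 1
    return CONVERT.get(typ, str)(raw), i + 1   # unknown types stay as text

def parse_mmdblookup(text):
    """Turn one mmdblookup record dump into plain dicts and lists."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    value, end = _value(lines, 0)
    if end != len(lines):
        raise ValueError("trailing data after record")
    return value

def country_summary(record):
    """Report both fields side by side; never substitute one for the other."""
    located = record.get("country", {}).get("iso_code")
    registered = record.get("registered_country", {}).get("iso_code")
    status = "no_location" if located is None else (
        "mismatch" if registered not in (None, located) else "match")
    return {"country": located, "registered_country": registered, "status": status}

# Constructed sample: the thread's 103.178.236.40 output, trimmed to the relevant keys.
SAMPLE = ('{\n"country":\n{\n"geoname_id":\n2750405 <uint32>\n"iso_code":\n"NL" <utf8_string>\n}\n'
          '"registered_country":\n{\n"iso_code":\n"BD" <utf8_string>\n}\n}')
print(country_summary(parse_mmdblookup(SAMPLE)))
```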